4runr-os 2.10.73 → 2.10.75

package/mk3-tui/src/app.rs

@@ -5,6 +5,7 @@ use crate::storage::Cache;
 use crate::ui::agent_builder::AgentBuilderState;
 use crate::ui::run_manager::RunManagerState;
 use crate::ui::sentinel_config::SentinelConfigState;
+use crate::ui::shield_dashboard::ShieldDashboardState;
 use crate::ui::settings::SettingsState;
 use crate::websocket::WebSocketClient;
 use crossterm::event::{KeyCode, KeyEvent, KeyEventKind};
@@ -386,6 +387,8 @@ pub struct AppState {
     pub posture_status: String,
     pub shield_mode: String,           // "off", "monitor", "enforce"
     pub shield_detectors: Vec<String>, // ["pii", "injection", "hallucination"]
+    pub shield_blocks_total: u64,
+    pub shield_masks_total: u64,
     pub sentinel_state: String,        // "idle", "watching", "triggered"
     pub sentinel_active_runs: usize,
 
@@ -429,6 +432,7 @@ pub struct AppState {
     pub agent_builder: AgentBuilderState,
     pub run_manager: RunManagerState,
     pub sentinel_config: SentinelConfigState,
+    pub shield_dashboard: ShieldDashboardState,
     pub settings: SettingsState,
     pub agent_list: AgentListState,
     pub connection_portal: ConnectionPortalState,
@@ -461,6 +465,7 @@ pub struct AppState {
 
     pub pending_sentinel_load_id: Option<String>,
     pub pending_sentinel_apply_id: Option<String>,
+    pub pending_shield_load_id: Option<String>,
 
     // Deletion confirmation (Step 5.5)
     pub agent_delete_requested: bool,
@@ -489,6 +494,8 @@ impl Default for AppState {
             posture_status: "Demo Mode".to_string(),
             shield_mode: "enforce".to_string(),
             shield_detectors: vec!["pii".into(), "injection".into(), "hallucination".into()],
+            shield_blocks_total: 0,
+            shield_masks_total: 0,
             sentinel_state: "idle".to_string(),
             sentinel_active_runs: 0,
             total_runs: 0,
@@ -526,6 +533,7 @@ impl Default for AppState {
             agent_builder: AgentBuilderState::default(),
             run_manager: RunManagerState::default(),
             sentinel_config: SentinelConfigState::default(),
+            shield_dashboard: ShieldDashboardState::default(),
             settings: SettingsState::default(),
             agent_list: AgentListState::default(),
             connection_portal: ConnectionPortalState::default(),
@@ -550,6 +558,7 @@ impl Default for AppState {
             pending_run_quick_id: None,
             pending_sentinel_load_id: None,
             pending_sentinel_apply_id: None,
+            pending_shield_load_id: None,
             agent_delete_requested: false,
             operation_mode: OperationMode::Local,
             cache: Cache::new().ok(),
@@ -828,6 +837,40 @@ impl App {
         }
     }
 
+    pub fn open_shield_dashboard(&mut self, ws: Option<&WebSocketClient>) {
+        self.state.pending_shield_load_id = None;
+        self.push_overlay(Screen::ShieldDashboard);
+        self.state
+            .logs
+            .push_back("[NAV] Opening Shield (production safety layer)...".into());
+        if self.state.operation_mode == OperationMode::Connected {
+            if let Some(ws) = ws {
+                self.begin_shield_load_request(ws);
+            }
+        } else {
+            self.state.shield_dashboard.error = Some(
+                "Connect to Gateway first (connect portal).".to_string(),
+            );
+        }
+        self.request_immediate_render("open_shield_dashboard");
+    }
+
+    pub fn begin_shield_load_request(&mut self, ws: &WebSocketClient) {
+        if self.state.operation_mode != OperationMode::Connected {
+            return;
+        }
+        if self.state.pending_shield_load_id.is_some() {
+            return;
+        }
+        self.state.shield_dashboard.loading = true;
+        self.state.shield_dashboard.error = None;
+        if let Ok(id) = ws.send_command("shield.load", None) {
+            self.state.pending_shield_load_id = Some(id);
+        } else {
+            self.state.shield_dashboard.loading = false;
+        }
+    }
+
     pub fn open_sentinel_config(&mut self, ws: Option<&WebSocketClient>) {
         self.state.pending_sentinel_load_id = None;
         self.state.pending_sentinel_apply_id = None;
@@ -1316,6 +1359,11 @@ impl App {
             return self.handle_sentinel_config_input(key, ws_client);
         }
 
+        // === SHIELD DASHBOARD INPUT HANDLING ===
+        if self.state.navigation.current_screen() == &Screen::ShieldDashboard {
+            return self.handle_shield_dashboard_input(key, ws_client);
+        }
+
         // === SETTINGS INPUT HANDLING ===
         if self.state.navigation.current_screen() == &Screen::Settings {
             return self.handle_settings_input(key);
@@ -1489,6 +1537,10 @@ impl App {
                                 "  sentinel           - Configure Sentinel policies (templates)"
                                     .to_string(),
                             );
+                            self.state.logs.push_back(
+                                "  shield             - Shield safety dashboard (live metrics + enforcement)"
+                                    .to_string(),
+                            );
                             self.state.logs.push_back(
                                 "  build              - Open Agent Builder (6-step wizard)"
                                     .to_string(),
@@ -1570,6 +1622,9 @@ impl App {
                         "sentinel" | "sentinel config" | "sentinel policies" => {
                             self.open_sentinel_config(ws_client);
                         }
+                        "shield" | "shield status" | "shield dashboard" => {
+                            self.open_shield_dashboard(ws_client);
+                        }
                         "config" | "settings" => {
                             self.push_overlay(Screen::Settings);
                             self.state
@@ -1854,6 +1909,10 @@ impl App {
                 use crate::ui::sentinel_config;
                 sentinel_config::render(f, &self.state);
             }
+            Screen::ShieldDashboard => {
+                use crate::ui::shield_dashboard;
+                shield_dashboard::render(f, &self.state);
+            }
             Screen::Settings => {
                 use crate::ui::settings;
                 settings::render(f, &self.state);
@@ -2588,6 +2647,50 @@ impl App {
         Ok(false)
     }
 
+    fn handle_shield_dashboard_input(
+        &mut self,
+        key: KeyEvent,
+        ws_client: Option<&WebSocketClient>,
+    ) -> anyhow::Result<bool> {
+        use crossterm::event::KeyModifiers;
+
+        if key.modifiers.contains(KeyModifiers::CONTROL) {
+            match key.code {
+                KeyCode::Char('c') | KeyCode::Char('q') => return Ok(true),
+                _ => return Ok(false),
+            }
+        }
+
+        match key.code {
+            KeyCode::Char('r') | KeyCode::Char('R') => {
+                if self.state.operation_mode == OperationMode::Connected {
+                    if let Some(ws) = ws_client {
+                        self.begin_shield_load_request(ws);
+                    }
+                }
+                self.request_render("shield_refresh");
+            }
+            KeyCode::Char('a') | KeyCode::Char('A') => {
+                self.state.shield_dashboard.auto_refresh_enabled =
+                    !self.state.shield_dashboard.auto_refresh_enabled;
+                let status = if self.state.shield_dashboard.auto_refresh_enabled {
+                    "ON"
+                } else {
+                    "OFF"
+                };
+                self.add_log(format!("[SHIELD] Live refresh {}", status));
+                self.request_render("shield_live_toggle");
+            }
+            KeyCode::Esc => {
+                self.pop_overlay();
+                self.request_render("shield_close");
+            }
+            _ => {}
+        }
+
+        Ok(false)
+    }
+
     // ============================================================
     // SETTINGS INPUT HANDLING (Step 4.8)
     // ============================================================

package/mk3-tui/src/main.rs

@@ -189,6 +189,27 @@ fn main() -> Result<()> {
             }
         }
 
+        // Shield dashboard: live poll shield.load every ~5s when enabled
+        if matches!(current_screen, Screen::ShieldDashboard)
+            && app.state.operation_mode == OperationMode::Connected
+        {
+            let shield_poll = {
+                let sd = &app.state.shield_dashboard;
+                if !sd.auto_refresh_enabled || sd.loading {
+                    false
+                } else {
+                    sd.last_refresh
+                        .map(|lr| lr.elapsed() >= sd.auto_refresh_interval)
+                        .unwrap_or(true)
+                }
+            };
+            if shield_poll {
+                if let Some(ws) = &ws_client {
+                    app.begin_shield_load_request(ws);
+                }
+            }
+        }
+
         // Run Manager: live poll run.list every ~3s when enabled (no manual R)
         if matches!(current_screen, Screen::RunManager)
             && app.state.operation_mode == OperationMode::Connected
@@ -279,6 +300,58 @@ fn main() -> Result<()> {
                                                 app.state.posture_status = posture_str.to_string();
                                             }
                                         }
+                                        if let Some(sh) =
+                                            obj.get("shield").and_then(|v| v.as_object())
+                                        {
+                                            if let Some(m) =
+                                                sh.get("mode").and_then(|v| v.as_str())
+                                            {
+                                                app.state.shield_mode = m.to_string();
+                                            }
+                                            if let Some(dets) =
+                                                sh.get("detectors").and_then(|v| v.as_array())
+                                            {
+                                                app.state.shield_detectors = dets
+                                                    .iter()
+                                                    .filter_map(|v| {
+                                                        v.as_str().map(|s| s.to_string())
+                                                    })
+                                                    .collect();
+                                            }
+                                            app.state.shield_blocks_total = sh
+                                                .get("blocksTotal")
+                                                .and_then(|v| v.as_u64())
+                                                .unwrap_or(0);
+                                            app.state.shield_masks_total = sh
+                                                .get("masksTotal")
+                                                .and_then(|v| v.as_u64())
+                                                .unwrap_or(0);
+                                        }
+                                        if let Some(sent) =
+                                            obj.get("sentinel").and_then(|v| v.as_object())
+                                        {
+                                            app.state.sentinel_active_runs = sent
+                                                .get("watchedRuns")
+                                                .and_then(|v| v.as_u64())
+                                                .unwrap_or(0) as usize;
+                                            let enabled = sent
+                                                .get("enabled")
+                                                .and_then(|v| v.as_bool())
+                                                .unwrap_or(false);
+                                            let healthy = sent
+                                                .get("healthy")
+                                                .and_then(|v| v.as_bool())
+                                                .unwrap_or(false);
+                                            app.state.sentinel_state = if !enabled {
+                                                "off".to_string()
+                                            } else if app.state.sentinel_active_runs > 0 {
+                                                "watching".to_string()
+                                            } else if healthy {
+                                                "idle".to_string()
+                                            } else {
+                                                "degraded".to_string()
+                                            };
+                                        }
                                         app.add_log(format!(
                                             "✓ [{}] Mode: {}, Posture: {}",
                                             short_id,
@@ -288,6 +361,61 @@ fn main() -> Result<()> {
                                                 .unwrap_or("?")
                                         ));
                                     }
+                                    else if obj.get("shieldDemo").and_then(|v| v.as_bool())
+                                        == Some(true)
+                                    {
+                                        let msg = obj
+                                            .get("message")
+                                            .and_then(|v| v.as_str())
+                                            .unwrap_or("Shield demo run started");
+                                        app.add_log(format!("✓ [{}] {}", short_id, msg));
+                                        if let Some(rid) =
+                                            obj.get("runId").and_then(|v| v.as_str())
+                                        {
+                                            app.add_log(format!(
+                                                "[SHIELD] Demo run id: {} — open Run Manager",
+                                                rid
+                                            ));
+                                        }
+                                    }
+                                    else if obj.get("shieldProbe").and_then(|v| v.as_bool())
+                                        == Some(true)
+                                    {
+                                        let result = obj.get("result");
+                                        let action = result
+                                            .and_then(|r| r.get("decision"))
+                                            .and_then(|d| d.get("action"))
+                                            .and_then(|a| a.as_str())
+                                            .unwrap_or("?");
+                                        app.add_log(format!(
+                                            "✓ [{}] Shield probe: action={}",
+                                            short_id, action
+                                        ));
+                                    }
+                                    else if obj.get("shieldStatus").and_then(|v| v.as_bool())
+                                        == Some(true)
+                                    {
+                                        let metrics = obj.get("metrics").and_then(|v| v.as_object());
+                                        let blocks = metrics
+                                            .and_then(|m| m.get("blocks"))
+                                            .and_then(|v| v.as_u64())
+                                            .unwrap_or(0);
+                                        let masks = metrics
+                                            .and_then(|m| m.get("masks"))
+                                            .and_then(|v| v.as_u64())
+                                            .unwrap_or(0);
+                                        app.state.shield_blocks_total = blocks;
+                                        app.state.shield_masks_total = masks;
+                                        let mode = obj
+                                            .get("health")
+                                            .and_then(|h| h.get("mode"))
+                                            .and_then(|v| v.as_str())
+                                            .unwrap_or("?");
+                                        app.add_log(format!(
+                                            "✓ [{}] Shield {} — {} block(s), {} mask(s)",
+                                            short_id, mode, blocks, masks
+                                        ));
+                                    }
                                     // Handle agent.list response
                                     else if let Some(agents_data) = obj.get("agents") {
                                         if let Some(agents_array) = agents_data.as_array() {
@@ -562,6 +690,66 @@ fn main() -> Result<()> {
                                         }
                                         app.request_render("run_quick_ok");
                                     }
+                                    // Shield dashboard: load health + config + metrics + history
+                                    else if Some(&resp.id)
+                                        == app.state.pending_shield_load_id.as_ref()
+                                    {
+                                        app.state.pending_shield_load_id = None;
+                                        if obj.get("shieldLoad").and_then(|v| v.as_bool()) == Some(true)
+                                        {
+                                            use crate::ui::shield_dashboard::parse_shield_load;
+                                            let health_val = obj
+                                                .get("health")
+                                                .cloned()
+                                                .unwrap_or(serde_json::Value::Null);
+                                            let config_val = obj
+                                                .get("config")
+                                                .cloned()
+                                                .unwrap_or(serde_json::Value::Null);
+                                            let metrics_val = obj
+                                                .get("metrics")
+                                                .cloned()
+                                                .unwrap_or(serde_json::Value::Null);
+                                            let gateway_health_val = obj
+                                                .get("gatewayHealth")
+                                                .cloned()
+                                                .unwrap_or(serde_json::Value::Null);
+                                            let runs_val = obj
+                                                .get("recentRuns")
+                                                .cloned()
+                                                .unwrap_or(serde_json::Value::Null);
+                                            let warnings_vec: Vec<String> = obj
+                                                .get("warnings")
+                                                .and_then(|v| v.as_array())
+                                                .map(|a| {
+                                                    a.iter()
+                                                        .filter_map(|w| {
+                                                            w.as_str().map(|s| s.to_string())
+                                                        })
+                                                        .collect()
+                                                })
+                                                .unwrap_or_default();
+                                            let (h, c, m, mut w, recent) = parse_shield_load(
+                                                &health_val,
+                                                &config_val,
+                                                &metrics_val,
+                                                &gateway_health_val,
+                                                &runs_val,
+                                            );
+                                            w.extend(warnings_vec);
+                                            app.state.shield_dashboard.apply_load(
+                                                &h, &c, &m, w, recent,
+                                            );
+                                            app.state.shield_mode = h.mode.clone();
+                                            app.state.shield_blocks_total = m.blocks;
+                                            app.state.shield_masks_total = m.masks;
+                                            app.add_log(format!(
+                                                "✓ [{}] Shield loaded — {} block(s), {} mask(s)",
+                                                short_id, m.blocks, m.masks
+                                            ));
+                                        }
+                                        app.request_render("shield_loaded");
+                                    }
                                     // Sentinel config: load templates + current + health
                                     else if Some(&resp.id)
                                         == app.state.pending_sentinel_load_id.as_ref()
@@ -1435,6 +1623,14 @@ fn main() -> Result<()> {
                                     "✗ [{}] run.quick failed: {}",
                                     short_id, error_msg
                                 ));
+                            } else if Some(&resp.id) == app.state.pending_shield_load_id.as_ref() {
+                                app.state.pending_shield_load_id = None;
+                                app.state.shield_dashboard.loading = false;
+                                app.state.shield_dashboard.error = Some(error_msg.clone());
+                                app.add_log(format!(
+                                    "✗ [{}] shield.load failed: {}",
+                                    short_id, error_msg
+                                ));
                             } else if Some(&resp.id) == app.state.pending_sentinel_load_id.as_ref()
                             {
                                 app.state.pending_sentinel_load_id = None;

package/mk3-tui/src/screens/mod.rs

@@ -18,6 +18,7 @@ pub enum Screen {
     AgentBuilder,
     RunManager,
     SentinelConfig,
+    ShieldDashboard,
     Settings,
     AgentList,
     ConnectionPortal,
@@ -40,7 +41,7 @@ impl Screen {
     pub fn is_overlay(&self) -> bool {
         matches!(
             self,
-            Screen::AgentBuilder | Screen::RunManager | Screen::SentinelConfig | Screen::Settings | Screen::AgentList
+            Screen::AgentBuilder | Screen::RunManager | Screen::SentinelConfig | Screen::ShieldDashboard | Screen::Settings | Screen::AgentList
         )
     }
 
@@ -70,6 +71,7 @@ impl Screen {
             Screen::AgentBuilder => "Agent Builder",
             Screen::RunManager => "Run Manager",
             Screen::SentinelConfig => "Sentinel Config",
+            Screen::ShieldDashboard => "Shield",
             Screen::Settings => "Settings",
             Screen::AgentList => "Agent List",
             Screen::ConnectionPortal => "Connection Portal",

package/mk3-tui/src/ui/layout.rs

@@ -394,6 +394,18 @@ fn render_left_column(f: &mut Frame, area: Rect, state: &AppState) {
             Style::default().fg(TEXT_DIM),
         ),
     ]));
+    if state.shield_blocks_total > 0 || state.shield_masks_total > 0 {
+        lines.push(Line::from(vec![
+            Span::raw("  "),
+            Span::styled(
+                format!(
+                    "↳ {} block(s) · {} mask(s) (Gateway metrics)",
+                    state.shield_blocks_total, state.shield_masks_total
+                ),
+                Style::default().fg(TEXT_DIM),
+            ),
+        ]));
+    }
 
     // Sentinel status
     let sentinel_color = match state.sentinel_state.as_str() {

package/mk3-tui/src/ui/mod.rs

@@ -8,5 +8,6 @@ pub mod portal_monitoring;
 pub mod run_manager;
 pub mod safe_viewport;
 pub mod sentinel_config;
+pub mod shield_dashboard;
 pub mod settings;
 pub mod setup_portal;

package/mk3-tui/src/ui/run_manager.rs

@@ -67,6 +67,9 @@ pub struct RunInfo {
     pub total_cost: Option<f64>,
     pub model: Option<String>,
     pub error_message: Option<String>,
+    /// True when Gateway output indicates Shield blocked or masked on the run path.
+    pub shield_blocked: bool,
+    pub safety_reason: Option<String>,
     pub logs: Vec<String>,
 }
 
@@ -213,12 +216,20 @@ pub fn run_info_from_gateway_value(v: &Value) -> Option<RunInfo> {
                 .collect()
         })
         .unwrap_or_default();
-    let error_message = o
-        .get("output")
-        .and_then(|out| out.as_object())
+    let output_obj = o.get("output").and_then(|out| out.as_object());
+    let error_message = output_obj
         .and_then(|oo| oo.get("error"))
         .and_then(|e| e.as_str())
         .map(|s| s.to_string());
+    let safety_reason = output_obj
+        .and_then(|oo| oo.get("reason"))
+        .and_then(|r| r.as_str())
+        .map(|s| s.to_string());
+    let shield_blocked = error_message
+        .as_deref()
+        .map(|e| e.to_lowercase().contains("shield"))
+        .unwrap_or(false)
+        || logs.iter().any(|l| l.to_lowercase().contains("shield blocked"));
     let model = o
         .get("input")
         .and_then(|i| i.as_object())
@@ -248,6 +259,8 @@ pub fn run_info_from_gateway_value(v: &Value) -> Option<RunInfo> {
         total_cost: None,
         model,
         error_message,
+        shield_blocked,
+        safety_reason,
         logs,
     })
 }
@@ -542,7 +555,7 @@ fn render_run_list(f: &mut Frame, area: Rect, state: &RunManagerState) {
             let duration_str = run.duration.as_deref().unwrap_or("--");
 
             // Build line with colored spans
-            let line = Line::from(vec![
+            let mut spans = vec![
                 Span::styled(
                     if is_selected { "▶ " } else { "  " },
                     Style::default().fg(BRAND_PURPLE).bold(),
@@ -551,6 +564,16 @@ fn render_run_list(f: &mut Frame, area: Rect, state: &RunManagerState) {
                     format!("{:<10}", run.status.as_str()),
                     Style::default().fg(run.status.color()).bold(),
                 ),
+            ];
+            if run.shield_blocked {
+                spans.push(Span::styled(
+                    " SHIELD ",
+                    Style::default()
+                        .fg(Color::Rgb(255, 140, 0))
+                        .add_modifier(Modifier::BOLD),
+                ));
+            }
+            spans.extend([
                 Span::styled(" │ ", Style::default().fg(TEXT_DIM)),
                 Span::styled(
                     format!("{:<20}", run.name),
@@ -583,6 +606,8 @@ fn render_run_list(f: &mut Frame, area: Rect, state: &RunManagerState) {
                 ),
             ]);
 
+            let line = Line::from(spans);
+
             ListItem::new(line)
         })
         .collect();
@@ -764,8 +789,28 @@ fn render_detail_view(f: &mut Frame, area: Rect, state: &RunManagerState) {
         ]));
     }
 
-    // Add error if present
-    if let Some(error) = &run.error_message {
+    if run.shield_blocked {
+        info_lines.push(Line::from(""));
+        info_lines.push(
+            Line::from("Safety (Shield):").style(Style::default().fg(Color::Rgb(255, 140, 0)).bold()),
+        );
+        info_lines.push(Line::from(vec![
+            Span::styled("  Action: ", Style::default().fg(TEXT_DIM)),
+            Span::styled("BLOCKED", Style::default().fg(Color::Rgb(255, 140, 0)).bold()),
+        ]));
+        if let Some(reason) = &run.safety_reason {
+            info_lines.push(Line::from(vec![
+                Span::styled("  Reason: ", Style::default().fg(TEXT_DIM)),
+                Span::styled(reason, Style::default().fg(TEXT_PRIMARY)),
+            ]));
+        }
+        if let Some(error) = &run.error_message {
+            info_lines.push(Line::from(vec![
+                Span::styled("  Error: ", Style::default().fg(TEXT_DIM)),
+                Span::styled(error, Style::default().fg(Color::Rgb(255, 69, 69))),
+            ]));
+        }
+    } else if let Some(error) = &run.error_message {
         info_lines.push(Line::from(""));
         info_lines
             .push(Line::from("Error:").style(Style::default().fg(Color::Rgb(255, 69, 69)).bold()));