cursor-guard 4.7.0 → 4.7.1

package/README.md

@@ -25,6 +25,10 @@ When Cursor's AI agent edits your files, there's a risk of accidental overwrites
 - **Proactive change-velocity alerts (V4)** — Auto-detects abnormal file change patterns and raises risk warnings
 - **Backup health dashboard (V4)** — One-call comprehensive view: strategy, counts, disk usage, protection scope, health status
 - **Web dashboard (V4.2)** — Local read-only web UI at `http://127.0.0.1:3120` — see health, backups, restore points, diagnostics, protection scope at a glance. Dual-language (zh-CN / en-US), auto-refresh every 15s, multi-project support
+- **IDE extension (V4.7)** — Full dashboard embedded in VSCode/Cursor/Windsurf as a WebView tab + status bar alert indicator + sidebar project tree. No browser needed
+- **One-click hot restart (V4.5.8)** — Dashboard detects new versions and offers in-place server restart without losing state
+- **Shadow incremental hard links (V4.5.4)** — Unchanged files are hard-linked to save disk space and I/O
+- **Strong protection mode (V4.5.4)** — `always_watch: true` auto-starts watcher with MCP server, ensuring zero protection gaps
 
 ---
 
@@ -124,6 +128,11 @@ After installation, your directory structure should look like this:
     │       └── app.js
     ├── mcp/
     │   └── server.js                   # MCP Server (9 tools)
+    ├── vscode-extension/               # IDE Extension (V4.7)
+    │   ├── extension.js                # Extension entry point
+    │   ├── package.json                # Extension manifest
+    │   ├── lib/                        # Modules (dashboard-manager, webview, status-bar, tree-view, poller)
+    │   └── media/                      # Icons (SVG + PNG)
     ├── bin/
     │   ├── cursor-guard-backup.js      # CLI: npx cursor-guard-backup
     │   ├── cursor-guard-doctor.js      # CLI: npx cursor-guard-doctor
@@ -388,6 +397,7 @@ The skill activates on these signals:
 | `references/bin/cursor-guard-doctor.js` | CLI entry: `npx cursor-guard-doctor` |
 | `references/dashboard/server.js` | Dashboard HTTP server + REST API |
 | `references/dashboard/public/` | Dashboard web UI (index.html, style.css, app.js) |
+| `references/vscode-extension/` | IDE Extension: WebView dashboard, status bar, sidebar tree, commands |
 | `references/auto-backup.ps1` / `.sh` | Thin wrappers (Windows / macOS+Linux) |
 | `references/guard-doctor.ps1` / `.sh` | Thin wrappers (Windows / macOS+Linux) |
 | `references/recovery.md` | Recovery command templates |
@@ -400,6 +410,33 @@ The skill activates on these signals:
 
 ## Changelog
 
+### v4.7.0 — IDE Extension
+
+- **Feature**: VSCode/Cursor/Windsurf extension — full dashboard as WebView tab, status bar alert indicator, sidebar TreeView with project status, Command Palette integration
+- **Feature**: Auto-activation on `.cursor-guard.json` detection, dashboard server runs in extension host process (zero subprocess overhead)
+- **Adapt**: `fetchJson()` supports `__GUARD_BASE_URL__` for WebView; `copyText()` bridges to `vscode.env.clipboard` when in IDE
+
+### v4.6.x — Alert UX Overhaul
+
+- **Fix**: Alert countdown now updates every second (was only on 15s page refresh)
+- **Fix**: Alert file details modal now shows per-file "Copy Restore Command" buttons
+- **Fix**: Backup stale threshold changed to `max(interval*10, 300)s` (min 5 min); only checks when watcher is running
+- **Feature**: Alert history always accessible (both active and no-alert states), persisted in `localStorage`
+- **Feature**: Alert history as modal dialog with nested file detail drill-down
+
+### v4.5.x — Protection Hardening
+
+- **Fix**: Shadow hard-link ordering bug (previous snapshot was always empty directory)
+- **Fix**: `changedFiles` now filters ignored paths from git diff output
+- **Feature**: Alert structured file list — per-file path, action, +/- lines, sortable tables
+- **Feature**: Shadow incremental hard links — unchanged files linked to previous snapshot, saving disk space
+- **Feature**: `always_watch: true` config — watcher auto-starts with MCP server, zero protection gaps
+- **Feature**: Dashboard server singleton — multiple projects share one port, hot-add new projects
+- **Feature**: Dashboard version detection + one-click hot restart (`/api/restart` endpoint)
+- **Feature**: File detail modal with per-file restore command copy buttons
+- **Feature**: `cursor-guard-init` auto-creates `.cursor-guard.json`; `backup_interval_seconds` alias supported
+- **License**: Changed from MIT to BSL 1.1 (source available, commercial use requires author authorization)
+
 ### v4.4.0 — V4 Final
 
 - **Fix**: First snapshot now generates "Added N: file1, file2, ..." summary instead of blank — previously the very first backup had no summary because there was no parent tree to diff against
@@ -489,6 +526,16 @@ The skill activates on these signals:
 
 ---
 
+## Support / Donate
+
+This is an independent open-source project maintained by a solo developer. If Cursor Guard has saved your code or your time, consider buying me a coffee :)
+
+| WeChat Pay | Alipay |
+|:---:|:---:|
+| <img src="media/wechat-pay.png" alt="WeChat Pay" width="200"> | <img src="media/alipay.jpg" alt="Alipay" width="200"> |
+
+---
+
 ## License
 
-MIT
+[BSL 1.1 (Business Source License)](LICENSE) — Source code is freely available for viewing, modification, and non-commercial use. Commercial use requires authorization from the author. Auto-converts to Apache 2.0 on 2056-03-22.

package/README.zh-CN.md

@@ -25,6 +25,10 @@
 - **主动变更频率告警（V4）** — 自动检测异常文件变更模式并发出风险预警
 - **备份健康看板（V4）** — 一次调用全面查看：策略、数量、磁盘占用、保护范围、健康状态
 - **Web 仪表盘（V4.2）** — 本地只读 Web 页面 `http://127.0.0.1:3120`——健康状态、备份、恢复点、诊断、保护范围一目了然。中英双语、每 15 秒自动刷新、支持多项目监控
+- **IDE 扩展（V4.7）** — 完整仪表盘嵌入 VSCode/Cursor/Windsurf，WebView 标签页 + 状态栏告警指示器 + 侧边栏项目树。无需打开浏览器
+- **一键热重启（V4.5.8）** — 仪表盘检测到新版本时可原地重启服务，不丢失状态
+- **Shadow 增量硬链接（V4.5.4）** — 未变更文件硬链接到上次快照，节省磁盘空间和 I/O
+- **强保护模式（V4.5.4）** — `always_watch: true` 让 watcher 随 MCP server 自动启动，确保零保护缺口
 
 ---
 
@@ -124,6 +128,11 @@ git clone https://github.com/zhangqiang8vipp/cursor-guard.git .cursor/skills/cur
     │       └── app.js
     ├── mcp/
     │   └── server.js                   # MCP Server（9 个工具）
+    ├── vscode-extension/               # IDE 扩展（V4.7）
+    │   ├── extension.js                # 扩展入口
+    │   ├── package.json                # 扩展清单
+    │   ├── lib/                        # 模块（dashboard-manager、webview、status-bar、tree-view、poller）
+    │   └── media/                      # 图标（SVG + PNG）
     ├── bin/
     │   ├── cursor-guard-backup.js      # CLI：npx cursor-guard-backup
     │   ├── cursor-guard-doctor.js      # CLI：npx cursor-guard-doctor
@@ -388,6 +397,7 @@ code --install-extension .
 | `references/bin/cursor-guard-doctor.js` | CLI 入口：`npx cursor-guard-doctor` |
 | `references/dashboard/server.js` | 仪表盘 HTTP 服务 + REST API |
 | `references/dashboard/public/` | 仪表盘 Web UI（index.html、style.css、app.js） |
+| `references/vscode-extension/` | IDE 扩展：WebView 仪表盘、状态栏、侧边栏树、命令面板 |
 | `references/auto-backup.ps1` / `.sh` | 薄封装（Windows / macOS+Linux） |
 | `references/guard-doctor.ps1` / `.sh` | 薄封装（Windows / macOS+Linux） |
 | `references/recovery.md` | 恢复命令模板 |
@@ -400,6 +410,33 @@ code --install-extension .
 
 ## 更新日志
 
+### v4.7.0 — IDE 扩展
+
+- **功能**：VSCode/Cursor/Windsurf 扩展 — 完整仪表盘作为 WebView 标签页嵌入，状态栏告警指示器，侧边栏 TreeView 项目状态，命令面板集成
+- **功能**：检测到 `.cursor-guard.json` 自动激活，Dashboard 服务在扩展宿主进程内运行（零额外进程开销）
+- **适配**：`fetchJson()` 支持 `__GUARD_BASE_URL__` 用于 WebView；`copyText()` 在 IDE 中通过 `postMessage` 桥接到 `vscode.env.clipboard`
+
+### v4.6.x — 告警 UX 大优化
+
+- **修复**：告警倒计时现在每秒更新（之前仅在 15 秒页面刷新时更新）
+- **修复**：告警文件详情弹窗支持每文件「复制恢复命令」按钮
+- **修复**：备份过时阈值改为 `max(interval*10, 300)` 秒（至少 5 分钟）；仅在 watcher 运行时检查
+- **功能**：告警历史始终可访问（无论是否有活跃告警），使用 `localStorage` 持久化
+- **功能**：告警历史作为弹窗展示，支持嵌套查看文件详情
+
+### v4.5.x — 保护加固
+
+- **修复**：Shadow 硬链接顺序 bug（上次快照总是空目录）
+- **修复**：`changedFiles` 现在过滤忽略路径
+- **功能**：告警结构化文件列表 — 每文件路径、操作、+/- 行数，支持排序
+- **功能**：Shadow 增量硬链接 — 未变更文件链接到上次快照，节省磁盘空间
+- **功能**：`always_watch: true` 配置 — watcher 随 MCP server 自动启动，零保护缺口
+- **功能**：Dashboard 服务单例 — 多项目共享一个端口，热加载新项目
+- **功能**：Dashboard 版本检测 + 一键热重启（`/api/restart` 端点）
+- **功能**：文件详情弹窗 + 每文件恢复命令复制按钮
+- **功能**：`cursor-guard-init` 自动创建 `.cursor-guard.json`；支持 `backup_interval_seconds` 别名
+- **许可证**：从 MIT 变更为 BSL 1.1（源码可见，商业使用需作者授权）
+
 ### v4.4.0 — V4 收官版
 
 - **修复**：首次快照现在会生成 "Added N: file1, file2, ..." 摘要，而不是空白——之前第一次备份因为没有 parent tree 对比所以 summary 始终为空
@@ -489,6 +526,16 @@ code --install-extension .
 
 ---
 
+## 支持 / 捐赠
+
+这是一个独立开发者维护的开源项目。如果 Cursor Guard 拯救过你的代码或节省了你的时间，欢迎请我喝杯咖啡 :)
+
+| 微信支付 | 支付宝 |
+|:---:|:---:|
+| <img src="media/wechat-pay.png" alt="微信支付" width="200"> | <img src="media/alipay.jpg" alt="支付宝" width="200"> |
+
+---
+
 ## 许可证
 
-MIT
+[BSL 1.1（商业源代码许可证）](LICENSE) — 源代码自由查看、修改和非商业使用。商业使用需获得作者授权。2056-03-22 之后自动转为 Apache 2.0。

package/ROADMAP.md

@@ -3,8 +3,8 @@
 > 本文档描述 cursor-guard 从 V2 到 V7 的长期演进方向。
 > 每一代向下兼容，低版本功能永远不废弃。
 >
-> **当前版本**：`V4.7.0`  
-> **文档状态**：`V2` ~ `V4.7.0` 已完成交付（含 V5 intent/audit 基础），`V5` 主体规划中
+> **当前版本**：`V4.7.1`  
+> **文档状态**：`V2` ~ `V4.7.1` 已完成交付（含 V5 intent/audit 基础），`V5` 主体规划中
 
 ## 阅读导航
 
@@ -734,6 +734,16 @@ V4 经过 4 轮系统性代码审查，修复了以下关键问题：
 }
 ```
 
+### V4.7.1：IDE 插件 Bug 修复 + UX 增强 ✅
+
+| 修复/增强 | 说明 |
+|----------|------|
+| **P1 Bug 修复** | `snapshotNow` 中 `loadConfig` 返回 `{cfg, loaded, error, warnings}`，但代码直接传了整个对象。修复为解构 `const { cfg } = loadConfig()` |
+| **WebView CSP** | WebView 缺少 Content-Security-Policy meta 标签，导致 `fetch` 请求被浏览器安全策略阻止（failed to fetch）。添加 CSP 允许 `connect-src` 到 Dashboard Server |
+| **一键启动/停止 Watcher** | `Start Watcher` / `Stop Watcher` 命令从提示文字改为实际 `spawn` 子进程启动和 `SIGTERM` 停止 |
+| **TreeView 彩色化** | 所有图标使用 `ThemeColor`（绿色=正常、红色=告警/停止、蓝色=备份、紫色=统计）。项目节点根据状态显示 Protected/Unprotected/ALERT。新增 Quick Actions 折叠区（Open Dashboard / Snapshot Now / Start/Stop Watcher / Refresh） |
+| **StatusBar 增强** | Watcher 未运行时显示 `$(eye-closed) Guard: Unprotected`；告警时图标动画 `$(bell~spin)` |
+
 ### V4.7.0：IDE 集成（VSCode/Cursor Extension） ✅
 
 | 组件 | 说明 |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cursor-guard",
-  "version": "4.7.0",
+  "version": "4.7.1",
   "description": "Protects code from accidental AI overwrite or deletion in Cursor IDE — mandatory pre-write snapshots, review-before-apply, local Git safety net, and deterministic recovery. | 保护代码免受 Cursor AI 代理意外覆写或删除——强制写前快照、预览再执行、本地 Git 安全网、确定性恢复。",
   "keywords": [
     "cursor",
@@ -51,6 +51,7 @@
     "references/mcp/",
     "references/dashboard/",
     "references/vscode-extension/",
+    "media/",
     "references/config-reference.md",
     "references/config-reference.zh-CN.md",
     "references/cursor-guard.example.json",

package/references/vscode-extension/extension.js

@@ -40,16 +40,38 @@ async function activate(context) {
       poller.forceRefresh();
     }),
 
-    vscode.commands.registerCommand('cursorGuard.startWatcher', () => {
-      vscode.window.showInformationMessage(
-        'Cursor Guard: run `cursor-guard-backup --path <dir> --dashboard` in terminal to start the watcher.'
-      );
+    vscode.commands.registerCommand('cursorGuard.startWatcher', async () => {
+      const folders = vscode.workspace.workspaceFolders;
+      if (!folders || folders.length === 0) {
+        vscode.window.showWarningMessage('Cursor Guard: no workspace folder open.');
+        return;
+      }
+      const projectPath = folders[0].uri.fsPath;
+      const existingPid = dashMgr.getWatcherPid(projectPath);
+      if (existingPid) {
+        vscode.window.showInformationMessage(`Cursor Guard: watcher already running (PID ${existingPid})`);
+        return;
+      }
+      const pid = dashMgr.startWatcher(projectPath);
+      if (pid) {
+        vscode.window.showInformationMessage(`Cursor Guard: watcher started (PID ${pid})`);
+        setTimeout(() => poller.forceRefresh(), 2000);
+      } else {
+        vscode.window.showWarningMessage('Cursor Guard: failed to start watcher');
+      }
     }),
 
-    vscode.commands.registerCommand('cursorGuard.stopWatcher', () => {
-      vscode.window.showInformationMessage(
-        'Cursor Guard: stop the watcher by terminating its terminal process (Ctrl+C).'
-      );
+    vscode.commands.registerCommand('cursorGuard.stopWatcher', async () => {
+      const folders = vscode.workspace.workspaceFolders;
+      if (!folders || folders.length === 0) return;
+      const projectPath = folders[0].uri.fsPath;
+      const stopped = dashMgr.stopWatcher(projectPath);
+      if (stopped) {
+        vscode.window.showInformationMessage('Cursor Guard: watcher stopped');
+        setTimeout(() => poller.forceRefresh(), 1000);
+      } else {
+        vscode.window.showWarningMessage('Cursor Guard: no running watcher found');
+      }
     }),
 
     vscode.commands.registerCommand('cursorGuard.refreshTree', () => {

package/references/vscode-extension/lib/dashboard-manager.js

@@ -3,6 +3,7 @@
 const fs = require('fs');
 const path = require('path');
 const http = require('http');
+const { spawn } = require('child_process');
 
 const CONFIG_FILE = '.cursor-guard.json';
 
@@ -71,13 +72,53 @@ class DashboardManager {
     try {
       const { createGitSnapshot } = require('../../lib/core/snapshot');
       const { loadConfig } = require('../../lib/utils');
-      const cfg = loadConfig(projectPath);
+      const { cfg } = loadConfig(projectPath);
       return createGitSnapshot(projectPath, cfg, { message: 'guard: manual snapshot via IDE extension' });
     } catch (e) {
       return { status: 'error', error: e.message };
     }
   }
 
+  startWatcher(projectPath) {
+    if (!projectPath) return null;
+    const backupScript = path.resolve(__dirname, '..', '..', 'lib', 'auto-backup.js');
+    const child = spawn(process.execPath, [backupScript, '--path', projectPath], {
+      cwd: projectPath,
+      stdio: 'ignore',
+      detached: true,
+    });
+    child.unref();
+    return child.pid;
+  }
+
+  stopWatcher(projectPath) {
+    if (!projectPath) return false;
+    try {
+      const lockPath = path.join(projectPath, '.cursor-guard-backup.lock');
+      if (!fs.existsSync(lockPath)) return false;
+      const lockData = JSON.parse(fs.readFileSync(lockPath, 'utf-8'));
+      if (lockData.pid) {
+        process.kill(lockData.pid, 'SIGTERM');
+        try { fs.unlinkSync(lockPath); } catch { /* ok */ }
+        return true;
+      }
+    } catch { /* ok */ }
+    return false;
+  }
+
+  getWatcherPid(projectPath) {
+    try {
+      const lockPath = path.join(projectPath, '.cursor-guard-backup.lock');
+      if (!fs.existsSync(lockPath)) return null;
+      const lockData = JSON.parse(fs.readFileSync(lockPath, 'utf-8'));
+      if (lockData.pid) {
+        process.kill(lockData.pid, 0);
+        return lockData.pid;
+      }
+    } catch { /* not running */ }
+    return null;
+  }
+
   dispose() {
     this._instance = null;
   }

package/references/vscode-extension/lib/status-bar.js

@@ -14,16 +14,19 @@ class StatusBarController {
   }
 
   _setIdle() {
-    this._item.text = '$(shield) Guard';
+    this._item.text = '$(shield) Guard: init...';
     this._item.backgroundColor = undefined;
+    this._item.color = new vscode.ThemeColor('statusBar.foreground');
   }
 
   _update(data) {
     let hasAlert = false;
     let watcherRunning = false;
     let alertFileCount = 0;
+    let projectCount = 0;
 
     for (const [, p] of data) {
+      projectCount++;
       const d = p.dashboard;
       if (!d) continue;
       if (d.alerts?.active) {
@@ -34,17 +37,25 @@ class StatusBarController {
     }
 
     if (hasAlert) {
-      this._item.text = `$(warning) Guard: ${alertFileCount} files!`;
+      this._item.text = `$(bell~spin) Guard: ${alertFileCount} files!`;
       this._item.backgroundColor = new vscode.ThemeColor('statusBarItem.warningBackground');
-      this._item.tooltip = `Cursor Guard — ALERT: ${alertFileCount} files changed rapidly`;
+      this._item.color = undefined;
+      this._item.tooltip = `Cursor Guard — ALERT: ${alertFileCount} files changed rapidly. Click to open dashboard.`;
     } else if (watcherRunning) {
       this._item.text = '$(shield) Guard: OK';
       this._item.backgroundColor = undefined;
-      this._item.tooltip = 'Cursor Guard — watcher running, no alerts';
+      this._item.color = new vscode.ThemeColor('statusBar.foreground');
+      this._item.tooltip = 'Cursor Guard — watcher running, no alerts. Click to open dashboard.';
+    } else if (projectCount > 0) {
+      this._item.text = '$(eye-closed) Guard: Unprotected';
+      this._item.backgroundColor = undefined;
+      this._item.color = new vscode.ThemeColor('statusBar.foreground');
+      this._item.tooltip = 'Cursor Guard — watcher NOT running. Click to open dashboard, or use Command Palette > Start Watcher.';
     } else {
       this._item.text = '$(shield) Guard';
       this._item.backgroundColor = undefined;
-      this._item.tooltip = 'Cursor Guard — watcher not running';
+      this._item.color = new vscode.ThemeColor('statusBar.foreground');
+      this._item.tooltip = 'Cursor Guard — no projects detected';
     }
   }
 

package/references/vscode-extension/lib/tree-view.js

@@ -24,48 +24,106 @@ class GuardTreeView {
   getChildren(element) {
     if (!element) return this._getRootItems();
     if (element.contextValue === 'project') return this._getProjectChildren(element.projectId);
+    if (element.contextValue === 'actions') return this._getActionItems();
     return [];
   }
 
   _getRootItems() {
     const data = this._poller.data;
-    if (data.size === 0) {
-      return [new TreeItem('No projects detected', 'info', { icon: 'info' })];
-    }
     const items = [];
-    for (const [id, p] of data) {
-      const item = new TreeItem(p.name || id, 'project', {
-        icon: 'folder',
-        description: p.pathLabel,
-        collapsible: vscode.TreeItemCollapsibleState.Expanded,
+
+    if (data.size === 0) {
+      const hint = new TreeItem('No projects detected', 'info', {
+        icon: new vscode.ThemeIcon('info', new vscode.ThemeColor('charts.yellow')),
+        description: 'Add .cursor-guard.json',
       });
-      item.projectId = id;
-      items.push(item);
+      items.push(hint);
+    } else {
+      for (const [id, p] of data) {
+        const d = p.dashboard;
+        const hasAlert = d?.alerts?.active;
+        const watcherOk = d?.watcher?.running;
+        const iconColor = hasAlert
+          ? new vscode.ThemeColor('charts.red')
+          : watcherOk
+            ? new vscode.ThemeColor('charts.green')
+            : new vscode.ThemeColor('charts.yellow');
+        const icon = hasAlert
+          ? new vscode.ThemeIcon('shield', iconColor)
+          : watcherOk
+            ? new vscode.ThemeIcon('shield', iconColor)
+            : new vscode.ThemeIcon('shield', iconColor);
+
+        const item = new TreeItem(p.name || id, 'project', {
+          icon,
+          description: hasAlert ? 'ALERT' : watcherOk ? 'Protected' : 'Unprotected',
+          collapsible: vscode.TreeItemCollapsibleState.Expanded,
+        });
+        item.projectId = id;
+        items.push(item);
+      }
     }
+
+    const actionsItem = new TreeItem('Quick Actions', 'actions', {
+      icon: new vscode.ThemeIcon('zap', new vscode.ThemeColor('charts.blue')),
+      collapsible: vscode.TreeItemCollapsibleState.Collapsed,
+    });
+    items.push(actionsItem);
+
     return items;
   }
 
+  _getActionItems() {
+    const openDash = new TreeItem('Open Dashboard', 'action', {
+      icon: new vscode.ThemeIcon('dashboard', new vscode.ThemeColor('charts.blue')),
+    });
+    openDash.command = { command: 'cursorGuard.openDashboard', title: 'Open Dashboard' };
+
+    const snapshot = new TreeItem('Snapshot Now', 'action', {
+      icon: new vscode.ThemeIcon('device-camera', new vscode.ThemeColor('charts.purple')),
+    });
+    snapshot.command = { command: 'cursorGuard.snapshotNow', title: 'Snapshot Now' };
+
+    const startW = new TreeItem('Start Watcher', 'action', {
+      icon: new vscode.ThemeIcon('play', new vscode.ThemeColor('charts.green')),
+    });
+    startW.command = { command: 'cursorGuard.startWatcher', title: 'Start Watcher' };
+
+    const stopW = new TreeItem('Stop Watcher', 'action', {
+      icon: new vscode.ThemeIcon('debug-stop', new vscode.ThemeColor('charts.red')),
+    });
+    stopW.command = { command: 'cursorGuard.stopWatcher', title: 'Stop Watcher' };
+
+    const refresh = new TreeItem('Refresh', 'action', {
+      icon: new vscode.ThemeIcon('refresh', new vscode.ThemeColor('charts.orange')),
+    });
+    refresh.command = { command: 'cursorGuard.refreshTree', title: 'Refresh' };
+
+    return [openDash, snapshot, startW, stopW, refresh];
+  }
+
   _getProjectChildren(projectId) {
     const p = this._poller.data.get(projectId);
-    if (!p?.dashboard) return [new TreeItem('Loading...', 'loading', { icon: 'loading~spin' })];
+    if (!p?.dashboard) {
+      return [new TreeItem('Loading...', 'loading', {
+        icon: new vscode.ThemeIcon('loading~spin', new vscode.ThemeColor('charts.blue')),
+      })];
+    }
     const d = p.dashboard;
     const items = [];
 
-    const watcherStatus = d.watcher?.running ? 'Running' : 'Stopped';
-    const watcherIcon = d.watcher?.running ? 'eye' : 'eye-closed';
-    const watcherItem = new TreeItem(`Watcher: ${watcherStatus}`, 'watcher', { icon: watcherIcon });
-    if (d.watcher?.pid) watcherItem.description = `PID ${d.watcher.pid}`;
-    items.push(watcherItem);
-
-    if (d.lastBackup?.git) {
-      const ago = this._relativeTime(d.lastBackup.git.timestamp);
-      items.push(new TreeItem(`Last Backup: ${ago}`, 'backup', { icon: 'git-commit' }));
-    }
-
-    if (d.counts) {
-      const gitCount = d.counts.git?.commits || 0;
-      const shadowCount = d.counts.shadow?.snapshots || 0;
-      items.push(new TreeItem(`Backups: ${gitCount} git, ${shadowCount} shadow`, 'counts', { icon: 'database' }));
+    if (d.watcher?.running) {
+      const w = new TreeItem('Watcher: Running', 'watcher', {
+        icon: new vscode.ThemeIcon('eye', new vscode.ThemeColor('charts.green')),
+        description: d.watcher.pid ? `PID ${d.watcher.pid}` : '',
+      });
+      items.push(w);
+    } else {
+      const w = new TreeItem('Watcher: Stopped', 'watcher', {
+        icon: new vscode.ThemeIcon('eye-closed', new vscode.ThemeColor('charts.red')),
+        description: 'Click Quick Actions > Start',
+      });
+      items.push(w);
     }
 
     if (d.alerts?.active) {
@@ -73,18 +131,44 @@ class GuardTreeView {
       const alertItem = new TreeItem(
         `ALERT: ${a.fileCount || '?'} files in ${a.windowSeconds || '?'}s`,
         'alert',
-        { icon: 'warning' }
+        {
+          icon: new vscode.ThemeIcon('bell', new vscode.ThemeColor('charts.red')),
+          description: `threshold: ${a.threshold}`,
+        }
       );
-      alertItem.description = `threshold: ${a.threshold}`;
       items.push(alertItem);
+    } else {
+      items.push(new TreeItem('No alerts', 'noalert', {
+        icon: new vscode.ThemeIcon('check', new vscode.ThemeColor('charts.green')),
+      }));
     }
 
-    const health = d.health?.status || 'unknown';
-    const healthIcon = health === 'healthy' ? 'pass' : health === 'critical' ? 'error' : 'warning';
-    const healthItem = new TreeItem(`Health: ${health}`, 'health', { icon: healthIcon });
-    if (d.health?.issues?.length > 0) {
-      healthItem.description = d.health.issues[0];
+    if (d.lastBackup?.git) {
+      const ago = this._relativeTime(d.lastBackup.git.timestamp);
+      items.push(new TreeItem(`Last Backup: ${ago}`, 'backup', {
+        icon: new vscode.ThemeIcon('git-commit', new vscode.ThemeColor('charts.blue')),
+      }));
+    }
+
+    if (d.counts) {
+      const gitCount = d.counts.git?.commits || 0;
+      const shadowCount = d.counts.shadow?.snapshots || 0;
+      items.push(new TreeItem(`Git: ${gitCount}  Shadow: ${shadowCount}`, 'counts', {
+        icon: new vscode.ThemeIcon('database', new vscode.ThemeColor('charts.purple')),
+      }));
     }
+
+    const health = d.health?.status || 'unknown';
+    const healthColor = health === 'healthy'
+      ? new vscode.ThemeColor('charts.green')
+      : health === 'critical'
+        ? new vscode.ThemeColor('charts.red')
+        : new vscode.ThemeColor('charts.yellow');
+    const healthIcon = health === 'healthy' ? 'pass-filled' : health === 'critical' ? 'error' : 'warning';
+    const healthItem = new TreeItem(`Health: ${health}`, 'health', {
+      icon: new vscode.ThemeIcon(healthIcon, healthColor),
+      description: d.health?.issues?.length > 0 ? d.health.issues[0] : '',
+    });
     items.push(healthItem);
 
     return items;
@@ -111,7 +195,7 @@ class TreeItem extends vscode.TreeItem {
   constructor(label, contextValue, opts = {}) {
     super(label, opts.collapsible || vscode.TreeItemCollapsibleState.None);
     this.contextValue = contextValue;
-    if (opts.icon) this.iconPath = new vscode.ThemeIcon(opts.icon);
+    if (opts.icon) this.iconPath = opts.icon;
     if (opts.description) this.description = opts.description;
   }
 }

package/references/vscode-extension/lib/webview-provider.js

@@ -57,9 +57,19 @@ class WebViewProvider {
     const token = this._dashMgr.token || '';
     const nonce = _getNonce();
 
+    const csp = [
+      `default-src 'none'`,
+      `style-src ${webview.cspSource} 'unsafe-inline'`,
+      `script-src 'nonce-${nonce}' ${webview.cspSource}`,
+      `font-src ${webview.cspSource}`,
+      `img-src ${webview.cspSource} data:`,
+      `connect-src ${baseUrl}`,
+    ].join('; ');
+
     html = html.replace(
       '</head>',
-      `<script nonce="${nonce}">
+      `<meta http-equiv="Content-Security-Policy" content="${csp}">
+<script nonce="${nonce}">
   window.__GUARD_TOKEN__ = "${token}";
   window.__GUARD_BASE_URL__ = "${baseUrl}";
   window.__IN_VSCODE__ = true;