I4cTime · I4cTime · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
@@ -34,6 +34,10 @@ jobs:
           cache-dependency-path: web/pnpm-lock.yaml
 
       - name: Install dependencies
+        env:
+          # Required by @heroui-pro/react postinstall to download licensed
+          # bundle from the HeroUI CDN. Stored as a repo secret.
+          HEROUI_AUTH_TOKEN: ${{ secrets.HEROUI_AUTH_TOKEN }}
         run: pnpm install --frozen-lockfile
 
       - name: Build

@@ -37,6 +37,10 @@ jobs:
           cache-dependency-path: web/pnpm-lock.yaml
 
       - name: Install dependencies
+        env:
+          # Required by @heroui-pro/react postinstall to download licensed
+          # bundle from the HeroUI CDN. Stored as a repo secret.
+          HEROUI_AUTH_TOKEN: ${{ secrets.HEROUI_AUTH_TOKEN }}
         run: pnpm install --frozen-lockfile
 
       - name: Lint

@@ -2,6 +2,25 @@
 
 All notable changes to this project will be documented in this file.
 
+## [Unreleased]
+
+### Changed
+- **Status dashboard rebuilt** — `qring status` (and the `status_dashboard` MCP tool) now serves a denser, more useful live page. New surfaces:
+  - **KPI strip** — total secrets, detected env, protected count, active approvals, hooks (enabled / total), 24-hour read & write counts, denied-action count, and live anomaly count.
+  - **Manifest panel** — declared / required / missing / expired / stale keys from `.q-ring.json`.
+  - **Policy panel** — at-a-glance MCP / exec / secret-policy presence with allow-deny / approval / rotation counts.
+  - **Approvals panel** — every grant with scope, reason, time-remaining, and tamper / expiry state.
+  - **Hooks panel** — every registered shell / HTTP / signal hook with its `key` / `tag` / `event` match summary.
+  - **Agent memory panel** — count of encrypted memory keys.
+  - **Sortable + searchable secrets table** — key / scope / env / type / decay / tags / last-read columns with quick chips (`expired`, `stale`, `protected`) and a `/`-focusable search box.
+  - **Audit log filters** — action chips (`read` / `write` / `delete` / `export`), source chips (`cli` / `mcp` / `hook` / `agent`), and a free-text filter.
+  - **Top-bar controls** — pause SSE updates, force refresh, jump to raw JSON, and a relative "updated Ns ago" timestamp that keeps ticking while paused.
+  - **Keyboard shortcuts** — `/` focus secrets search, `P` pause, `R` refresh, `Esc` blur.
+- **Snapshot payload expanded** — `/api/status` and the SSE stream now also include `version`, `projectPath`, `scopes`, `protectedCount`, `manifest`, `policy`, `approvals`, `hooks`, `memoryKeys`, and `auditMetrics` (action / source counts, top read keys, total events in the last 24h).
+
+### Fixed
+- **Dashboard search input no longer loses focus** — the SSE re-render now uses a focus-preserving DOM swap that retains caret position, selection, and scroll offset across the 5-second tick (previously, typing a search term would be wiped out on every snapshot).
+
 ## [0.10.1] — 2026-04-24
 
 ### Fixed

@@ -626,9 +626,23 @@ qring agent --once
 
 ### Quantum Status Dashboard — Live Monitoring
 
-Launch a real-time dashboard in your browser that visualizes every quantum subsystem at a glance: health summary, decay timers, superposition states, entanglement pairs, active tunnels, anomaly alerts, audit log, and environment detection.
+Launch a real-time dashboard in your browser that turns the entire quantum subsystem into one glanceable page. The dashboard is a single self-contained HTML page served locally — no dependencies, no cloud, no config — and streams updates every 5 seconds via Server-Sent Events while preserving search input and scroll position across ticks.
 
-The dashboard is a self-contained HTML page served locally. Data streams in via Server-Sent Events and updates every 5 seconds — no dependencies, no cloud, no config.
+What you get:
+
+- **KPI strip** — total secrets, detected environment, protected count, active approvals, hooks, 24-hour reads, and live anomaly count.
+- **Health summary** — donut chart of healthy / stale / expired / no-decay secrets plus per-scope counts (global / project / team / org).
+- **Environment** — wavefunction collapse details: detected env, source, branch, and any project context.
+- **Manifest** — `.q-ring.json` summary with declared / required / missing / expired / stale keys.
+- **Policy** — at-a-glance view of MCP, exec, and secret policies (allow/deny tools, deny keys/tags, allow/deny commands, approval & rotation requirements).
+- **Secrets table** — searchable, sortable view of every secret (key, scope, env, type, decay, tags, last read), with quick chips for `expired`, `stale`, and `protected` filters. Press `/` to focus the search box.
+- **Quantum cards** — decay timers, superposition states, entanglement pairs, and active quantum tunnels.
+- **Approvals & hooks** — live list of valid (and tampered) approval grants and every registered hook with its match summary.
+- **Agent memory** — count of encrypted memory keys persisted at `~/.config/q-ring/agent-memory.enc`.
+- **Anomaly alerts** — burst reads, off-hours access, tampered audit chain, and other suspicious patterns.
+- **Audit log (24h)** — filterable feed with action chips (`read`/`write`/`delete`/`export`), source chips (`cli`/`mcp`/`hook`/`agent`), and a free-text filter.
+
+Top-bar controls let you **pause** SSE updates (handy while reading the audit feed), **refresh** on demand, or jump to the raw JSON snapshot at `/api/status`. Keyboard shortcuts: `/` focus secrets search · `P` pause · `R` refresh.
 
 ```bash
 # Open the dashboard (auto-launches your browser)
@@ -727,7 +741,7 @@ q-ring includes a full MCP server with 44 tools for AI agent integration.
 | `verify_audit_chain` | Verify tamper-evident hash chain integrity |
 | `export_audit` | Export audit events in jsonl, json, or csv format |
 | `health_check` | Full health report |
-| `status_dashboard` | Launch the quantum status dashboard via MCP |
+| `status_dashboard` | Launch the quantum status dashboard (SSE) — live KPIs, health, secrets table, manifest, policy, approvals, hooks, agent memory, anomalies, and audit feed |
 | `agent_scan` | Run autonomous agent scan |
 
 ### Governance & Policy Tools

@@ -1,11 +1,33 @@
 ---
 name: qring:dashboard
-description: Start the q-ring local status dashboard (SSE + browser UI). Use when the user wants a live view of secret health without exposing values.
+description: Start the q-ring local status dashboard (SSE + browser UI). Use when the user wants a live view of secret health, manifest gaps, policy posture, approvals, hooks, and audit traffic without exposing secret values.
 ---
 
 # /qring:dashboard
 
 1. Call MCP tool **`status_dashboard`**.
-2. Open the returned `http://127.0.0.1:…` URL in a browser (local only).
+2. Open the returned `http://127.0.0.1:…` URL in a browser (local only — bound to loopback).
 
-If the dashboard is already running, the tool reports the existing URL.
+If the dashboard is already running, the tool reports the existing URL instead of starting a second listener.
+
+## What the page shows
+
+- **KPI strip** — total secrets, detected env, protected count, active approvals, hooks, 24h reads/writes, denied actions, and live anomaly count.
+- **Health summary** — donut of healthy / stale / expired / no-decay secrets with per-scope breakdown.
+- **Environment** — wavefunction collapse details (env, source, branch).
+- **Manifest** — declared / required / missing / expired / stale keys from `.q-ring.json`.
+- **Policy** — MCP / exec / secret policy presence with allow-deny / approval / rotation counts.
+- **Secrets table** — sortable, searchable view of every secret with quick chips for `expired`, `stale`, `protected`.
+- **Quantum cards** — decay timers, superposition states, entanglement pairs, active tunnels.
+- **Approvals & hooks** — live grants and registered hooks with tamper / expiry state and match summaries.
+- **Agent memory** — count of encrypted memory keys.
+- **Anomaly alerts + audit feed** — filterable by action and source with free-text search.
+
+## Controls
+
+- Top bar: pause SSE updates, force refresh, jump to raw JSON (`/api/status`).
+- Keyboard: `/` focus secrets search · `P` pause · `R` refresh · `Esc` blur input.
+
+## Important
+
+The dashboard never renders secret **values** — only metadata. It is safe to share a screenshot for debugging, but the bound URL stays on `127.0.0.1` and should not be exposed beyond the local machine.