Skip to content

feat(vscode): governance visualization, detail panels, and browser executive dashboard#738

Open
MythologIQ wants to merge 11 commits intomicrosoft:mainfrom
MythologIQ:feat/vscode-governance-visualization-v2
Open

feat(vscode): governance visualization, detail panels, and browser executive dashboard#738
MythologIQ wants to merge 11 commits intomicrosoft:mainfrom
MythologIQ:feat/vscode-governance-visualization-v2

Conversation

@MythologIQ
Copy link
Copy Markdown

@MythologIQ MythologIQ commented Apr 3, 2026

Summary

Complete governance visualization system for the Agent OS VS Code extension. Builds a React/Tailwind webview panel system with 8 dedicated detail panels, a 3-slot configurable sidebar, and a browser-based executive governance dashboard with theming, policy editor, and real-time data.

10 commits | 183 files changed | +21,568 / -871 lines

What's Included

1. Governance Visualization Infrastructure

  • SLO Dashboard — gauges, sparklines, budget bars, trust distribution
  • Agent Topology — D3.js force-directed graph with trust-colored nodes
  • Governance Hub — composite tabbed view (SLO + Topology + Audit + Policy)
  • Mock backends for SLO, topology, and policy data during development

2. React/Tailwind Webview Panel System

  • 3-slot configurable sidebar with panel picker overlay (gear icon)
  • 8 summary panels: SLO Dashboard, Agent Topology, Governance Hub, Audit Log, Active Policies, Safety Stats, Kernel Debugger, Memory Browser
  • 8 dedicated detail panels — each sidebar panel opens its own full-panel React view:
Panel Components Data
SLO Dashboard Gauges, sparklines, budget bars SLODataProvider
Agent Topology Force graph, node details, bridges AgentTopologyDataProvider
Governance Hub Tabbed composite (SLO+Topo+Audit+Policy) All providers
Audit Log Severity badges, event table, counts AuditLogger
Active Policies Action badges, rule table, violations PolicyDataProvider
Safety Stats Blocked/warnings/CMVK stat cards AuditLogger.getStats()
Kernel Debugger Agent status table, metrics grid KernelDebuggerProvider
Memory Browser Expandable VFS tree, dir/file counts MemoryBrowserProvider
  • Attention modes: Auto (scanning + priority rotation) and Manual (user-locked)
  • GovernanceStore with event-driven refresh, latency isolation, detail subscriptions
  • Shared panelHost factory with CSP nonce-gated scripts, singleton lifecycle

3. Browser Executive Dashboard

Single-screen grid layout served via local HTTP server (127.0.0.1 only):

  • Layout: SLO banner (full width) | Left tabs (Stats/Kernel/Memory) | Center topology (D3.js) | Right tabs (Policies/Audit/Editor)
  • 6 premium themes persisted to localStorage:
    • Corporate Slate (default), Midnight Blue, Onyx, Azure Mist, High Contrast Dark, High Contrast Light
  • Policy Editor with 5 governance templates:
    • Strict Security, SOC 2 Compliance, GDPR Data Protection, Development Mode, Rate Limiting
    • YAML/JSON/Rego format selector, client-side validation, 4 test scenarios, file download/import
  • Real-time filtering on Audit Log (by severity) and Policies (by action type)
  • SLO trend arrows showing delta between updates
  • WebSocket broadcasts all 4 data types (SLO, topology, audit, policies) every 10s

4. Language Intelligence

  • Diagnostic providers: policy YAML validation, governance rule checking
  • Completion provider: policy keywords, signal names, governance patterns
  • Hover provider: contextual documentation for governance terms
  • Code actions: quick fixes for policy violations

5. Security Hardening

  • CSP nonce-gated scripts on all webviews and browser dashboard
  • esc() / escHtml() on all innerHTML data paths
  • CSP blob: alignment between HTTP header and HTML meta tag
  • CSS class attribute sanitization via regex whitelist
  • XSS fix in CMVK results panel (external API data without escaping)
  • WebSocket session token via Sec-WebSocket-Protocol (not URL query)
  • Server binds to 127.0.0.1 only with rate limiting

6. Testing and Documentation

  • Unit tests for GovernanceStore, detailFetchers, sidebar components, event bus, panel picker
  • SECURITY.md, CHANGELOG.md
  • OTel span validation tests
  • Keyboard navigation (Ctrl+Shift+Up/Down for slot focus)

Architecture

packages/agent-os-vscode/
  src/
    extension.ts                # Activation, command registration
    server/                     # Browser dashboard (HTTP + WebSocket)
      GovernanceServer.ts       # Singleton local server
      browserTemplate.ts        # HTML grid layout
      browserStyles.ts          # 6 CSS themes
      browserScripts.ts         # WebSocket client, filtering, trends
      browserPolicyEditor.ts    # Policy templates + editor logic
    webviews/
      sidebar/                  # 3-slot sidebar (React)
        GovernanceStore.ts      # Event-driven state
        SidebarProvider.ts      # Webview lifecycle
        Sidebar.tsx             # Root component
        PanelPicker.tsx         # Config overlay
        panels/                 # 8 summary components
      shared/                   # DetailShell, panelHost, types
      sloDetail/                # SLO full panel
      topologyDetail/           # Topology full panel
      hubDetail/                # Hub composite panel
      kernelDetail/             # Kernel debugger panel
      memoryDetail/             # Memory browser panel
      statsDetail/              # Safety stats panel
      auditDetail/              # Audit log panel
      policyDetail/             # Policy detail panel
    views/                      # TreeDataProviders
    language/                   # Diagnostics, completions, hovers
    mockBackend/                # Dev data providers
    services/                   # Provider factory
  esbuild.webview.mjs           # 9 React entry points
  tailwind.config.js            # Monolith Ledger design system
  package.json                  # Extension manifest

Test plan

  • tsc --noEmit passes with zero errors
  • eslint src --ext ts passes with zero errors (warnings are pre-existing)
  • Extension activates in VS Code Extension Development Host (F5)
  • All 8 sidebar panels render summary data
  • Clicking each sidebar panel opens its dedicated detail view
  • Active Policies opens the full Policy Editor (not read-only)
  • Panel picker (gear) opens, allows slot config, Apply saves
  • Panel picker modal has opaque background
  • Browser dashboard opens via sidebar link-external icon
  • All 6 themes switch correctly and persist across reload
  • Policy editor: template selection populates textarea with YAML
  • Policy editor: validate, test, download, import all function
  • Audit and policy filters narrow results with match counts
  • SLO trend arrows appear after second WebSocket update
  • Keyboard nav (Ctrl+Shift+Up/Down) moves slot focus
  • No console errors in Extension Host or browser DevTools

Generated with Claude Code

MythologIQ and others added 10 commits March 28, 2026 16:16
@MythologIQ @claude
feat(vscode): add governance visualization infrastructure
00f4288 
Add GovernanceServer with REST API and browser experience, mock backends
for policy/SLO/topology data, export system with HTML report generation,
observability metrics exporter, and service layer for provider factory
and live client integration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
feat(vscode): add React/Tailwind webview panels and sidebar system
a25ea32 
Replace 8-view sidebar with unified 3-slot React panel system. Add
GovernanceStore with event bus, priority engine, scanning mode, and
attention toggle. Add SLO Dashboard, Topology Graph, and Governance Hub
detail panels with D3.js force graph and Chart.js sparklines. Bundle
CDN dependencies locally in assets/vendor/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
feat(vscode): add governance language intelligence and status bar
09387c8 
Add diagnostic provider with governance-specific rules, code actions for
quick fixes, integration rule definitions, and completion provider. Add
governance-aware status bar with real-time indicators.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
refactor(vscode): extract extension to packages/agent-os-vscode/
2edb42f 
Move VS Code extension from packages/agent-os/extensions/vscode/ to
packages/agent-os-vscode/ as a standalone sibling package (aligns with
upstream PR microsoft#546). Integrate upstream security fixes: CSP nonces on all
legacy panels, prototype pollution protection in WorkflowDesigner,
ReDoS-safe regex in PolicyEngine, token-in-SecretStorage for SSO.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
docs(vscode): add documentation, tests, and security policy
1e5764a 
Add HELP.md user guide, SECURITY.md policy, update CHANGELOG.md and
README.md. Add 37 test files covering mock backends, language providers,
webview components, governance store, and sidebar subsystems.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
fix(vscode): harden browser script esc() to escape quotes
a9a190d 
Replace DOM-based esc() with string-based replacement that escapes all
five HTML-significant characters (& < > " '), consistent with
ReportGenerator.ts and escapeHtml utility.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
fix(vscode): address code review security findings
08cdec0 
- WebSocket auth: move session token from URL query string to
  Sec-WebSocket-Protocol subprotocol header. Query strings can leak
  into proxy logs and browser history; subprotocol headers are not
  logged by default. Client sends ['governance-v1', token], server
  validates via handleProtocols callback.

- Rate limiter: add TTL eviction to prevent unbounded Map growth.
  Stale entries are pruned on each checkRateLimit() call.

- Python path: add null byte rejection to prevent POSIX path
  truncation attacks. spawn() already uses array args (no shell),
  so metachar regex is defense-in-depth only.

- CSP style-src: document why 'unsafe-inline' is required (VS Code
  injects theme CSS variables as inline styles at runtime, outside
  extension control). Cannot use style nonces/hashes for
  platform-injected styles.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
fix(vscode): residual sweep — stale docs, misleading comments, test gap
9b62137 
- Correct handleProtocols comment: ws library does NOT reject connections
  when false is returned; real auth is in the connection handler
- Update serverHelpers.ts comment: token now via subprotocol, not query
- Update HELP.md: reflect subprotocol auth and TTL eviction
- Add null byte rejection test for isValidPythonPath
- Add CSP security comments to all 4 legacy webview panels

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
feat(vscode): type safety, OTel validation, keyboard navigation
8022eaa 
- GovernanceStore: constrain panelType from string to DetailPanelType
  union ('slo'|'topology'|'audit'|'policy'|'hub') for compile-time
  safety on detail subscriptions and fetcher dispatch

- MetricsExporter: validate endpoint URL on construction and
  setEndpoint(). Reject non-URL strings and non-http(s) protocols
  with console.warn. push() silently no-ops when endpoint is empty.
  4 new tests for validation behavior.

- Sidebar keyboard navigation: Arrow Up/Down moves focus between
  panel slots. Slots have tabIndex, role="region", aria-label, and
  focus-visible ring. Keybindings registered in package.json
  (ctrl+shift+down/up when sidebar focused).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ @claude
feat(vscode): add detail panels, browser executive dashboard, and sec…
39433f1 
…urity hardening

Add 5 dedicated detail webview panels (Kernel Debugger, Memory Browser,
Safety Stats, Audit Log, Active Policies) so all 8 sidebar panels now
open their own full-panel React views instead of falling back to the
Governance Hub.

Redesign the browser dashboard as an executive governance experience:
- Single-screen grid layout with all panels visible simultaneously
- 6 premium themes (Corporate Slate, Midnight Blue, Onyx, Azure Mist,
  High Contrast Dark, High Contrast Light) persisted via localStorage
- Policy editor with 5 governance templates (Strict Security, SOC 2,
  GDPR, Development, Rate Limiting), validation, test scenarios, and
  file download/import
- Real-time filtering on Audit Log (by severity) and Policies (by action)
- SLO trend arrows showing delta between updates
- Full data broadcast (SLO, topology, audit, policies) over WebSocket

Security hardening:
- Fix CSP mismatch between HTTP header and HTML meta tag (blob: for downloads)
- Escape all data values in browser innerHTML with esc() including numerics
- Sanitize CSS class attribute injection via regex whitelist
- Fix pre-existing XSS in CMVK results panel (escHtml on external API data)

Sidebar fixes:
- Panel settings modal now fully opaque (was 5% transparent)
- Browser launch button added to sidebar header
- PROMOTE_COMMANDS correctly routes all 8 panels

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added the size/XL Extra large PR (500+ lines) label Apr 3, 2026
@MythologIQ @claude
merge: resolve conflicts with upstream/main
35a7cd0 
Take our governance visualization features (detail panels, browser
dashboard, security hardening) over upstream's base version. Bump
version to 3.1.0 to follow upstream's 3.0.2 scheme. Remove
package-lock.json per upstream convention.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MythologIQ MythologIQ mentioned this pull request Apr 3, 2026
Closed
16 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size/XL Extra large PR (500+ lines)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MythologIQ