From e6da819ec8605bc7f0f0abc46ebe92579d550af6 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 14:50:26 -0700
Subject: [PATCH 01/18] feat(dashboard): add risk activity page

---
 .../dashboard/src/components/app-sidebar.tsx  |   1 +
 .../src/components/log-workbench.tsx          |  74 +++
 .../dashboard/src/components/page-header.tsx  |   1 +
 .../src/pages/security/RiskActivity.tsx       | 464 ++++++++++++++++++
 .../src/pages/security/SecurityOverview.tsx   | 157 +-----
 .../src/pages/security/risk-finding-ui.tsx    |  85 ++++
 .../src/pages/security/risk-finding-utils.ts  |  41 ++
 client/dashboard/src/routes.tsx               |   7 +
 8 files changed, 690 insertions(+), 140 deletions(-)
 create mode 100644 client/dashboard/src/components/log-workbench.tsx
 create mode 100644 client/dashboard/src/pages/security/RiskActivity.tsx
 create mode 100644 client/dashboard/src/pages/security/risk-finding-ui.tsx
 create mode 100644 client/dashboard/src/pages/security/risk-finding-utils.ts

diff --git a/client/dashboard/src/components/app-sidebar.tsx b/client/dashboard/src/components/app-sidebar.tsx
index 913e17d81d..0a7e2e7634 100644
--- a/client/dashboard/src/components/app-sidebar.tsx
+++ b/client/dashboard/src/components/app-sidebar.tsx
@@ -132,6 +132,7 @@ export function AppSidebar({ ...props }: React.ComponentProps<typeof Sidebar>) {
                 item={routes.riskOverview}
                 scope="project:read"
               />
+              <ScopeGatedNavItem item={routes.riskActivity} scope="org:admin" />
               <ScopeGatedNavItem
                 item={routes.policyCenter}
                 scope={["project:read", "project:write"]}
diff --git a/client/dashboard/src/components/log-workbench.tsx b/client/dashboard/src/components/log-workbench.tsx
new file mode 100644
index 0000000000..454f78ff72
--- /dev/null
+++ b/client/dashboard/src/components/log-workbench.tsx
@@ -0,0 +1,74 @@
+import { cn } from "@/lib/utils";
+import type React from "react";
+
+export interface LogWorkbenchProps {
+  title: React.ReactNode;
+  description?: React.ReactNode;
+  actions?: React.ReactNode;
+  filters?: React.ReactNode;
+  status?: React.ReactNode;
+  header?: React.ReactNode;
+  children: React.ReactNode;
+  footer?: React.ReactNode;
+  detail?: React.ReactNode;
+  onScroll?: React.UIEventHandler<HTMLDivElement>;
+  scrollRef?: React.Ref<HTMLDivElement>;
+  contentClassName?: string;
+  className?: string;
+}
+
+export function LogWorkbench({
+  title,
+  description,
+  actions,
+  filters,
+  status,
+  header,
+  children,
+  footer,
+  detail,
+  onScroll,
+  scrollRef,
+  contentClassName,
+  className,
+}: LogWorkbenchProps) {
+  return (
+    <>
+      <div className={cn("flex min-h-0 w-full flex-1 flex-col", className)}>
+        <div className="shrink-0 px-8 py-4">
+          <div className="mb-4 flex items-start justify-between gap-4">
+            <div className="flex min-w-0 flex-col gap-1">
+              <h1 className="text-xl font-semibold">{title}</h1>
+              {description ? (
+                <p className="text-muted-foreground text-sm">{description}</p>
+              ) : null}
+            </div>
+            {actions ? (
+              <div className="flex shrink-0 items-center gap-2">{actions}</div>
+            ) : null}
+          </div>
+          {filters ? (
+            <div className="flex flex-wrap items-center gap-4">{filters}</div>
+          ) : null}
+        </div>
+
+        <div className="min-h-0 flex-1 overflow-hidden border-t">
+          <div className="bg-background flex h-full flex-col">
+            {status}
+            {header}
+            <div
+              ref={scrollRef}
+              className={cn("flex-1 overflow-y-auto", contentClassName)}
+              onScroll={onScroll}
+            >
+              {children}
+            </div>
+            {footer}
+          </div>
+        </div>
+      </div>
+
+      {detail}
+    </>
+  );
+}
diff --git a/client/dashboard/src/components/page-header.tsx b/client/dashboard/src/components/page-header.tsx
index d2101e0a26..30bdfbd597 100644
--- a/client/dashboard/src/components/page-header.tsx
+++ b/client/dashboard/src/components/page-header.tsx
@@ -71,6 +71,7 @@ const breadcrumbSubstitutions = {
   "audit-logs": "Audit Logs",
   "admin-settings": "Admin Settings",
   "risk-overview": "Risk Overview",
+  "risk-activity": "Risk Activity",
   "risk-policies": "Risk Policies",
   // The URL segments `slack` and `clis` are preserved for backwards
   // compatibility, but the sidebar/route titles were rebranded — map them
diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
new file mode 100644
index 0000000000..e0e02041e8
--- /dev/null
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -0,0 +1,464 @@
+import { LogWorkbench } from "@/components/log-workbench";
+import { Page } from "@/components/page-layout";
+import { RequireScope } from "@/components/require-scope";
+import { Button } from "@/components/ui/button";
+import { Drawer, DrawerContent } from "@/components/ui/drawer";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select";
+import { useSdkClient } from "@/contexts/Sdk";
+import { cn } from "@/lib/utils";
+import { ChatDetailPanel } from "@/pages/chatLogs/ChatDetailPanel";
+import type { RiskResult } from "@gram/client/models/components";
+import {
+  invalidateAllRiskListShadowMCPApprovals,
+  useRiskApproveShadowMCPMutation,
+  useRiskListPolicies,
+} from "@gram/client/react-query/index.js";
+import { Icon } from "@speakeasy-api/moonshine";
+import { useInfiniteQuery, useQueryClient } from "@tanstack/react-query";
+import { RefreshCw, ShieldOff } from "lucide-react";
+import { useCallback, useMemo, useRef } from "react";
+import { useSearchParams } from "react-router";
+import { toast } from "sonner";
+import { CategoryLabel, MaskedMatch } from "./risk-finding-ui";
+
+export default function RiskActivity() {
+  return (
+    <RequireScope scope="org:admin" level="page">
+      <Page>
+        <Page.Header>
+          <Page.Header.Breadcrumbs />
+        </Page.Header>
+        <Page.Body fullWidth fullHeight overflowHidden noPadding>
+          <RiskActivityContent />
+        </Page.Body>
+      </Page>
+    </RequireScope>
+  );
+}
+
+function RiskActivityContent() {
+  const client = useSdkClient();
+  const queryClient = useQueryClient();
+  const [searchParams, setSearchParams] = useSearchParams();
+  const selectedChatId = searchParams.get("chat_id");
+  const policyFilter = searchParams.get("policy_id") ?? "";
+  const containerRef = useRef<HTMLDivElement>(null);
+
+  const setSelectedChatId = useCallback(
+    (chatId: string | null) => {
+      setSearchParams(
+        (prev) => {
+          const next = new URLSearchParams(prev);
+          if (chatId) {
+            next.set("chat_id", chatId);
+          } else {
+            next.delete("chat_id");
+          }
+          return next;
+        },
+        { replace: true },
+      );
+    },
+    [setSearchParams],
+  );
+
+  const setPolicyFilter = useCallback(
+    (policyId: string) => {
+      setSearchParams(
+        (prev) => {
+          const next = new URLSearchParams(prev);
+          if (policyId) {
+            next.set("policy_id", policyId);
+          } else {
+            next.delete("policy_id");
+          }
+          return next;
+        },
+        { replace: true },
+      );
+      containerRef.current?.scrollTo({ top: 0 });
+    },
+    [setSearchParams],
+  );
+
+  const { data: policiesData, isLoading: policiesLoading } =
+    useRiskListPolicies();
+  const policies = useMemo(
+    () => policiesData?.policies ?? [],
+    [policiesData?.policies],
+  );
+  const policyMessageById = useMemo(() => {
+    const m = new Map<string, string>();
+    for (const policy of policies) {
+      if (policy.userMessage && policy.userMessage.trim() !== "") {
+        m.set(policy.id, policy.userMessage);
+      }
+    }
+    return m;
+  }, [policies]);
+
+  const resultsQuery = useInfiniteQuery({
+    queryKey: ["risk", "results", "list", policyFilter],
+    queryFn: async ({ pageParam }) => {
+      return client.risk.results.list({
+        cursor: pageParam,
+        limit: 50,
+        policyId: policyFilter || undefined,
+      });
+    },
+    initialPageParam: undefined as string | undefined,
+    getNextPageParam: (lastPage) => lastPage.nextCursor ?? undefined,
+  });
+
+  const results = useMemo(
+    () => resultsQuery.data?.pages.flatMap((p) => p.results) ?? [],
+    [resultsQuery.data],
+  );
+  const totalCount = resultsQuery.data?.pages[0]?.totalCount ?? results.length;
+  const isInitialLoading = policiesLoading || resultsQuery.isLoading;
+
+  const approveMutation = useRiskApproveShadowMCPMutation();
+  const handleExclude = useCallback(
+    (policyId: string, match: string, serverName?: string) => {
+      approveMutation.mutate(
+        {
+          request: {
+            approveShadowMCPRequestBody: {
+              policyId,
+              match,
+              serverName,
+            },
+          },
+        },
+        {
+          onSuccess: () => {
+            toast.success("Excluded from policy");
+            queryClient.invalidateQueries({
+              queryKey: ["risk", "results", "list"],
+            });
+            invalidateAllRiskListShadowMCPApprovals(queryClient);
+          },
+          onError: (err) => {
+            toast.error(`Failed to exclude: ${err.message ?? "unknown error"}`);
+          },
+        },
+      );
+    },
+    [approveMutation, queryClient],
+  );
+
+  const handleScroll = useCallback(
+    (e: React.UIEvent<HTMLDivElement>) => {
+      const container = e.currentTarget;
+      const distanceFromBottom =
+        container.scrollHeight - (container.scrollTop + container.clientHeight);
+
+      if (resultsQuery.isFetchingNextPage || resultsQuery.isFetching) return;
+      if (!resultsQuery.hasNextPage) return;
+
+      if (distanceFromBottom < 200) {
+        resultsQuery.fetchNextPage();
+      }
+    },
+    [resultsQuery],
+  );
+
+  return (
+    <LogWorkbench
+      title="Risk Activity"
+      description="Review policy findings across recent analyzed chats."
+      actions={
+        <Button
+          variant="outline"
+          size="sm"
+          onClick={() => resultsQuery.refetch()}
+          disabled={resultsQuery.isFetching}
+          aria-label="Refresh risk activity"
+        >
+          <RefreshCw
+            className={cn("h-4 w-4", resultsQuery.isFetching && "animate-spin")}
+          />
+          Refresh
+        </Button>
+      }
+      filters={
+        <Select
+          value={policyFilter || "all"}
+          onValueChange={(value) =>
+            setPolicyFilter(value === "all" ? "" : value)
+          }
+        >
+          <SelectTrigger className="w-[260px]">
+            <SelectValue placeholder="Filter by policy" />
+          </SelectTrigger>
+          <SelectContent>
+            <SelectItem value="all">All policies</SelectItem>
+            {policies.map((policy) => (
+              <SelectItem key={policy.id} value={policy.id}>
+                {policy.name}
+              </SelectItem>
+            ))}
+          </SelectContent>
+        </Select>
+      }
+      status={
+        resultsQuery.isFetching && results.length > 0 ? (
+          <div className="bg-primary/20 h-1 shrink-0">
+            <div className="bg-primary h-full animate-pulse" />
+          </div>
+        ) : null
+      }
+      header={<RiskActivityHeader />}
+      footer={
+        results.length > 0 ? (
+          <RiskActivityFooter
+            count={results.length}
+            totalCount={totalCount}
+            hasNextPage={resultsQuery.hasNextPage}
+            isFetchingNextPage={resultsQuery.isFetchingNextPage}
+            onLoadMore={() => resultsQuery.fetchNextPage()}
+          />
+        ) : null
+      }
+      detail={
+        <Drawer
+          open={!!selectedChatId}
+          onOpenChange={(open) => !open && setSelectedChatId(null)}
+          direction="right"
+        >
+          <DrawerContent className="data-[vaul-drawer-direction=right]:w-[720px] data-[vaul-drawer-direction=right]:sm:max-w-[720px]">
+            {selectedChatId && (
+              <ChatDetailPanel
+                chatId={selectedChatId}
+                resolutions={[]}
+                onClose={() => setSelectedChatId(null)}
+                onDelete={() => setSelectedChatId(null)}
+                collapseNonRisk
+              />
+            )}
+          </DrawerContent>
+        </Drawer>
+      }
+      scrollRef={containerRef}
+      onScroll={handleScroll}
+    >
+      <RiskActivityRows
+        error={resultsQuery.error}
+        isLoading={isInitialLoading}
+        results={results}
+        policyMessageById={policyMessageById}
+        isExcluding={approveMutation.isPending}
+        onSelectChat={setSelectedChatId}
+        onExclude={handleExclude}
+      />
+    </LogWorkbench>
+  );
+}
+
+function RiskActivityHeader() {
+  return (
+    <div className="bg-muted/30 text-muted-foreground flex shrink-0 items-center gap-3 border-b px-8 py-2.5 text-xs font-medium tracking-wide uppercase">
+      <div className="w-[150px] shrink-0">Occurred</div>
+      <div className="w-[140px] shrink-0">Category</div>
+      <div className="w-[160px] shrink-0">Rule</div>
+      <div className="min-w-[160px] flex-1">Chat</div>
+      <div className="w-[180px] shrink-0">User</div>
+      <div className="w-[220px] shrink-0">Match</div>
+      <div className="w-[220px] shrink-0">Policy Note</div>
+      <div className="w-[110px] shrink-0 text-right">Actions</div>
+    </div>
+  );
+}
+
+function RiskActivityRows({
+  error,
+  isLoading,
+  results,
+  policyMessageById,
+  isExcluding,
+  onSelectChat,
+  onExclude,
+}: {
+  error: Error | null;
+  isLoading: boolean;
+  results: RiskResult[];
+  policyMessageById: Map<string, string>;
+  isExcluding: boolean;
+  onSelectChat: (chatId: string | null) => void;
+  onExclude: (policyId: string, match: string, serverName?: string) => void;
+}) {
+  if (error) {
+    return (
+      <div className="flex flex-col items-center gap-3 py-12">
+        <div className="bg-destructive/10 flex size-12 items-center justify-center rounded-full">
+          <Icon name="circle-alert" className="text-destructive size-6" />
+        </div>
+        <span className="text-foreground font-medium">
+          Error loading risk activity
+        </span>
+        <span className="text-muted-foreground max-w-sm text-center text-sm">
+          {error.message}
+        </span>
+      </div>
+    );
+  }
+
+  if (isLoading) {
+    return (
+      <div className="text-muted-foreground flex items-center justify-center gap-2 py-12">
+        <Icon name="loader-circle" className="size-5 animate-spin" />
+        <span>Loading risk activity...</span>
+      </div>
+    );
+  }
+
+  if (results.length === 0) {
+    return (
+      <div className="flex flex-col items-center gap-3 py-12 text-center">
+        <div className="bg-muted flex size-12 items-center justify-center rounded-full">
+          <Icon name="inbox" className="text-muted-foreground size-6" />
+        </div>
+        <span className="text-foreground font-medium">
+          No risk activity found
+        </span>
+        <span className="text-muted-foreground max-w-sm text-sm">
+          Findings will appear here as messages are analyzed.
+        </span>
+      </div>
+    );
+  }
+
+  return (
+    <>
+      {results.map((result) => (
+        <RiskActivityRow
+          key={result.id}
+          result={result}
+          policyNote={policyMessageById.get(result.policyId)}
+          isExcluding={isExcluding}
+          onSelectChat={onSelectChat}
+          onExclude={onExclude}
+        />
+      ))}
+    </>
+  );
+}
+
+function RiskActivityRow({
+  result,
+  policyNote,
+  isExcluding,
+  onSelectChat,
+  onExclude,
+}: {
+  result: RiskResult;
+  policyNote: string | undefined;
+  isExcluding: boolean;
+  onSelectChat: (chatId: string | null) => void;
+  onExclude: (policyId: string, match: string, serverName?: string) => void;
+}) {
+  const isShadowMCP = result.source === "shadow_mcp";
+
+  return (
+    <button
+      type="button"
+      className={cn(
+        "hover:bg-muted/30 flex w-full items-center gap-3 border-b px-8 py-3 text-left text-sm transition-colors",
+        !result.chatId && "cursor-default",
+      )}
+      onClick={() => {
+        if (result.chatId) {
+          onSelectChat(result.chatId);
+        }
+      }}
+    >
+      <div className="text-muted-foreground w-[150px] shrink-0 text-xs">
+        {result.createdAt ? new Date(result.createdAt).toLocaleString() : "-"}
+      </div>
+      <div className="w-[140px] shrink-0">
+        <CategoryLabel source={result.source} ruleId={result.ruleId} />
+      </div>
+      <div className="w-[160px] shrink-0">
+        <span className="font-mono text-xs">{result.ruleId ?? "-"}</span>
+      </div>
+      <div className="text-muted-foreground min-w-[160px] flex-1 truncate">
+        {result.chatTitle ?? "Untitled"}
+      </div>
+      <div className="text-muted-foreground w-[180px] shrink-0 truncate">
+        {result.userId ?? "-"}
+      </div>
+      <div className="w-[220px] shrink-0 truncate">
+        {isShadowMCP && result.match ? (
+          <span className="font-mono text-xs" title={result.match}>
+            {result.match}
+          </span>
+        ) : (
+          <MaskedMatch value={result.match} />
+        )}
+      </div>
+      <div
+        className="text-muted-foreground w-[220px] shrink-0 truncate italic"
+        title={policyNote}
+      >
+        {policyNote ?? "-"}
+      </div>
+      <div className="flex w-[110px] shrink-0 justify-end">
+        {isShadowMCP && result.match ? (
+          <Button
+            variant="ghost"
+            size="sm"
+            disabled={isExcluding}
+            onClick={(e) => {
+              e.stopPropagation();
+              onExclude(result.policyId, result.match!);
+            }}
+            title="Exclude this MCP server from the policy"
+          >
+            <ShieldOff className="mr-1 h-3 w-3" />
+            <span className="text-xs">Exclude</span>
+          </Button>
+        ) : null}
+      </div>
+    </button>
+  );
+}
+
+function RiskActivityFooter({
+  count,
+  totalCount,
+  hasNextPage,
+  isFetchingNextPage,
+  onLoadMore,
+}: {
+  count: number;
+  totalCount: number;
+  hasNextPage: boolean;
+  isFetchingNextPage: boolean;
+  onLoadMore: () => void;
+}) {
+  return (
+    <div className="bg-muted/30 text-muted-foreground flex shrink-0 items-center justify-between gap-4 border-t px-8 py-3 text-sm">
+      <span>
+        Showing {count.toLocaleString()} of {totalCount.toLocaleString()}{" "}
+        {totalCount === 1 ? "finding" : "findings"}
+        {hasNextPage && " - Scroll to load more"}
+      </span>
+      {hasNextPage ? (
+        <Button
+          variant="ghost"
+          size="sm"
+          disabled={isFetchingNextPage}
+          onClick={onLoadMore}
+        >
+          {isFetchingNextPage ? "Loading..." : "Load More"}
+        </Button>
+      ) : null}
+    </div>
+  );
+}
diff --git a/client/dashboard/src/pages/security/SecurityOverview.tsx b/client/dashboard/src/pages/security/SecurityOverview.tsx
index edda84478a..8a414fd67d 100644
--- a/client/dashboard/src/pages/security/SecurityOverview.tsx
+++ b/client/dashboard/src/pages/security/SecurityOverview.tsx
@@ -1,3 +1,4 @@
+import { Button, Icon } from "@speakeasy-api/moonshine";
 import { Page } from "@/components/page-layout";
 import { RequireScope } from "@/components/require-scope";
 import { Type } from "@/components/ui/type";
@@ -17,9 +18,8 @@ import {
   SelectValue,
 } from "@/components/ui/select";
 import { useRoutes } from "@/routes";
-import { Eye, EyeOff, Shield, ShieldOff } from "lucide-react";
-import { Button } from "@/components/ui/button";
-import { useCallback, useMemo, useState } from "react";
+import { Shield, ShieldOff } from "lucide-react";
+import { useCallback, useMemo } from "react";
 import { useSearchParams } from "react-router";
 import { useInfiniteQuery, useQueryClient } from "@tanstack/react-query";
 import {
@@ -29,91 +29,10 @@ import {
 } from "@gram/client/react-query/index.js";
 import { useSdkClient } from "@/contexts/Sdk";
 import { toast } from "sonner";
-import {
-  DETECTION_RULES,
-  RULE_CATEGORY_META,
-  type RuleCategory,
-} from "./policy-data";
-import { humanizeRuleId } from "./rule-ids";
 import { ChatDetailPanel } from "@/pages/chatLogs/ChatDetailPanel";
 import { Drawer, DrawerContent } from "@/components/ui/drawer";
 import { MetricCard } from "@/components/chart/MetricCard";
-import { Button as MoonshineButton, Icon } from "@speakeasy-api/moonshine";
-
-// DETECTION_RULES.id is the canonical rule_id the backend writes to
-// risk_results, so lookup maps key by it directly.
-const RULE_ID_TO_CATEGORY = new Map<string, RuleCategory>();
-const RULE_ID_TO_TITLE = new Map<string, string>();
-for (const [category, rules] of Object.entries(DETECTION_RULES)) {
-  for (const rule of rules) {
-    RULE_ID_TO_CATEGORY.set(rule.id, category as RuleCategory);
-    RULE_ID_TO_TITLE.set(rule.id, rule.title);
-  }
-}
-
-const SOURCE_TO_CATEGORY = new Map<string, RuleCategory>([
-  ["destructive_tool", "destructive_tool"],
-  ["shadow_mcp", "shadow_mcp"],
-  ["prompt_injection", "prompt_injection"],
-  ["cli_destructive", "cli_destructive"],
-]);
-
-function getCategoryForFinding(
-  source: string | undefined,
-  ruleId: string | undefined,
-): RuleCategory | null {
-  if (ruleId) {
-    const byRule = RULE_ID_TO_CATEGORY.get(ruleId);
-    if (byRule) return byRule;
-  }
-  if (source) {
-    return SOURCE_TO_CATEGORY.get(source) ?? null;
-  }
-  return null;
-}
-
-function getRuleTitleFallback(ruleId: string | undefined): string {
-  if (!ruleId) return "-";
-  return RULE_ID_TO_TITLE.get(ruleId) ?? humanizeRuleId(ruleId);
-}
-
-function CategoryLabel({
-  source,
-  ruleId,
-}: {
-  source?: string;
-  ruleId?: string;
-}) {
-  const category = getCategoryForFinding(source, ruleId);
-  if (category) {
-    return (
-      <span className="font-mono text-xs">
-        {RULE_CATEGORY_META[category].label}
-      </span>
-    );
-  }
-  // Unknown source: title-case it so the table cell still reads cleanly
-  // (e.g. a future "presidio_pro" source renders as "Presidio Pro").
-  return (
-    <span className="font-mono text-xs">
-      {source ? humanizeRuleId(source.replace(/_/g, "-")) : "-"}
-    </span>
-  );
-}
-
-// Renders a rule id with a tooltip-quality fallback when the dashboard
-// hasn't seen this rule before. The backend may roll out new gitleaks,
-// presidio, or prompt_injection rules independently of the dashboard, so
-// every snake_case id needs to display legibly without a code change.
-function RuleLabel({ ruleId }: { source?: string; ruleId?: string }) {
-  if (!ruleId) return <span className="font-mono text-xs">-</span>;
-  const title = getRuleTitleFallback(ruleId);
-  return (
-    <span className="font-mono text-xs" title={ruleId}>
-      {title}
-    </span>
-  );
-}
+import { CategoryLabel, MaskedMatch, RuleLabel } from "./risk-finding-ui";
 
 export default function SecurityOverview() {
   return (
@@ -130,48 +49,6 @@ export default function SecurityOverview() {
   );
 }
 
-function MaskedMatch({ value }: { value: string | undefined }) {
-  const [revealed, setRevealed] = useState(false);
-
-  if (!value) return <span>-</span>;
-
-  if (!revealed) {
-    return (
-      <button
-        type="button"
-        className="text-muted-foreground hover:text-foreground inline-flex items-center gap-1 text-xs"
-        onClick={(e) => {
-          e.stopPropagation();
-          setRevealed(true);
-        }}
-      >
-        <EyeOff className="h-3 w-3" />
-        <span>Click to reveal</span>
-      </button>
-    );
-  }
-
-  return (
-    <span className="inline-flex items-center gap-1">
-      <span className="font-mono text-xs">
-        {value.length > 40
-          ? `${value.slice(0, 20)}...${value.slice(-10)}`
-          : value}
-      </span>
-      <button
-        type="button"
-        className="text-muted-foreground hover:text-foreground"
-        onClick={(e) => {
-          e.stopPropagation();
-          setRevealed(false);
-        }}
-      >
-        <Eye className="h-3 w-3" />
-      </button>
-    </span>
-  );
-}
-
 function SecurityOverviewContent() {
   const routes = useRoutes();
   const client = useSdkClient();
@@ -315,15 +192,15 @@ function SecurityOverviewContent() {
           project
         </Page.Section.Description>
         <Page.Section.CTA>
-          <MoonshineButton
+          <Button
             variant="secondary"
             onClick={() => routes.policyCenter.goTo()}
           >
-            <MoonshineButton.Text>Manage Policies</MoonshineButton.Text>
-            <MoonshineButton.RightIcon>
+            <Button.Text>Manage Policies</Button.Text>
+            <Button.RightIcon>
               <Icon name="arrow-right" />
-            </MoonshineButton.RightIcon>
-          </MoonshineButton>
+            </Button.RightIcon>
+          </Button>
         </Page.Section.CTA>
         <Page.Section.Body>
           <div className="bg-muted/20 flex flex-col items-center justify-center rounded-xl border border-dashed px-8 py-16">
@@ -363,15 +240,15 @@ function SecurityOverviewContent() {
         </Page.Section.Description>
 
         <Page.Section.CTA>
-          <MoonshineButton
+          <Button
             variant="secondary"
             onClick={() => routes.policyCenter.goTo()}
           >
-            <MoonshineButton.Text>Manage Policies</MoonshineButton.Text>
-            <MoonshineButton.RightIcon>
+            <Button.Text>Manage Policies</Button.Text>
+            <Button.RightIcon>
               <Icon name="arrow-right" />
-            </MoonshineButton.RightIcon>
-          </MoonshineButton>
+            </Button.RightIcon>
+          </Button>
         </Page.Section.CTA>
 
         <Page.Section.Body>
@@ -439,7 +316,7 @@ function SecurityOverviewContent() {
                 {chatSummaryQuery.hasNextPage && (
                   <div className="flex justify-center">
                     <Button
-                      variant="ghost"
+                      variant="tertiary"
                       size="sm"
                       disabled={chatSummaryQuery.isFetchingNextPage}
                       onClick={() => chatSummaryQuery.fetchNextPage()}
@@ -557,7 +434,7 @@ function SecurityOverviewContent() {
                                   reason="Only organization admins can exclude MCP servers from a policy."
                                 >
                                   <Button
-                                    variant="ghost"
+                                    variant="tertiary"
                                     size="sm"
                                     disabled={approveMutation.isPending}
                                     onClick={(e) => {
@@ -584,7 +461,7 @@ function SecurityOverviewContent() {
                 {resultsQuery.hasNextPage && (
                   <div className="flex justify-center">
                     <Button
-                      variant="ghost"
+                      variant="tertiary"
                       size="sm"
                       disabled={resultsQuery.isFetchingNextPage}
                       onClick={() => resultsQuery.fetchNextPage()}
diff --git a/client/dashboard/src/pages/security/risk-finding-ui.tsx b/client/dashboard/src/pages/security/risk-finding-ui.tsx
new file mode 100644
index 0000000000..3cb04061af
--- /dev/null
+++ b/client/dashboard/src/pages/security/risk-finding-ui.tsx
@@ -0,0 +1,85 @@
+import { Eye, EyeOff } from "lucide-react";
+import { useState } from "react";
+import { RULE_CATEGORY_META } from "./policy-data";
+import { getCategoryForFinding, getRuleTitleFallback } from "./risk-finding-utils";
+import { humanizeRuleId } from "./rule-ids";
+
+export function CategoryLabel({
+  source,
+  ruleId,
+}: {
+  source?: string;
+  ruleId?: string;
+}) {
+  const category = getCategoryForFinding(source, ruleId);
+  if (category) {
+    return (
+      <span className="font-mono text-xs">
+        {RULE_CATEGORY_META[category].label}
+      </span>
+    );
+  }
+  // Unknown source: title-case it so the table cell still reads cleanly
+  // (e.g. a future "presidio_pro" source renders as "Presidio Pro").
+  return (
+    <span className="font-mono text-xs">
+      {source ? humanizeRuleId(source.replace(/_/g, "-")) : "-"}
+    </span>
+  );
+}
+
+// Renders a rule id with a tooltip-quality fallback when the dashboard
+// hasn't seen this rule before. The backend may roll out new gitleaks,
+// presidio, or prompt_injection rules independently of the dashboard, so
+// every snake_case id needs to display legibly without a code change.
+export function RuleLabel({ ruleId }: { source?: string; ruleId?: string }) {
+  if (!ruleId) return <span className="font-mono text-xs">-</span>;
+  const title = getRuleTitleFallback(ruleId);
+  return (
+    <span className="font-mono text-xs" title={ruleId}>
+      {title}
+    </span>
+  );
+}
+
+export function MaskedMatch({ value }: { value: string | undefined }) {
+  const [revealed, setRevealed] = useState(false);
+
+  if (!value) return <span>-</span>;
+
+  if (!revealed) {
+    return (
+      <button
+        type="button"
+        className="text-muted-foreground hover:text-foreground inline-flex items-center gap-1 text-xs"
+        onClick={(e) => {
+          e.stopPropagation();
+          setRevealed(true);
+        }}
+      >
+        <EyeOff className="h-3 w-3" />
+        <span>Click to reveal</span>
+      </button>
+    );
+  }
+
+  return (
+    <span className="inline-flex items-center gap-1">
+      <span className="font-mono text-xs">
+        {value.length > 40
+          ? `${value.slice(0, 20)}...${value.slice(-10)}`
+          : value}
+      </span>
+      <button
+        type="button"
+        className="text-muted-foreground hover:text-foreground"
+        onClick={(e) => {
+          e.stopPropagation();
+          setRevealed(false);
+        }}
+      >
+        <Eye className="h-3 w-3" />
+      </button>
+    </span>
+  );
+}
diff --git a/client/dashboard/src/pages/security/risk-finding-utils.ts b/client/dashboard/src/pages/security/risk-finding-utils.ts
new file mode 100644
index 0000000000..8c66687769
--- /dev/null
+++ b/client/dashboard/src/pages/security/risk-finding-utils.ts
@@ -0,0 +1,41 @@
+import { DETECTION_RULES, type RuleCategory } from "./policy-data";
+import { humanizeRuleId } from "./rule-ids";
+
+// DETECTION_RULES.id is the canonical rule_id the backend writes to
+// risk_results, so lookup maps key by it directly.
+export const RULE_ID_TO_CATEGORY = new Map<string, RuleCategory>();
+
+export const RULE_ID_TO_TITLE = new Map<string, string>();
+
+for (const [category, rules] of Object.entries(DETECTION_RULES)) {
+  for (const rule of rules) {
+    RULE_ID_TO_CATEGORY.set(rule.id, category as RuleCategory);
+    RULE_ID_TO_TITLE.set(rule.id, rule.title);
+  }
+}
+
+export function getRuleTitleFallback(ruleId: string | undefined): string {
+  if (!ruleId) return "-";
+  return RULE_ID_TO_TITLE.get(ruleId) ?? humanizeRuleId(ruleId);
+}
+
+export const SOURCE_TO_CATEGORY = new Map<string, RuleCategory>([
+  ["destructive_tool", "destructive_tool"],
+  ["shadow_mcp", "shadow_mcp"],
+  ["prompt_injection", "prompt_injection"],
+  ["cli_destructive", "cli_destructive"],
+]);
+
+export function getCategoryForFinding(
+  source: string | undefined,
+  ruleId: string | undefined,
+): RuleCategory | null {
+  if (ruleId) {
+    const byRule = RULE_ID_TO_CATEGORY.get(ruleId);
+    if (byRule) return byRule;
+  }
+  if (source) {
+    return SOURCE_TO_CATEGORY.get(source) ?? null;
+  }
+  return null;
+}
diff --git a/client/dashboard/src/routes.tsx b/client/dashboard/src/routes.tsx
index 4641ad1f9a..0e649667c7 100644
--- a/client/dashboard/src/routes.tsx
+++ b/client/dashboard/src/routes.tsx
@@ -71,6 +71,7 @@ import SlackAppsIndex, { SlackAppsRoot } from "./pages/slackapp/SlackApp";
 import TriggersIndex, { TriggersRoot } from "./pages/triggers/Triggers";
 import SlackAppDetailPage from "./pages/slackapp/SlackAppDetail";
 import SecurityOverview from "./pages/security/SecurityOverview";
+import RiskActivity from "./pages/security/RiskActivity";
 import PolicyCenter from "./pages/security/PolicyCenter";
 import Team from "./pages/team/Team";
 import SourceDetails from "./pages/sources/SourceDetails";
@@ -441,6 +442,12 @@ const ROUTE_STRUCTURE = {
     stage: "beta",
     component: SecurityOverview,
   },
+  riskActivity: {
+    title: "Risk Activity",
+    url: "risk-activity",
+    icon: "shield",
+    component: RiskActivity,
+  },
   policyCenter: {
     title: "Risk Policies",
     url: "risk-policies",

From bca134cf88c50c190d02ff8eaadcc68da7972334 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 14:52:13 -0700
Subject: [PATCH 02/18] chore(dashboard): generalize risk shared files

---
 client/dashboard/src/pages/security/RiskActivity.tsx            | 2 +-
 .../src/pages/security/{risk-finding-ui.tsx => risk-ui.tsx}     | 2 +-
 .../src/pages/security/{risk-finding-utils.ts => risk-utils.ts} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename client/dashboard/src/pages/security/{risk-finding-ui.tsx => risk-ui.tsx} (96%)
 rename client/dashboard/src/pages/security/{risk-finding-utils.ts => risk-utils.ts} (100%)

diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
index e0e02041e8..7ea3801baf 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -25,7 +25,7 @@ import { RefreshCw, ShieldOff } from "lucide-react";
 import { useCallback, useMemo, useRef } from "react";
 import { useSearchParams } from "react-router";
 import { toast } from "sonner";
-import { CategoryLabel, MaskedMatch } from "./risk-finding-ui";
+import { CategoryLabel, MaskedMatch } from "./risk-ui";
 
 export default function RiskActivity() {
   return (
diff --git a/client/dashboard/src/pages/security/risk-finding-ui.tsx b/client/dashboard/src/pages/security/risk-ui.tsx
similarity index 96%
rename from client/dashboard/src/pages/security/risk-finding-ui.tsx
rename to client/dashboard/src/pages/security/risk-ui.tsx
index 3cb04061af..d07f998fee 100644
--- a/client/dashboard/src/pages/security/risk-finding-ui.tsx
+++ b/client/dashboard/src/pages/security/risk-ui.tsx
@@ -1,7 +1,7 @@
 import { Eye, EyeOff } from "lucide-react";
 import { useState } from "react";
 import { RULE_CATEGORY_META } from "./policy-data";
-import { getCategoryForFinding, getRuleTitleFallback } from "./risk-finding-utils";
+import { getCategoryForFinding, getRuleTitleFallback} from "./risk-utils";
 import { humanizeRuleId } from "./rule-ids";
 
 export function CategoryLabel({
diff --git a/client/dashboard/src/pages/security/risk-finding-utils.ts b/client/dashboard/src/pages/security/risk-utils.ts
similarity index 100%
rename from client/dashboard/src/pages/security/risk-finding-utils.ts
rename to client/dashboard/src/pages/security/risk-utils.ts

From f003413015bd47ec852b5bc6432b5b57e6732dfa Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 14:54:31 -0700
Subject: [PATCH 03/18] fix(dashboard): polish risk activity timestamp

---
 client/dashboard/src/pages/security/RiskActivity.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
index 7ea3801baf..f89945ec0e 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -264,7 +264,7 @@ function RiskActivityContent() {
 function RiskActivityHeader() {
   return (
     <div className="bg-muted/30 text-muted-foreground flex shrink-0 items-center gap-3 border-b px-8 py-2.5 text-xs font-medium tracking-wide uppercase">
-      <div className="w-[150px] shrink-0">Occurred</div>
+      <div className="w-[150px] shrink-0">Timestamp</div>
       <div className="w-[140px] shrink-0">Category</div>
       <div className="w-[160px] shrink-0">Rule</div>
       <div className="min-w-[160px] flex-1">Chat</div>
@@ -378,7 +378,7 @@ function RiskActivityRow({
         }
       }}
     >
-      <div className="text-muted-foreground w-[150px] shrink-0 text-xs">
+      <div className="text-muted-foreground w-[150px] shrink-0 font-mono text-xs">
         {result.createdAt ? new Date(result.createdAt).toLocaleString() : "-"}
       </div>
       <div className="w-[140px] shrink-0">

From 055b5d712454ebcaacdf521b7981d59bd8f95a6e Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 15:06:04 -0700
Subject: [PATCH 04/18] fix(dashboard): adjust risk activity table spacing

---
 .../src/pages/security/RiskActivity.tsx       | 41 ++++++++-----------
 1 file changed, 18 insertions(+), 23 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
index f89945ec0e..d50fb8843f 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -264,14 +264,14 @@ function RiskActivityContent() {
 function RiskActivityHeader() {
   return (
     <div className="bg-muted/30 text-muted-foreground flex shrink-0 items-center gap-3 border-b px-8 py-2.5 text-xs font-medium tracking-wide uppercase">
-      <div className="w-[150px] shrink-0">Timestamp</div>
-      <div className="w-[140px] shrink-0">Category</div>
-      <div className="w-[160px] shrink-0">Rule</div>
-      <div className="min-w-[160px] flex-1">Chat</div>
-      <div className="w-[180px] shrink-0">User</div>
-      <div className="w-[220px] shrink-0">Match</div>
-      <div className="w-[220px] shrink-0">Policy Note</div>
-      <div className="w-[110px] shrink-0 text-right">Actions</div>
+      <div className="w-[172px] shrink-0">Timestamp</div>
+      <div className="w-[256px] shrink-0">Category</div>
+      <div className="w-[288px] shrink-0">Rule</div>
+      <div className="w-[288px] shrink-0">Session Name</div>
+      <div className="w-[288px] shrink-0">User</div>
+      <div className="min-w-[320px] flex-1">Match</div>
+      <div className="w-[288px] shrink-0">Policy Note</div>
+      <div className="flex w-[110px] shrink-0 justify-center">Actions</div>
     </div>
   );
 }
@@ -378,22 +378,20 @@ function RiskActivityRow({
         }
       }}
     >
-      <div className="text-muted-foreground w-[150px] shrink-0 font-mono text-xs">
+      <div className="text-muted-foreground w-[172px] shrink-0 font-mono text-xs">
         {result.createdAt ? new Date(result.createdAt).toLocaleString() : "-"}
       </div>
-      <div className="w-[140px] shrink-0">
+      <div className="w-[256px] shrink-0">
         <CategoryLabel source={result.source} ruleId={result.ruleId} />
       </div>
-      <div className="w-[160px] shrink-0">
+      <div className="w-[288px] shrink-0">
         <span className="font-mono text-xs">{result.ruleId ?? "-"}</span>
       </div>
-      <div className="text-muted-foreground min-w-[160px] flex-1 truncate">
+      <div className="w-[288px] shrink-0 truncate">
         {result.chatTitle ?? "Untitled"}
       </div>
-      <div className="text-muted-foreground w-[180px] shrink-0 truncate">
-        {result.userId ?? "-"}
-      </div>
-      <div className="w-[220px] shrink-0 truncate">
+      <div className="w-[288px] shrink-0 truncate">{result.userId ?? "-"}</div>
+      <div className="min-w-[320px] flex-1 truncate">
         {isShadowMCP && result.match ? (
           <span className="font-mono text-xs" title={result.match}>
             {result.match}
@@ -402,16 +400,13 @@ function RiskActivityRow({
           <MaskedMatch value={result.match} />
         )}
       </div>
-      <div
-        className="text-muted-foreground w-[220px] shrink-0 truncate italic"
-        title={policyNote}
-      >
+      <div className="w-[288px] shrink-0 truncate" title={policyNote}>
         {policyNote ?? "-"}
       </div>
-      <div className="flex w-[110px] shrink-0 justify-end">
+      <div className="flex w-[110px] shrink-0 justify-center">
         {isShadowMCP && result.match ? (
           <Button
-            variant="ghost"
+            variant="secondary"
             size="sm"
             disabled={isExcluding}
             onClick={(e) => {
@@ -420,7 +415,7 @@ function RiskActivityRow({
             }}
             title="Exclude this MCP server from the policy"
           >
-            <ShieldOff className="mr-1 h-3 w-3" />
+            <ShieldOff className="h-3 w-3" />
             <span className="text-xs">Exclude</span>
           </Button>
         ) : null}

From aa92908fb7c9efc9e8d16bce84738627b3062451 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 15:11:00 -0700
Subject: [PATCH 05/18] fix(dashboard): make risk activity columns responsive

---
 .../src/pages/security/RiskActivity.tsx       | 47 +++++++++++--------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
index d50fb8843f..c927d74a36 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -27,6 +27,9 @@ import { useSearchParams } from "react-router";
 import { toast } from "sonner";
 import { CategoryLabel, MaskedMatch } from "./risk-ui";
 
+const RISK_ACTIVITY_GRID =
+  "grid grid-cols-[172px_minmax(140px,0.9fr)_minmax(160px,1fr)_minmax(180px,1.15fr)_minmax(160px,1fr)_minmax(200px,1.25fr)_minmax(180px,1.1fr)_110px] gap-3";
+
 export default function RiskActivity() {
   return (
     <RequireScope scope="org:admin" level="page">
@@ -263,15 +266,20 @@ function RiskActivityContent() {
 
 function RiskActivityHeader() {
   return (
-    <div className="bg-muted/30 text-muted-foreground flex shrink-0 items-center gap-3 border-b px-8 py-2.5 text-xs font-medium tracking-wide uppercase">
-      <div className="w-[172px] shrink-0">Timestamp</div>
-      <div className="w-[256px] shrink-0">Category</div>
-      <div className="w-[288px] shrink-0">Rule</div>
-      <div className="w-[288px] shrink-0">Session Name</div>
-      <div className="w-[288px] shrink-0">User</div>
-      <div className="min-w-[320px] flex-1">Match</div>
-      <div className="w-[288px] shrink-0">Policy Note</div>
-      <div className="flex w-[110px] shrink-0 justify-center">Actions</div>
+    <div
+      className={cn(
+        RISK_ACTIVITY_GRID,
+        "bg-muted/30 text-muted-foreground shrink-0 items-center border-b px-8 py-2.5 text-xs font-medium tracking-wide",
+      )}
+    >
+      <div className="min-w-0">Timestamp</div>
+      <div className="min-w-0">Category</div>
+      <div className="min-w-0">Rule</div>
+      <div className="min-w-0">Session Name</div>
+      <div className="min-w-0">User</div>
+      <div className="min-w-0">Match</div>
+      <div className="min-w-0">Policy Note</div>
+      <div className="flex min-w-0 justify-center">Actions</div>
     </div>
   );
 }
@@ -369,7 +377,8 @@ function RiskActivityRow({
     <button
       type="button"
       className={cn(
-        "hover:bg-muted/30 flex w-full items-center gap-3 border-b px-8 py-3 text-left text-sm transition-colors",
+        RISK_ACTIVITY_GRID,
+        "hover:bg-muted/30 w-full items-center border-b px-8 py-3 text-left text-sm transition-colors",
         !result.chatId && "cursor-default",
       )}
       onClick={() => {
@@ -378,20 +387,18 @@ function RiskActivityRow({
         }
       }}
     >
-      <div className="text-muted-foreground w-[172px] shrink-0 font-mono text-xs">
+      <div className="text-muted-foreground min-w-0 font-mono text-xs">
         {result.createdAt ? new Date(result.createdAt).toLocaleString() : "-"}
       </div>
-      <div className="w-[256px] shrink-0">
+      <div className="min-w-0">
         <CategoryLabel source={result.source} ruleId={result.ruleId} />
       </div>
-      <div className="w-[288px] shrink-0">
+      <div className="min-w-0 truncate">
         <span className="font-mono text-xs">{result.ruleId ?? "-"}</span>
       </div>
-      <div className="w-[288px] shrink-0 truncate">
-        {result.chatTitle ?? "Untitled"}
-      </div>
-      <div className="w-[288px] shrink-0 truncate">{result.userId ?? "-"}</div>
-      <div className="min-w-[320px] flex-1 truncate">
+      <div className="min-w-0 truncate">{result.chatTitle ?? "Untitled"}</div>
+      <div className="min-w-0 truncate">{result.userId ?? "-"}</div>
+      <div className="min-w-0 truncate">
         {isShadowMCP && result.match ? (
           <span className="font-mono text-xs" title={result.match}>
             {result.match}
@@ -400,10 +407,10 @@ function RiskActivityRow({
           <MaskedMatch value={result.match} />
         )}
       </div>
-      <div className="w-[288px] shrink-0 truncate" title={policyNote}>
+      <div className="min-w-0 truncate" title={policyNote}>
         {policyNote ?? "-"}
       </div>
-      <div className="flex w-[110px] shrink-0 justify-center">
+      <div className="flex min-w-0 justify-center">
         {isShadowMCP && result.match ? (
           <Button
             variant="secondary"

From 0b37913b024fc0785c69090bbe8d1fb91942d1fe Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 15:25:00 -0700
Subject: [PATCH 06/18] fix(dashboard): compact risk category badges

---
 client/dashboard/src/App.css                  | 25 +++++++++++++++
 .../src/pages/security/SecurityOverview.tsx   |  2 +-
 .../dashboard/src/pages/security/risk-ui.tsx  | 31 ++++++++++++-------
 3 files changed, 45 insertions(+), 13 deletions(-)

diff --git a/client/dashboard/src/App.css b/client/dashboard/src/App.css
index e577bda061..4ca4160e9f 100644
--- a/client/dashboard/src/App.css
+++ b/client/dashboard/src/App.css
@@ -101,3 +101,28 @@
   animation: scroll-dots 3s linear infinite;
   color: oklch(0.553 0.013 58.071 / 0.4);
 }
+
+@layer components {
+  .risk-category-label {
+    container-type: inline-size;
+    display: block;
+    min-width: 0;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+  }
+
+  .risk-category-label__short {
+    display: none;
+  }
+
+  @container (max-width: 220px) {
+    .risk-category-label[data-short-label="true"] .risk-category-label__long {
+      display: none;
+    }
+
+    .risk-category-label[data-short-label="true"] .risk-category-label__short {
+      display: inline;
+    }
+  }
+}
diff --git a/client/dashboard/src/pages/security/SecurityOverview.tsx b/client/dashboard/src/pages/security/SecurityOverview.tsx
index 8a414fd67d..5504ba6801 100644
--- a/client/dashboard/src/pages/security/SecurityOverview.tsx
+++ b/client/dashboard/src/pages/security/SecurityOverview.tsx
@@ -32,7 +32,7 @@ import { toast } from "sonner";
 import { ChatDetailPanel } from "@/pages/chatLogs/ChatDetailPanel";
 import { Drawer, DrawerContent } from "@/components/ui/drawer";
 import { MetricCard } from "@/components/chart/MetricCard";
-import { CategoryLabel, MaskedMatch, RuleLabel } from "./risk-finding-ui";
+import { CategoryLabel, MaskedMatch, RuleLabel } from "./risk-ui";
 
 export default function SecurityOverview() {
   return (
diff --git a/client/dashboard/src/pages/security/risk-ui.tsx b/client/dashboard/src/pages/security/risk-ui.tsx
index d07f998fee..dd7fbd1a42 100644
--- a/client/dashboard/src/pages/security/risk-ui.tsx
+++ b/client/dashboard/src/pages/security/risk-ui.tsx
@@ -2,7 +2,7 @@ import { Eye, EyeOff } from "lucide-react";
 import { useState } from "react";
 import { RULE_CATEGORY_META } from "./policy-data";
 import { getCategoryForFinding, getRuleTitleFallback} from "./risk-utils";
-import { humanizeRuleId } from "./rule-ids";
+import { Badge } from "@speakeasy-api/moonshine";
 
 export function CategoryLabel({
   source,
@@ -12,18 +12,25 @@ export function CategoryLabel({
   ruleId?: string;
 }) {
   const category = getCategoryForFinding(source, ruleId);
-  if (category) {
-    return (
-      <span className="font-mono text-xs">
-        {RULE_CATEGORY_META[category].label}
-      </span>
-    );
-  }
-  // Unknown source: title-case it so the table cell still reads cleanly
-  // (e.g. a future "presidio_pro" source renders as "Presidio Pro").
+  const label = category ? RULE_CATEGORY_META[category].label : null;
+  const shortLabel = category === "pii" ? "PII" : null;
   return (
-    <span className="font-mono text-xs">
-      {source ? humanizeRuleId(source.replace(/_/g, "-")) : "-"}
+    <span
+      className="risk-category-label"
+      data-short-label={shortLabel ? "true" : undefined}
+    >
+      <Badge variant="neutral" title={label ?? undefined}>
+        <Badge.Text>
+          {shortLabel ? (
+            <>
+              <span className="risk-category-label__long">{label}</span>
+              <span className="risk-category-label__short">{shortLabel}</span>
+            </>
+          ) : (
+            label
+          )}
+        </Badge.Text>
+      </Badge>
     </span>
   );
 }

From 564caace7aa4a5da8ea06dea28b6f87a18c6c438 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 15:28:31 -0700
Subject: [PATCH 07/18] fix(dashboard): use tailwind category query

---
 client/dashboard/src/App.css                  | 25 -------------------
 .../dashboard/src/pages/security/risk-ui.tsx  |  9 +++----
 2 files changed, 3 insertions(+), 31 deletions(-)

diff --git a/client/dashboard/src/App.css b/client/dashboard/src/App.css
index 4ca4160e9f..e577bda061 100644
--- a/client/dashboard/src/App.css
+++ b/client/dashboard/src/App.css
@@ -101,28 +101,3 @@
   animation: scroll-dots 3s linear infinite;
   color: oklch(0.553 0.013 58.071 / 0.4);
 }
-
-@layer components {
-  .risk-category-label {
-    container-type: inline-size;
-    display: block;
-    min-width: 0;
-    overflow: hidden;
-    text-overflow: ellipsis;
-    white-space: nowrap;
-  }
-
-  .risk-category-label__short {
-    display: none;
-  }
-
-  @container (max-width: 220px) {
-    .risk-category-label[data-short-label="true"] .risk-category-label__long {
-      display: none;
-    }
-
-    .risk-category-label[data-short-label="true"] .risk-category-label__short {
-      display: inline;
-    }
-  }
-}
diff --git a/client/dashboard/src/pages/security/risk-ui.tsx b/client/dashboard/src/pages/security/risk-ui.tsx
index dd7fbd1a42..cc5d374e76 100644
--- a/client/dashboard/src/pages/security/risk-ui.tsx
+++ b/client/dashboard/src/pages/security/risk-ui.tsx
@@ -15,16 +15,13 @@ export function CategoryLabel({
   const label = category ? RULE_CATEGORY_META[category].label : null;
   const shortLabel = category === "pii" ? "PII" : null;
   return (
-    <span
-      className="risk-category-label"
-      data-short-label={shortLabel ? "true" : undefined}
-    >
+    <span className="@container block min-w-0 overflow-hidden whitespace-nowrap">
       <Badge variant="neutral" title={label ?? undefined}>
         <Badge.Text>
           {shortLabel ? (
             <>
-              <span className="risk-category-label__long">{label}</span>
-              <span className="risk-category-label__short">{shortLabel}</span>
+              <span className="@max-[220px]:hidden">{label}</span>
+              <span className="hidden @max-[220px]:inline">{shortLabel}</span>
             </>
           ) : (
             label

From fae4acf2c8546015afe9acdb036597e843a2fa41 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 15:37:26 -0700
Subject: [PATCH 08/18] fix(dashboard): address risk activity review

---
 .../src/pages/security/RiskActivity.tsx          | 16 ++++++++++++----
 client/dashboard/src/pages/security/risk-ui.tsx  |  2 +-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
index c927d74a36..5ccadebb12 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -28,7 +28,7 @@ import { toast } from "sonner";
 import { CategoryLabel, MaskedMatch } from "./risk-ui";
 
 const RISK_ACTIVITY_GRID =
-  "grid grid-cols-[172px_minmax(140px,0.9fr)_minmax(160px,1fr)_minmax(180px,1.15fr)_minmax(160px,1fr)_minmax(200px,1.25fr)_minmax(180px,1.1fr)_110px] gap-3";
+  "grid grid-cols-[172px_minmax(0,0.9fr)_minmax(0,1fr)_minmax(0,1.15fr)_minmax(0,1fr)_minmax(0,1.25fr)_minmax(0,1.1fr)_110px] gap-3";
 
 export default function RiskActivity() {
   return (
@@ -374,8 +374,9 @@ function RiskActivityRow({
   const isShadowMCP = result.source === "shadow_mcp";
 
   return (
-    <button
-      type="button"
+    <div
+      role={result.chatId ? "button" : undefined}
+      tabIndex={result.chatId ? 0 : undefined}
       className={cn(
         RISK_ACTIVITY_GRID,
         "hover:bg-muted/30 w-full items-center border-b px-8 py-3 text-left text-sm transition-colors",
@@ -386,6 +387,13 @@ function RiskActivityRow({
           onSelectChat(result.chatId);
         }
       }}
+      onKeyDown={(e) => {
+        if (!result.chatId) return;
+        if (e.key === "Enter" || e.key === " ") {
+          e.preventDefault();
+          onSelectChat(result.chatId);
+        }
+      }}
     >
       <div className="text-muted-foreground min-w-0 font-mono text-xs">
         {result.createdAt ? new Date(result.createdAt).toLocaleString() : "-"}
@@ -427,7 +435,7 @@ function RiskActivityRow({
           </Button>
         ) : null}
       </div>
-    </button>
+    </div>
   );
 }
 
diff --git a/client/dashboard/src/pages/security/risk-ui.tsx b/client/dashboard/src/pages/security/risk-ui.tsx
index cc5d374e76..45f9ba22ba 100644
--- a/client/dashboard/src/pages/security/risk-ui.tsx
+++ b/client/dashboard/src/pages/security/risk-ui.tsx
@@ -15,7 +15,7 @@ export function CategoryLabel({
   const label = category ? RULE_CATEGORY_META[category].label : null;
   const shortLabel = category === "pii" ? "PII" : null;
   return (
-    <span className="@container block min-w-0 overflow-hidden whitespace-nowrap">
+    <span className="@container block min-w-0 truncate">
       <Badge variant="neutral" title={label ?? undefined}>
         <Badge.Text>
           {shortLabel ? (

From 195b17fa20f8ee030bbae34fd456af6fe898650a Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Fri, 15 May 2026 15:41:52 -0700
Subject: [PATCH 09/18] fix(dashboard): use moonshine risk activity buttons

---
 client/dashboard/src/pages/security/RiskActivity.tsx | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
index 5ccadebb12..453d9b1d0d 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -1,7 +1,6 @@
 import { LogWorkbench } from "@/components/log-workbench";
 import { Page } from "@/components/page-layout";
 import { RequireScope } from "@/components/require-scope";
-import { Button } from "@/components/ui/button";
 import { Drawer, DrawerContent } from "@/components/ui/drawer";
 import {
   Select,
@@ -19,7 +18,7 @@ import {
   useRiskApproveShadowMCPMutation,
   useRiskListPolicies,
 } from "@gram/client/react-query/index.js";
-import { Icon } from "@speakeasy-api/moonshine";
+import { Button, Icon } from "@speakeasy-api/moonshine";
 import { useInfiniteQuery, useQueryClient } from "@tanstack/react-query";
 import { RefreshCw, ShieldOff } from "lucide-react";
 import { useCallback, useMemo, useRef } from "react";
@@ -178,7 +177,7 @@ function RiskActivityContent() {
       description="Review policy findings across recent analyzed chats."
       actions={
         <Button
-          variant="outline"
+          variant="secondary"
           size="sm"
           onClick={() => resultsQuery.refetch()}
           disabled={resultsQuery.isFetching}
@@ -461,7 +460,7 @@ function RiskActivityFooter({
       </span>
       {hasNextPage ? (
         <Button
-          variant="ghost"
+          variant="tertiary"
           size="sm"
           disabled={isFetchingNextPage}
           onClick={onLoadMore}

From e057ce3bf8256f3b2a58fe164a78d0ca170c2c4a Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 14:39:41 -0700
Subject: [PATCH 10/18] fix(security): refine risk category labels

---
 .../dashboard/src/pages/security/risk-ui.tsx  | 23 +++++-------
 .../src/pages/security/risk-utils.ts          | 35 +++++++++++--------
 2 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/client/dashboard/src/pages/security/risk-ui.tsx b/client/dashboard/src/pages/security/risk-ui.tsx
index 45f9ba22ba..dbceba65f1 100644
--- a/client/dashboard/src/pages/security/risk-ui.tsx
+++ b/client/dashboard/src/pages/security/risk-ui.tsx
@@ -1,7 +1,7 @@
 import { Eye, EyeOff } from "lucide-react";
 import { useState } from "react";
 import { RULE_CATEGORY_META } from "./policy-data";
-import { getCategoryForFinding, getRuleTitleFallback} from "./risk-utils";
+import { getCategoryForFinding, getRuleTitleFallback } from "./risk-utils";
 import { Badge } from "@speakeasy-api/moonshine";
 
 export function CategoryLabel({
@@ -12,20 +12,15 @@ export function CategoryLabel({
   ruleId?: string;
 }) {
   const category = getCategoryForFinding(source, ruleId);
-  const label = category ? RULE_CATEGORY_META[category].label : null;
-  const shortLabel = category === "pii" ? "PII" : null;
+  const meta = category ? RULE_CATEGORY_META[category] : null;
   return (
-    <span className="@container block min-w-0 truncate">
-      <Badge variant="neutral" title={label ?? undefined}>
-        <Badge.Text>
-          {shortLabel ? (
-            <>
-              <span className="@max-[220px]:hidden">{label}</span>
-              <span className="hidden @max-[220px]:inline">{shortLabel}</span>
-            </>
-          ) : (
-            label
-          )}
+    <span
+      className="block min-w-0 truncate"
+      title={meta ? `${meta.label}: ${meta.description}` : undefined}
+    >
+      <Badge variant="neutral" className="max-w-full">
+        <Badge.Text className="min-w-0 truncate">
+          {meta?.label ?? "Unknown"}
         </Badge.Text>
       </Badge>
     </span>
diff --git a/client/dashboard/src/pages/security/risk-utils.ts b/client/dashboard/src/pages/security/risk-utils.ts
index 8c66687769..647a69b76f 100644
--- a/client/dashboard/src/pages/security/risk-utils.ts
+++ b/client/dashboard/src/pages/security/risk-utils.ts
@@ -1,34 +1,39 @@
 import { DETECTION_RULES, type RuleCategory } from "./policy-data";
 import { humanizeRuleId } from "./rule-ids";
 
-// DETECTION_RULES.id is the canonical rule_id the backend writes to
-// risk_results, so lookup maps key by it directly.
-export const RULE_ID_TO_CATEGORY = new Map<string, RuleCategory>();
+const SOURCE_TO_CATEGORY: ReadonlyMap<string, RuleCategory> = new Map<
+  string,
+  RuleCategory
+>([
+  ["destructive_tool", "destructive_tool"],
+  ["shadow_mcp", "shadow_mcp"],
+  ["prompt_injection", "prompt_injection"],
+  ["cli_destructive", "cli_destructive"],
+]);
 
-export const RULE_ID_TO_TITLE = new Map<string, string>();
+const ruleIdToCategory = new Map<string, RuleCategory>();
+const ruleIdToTitle = new Map<string, string>();
 
 for (const [category, rules] of Object.entries(DETECTION_RULES)) {
   for (const rule of rules) {
-    RULE_ID_TO_CATEGORY.set(rule.id, category as RuleCategory);
-    RULE_ID_TO_TITLE.set(rule.id, rule.title);
+    ruleIdToCategory.set(rule.id, category as RuleCategory);
+    ruleIdToTitle.set(rule.id, rule.title);
   }
 }
 
+// DETECTION_RULES.id is the canonical rule_id the backend writes to
+// risk_results, so lookup maps key by it directly.
+const RULE_ID_TO_CATEGORY: ReadonlyMap<string, RuleCategory> = ruleIdToCategory;
+const RULE_ID_TO_TITLE: ReadonlyMap<string, string> = ruleIdToTitle;
+
 export function getRuleTitleFallback(ruleId: string | undefined): string {
   if (!ruleId) return "-";
   return RULE_ID_TO_TITLE.get(ruleId) ?? humanizeRuleId(ruleId);
 }
 
-export const SOURCE_TO_CATEGORY = new Map<string, RuleCategory>([
-  ["destructive_tool", "destructive_tool"],
-  ["shadow_mcp", "shadow_mcp"],
-  ["prompt_injection", "prompt_injection"],
-  ["cli_destructive", "cli_destructive"],
-]);
-
 export function getCategoryForFinding(
-  source: string | undefined,
-  ruleId: string | undefined,
+  source?: string,
+  ruleId?: string,
 ): RuleCategory | null {
   if (ruleId) {
     const byRule = RULE_ID_TO_CATEGORY.get(ruleId);

From 598332f5510c0eba7a626d307c74b03f41281929 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 14:48:45 -0700
Subject: [PATCH 11/18] fix(security): use risk rule labels in activity

---
 client/dashboard/src/pages/security/RiskActivity.tsx | 8 ++++----
 client/dashboard/src/pages/security/risk-ui.tsx      | 5 ++---
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskActivity.tsx
index 453d9b1d0d..e46dca55b3 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskActivity.tsx
@@ -24,7 +24,7 @@ import { RefreshCw, ShieldOff } from "lucide-react";
 import { useCallback, useMemo, useRef } from "react";
 import { useSearchParams } from "react-router";
 import { toast } from "sonner";
-import { CategoryLabel, MaskedMatch } from "./risk-ui";
+import { CategoryLabel, MaskedMatch, RuleLabel } from "./risk-ui";
 
 const RISK_ACTIVITY_GRID =
   "grid grid-cols-[172px_minmax(0,0.9fr)_minmax(0,1fr)_minmax(0,1.15fr)_minmax(0,1fr)_minmax(0,1.25fr)_minmax(0,1.1fr)_110px] gap-3";
@@ -397,11 +397,11 @@ function RiskActivityRow({
       <div className="text-muted-foreground min-w-0 font-mono text-xs">
         {result.createdAt ? new Date(result.createdAt).toLocaleString() : "-"}
       </div>
-      <div className="min-w-0">
+      <div className="min-w-0 truncate">
         <CategoryLabel source={result.source} ruleId={result.ruleId} />
       </div>
       <div className="min-w-0 truncate">
-        <span className="font-mono text-xs">{result.ruleId ?? "-"}</span>
+        <RuleLabel source={result.source} ruleId={result.ruleId} />
       </div>
       <div className="min-w-0 truncate">{result.chatTitle ?? "Untitled"}</div>
       <div className="min-w-0 truncate">{result.userId ?? "-"}</div>
@@ -420,7 +420,7 @@ function RiskActivityRow({
       <div className="flex min-w-0 justify-center">
         {isShadowMCP && result.match ? (
           <Button
-            variant="secondary"
+            variant="tertiary"
             size="sm"
             disabled={isExcluding}
             onClick={(e) => {
diff --git a/client/dashboard/src/pages/security/risk-ui.tsx b/client/dashboard/src/pages/security/risk-ui.tsx
index dbceba65f1..9f3eb25b23 100644
--- a/client/dashboard/src/pages/security/risk-ui.tsx
+++ b/client/dashboard/src/pages/security/risk-ui.tsx
@@ -32,11 +32,10 @@ export function CategoryLabel({
 // presidio, or prompt_injection rules independently of the dashboard, so
 // every snake_case id needs to display legibly without a code change.
 export function RuleLabel({ ruleId }: { source?: string; ruleId?: string }) {
-  if (!ruleId) return <span className="font-mono text-xs">-</span>;
-  const title = getRuleTitleFallback(ruleId);
+  const label = ruleId ? getRuleTitleFallback(ruleId) : "-";
   return (
     <span className="font-mono text-xs" title={ruleId}>
-      {title}
+      {label}
     </span>
   );
 }

From 76636ca0f63ce754b25fb0fb0aeb7fe0e1c1a116 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 15:37:00 -0700
Subject: [PATCH 12/18] fix: clarify unknown risk source labels

---
 client/dashboard/src/pages/security/risk-ui.tsx | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/client/dashboard/src/pages/security/risk-ui.tsx b/client/dashboard/src/pages/security/risk-ui.tsx
index 9f3eb25b23..2b6e187847 100644
--- a/client/dashboard/src/pages/security/risk-ui.tsx
+++ b/client/dashboard/src/pages/security/risk-ui.tsx
@@ -2,6 +2,7 @@ import { Eye, EyeOff } from "lucide-react";
 import { useState } from "react";
 import { RULE_CATEGORY_META } from "./policy-data";
 import { getCategoryForFinding, getRuleTitleFallback } from "./risk-utils";
+import { humanizeRuleId } from "./rule-ids";
 import { Badge } from "@speakeasy-api/moonshine";
 
 export function CategoryLabel({
@@ -13,14 +14,21 @@ export function CategoryLabel({
 }) {
   const category = getCategoryForFinding(source, ruleId);
   const meta = category ? RULE_CATEGORY_META[category] : null;
+  const unknownSourceLabel = source ? humanizeRuleId(source) : "-";
   return (
     <span
       className="block min-w-0 truncate"
-      title={meta ? `${meta.label}: ${meta.description}` : undefined}
+      title={
+        meta
+          ? `${meta.label}: ${meta.description}`
+          : source
+            ? `Unknown source: ${source}`
+            : undefined
+      }
     >
       <Badge variant="neutral" className="max-w-full">
         <Badge.Text className="min-w-0 truncate">
-          {meta?.label ?? "Unknown"}
+          {meta?.label ?? unknownSourceLabel}
         </Badge.Text>
       </Badge>
     </span>

From 9c1a157d96f97bc1fe481fb9fb6d9b7a2c4c321e Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 15:53:06 -0700
Subject: [PATCH 13/18] refactor: move risk events under logs

---
 .../dashboard/src/components/app-sidebar.tsx  |  1 -
 .../src/components/observe/ObserveTabNav.tsx  | 31 +++++++++--
 .../dashboard/src/components/page-header.tsx  |  2 +-
 client/dashboard/src/pages/logs/Logs.tsx      |  9 ++++
 .../{RiskActivity.tsx => RiskEvents.tsx}      | 51 +++++++------------
 client/dashboard/src/routes.tsx               | 19 ++++---
 6 files changed, 66 insertions(+), 47 deletions(-)
 rename client/dashboard/src/pages/security/{RiskActivity.tsx => RiskEvents.tsx} (92%)

diff --git a/client/dashboard/src/components/app-sidebar.tsx b/client/dashboard/src/components/app-sidebar.tsx
index 0a7e2e7634..913e17d81d 100644
--- a/client/dashboard/src/components/app-sidebar.tsx
+++ b/client/dashboard/src/components/app-sidebar.tsx
@@ -132,7 +132,6 @@ export function AppSidebar({ ...props }: React.ComponentProps<typeof Sidebar>) {
                 item={routes.riskOverview}
                 scope="project:read"
               />
-              <ScopeGatedNavItem item={routes.riskActivity} scope="org:admin" />
               <ScopeGatedNavItem
                 item={routes.policyCenter}
                 scope={["project:read", "project:write"]}
diff --git a/client/dashboard/src/components/observe/ObserveTabNav.tsx b/client/dashboard/src/components/observe/ObserveTabNav.tsx
index bdbeb56f47..6c4472e6eb 100644
--- a/client/dashboard/src/components/observe/ObserveTabNav.tsx
+++ b/client/dashboard/src/components/observe/ObserveTabNav.tsx
@@ -1,12 +1,19 @@
 import { cn } from "@/lib/utils";
 import { Link, useLocation } from "react-router";
 import { useSlugs } from "@/contexts/Sdk";
+import { RequireScope } from "@/components/require-scope";
+import type { Scope } from "@/hooks/useRBAC";
 import {
   ReleaseStage,
   ReleaseStageBadge,
 } from "@/components/release-stage-badge";
 
-type Tab = { label: string; href: string; stage?: ReleaseStage };
+type Tab = {
+  label: string;
+  href: string;
+  stage?: ReleaseStage;
+  scope?: Scope | Scope[];
+};
 
 export function ObserveTabNav({ base }: { base: "insights" | "logs" }) {
   const { orgSlug, projectSlug } = useSlugs();
@@ -17,7 +24,15 @@ export function ObserveTabNav({ base }: { base: "insights" | "logs" }) {
     { label: "Tools", href: `${baseSlug}/tools` },
     { label: "MCP Servers", href: `${baseSlug}/mcp` },
     ...(base === "logs"
-      ? [{ label: "Agents", href: `${baseSlug}/agents` }]
+      ? ([
+          {
+            label: "Risk Events",
+            href: `${baseSlug}/risk-events`,
+            stage: "beta",
+            scope: "org:admin",
+          },
+          { label: "Agents", href: `${baseSlug}/agents` },
+        ] satisfies Tab[])
       : []),
     ...(base === "insights"
       ? ([
@@ -37,7 +52,7 @@ export function ObserveTabNav({ base }: { base: "insights" | "logs" }) {
         const isActive =
           location.pathname === tab.href ||
           location.pathname.startsWith(tab.href + "/");
-        return (
+        const link = (
           <Link
             key={tab.href}
             to={tab.href}
@@ -56,6 +71,16 @@ export function ObserveTabNav({ base }: { base: "insights" | "logs" }) {
             )}
           </Link>
         );
+
+        if (tab.scope) {
+          return (
+            <RequireScope key={tab.href} scope={tab.scope} level="section">
+              {link}
+            </RequireScope>
+          );
+        }
+
+        return link;
       })}
     </div>
   );
diff --git a/client/dashboard/src/components/page-header.tsx b/client/dashboard/src/components/page-header.tsx
index 30bdfbd597..b60e3540b7 100644
--- a/client/dashboard/src/components/page-header.tsx
+++ b/client/dashboard/src/components/page-header.tsx
@@ -71,7 +71,7 @@ const breadcrumbSubstitutions = {
   "audit-logs": "Audit Logs",
   "admin-settings": "Admin Settings",
   "risk-overview": "Risk Overview",
-  "risk-activity": "Risk Activity",
+  "risk-events": "Risk Events",
   "risk-policies": "Risk Policies",
   // The URL segments `slack` and `clis` are preserved for backwards
   // compatibility, but the sidebar/route titles were rebranded — map them
diff --git a/client/dashboard/src/pages/logs/Logs.tsx b/client/dashboard/src/pages/logs/Logs.tsx
index 12be8cc4d5..a6cc181d67 100644
--- a/client/dashboard/src/pages/logs/Logs.tsx
+++ b/client/dashboard/src/pages/logs/Logs.tsx
@@ -4,6 +4,7 @@ import { Page } from "@/components/page-layout";
 import { RequireScope } from "@/components/require-scope";
 import { LogsTools } from "@/components/observe/LogsTools";
 import { ObserveTabNav } from "@/components/observe/ObserveTabNav";
+import RiskEvents from "@/pages/security/RiskEvents";
 
 export function LogsRoot() {
   return (
@@ -37,3 +38,11 @@ export function LogsMCPPage() {
     </RequireScope>
   );
 }
+
+export function LogsRiskEventsPage() {
+  return (
+    <RequireScope scope="org:admin" level="page">
+      <RiskEvents />
+    </RequireScope>
+  );
+}
diff --git a/client/dashboard/src/pages/security/RiskActivity.tsx b/client/dashboard/src/pages/security/RiskEvents.tsx
similarity index 92%
rename from client/dashboard/src/pages/security/RiskActivity.tsx
rename to client/dashboard/src/pages/security/RiskEvents.tsx
index e46dca55b3..e22c8d013f 100644
--- a/client/dashboard/src/pages/security/RiskActivity.tsx
+++ b/client/dashboard/src/pages/security/RiskEvents.tsx
@@ -1,6 +1,4 @@
 import { LogWorkbench } from "@/components/log-workbench";
-import { Page } from "@/components/page-layout";
-import { RequireScope } from "@/components/require-scope";
 import { Drawer, DrawerContent } from "@/components/ui/drawer";
 import {
   Select,
@@ -26,25 +24,10 @@ import { useSearchParams } from "react-router";
 import { toast } from "sonner";
 import { CategoryLabel, MaskedMatch, RuleLabel } from "./risk-ui";
 
-const RISK_ACTIVITY_GRID =
+const RISK_EVENTS_GRID =
   "grid grid-cols-[172px_minmax(0,0.9fr)_minmax(0,1fr)_minmax(0,1.15fr)_minmax(0,1fr)_minmax(0,1.25fr)_minmax(0,1.1fr)_110px] gap-3";
 
-export default function RiskActivity() {
-  return (
-    <RequireScope scope="org:admin" level="page">
-      <Page>
-        <Page.Header>
-          <Page.Header.Breadcrumbs />
-        </Page.Header>
-        <Page.Body fullWidth fullHeight overflowHidden noPadding>
-          <RiskActivityContent />
-        </Page.Body>
-      </Page>
-    </RequireScope>
-  );
-}
-
-function RiskActivityContent() {
+export default function RiskEvents() {
   const client = useSdkClient();
   const queryClient = useQueryClient();
   const [searchParams, setSearchParams] = useSearchParams();
@@ -173,7 +156,7 @@ function RiskActivityContent() {
 
   return (
     <LogWorkbench
-      title="Risk Activity"
+      title="Risk Events"
       description="Review policy findings across recent analyzed chats."
       actions={
         <Button
@@ -181,7 +164,7 @@ function RiskActivityContent() {
           size="sm"
           onClick={() => resultsQuery.refetch()}
           disabled={resultsQuery.isFetching}
-          aria-label="Refresh risk activity"
+          aria-label="Refresh risk events"
         >
           <RefreshCw
             className={cn("h-4 w-4", resultsQuery.isFetching && "animate-spin")}
@@ -216,10 +199,10 @@ function RiskActivityContent() {
           </div>
         ) : null
       }
-      header={<RiskActivityHeader />}
+      header={<RiskEventsHeader />}
       footer={
         results.length > 0 ? (
-          <RiskActivityFooter
+          <RiskEventsFooter
             count={results.length}
             totalCount={totalCount}
             hasNextPage={resultsQuery.hasNextPage}
@@ -250,7 +233,7 @@ function RiskActivityContent() {
       scrollRef={containerRef}
       onScroll={handleScroll}
     >
-      <RiskActivityRows
+      <RiskEventsRows
         error={resultsQuery.error}
         isLoading={isInitialLoading}
         results={results}
@@ -263,11 +246,11 @@ function RiskActivityContent() {
   );
 }
 
-function RiskActivityHeader() {
+function RiskEventsHeader() {
   return (
     <div
       className={cn(
-        RISK_ACTIVITY_GRID,
+        RISK_EVENTS_GRID,
         "bg-muted/30 text-muted-foreground shrink-0 items-center border-b px-8 py-2.5 text-xs font-medium tracking-wide",
       )}
     >
@@ -283,7 +266,7 @@ function RiskActivityHeader() {
   );
 }
 
-function RiskActivityRows({
+function RiskEventsRows({
   error,
   isLoading,
   results,
@@ -307,7 +290,7 @@ function RiskActivityRows({
           <Icon name="circle-alert" className="text-destructive size-6" />
         </div>
         <span className="text-foreground font-medium">
-          Error loading risk activity
+          Error loading risk events
         </span>
         <span className="text-muted-foreground max-w-sm text-center text-sm">
           {error.message}
@@ -320,7 +303,7 @@ function RiskActivityRows({
     return (
       <div className="text-muted-foreground flex items-center justify-center gap-2 py-12">
         <Icon name="loader-circle" className="size-5 animate-spin" />
-        <span>Loading risk activity...</span>
+        <span>Loading risk events...</span>
       </div>
     );
   }
@@ -332,7 +315,7 @@ function RiskActivityRows({
           <Icon name="inbox" className="text-muted-foreground size-6" />
         </div>
         <span className="text-foreground font-medium">
-          No risk activity found
+          No risk events found
         </span>
         <span className="text-muted-foreground max-w-sm text-sm">
           Findings will appear here as messages are analyzed.
@@ -344,7 +327,7 @@ function RiskActivityRows({
   return (
     <>
       {results.map((result) => (
-        <RiskActivityRow
+        <RiskEventsRow
           key={result.id}
           result={result}
           policyNote={policyMessageById.get(result.policyId)}
@@ -357,7 +340,7 @@ function RiskActivityRows({
   );
 }
 
-function RiskActivityRow({
+function RiskEventsRow({
   result,
   policyNote,
   isExcluding,
@@ -377,7 +360,7 @@ function RiskActivityRow({
       role={result.chatId ? "button" : undefined}
       tabIndex={result.chatId ? 0 : undefined}
       className={cn(
-        RISK_ACTIVITY_GRID,
+        RISK_EVENTS_GRID,
         "hover:bg-muted/30 w-full items-center border-b px-8 py-3 text-left text-sm transition-colors",
         !result.chatId && "cursor-default",
       )}
@@ -438,7 +421,7 @@ function RiskActivityRow({
   );
 }
 
-function RiskActivityFooter({
+function RiskEventsFooter({
   count,
   totalCount,
   hasNextPage,
diff --git a/client/dashboard/src/routes.tsx b/client/dashboard/src/routes.tsx
index 0e649667c7..7f190437c7 100644
--- a/client/dashboard/src/routes.tsx
+++ b/client/dashboard/src/routes.tsx
@@ -30,7 +30,12 @@ import Home from "./pages/home/Home";
 import Integrations from "./pages/integrations/Integrations";
 import Login from "./pages/login/Login";
 import Register from "./pages/login/Register";
-import { LogsRoot, LogsMCPPage, LogsToolsPage } from "./pages/logs/Logs";
+import {
+  LogsRoot,
+  LogsMCPPage,
+  LogsRiskEventsPage,
+  LogsToolsPage,
+} from "./pages/logs/Logs";
 import { BuiltInMCPDetailPage } from "./pages/mcp/BuiltInMCPDetailPage";
 import { MCPDetailPage, MCPDetailsRoot } from "./pages/mcp/MCPDetails";
 import { MCPPage, MCPRoot } from "./pages/mcp/MCP";
@@ -71,7 +76,6 @@ import SlackAppsIndex, { SlackAppsRoot } from "./pages/slackapp/SlackApp";
 import TriggersIndex, { TriggersRoot } from "./pages/triggers/Triggers";
 import SlackAppDetailPage from "./pages/slackapp/SlackAppDetail";
 import SecurityOverview from "./pages/security/SecurityOverview";
-import RiskActivity from "./pages/security/RiskActivity";
 import PolicyCenter from "./pages/security/PolicyCenter";
 import Team from "./pages/team/Team";
 import SourceDetails from "./pages/sources/SourceDetails";
@@ -422,6 +426,11 @@ const ROUTE_STRUCTURE = {
         url: "mcp",
         component: LogsMCPPage,
       },
+      riskEvents: {
+        title: "Risk Events",
+        url: "risk-events",
+        component: LogsRiskEventsPage,
+      },
       agents: {
         title: "Agent Sessions",
         url: "agents",
@@ -442,12 +451,6 @@ const ROUTE_STRUCTURE = {
     stage: "beta",
     component: SecurityOverview,
   },
-  riskActivity: {
-    title: "Risk Activity",
-    url: "risk-activity",
-    icon: "shield",
-    component: RiskActivity,
-  },
   policyCenter: {
     title: "Risk Policies",
     url: "risk-policies",

From d835db953cfa906fe8f92d62464269aec4f0cb24 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 15:53:50 -0700
Subject: [PATCH 14/18] fix: invalidate generated risk result queries

---
 client/dashboard/src/pages/security/RiskEvents.tsx       | 2 ++
 client/dashboard/src/pages/security/SecurityOverview.tsx | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/client/dashboard/src/pages/security/RiskEvents.tsx b/client/dashboard/src/pages/security/RiskEvents.tsx
index e22c8d013f..512f35d4e1 100644
--- a/client/dashboard/src/pages/security/RiskEvents.tsx
+++ b/client/dashboard/src/pages/security/RiskEvents.tsx
@@ -12,6 +12,7 @@ import { cn } from "@/lib/utils";
 import { ChatDetailPanel } from "@/pages/chatLogs/ChatDetailPanel";
 import type { RiskResult } from "@gram/client/models/components";
 import {
+  invalidateAllRiskListResults,
   invalidateAllRiskListShadowMCPApprovals,
   useRiskApproveShadowMCPMutation,
   useRiskListPolicies,
@@ -127,6 +128,7 @@ export default function RiskEvents() {
             queryClient.invalidateQueries({
               queryKey: ["risk", "results", "list"],
             });
+            invalidateAllRiskListResults(queryClient);
             invalidateAllRiskListShadowMCPApprovals(queryClient);
           },
           onError: (err) => {
diff --git a/client/dashboard/src/pages/security/SecurityOverview.tsx b/client/dashboard/src/pages/security/SecurityOverview.tsx
index 5504ba6801..542587955d 100644
--- a/client/dashboard/src/pages/security/SecurityOverview.tsx
+++ b/client/dashboard/src/pages/security/SecurityOverview.tsx
@@ -23,6 +23,7 @@ import { useCallback, useMemo } from "react";
 import { useSearchParams } from "react-router";
 import { useInfiniteQuery, useQueryClient } from "@tanstack/react-query";
 import {
+  invalidateAllRiskListResults,
   useRiskApproveShadowMCPMutation,
   useRiskListPolicies,
   invalidateAllRiskListShadowMCPApprovals,
@@ -118,6 +119,7 @@ function SecurityOverviewContent() {
             queryClient.invalidateQueries({
               queryKey: ["risk", "results", "list"],
             });
+            invalidateAllRiskListResults(queryClient);
             invalidateAllRiskListShadowMCPApprovals(queryClient);
           },
           onError: (err) => {

From 8a6869756d68946287bdbee2abf0ef0d036da8fc Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 15:54:49 -0700
Subject: [PATCH 15/18] perf: virtualize risk event rows

---
 .../src/pages/security/RiskEvents.tsx         | 52 ++++++++++++++-----
 1 file changed, 39 insertions(+), 13 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskEvents.tsx b/client/dashboard/src/pages/security/RiskEvents.tsx
index 512f35d4e1..eca79dafb2 100644
--- a/client/dashboard/src/pages/security/RiskEvents.tsx
+++ b/client/dashboard/src/pages/security/RiskEvents.tsx
@@ -19,8 +19,9 @@ import {
 } from "@gram/client/react-query/index.js";
 import { Button, Icon } from "@speakeasy-api/moonshine";
 import { useInfiniteQuery, useQueryClient } from "@tanstack/react-query";
+import { useVirtualizer } from "@tanstack/react-virtual";
 import { RefreshCw, ShieldOff } from "lucide-react";
-import { useCallback, useMemo, useRef } from "react";
+import { useCallback, useMemo, useRef, type RefObject } from "react";
 import { useSearchParams } from "react-router";
 import { toast } from "sonner";
 import { CategoryLabel, MaskedMatch, RuleLabel } from "./risk-ui";
@@ -241,6 +242,7 @@ export default function RiskEvents() {
         results={results}
         policyMessageById={policyMessageById}
         isExcluding={approveMutation.isPending}
+        scrollRef={containerRef}
         onSelectChat={setSelectedChatId}
         onExclude={handleExclude}
       />
@@ -274,6 +276,7 @@ function RiskEventsRows({
   results,
   policyMessageById,
   isExcluding,
+  scrollRef,
   onSelectChat,
   onExclude,
 }: {
@@ -282,9 +285,17 @@ function RiskEventsRows({
   results: RiskResult[];
   policyMessageById: Map<string, string>;
   isExcluding: boolean;
+  scrollRef: RefObject<HTMLDivElement | null>;
   onSelectChat: (chatId: string | null) => void;
   onExclude: (policyId: string, match: string, serverName?: string) => void;
 }) {
+  const rowVirtualizer = useVirtualizer({
+    count: results.length,
+    getScrollElement: () => scrollRef.current,
+    estimateSize: () => 52,
+    overscan: 12,
+  });
+
   if (error) {
     return (
       <div className="flex flex-col items-center gap-3 py-12">
@@ -327,18 +338,33 @@ function RiskEventsRows({
   }
 
   return (
-    <>
-      {results.map((result) => (
-        <RiskEventsRow
-          key={result.id}
-          result={result}
-          policyNote={policyMessageById.get(result.policyId)}
-          isExcluding={isExcluding}
-          onSelectChat={onSelectChat}
-          onExclude={onExclude}
-        />
-      ))}
-    </>
+    <div
+      className="relative w-full"
+      style={{ height: `${rowVirtualizer.getTotalSize()}px` }}
+    >
+      {rowVirtualizer.getVirtualItems().map((virtualRow) => {
+        const result = results[virtualRow.index];
+        if (!result) return null;
+
+        return (
+          <div
+            key={result.id}
+            ref={rowVirtualizer.measureElement}
+            data-index={virtualRow.index}
+            className="absolute top-0 left-0 w-full"
+            style={{ transform: `translateY(${virtualRow.start}px)` }}
+          >
+            <RiskEventsRow
+              result={result}
+              policyNote={policyMessageById.get(result.policyId)}
+              isExcluding={isExcluding}
+              onSelectChat={onSelectChat}
+              onExclude={onExclude}
+            />
+          </div>
+        );
+      })}
+    </div>
   );
 }
 

From 9ce8b2cc42a259018121c57e102617f0e408cc3a Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 15:55:39 -0700
Subject: [PATCH 16/18] fix: allow horizontal risk event scrolling

---
 client/dashboard/src/components/log-workbench.tsx  |  9 ++++++++-
 client/dashboard/src/pages/security/RiskEvents.tsx | 10 ++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/client/dashboard/src/components/log-workbench.tsx b/client/dashboard/src/components/log-workbench.tsx
index 454f78ff72..c336290156 100644
--- a/client/dashboard/src/components/log-workbench.tsx
+++ b/client/dashboard/src/components/log-workbench.tsx
@@ -13,6 +13,7 @@ export interface LogWorkbenchProps {
   detail?: React.ReactNode;
   onScroll?: React.UIEventHandler<HTMLDivElement>;
   scrollRef?: React.Ref<HTMLDivElement>;
+  surfaceClassName?: string;
   contentClassName?: string;
   className?: string;
 }
@@ -29,6 +30,7 @@ export function LogWorkbench({
   detail,
   onScroll,
   scrollRef,
+  surfaceClassName,
   contentClassName,
   className,
 }: LogWorkbenchProps) {
@@ -53,7 +55,12 @@ export function LogWorkbench({
         </div>
 
         <div className="min-h-0 flex-1 overflow-hidden border-t">
-          <div className="bg-background flex h-full flex-col">
+          <div
+            className={cn(
+              "bg-background flex h-full flex-col",
+              surfaceClassName,
+            )}
+          >
             {status}
             {header}
             <div
diff --git a/client/dashboard/src/pages/security/RiskEvents.tsx b/client/dashboard/src/pages/security/RiskEvents.tsx
index eca79dafb2..149e773144 100644
--- a/client/dashboard/src/pages/security/RiskEvents.tsx
+++ b/client/dashboard/src/pages/security/RiskEvents.tsx
@@ -202,7 +202,11 @@ export default function RiskEvents() {
           </div>
         ) : null
       }
-      header={<RiskEventsHeader />}
+      header={
+        <div className="min-w-[1120px]">
+          <RiskEventsHeader />
+        </div>
+      }
       footer={
         results.length > 0 ? (
           <RiskEventsFooter
@@ -235,6 +239,8 @@ export default function RiskEvents() {
       }
       scrollRef={containerRef}
       onScroll={handleScroll}
+      surfaceClassName="overflow-x-auto"
+      contentClassName="min-w-[1120px]"
     >
       <RiskEventsRows
         error={resultsQuery.error}
@@ -255,7 +261,7 @@ function RiskEventsHeader() {
     <div
       className={cn(
         RISK_EVENTS_GRID,
-        "bg-muted/30 text-muted-foreground shrink-0 items-center border-b px-8 py-2.5 text-xs font-medium tracking-wide",
+        "bg-muted/30 text-muted-foreground shrink-0 items-center border-b px-8 py-2.5 text-xs font-medium tracking-wide uppercase",
       )}
     >
       <div className="min-w-0">Timestamp</div>

From 955f0aa22c3691d73b7576f4b725205b4a5a168b Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 16:12:22 -0700
Subject: [PATCH 17/18] fix: use moonshine button slots

---
 .../src/pages/security/RiskEvents.tsx         | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/client/dashboard/src/pages/security/RiskEvents.tsx b/client/dashboard/src/pages/security/RiskEvents.tsx
index 149e773144..698b7f3c8a 100644
--- a/client/dashboard/src/pages/security/RiskEvents.tsx
+++ b/client/dashboard/src/pages/security/RiskEvents.tsx
@@ -169,10 +169,15 @@ export default function RiskEvents() {
           disabled={resultsQuery.isFetching}
           aria-label="Refresh risk events"
         >
-          <RefreshCw
-            className={cn("h-4 w-4", resultsQuery.isFetching && "animate-spin")}
-          />
-          Refresh
+          <Button.LeftIcon>
+            <RefreshCw
+              className={cn(
+                "h-4 w-4",
+                resultsQuery.isFetching && "animate-spin",
+              )}
+            />
+          </Button.LeftIcon>
+          <Button.Text>Refresh</Button.Text>
         </Button>
       }
       filters={
@@ -446,8 +451,10 @@ function RiskEventsRow({
             }}
             title="Exclude this MCP server from the policy"
           >
-            <ShieldOff className="h-3 w-3" />
-            <span className="text-xs">Exclude</span>
+            <Button.LeftIcon>
+              <ShieldOff className="h-3 w-3" />
+            </Button.LeftIcon>
+            <Button.Text>Exclude</Button.Text>
           </Button>
         ) : null}
       </div>

From ab0f1605b26aa689de8de1e16b3ae2907d948b43 Mon Sep 17 00:00:00 2001
From: Alex Martin <alex.martin@speakeasy.com>
Date: Mon, 18 May 2026 16:16:37 -0700
Subject: [PATCH 18/18] docs(changeset): Add a beta Risk Events log under Logs
 for reviewing and managing policy-flagged or blocked findings.

---
 .changeset/dark-webs-shave.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/dark-webs-shave.md

diff --git a/.changeset/dark-webs-shave.md b/.changeset/dark-webs-shave.md
new file mode 100644
index 0000000000..a552c56446
--- /dev/null
+++ b/.changeset/dark-webs-shave.md
@@ -0,0 +1,5 @@
+---
+"dashboard": minor
+---
+
+Add a beta Risk Events log under Logs for reviewing and managing policy-flagged or blocked findings.