From 4b02241f11ebc0979928f1b216674a9570eba545 Mon Sep 17 00:00:00 2001
From: Jean du Plessis <jean@kilocode.ai>
Date: Wed, 17 Jun 2026 20:24:52 +0200
Subject: [PATCH 1/3] feat(security-agent): add audit report UI

---
 apps/web/package.json                         |    3 +-
 .../[id]/security-agent/audit-report/page.tsx |   16 +
 .../[id]/security-agent/layout.tsx            |   12 +-
 .../[id]/security-agent/page.tsx              |    9 +-
 .../security-agent/audit-report/page.tsx      |   16 +
 .../src/app/(app)/security-agent/layout.tsx   |   11 +-
 .../web/src/app/(app)/security-agent/page.tsx |    9 +-
 apps/web/src/app/globals.css                  |  330 +-
 apps/web/src/app/layout.tsx                   |    6 +-
 .../DismissFindingDialog.test.ts              |   82 +
 .../security-agent/DismissFindingDialog.tsx   |   52 +-
 .../security-agent/FindingDetailDialog.tsx    | 3760 +++++++++++++----
 .../security-agent/RepositoryFilter.tsx       |   11 +-
 .../security-agent/SecurityAgentActionBar.tsx |   49 +
 .../SecurityAgentContext.test.ts              |   76 +
 .../security-agent/SecurityAgentContext.tsx   |  171 +-
 .../SecurityAgentGitHubInstallCta.tsx         |   28 +
 .../security-agent/SecurityAgentLayout.tsx    |  428 +-
 .../SecurityAuditReportPage.test.ts           |  443 ++
 .../SecurityAuditReportPage.tsx               | 1549 +++++++
 .../security-agent/SecurityConfigForm.tsx     |  264 +-
 .../security-agent/SecurityConfigPage.tsx     |   14 +-
 .../security-agent/SecurityConfigSections.tsx |    2 +-
 .../security-agent/SecurityDashboard.tsx      | 1186 +++++-
 .../security-agent/SecurityFindingRow.test.ts |  102 +
 .../security-agent/SecurityFindingRow.tsx     |  453 +-
 .../security-agent/SecurityFindingsCard.tsx   |  456 +-
 .../security-agent/SecurityFindingsPage.tsx   |   78 +-
 .../security-agent/dismiss-finding-form.ts    |   73 +
 .../manual-analysis-admission-copy.test.ts    |   75 +-
 .../manual-analysis-admission-copy.ts         |   37 +
 .../remediation-unavailable-copy.test.ts      |   27 +
 .../remediation-unavailable-copy.ts           |   26 +-
 ...ecurity-agent-command-invalidation.test.ts |    2 +-
 .../security-agent-command-invalidation.ts    |    1 +
 .../security-finding-list-presentation.ts     |  186 +
 apps/web/src/components/ui/accordion.tsx      |    4 +-
 apps/web/src/components/ui/badge.tsx          |    2 +-
 apps/web/src/components/ui/button.tsx         |   18 +-
 apps/web/src/components/ui/calendar.tsx       |  176 +
 apps/web/src/components/ui/progress.tsx       |    1 +
 pnpm-lock.yaml                                |  126 +-
 42 files changed, 8633 insertions(+), 1737 deletions(-)
 create mode 100644 apps/web/src/app/(app)/organizations/[id]/security-agent/audit-report/page.tsx
 create mode 100644 apps/web/src/app/(app)/security-agent/audit-report/page.tsx
 create mode 100644 apps/web/src/components/security-agent/DismissFindingDialog.test.ts
 create mode 100644 apps/web/src/components/security-agent/SecurityAgentActionBar.tsx
 create mode 100644 apps/web/src/components/security-agent/SecurityAgentGitHubInstallCta.tsx
 create mode 100644 apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts
 create mode 100644 apps/web/src/components/security-agent/SecurityAuditReportPage.tsx
 create mode 100644 apps/web/src/components/security-agent/SecurityFindingRow.test.ts
 create mode 100644 apps/web/src/components/security-agent/dismiss-finding-form.ts
 create mode 100644 apps/web/src/components/security-agent/remediation-unavailable-copy.test.ts
 create mode 100644 apps/web/src/components/security-agent/security-finding-list-presentation.ts
 create mode 100644 apps/web/src/components/ui/calendar.tsx

diff --git a/apps/web/package.json b/apps/web/package.json
index a89e29b9a..2d4801cb0 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -51,9 +51,9 @@
     "@kilocode/event-service": "workspace:*",
     "@kilocode/kilo-chat": "workspace:*",
     "@kilocode/kilo-chat-hooks": "workspace:*",
-    "@kilocode/mcp-gateway": "workspace:*",
     "@kilocode/kiloclaw-instance-tiers": "workspace:*",
     "@kilocode/kiloclaw-secret-catalog": "workspace:*",
+    "@kilocode/mcp-gateway": "workspace:*",
     "@kilocode/organization-entitlement": "workspace:*",
     "@kilocode/worker-utils": "workspace:*",
     "@linear/sdk": "76.0.0",
@@ -151,6 +151,7 @@
     "posthog-node": "5.10.4",
     "react": "19.2.6",
     "react-countup": "6.5.3",
+    "react-day-picker": "10.0.1",
     "react-dom": "19.2.6",
     "react-markdown": "10.1.0",
     "react-turnstile": "1.1.5",
diff --git a/apps/web/src/app/(app)/organizations/[id]/security-agent/audit-report/page.tsx b/apps/web/src/app/(app)/organizations/[id]/security-agent/audit-report/page.tsx
new file mode 100644
index 000000000..4384ebd19
--- /dev/null
+++ b/apps/web/src/app/(app)/organizations/[id]/security-agent/audit-report/page.tsx
@@ -0,0 +1,16 @@
+import { Suspense } from 'react';
+import { SecurityAuditReportPage } from '@/components/security-agent/SecurityAuditReportPage';
+
+export default function OrgAuditReportPage() {
+  return (
+    <Suspense
+      fallback={
+        <div className="text-muted-foreground block py-16 text-center text-sm">
+          Loading audit report...
+        </div>
+      }
+    >
+      <SecurityAuditReportPage />
+    </Suspense>
+  );
+}
diff --git a/apps/web/src/app/(app)/organizations/[id]/security-agent/layout.tsx b/apps/web/src/app/(app)/organizations/[id]/security-agent/layout.tsx
index 638507712..f068dd0d0 100644
--- a/apps/web/src/app/(app)/organizations/[id]/security-agent/layout.tsx
+++ b/apps/web/src/app/(app)/organizations/[id]/security-agent/layout.tsx
@@ -1,11 +1,10 @@
-import { PageContainer } from '@/components/layouts/PageContainer';
 import { OrganizationByPageLayout } from '@/components/organizations/OrganizationByPageLayout';
 import { SecurityAgentLayout } from '@/components/security-agent/SecurityAgentLayout';
 import { SecurityAgentProvider } from '@/components/security-agent/SecurityAgentContext';
 
 export const metadata = {
   title: 'Security Agent | Kilo Code',
-  description: 'Monitor and manage Dependabot security alerts',
+  description: 'Monitor and manage Security Findings synced from Dependabot',
 };
 
 type LayoutProps = {
@@ -17,12 +16,11 @@ export default async function OrgSecurityAgentLayout({ params, children }: Layou
   return (
     <OrganizationByPageLayout
       params={params}
+      fullBleed
       render={({ organization }) => (
-        <PageContainer>
-          <SecurityAgentProvider organizationId={organization.id}>
-            <SecurityAgentLayout>{children}</SecurityAgentLayout>
-          </SecurityAgentProvider>
-        </PageContainer>
+        <SecurityAgentProvider organizationId={organization.id}>
+          <SecurityAgentLayout>{children}</SecurityAgentLayout>
+        </SecurityAgentProvider>
       )}
     />
   );
diff --git a/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx b/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx
index 537010dd3..9974b42d9 100644
--- a/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx
+++ b/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx
@@ -7,10 +7,13 @@ import { useSecurityAgent } from '@/components/security-agent/SecurityAgentConte
 import { SecurityDashboard } from '@/components/security-agent/SecurityDashboard';
 
 export default function OrgSecurityAgentDashboardPage() {
-  const { hasIntegration, isEnabled, isLoadingConfig, organizationId } = useSecurityAgent();
+  const { hasIntegration, isEnabled, isLoadingConfig, isLoadingPermission, organizationId } =
+    useSecurityAgent();
   const router = useRouter();
 
-  const shouldRedirectToConfig = hasIntegration && isEnabled === false && !!organizationId;
+  const shouldRedirectToConfig =
+    !!organizationId &&
+    ((!isLoadingPermission && !hasIntegration) || (hasIntegration && isEnabled === false));
 
   useEffect(() => {
     if (shouldRedirectToConfig) {
@@ -26,7 +29,7 @@ export default function OrgSecurityAgentDashboardPage() {
     );
   }
 
-  if (hasIntegration && isLoadingConfig) {
+  if (isLoadingPermission || (hasIntegration && isLoadingConfig)) {
     return (
       <div className="text-muted-foreground flex items-center justify-center gap-2 py-16 text-sm">
         <Loader2 className="size-6 animate-spin motion-reduce:animate-none" aria-hidden="true" />
diff --git a/apps/web/src/app/(app)/security-agent/audit-report/page.tsx b/apps/web/src/app/(app)/security-agent/audit-report/page.tsx
new file mode 100644
index 000000000..5254f9e95
--- /dev/null
+++ b/apps/web/src/app/(app)/security-agent/audit-report/page.tsx
@@ -0,0 +1,16 @@
+import { Suspense } from 'react';
+import { SecurityAuditReportPage } from '@/components/security-agent/SecurityAuditReportPage';
+
+export default function AuditReportPage() {
+  return (
+    <Suspense
+      fallback={
+        <div className="text-muted-foreground block py-16 text-center text-sm">
+          Loading audit report...
+        </div>
+      }
+    >
+      <SecurityAuditReportPage />
+    </Suspense>
+  );
+}
diff --git a/apps/web/src/app/(app)/security-agent/layout.tsx b/apps/web/src/app/(app)/security-agent/layout.tsx
index 0ecdea21c..1e8336b45 100644
--- a/apps/web/src/app/(app)/security-agent/layout.tsx
+++ b/apps/web/src/app/(app)/security-agent/layout.tsx
@@ -1,18 +1,15 @@
-import { PageContainer } from '@/components/layouts/PageContainer';
 import { SecurityAgentLayout } from '@/components/security-agent/SecurityAgentLayout';
 import { SecurityAgentProvider } from '@/components/security-agent/SecurityAgentContext';
 
 export const metadata = {
   title: 'Security Agent | Kilo Code',
-  description: 'Monitor and manage Dependabot security alerts',
+  description: 'Monitor and manage Security Findings synced from Dependabot',
 };
 
 export default function SecurityAgentRootLayout({ children }: { children: React.ReactNode }) {
   return (
-    <PageContainer>
-      <SecurityAgentProvider>
-        <SecurityAgentLayout>{children}</SecurityAgentLayout>
-      </SecurityAgentProvider>
-    </PageContainer>
+    <SecurityAgentProvider>
+      <SecurityAgentLayout>{children}</SecurityAgentLayout>
+    </SecurityAgentProvider>
   );
 }
diff --git a/apps/web/src/app/(app)/security-agent/page.tsx b/apps/web/src/app/(app)/security-agent/page.tsx
index 3c5033dcf..6fddb31b3 100644
--- a/apps/web/src/app/(app)/security-agent/page.tsx
+++ b/apps/web/src/app/(app)/security-agent/page.tsx
@@ -7,15 +7,16 @@ import { useSecurityAgent } from '@/components/security-agent/SecurityAgentConte
 import { SecurityDashboard } from '@/components/security-agent/SecurityDashboard';
 
 export default function SecurityAgentDashboardPage() {
-  const { hasIntegration, isEnabled, isLoadingConfig } = useSecurityAgent();
+  const { hasIntegration, isEnabled, isLoadingConfig, isLoadingPermission } = useSecurityAgent();
   const router = useRouter();
 
   // Redirect per truth table:
-  // No integration -> show dashboard with install CTA (handled by SecurityDashboard)
+  // No integration -> redirect to settings with install CTA
   // Installed + disabled -> redirect to config
   // Installed + enabled -> show dashboard
   // isEnabled is undefined while config is loading — wait before deciding
-  const shouldRedirectToConfig = hasIntegration && isEnabled === false;
+  const shouldRedirectToConfig =
+    (!isLoadingPermission && !hasIntegration) || (hasIntegration && isEnabled === false);
 
   useEffect(() => {
     if (shouldRedirectToConfig) {
@@ -31,7 +32,7 @@ export default function SecurityAgentDashboardPage() {
     );
   }
 
-  if (hasIntegration && isLoadingConfig) {
+  if (isLoadingPermission || (hasIntegration && isLoadingConfig)) {
     return (
       <div className="text-muted-foreground flex items-center justify-center gap-2 py-16 text-sm">
         <Loader2 className="size-6 animate-spin motion-reduce:animate-none" aria-hidden="true" />
diff --git a/apps/web/src/app/globals.css b/apps/web/src/app/globals.css
index 5ab1625fa..515d8d5b5 100644
--- a/apps/web/src/app/globals.css
+++ b/apps/web/src/app/globals.css
@@ -40,8 +40,8 @@
 @theme inline {
   --color-background: var(--background);
   --color-foreground: var(--foreground);
-  --font-sans: var(--font-geist-sans);
-  --font-mono: var(--font-geist-mono);
+  --font-sans: var(--font-sans-loaded);
+  --font-mono: var(--font-mono-loaded);
   --color-sidebar-ring: var(--sidebar-ring);
   --color-sidebar-border: var(--sidebar-border);
   --color-sidebar-accent-foreground: var(--sidebar-accent-foreground);
@@ -57,27 +57,73 @@
   --color-chart-1: var(--chart-1);
   --color-ring: var(--ring);
   --color-input: var(--input);
+  --color-input-background: var(--input-background);
   --color-border: var(--border);
+  --color-border-strong: var(--border-strong);
   --color-destructive: var(--destructive);
+  --color-destructive-hover: var(--destructive-hover);
+  --color-destructive-foreground: var(--destructive-foreground);
   --color-accent-foreground: var(--accent-foreground);
   --color-accent: var(--accent);
   --color-muted-foreground: var(--muted-foreground);
+  --color-foreground-subtle: var(--foreground-subtle);
   --color-muted: var(--muted);
   --color-secondary-foreground: var(--secondary-foreground);
   --color-secondary: var(--secondary);
   --color-primary-foreground: var(--primary-foreground);
+  --color-primary-hover: var(--brand-primary-hover);
   --color-primary: var(--primary);
+  --color-link-hover: var(--link-hover);
+  --color-link: var(--link);
   --color-popover-foreground: var(--popover-foreground);
   --color-popover: var(--popover);
   --color-card-foreground: var(--card-foreground);
   --color-card: var(--card);
-  --radius-sm: calc(var(--radius) - 4px);
-  --radius-md: calc(var(--radius) - 2px);
-  --radius-lg: var(--radius);
-  --radius-xl: calc(var(--radius) + 4px);
+  --color-surface-inset: var(--surface-inset);
+  --color-surface-background: var(--surface-background);
+  --color-surface-raised: var(--surface-raised);
+  --color-surface-overlay: var(--surface-overlay);
+  --color-surface-hover: var(--surface-hover);
+  --color-surface-selected: var(--surface-selected);
+  --color-status-success: var(--status-success-foreground);
+  --color-status-success-icon: var(--status-success-icon);
+  --color-status-success-surface: var(--status-success-surface);
+  --color-status-success-border: var(--status-success-border);
+  --color-status-warning: var(--status-warning-foreground);
+  --color-status-warning-icon: var(--status-warning-icon);
+  --color-status-warning-surface: var(--status-warning-surface);
+  --color-status-warning-border: var(--status-warning-border);
+  --color-status-destructive: var(--status-destructive-foreground);
+  --color-status-destructive-icon: var(--status-destructive-icon);
+  --color-status-destructive-surface: var(--status-destructive-surface);
+  --color-status-destructive-border: var(--status-destructive-border);
+  --color-status-neutral: var(--status-neutral-foreground);
+  --color-status-neutral-icon: var(--status-neutral-icon);
+  --color-status-neutral-surface: var(--status-neutral-surface);
+  --color-status-neutral-border: var(--status-neutral-border);
+  --color-syntax-plain: var(--syntax-plain);
+  --color-syntax-comment: var(--syntax-comment);
+  --color-syntax-keyword: var(--syntax-keyword);
+  --color-syntax-string: var(--syntax-string);
+  --color-syntax-number: var(--syntax-number);
+  --color-syntax-function: var(--syntax-function);
+  --color-syntax-type: var(--syntax-type);
+  --color-syntax-property: var(--syntax-property);
+  --color-syntax-constant: var(--syntax-constant);
+  --color-syntax-operator: var(--syntax-operator);
+  --color-diff-add-text: var(--diff-add-text);
+  --color-diff-add-surface: var(--diff-add-surface);
+  --color-diff-delete-text: var(--diff-delete-text);
+  --color-diff-delete-surface: var(--diff-delete-surface);
+  --radius-sm: var(--radius-token-sm);
+  --radius-md: var(--radius-token-md);
+  --radius-lg: var(--radius-token-lg);
+  --radius-xl: var(--radius-token-xl);
   --color-kilo-gray: var(--color-kilo-gray);
   --color-kilo-gray-lighter: var(--color-kilo-gray-lighter);
   --color-brand-primary: var(--brand-primary);
+  --color-brand-primary-hover: var(--brand-primary-hover);
+  --color-brand-primary-ring: var(--brand-primary-ring);
   --ease-out-strong: cubic-bezier(0.23, 1, 0.32, 1);
 }
 
@@ -99,14 +145,6 @@
   }
 }
 
-@layer utilities {
-  /* Your custom styles below */
-
-  :root {
-    --background: #ffffff;
-    --foreground: #171717;
-  }
-}
 @utility prose {
   code {
     &::before,
@@ -123,48 +161,236 @@
   -o-user-drag: none;
   user-drag: none;
 }
+
+@utility type-title {
+  font-family: var(--font-sans-loaded, 'Inter', ui-sans-serif, system-ui, sans-serif);
+  font-size: 1.5rem;
+  font-weight: 600;
+  line-height: 1.2;
+  letter-spacing: -0.015em;
+}
+
+@utility type-heading {
+  font-family: var(--font-sans-loaded, 'Inter', ui-sans-serif, system-ui, sans-serif);
+  font-size: 1.125rem;
+  font-weight: 600;
+  line-height: 1.25;
+  letter-spacing: -0.01em;
+}
+
+@utility type-body-lg {
+  font-family: var(--font-sans-loaded, 'Inter', ui-sans-serif, system-ui, sans-serif);
+  font-size: 1rem;
+  font-weight: 400;
+  line-height: 1.5;
+}
+
+@utility type-body {
+  font-family: var(--font-sans-loaded, 'Inter', ui-sans-serif, system-ui, sans-serif);
+  font-size: 0.875rem;
+  font-weight: 400;
+  line-height: 1.5;
+}
+
+@utility type-label {
+  font-family: var(--font-sans-loaded, 'Inter', ui-sans-serif, system-ui, sans-serif);
+  font-size: 0.75rem;
+  font-weight: 500;
+  line-height: 1.4;
+}
+
+@utility type-eyebrow {
+  font-family: var(--font-sans-loaded, 'Inter', ui-sans-serif, system-ui, sans-serif);
+  font-size: 0.6875rem;
+  font-weight: 500;
+  line-height: 1.2;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+}
+
+@utility type-code {
+  font-family: var(--font-mono-loaded, 'Roboto Mono', ui-monospace, monospace) !important;
+  font-size: 0.875rem !important;
+  font-weight: 400 !important;
+  line-height: 1.5 !important;
+}
+
+@utility size-control-touch {
+  width: var(--control-size-touch);
+  height: var(--control-size-touch);
+}
+
+@utility h-control-touch {
+  height: var(--control-size-touch);
+}
+
+@utility min-h-control-touch {
+  min-height: var(--control-size-touch);
+}
+
+@utility size-control-default {
+  width: var(--control-size-default);
+  height: var(--control-size-default);
+}
+
+@utility h-control-default {
+  height: var(--control-size-default);
+}
+
+@utility size-icon-sm {
+  width: var(--icon-size-sm);
+  height: var(--icon-size-sm);
+}
+
+@utility px-status {
+  padding-inline: var(--status-padding-inline);
+}
+
+@utility gap-hairline {
+  gap: var(--spacing-hairline);
+}
+
 /*
   ---break---
 */
 
 :root {
-  --radius: 0.625rem;
-  --background: oklch(0.145 0 0);
-  --foreground: oklch(0.985 0 0);
-  --card: oklch(0.205 0 0);
-  --card-foreground: oklch(0.985 0 0);
-  --popover: oklch(0.205 0 0);
-  --popover-foreground: oklch(0.985 0 0);
-  --primary: oklch(0.922 0 0);
-  --primary-foreground: oklch(0.205 0 0);
-  --secondary: oklch(0.269 0 0);
-  --secondary-foreground: oklch(0.985 0 0);
-  --muted: oklch(0.269 0 0);
-  --muted-foreground: oklch(0.708 0 0);
-  --accent: oklch(0.269 0 0);
-  --accent-foreground: oklch(0.985 0 0);
-  --destructive: oklch(0.704 0.191 22.216);
-  --border: oklch(1 0 0 / 10%);
-  --input: oklch(1 0 0 / 15%);
-  --ring: oklch(0.556 0 0);
-  --chart-1: oklch(0.488 0.243 264.376);
-  --chart-2: oklch(0.696 0.17 162.48);
-  --chart-3: oklch(0.769 0.188 70.08);
-  --chart-4: oklch(0.627 0.265 303.9);
-  --chart-5: oklch(0.645 0.246 16.439);
-  --sidebar: oklch(0.205 0 0);
-  --sidebar-foreground: oklch(0.985 0 0);
-  --sidebar-primary: oklch(0.488 0.243 264.376);
-  --sidebar-primary-foreground: oklch(0.985 0 0);
-  --sidebar-accent: oklch(0.269 0 0);
-  --sidebar-accent-foreground: oklch(0.985 0 0);
-  --sidebar-border: oklch(1 0 0 / 10%);
-  --sidebar-ring: oklch(0.556 0 0);
-  --color-kilo-gray: oklch(0.24 0.007 1);
-  --color-kilo-gray-lighter: oklch(from var(--color-kilo-gray) calc(l + 0.1) c h);
-
-  /* BRAND COLORS */
-  --brand-primary: oklch(95% 0.15 108);
+  --radius: 10px;
+  --radius-token-sm: 4px;
+  --radius-token-md: 8px;
+  --radius-token-lg: 10px;
+  --radius-token-xl: 14px;
+
+  --surface-inset: #101010;
+  --surface-background: #151515;
+  --surface-raised: #202020;
+  --surface-overlay: #333333;
+  --surface-hover: #3a3a3a;
+  --surface-selected: #454545;
+
+  --foreground-default: #fafafa;
+  --foreground-muted: #a3a3a3;
+  --foreground-subtle: #7a7a7a;
+  --foreground-on-secondary: #fafafa;
+  --foreground-on-destructive: #ffffff;
+
+  --border-default: #ffffff1a;
+  --border-strong: #ffffff2e;
+  --input-background: #ffffff0a;
+
+  --brand-primary: #f7f586;
+  --brand-primary-hover: #e6e475;
+  --brand-primary-ring: #f7f58659;
+  --brand-foreground: #1f1f1f;
+  --link: #60a5fa;
+  --link-hover: #93c5fd;
+
+  --status-blue-300: #93c5fd;
+  --status-blue-400: #60a5fa;
+  --status-blue-500: #3b82f6;
+  --status-blue-600: #2563eb;
+  --status-purple-300: #d8b4fe;
+  --status-purple-400: #c084fc;
+  --status-purple-500: #a855f7;
+  --status-purple-600: #9333ea;
+  --status-teal-300: #4ce7d7;
+  --status-teal-400: #00d4c2;
+  --status-teal-500: #00baa9;
+  --status-teal-600: #009689;
+  --status-gray-300: #d4d4d8;
+  --status-gray-400: #a1a1aa;
+  --status-gray-500: #71717a;
+  --status-gray-600: #52525b;
+  --status-orange-300: #fdba74;
+  --status-orange-400: #fb923c;
+  --status-orange-500: #f97316;
+  --status-orange-600: #ea580c;
+  --status-green-300: #86efac;
+  --status-green-400: #4ade80;
+  --status-green-500: #22c55e;
+  --status-green-600: #16a34a;
+  --status-yellow-300: #fdd94a;
+  --status-yellow-400: #fbc51c;
+  --status-yellow-500: #f0a900;
+  --status-yellow-600: #d28100;
+  --status-red-300: #fca5a5;
+  --status-red-400: #f87171;
+  --status-red-500: #ef4444;
+  --status-red-600: #dc2626;
+
+  --status-success-foreground: var(--status-green-300);
+  --status-success-icon: var(--status-green-400);
+  --status-success-surface: #22c55e1a;
+  --status-success-border: #22c55e33;
+  --status-warning-foreground: var(--status-yellow-300);
+  --status-warning-icon: var(--status-yellow-400);
+  --status-warning-surface: #f0a9001a;
+  --status-warning-border: #f0a90033;
+  --status-destructive-foreground: var(--status-red-300);
+  --status-destructive-icon: var(--status-red-400);
+  --status-destructive-surface: #ef44441a;
+  --status-destructive-border: #ef444433;
+  --status-neutral-foreground: var(--foreground-default);
+  --status-neutral-icon: var(--foreground-muted);
+  --status-neutral-surface: var(--surface-overlay);
+  --status-neutral-border: var(--border-default);
+
+  --syntax-plain: #e8e8e8;
+  --syntax-comment: #7a7a7a;
+  --syntax-keyword: #ff9ae2;
+  --syntax-string: #ecf58c;
+  --syntax-number: #f2b36b;
+  --syntax-function: #93e9f6;
+  --syntax-type: #00ceb9;
+  --syntax-property: #9cdcfe;
+  --syntax-constant: #c792ea;
+  --syntax-operator: #a3a3a3;
+  --diff-add-text: #9bcd97;
+  --diff-add-surface: #1a2919;
+  --diff-delete-text: #fc533a;
+  --diff-delete-surface: #42120b;
+
+  --control-size-touch: 44px;
+  --control-size-default: 36px;
+  --icon-size-sm: 14px;
+  --status-padding-inline: 10px;
+  --spacing-hairline: 1px;
+
+  --background: var(--surface-background);
+  --foreground: var(--foreground-default);
+  --card: var(--surface-raised);
+  --card-foreground: var(--foreground-default);
+  --popover: var(--surface-overlay);
+  --popover-foreground: var(--foreground-default);
+  --primary: var(--brand-primary);
+  --primary-foreground: var(--brand-foreground);
+  --secondary: var(--surface-overlay);
+  --secondary-foreground: var(--foreground-on-secondary);
+  --muted: var(--surface-raised);
+  --muted-foreground: var(--foreground-muted);
+  --accent: var(--surface-hover);
+  --accent-foreground: var(--foreground-default);
+  --destructive: var(--status-red-500);
+  --destructive-hover: var(--status-red-600);
+  --destructive-foreground: var(--foreground-on-destructive);
+  --border: var(--border-default);
+  --input: var(--border-strong);
+  --ring: var(--brand-primary-ring);
+  --chart-1: var(--status-blue-500);
+  --chart-2: var(--status-teal-500);
+  --chart-3: var(--status-orange-500);
+  --chart-4: var(--status-purple-500);
+  --chart-5: var(--status-red-500);
+  --sidebar: var(--surface-raised);
+  --sidebar-foreground: var(--foreground-default);
+  --sidebar-primary: var(--brand-primary);
+  --sidebar-primary-foreground: var(--brand-foreground);
+  --sidebar-accent: var(--surface-hover);
+  --sidebar-accent-foreground: var(--foreground-default);
+  --sidebar-border: var(--border-default);
+  --sidebar-ring: var(--brand-primary-ring);
+  --color-kilo-gray: var(--surface-raised);
+  --color-kilo-gray-lighter: var(--surface-overlay);
   --color-brand-primary: var(--brand-primary);
 }
 
@@ -174,7 +400,7 @@
 
 @layer base {
   * {
-    @apply border-border outline-ring/50;
+    @apply border-border outline-ring;
     color-scheme: dark;
   }
   html {
diff --git a/apps/web/src/app/layout.tsx b/apps/web/src/app/layout.tsx
index 2943ba309..eab7990fe 100644
--- a/apps/web/src/app/layout.tsx
+++ b/apps/web/src/app/layout.tsx
@@ -11,13 +11,13 @@ import { APP_URL } from '@/lib/constants';
 const inter = Inter({
   subsets: ['latin'],
   display: 'swap',
-  variable: '--font-sans',
+  variable: '--font-sans-loaded',
 });
 
 const mono = Roboto_Mono({
   subsets: ['latin'],
   display: 'swap',
-  variable: '--font-mono',
+  variable: '--font-mono-loaded',
 });
 
 const jetbrainsMono = JetBrains_Mono({
@@ -103,7 +103,7 @@ export default function RootLayout({
     <html
       suppressHydrationWarning
       lang="en"
-      className={`${inter.variable} ${mono.variable} ${jetbrainsMono.variable} antialiased`}
+      className={`${inter.variable} ${mono.variable} ${jetbrainsMono.variable} font-sans antialiased`}
     >
       <head />
       <body>
diff --git a/apps/web/src/components/security-agent/DismissFindingDialog.test.ts b/apps/web/src/components/security-agent/DismissFindingDialog.test.ts
new file mode 100644
index 000000000..6080b3ddb
--- /dev/null
+++ b/apps/web/src/components/security-agent/DismissFindingDialog.test.ts
@@ -0,0 +1,82 @@
+import type { SecurityFindingAnalysis } from '@kilocode/db/schema-types';
+import { getDismissFindingFormDefaults } from './dismiss-finding-form';
+
+const triageDismissAnalysis = {
+  analyzedAt: '2026-06-16T12:00:00.000Z',
+  triage: {
+    needsSandboxAnalysis: false,
+    needsSandboxReasoning: 'Package is only used by an inactive development tool.',
+    suggestedAction: 'dismiss',
+    confidence: 'high',
+    triageAt: '2026-06-16T12:00:00.000Z',
+  },
+} satisfies SecurityFindingAnalysis;
+
+const sandboxNotExploitableAnalysis = {
+  ...triageDismissAnalysis,
+  analyzedAt: '2026-06-16T12:05:00.000Z',
+  sandboxAnalysis: {
+    isExploitable: false,
+    exploitabilityReasoning: 'No vulnerable code path is reachable in this repository.',
+    usageLocations: [],
+    suggestedFix: 'No change needed.',
+    suggestedAction: 'open_pr',
+    summary: 'Dependency is not used by application code.',
+    rawMarkdown: 'Analysis details',
+    analysisAt: '2026-06-16T12:05:00.000Z',
+  },
+} satisfies SecurityFindingAnalysis;
+
+describe('getDismissFindingFormDefaults', () => {
+  it('uses empty defaults when analysis is unavailable', () => {
+    expect(getDismissFindingFormDefaults(null)).toEqual({
+      reason: 'not_used',
+      comment: '',
+    });
+  });
+
+  it('uses non-exploitable sandbox reasoning when analysis recommends opening a PR', () => {
+    expect(getDismissFindingFormDefaults(sandboxNotExploitableAnalysis)).toEqual({
+      reason: 'not_used',
+      comment: 'No vulnerable code path is reachable in this repository.',
+    });
+  });
+
+  it('uses triage dismissal reasoning when sandbox analysis is unavailable', () => {
+    expect(getDismissFindingFormDefaults(triageDismissAnalysis)).toEqual({
+      reason: 'not_used',
+      comment: 'Package is only used by an inactive development tool.',
+    });
+  });
+
+  it('does not use stale triage reasoning when sandbox analysis finds exploitability', () => {
+    const conflictingAnalysis = {
+      ...sandboxNotExploitableAnalysis,
+      sandboxAnalysis: {
+        ...sandboxNotExploitableAnalysis.sandboxAnalysis,
+        isExploitable: true,
+        suggestedAction: 'open_pr',
+      },
+    } satisfies SecurityFindingAnalysis;
+
+    expect(getDismissFindingFormDefaults(conflictingAnalysis)).toEqual({
+      reason: 'not_used',
+      comment: '',
+    });
+  });
+
+  it('limits generated comments to GitHub dismissal constraints', () => {
+    const longReasoningAnalysis = {
+      ...sandboxNotExploitableAnalysis,
+      sandboxAnalysis: {
+        ...sandboxNotExploitableAnalysis.sandboxAnalysis,
+        exploitabilityReasoning: 'x'.repeat(300),
+      },
+    } satisfies SecurityFindingAnalysis;
+
+    const defaults = getDismissFindingFormDefaults(longReasoningAnalysis);
+
+    expect(defaults.comment).toHaveLength(280);
+    expect(defaults.comment).toBe(`${'x'.repeat(279)}…`);
+  });
+});
diff --git a/apps/web/src/components/security-agent/DismissFindingDialog.tsx b/apps/web/src/components/security-agent/DismissFindingDialog.tsx
index 1319d883c..7930525ce 100644
--- a/apps/web/src/components/security-agent/DismissFindingDialog.tsx
+++ b/apps/web/src/components/security-agent/DismissFindingDialog.tsx
@@ -16,42 +16,17 @@ import { RadioGroup, RadioGroupItem } from '@/components/ui/radio-group';
 import { AlertTriangle } from 'lucide-react';
 import type { SecurityFinding } from '@kilocode/db/schema';
 import { securityAgentCommandAdmissionCopy } from './security-agent-command-copy';
+import {
+  DISMISS_REASONS,
+  getDismissFindingFormDefaults,
+  MAX_DISMISS_COMMENT_LENGTH,
+  type DismissReason,
+} from './dismiss-finding-form';
 
-// GitHub Dependabot dismiss reasons
-const DISMISS_REASONS = [
-  {
-    value: 'fix_started',
-    label: 'Fix started',
-    description: 'A fix for this vulnerability has been started',
-  },
-  {
-    value: 'no_bandwidth',
-    label: 'No bandwidth',
-    description: 'No bandwidth to fix this vulnerability at this time',
-  },
-  {
-    value: 'tolerable_risk',
-    label: 'Tolerable risk',
-    description: 'The risk is tolerable for this project',
-  },
-  {
-    value: 'inaccurate',
-    label: 'Inaccurate',
-    description: 'This alert is inaccurate or incorrect',
-  },
-  {
-    value: 'not_used',
-    label: 'Not used',
-    description: 'This vulnerable code is not actually used',
-  },
-] as const;
-
-type DismissReason = (typeof DISMISS_REASONS)[number]['value'];
-
-const DISMISS_REASON_VALUES = DISMISS_REASONS.map(r => r.value);
+const DISMISS_REASON_VALUES = new Set<string>(DISMISS_REASONS.map(reason => reason.value));
 
 function isDismissReason(value: string): value is DismissReason {
-  return DISMISS_REASON_VALUES.includes(value as DismissReason);
+  return DISMISS_REASON_VALUES.has(value);
 }
 
 type DismissFindingDialogProps = {
@@ -69,8 +44,9 @@ export function DismissFindingDialog({
   onDismiss,
   isLoading,
 }: DismissFindingDialogProps) {
-  const [reason, setReason] = useState<DismissReason>('not_used');
-  const [comment, setComment] = useState('');
+  const formDefaults = getDismissFindingFormDefaults(finding?.analysis);
+  const [reason, setReason] = useState<DismissReason>(formDefaults.reason);
+  const [comment, setComment] = useState(formDefaults.comment);
 
   const handleSubmit = () => {
     onDismiss(reason, comment || undefined);
@@ -78,9 +54,8 @@ export function DismissFindingDialog({
 
   const handleOpenChange = (newOpen: boolean) => {
     if (!newOpen) {
-      // Reset form when closing
-      setReason('not_used');
-      setComment('');
+      setReason(formDefaults.reason);
+      setComment(formDefaults.comment);
     }
     onOpenChange(newOpen);
   };
@@ -144,6 +119,7 @@ export function DismissFindingDialog({
               placeholder="Add context for this dismissal"
               value={comment}
               onChange={e => setComment(e.target.value)}
+              maxLength={MAX_DISMISS_COMMENT_LENGTH}
               rows={3}
             />
           </div>
diff --git a/apps/web/src/components/security-agent/FindingDetailDialog.tsx b/apps/web/src/components/security-agent/FindingDetailDialog.tsx
index 66ef9a0d9..7ea8adb7a 100644
--- a/apps/web/src/components/security-agent/FindingDetailDialog.tsx
+++ b/apps/web/src/components/security-agent/FindingDetailDialog.tsx
@@ -1,781 +1,2946 @@
 'use client';
 
+import { useEffect, useRef, useState, type ReactNode } from 'react';
+import {
+  Accordion,
+  AccordionContent,
+  AccordionItem,
+  AccordionTrigger,
+} from '@/components/ui/accordion';
+import {
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogTitle,
+  AlertDialogTrigger,
+} from '@/components/ui/alert-dialog';
+import { Badge } from '@/components/ui/badge';
+import { Button } from '@/components/ui/button';
 import {
   Dialog,
+  DialogClose,
   DialogContent,
   DialogDescription,
-  DialogHeader,
   DialogTitle,
 } from '@/components/ui/dialog';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs';
-import { Badge } from '@/components/ui/badge';
-import { Button } from '@/components/ui/button';
-import { SeverityBadge } from './SeverityBadge';
-import { FindingStatusBadge } from './FindingStatusBadge';
-import { ExploitabilityBadge } from './ExploitabilityBadge';
-import { MarkdownProse } from './MarkdownProse';
-import { format, formatDistanceToNow, isPast } from 'date-fns';
+import { cn } from '@/lib/utils';
+import { useTRPC } from '@/lib/trpc/utils';
+import { useQuery } from '@tanstack/react-query';
+import type { SecurityFinding } from '@kilocode/db/schema';
+import { formatDistanceToNow, isPast } from 'date-fns';
 import {
+  Ban,
+  Brain,
+  Check,
+  CheckCircle2,
+  CircleHelp,
+  Clock3,
   ExternalLink,
+  FileCheck2,
+  FileCode2,
+  FileWarning,
+  GitBranch,
+  GitMerge,
+  GitPullRequest,
+  Info,
+  Loader2,
   Package,
-  Clock,
-  CheckCircle2,
+  RefreshCw,
+  Search,
+  ShieldAlert,
+  ShieldCheck,
+  Sparkles,
+  Square,
+  TriangleAlert,
+  UserRound,
+  Wrench,
+  X,
   XCircle,
-  Brain,
-  Loader2,
-  Zap,
-  GitPullRequest,
-  RotateCw,
-  AlertCircle,
+  type LucideIcon,
 } from 'lucide-react';
-import type { SecurityFinding } from '@kilocode/db/schema';
-import { useTRPC } from '@/lib/trpc/utils';
-import { useQuery } from '@tanstack/react-query';
 import Link from 'next/link';
+import { MarkdownProse } from './MarkdownProse';
 import { useSecurityAgent } from './SecurityAgentContext';
-import { securityAgentCommandAdmissionCopy } from './security-agent-command-copy';
-import { manualAnalysisAdmissionCopy } from './manual-analysis-admission-copy';
-import type { SecurityFindingWithRemediation } from './SecurityFindingRow';
-import { getRemediationUnavailableCopy } from './remediation-unavailable-copy';
+import {
+  isAwaitingManualAnalysisAdmission,
+  manualAnalysisAdmissionCopy,
+  manualAnalysisCapacityFullCopy,
+} from './manual-analysis-admission-copy';
+import {
+  getRemediationUnavailableCopy,
+  isCodebaseAnalysisRequiredReason,
+} from './remediation-unavailable-copy';
+import type { SecurityFindingWithRemediation } from '@/lib/security-agent/db/security-remediation';
 
-type Severity = 'critical' | 'high' | 'medium' | 'low';
 type FindingAnalysis = SecurityFinding['analysis'];
-type StartAnalysis = (options?: { forceSandbox?: boolean; retrySandboxOnly?: boolean }) => void;
-
-const ANALYSIS_POLL_INTERVAL_MS = 3000;
-const statusPanelClassName = 'rounded-lg border border-border bg-muted/40 p-3';
-const linkClassName =
-  'text-muted-foreground hover:text-foreground focus-visible:ring-ring inline-flex rounded-sm transition-colors focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-offset-background focus-visible:outline-none';
+type FindingTab = 'details' | 'analysis' | 'remediation';
+type Tone = 'success' | 'warning' | 'destructive' | 'neutral';
+type StartAnalysisOptions = {
+  forceSandbox?: boolean;
+  retrySandboxOnly?: boolean;
+  restartActive?: boolean;
+};
+type StartAnalysis = (options?: StartAnalysisOptions) => void;
+type StartFindingAnalysis = (findingId: string, options?: StartAnalysisOptions) => void;
 
 type RemediationAttempt = {
   id: string;
   status: string;
   origin: string;
   attemptNumber: number;
+  requestedByUserId: string | null;
   remediationModelSlug: string;
   branchName: string;
   prUrl: string | null;
+  prNumber: number | null;
   prDraft: boolean | null;
   failureCode: string | null;
   blockedReason: string | null;
   lastErrorRedacted: string | null;
+  validationEvidence: Record<string, unknown>[] | null;
   riskNotes: string | null;
   draftReason: string | null;
+  cancellationRequestedAt: string | null;
   queuedAt: string;
   launchedAt: string | null;
   completedAt: string | null;
   updatedAt: string;
 };
 
-function isSeverity(value: string): value is Severity {
-  return ['critical', 'high', 'medium', 'low'].includes(value);
-}
+type StatusValue = {
+  value: string;
+  tone: Tone;
+};
+
+type DetailFact = {
+  label: string;
+  value: string;
+  mono?: boolean;
+};
+
+type SummaryItem = {
+  label: string;
+  value: string;
+  detail: string;
+  icon: LucideIcon;
+  tone: Tone;
+};
+
+type ProgressStep = {
+  title: string;
+  detail: string;
+  state: 'done' | 'running' | 'waiting' | 'attention' | 'pending' | 'error';
+};
+
+type AnalysisAction =
+  | 'none'
+  | 'start-analysis'
+  | 'retry-analysis'
+  | 'start-remediation'
+  | 'view-remediation'
+  | 'dismiss'
+  | 'source'
+  | 'cloud-agent';
+
+type AnalysisPresentation = {
+  hero: {
+    title: string;
+    description: string;
+    icon: LucideIcon;
+    tone: Tone;
+    spinning?: boolean;
+  };
+  summary: SummaryItem[];
+  context: string;
+  action: {
+    label: 'Next step' | 'Current status';
+    title: string;
+    description: string;
+    buttonLabel?: string;
+    buttonIcon?: LucideIcon;
+    kind: AnalysisAction;
+    primary?: boolean;
+  };
+  disclosureTitle: string;
+};
+
+type RemediationPresentation = {
+  hero: {
+    title: string;
+    description: string;
+    icon: LucideIcon;
+    tone: Tone;
+    spinning?: boolean;
+  };
+  summary: SummaryItem[];
+  context: string;
+  action: {
+    label: 'Next step' | 'Attempt controls' | 'Current status';
+    title: string;
+    description: string;
+  };
+  disclosureTitle: string;
+  steps: ProgressStep[];
+};
+
+const ANALYSIS_POLL_INTERVAL_MS = 3000;
+const SUPERSEDED_PREFIX = 'superseded:';
+const utcDateFormatter = new Intl.DateTimeFormat('en-US', {
+  month: 'short',
+  day: 'numeric',
+  year: 'numeric',
+  timeZone: 'UTC',
+});
+const utcTimeFormatter = new Intl.DateTimeFormat('en-US', {
+  hour: '2-digit',
+  minute: '2-digit',
+  hour12: false,
+  timeZone: 'UTC',
+});
+
+const toneStyles: Record<
+  Tone,
+  { status: string; icon: string; text: string; step: string; border: string }
+> = {
+  success: {
+    status: 'border-status-success-border bg-status-success-surface text-status-success',
+    icon: 'bg-status-success-surface text-status-success-icon ring-status-success-border',
+    text: 'text-status-success',
+    step: 'bg-status-success-surface text-status-success ring-status-success-border',
+    border: 'border-status-success-border bg-status-success-surface',
+  },
+  warning: {
+    status: 'border-status-warning-border bg-status-warning-surface text-status-warning',
+    icon: 'bg-status-warning-surface text-status-warning-icon ring-status-warning-border',
+    text: 'text-status-warning',
+    step: 'bg-status-warning-surface text-status-warning ring-status-warning-border',
+    border: 'border-status-warning-border bg-status-warning-surface',
+  },
+  destructive: {
+    status:
+      'border-status-destructive-border bg-status-destructive-surface text-status-destructive',
+    icon: 'bg-status-destructive-surface text-status-destructive-icon ring-status-destructive-border',
+    text: 'text-status-destructive',
+    step: 'bg-status-destructive-surface text-status-destructive ring-status-destructive-border',
+    border: 'border-status-destructive-border bg-status-destructive-surface',
+  },
+  neutral: {
+    status: 'border-status-neutral-border bg-status-neutral-surface text-status-neutral',
+    icon: 'bg-status-neutral-surface text-status-neutral-icon ring-status-neutral-border',
+    text: 'text-status-neutral',
+    step: 'bg-status-neutral-surface text-status-neutral-icon ring-status-neutral-border',
+    border: 'border-status-neutral-border bg-surface-inset',
+  },
+};
+
+const dismissalReasonLabels: Record<string, string> = {
+  fix_started: 'a fix has already started',
+  no_bandwidth: 'no bandwidth is available',
+  tolerable_risk: 'the risk is tolerable',
+  inaccurate: 'the finding is inaccurate',
+  not_used: 'vulnerable code is not used',
+};
 
 function LoadingSpinner({ className = 'size-4' }: { className?: string }) {
   return (
     <Loader2
-      className={`${className} animate-spin motion-reduce:animate-none`}
+      className={cn(className, 'animate-spin motion-reduce:animate-none')}
       aria-hidden="true"
     />
   );
 }
 
-function formatRemediationStatus(status: string | null | undefined): string {
+function formatUtcDate(value: string, includeTime = true): string {
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return 'Unknown';
+  const dateText = utcDateFormatter.format(date);
+  if (!includeTime) return dateText;
+  return `${dateText} at ${utcTimeFormatter.format(date)} UTC`;
+}
+
+function formatSource(source: string): string {
+  if (source === 'dependabot') return 'GitHub Dependabot';
+  return source.replace(/_/g, ' ');
+}
+
+function getSupersedingFindingId(finding: SecurityFinding): string | null {
+  if (!finding.ignored_reason?.startsWith(SUPERSEDED_PREFIX)) return null;
+  const findingId = finding.ignored_reason.slice(SUPERSEDED_PREFIX.length);
+  return findingId || null;
+}
+
+function getDismissalReason(reason: string | null): string {
+  if (!reason) return 'after review';
+  return dismissalReasonLabels[reason] ?? reason.replace(/_/g, ' ');
+}
+
+function formatRemediationStatus(
+  status: string | null | undefined,
+  cancellationRequestedAt?: string | null
+): string {
+  if (cancellationRequestedAt && isActiveRemediationStatus(status)) return 'Cancellation requested';
   if (!status) return 'Not started';
   if (status === 'pr_opened') return 'PR opened';
   if (status === 'no_changes_needed') return 'No changes needed';
+  if (status === 'launching') return 'Starting';
   return status.replace(/_/g, ' ');
 }
 
+function formatRemediationOrigin(origin: string): string {
+  if (origin === 'auto_policy') return 'Automatic policy';
+  if (origin === 'bulk_existing') return 'Include existing policy';
+  if (origin === 'manual') return 'Manual';
+  return origin.replace(/_/g, ' ');
+}
+
 function isActiveRemediationStatus(status: string | null | undefined): boolean {
   return status === 'queued' || status === 'launching' || status === 'running';
 }
 
-function getRemediationFailureCopy(failureCode: string | null | undefined): string | null {
-  if (!failureCode) return null;
-  return 'Fix attempt failed. Check attempt details for next steps.';
+function getSeverityStatus(severity: string): StatusValue {
+  if (severity === 'critical') return { value: 'Critical', tone: 'destructive' };
+  if (severity === 'high') return { value: 'High', tone: 'warning' };
+  if (severity === 'medium') return { value: 'Medium', tone: 'warning' };
+  if (severity === 'low') return { value: 'Low', tone: 'neutral' };
+  return { value: severity, tone: 'neutral' };
+}
+
+function getFindingStatus(finding: SecurityFinding): StatusValue {
+  if (getSupersedingFindingId(finding)) return { value: 'Superseded', tone: 'neutral' };
+  if (finding.status === 'fixed') return { value: 'Fixed', tone: 'success' };
+  if (finding.status === 'ignored') return { value: 'Dismissed', tone: 'neutral' };
+  if (finding.status === 'open') return { value: 'Open', tone: 'neutral' };
+  return { value: finding.status, tone: 'neutral' };
+}
+
+function getAnalysisStatus(analysis: FindingAnalysis, analysisStatus: string | null): StatusValue {
+  if (analysisStatus === 'pending') return { value: 'Queued', tone: 'warning' };
+  if (analysisStatus === 'running') return { value: 'Analyzing', tone: 'warning' };
+  if (analysisStatus === 'failed') return { value: 'Failed', tone: 'destructive' };
+  const sandbox = analysis?.sandboxAnalysis;
+  if (sandbox?.extractionStatus === 'failed') return { value: 'Needs review', tone: 'warning' };
+  if (sandbox?.isExploitable === true) return { value: 'Exploitable', tone: 'destructive' };
+  if (sandbox?.isExploitable === false) return { value: 'No reachable path', tone: 'success' };
+  if (sandbox?.isExploitable === 'unknown') return { value: 'Needs review', tone: 'warning' };
+  if (analysis?.triage?.suggestedAction === 'dismiss')
+    return { value: 'Safe to dismiss', tone: 'success' };
+  if (analysis?.triage?.suggestedAction === 'manual_review')
+    return { value: 'Needs review', tone: 'warning' };
+  if (analysis?.triage) return { value: 'Analysis required', tone: 'warning' };
+  return { value: 'Not analyzed', tone: 'neutral' };
 }
 
-function isCodebaseAnalysisRequiredReason(reason: string | null | undefined): boolean {
+function LabeledStatus({ label, value, tone }: StatusValue & { label: string }) {
   return (
-    reason === 'analysis_required' ||
-    reason === 'sandbox_analysis_required' ||
-    reason === 'triage_only'
+    <div
+      className={cn('type-label flex items-center rounded-full border', toneStyles[tone].status)}
+    >
+      <span className="border-status-neutral-border text-muted-foreground px-status border-r py-1">
+        {label}
+      </span>
+      <span className="px-status py-1">{value}</span>
+    </div>
   );
 }
 
-function AnalysisStatusIcon({
-  status,
-  fallback,
+function FindingOutcome({
+  title,
+  description,
+  icon: Icon,
+  tone,
+  spinning = false,
 }: {
-  status: string | null | undefined;
-  fallback: React.ReactNode;
+  title: string;
+  description: string;
+  icon: LucideIcon;
+  tone: Tone;
+  spinning?: boolean;
 }) {
-  switch (status) {
-    case 'completed':
-      return <CheckCircle2 className="size-3.5 text-green-400" aria-hidden="true" />;
-    case 'failed':
-      return <XCircle className="size-3.5 text-red-400" aria-hidden="true" />;
-    case 'running':
-    case 'pending':
-      return <LoadingSpinner className="size-3.5 text-yellow-400" />;
-    default:
-      return <>{fallback}</>;
-  }
+  return (
+    <section className="flex gap-3 sm:gap-4" role="status" aria-live="polite" aria-atomic="true">
+      <div
+        className={cn(
+          'mt-0.5 flex size-10 shrink-0 items-center justify-center rounded-full ring-1',
+          toneStyles[tone].icon
+        )}
+      >
+        <Icon
+          className={cn('size-5', spinning && 'animate-spin motion-reduce:animate-none')}
+          aria-hidden="true"
+        />
+      </div>
+      <div className="min-w-0">
+        <h3 className="type-heading">{title}</h3>
+        <p className="text-muted-foreground type-body mt-1 max-w-[68ch]">{description}</p>
+      </div>
+    </section>
+  );
 }
 
-type FindingDetailDialogProps = {
-  finding: SecurityFindingWithRemediation | null;
-  open: boolean;
-  onOpenChange: (open: boolean) => void;
-  onDismiss: () => void;
-  canDismiss: boolean;
-  organizationId?: string;
-  showSla?: boolean;
+function FindingActionSection({
+  label,
+  title,
+  description,
+  statusMessage,
+  children,
+}: {
+  label: string;
+  title: string;
+  description: string;
+  statusMessage?: string;
+  children?: ReactNode;
+}) {
+  return (
+    <section className="border-border grid gap-4 border-t pt-5 sm:grid-cols-[minmax(0,1fr)_auto] sm:items-center">
+      <div>
+        <div className="text-muted-foreground type-label">{label}</div>
+        <h4 className="type-body mt-1.5 font-medium">{title}</h4>
+        <p className="text-muted-foreground type-body mt-1 max-w-[62ch]">{description}</p>
+        {statusMessage && (
+          <p className="text-status-warning type-label mt-2" role="status">
+            {statusMessage}
+          </p>
+        )}
+      </div>
+      {children && <div className="flex flex-wrap gap-2 sm:justify-end">{children}</div>}
+    </section>
+  );
+}
+
+function FindingContextNote({ children }: { children: ReactNode }) {
+  return (
+    <div className="text-muted-foreground type-label flex max-w-[70ch] items-start gap-2">
+      <Info className="size-icon-sm mt-0.5 shrink-0" aria-hidden="true" />
+      <p>{children}</p>
+    </div>
+  );
+}
+
+function SummaryGrid({ title, items }: { title: string; items: SummaryItem[] }) {
+  return (
+    <section>
+      <h4 className="type-body mb-3 font-medium">{title}</h4>
+      <div className="border-border grid overflow-hidden rounded-lg border md:grid-cols-3">
+        {items.map((item, index) => {
+          const Icon = item.icon;
+          return (
+            <div
+              key={item.label}
+              className={cn(
+                'min-w-0 p-4',
+                index < items.length - 1 && 'border-border border-b md:border-r md:border-b-0'
+              )}
+            >
+              <div className="text-muted-foreground type-label flex items-center gap-2">
+                <Icon
+                  className={cn('size-icon-sm', toneStyles[item.tone].text)}
+                  aria-hidden="true"
+                />
+                {item.label}
+              </div>
+              <div className={cn('type-body mt-2 font-medium', toneStyles[item.tone].text)}>
+                {item.value}
+              </div>
+              <div className="text-muted-foreground type-label mt-1">{item.detail}</div>
+            </div>
+          );
+        })}
+      </div>
+    </section>
+  );
+}
+
+function ProgressStepRow({ step, index }: { step: ProgressStep; index: number }) {
+  const presentation = {
+    done: { icon: Check, classes: toneStyles.success.step },
+    running: { icon: Loader2, classes: toneStyles.warning.step },
+    waiting: { icon: Clock3, classes: toneStyles.warning.step },
+    attention: { icon: TriangleAlert, classes: toneStyles.warning.step },
+    pending: { icon: null, classes: toneStyles.neutral.step },
+    error: { icon: XCircle, classes: toneStyles.destructive.step },
+  }[step.state];
+  const StepIcon = presentation.icon;
+
+  return (
+    <li className="grid grid-cols-[2.25rem_minmax(0,1fr)] gap-3">
+      <div
+        className={cn(
+          'size-control-default type-code flex items-center justify-center rounded-md ring-1',
+          presentation.classes
+        )}
+      >
+        {StepIcon ? (
+          <StepIcon
+            className={cn(
+              'size-4',
+              step.state === 'running' && 'animate-spin motion-reduce:animate-none'
+            )}
+            aria-hidden="true"
+          />
+        ) : (
+          String(index + 1).padStart(2, '0')
+        )}
+      </div>
+      <div className="pt-0.5">
+        <h5 className="type-body font-medium">{step.title}</h5>
+        <p className="text-muted-foreground type-body mt-0.5">{step.detail}</p>
+      </div>
+    </li>
+  );
+}
+
+function DetailFactCell({ fact }: { fact: DetailFact }) {
+  return (
+    <div className="bg-surface-raised min-w-0 p-4">
+      <dt className="text-muted-foreground type-label">{fact.label}</dt>
+      <dd className={cn('type-body mt-1 break-words', fact.mono ? 'type-code' : 'font-medium')}>
+        {fact.value}
+      </dd>
+    </div>
+  );
+}
+
+function DetailFactItem({ fact }: { fact: DetailFact }) {
+  return (
+    <div className="min-w-0">
+      <dt className="text-muted-foreground type-label">{fact.label}</dt>
+      <dd className={cn('type-body mt-1 break-words', fact.mono ? 'type-code' : 'font-medium')}>
+        {fact.value}
+      </dd>
+    </div>
+  );
+}
+
+type FindingDetailsAction = {
+  title: string;
+  description: string;
+  label: string;
+  kind: 'analyze' | 'remediation' | 'source' | 'current' | 'none';
 };
 
-type FindingHeaderProps = {
-  finding: SecurityFinding;
-  analysis: FindingAnalysis;
-  analysisStatus: string | null;
-  showSla: boolean;
+type FindingDetailsPresentation = {
+  supersedingFindingId: string | null;
+  isOverdue: boolean;
+  hero: {
+    title: string;
+    description: string;
+    icon: LucideIcon;
+    tone: Tone;
+  };
+  action: FindingDetailsAction;
+  facts: DetailFact[];
+  sourceFacts: DetailFact[];
+  contextNote: string;
 };
 
-function FindingHeader({ finding, analysis, analysisStatus, showSla }: FindingHeaderProps) {
-  const severity: Severity = isSeverity(finding.severity) ? finding.severity : 'medium';
+function getFindingDetailsPresentation(
+  finding: SecurityFinding,
+  analysis: FindingAnalysis,
+  showSla: boolean
+): FindingDetailsPresentation {
+  const supersedingFindingId = getSupersedingFindingId(finding);
   const isOverdue =
     showSla &&
     finding.status === 'open' &&
-    finding.sla_due_at &&
-    isPast(new Date(finding.sla_due_at));
+    Boolean(finding.sla_due_at) &&
+    isPast(new Date(finding.sla_due_at ?? ''));
+  const sandbox = analysis?.sandboxAnalysis;
 
-  return (
-    <div className="flex min-w-0 flex-col gap-4 sm:flex-row sm:items-start sm:gap-6">
-      <DialogHeader className="min-w-0 flex-1 text-left">
-        <DialogTitle className="break-words text-xl">{finding.title}</DialogTitle>
-        <div className="text-muted-foreground space-y-2 text-sm">
-          <code className="bg-muted text-foreground inline-block max-w-full break-all rounded-sm px-1.5 py-0.5 font-mono text-xs">
-            {finding.repo_full_name}
-          </code>
-          <div className="flex flex-wrap gap-x-3 gap-y-1 font-mono text-xs tabular-nums">
-            <span>Detected {format(new Date(finding.first_detected_at), 'PPP')}</span>
-            <span>Synced {format(new Date(finding.last_synced_at), 'PPP')}</span>
-          </div>
-        </div>
-        <DialogDescription className="sr-only">
-          {finding.package_name} ({finding.package_ecosystem})
-        </DialogDescription>
-      </DialogHeader>
-
-      <div className="flex min-w-0 flex-col items-start gap-2 sm:shrink-0 sm:items-end sm:pt-4">
-        <div className="flex max-w-full flex-wrap items-center gap-2 sm:justify-end">
-          <SeverityBadge severity={severity} />
-          <FindingStatusBadge status={finding.status} />
-          <ExploitabilityBadge analysis={analysis} />
-        </div>
-        <FindingTimeline finding={finding} isOverdue={Boolean(isOverdue)} showSla={showSla} />
-        <span className="sr-only" aria-live="polite">
-          Analysis status: {analysisStatus ?? 'not started'}
-        </span>
-      </div>
-    </div>
-  );
+  let hero = {
+    title: 'This finding is open',
+    description:
+      'GitHub continues to report the vulnerable package in this repository. Review project-specific analysis before choosing a response.',
+    icon: ShieldAlert,
+    tone: 'warning' as Tone,
+  };
+  if (supersedingFindingId) {
+    hero = {
+      title: 'Replaced by a current finding',
+      description:
+        'Security Agent linked this duplicate to the current finding. Use that record for status, analysis, and remediation.',
+      icon: GitMerge,
+      tone: 'neutral',
+    };
+  } else if (finding.status === 'fixed') {
+    hero = {
+      title: 'The source reports this finding fixed',
+      description:
+        'GitHub no longer reports the vulnerable package version in this repository. No further Security Agent action is required.',
+      icon: ShieldCheck,
+      tone: 'success',
+    };
+  } else if (finding.status === 'ignored') {
+    hero = {
+      title: 'Dismissed after review',
+      description: `This finding was dismissed because ${getDismissalReason(finding.ignored_reason)}. The vulnerable dependency has not been presented as fixed.`,
+      icon: XCircle,
+      tone: 'neutral',
+    };
+  } else if (isOverdue) {
+    hero = {
+      title: 'Resolution deadline has passed',
+      description:
+        'This finding is still open. Review current repository evidence and prioritize the appropriate response.',
+      icon: Clock3,
+      tone: 'destructive',
+    };
+  } else if (sandbox?.isExploitable === true) {
+    hero = {
+      title: 'This finding is open',
+      description:
+        'The vulnerable package remains in the repository. Security Agent found that application code can reach the affected feature.',
+      icon: ShieldAlert,
+      tone: 'destructive',
+    };
+  }
+
+  let action: FindingDetailsAction = {
+    title: 'Determine project risk',
+    description:
+      'Analyze the repository to check whether application code can reach the affected feature and identify safe fix options.',
+    label: 'Analyze repository',
+    kind: 'analyze',
+  };
+  if (supersedingFindingId) {
+    action = {
+      title: 'Continue with the current record',
+      description:
+        'Open the current finding to review its latest status and Security Agent activity.',
+      label: 'Open current finding',
+      kind: 'current',
+    };
+  } else if (finding.status === 'fixed' || finding.status === 'ignored') {
+    action = {
+      title: 'No immediate response needed',
+      description: 'Keep this record for history or review the original source advisory.',
+      label: 'View source record',
+      kind: finding.dependabot_html_url ? 'source' : 'none',
+    };
+  } else if (sandbox) {
+    action = {
+      title: 'Review remediation options',
+      description:
+        sandbox.isExploitable === false
+          ? 'No reachable path was found. Review routine update options and the supporting evidence.'
+          : 'Review the current capability, fix path, and any existing remediation attempts.',
+      label: 'View remediation',
+      kind: 'remediation',
+    };
+  }
+
+  const facts: DetailFact[] = [
+    ...(finding.cve_id ? [{ label: 'CVE', value: finding.cve_id, mono: true }] : []),
+    ...(finding.ghsa_id ? [{ label: 'GHSA', value: finding.ghsa_id, mono: true }] : []),
+    {
+      label: 'Vulnerable versions',
+      value: finding.vulnerable_version_range || 'Unknown',
+      mono: Boolean(finding.vulnerable_version_range),
+    },
+    {
+      label: 'Patched version',
+      value: finding.patched_version || 'No patch available',
+      mono: Boolean(finding.patched_version),
+    },
+    ...(finding.manifest_path
+      ? [{ label: 'Manifest', value: finding.manifest_path, mono: true }]
+      : []),
+  ];
+  const sourceFacts: DetailFact[] = [
+    { label: 'Source', value: formatSource(finding.source) },
+    { label: 'Source ID', value: finding.source_id, mono: true },
+    { label: 'First detected', value: formatUtcDate(finding.first_detected_at), mono: true },
+    { label: 'Last synced', value: formatUtcDate(finding.last_synced_at), mono: true },
+    ...(finding.fixed_at
+      ? [{ label: 'Fixed', value: formatUtcDate(finding.fixed_at), mono: true }]
+      : []),
+    ...(supersedingFindingId
+      ? [{ label: 'Current finding', value: supersedingFindingId, mono: true }]
+      : []),
+  ];
+  const contextNote = supersedingFindingId
+    ? 'Superseded findings remain separate historical records. Analysis and remediation details stay with the current finding.'
+    : finding.status === 'fixed'
+      ? 'Fixed is a source status. A pull request opened by Security Agent would not have changed the finding to fixed by itself.'
+      : finding.status === 'ignored'
+        ? 'Dismissed records a disposition, not a package update. Future source changes can cause Security Agent to reassess the finding.'
+        : 'This finding closes only after GitHub reports the vulnerability fixed or someone dismisses it.';
+
+  return { supersedingFindingId, isOverdue, hero, action, facts, sourceFacts, contextNote };
 }
 
 function FindingTimeline({
   finding,
-  isOverdue,
   showSla,
+  isOverdue,
+  supersedingFindingId,
 }: {
   finding: SecurityFinding;
-  isOverdue: boolean;
   showSla: boolean;
+  isOverdue: boolean;
+  supersedingFindingId: string | null;
 }) {
   if (showSla && finding.status === 'open' && finding.sla_due_at) {
+    const tone = isOverdue ? 'destructive' : 'warning';
     return (
-      <div className="text-left text-xs sm:text-right">
-        <div className="flex items-center gap-1.5 sm:justify-end">
-          <Clock
-            className={`size-3.5 ${isOverdue ? 'text-red-400' : 'text-yellow-400'}`}
-            aria-hidden="true"
-          />
-          <span className={isOverdue ? 'text-red-400' : 'text-yellow-400'}>
-            SLA{' '}
-            {isOverdue
-              ? `overdue by ${formatDistanceToNow(new Date(finding.sla_due_at))}`
-              : `due in ${formatDistanceToNow(new Date(finding.sla_due_at))}`}
-          </span>
-        </div>
-        <div className="text-muted-foreground mt-0.5 font-mono tabular-nums">
-          {format(new Date(finding.sla_due_at), 'PPP')}
+      <section
+        className={cn(
+          'flex flex-col gap-2 rounded-lg border p-4 sm:flex-row sm:items-center sm:justify-between',
+          toneStyles[tone].border
+        )}
+      >
+        <div className={cn('type-body flex items-center gap-2 font-medium', toneStyles[tone].text)}>
+          <Clock3 className="size-4 shrink-0" aria-hidden="true" />
+          {isOverdue
+            ? `Resolution deadline passed ${formatDistanceToNow(new Date(finding.sla_due_at))} ago`
+            : `Resolution deadline in ${formatDistanceToNow(new Date(finding.sla_due_at))}`}
         </div>
-      </div>
+        <span className="text-muted-foreground type-code tabular-nums">
+          {formatUtcDate(finding.sla_due_at)}
+        </span>
+      </section>
     );
   }
 
   if (finding.status === 'fixed' && finding.fixed_at) {
     return (
-      <div className="text-left text-xs sm:text-right">
-        <div className="flex items-center gap-1.5 text-green-400 sm:justify-end">
-          <CheckCircle2 className="size-3.5" aria-hidden="true" />
+      <section
+        className={cn(
+          'flex flex-col gap-2 rounded-lg border p-4 sm:flex-row sm:items-center sm:justify-between',
+          toneStyles.success.border
+        )}
+      >
+        <div className="text-status-success type-body flex items-center gap-2 font-medium">
+          <CheckCircle2 className="size-4 shrink-0" aria-hidden="true" />
           Fixed {formatDistanceToNow(new Date(finding.fixed_at), { addSuffix: true })}
         </div>
-        <div className="text-muted-foreground mt-0.5 font-mono tabular-nums">
-          {format(new Date(finding.fixed_at), 'PPP')}
-        </div>
-      </div>
+        <span className="text-muted-foreground type-code tabular-nums">
+          {formatUtcDate(finding.fixed_at)}
+        </span>
+      </section>
     );
   }
 
-  if (finding.status === 'ignored' && finding.ignored_reason) {
-    return (
-      <div className="text-muted-foreground flex items-center gap-1.5 text-xs">
-        <XCircle className="size-3.5 shrink-0" aria-hidden="true" />
-        <span className="break-words">Dismissed: {finding.ignored_reason.replace(/_/g, ' ')}</span>
+  if (finding.status !== 'ignored') return null;
+  return (
+    <section
+      className={cn(
+        'flex flex-col gap-2 rounded-lg border p-4 sm:flex-row sm:items-center sm:justify-between',
+        toneStyles.neutral.border
+      )}
+    >
+      <div className="type-body flex items-center gap-2 font-medium">
+        {supersedingFindingId ? (
+          <GitMerge className="size-4 shrink-0" aria-hidden="true" />
+        ) : (
+          <XCircle className="size-4 shrink-0" aria-hidden="true" />
+        )}
+        {supersedingFindingId
+          ? 'Superseded during synchronization'
+          : `Dismissed: ${getDismissalReason(finding.ignored_reason)}`}
       </div>
-    );
-  }
+      <span className="text-muted-foreground type-code tabular-nums">
+        {formatUtcDate(finding.updated_at)}
+      </span>
+    </section>
+  );
+}
 
-  return null;
+function FindingDetailActions({
+  finding,
+  action,
+  supersedingFindingId,
+  canDismiss,
+  analysisActionDisabled,
+  analysisActionTitle,
+  onDismiss,
+  onOpenFinding,
+  onSelectTab,
+  onStartCodebaseAnalysis,
+}: Omit<FindingDetailsProps, 'analysis' | 'showSla'> & {
+  action: FindingDetailsAction;
+  supersedingFindingId: string | null;
+}) {
+  return (
+    <FindingActionSection
+      label="Next step"
+      title={action.title}
+      description={action.description}
+      statusMessage={action.kind === 'analyze' ? analysisActionTitle : undefined}
+    >
+      {action.kind === 'analyze' && (
+        <Button
+          className="h-control-touch"
+          onClick={onStartCodebaseAnalysis}
+          disabled={analysisActionDisabled}
+          title={analysisActionTitle}
+        >
+          <Brain aria-hidden="true" />
+          {action.label}
+        </Button>
+      )}
+      {action.kind === 'remediation' && (
+        <Button className="h-control-touch" onClick={() => onSelectTab('remediation')}>
+          <GitPullRequest aria-hidden="true" />
+          {action.label}
+        </Button>
+      )}
+      {action.kind === 'source' && finding.dependabot_html_url && (
+        <Button variant="outline" className="h-control-touch" asChild>
+          <a href={finding.dependabot_html_url} target="_blank" rel="noopener noreferrer">
+            <ExternalLink aria-hidden="true" />
+            {action.label}
+          </a>
+        </Button>
+      )}
+      {action.kind === 'current' && supersedingFindingId && (
+        <Button className="h-control-touch" onClick={() => onOpenFinding(supersedingFindingId)}>
+          <GitMerge aria-hidden="true" />
+          {action.label}
+        </Button>
+      )}
+      {finding.status === 'open' && finding.dependabot_html_url && (
+        <Button variant="ghost" className="h-control-touch" asChild>
+          <a href={finding.dependabot_html_url} target="_blank" rel="noopener noreferrer">
+            <ExternalLink aria-hidden="true" />
+            View on GitHub
+          </a>
+        </Button>
+      )}
+      {canDismiss && finding.status === 'open' && (
+        <Button variant="outline" className="h-control-touch" onClick={onDismiss}>
+          <XCircle aria-hidden="true" />
+          Dismiss finding
+        </Button>
+      )}
+    </FindingActionSection>
+  );
 }
 
-function FindingDetails({ finding }: { finding: SecurityFinding }) {
+type FindingDetailsProps = {
+  finding: SecurityFinding;
+  analysis: FindingAnalysis;
+  showSla: boolean;
+  canDismiss: boolean;
+  analysisActionDisabled: boolean;
+  analysisActionTitle?: string;
+  onDismiss: () => void;
+  onOpenFinding: (findingId: string) => void;
+  onSelectTab: (tab: FindingTab) => void;
+  onStartCodebaseAnalysis: () => void;
+};
+
+function FindingDetails({
+  finding,
+  analysis,
+  showSla,
+  canDismiss,
+  analysisActionDisabled,
+  analysisActionTitle,
+  onDismiss,
+  onOpenFinding,
+  onSelectTab,
+  onStartCodebaseAnalysis,
+}: FindingDetailsProps) {
+  const { supersedingFindingId, isOverdue, hero, action, facts, sourceFacts, contextNote } =
+    getFindingDetailsPresentation(finding, analysis, showSla);
+
   return (
-    <TabsContent value="details" className="space-y-6 pt-2">
-      <div className="text-foreground flex items-center gap-2 text-sm font-medium">
-        <Package className="size-4 shrink-0" aria-hidden="true" />
-        <span className="min-w-0 break-words">
-          {finding.package_name} ({finding.package_ecosystem})
-        </span>
-      </div>
+    <TabsContent value="details" className="m-0 focus-visible:ring-inset">
+      <div className="space-y-6">
+        <FindingOutcome {...hero} />
 
-      <div className="bg-muted/40 flex flex-wrap gap-x-6 gap-y-3 rounded-lg border border-border px-4 py-3 text-sm">
-        {finding.cve_id && <Metadata label="CVE" value={finding.cve_id} />}
-        {finding.ghsa_id && <Metadata label="GHSA" value={finding.ghsa_id} />}
-        <Metadata label="Vulnerable" value={finding.vulnerable_version_range || 'Unknown'} />
-        <Metadata label="Patched" value={finding.patched_version || 'No patch available'} />
-        {finding.manifest_path && <Metadata label="Manifest" value={finding.manifest_path} />}
-      </div>
+        <FindingTimeline
+          finding={finding}
+          showSla={showSla}
+          isOverdue={isOverdue}
+          supersedingFindingId={supersedingFindingId}
+        />
 
-      <div className="min-w-0">
-        <h4 className="mb-2 font-medium">Description</h4>
-        <MarkdownProse markdown={finding.description ?? ''} />
-        {finding.dependabot_html_url && (
-          <Button variant="outline" size="sm" asChild className="mt-3">
-            <a href={finding.dependabot_html_url} target="_blank" rel="noopener noreferrer">
-              <ExternalLink className="mr-2 size-4" aria-hidden="true" />
-              View on GitHub
-            </a>
-          </Button>
-        )}
+        <FindingDetailActions
+          finding={finding}
+          action={action}
+          supersedingFindingId={supersedingFindingId}
+          canDismiss={canDismiss}
+          analysisActionDisabled={analysisActionDisabled}
+          analysisActionTitle={analysisActionTitle}
+          onDismiss={onDismiss}
+          onOpenFinding={onOpenFinding}
+          onSelectTab={onSelectTab}
+          onStartCodebaseAnalysis={onStartCodebaseAnalysis}
+        />
+
+        <section>
+          <div className="mb-3 flex flex-wrap items-center justify-between gap-3">
+            <div className="flex min-w-0 items-center gap-2">
+              <Package className="text-muted-foreground size-4 shrink-0" aria-hidden="true" />
+              <h4 className="type-body min-w-0 break-words font-medium">
+                {finding.package_name} {finding.vulnerable_version_range || ''} (
+                {finding.package_ecosystem})
+              </h4>
+            </div>
+            <span className="text-muted-foreground type-label">Package advisory</span>
+          </div>
+          <dl className="border-border bg-border gap-hairline grid overflow-hidden rounded-lg border sm:grid-cols-2 lg:grid-cols-[repeat(auto-fit,minmax(10rem,1fr))]">
+            {facts.map(fact => (
+              <DetailFactCell key={fact.label} fact={fact} />
+            ))}
+          </dl>
+        </section>
+
+        <section className="max-w-[70ch] space-y-3">
+          <div>
+            <h4 className="type-body font-medium">About this vulnerability</h4>
+            {finding.description ? (
+              <MarkdownProse
+                markdown={finding.description}
+                className="text-muted-foreground mt-2"
+              />
+            ) : (
+              <p className="text-muted-foreground type-body mt-2">
+                No description is available from the source advisory.
+              </p>
+            )}
+          </div>
+          <FindingContextNote>{contextNote}</FindingContextNote>
+        </section>
+
+        <Accordion type="single" collapsible>
+          <AccordionItem value="source" className="border-border border-t">
+            <AccordionTrigger className="min-h-control-touch py-3 no-underline hover:no-underline">
+              Source record and timestamps
+            </AccordionTrigger>
+            <AccordionContent className="pb-5">
+              <div className="space-y-4">
+                <dl className="type-body grid gap-x-6 gap-y-4 sm:grid-cols-2 lg:grid-cols-4">
+                  {sourceFacts.map(fact => (
+                    <DetailFactItem key={fact.label} fact={fact} />
+                  ))}
+                </dl>
+                <div className="text-muted-foreground type-label flex max-w-[68ch] items-start gap-2">
+                  <FileCode2 className="size-icon-sm mt-0.5 shrink-0" aria-hidden="true" />
+                  <p>
+                    Security Agent preserves source identity and synchronization timestamps for
+                    traceability.
+                  </p>
+                </div>
+              </div>
+            </AccordionContent>
+          </AccordionItem>
+        </Accordion>
       </div>
     </TabsContent>
   );
 }
 
-function Metadata({ label, value }: { label: string; value: string }) {
-  return (
-    <div className="min-w-0">
-      <div className="text-muted-foreground text-xs">{label}</div>
-      <div className="break-all font-mono tabular-nums">{value}</div>
-    </div>
-  );
-}
+type AnalysisInteractionState = {
+  isAwaitingAnalysisAdmission: boolean;
+  isAnalyzing: boolean;
+  isRestartingAnalysis: boolean;
+  analysisActionDisabled: boolean;
+  analysisActionTitle?: string;
+  canDismiss: boolean;
+  canStartRemediation: boolean;
+  isAwaitingRemediationStart: boolean;
+};
 
-type AnalysisPanelProps = {
+type FindingAnalysisProps = {
+  finding: SecurityFinding;
   analysis: FindingAnalysis;
   analysisStatus: string | null;
   analysisError: string | null;
-  isAwaitingAnalysisStart: boolean;
-  isAnalyzing: boolean;
+  cliSessionId: string | null;
+  organizationId?: string;
+  interactionState: AnalysisInteractionState;
   onStartAnalysis: StartAnalysis;
+  onRestartAnalysis: () => void;
+  onStartCodebaseAnalysis: () => void;
+  onStartRemediation: () => void;
+  onDismiss: () => void;
+  onSelectTab: (tab: FindingTab) => void;
 };
 
-function FindingTriage({
+function getAnalysisPresentation({
+  finding,
   analysis,
   analysisStatus,
   analysisError,
-  isAwaitingAnalysisStart,
-  isAnalyzing,
-  onStartAnalysis,
-}: AnalysisPanelProps) {
-  if (analysis?.triage) {
-    return (
-      <TabsContent value="triage" className="space-y-4 pt-2">
-        <div className="space-y-4">
-          <div className="flex flex-wrap gap-2">
-            {analysis.triage.suggestedAction === 'dismiss' && (
-              <Badge className="bg-green-500/20 text-green-400 ring-1 ring-green-500/20">
-                <CheckCircle2 className="mr-1 size-3" aria-hidden="true" />
-                Safe to dismiss
-              </Badge>
-            )}
-            {analysis.triage.suggestedAction === 'analyze_codebase' && (
-              <Badge className="bg-yellow-500/20 text-yellow-400 ring-1 ring-yellow-500/20">
-                Needs analysis
-              </Badge>
-            )}
-            {analysis.triage.suggestedAction === 'manual_review' && (
-              <Badge className="bg-red-500/20 text-red-400 ring-1 ring-red-500/20">
-                Manual review
-              </Badge>
-            )}
-            {analysis.triage.confidence && (
-              <Badge variant="outline" className="text-muted-foreground">
-                {analysis.triage.confidence} confidence
-              </Badge>
-            )}
-          </div>
-          {analysis.triage.needsSandboxReasoning && (
-            <MarkdownProse
-              markdown={analysis.triage.needsSandboxReasoning}
-              className="text-muted-foreground text-sm"
-            />
-          )}
-        </div>
-      </TabsContent>
-    );
+  isAwaitingAnalysisAdmission,
+  canStartRemediation,
+}: {
+  finding: SecurityFinding;
+  analysis: FindingAnalysis;
+  analysisStatus: string | null;
+  analysisError: string | null;
+  isAwaitingAnalysisAdmission: boolean;
+  canStartRemediation: boolean;
+}): AnalysisPresentation {
+  const sandbox = analysis?.sandboxAnalysis;
+  const triage = analysis?.triage;
+
+  if (isAwaitingAnalysisAdmission || analysisStatus === 'pending' || analysisStatus === 'running') {
+    const queued = isAwaitingAnalysisAdmission || analysisStatus === 'pending';
+    return {
+      hero: {
+        title: queued ? 'Analysis is queued' : 'Security Agent is analyzing the repository',
+        description: queued
+          ? 'Security Agent accepted the request and will begin when analysis capacity is available.'
+          : 'The agent is searching for affected feature usage and tracing whether application inputs can reach it.',
+        icon: Loader2,
+        tone: 'warning',
+        spinning: true,
+      },
+      summary: [
+        {
+          label: 'Current state',
+          value: queued ? 'Waiting for capacity' : 'Repository analysis',
+          detail: queued
+            ? 'No repository work has started'
+            : 'Source and dependency paths are being checked',
+          icon: Clock3,
+          tone: 'warning',
+        },
+        {
+          label: 'What is known?',
+          value: 'Published vulnerability',
+          detail: `${finding.package_name} matches the affected range`,
+          icon: ShieldAlert,
+          tone: 'warning',
+        },
+        {
+          label: 'Next update',
+          value: 'Project risk result',
+          detail: 'Status refreshes automatically',
+          icon: Sparkles,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Published severity is unchanged while analysis runs. Repository risk remains unknown until analysis completes.',
+      action: {
+        label: 'Current status',
+        title: queued ? 'Waiting for analysis capacity' : 'Checking the repository',
+        description: queued
+          ? 'This usually takes 1–2 minutes. You can close this dialog and return later.'
+          : 'This usually takes 1–2 minutes. If progress stops, restart analysis to queue a new run.',
+        kind: 'cloud-agent',
+        buttonLabel: 'Watch in Cloud Agent',
+        buttonIcon: ExternalLink,
+      },
+      disclosureTitle: 'Analysis progress',
+    };
   }
 
-  const isLoading =
-    isAwaitingAnalysisStart || analysisStatus === 'running' || analysisStatus === 'pending';
+  if (analysisStatus === 'failed') {
+    return {
+      hero: {
+        title: 'Analysis did not complete',
+        description:
+          'Security Agent could not finish checking this repository, so no project-specific risk conclusion is available.',
+        icon: TriangleAlert,
+        tone: 'destructive',
+      },
+      summary: [
+        {
+          label: 'What is the result?',
+          value: 'Project risk is unknown',
+          detail: 'No repository risk conclusion was produced',
+          icon: CircleHelp,
+          tone: 'warning',
+        },
+        {
+          label: 'Why?',
+          value: analysisError || 'Analysis failed',
+          detail: 'Review repository access if another attempt fails',
+          icon: TriangleAlert,
+          tone: 'destructive',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Try analysis again',
+          detail: 'Retry when repository access is available',
+          icon: RefreshCw,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Published severity is unchanged. Repository risk remains unknown until analysis completes.',
+      action: {
+        label: 'Next step',
+        title: 'Run analysis again',
+        description:
+          'Retry the analysis. If it fails again, verify repository access before requesting manual review.',
+        buttonLabel: 'Retry analysis',
+        buttonIcon: RefreshCw,
+        kind: 'retry-analysis',
+        primary: true,
+      },
+      disclosureTitle: 'Error details',
+    };
+  }
 
-  return (
-    <TabsContent value="triage" className="space-y-4 pt-2">
-      {isLoading ? (
-        <LoadingPanel
-          message={
-            isAwaitingAnalysisStart || analysisStatus === 'pending'
-              ? `${securityAgentCommandAdmissionCopy.start_analysis.pendingLabel}…`
-              : 'Triage in progress…'
-          }
-        />
-      ) : analysisStatus === 'failed' ? (
-        <ErrorPanel
-          message={
-            analysisError
-              ? `Triage failed: ${analysisError}`
-              : 'Triage failed. Retry analysis. If it fails again, verify repository access.'
-          }
-          retryLabel="Retry triage"
-          onRetry={() => onStartAnalysis()}
-          disabled={isAnalyzing}
-        />
-      ) : (
-        <EmptyPanel text="Run triage to quickly assess if this vulnerability needs attention.">
-          <Button
-            variant="outline"
-            size="sm"
-            onClick={() => onStartAnalysis()}
-            disabled={isAnalyzing}
-          >
-            <Zap className="mr-2 size-4" aria-hidden="true" />
-            Start triage
-          </Button>
-        </EmptyPanel>
-      )}
-    </TabsContent>
-  );
+  if (sandbox?.extractionStatus === 'failed') {
+    return {
+      hero: {
+        title: 'Analysis result needs review',
+        description:
+          'Security Agent analyzed the repository, but could not turn the technical report into a reliable plain-language result.',
+        icon: FileWarning,
+        tone: 'warning',
+      },
+      summary: [
+        {
+          label: 'What is the result?',
+          value: 'No conclusion is available',
+          detail: 'Project risk remains unknown',
+          icon: CircleHelp,
+          tone: 'warning',
+        },
+        {
+          label: 'Did analysis run?',
+          value: 'Yes, a report was created',
+          detail: 'Only structured summary extraction failed',
+          icon: Check,
+          tone: 'neutral',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Review the technical report',
+          detail: 'Use manual review before changing status',
+          icon: Search,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Analysis completed and the technical report is available, but the result still needs human review.',
+      action: {
+        label: 'Next step',
+        title: 'Review the generated report',
+        description:
+          'Read the technical evidence or ask Cloud Agent to explain it. Keep the finding open until the result is clear.',
+        buttonLabel: 'Ask Cloud Agent',
+        buttonIcon: CircleHelp,
+        kind: 'cloud-agent',
+      },
+      disclosureTitle: 'What happened during analysis',
+    };
+  }
+
+  if (sandbox?.isExploitable === true) {
+    return {
+      hero: {
+        title: 'Action required',
+        description:
+          'Analysis found a reachable use of the vulnerable feature in this repository. Prioritize remediation.',
+        icon: ShieldAlert,
+        tone: 'destructive',
+      },
+      summary: [
+        {
+          label: 'Why?',
+          value: 'Vulnerable code is reachable',
+          detail: sandbox.summary || sandbox.exploitabilityReasoning,
+          icon: Search,
+          tone: 'destructive',
+        },
+        {
+          label: 'Do I need to act now?',
+          value: 'Yes, prioritize this finding',
+          detail: `A reachable ${finding.severity}-severity path was found`,
+          icon: Clock3,
+          tone: 'destructive',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Patch and review usage',
+          detail: sandbox.suggestedFix || 'Review the flagged code path',
+          icon: Wrench,
+          tone: 'neutral',
+        },
+      ],
+      context: `Published severity is ${finding.severity}, and application code can reach the affected feature.`,
+      action: {
+        label: 'Next step',
+        title: 'Remediate this finding',
+        description:
+          sandbox.suggestedFix ||
+          'Review the affected call and prepare the smallest safe repository change.',
+        buttonLabel: canStartRemediation ? 'Start remediation' : 'View remediation',
+        buttonIcon: GitPullRequest,
+        kind: canStartRemediation ? 'start-remediation' : 'view-remediation',
+        primary: true,
+      },
+      disclosureTitle: 'How Security Agent reached this decision',
+    };
+  }
+
+  if (sandbox?.isExploitable === false) {
+    return {
+      hero: {
+        title: 'No reachable risk found',
+        description:
+          'Analysis found no path that can trigger this vulnerability in this repository. You can update the dependency during routine maintenance.',
+        icon: ShieldCheck,
+        tone: 'success',
+      },
+      summary: [
+        {
+          label: 'Why?',
+          value: 'The affected feature is not reachable',
+          detail: sandbox.summary || sandbox.exploitabilityReasoning,
+          icon: Search,
+          tone: 'neutral',
+        },
+        {
+          label: 'Do I need to act now?',
+          value: 'No urgent response needed',
+          detail: 'Update during routine maintenance',
+          icon: Clock3,
+          tone: 'success',
+        },
+        {
+          label: 'What should I do?',
+          value: finding.patched_version
+            ? `Update to ${finding.patched_version}`
+            : 'Review update options',
+          detail: sandbox.suggestedFix || 'Keep the dependency current',
+          icon: Wrench,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'This result reflects the repository when it was analyzed. It does not mean the package is fixed.',
+      action: {
+        label: 'Next step',
+        title: 'Update during routine maintenance',
+        description:
+          sandbox.suggestedFix ||
+          'Review the source advisory and update the dependency during routine maintenance.',
+        buttonLabel: 'View source record',
+        buttonIcon: ExternalLink,
+        kind: 'source',
+      },
+      disclosureTitle: 'How Security Agent reached this decision',
+    };
+  }
+
+  if (sandbox?.isExploitable === 'unknown') {
+    return {
+      hero: {
+        title: 'Review recommended',
+        description:
+          'Analysis found relevant repository evidence, but could not confirm whether untrusted input can reach the vulnerable feature.',
+        icon: CircleHelp,
+        tone: 'warning',
+      },
+      summary: [
+        {
+          label: 'Why?',
+          value: 'The available evidence is inconclusive',
+          detail: sandbox.summary || sandbox.exploitabilityReasoning,
+          icon: Search,
+          tone: 'warning',
+        },
+        {
+          label: 'Do I need to act now?',
+          value: 'Review before dismissing',
+          detail: 'The finding is neither confirmed nor cleared',
+          icon: Clock3,
+          tone: 'warning',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Inspect the flagged code',
+          detail: sandbox.suggestedFix || 'Confirm whether untrusted input can reach it',
+          icon: Wrench,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Analysis could not confirm whether the repository is exposed. Review the evidence before changing finding status.',
+      action: {
+        label: 'Next step',
+        title: canStartRemediation ? 'Review remediation options' : 'Review the flagged code',
+        description: canStartRemediation
+          ? 'A concrete fix path is available for a user-reviewed manual remediation.'
+          : 'Inspect the recorded usage locations and ask Cloud Agent for more context.',
+        buttonLabel: canStartRemediation ? 'View remediation' : 'Ask Cloud Agent',
+        buttonIcon: canStartRemediation ? GitPullRequest : CircleHelp,
+        kind: canStartRemediation ? 'view-remediation' : 'cloud-agent',
+        primary: true,
+      },
+      disclosureTitle: 'Why the result is inconclusive',
+    };
+  }
+
+  if (triage?.suggestedAction === 'dismiss') {
+    return {
+      hero: {
+        title: 'Initial review found no codebase analysis need',
+        description:
+          triage.needsSandboxReasoning ||
+          'Triage found enough advisory evidence to recommend dismissal without repository analysis.',
+        icon: ShieldCheck,
+        tone: 'success',
+      },
+      summary: [
+        {
+          label: 'What is known?',
+          value: 'Triage complete',
+          detail: `${triage.confidence} confidence`,
+          icon: Check,
+          tone: 'success',
+        },
+        {
+          label: 'Repository analysis',
+          value: 'Not required by triage',
+          detail: 'No codebase-level verdict was generated',
+          icon: Brain,
+          tone: 'neutral',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Review the dismissal',
+          detail: 'Confirm the advisory context before dismissing',
+          icon: Search,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Triage is advisory-level review. It does not claim that the vulnerable package has been fixed.',
+      action: {
+        label: 'Next step',
+        title: 'Review and dismiss if appropriate',
+        description: 'Confirm the triage reasoning before changing the finding disposition.',
+        buttonLabel: 'Dismiss finding',
+        buttonIcon: XCircle,
+        kind: 'dismiss',
+      },
+      disclosureTitle: 'How Security Agent reached this recommendation',
+    };
+  }
+
+  if (triage) {
+    return {
+      hero: {
+        title: 'Analyze the repository for project risk',
+        description:
+          triage.needsSandboxReasoning ||
+          'Initial review needs repository evidence before Security Agent can assess reachability.',
+        icon: Brain,
+        tone: 'warning',
+      },
+      summary: [
+        {
+          label: 'What is known?',
+          value: 'Published vulnerability',
+          detail: 'The package matches an affected version range',
+          icon: ShieldAlert,
+          tone: 'warning',
+        },
+        {
+          label: 'What is missing?',
+          value: 'Repository evidence',
+          detail: 'Project-specific reachability is unknown',
+          icon: Brain,
+          tone: 'warning',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Analyze repository',
+          detail: 'Security Agent will check usage and fix options',
+          icon: Sparkles,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Initial advisory review is not enough to confirm project-specific risk or start automatic remediation.',
+      action: {
+        label: 'Next step',
+        title: 'Check repository risk and fix options',
+        description:
+          'Run codebase analysis to check affected feature usage and identify a safe response.',
+        buttonLabel: 'Analyze repository',
+        buttonIcon: Brain,
+        kind: 'start-analysis',
+        primary: true,
+      },
+      disclosureTitle: 'What initial review found',
+    };
+  }
+
+  return {
+    hero: {
+      title: 'Repository risk has not been analyzed',
+      description:
+        'The source advisory identifies a vulnerable package. Security Agent needs repository evidence to assess whether application code can reach it.',
+      icon: Brain,
+      tone: 'neutral',
+    },
+    summary: [
+      {
+        label: 'What is known?',
+        value: 'Published vulnerability',
+        detail: `${finding.package_name} matches the affected range`,
+        icon: ShieldAlert,
+        tone: 'warning',
+      },
+      {
+        label: 'What is missing?',
+        value: 'Repository analysis',
+        detail: 'Project-specific reachability is unknown',
+        icon: Brain,
+        tone: 'warning',
+      },
+      {
+        label: 'What should I do?',
+        value: 'Analyze repository',
+        detail: 'Security Agent will check usage and fix options',
+        icon: Sparkles,
+        tone: 'neutral',
+      },
+    ],
+    context:
+      'Published severity does not prove this repository is exploitable. Codebase analysis provides project-specific evidence.',
+    action: {
+      label: 'Next step',
+      title: 'Determine project risk',
+      description:
+        'Analyze the repository to check whether application code can reach the affected feature.',
+      buttonLabel: 'Analyze repository',
+      buttonIcon: Brain,
+      kind: 'start-analysis',
+      primary: true,
+    },
+    disclosureTitle: 'What analysis will check',
+  };
 }
 
-type FindingAnalysisProps = AnalysisPanelProps & {
-  cliSessionId: string | null;
-  organizationId?: string;
-  remediationNeedsCodebaseAnalysis: boolean;
-  codebaseAnalysisActionLabel: string;
-  onStartCodebaseAnalysis: () => void;
-};
+function getAnalysisSteps(
+  finding: SecurityFinding,
+  analysis: FindingAnalysis,
+  analysisStatus: string | null
+): ProgressStep[] {
+  const triage = analysis?.triage;
+  const sandbox = analysis?.sandboxAnalysis;
+  const steps: ProgressStep[] = [
+    {
+      title: 'Found the affected package',
+      detail: `${finding.package_name} matches the published vulnerable version range.`,
+      state: 'done',
+    },
+  ];
 
-function FindingAnalysis({
+  if (triage) {
+    steps.push({
+      title: 'Completed initial advisory review',
+      detail:
+        triage.needsSandboxReasoning || `Triage completed with ${triage.confidence} confidence.`,
+      state: 'done',
+    });
+  } else if (analysisStatus === 'failed') {
+    steps.push({
+      title: 'Initial analysis failed',
+      detail: 'Security Agent could not complete repository review.',
+      state: 'error',
+    });
+    return steps;
+  } else if (analysisStatus === 'pending' || analysisStatus === 'running') {
+    steps.push({
+      title: 'Initial review in progress',
+      detail: 'Security Agent is gathering evidence for the project-specific result.',
+      state: analysisStatus === 'running' ? 'running' : 'waiting',
+    });
+  } else {
+    steps.push({
+      title: 'Review the advisory',
+      detail: 'Triage will determine whether repository analysis is needed.',
+      state: 'pending',
+    });
+  }
+
+  if (sandbox) {
+    steps.push({
+      title: 'Checked repository usage',
+      detail:
+        sandbox.usageLocations.length > 0
+          ? `Security Agent recorded ${sandbox.usageLocations.length} relevant code ${sandbox.usageLocations.length === 1 ? 'location' : 'locations'}.`
+          : 'Security Agent searched the repository for affected feature usage.',
+      state: 'done',
+    });
+    steps.push({
+      title:
+        sandbox.extractionStatus === 'failed'
+          ? 'Structured result needs review'
+          : sandbox.isExploitable === true
+            ? 'Confirmed a reachable path'
+            : sandbox.isExploitable === false
+              ? 'Found no reachable path'
+              : 'Could not confirm exploitability',
+      detail:
+        sandbox.summary ||
+        sandbox.exploitabilityReasoning ||
+        'Review the generated technical report for details.',
+      state:
+        sandbox.extractionStatus === 'failed' || sandbox.isExploitable === 'unknown'
+          ? 'attention'
+          : sandbox.isExploitable
+            ? 'error'
+            : 'done',
+    });
+  } else if (triage?.needsSandboxAnalysis) {
+    steps.push({
+      title: 'Repository analysis required',
+      detail: 'Project-specific usage and reachability still need to be checked.',
+      state: 'attention',
+    });
+  }
+
+  return steps;
+}
+
+function getRecordString(record: Record<string, unknown>, key: string): string | null {
+  const value = record[key];
+  return typeof value === 'string' && value.trim() ? value : null;
+}
+
+function formatValidationEvidence(record: Record<string, unknown>, index: number): string {
+  const label =
+    getRecordString(record, 'name') ??
+    getRecordString(record, 'title') ??
+    getRecordString(record, 'command') ??
+    getRecordString(record, 'check') ??
+    `Validation check ${index + 1}`;
+  const result =
+    getRecordString(record, 'result') ??
+    getRecordString(record, 'status') ??
+    getRecordString(record, 'summary');
+  return result ? `${label}: ${result}` : label;
+}
+
+function FindingAnalysisPanel({
+  finding,
   analysis,
   analysisStatus,
   analysisError,
-  isAwaitingAnalysisStart,
-  isAnalyzing,
-  onStartAnalysis,
   cliSessionId,
   organizationId,
-  remediationNeedsCodebaseAnalysis,
-  codebaseAnalysisActionLabel,
-  onStartCodebaseAnalysis,
-}: FindingAnalysisProps) {
-  const sessionHref = cliSessionId
-    ? organizationId
-      ? `/organizations/${organizationId}/cloud/chat?sessionId=${cliSessionId}`
-      : `/cloud/chat?sessionId=${cliSessionId}`
-    : null;
-
-  let content: React.ReactNode;
-  if (analysis?.sandboxAnalysis && analysisStatus === 'completed') {
-    const sandboxAnalysis = analysis.sandboxAnalysis;
-    const usageLocations = [...new Set(sandboxAnalysis.usageLocations)];
-    content = (
-      <div className="space-y-4">
-        <div className="flex flex-wrap gap-2">
-          {sandboxAnalysis.isExploitable === true && (
-            <Badge className="bg-red-500/20 text-red-400 ring-1 ring-red-500/20">
-              <XCircle className="mr-1 size-3" aria-hidden="true" />
-              Exploitable
-            </Badge>
-          )}
-          {sandboxAnalysis.isExploitable === false && (
-            <Badge className="bg-green-500/20 text-green-400 ring-1 ring-green-500/20">
-              <CheckCircle2 className="mr-1 size-3" aria-hidden="true" />
-              Not exploitable
-            </Badge>
-          )}
-        </div>
-        {sandboxAnalysis.summary && (
-          <p className="text-muted-foreground text-sm">{sandboxAnalysis.summary}</p>
-        )}
-        {usageLocations.length > 0 && (
-          <div>
-            <span className="text-muted-foreground text-xs font-medium">Usage locations:</span>
-            <ul className="text-muted-foreground mt-1 list-inside list-disc font-mono text-xs">
-              {usageLocations.slice(0, 5).map(location => (
-                <li key={location} className="truncate">
-                  {location}
-                </li>
-              ))}
-              {usageLocations.length > 5 && (
-                <li className="text-muted-foreground/70">…and {usageLocations.length - 5} more</li>
-              )}
-            </ul>
-          </div>
-        )}
-        {sandboxAnalysis.suggestedFix && (
-          <div>
-            <span className="text-muted-foreground text-xs font-medium">Suggested fix:</span>
-            <p className="text-muted-foreground mt-1 text-xs">{sandboxAnalysis.suggestedFix}</p>
-          </div>
-        )}
-        {sandboxAnalysis.rawMarkdown && (
-          <MarkdownProse markdown={sandboxAnalysis.rawMarkdown} className="text-muted-foreground" />
-        )}
-        {sessionHref && (
-          <Link href={sessionHref} className={`${linkClassName} items-center gap-1 text-sm`}>
-            <ExternalLink className="size-4" aria-hidden="true" />
-            Continue conversation in Cloud Agent
-          </Link>
-        )}
-      </div>
-    );
-  } else if (analysisStatus === 'completed' && analysis?.rawMarkdown) {
-    content = <MarkdownProse markdown={analysis.rawMarkdown} className="text-muted-foreground" />;
-  } else if (
-    isAwaitingAnalysisStart ||
-    analysisStatus === 'running' ||
-    analysisStatus === 'pending'
-  ) {
-    content = (
-      <LoadingPanel
-        message={
-          isAwaitingAnalysisStart || analysisStatus === 'pending'
-            ? `${securityAgentCommandAdmissionCopy.start_analysis.pendingLabel}…`
-            : 'Codebase analysis in progress…'
-        }
-        detail="This usually takes 1–2 minutes. The agent is searching your codebase."
-      >
-        {sessionHref && (
-          <Link href={sessionHref} className={`${linkClassName} items-center gap-1 text-xs`}>
-            <ExternalLink className="size-3" aria-hidden="true" />
-            Watch analysis in Cloud Agent
-          </Link>
-        )}
-      </LoadingPanel>
-    );
-  } else if (analysisStatus === 'failed') {
-    content = (
-      <ErrorPanel
-        message={
-          analysisError
-            ? `Codebase analysis failed: ${analysisError}`
-            : 'Codebase analysis failed. Retry analysis. If it fails again, verify repository access.'
-        }
-        retryLabel="Retry analysis"
-        onRetry={() => onStartAnalysis({ retrySandboxOnly: Boolean(analysis?.triage) })}
-        disabled={isAnalyzing}
-      />
-    );
-  } else if (analysis?.triage?.needsSandboxAnalysis === false) {
-    content = (
-      <EmptyPanel
-        text={
-          remediationNeedsCodebaseAnalysis
-            ? 'Remediation needs codebase analysis before it can open a PR.'
-            : 'Triage determined codebase analysis is not needed for this finding.'
+  interactionState: {
+    isAwaitingAnalysisAdmission,
+    isAnalyzing,
+    isRestartingAnalysis,
+    analysisActionDisabled,
+    analysisActionTitle,
+    canDismiss,
+    canStartRemediation,
+    isAwaitingRemediationStart,
+  },
+  onStartAnalysis,
+  onRestartAnalysis,
+  onStartCodebaseAnalysis,
+  onStartRemediation,
+  onDismiss,
+  onSelectTab,
+}: FindingAnalysisProps) {
+  const canRestartAnalysis = analysisStatus === 'running' && finding.status === 'open';
+  const presentation = getAnalysisPresentation({
+    finding,
+    analysis,
+    analysisStatus,
+    analysisError,
+    isAwaitingAnalysisAdmission,
+    canStartRemediation,
+  });
+  const sessionHref = cliSessionId
+    ? organizationId
+      ? `/organizations/${organizationId}/cloud/chat?sessionId=${cliSessionId}`
+      : `/cloud/chat?sessionId=${cliSessionId}`
+    : null;
+  const sandbox = analysis?.sandboxAnalysis;
+  const technicalMarkdown = sandbox?.rawMarkdown || analysis?.rawMarkdown;
+  const analysisSteps = getAnalysisSteps(finding, analysis, analysisStatus);
+  const ActionIcon = presentation.action.buttonIcon;
+  const canShowAction =
+    presentation.action.kind !== 'none' &&
+    !(presentation.action.kind === 'cloud-agent' && !sessionHref) &&
+    !(presentation.action.kind === 'source' && !finding.dependabot_html_url) &&
+    !(presentation.action.kind === 'dismiss' && !canDismiss);
+
+  const actionButton = canShowAction && ActionIcon && presentation.action.buttonLabel && (
+    <Button
+      variant={presentation.action.primary ? 'default' : 'outline'}
+      className="h-control-touch"
+      disabled={
+        ((presentation.action.kind === 'start-analysis' ||
+          presentation.action.kind === 'retry-analysis') &&
+          analysisActionDisabled) ||
+        (presentation.action.kind === 'start-remediation' && isAwaitingRemediationStart)
+      }
+      title={
+        presentation.action.kind === 'start-analysis' ||
+        presentation.action.kind === 'retry-analysis'
+          ? analysisActionTitle
+          : undefined
+      }
+      onClick={() => {
+        if (presentation.action.kind === 'start-analysis') onStartCodebaseAnalysis();
+        if (presentation.action.kind === 'retry-analysis') {
+          onStartAnalysis({ retrySandboxOnly: Boolean(analysis?.triage) });
         }
-      >
-        {remediationNeedsCodebaseAnalysis && (
-          <Button
-            variant="outline"
-            size="sm"
-            onClick={onStartCodebaseAnalysis}
-            disabled={isAnalyzing}
-          >
-            {isAnalyzing ? (
-              <LoadingSpinner className="mr-2 size-4" />
-            ) : (
-              <Brain className="mr-2 size-4" aria-hidden="true" />
-            )}
-            {codebaseAnalysisActionLabel}
-          </Button>
-        )}
-      </EmptyPanel>
-    );
-  } else if (!analysis) {
-    content = (
-      <EmptyPanel text="Run deep codebase analysis to verify exploitability. Triage runs first.">
-        <Button
-          variant="outline"
-          size="sm"
-          onClick={() =>
-            remediationNeedsCodebaseAnalysis ? onStartCodebaseAnalysis() : onStartAnalysis()
+        if (presentation.action.kind === 'start-remediation') onStartRemediation();
+        if (presentation.action.kind === 'view-remediation') onSelectTab('remediation');
+        if (presentation.action.kind === 'dismiss') onDismiss();
+      }}
+      asChild={presentation.action.kind === 'source' || presentation.action.kind === 'cloud-agent'}
+    >
+      {presentation.action.kind === 'source' && finding.dependabot_html_url ? (
+        <a href={finding.dependabot_html_url} target="_blank" rel="noopener noreferrer">
+          <ActionIcon aria-hidden="true" />
+          {presentation.action.buttonLabel}
+        </a>
+      ) : presentation.action.kind === 'cloud-agent' && sessionHref ? (
+        <Link href={sessionHref}>
+          <ActionIcon aria-hidden="true" />
+          {presentation.action.buttonLabel}
+        </Link>
+      ) : (
+        <>
+          {isAnalyzing &&
+          (presentation.action.kind === 'start-analysis' ||
+            presentation.action.kind === 'retry-analysis') ? (
+            <LoadingSpinner />
+          ) : isAwaitingRemediationStart && presentation.action.kind === 'start-remediation' ? (
+            <LoadingSpinner />
+          ) : (
+            <ActionIcon aria-hidden="true" />
+          )}
+          {isAwaitingRemediationStart && presentation.action.kind === 'start-remediation'
+            ? 'Queueing remediation'
+            : presentation.action.buttonLabel}
+        </>
+      )}
+    </Button>
+  );
+
+  return (
+    <TabsContent value="analysis" className="m-0 focus-visible:ring-inset">
+      <div className="space-y-6">
+        <FindingOutcome {...presentation.hero} />
+        <FindingActionSection
+          label={presentation.action.label}
+          title={presentation.action.title}
+          description={presentation.action.description}
+          statusMessage={
+            presentation.action.kind === 'start-analysis' ||
+            presentation.action.kind === 'retry-analysis'
+              ? analysisActionTitle
+              : undefined
           }
-          disabled={isAnalyzing}
         >
-          <Brain className="mr-2 size-4" aria-hidden="true" />
-          {remediationNeedsCodebaseAnalysis ? codebaseAnalysisActionLabel : 'Start analysis'}
-        </Button>
-      </EmptyPanel>
-    );
-  } else {
-    content = (
-      <EmptyPanel text="Codebase analysis has not run yet. It starts automatically if triage determines it is needed." />
-    );
-  }
+          {actionButton}
+          {canRestartAnalysis && (
+            <AlertDialog>
+              <AlertDialogTrigger asChild>
+                <Button
+                  type="button"
+                  variant="outline"
+                  className="h-control-touch"
+                  disabled={isRestartingAnalysis}
+                >
+                  {isRestartingAnalysis ? <LoadingSpinner /> : <RefreshCw aria-hidden="true" />}
+                  {isRestartingAnalysis ? 'Restarting analysis' : 'Restart analysis'}
+                </Button>
+              </AlertDialogTrigger>
+              <AlertDialogContent>
+                <AlertDialogHeader>
+                  <AlertDialogTitle>Restart this analysis?</AlertDialogTitle>
+                  <AlertDialogDescription>
+                    Security Agent will stop waiting for the current run and queue a new analysis.
+                    Any result that arrives from the current run will be ignored.
+                  </AlertDialogDescription>
+                </AlertDialogHeader>
+                <AlertDialogFooter>
+                  <AlertDialogCancel className="h-control-touch">Keep waiting</AlertDialogCancel>
+                  <DialogClose asChild>
+                    <AlertDialogAction
+                      className="h-control-touch"
+                      disabled={isRestartingAnalysis}
+                      onClick={onRestartAnalysis}
+                    >
+                      Restart analysis
+                    </AlertDialogAction>
+                  </DialogClose>
+                </AlertDialogFooter>
+              </AlertDialogContent>
+            </AlertDialog>
+          )}
+          {sessionHref && presentation.action.kind !== 'cloud-agent' && (
+            <Button variant="ghost" className="h-control-touch" asChild>
+              <Link href={sessionHref}>
+                <CircleHelp aria-hidden="true" />
+                Ask Cloud Agent
+              </Link>
+            </Button>
+          )}
+        </FindingActionSection>
 
-  return (
-    <TabsContent value="analysis" className="space-y-4 pt-2">
-      {content}
+        <SummaryGrid title="What this means" items={presentation.summary} />
+        <FindingContextNote>{presentation.context}</FindingContextNote>
+
+        <Accordion type="single" collapsible>
+          <AccordionItem value="decision" className="border-border border-t">
+            <AccordionTrigger className="min-h-control-touch py-3 no-underline hover:no-underline">
+              {presentation.disclosureTitle}
+            </AccordionTrigger>
+            <AccordionContent className="pb-5">
+              <ol className="max-w-2xl space-y-3">
+                {analysisSteps.map((step, index) => (
+                  <ProgressStepRow key={`${step.title}-${index}`} step={step} index={index} />
+                ))}
+              </ol>
+            </AccordionContent>
+          </AccordionItem>
+
+          {(sandbox || technicalMarkdown) && (
+            <AccordionItem value="technical" className="border-border">
+              <AccordionTrigger className="min-h-control-touch py-3 no-underline hover:no-underline">
+                Technical evidence and generated report
+              </AccordionTrigger>
+              <AccordionContent className="pb-5">
+                <div className="space-y-6">
+                  {sandbox && (
+                    <dl className="type-body grid gap-x-6 gap-y-4 sm:grid-cols-2 lg:grid-cols-4">
+                      <DetailFactItem
+                        fact={{
+                          label: 'Affected package',
+                          value: `${finding.package_name}${finding.vulnerable_version_range ? ` ${finding.vulnerable_version_range}` : ''}`,
+                          mono: true,
+                        }}
+                      />
+                      <DetailFactItem
+                        fact={{
+                          label: 'Recommendation',
+                          value: sandbox.suggestedAction.replace(/_/g, ' '),
+                        }}
+                      />
+                      <DetailFactItem
+                        fact={{
+                          label: 'Analysis model',
+                          value: sandbox.modelUsed || analysis?.analysisModel || 'Not recorded',
+                          mono: Boolean(sandbox.modelUsed || analysis?.analysisModel),
+                        }}
+                      />
+                      <DetailFactItem
+                        fact={{
+                          label: 'Analyzed',
+                          value: formatUtcDate(sandbox.analysisAt),
+                          mono: true,
+                        }}
+                      />
+                    </dl>
+                  )}
+
+                  {sandbox && sandbox.usageLocations.length > 0 && (
+                    <UsageLocations locations={sandbox.usageLocations} />
+                  )}
+
+                  {sandbox?.suggestedFix && (
+                    <div className="max-w-[68ch]">
+                      <h5 className="type-body font-medium">Suggested fix</h5>
+                      <p className="text-muted-foreground type-body mt-1">{sandbox.suggestedFix}</p>
+                    </div>
+                  )}
+
+                  {technicalMarkdown && (
+                    <div className="border-border border-t pt-5">
+                      <div className="mb-4 flex flex-wrap items-center justify-between gap-2">
+                        <h5 className="type-body font-medium">Full generated report</h5>
+                        {analysis?.analyzedAt && (
+                          <span className="text-muted-foreground type-code">
+                            {formatUtcDate(analysis.analyzedAt)}
+                          </span>
+                        )}
+                      </div>
+                      <MarkdownProse
+                        markdown={technicalMarkdown}
+                        className="text-muted-foreground"
+                      />
+                    </div>
+                  )}
+                </div>
+              </AccordionContent>
+            </AccordionItem>
+          )}
+        </Accordion>
+      </div>
     </TabsContent>
   );
 }
 
-function LoadingPanel({
-  message,
-  detail,
-  children,
-}: {
-  message: string;
-  detail?: string;
-  children?: React.ReactNode;
-}) {
+function UsageLocations({ locations }: { locations: string[] }) {
+  const [showAll, setShowAll] = useState(false);
+  const uniqueLocations = [...new Set(locations)];
+  const visibleLocations = showAll ? uniqueLocations : uniqueLocations.slice(0, 2);
+
   return (
-    <div
-      className="block rounded-lg border border-yellow-500/20 bg-yellow-500/10 p-3"
-      aria-live="polite"
-    >
-      <div className="flex items-center gap-2 text-yellow-400">
-        <LoadingSpinner />
-        <p className="text-sm">{message}</p>
+    <div>
+      <div className="flex items-center justify-between gap-4">
+        <h5 className="type-body font-medium">Where this was found</h5>
+        <span className="text-muted-foreground type-code">
+          {uniqueLocations.length} code {uniqueLocations.length === 1 ? 'location' : 'locations'}
+        </span>
       </div>
-      {detail && <p className="text-muted-foreground mt-1 text-xs">{detail}</p>}
-      {children && <div className="mt-2">{children}</div>}
+      <ul className="mt-2 space-y-1.5">
+        {visibleLocations.map(location => (
+          <li
+            key={location}
+            className="bg-surface-inset text-syntax-plain type-code flex min-w-0 items-start gap-2 rounded-md px-3 py-2"
+          >
+            <FileCode2 className="size-icon-sm mt-0.5 shrink-0" aria-hidden="true" />
+            <span className="break-all">{location}</span>
+          </li>
+        ))}
+      </ul>
+      {uniqueLocations.length > 2 && (
+        <Button
+          variant="ghost"
+          size="sm"
+          className="h-control-default mt-2 px-2"
+          onClick={() => setShowAll(current => !current)}
+        >
+          {showAll ? 'Show fewer locations' : `Show all ${uniqueLocations.length} locations`}
+        </Button>
+      )}
     </div>
   );
 }
 
-function ErrorPanel({
-  message,
-  retryLabel,
-  onRetry,
-  disabled,
+type RemediationPresentationSummary = {
+  prUrl: string | null;
+  prNumber: number | null;
+  prDraft: boolean | null;
+  failureCode: string | null;
+  blockedReason: string | null;
+};
+
+function getRemediationPresentation({
+  status,
+  finding,
+  latestAttempt,
+  summary,
+  canStart,
+  unavailableReason,
+  unavailableCopy,
+  isAwaitingStart,
 }: {
-  message: string;
-  retryLabel: string;
-  onRetry: () => void;
-  disabled: boolean;
-}) {
-  return (
-    <div className="rounded-lg border border-destructive/30 bg-destructive/10 p-3" role="alert">
-      <p className="text-destructive text-sm">{message}</p>
-      <Button variant="outline" size="sm" onClick={onRetry} disabled={disabled} className="mt-2">
-        {retryLabel}
-      </Button>
-    </div>
-  );
-}
+  status: string | null;
+  finding: SecurityFinding;
+  latestAttempt: RemediationAttempt | null;
+  summary: RemediationPresentationSummary;
+  canStart: boolean;
+  unavailableReason: string | null | undefined;
+  unavailableCopy: string | null;
+  isAwaitingStart: boolean;
+}): RemediationPresentation {
+  const cancellationRequested = Boolean(latestAttempt?.cancellationRequestedAt);
+  const requester = latestAttempt?.origin === 'manual' ? 'User request' : 'Security Agent';
+  const prUrl = latestAttempt?.prUrl ?? summary.prUrl;
+  const prNumber = latestAttempt?.prNumber ?? summary.prNumber;
+  const prDraft = latestAttempt?.prDraft ?? summary.prDraft;
+  const failureCode = latestAttempt?.failureCode ?? summary.failureCode;
+  const blockedReason = latestAttempt?.blockedReason ?? summary.blockedReason;
 
-function EmptyPanel({ children, text }: { children?: React.ReactNode; text: string }) {
-  return (
-    <div className={statusPanelClassName}>
-      <p className={`text-muted-foreground text-sm ${children ? 'mb-2' : ''}`}>{text}</p>
-      {children}
-    </div>
-  );
+  if (isAwaitingStart) {
+    return {
+      hero: {
+        title: 'Queueing remediation',
+        description:
+          'Security Agent is creating the remediation attempt and reserving its repository branch.',
+        icon: Loader2,
+        tone: 'warning',
+        spinning: true,
+      },
+      summary: [
+        {
+          label: 'Current state',
+          value: 'Request in progress',
+          detail: 'The attempt is not persisted yet',
+          icon: Clock3,
+          tone: 'warning',
+        },
+        {
+          label: 'How did it start?',
+          value: 'Manual request',
+          detail: 'Duplicate starts remain suppressed',
+          icon: UserRound,
+          tone: 'neutral',
+        },
+        {
+          label: 'What happens next?',
+          value: 'Cloud Agent queue',
+          detail: 'Status refreshes automatically',
+          icon: Sparkles,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Starting remediation creates an attempt. It does not mark the Security Finding fixed.',
+      action: {
+        label: 'Current status',
+        title: 'Creating the remediation attempt',
+        description: 'Wait for Security Agent to confirm the queued attempt.',
+      },
+      disclosureTitle: 'Remediation progress',
+      steps: [
+        {
+          title: 'Create remediation attempt',
+          detail: 'Security Agent is validating and saving the request.',
+          state: 'running',
+        },
+        {
+          title: 'Wait for Cloud Agent',
+          detail: 'Execution begins after the request is accepted.',
+          state: 'pending',
+        },
+      ],
+    };
+  }
+
+  if (cancellationRequested && isActiveRemediationStatus(status)) {
+    return {
+      hero: {
+        title: 'Cancellation has been requested',
+        description:
+          'Security Agent asked Cloud Agent to stop. The attempt remains active until Cloud Agent confirms cancellation or returns another final result.',
+        icon: Loader2,
+        tone: 'warning',
+        spinning: true,
+      },
+      summary: [
+        {
+          label: 'Current state',
+          value: 'Waiting for confirmation',
+          detail: 'The attempt is not cancelled yet',
+          icon: Clock3,
+          tone: 'warning',
+        },
+        {
+          label: 'Cancellation requested',
+          value: latestAttempt?.cancellationRequestedAt
+            ? formatUtcDate(latestAttempt.cancellationRequestedAt)
+            : 'Recently',
+          detail: 'Security Agent accepted the request',
+          icon: UserRound,
+          tone: 'neutral',
+        },
+        {
+          label: 'Possible outcome',
+          value: 'Cancelled or PR opened',
+          detail: 'A pull request can still win the race',
+          icon: GitPullRequest,
+          tone: 'warning',
+        },
+      ],
+      context:
+        'Cancellation is best effort. If Cloud Agent opens a verified pull request before stopping, Security Agent will show that result.',
+      action: {
+        label: 'Current status',
+        title: 'Waiting for Cloud Agent',
+        description:
+          'No further action is available until Cloud Agent confirms cancellation or returns a pull request.',
+      },
+      disclosureTitle: 'Cancellation progress',
+      steps: [
+        {
+          title: 'Remediation started',
+          detail: 'Cloud Agent began repository work.',
+          state: 'done',
+        },
+        {
+          title: 'Cancellation requested',
+          detail: 'Security Agent accepted the request and asked Cloud Agent to interrupt.',
+          state: 'done',
+        },
+        {
+          title: 'Waiting for Cloud Agent',
+          detail: 'Cloud Agent has not confirmed interruption or returned a pull request.',
+          state: 'waiting',
+        },
+      ],
+    };
+  }
+
+  if (!status && canStart) {
+    return {
+      hero: {
+        title: 'Ready to prepare a fix',
+        description: `Security Agent can ask Cloud Agent to update ${finding.package_name}, review affected usage, and open a pull request for your team.`,
+        icon: GitPullRequest,
+        tone: 'neutral',
+      },
+      summary: [
+        {
+          label: 'Why available?',
+          value: 'Concrete fix path',
+          detail: 'Analysis supports a user-reviewed repository change',
+          icon: ShieldCheck,
+          tone: 'success',
+        },
+        {
+          label: 'How does it start?',
+          value: 'Manual request',
+          detail: 'This action is independent of Auto Remediation',
+          icon: UserRound,
+          tone: 'neutral',
+        },
+        {
+          label: 'What happens next?',
+          value: 'Review a pull request',
+          detail: 'The finding remains open until source sync',
+          icon: GitPullRequest,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Starting remediation creates a Security Remediation Attempt. It does not mark the finding fixed.',
+      action: {
+        label: 'Next step',
+        title: 'Prepare a fix',
+        description:
+          'Cloud Agent will make the smallest safe change it can identify, run focused checks, and open a pull request for review.',
+      },
+      disclosureTitle: 'Why remediation is available',
+      steps: [
+        {
+          title: 'Finding is still open',
+          detail: 'GitHub continues to report the vulnerable package in this repository.',
+          state: 'done',
+        },
+        {
+          title: 'Analysis is current',
+          detail: 'The latest codebase analysis matches current finding data.',
+          state: 'done',
+        },
+        {
+          title: 'A concrete response is available',
+          detail: 'Analysis provides enough evidence for a user-reviewed remediation attempt.',
+          state: 'done',
+        },
+        {
+          title: 'No remediation is active',
+          detail: 'No other attempt or known remediation pull request blocks a new start.',
+          state: 'done',
+        },
+      ],
+    };
+  }
+
+  if (!status) {
+    const analysisRequired = isCodebaseAnalysisRequiredReason(unavailableReason);
+    return {
+      hero: {
+        title: analysisRequired ? 'Analyze the repository first' : 'Remediation is unavailable',
+        description:
+          unavailableCopy ||
+          'Security Agent cannot start a remediation attempt for this finding in its current state.',
+        icon: analysisRequired ? Brain : Ban,
+        tone: 'warning',
+      },
+      summary: [
+        {
+          label: 'What is known?',
+          value: 'Published vulnerability',
+          detail: 'The source advisory remains available',
+          icon: ShieldAlert,
+          tone: 'warning',
+        },
+        {
+          label: 'What is missing?',
+          value: analysisRequired ? 'Repository analysis' : 'An eligible fix path',
+          detail: unavailableCopy || 'Current safety gates block a new attempt',
+          icon: analysisRequired ? Brain : Ban,
+          tone: 'warning',
+        },
+        {
+          label: 'What should I do?',
+          value: analysisRequired ? 'Analyze repository' : 'Review finding state',
+          detail: 'Resolve the recorded blocker before starting remediation',
+          icon: Search,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Security Agent derives remediation availability from server-provided safety and policy checks.',
+      action: {
+        label: 'Next step',
+        title: analysisRequired ? 'Check repository risk and fix options' : 'Resolve the blocker',
+        description:
+          unavailableCopy || 'Review analysis and finding status before trying remediation again.',
+      },
+      disclosureTitle: analysisRequired
+        ? 'What blocks remediation'
+        : 'Why remediation is unavailable',
+      steps: [
+        {
+          title: 'Source advisory is available',
+          detail: `${finding.package_name} matches the published affected range.`,
+          state: 'done',
+        },
+        {
+          title: analysisRequired
+            ? 'Repository analysis is required'
+            : 'A safety gate blocks remediation',
+          detail: unavailableCopy || 'Security Agent cannot safely admit a new attempt.',
+          state: 'attention',
+        },
+        {
+          title: 'Remediation decision is pending',
+          detail: 'A new attempt remains unavailable until the blocker is resolved.',
+          state: 'pending',
+        },
+      ],
+    };
+  }
+
+  if (status === 'queued') {
+    return {
+      hero: {
+        title: 'Remediation is queued',
+        description:
+          'Security Agent accepted the request. Cloud Agent will begin when execution capacity is available.',
+        icon: Loader2,
+        tone: 'warning',
+        spinning: true,
+      },
+      summary: [
+        {
+          label: 'Current state',
+          value: 'Waiting for capacity',
+          detail: 'No repository changes have started',
+          icon: Clock3,
+          tone: 'warning',
+        },
+        {
+          label: 'Attempt started by',
+          value: requester,
+          detail: formatRemediationOrigin(latestAttempt?.origin ?? 'manual'),
+          icon: UserRound,
+          tone: 'neutral',
+        },
+        {
+          label: 'Next update',
+          value: 'Cloud Agent starts',
+          detail: 'Status refreshes automatically',
+          icon: Sparkles,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Only one active remediation attempt can exist for this finding. Another start is unavailable while this attempt is queued.',
+      action: {
+        label: 'Attempt controls',
+        title: 'Manage this attempt',
+        description:
+          'You can cancel before Cloud Agent starts if this remediation is no longer needed.',
+      },
+      disclosureTitle: 'Remediation progress',
+      steps: [
+        {
+          title: 'Request accepted',
+          detail: `Security Agent created attempt #${latestAttempt?.attemptNumber ?? 1}.`,
+          state: 'done',
+        },
+        {
+          title: 'Waiting for Cloud Agent',
+          detail: 'The attempt will start when execution capacity is available.',
+          state: 'waiting',
+        },
+        {
+          title: 'Prepare repository change',
+          detail: 'Cloud Agent has not started repository work.',
+          state: 'pending',
+        },
+        {
+          title: 'Open pull request',
+          detail: 'No pull request exists yet.',
+          state: 'pending',
+        },
+      ],
+    };
+  }
+
+  if (status === 'launching') {
+    return {
+      hero: {
+        title: 'Cloud Agent is starting',
+        description:
+          'Security Agent claimed the queued attempt and is opening the isolated session that will prepare the repository change.',
+        icon: Loader2,
+        tone: 'warning',
+        spinning: true,
+      },
+      summary: [
+        {
+          label: 'Current state',
+          value: 'Launching session',
+          detail: 'Repository work has not been confirmed yet',
+          icon: Sparkles,
+          tone: 'warning',
+        },
+        {
+          label: 'Attempt started by',
+          value: requester,
+          detail: formatRemediationOrigin(latestAttempt?.origin ?? 'manual'),
+          icon: UserRound,
+          tone: 'neutral',
+        },
+        {
+          label: 'Next update',
+          value: 'Repository work begins',
+          detail: 'Status refreshes automatically',
+          icon: GitBranch,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Launching is an active Security Remediation Attempt. A launch failure can return the attempt to queued or end it as failed.',
+      action: {
+        label: 'Attempt controls',
+        title: 'Manage this attempt',
+        description:
+          'You can request cancellation while Security Agent finishes starting the session.',
+      },
+      disclosureTitle: 'Remediation progress',
+      steps: [
+        {
+          title: 'Request accepted',
+          detail: `Security Agent created attempt #${latestAttempt?.attemptNumber ?? 1}.`,
+          state: 'done',
+        },
+        {
+          title: 'Cloud Agent session starting',
+          detail: 'The attempt is creating an isolated execution session.',
+          state: 'running',
+        },
+        {
+          title: 'Prepare repository change',
+          detail: 'Repository work has not started yet.',
+          state: 'pending',
+        },
+        {
+          title: 'Open pull request',
+          detail: 'No pull request exists yet.',
+          state: 'pending',
+        },
+      ],
+    };
+  }
+
+  if (status === 'running') {
+    return {
+      hero: {
+        title: 'Cloud Agent is preparing a fix',
+        description:
+          'The agent is updating the dependency, reviewing affected usage, and running focused validation before deciding whether to open a pull request.',
+        icon: Loader2,
+        tone: 'warning',
+        spinning: true,
+      },
+      summary: [
+        {
+          label: 'Current state',
+          value: 'Repository work',
+          detail: 'Changes and validation are in progress',
+          icon: Wrench,
+          tone: 'warning',
+        },
+        {
+          label: 'Attempt started by',
+          value: requester,
+          detail: formatRemediationOrigin(latestAttempt?.origin ?? 'manual'),
+          icon: UserRound,
+          tone: 'neutral',
+        },
+        {
+          label: 'Expected outcome',
+          value: 'Pull request or explanation',
+          detail: 'No-change and failure outcomes stay explicit',
+          icon: GitPullRequest,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'A running remediation does not change finding status. The source record remains open until GitHub reports it fixed or it is dismissed.',
+      action: {
+        label: 'Attempt controls',
+        title: 'Manage this attempt',
+        description:
+          'Status updates automatically. Cancellation asks Cloud Agent to stop but cannot guarantee it stops before opening a pull request.',
+      },
+      disclosureTitle: 'Remediation progress',
+      steps: [
+        {
+          title: 'Request accepted',
+          detail: `Security Agent created attempt #${latestAttempt?.attemptNumber ?? 1}.`,
+          state: 'done',
+        },
+        {
+          title: 'Cloud Agent started',
+          detail: 'The isolated session and remediation branch are ready.',
+          state: 'done',
+        },
+        {
+          title: 'Prepare and validate change',
+          detail: `Cloud Agent is working on ${finding.package_name} and affected usage.`,
+          state: 'running',
+        },
+        {
+          title: 'Open pull request',
+          detail: 'No verified pull request exists yet.',
+          state: 'pending',
+        },
+      ],
+    };
+  }
+
+  if (status === 'pr_opened') {
+    const draft = Boolean(prDraft);
+    return {
+      hero: {
+        title: draft
+          ? 'Draft remediation pull request is ready'
+          : 'Remediation pull request is ready',
+        description: draft
+          ? 'Cloud Agent prepared a concrete fix, but incomplete validation or recorded risk needs reviewer attention.'
+          : `Cloud Agent prepared a repository change and opened${prNumber ? ` pull request #${prNumber}` : ' a pull request'} for team review.`,
+        icon: GitPullRequest,
+        tone: draft ? 'warning' : 'success',
+      },
+      summary: [
+        {
+          label: 'Outcome',
+          value: `${draft ? 'Draft ' : ''}PR${prNumber ? ` #${prNumber}` : ' opened'}`,
+          detail: 'Expected repository and remediation branch recorded',
+          icon: GitPullRequest,
+          tone: 'success',
+        },
+        {
+          label: 'Validation',
+          value: latestAttempt?.validationEvidence?.length
+            ? 'Evidence recorded'
+            : 'Review required',
+          detail: draft
+            ? latestAttempt?.draftReason || 'Validation or risk requires reviewer attention'
+            : 'Review recorded checks before merging',
+          icon: FileCheck2,
+          tone: draft ? 'warning' : 'success',
+        },
+        {
+          label: 'Finding state',
+          value: 'Still open',
+          detail: 'GitHub confirms when the vulnerability is fixed',
+          icon: ShieldAlert,
+          tone: 'warning',
+        },
+      ],
+      context:
+        'A pull request is not the same as a fixed finding. The finding stays open until GitHub reports the vulnerability resolved.',
+      action: {
+        label: 'Next step',
+        title: draft ? 'Review validation gaps and code changes' : 'Review the pull request',
+        description: draft
+          ? latestAttempt?.draftReason ||
+            'Run missing validation and review recorded risks before marking the pull request ready.'
+          : 'Review the dependency update and related code changes before merging into the default branch.',
+      },
+      disclosureTitle: draft ? 'Why the pull request is a draft' : 'How remediation completed',
+      steps: [
+        {
+          title: 'Prepared a concrete fix',
+          detail: 'Cloud Agent recorded a repository change for this finding.',
+          state: 'done',
+        },
+        {
+          title: 'Ran available validation',
+          detail: latestAttempt?.validationEvidence?.length
+            ? `${latestAttempt.validationEvidence.length} validation ${latestAttempt.validationEvidence.length === 1 ? 'record' : 'records'} available in attempt history.`
+            : 'No structured validation evidence was recorded.',
+          state: draft ? 'attention' : 'done',
+        },
+        {
+          title: 'Verified pull request outcome',
+          detail: prNumber
+            ? `Pull request #${prNumber} belongs to the recorded remediation attempt.`
+            : 'A pull request URL is recorded for this remediation attempt.',
+          state: 'done',
+        },
+      ],
+    };
+  }
+
+  if (status === 'blocked') {
+    return {
+      hero: {
+        title: 'Remediation was blocked',
+        description:
+          blockedReason ||
+          'Security Agent intentionally stopped before creating a competing or unsafe repository change.',
+        icon: Ban,
+        tone: 'warning',
+      },
+      summary: [
+        {
+          label: 'Block reason',
+          value: blockedReason || 'Safety gate stopped the attempt',
+          detail: 'Security Agent did not continue past the blocker',
+          icon: Ban,
+          tone: 'warning',
+        },
+        {
+          label: 'Repository outcome',
+          value: prUrl ? 'Related pull request recorded' : 'No remediation PR opened',
+          detail: 'Review attempt history for context',
+          icon: GitBranch,
+          tone: 'neutral',
+        },
+        {
+          label: 'What should I do?',
+          value: prUrl ? 'Review the existing PR' : 'Resolve the blocker',
+          detail: 'Retry only when current safety gates allow it',
+          icon: Search,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Blocked is distinct from failed. Security Agent intentionally stopped because proceeding could create unsafe or conflicting work.',
+      action: {
+        label: 'Next step',
+        title: prUrl ? 'Review the existing remediation' : 'Resolve the recorded blocker',
+        description:
+          blockedReason ||
+          'Review the attempt evidence before deciding whether another remediation attempt is appropriate.',
+      },
+      disclosureTitle: 'Why remediation was blocked',
+      steps: [
+        {
+          title: 'Attempt admitted',
+          detail: 'Security Agent accepted remediation for this finding.',
+          state: 'done',
+        },
+        {
+          title: 'Checked safety gates',
+          detail: blockedReason || 'A blocking condition was detected.',
+          state: 'done',
+        },
+        {
+          title: 'Stopped remediation',
+          detail: 'Security Agent ended the attempt before unsafe or conflicting work continued.',
+          state: 'error',
+        },
+      ],
+    };
+  }
+
+  if (status === 'failed') {
+    return {
+      hero: {
+        title: 'Remediation did not complete',
+        description:
+          latestAttempt?.lastErrorRedacted ||
+          'Cloud Agent could not complete the repository change or open a trustworthy pull request.',
+        icon: XCircle,
+        tone: 'destructive',
+      },
+      summary: [
+        {
+          label: 'What happened?',
+          value: failureCode?.replace(/_/g, ' ') || 'Attempt failed',
+          detail: latestAttempt?.lastErrorRedacted || 'Review attempt details before retrying',
+          icon: TriangleAlert,
+          tone: 'destructive',
+        },
+        {
+          label: 'Pull request',
+          value: 'Not opened',
+          detail: 'No trustworthy pull request outcome was recorded',
+          icon: GitBranch,
+          tone: 'neutral',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Resolve the error and retry',
+          detail: 'A retry creates a new preserved attempt',
+          icon: RefreshCw,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Failure leaves the finding open. Retrying creates a new Security Remediation Attempt and preserves this attempt in history.',
+      action: {
+        label: 'Next step',
+        title: 'Retry after resolving the recorded error',
+        description:
+          latestAttempt?.lastErrorRedacted ||
+          'Review repository access and attempt details before starting another attempt.',
+      },
+      disclosureTitle: 'What failed',
+      steps: [
+        {
+          title: 'Request accepted',
+          detail: `Security Agent created attempt #${latestAttempt?.attemptNumber ?? 1}.`,
+          state: 'done',
+        },
+        {
+          title: 'Cloud Agent could not complete remediation',
+          detail:
+            latestAttempt?.lastErrorRedacted ||
+            'The attempt ended before a safe outcome was recorded.',
+          state: 'error',
+        },
+        {
+          title: 'No pull request opened',
+          detail: 'No verified code change or pull request exists.',
+          state: 'pending',
+        },
+      ],
+    };
+  }
+
+  if (status === 'no_changes_needed') {
+    return {
+      hero: {
+        title: 'Cloud Agent found no safe change to make',
+        description:
+          'The attempt ended without a repository change. Security Agent correctly did not open a no-change pull request.',
+        icon: CheckCircle2,
+        tone: 'neutral',
+      },
+      summary: [
+        {
+          label: 'Outcome',
+          value: 'No repository changes',
+          detail: 'A no-change pull request was not opened',
+          icon: Check,
+          tone: 'neutral',
+        },
+        {
+          label: 'Finding state',
+          value: 'Still open',
+          detail: 'Source synchronization controls closure',
+          icon: ShieldAlert,
+          tone: 'warning',
+        },
+        {
+          label: 'What should I do?',
+          value: 'Review source state',
+          detail: 'Retry only after new evidence or re-analysis',
+          icon: Info,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'No changes needed is not the same as fixed. Security Agent does not close the finding or invent a pull request.',
+      action: {
+        label: 'Next step',
+        title: 'No immediate remediation action',
+        description:
+          'Review the finding. If source data or repository evidence changes, run fresh analysis before retrying.',
+      },
+      disclosureTitle: 'Why no changes were made',
+      steps: [
+        {
+          title: 'Inspected repository evidence',
+          detail: 'Cloud Agent reviewed the current dependency and source state.',
+          state: 'done',
+        },
+        {
+          title: 'Found no safe repository change',
+          detail: 'The attempt determined that no change should be published.',
+          state: 'done',
+        },
+        {
+          title: 'Skipped a no-change pull request',
+          detail: 'Cloud Agent correctly ended without creating repository noise.',
+          state: 'done',
+        },
+      ],
+    };
+  }
+
+  if (status === 'cancelled') {
+    return {
+      hero: {
+        title: 'Remediation was cancelled',
+        description:
+          'Cloud Agent confirmed interruption before opening a pull request. Any partial session work was not presented as a repository outcome.',
+        icon: XCircle,
+        tone: 'neutral',
+      },
+      summary: [
+        {
+          label: 'Outcome',
+          value: 'Cancelled',
+          detail: 'Cloud Agent confirmed interruption',
+          icon: XCircle,
+          tone: 'neutral',
+        },
+        {
+          label: 'Attempt started by',
+          value: requester,
+          detail: formatRemediationOrigin(latestAttempt?.origin ?? 'manual'),
+          icon: UserRound,
+          tone: 'neutral',
+        },
+        {
+          label: 'Pull request',
+          value: 'Not opened',
+          detail: 'No repository outcome was published',
+          icon: GitPullRequest,
+          tone: 'neutral',
+        },
+      ],
+      context:
+        'Cancelled is a terminal attempt outcome, not a finding status. The Security Finding remains open.',
+      action: {
+        label: 'Next step',
+        title: 'Start a new attempt when ready',
+        description:
+          'Retry remains available only when current analysis and safety gates provide a concrete fix path.',
+      },
+      disclosureTitle: 'How cancellation completed',
+      steps: [
+        {
+          title: 'Remediation started',
+          detail: 'Cloud Agent began repository work.',
+          state: 'done',
+        },
+        {
+          title: 'Cancellation requested',
+          detail: 'Security Agent asked Cloud Agent to stop the attempt.',
+          state: 'done',
+        },
+        {
+          title: 'Interruption confirmed',
+          detail: 'Cloud Agent stopped before opening a pull request.',
+          state: 'done',
+        },
+      ],
+    };
+  }
+
+  return {
+    hero: {
+      title: 'Review remediation status',
+      description: `Security Agent recorded this remediation as ${formatRemediationStatus(status)}.`,
+      icon: GitPullRequest,
+      tone: 'neutral',
+    },
+    summary: [
+      {
+        label: 'Current state',
+        value: formatRemediationStatus(status),
+        detail: 'Review attempt history for more context',
+        icon: GitPullRequest,
+        tone: 'neutral',
+      },
+      {
+        label: 'Finding state',
+        value: finding.status,
+        detail: 'Remediation does not directly close findings',
+        icon: ShieldAlert,
+        tone: 'warning',
+      },
+      {
+        label: 'Next step',
+        value: 'Review recorded evidence',
+        detail: 'Use the latest source and attempt state',
+        icon: Search,
+        tone: 'neutral',
+      },
+    ],
+    context:
+      'Security Finding status and Security Remediation status are separate recorded outcomes.',
+    action: {
+      label: 'Current status',
+      title: 'Review remediation history',
+      description: 'Use the recorded attempts to understand the current state.',
+    },
+    disclosureTitle: 'Remediation progress',
+    steps: [
+      {
+        title: 'Remediation status recorded',
+        detail: formatRemediationStatus(status),
+        state: 'done',
+      },
+    ],
+  };
 }
 
 type FindingRemediationProps = {
+  finding: SecurityFinding;
   status: string | null;
-  prDraft: boolean | null;
+  summary: RemediationPresentationSummary;
   outcomeSummary: string | null;
-  blockedReason: string | null;
-  updatedAt: string | null;
-  failureCopy: string | null;
+  unavailableReason: string | null | undefined;
   unavailableCopy: string | null;
   attempts: RemediationAttempt[];
-  action: React.ReactNode;
+  canStart: boolean;
+  isAwaitingStart: boolean;
+  actionStatusMessage?: string;
+  action: ReactNode;
 };
 
 function FindingRemediation({
+  finding,
   status,
-  prDraft,
+  summary,
   outcomeSummary,
-  blockedReason,
-  updatedAt,
-  failureCopy,
+  unavailableReason,
   unavailableCopy,
   attempts,
+  canStart,
+  isAwaitingStart,
+  actionStatusMessage,
   action,
 }: FindingRemediationProps) {
-  const isActive = isActiveRemediationStatus(status);
+  const latestAttempt = attempts[0] ?? null;
+  const presentation = getRemediationPresentation({
+    status,
+    finding,
+    latestAttempt,
+    summary,
+    canStart,
+    unavailableReason,
+    unavailableCopy,
+    isAwaitingStart,
+  });
 
   return (
-    <TabsContent value="remediation" className="space-y-4 pt-2">
-      <div className={statusPanelClassName}>
-        <div className="flex flex-col gap-3 sm:flex-row sm:items-start sm:justify-between">
-          <div className="min-w-0 space-y-1">
-            <div className="flex flex-wrap items-center gap-2">
-              {isActive ? (
-                <LoadingSpinner className="size-4 text-emerald-400" />
-              ) : (
-                <GitPullRequest className="size-4 text-emerald-400" aria-hidden="true" />
-              )}
-              <h4 className="font-medium capitalize">{formatRemediationStatus(status)}</h4>
-              {prDraft && (
-                <Badge variant="outline" className="text-muted-foreground">
-                  Draft
-                </Badge>
-              )}
-            </div>
-            {outcomeSummary && <p className="text-muted-foreground text-sm">{outcomeSummary}</p>}
-            {blockedReason && <p className="text-sm text-yellow-400">Blocked: {blockedReason}</p>}
-            {failureCopy && <p className="text-sm text-red-400">{failureCopy}</p>}
-            {updatedAt && (
-              <p className="text-muted-foreground font-mono text-xs tabular-nums">
-                Updated {formatDistanceToNow(new Date(updatedAt), { addSuffix: true })}
-              </p>
-            )}
+    <TabsContent value="remediation" className="m-0 focus-visible:ring-inset">
+      <div className="space-y-6">
+        <FindingOutcome {...presentation.hero} />
+        {outcomeSummary && !isActiveRemediationStatus(status) && (
+          <div className="border-border bg-surface-inset type-body rounded-lg border p-4">
+            <div className="text-muted-foreground type-label mb-1">Recorded outcome</div>
+            <p>{outcomeSummary}</p>
           </div>
+        )}
+        <FindingActionSection
+          label={presentation.action.label}
+          title={presentation.action.title}
+          description={presentation.action.description}
+          statusMessage={actionStatusMessage}
+        >
+          {action}
+        </FindingActionSection>
+        <SummaryGrid title="Remediation summary" items={presentation.summary} />
+        <FindingContextNote>{presentation.context}</FindingContextNote>
+
+        <Accordion type="single" collapsible>
+          <AccordionItem value="progress" className="border-border border-t">
+            <AccordionTrigger className="min-h-control-touch py-3 no-underline hover:no-underline">
+              {presentation.disclosureTitle}
+            </AccordionTrigger>
+            <AccordionContent className="pb-5">
+              <ol className="max-w-2xl space-y-3">
+                {presentation.steps.map((step, index) => (
+                  <ProgressStepRow key={`${step.title}-${index}`} step={step} index={index} />
+                ))}
+              </ol>
+            </AccordionContent>
+          </AccordionItem>
+
+          {attempts.length > 0 && (
+            <AccordionItem value="attempts" className="border-border">
+              <AccordionTrigger className="min-h-control-touch py-3 no-underline hover:no-underline">
+                Remediation attempt history ({attempts.length})
+              </AccordionTrigger>
+              <AccordionContent className="pb-5">
+                <div className="space-y-3">
+                  {attempts.map(attempt => (
+                    <AttemptRecord key={attempt.id} attempt={attempt} />
+                  ))}
+                </div>
+              </AccordionContent>
+            </AccordionItem>
+          )}
+        </Accordion>
+      </div>
+    </TabsContent>
+  );
+}
+
+function getAttemptTone(attempt: RemediationAttempt): Tone {
+  if (attempt.status === 'pr_opened') return 'success';
+  if (attempt.status === 'failed') return 'destructive';
+  if (
+    attempt.status === 'queued' ||
+    attempt.status === 'launching' ||
+    attempt.status === 'running' ||
+    attempt.status === 'blocked'
+  )
+    return 'warning';
+  return 'neutral';
+}
+
+function AttemptRecord({ attempt }: { attempt: RemediationAttempt }) {
+  const tone = getAttemptTone(attempt);
+  const requestedBy = attempt.origin === 'manual' ? 'Kilo user' : 'Security Agent';
+  const outcome = attempt.blockedReason || attempt.lastErrorRedacted;
+  const validation = attempt.validationEvidence?.map(formatValidationEvidence) ?? [];
 
-          {action && <div className="flex flex-wrap justify-end gap-2">{action}</div>}
+  return (
+    <section className="border-border bg-surface-inset rounded-lg border p-4">
+      <div className="flex flex-wrap items-start justify-between gap-3">
+        <div className="flex flex-wrap items-center gap-2">
+          <Badge variant="outline" className="type-code">
+            #{attempt.attemptNumber}
+          </Badge>
+          <span
+            className={cn('type-label px-status rounded-full border py-1', toneStyles[tone].status)}
+          >
+            {formatRemediationStatus(attempt.status, attempt.cancellationRequestedAt)}
+          </span>
+          <span className="text-muted-foreground type-label">
+            {formatRemediationOrigin(attempt.origin)}
+          </span>
         </div>
+        <span className="text-muted-foreground type-code tabular-nums">
+          {formatUtcDate(attempt.updatedAt)}
+        </span>
+      </div>
 
-        {unavailableCopy && (
-          <div className="mt-3 flex gap-2 rounded-lg border border-yellow-500/20 bg-yellow-500/10 p-3 text-sm text-yellow-200">
-            <AlertCircle className="mt-0.5 size-4 shrink-0 text-yellow-400" aria-hidden="true" />
-            <p>{unavailableCopy}</p>
-          </div>
-        )}
+      <div className="type-body mt-4 grid gap-x-6 gap-y-3 sm:grid-cols-2 lg:grid-cols-4">
+        <DetailFactItem fact={{ label: 'Attempt started by', value: requestedBy }} />
+        <DetailFactItem
+          fact={{ label: 'Model', value: attempt.remediationModelSlug, mono: true }}
+        />
+        <DetailFactItem fact={{ label: 'Branch', value: attempt.branchName, mono: true }} />
+        <DetailFactItem
+          fact={{
+            label: 'Started',
+            value: formatUtcDate(attempt.launchedAt || attempt.queuedAt),
+            mono: true,
+          }}
+        />
       </div>
 
-      {attempts.length > 0 ? (
-        <div className="space-y-2">
-          <h4 className="text-sm font-medium">Attempts</h4>
-          <div className="space-y-2">
-            {attempts.map(attempt => (
-              <div key={attempt.id} className={statusPanelClassName}>
-                <div className="flex flex-wrap items-center justify-between gap-2">
-                  <div className="flex flex-wrap items-center gap-2">
-                    <Badge variant="outline">#{attempt.attemptNumber}</Badge>
-                    <span className="text-sm capitalize">
-                      {formatRemediationStatus(attempt.status)}
-                    </span>
-                    <span className="text-muted-foreground text-xs">{attempt.origin}</span>
-                  </div>
-                  <span className="text-muted-foreground font-mono text-xs tabular-nums">
-                    {format(new Date(attempt.updatedAt), 'PPp')}
-                  </span>
-                </div>
-                <div className="text-muted-foreground mt-2 grid grid-cols-1 gap-2 text-xs md:grid-cols-2">
-                  <div className="min-w-0">
-                    <span className="text-foreground font-medium">Branch:</span>{' '}
-                    <span className="break-all font-mono">{attempt.branchName}</span>
-                  </div>
-                  <div className="min-w-0">
-                    <span className="text-foreground font-medium">Model:</span>{' '}
-                    <span className="break-all font-mono">{attempt.remediationModelSlug}</span>
-                  </div>
-                </div>
-                {attempt.lastErrorRedacted && (
-                  <p className="mt-2 text-xs text-red-400">{attempt.lastErrorRedacted}</p>
-                )}
-                {attempt.blockedReason && (
-                  <p className="mt-2 text-xs text-yellow-400">{attempt.blockedReason}</p>
-                )}
-                {attempt.riskNotes && (
-                  <p className="text-muted-foreground mt-2 text-xs">{attempt.riskNotes}</p>
-                )}
-                {attempt.prUrl && (
-                  <Button variant="link" size="sm" asChild className="mt-1 h-auto px-0">
-                    <a href={attempt.prUrl} target="_blank" rel="noopener noreferrer">
-                      Open attempt PR
-                      <ExternalLink className="ml-1 size-3" aria-hidden="true" />
-                    </a>
-                  </Button>
-                )}
-              </div>
-            ))}
+      {outcome && (
+        <div className="border-border mt-4 border-t pt-4">
+          <div className="text-muted-foreground type-label">Outcome</div>
+          <p className="type-body mt-1 max-w-[68ch]">{outcome}</p>
+        </div>
+      )}
+
+      {validation.length > 0 && (
+        <div className="type-body mt-3 flex max-w-[68ch] items-start gap-2">
+          <FileCheck2
+            className="text-status-success-icon mt-0.5 size-4 shrink-0"
+            aria-hidden="true"
+          />
+          <div>
+            <span className="font-medium">Validation:</span>
+            <ul className="text-muted-foreground mt-1 list-inside list-disc">
+              {validation.map(item => (
+                <li key={item}>{item}</li>
+              ))}
+            </ul>
           </div>
         </div>
-      ) : (
-        <EmptyPanel text="No remediation attempts have run for this finding." />
       )}
-    </TabsContent>
-  );
-}
 
-function FindingFooter({
-  finding,
-  canDismiss,
-  onDismiss,
-  onClose,
-}: {
-  finding: SecurityFinding;
-  canDismiss: boolean;
-  onDismiss: () => void;
-  onClose: () => void;
-}) {
-  return (
-    <div className="mt-6 flex justify-end border-t border-border pt-4">
-      <div className="flex flex-wrap items-stretch justify-end gap-2">
-        {canDismiss && finding.status === 'open' && (
-          <Button variant="outline" size="sm" onClick={onDismiss}>
-            <XCircle className="mr-2 size-4" aria-hidden="true" />
-            Dismiss finding
-          </Button>
-        )}
-        <Button variant="outline" size="sm" onClick={onClose}>
-          Close
+      {(attempt.riskNotes || attempt.draftReason) && (
+        <div className="type-body mt-3 flex max-w-[68ch] items-start gap-2">
+          <TriangleAlert
+            className="text-status-warning mt-0.5 size-4 shrink-0"
+            aria-hidden="true"
+          />
+          <p>
+            <span className="font-medium">Reviewer note:</span>{' '}
+            <span className="text-muted-foreground">
+              {attempt.riskNotes || attempt.draftReason}
+            </span>
+          </p>
+        </div>
+      )}
+
+      {attempt.prUrl && (
+        <Button variant="link" size="sm" className="h-control-default mt-2 px-0" asChild>
+          <a href={attempt.prUrl} target="_blank" rel="noopener noreferrer">
+            Open {attempt.prDraft ? 'draft ' : ''}pull request
+            {attempt.prNumber ? ` #${attempt.prNumber}` : ''}
+            <ExternalLink className="size-3" aria-hidden="true" />
+          </a>
         </Button>
-      </div>
-    </div>
+      )}
+    </section>
   );
 }
 
+type FindingDetailDialogProps = {
+  finding: SecurityFindingWithRemediation | null;
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  onDismiss: (analysis: FindingAnalysis) => void;
+  canDismiss: boolean;
+  onOpenFinding: (findingId: string) => void;
+  onStartAnalysis: StartFindingAnalysis;
+  analysisAtCapacity: boolean;
+  organizationId?: string;
+  showSla?: boolean;
+};
+
 export function FindingDetailDialog({
-  finding,
+  finding: initialFinding,
   open,
   onOpenChange,
   onDismiss,
   canDismiss,
+  onOpenFinding,
+  onStartAnalysis,
+  analysisAtCapacity,
   organizationId,
   showSla = true,
 }: FindingDetailDialogProps) {
   const trpc = useTRPC();
   const isOrg = Boolean(organizationId);
   const {
-    handleStartAnalysis: triggerStartAnalysis,
+    handleStartAnalysis: startAnalysisCommand,
     handleStartRemediation,
     handleRetryRemediation,
     handleCancelRemediation,
+    trackUiInteraction,
     startingAnalysisIds,
     startingRemediationIds,
     cancellingRemediationAttemptIds,
   } = useSecurityAgent();
-  const isAwaitingAnalysisStart = finding ? startingAnalysisIds.has(finding.id) : false;
-  const isAwaitingRemediationStart = finding ? startingRemediationIds.has(finding.id) : false;
+  const trackedOpenFindingIdRef = useRef<string | null>(null);
+  const settledAnalysisCompletionRef = useRef<string | null>(null);
+  const openerRef = useRef<HTMLElement | null>(null);
+  const scrollContainerRef = useRef<HTMLDivElement | null>(null);
+  const [tabState, setTabState] = useState<{ findingId: string | null; tab: FindingTab }>({
+    findingId: null,
+    tab: 'details',
+  });
+  const findingId = initialFinding?.id;
+
+  useEffect(() => {
+    if (!open || !findingId) {
+      trackedOpenFindingIdRef.current = null;
+      return;
+    }
+    if (trackedOpenFindingIdRef.current === findingId) return;
+
+    trackedOpenFindingIdRef.current = findingId;
+    trackUiInteraction('finding_detail_opened');
+  }, [findingId, open, trackUiInteraction]);
+
+  const hasActiveAnalysisStartCommand = findingId ? startingAnalysisIds.has(findingId) : false;
+  const isAwaitingRemediationStart = findingId ? startingRemediationIds.has(findingId) : false;
 
   const pollWhileActive = (query: {
     state: {
@@ -790,7 +2955,7 @@ export function FindingDetailDialog({
       isActiveRemediationStatus(attempt.status)
     );
     if (
-      isAwaitingAnalysisStart ||
+      hasActiveAnalysisStartCommand ||
       isAwaitingRemediationStart ||
       status === 'pending' ||
       status === 'running' ||
@@ -800,26 +2965,89 @@ export function FindingDetailDialog({
     }
     return false as const;
   };
+
   const orgAnalysisQuery = useQuery({
     ...trpc.organizations.securityAgent.getAnalysis.queryOptions({
       organizationId: organizationId ?? '',
-      findingId: finding?.id ?? '',
+      findingId: findingId ?? '',
     }),
-    enabled: open && Boolean(finding) && isOrg,
+    enabled: open && Boolean(initialFinding) && isOrg,
     refetchInterval: pollWhileActive,
   });
   const personalAnalysisQuery = useQuery({
     ...trpc.securityAgent.getAnalysis.queryOptions({
-      findingId: finding?.id ?? '',
+      findingId: findingId ?? '',
     }),
-    enabled: open && Boolean(finding) && !isOrg,
+    enabled: open && Boolean(initialFinding) && !isOrg,
     refetchInterval: pollWhileActive,
   });
   const analysisData = isOrg ? orgAnalysisQuery.data : personalAnalysisQuery.data;
+  const refetchAnalysis = isOrg ? orgAnalysisQuery.refetch : personalAnalysisQuery.refetch;
+  const analysisSettlementKey =
+    findingId && analysisData?.completedAt ? `${findingId}:${analysisData.completedAt}` : null;
+
+  useEffect(() => {
+    if (
+      !open ||
+      !analysisSettlementKey ||
+      analysisData?.status !== 'completed' ||
+      analysisData.findingState.status !== 'open' ||
+      settledAnalysisCompletionRef.current === analysisSettlementKey
+    ) {
+      return;
+    }
+
+    const timeoutId = window.setTimeout(() => {
+      settledAnalysisCompletionRef.current = analysisSettlementKey;
+      void refetchAnalysis();
+    }, ANALYSIS_POLL_INTERVAL_MS);
 
+    return () => window.clearTimeout(timeoutId);
+  }, [
+    analysisData?.findingState.status,
+    analysisData?.status,
+    analysisSettlementKey,
+    open,
+    refetchAnalysis,
+  ]);
+
+  const finding =
+    initialFinding && analysisData
+      ? {
+          ...initialFinding,
+          status: analysisData.findingState.status,
+          ignored_reason: analysisData.findingState.ignoredReason,
+          ignored_by: analysisData.findingState.ignoredBy,
+          fixed_at: analysisData.findingState.fixedAt,
+          updated_at: analysisData.findingState.updatedAt,
+          analysis_status: analysisData.status,
+          analysis_started_at: analysisData.startedAt,
+          analysis_completed_at: analysisData.completedAt,
+          analysis_error: analysisData.error,
+          analysis: analysisData.analysis,
+          session_id: analysisData.sessionId,
+          cli_session_id: analysisData.cliSessionId,
+          remediationSummary: analysisData.remediationSummary,
+          remediationCapability: analysisData.remediationCapability,
+        }
+      : initialFinding;
   if (!finding) return null;
 
+  const selectedTab = tabState.findingId === finding.id ? tabState.tab : 'details';
+  const handleTabChange = (value: string) => {
+    if (value !== 'details' && value !== 'analysis' && value !== 'remediation') return;
+    setTabState({ findingId: finding.id, tab: value });
+    scrollContainerRef.current?.scrollTo({ top: 0 });
+    if (value === 'analysis') trackUiInteraction('finding_analysis_viewed');
+    if (value === 'remediation') trackUiInteraction('finding_remediation_viewed');
+  };
+
   const analysisStatus = analysisData?.status ?? finding.analysis_status;
+  const isAwaitingAnalysisAdmission = isAwaitingManualAnalysisAdmission(
+    hasActiveAnalysisStartCommand,
+    analysisStatus
+  );
+  const isRestartingAnalysis = hasActiveAnalysisStartCommand && analysisStatus === 'running';
   const analysis = analysisData?.analysis ?? finding.analysis;
   const analysisError = analysisData?.error ?? finding.analysis_error;
   const cliSessionId = analysisData?.cliSessionId ?? finding.cli_session_id;
@@ -833,16 +3061,9 @@ export function FindingDetailDialog({
   const isEffectiveRemediationActive = isActiveRemediationStatus(effectiveRemediationStatus);
   const effectiveRemediationPrUrl =
     remediationSummary?.prUrl ?? latestHistoryAttempt?.prUrl ?? null;
-  const effectiveRemediationPrDraft =
-    remediationSummary?.prDraft ?? latestHistoryAttempt?.prDraft ?? null;
   const effectiveRemediationOutcomeSummary = isEffectiveRemediationActive
     ? null
     : (remediationSummary?.outcomeSummary ?? null);
-  const effectiveRemediationBlockedReason = isEffectiveRemediationActive
-    ? null
-    : (latestHistoryAttempt?.blockedReason ?? remediationSummary?.blockedReason ?? null);
-  const effectiveRemediationUpdatedAt =
-    latestHistoryAttempt?.updatedAt ?? remediationSummary?.updatedAt ?? null;
   const hasRegisteredRemediationAttempt =
     remediationAttempts.length > 0 ||
     Boolean(remediationSummary?.latestAttemptId ?? remediationSummary?.latestAttempt?.id);
@@ -852,8 +3073,10 @@ export function FindingDetailDialog({
       remediationSummary?.latestAttemptId ??
       null)
     : null;
+  const cancellationRequestedAt = latestHistoryAttempt?.cancellationRequestedAt ?? null;
   const isCancellingRemediation =
-    !!activeRemediationAttemptId && cancellingRemediationAttemptIds.has(activeRemediationAttemptId);
+    Boolean(activeRemediationAttemptId) &&
+    cancellingRemediationAttemptIds.has(activeRemediationAttemptId ?? '');
   const remediationUnavailableCopy =
     remediationCapability &&
     !remediationCapability.canStart &&
@@ -878,33 +3101,41 @@ export function FindingDetailDialog({
     Boolean(remediationCapability?.canStart) &&
     !hasRegisteredRemediationAttempt &&
     !isEffectiveRemediationActive;
-  const canCancelRemediation = Boolean(activeRemediationAttemptId);
+  const canCancelRemediation = Boolean(activeRemediationAttemptId) && !cancellationRequestedAt;
   const canRetryRemediation =
     Boolean(remediationCapability?.canRetry) &&
     !isEffectiveRemediationActive &&
     effectiveRemediationStatus !== 'pr_opened';
-  const remediationFailureCopy = isEffectiveRemediationActive
-    ? null
-    : getRemediationFailureCopy(
-        latestHistoryAttempt?.failureCode ?? remediationSummary?.failureCode
-      );
   const isAnalyzing =
-    isAwaitingAnalysisStart || analysisStatus === 'pending' || analysisStatus === 'running';
-  const remediationAnalysisRefreshLabel =
-    isAwaitingAnalysisStart || analysisStatus === 'pending'
-      ? manualAnalysisAdmissionCopy.pendingLabel
+    isAwaitingAnalysisAdmission || analysisStatus === 'pending' || analysisStatus === 'running';
+  const analysisActionDisabled = isAnalyzing || analysisAtCapacity;
+  const canDismissFinding = canDismiss && finding.status === 'open';
+  const analysisActionTitle =
+    analysisAtCapacity && !isAnalyzing ? manualAnalysisCapacityFullCopy : undefined;
+  const remediationAnalysisRefreshLabel = isAwaitingAnalysisAdmission
+    ? manualAnalysisAdmissionCopy.pendingLabel
+    : analysisStatus === 'pending'
+      ? manualAnalysisAdmissionCopy.successTitle
       : analysisStatus === 'running'
         ? 'Analysis running'
         : 'Rerun analysis';
-  const codebaseAnalysisActionLabel =
-    isAwaitingAnalysisStart || analysisStatus === 'pending'
-      ? manualAnalysisAdmissionCopy.pendingLabel
+  const codebaseAnalysisActionLabel = isAwaitingAnalysisAdmission
+    ? manualAnalysisAdmissionCopy.pendingLabel
+    : analysisStatus === 'pending'
+      ? manualAnalysisAdmissionCopy.successTitle
       : analysisStatus === 'running'
         ? 'Analysis running'
-        : 'Run codebase analysis';
+        : 'Analyze repository';
 
-  const handleStartAnalysis: StartAnalysis = ({ forceSandbox, retrySandboxOnly } = {}) => {
-    triggerStartAnalysis(finding.id, { forceSandbox, retrySandboxOnly });
+  const handleStartAnalysis: StartAnalysis = ({
+    forceSandbox,
+    retrySandboxOnly,
+    restartActive,
+  } = {}) => {
+    onStartAnalysis(finding.id, { forceSandbox, retrySandboxOnly, restartActive });
+  };
+  const handleRestartAnalysis = () => {
+    startAnalysisCommand(finding.id, { restartActive: true });
   };
   const handleStartCodebaseAnalysis = () => {
     handleStartAnalysis({ forceSandbox: true });
@@ -912,154 +3143,235 @@ export function FindingDetailDialog({
   const handleCancelRemediationClick = () => {
     if (activeRemediationAttemptId) handleCancelRemediation(activeRemediationAttemptId, finding.id);
   };
+  const handleDismiss = () => onDismiss(analysis);
+  const handleDialogOpenChange = (nextOpen: boolean) => {
+    if (!nextOpen) setTabState({ findingId: null, tab: 'details' });
+    onOpenChange(nextOpen);
+  };
+
   const remediationAction = effectiveRemediationPrUrl ? (
-    <Button variant="outline" size="sm" asChild>
+    <Button className="h-control-touch" asChild>
       <a href={effectiveRemediationPrUrl} target="_blank" rel="noopener noreferrer">
-        <ExternalLink className="mr-2 size-4" aria-hidden="true" />
-        View PR
+        <ExternalLink aria-hidden="true" />
+        View pull request
       </a>
     </Button>
   ) : isAwaitingRemediationStart ? (
-    <Button variant="outline" size="sm" disabled>
-      <LoadingSpinner className="mr-2 size-4" />
-      Queueing
+    <Button className="h-control-touch" disabled>
+      <LoadingSpinner />
+      Queueing remediation
     </Button>
   ) : canCancelRemediation ? (
     <Button
       variant="outline"
-      size="sm"
+      className="h-control-touch"
       onClick={handleCancelRemediationClick}
       disabled={isCancellingRemediation}
     >
-      {isCancellingRemediation ? (
-        <LoadingSpinner className="mr-2 size-4" />
-      ) : (
-        <XCircle className="mr-2 size-4" aria-hidden="true" />
-      )}
-      Cancel
+      {isCancellingRemediation ? <LoadingSpinner /> : <Square aria-hidden="true" />}
+      {isCancellingRemediation ? 'Requesting cancellation' : 'Cancel remediation'}
     </Button>
   ) : canRetryRemediation ? (
-    <Button variant="outline" size="sm" onClick={() => handleRetryRemediation(finding.id)}>
-      <RotateCw className="mr-2 size-4" aria-hidden="true" />
-      Retry fix
+    <Button className="h-control-touch" onClick={() => handleRetryRemediation(finding.id)}>
+      <RefreshCw aria-hidden="true" />
+      Retry remediation
     </Button>
   ) : canStartRemediation ? (
-    <Button variant="outline" size="sm" onClick={() => handleStartRemediation(finding.id)}>
-      <GitPullRequest className="mr-2 size-4" aria-hidden="true" />
-      Fix with PR
+    <Button className="h-control-touch" onClick={() => handleStartRemediation(finding.id)}>
+      <Sparkles aria-hidden="true" />
+      Start remediation
     </Button>
   ) : remediationNeedsCodebaseAnalysis ? (
     <Button
-      variant="outline"
-      size="sm"
+      className="h-control-touch"
       onClick={handleStartCodebaseAnalysis}
-      disabled={isAnalyzing}
+      disabled={analysisActionDisabled}
+      title={analysisActionTitle}
     >
-      {isAnalyzing ? (
-        <LoadingSpinner className="mr-2 size-4" />
-      ) : (
-        <Brain className="mr-2 size-4" aria-hidden="true" />
-      )}
+      {isAnalyzing ? <LoadingSpinner /> : <Brain aria-hidden="true" />}
       {codebaseAnalysisActionLabel}
     </Button>
   ) : remediationNeedsAnalysisRefresh ? (
     <Button
-      variant="outline"
-      size="sm"
+      className="h-control-touch"
       onClick={() => handleStartAnalysis()}
-      disabled={isAnalyzing}
+      disabled={analysisActionDisabled}
+      title={analysisActionTitle}
     >
-      {isAnalyzing ? (
-        <LoadingSpinner className="mr-2 size-4" />
-      ) : (
-        <Brain className="mr-2 size-4" aria-hidden="true" />
-      )}
+      {isAnalyzing ? <LoadingSpinner /> : <RefreshCw aria-hidden="true" />}
       {remediationAnalysisRefreshLabel}
     </Button>
-  ) : hasRegisteredRemediationAttempt || effectiveRemediationUnavailableCopy ? (
-    <Button variant="outline" size="sm" disabled>
-      <GitPullRequest className="mr-2 size-4" aria-hidden="true" />
-      Fix with PR
-    </Button>
   ) : null;
 
-  const analysisPanelProps = {
-    analysis,
-    analysisStatus,
-    analysisError,
-    isAwaitingAnalysisStart,
-    isAnalyzing,
-    onStartAnalysis: handleStartAnalysis,
-  } satisfies AnalysisPanelProps;
+  const statuses = [
+    { label: 'Severity', ...getSeverityStatus(finding.severity) },
+    { label: 'Finding', ...getFindingStatus(finding) },
+    { label: 'Analysis', ...getAnalysisStatus(analysis, analysisStatus) },
+  ];
 
   return (
-    <Dialog open={open} onOpenChange={onOpenChange}>
-      <DialogContent className="max-h-[calc(100dvh-2rem)] w-[calc(100vw-2rem)] max-w-4xl overflow-x-hidden overflow-y-auto p-4 sm:max-h-[90vh] sm:p-6">
-        <FindingHeader
-          finding={finding}
-          analysis={analysis}
-          analysisStatus={analysisStatus}
-          showSla={showSla}
-        />
+    <Dialog open={open} onOpenChange={handleDialogOpenChange}>
+      <DialogContent
+        showCloseButton={false}
+        onOpenAutoFocus={() => {
+          if (document.activeElement instanceof HTMLElement) {
+            openerRef.current = document.activeElement;
+          }
+        }}
+        onCloseAutoFocus={event => {
+          const opener = openerRef.current;
+          openerRef.current = null;
+          if (!opener?.isConnected || opener === document.body) return;
+          event.preventDefault();
+          opener.focus();
+        }}
+        className="bg-surface-raised max-h-[calc(100dvh-1rem)] w-[calc(100vw-1rem)] max-w-5xl grid-rows-[auto_minmax(0,1fr)] gap-0 overflow-hidden p-0 sm:max-h-[calc(100dvh-3rem)]"
+      >
+        <Tabs value={selectedTab} onValueChange={handleTabChange} className="contents">
+          <header className="border-border border-b px-4 pt-5 sm:px-6 sm:pt-6">
+            <div className="relative">
+              <div className="min-w-0">
+                <DialogTitle className="type-title min-h-control-touch pr-14 leading-tight">
+                  {finding.title}
+                </DialogTitle>
+                <DialogDescription className="sr-only">
+                  Security Finding for {finding.package_name} in {finding.repo_full_name}
+                </DialogDescription>
+                <div className="mt-2 flex flex-wrap items-center gap-x-3 gap-y-2">
+                  <code className="bg-surface-inset text-syntax-plain type-code max-w-full break-words rounded-sm px-1.5 py-0.5">
+                    {finding.repo_full_name}
+                  </code>
+                  <span className="text-muted-foreground type-code tabular-nums">
+                    Detected {formatUtcDate(finding.first_detected_at, false)}
+                  </span>
+                  <span className="text-muted-foreground type-code tabular-nums">
+                    Updated {formatUtcDate(finding.updated_at, false)}
+                  </span>
+                </div>
+              </div>
+              <DialogClose asChild>
+                <Button
+                  type="button"
+                  variant="ghost"
+                  size="icon"
+                  className="size-control-touch absolute top-0 right-0"
+                  aria-label="Close finding details"
+                >
+                  <X className="size-4" aria-hidden="true" />
+                </Button>
+              </DialogClose>
+            </div>
 
-        <Tabs key={finding.id} defaultValue="details" className="min-w-0">
-          <TabsList className="grid w-full grid-cols-4 sm:max-w-xl">
-            <TabsTrigger value="details">Details</TabsTrigger>
-            <TabsTrigger value="triage" className="flex min-w-0 items-center gap-1.5">
-              <AnalysisStatusIcon
-                status={analysis?.triage ? 'completed' : analysisStatus}
-                fallback={<Zap className="size-3.5" aria-hidden="true" />}
-              />
-              Triage
-            </TabsTrigger>
-            <TabsTrigger value="analysis" className="flex min-w-0 items-center gap-1.5">
-              <AnalysisStatusIcon
-                status={
-                  analysis?.sandboxAnalysis && analysisStatus === 'completed'
-                    ? 'completed'
-                    : analysisStatus
-                }
-                fallback={<Brain className="size-3.5" aria-hidden="true" />}
-              />
-              Analysis
-            </TabsTrigger>
-            <TabsTrigger value="remediation" className="flex min-w-0 items-center gap-1.5">
-              {isEffectiveRemediationActive ? (
-                <LoadingSpinner className="size-3.5 text-emerald-400" />
-              ) : (
-                <GitPullRequest className="size-3.5" aria-hidden="true" />
-              )}
-              Remediation
-            </TabsTrigger>
-          </TabsList>
-
-          <FindingDetails finding={finding} />
-          <FindingTriage {...analysisPanelProps} />
-          <FindingAnalysis
-            {...analysisPanelProps}
-            cliSessionId={cliSessionId}
-            organizationId={organizationId}
-            remediationNeedsCodebaseAnalysis={remediationNeedsCodebaseAnalysis}
-            codebaseAnalysisActionLabel={codebaseAnalysisActionLabel}
-            onStartCodebaseAnalysis={handleStartCodebaseAnalysis}
-          />
-          <FindingRemediation
-            status={effectiveRemediationStatus}
-            prDraft={effectiveRemediationPrDraft}
-            outcomeSummary={effectiveRemediationOutcomeSummary}
-            blockedReason={effectiveRemediationBlockedReason}
-            updatedAt={effectiveRemediationUpdatedAt}
-            failureCopy={remediationFailureCopy}
-            unavailableCopy={effectiveRemediationUnavailableCopy}
-            attempts={remediationAttempts}
-            action={remediationAction}
-          />
-          <FindingFooter
-            finding={finding}
-            canDismiss={canDismiss}
-            onDismiss={onDismiss}
-            onClose={() => onOpenChange(false)}
-          />
+            <div className="mt-5 flex flex-wrap items-center gap-2">
+              {statuses.map(status => (
+                <LabeledStatus
+                  key={status.label}
+                  label={status.label}
+                  value={status.value}
+                  tone={status.tone}
+                />
+              ))}
+            </div>
+
+            <nav aria-label="Finding detail sections" className="mt-5 pb-3">
+              <TabsList className="border-border bg-surface-raised flex h-auto w-full gap-1 rounded-xl border p-1.5 shadow-sm">
+                <TabsTrigger
+                  value="details"
+                  className="data-[state=active]:border-border-strong data-[state=active]:bg-surface-selected flex-1 gap-1 px-1.5 py-2 data-[state=active]:shadow-sm sm:gap-2 sm:px-3"
+                >
+                  <Package className="hidden size-4 sm:block" aria-hidden="true" />
+                  Details
+                </TabsTrigger>
+                <TabsTrigger
+                  value="analysis"
+                  className="data-[state=active]:border-border-strong data-[state=active]:bg-surface-selected flex-1 gap-1 px-1.5 py-2 data-[state=active]:shadow-sm sm:gap-2 sm:px-3"
+                >
+                  {isAnalyzing ? (
+                    <LoadingSpinner className="hidden size-4 sm:block" />
+                  ) : (
+                    <Brain className="hidden size-4 sm:block" aria-hidden="true" />
+                  )}
+                  Analysis
+                </TabsTrigger>
+                <TabsTrigger
+                  value="remediation"
+                  className="data-[state=active]:border-border-strong data-[state=active]:bg-surface-selected flex-1 gap-1 px-1.5 py-2 data-[state=active]:shadow-sm sm:gap-2 sm:px-3"
+                >
+                  {isEffectiveRemediationActive ? (
+                    <LoadingSpinner className="hidden size-4 sm:block" />
+                  ) : (
+                    <GitPullRequest className="hidden size-4 sm:block" aria-hidden="true" />
+                  )}
+                  Remediation
+                </TabsTrigger>
+              </TabsList>
+            </nav>
+          </header>
+
+          <div
+            ref={scrollContainerRef}
+            className="min-h-0 overflow-x-hidden overflow-y-auto px-4 py-5 sm:px-6 sm:py-6"
+          >
+            <FindingDetails
+              finding={finding}
+              analysis={analysis}
+              showSla={showSla}
+              canDismiss={canDismissFinding}
+              analysisActionDisabled={analysisActionDisabled}
+              analysisActionTitle={analysisActionTitle}
+              onDismiss={handleDismiss}
+              onOpenFinding={onOpenFinding}
+              onSelectTab={handleTabChange}
+              onStartCodebaseAnalysis={handleStartCodebaseAnalysis}
+            />
+            <FindingAnalysisPanel
+              finding={finding}
+              analysis={analysis}
+              analysisStatus={analysisStatus}
+              analysisError={analysisError}
+              cliSessionId={cliSessionId}
+              organizationId={organizationId}
+              interactionState={{
+                isAwaitingAnalysisAdmission,
+                isAnalyzing,
+                isRestartingAnalysis,
+                analysisActionDisabled,
+                analysisActionTitle,
+                canDismiss: canDismissFinding,
+                canStartRemediation,
+                isAwaitingRemediationStart,
+              }}
+              onStartAnalysis={handleStartAnalysis}
+              onRestartAnalysis={handleRestartAnalysis}
+              onStartCodebaseAnalysis={handleStartCodebaseAnalysis}
+              onStartRemediation={() => handleStartRemediation(finding.id)}
+              onDismiss={handleDismiss}
+              onSelectTab={handleTabChange}
+            />
+            <FindingRemediation
+              finding={finding}
+              status={effectiveRemediationStatus}
+              summary={{
+                prUrl: remediationSummary?.prUrl ?? null,
+                prNumber: remediationSummary?.prNumber ?? null,
+                prDraft: remediationSummary?.prDraft ?? null,
+                failureCode: remediationSummary?.failureCode ?? null,
+                blockedReason: remediationSummary?.blockedReason ?? null,
+              }}
+              outcomeSummary={effectiveRemediationOutcomeSummary}
+              unavailableReason={remediationCapability?.startReason}
+              unavailableCopy={effectiveRemediationUnavailableCopy}
+              attempts={remediationAttempts}
+              canStart={canStartRemediation}
+              isAwaitingStart={isAwaitingRemediationStart}
+              actionStatusMessage={
+                remediationNeedsCodebaseAnalysis || remediationNeedsAnalysisRefresh
+                  ? analysisActionTitle
+                  : undefined
+              }
+              action={remediationAction}
+            />
+          </div>
         </Tabs>
       </DialogContent>
     </Dialog>
diff --git a/apps/web/src/components/security-agent/RepositoryFilter.tsx b/apps/web/src/components/security-agent/RepositoryFilter.tsx
index 259d2ba76..80943a5f3 100644
--- a/apps/web/src/components/security-agent/RepositoryFilter.tsx
+++ b/apps/web/src/components/security-agent/RepositoryFilter.tsx
@@ -7,6 +7,7 @@ import {
   SelectTrigger,
   SelectValue,
 } from '@/components/ui/select';
+import { cn } from '@/lib/utils';
 
 type Repository = {
   id: number;
@@ -20,6 +21,8 @@ type RepositoryFilterProps = {
   value: string | undefined;
   onValueChange: (value: string | undefined) => void;
   isLoading?: boolean;
+  id?: string;
+  className?: string;
 };
 
 export function RepositoryFilter({
@@ -27,6 +30,8 @@ export function RepositoryFilter({
   value,
   onValueChange,
   isLoading,
+  id,
+  className,
 }: RepositoryFilterProps) {
   return (
     <Select
@@ -34,7 +39,11 @@ export function RepositoryFilter({
       onValueChange={v => onValueChange(v === 'all' ? undefined : v)}
       disabled={isLoading}
     >
-      <SelectTrigger className="w-full sm:w-52" aria-label="Filter by repository">
+      <SelectTrigger
+        id={id}
+        className={cn('w-full sm:w-52', className)}
+        aria-label={id ? undefined : 'Filter by repository'}
+      >
         <SelectValue placeholder="All repositories" />
       </SelectTrigger>
       <SelectContent>
diff --git a/apps/web/src/components/security-agent/SecurityAgentActionBar.tsx b/apps/web/src/components/security-agent/SecurityAgentActionBar.tsx
new file mode 100644
index 000000000..77af5284f
--- /dev/null
+++ b/apps/web/src/components/security-agent/SecurityAgentActionBar.tsx
@@ -0,0 +1,49 @@
+'use client';
+
+import { Slot } from '@radix-ui/react-slot';
+import type { ComponentProps, ReactNode } from 'react';
+import { Label } from '@/components/ui/label';
+import { cn } from '@/lib/utils';
+
+type SecurityAgentActionBarProps = Omit<ComponentProps<'section'>, 'aria-label'> & {
+  label: string;
+  asChild?: boolean;
+};
+
+export function SecurityAgentActionBar({
+  label,
+  asChild = false,
+  className,
+  ...props
+}: SecurityAgentActionBarProps) {
+  const Component = asChild ? Slot : 'section';
+
+  return (
+    <Component
+      aria-label={label}
+      className={cn('border-border bg-surface-raised rounded-xl border p-3 sm:p-4', className)}
+      {...props}
+    />
+  );
+}
+
+export function SecurityAgentActionBarField({
+  id,
+  label,
+  className,
+  children,
+}: {
+  id: string;
+  label: string;
+  className?: string;
+  children: ReactNode;
+}) {
+  return (
+    <div className={cn('grid min-w-0 gap-2', className)}>
+      <Label htmlFor={id} className="text-muted-foreground text-xs font-medium leading-none">
+        {label}
+      </Label>
+      {children}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/security-agent/SecurityAgentContext.test.ts b/apps/web/src/components/security-agent/SecurityAgentContext.test.ts
index be74f34be..0b561d259 100644
--- a/apps/web/src/components/security-agent/SecurityAgentContext.test.ts
+++ b/apps/web/src/components/security-agent/SecurityAgentContext.test.ts
@@ -6,6 +6,7 @@ import {
   shouldRunSecurityAgentCommandSuccessCallback,
   type SecurityAgentCommand,
 } from './SecurityAgentContext';
+import { getSecurityAgentHelpContent, getSecurityAgentNavItems } from './SecurityAgentLayout';
 
 function command(overrides: Partial<SecurityAgentCommand>): SecurityAgentCommand {
   return {
@@ -19,6 +20,66 @@ function command(overrides: Partial<SecurityAgentCommand>): SecurityAgentCommand
   };
 }
 
+describe('Security Agent help content', () => {
+  const personalBasePath = '/security-agent';
+  const organizationBasePath = '/organizations/org-1/security-agent';
+
+  it.each([
+    [personalBasePath, 'Dashboard help', '#use-the-dashboard'],
+    [`${personalBasePath}/findings`, 'Findings help', '#browse-findings'],
+    [`${personalBasePath}/audit-report`, 'Audit report help', '#audit-reports'],
+    [`${personalBasePath}/config`, 'Settings help', '#configure-security-agent'],
+  ])('matches personal route %s to its page help', (pathname, title, docsAnchor) => {
+    const content = getSecurityAgentHelpContent(pathname, personalBasePath);
+
+    expect(content.title).toBe(title);
+    expect(content.docsUrl).toContain(docsAnchor);
+  });
+
+  it.each([
+    [organizationBasePath, 'Dashboard help'],
+    [`${organizationBasePath}/findings`, 'Findings help'],
+    [`${organizationBasePath}/audit-report`, 'Audit report help'],
+    [`${organizationBasePath}/config`, 'Settings help'],
+  ])('matches organization route %s to its page help', (pathname, title) => {
+    expect(getSecurityAgentHelpContent(pathname, organizationBasePath).title).toBe(title);
+  });
+
+  it('uses overview help outside known Security Agent routes', () => {
+    expect(getSecurityAgentHelpContent('/security-agent/unknown', personalBasePath).title).toBe(
+      'Security Agent help'
+    );
+    expect(getSecurityAgentHelpContent('/another-page', personalBasePath).title).toBe(
+      'Security Agent help'
+    );
+  });
+});
+
+describe('Security Agent navigation', () => {
+  const basePath = '/security-agent';
+
+  it('keeps historical reports available during setup', () => {
+    expect(
+      getSecurityAgentNavItems({ basePath, showSetupOnly: true, isEnabled: undefined }).map(
+        item => item.label
+      )
+    ).toEqual(['Audit report', 'Settings']);
+  });
+
+  it('preserves configured navigation', () => {
+    expect(
+      getSecurityAgentNavItems({ basePath, showSetupOnly: false, isEnabled: true }).map(
+        item => item.label
+      )
+    ).toEqual(['Dashboard', 'Findings', 'Audit report', 'Settings']);
+    expect(
+      getSecurityAgentNavItems({ basePath, showSetupOnly: false, isEnabled: false }).map(
+        item => item.label
+      )
+    ).toEqual(['Dashboard', 'Audit report', 'Settings']);
+  });
+});
+
 describe('SecurityAgentContext command helpers', () => {
   it('recovers active commands after reload and dedupes polled state', () => {
     const recovered = command({
@@ -42,6 +103,21 @@ describe('SecurityAgentContext command helpers', () => {
     ]);
   });
 
+  it('removes recovered commands after polling observes a terminal state', () => {
+    const recovered = command({
+      id: 'bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb',
+      commandType: 'start_analysis',
+      findingId: 'finding-id',
+      status: 'running',
+    });
+    const terminal = command({
+      ...recovered,
+      status: 'succeeded',
+    });
+
+    expect(mergeSecurityAgentActiveCommands([recovered], [terminal])).toEqual([]);
+  });
+
   it('derives active-action disabling and optimistic analysis ids', () => {
     const state = getSecurityAgentActiveCommandState(
       [
diff --git a/apps/web/src/components/security-agent/SecurityAgentContext.tsx b/apps/web/src/components/security-agent/SecurityAgentContext.tsx
index cbb22edb9..ee3820757 100644
--- a/apps/web/src/components/security-agent/SecurityAgentContext.tsx
+++ b/apps/web/src/components/security-agent/SecurityAgentContext.tsx
@@ -11,8 +11,11 @@ import {
 } from '@tanstack/react-query';
 import { toast } from 'sonner';
 import type { SecurityFinding } from '@kilocode/db/schema';
+import type { SecurityRemediationAdmissionRejectionReason } from '@kilocode/worker-utils/security-remediation-policy';
+import type { SecurityAgentUiInteraction } from '@/lib/security-agent/core/schemas';
 import { isGitHubIntegrationError } from '@/lib/security-agent/core/error-display';
 import type { DismissReason } from './DismissFindingDialog';
+import { getRemediationUnavailableCopy } from './remediation-unavailable-copy';
 import type { SlaConfig } from './security-config-types';
 import {
   getSecurityAgentCommandFailureTitle,
@@ -36,8 +39,10 @@ type SecurityAgentContextValue = {
   isLoadingConfig: boolean;
   reauthorizeUrl: string | undefined;
   isEnabled: boolean | undefined;
+  hasConfig: boolean;
   configData:
     | {
+        hasConfig: boolean;
         isEnabled: boolean;
         slaCriticalDays: number;
         slaHighDays: number;
@@ -74,6 +79,7 @@ type SecurityAgentContextValue = {
   filteredRepositories: Array<{ id: number; fullName: string; name: string; private: boolean }>;
 
   // Mutation handlers
+  trackUiInteraction: (interaction: SecurityAgentUiInteraction) => void;
   handleSync: (repoFullName?: string) => void;
   handleDismiss: (
     finding: SecurityFinding,
@@ -116,7 +122,7 @@ type SecurityAgentContextValue = {
   ) => void;
   handleStartAnalysis: (
     findingId: string,
-    options?: { forceSandbox?: boolean; retrySandboxOnly?: boolean }
+    options?: { forceSandbox?: boolean; retrySandboxOnly?: boolean; restartActive?: boolean }
   ) => void;
   handleStartRemediation: (findingId: string) => void;
   handleRetryRemediation: (findingId: string) => void;
@@ -187,7 +193,12 @@ export function mergeSecurityAgentActiveCommands(
     if (isActiveSecurityAgentCommand(command)) activeCommands.set(command.id, command);
   }
   for (const command of polledCommands) {
-    if (command && isActiveSecurityAgentCommand(command)) activeCommands.set(command.id, command);
+    if (!command) continue;
+    if (isActiveSecurityAgentCommand(command)) {
+      activeCommands.set(command.id, command);
+    } else {
+      activeCommands.delete(command.id);
+    }
   }
   return [...activeCommands.values()];
 }
@@ -577,6 +588,31 @@ function useSecurityAgentProviderValue(
     );
   }
 
+  function settleRemediationAdmission(
+    result:
+      | { queued: true }
+      | { queued: false; reason: SecurityRemediationAdmissionRejectionReason },
+    findingId: string,
+    messages: { queued: string; unavailable: string }
+  ) {
+    if (result.queued) {
+      toast.success(messages.queued);
+    } else {
+      toast.error(messages.unavailable, {
+        description: getRemediationUnavailableCopy(result.reason),
+        duration: 8000,
+      });
+    }
+    dispatchProviderState({ type: 'remove-optimistic-remediation', findingId });
+    invalidateRemediationQueries();
+  }
+
+  function settleRemediationError(error: { message: string }, findingId: string, title: string) {
+    toast.error(title, { description: error.message, duration: 8000 });
+    dispatchProviderState({ type: 'remove-optimistic-remediation', findingId });
+    invalidateRemediationQueries();
+  }
+
   // Permission status query
   const { data: permissionData, isLoading: isLoadingPermission } = useQuery(
     isOrg
@@ -711,6 +747,9 @@ function useSecurityAgentProviderValue(
   ]);
 
   // ---- Mutations (org) ----
+  const { mutate: orgTrackUiInteractionMutate } = useMutation(
+    trpc.organizations.securityAgent.trackUiInteraction.mutationOptions()
+  );
   const { mutate: orgSyncMutate, isPending: isOrgSyncPending } = useMutation(
     trpc.organizations.securityAgent.triggerSync.mutationOptions({
       onSuccess: data => {
@@ -807,20 +846,28 @@ function useSecurityAgentProviderValue(
 
   const { mutate: orgStartAnalysisMutate } = useMutation(
     trpc.organizations.securityAgent.startAnalysis.mutationOptions({
-      onSuccess: async data => {
+      onSuccess: async (data, variables) => {
         dispatchProviderState({ type: 'set-github-error', error: null });
-        toast.success(securityAgentCommandAdmissionCopy.start_analysis.successTitle);
+        toast.success(
+          variables.restartActive
+            ? 'Analysis restart queued'
+            : securityAgentCommandAdmissionCopy.start_analysis.successTitle
+        );
         trackCommand(data.commandId);
       },
       onError: (error, variables) => {
         const message = error instanceof Error ? error.message : String(error);
+        const isRestart = variables.restartActive === true;
+        const failureTitle = isRestart
+          ? 'Failed to restart analysis'
+          : securityAgentCommandAdmissionCopy.start_analysis.failureTitle;
         if (isGitHubIntegrationError(error)) {
           dispatchProviderState({ type: 'set-github-error', error: message });
-          toast.error('GitHub integration error', {
+          toast.error(isRestart ? failureTitle : 'GitHub integration error', {
             description: 'GitHub App may have been uninstalled. Check integrations, then retry.',
           });
         } else {
-          toast.error(securityAgentCommandAdmissionCopy.start_analysis.failureTitle, {
+          toast.error(failureTitle, {
             description: message,
             duration: 8000,
           });
@@ -838,40 +885,28 @@ function useSecurityAgentProviderValue(
 
   const { mutate: orgStartRemediationMutate } = useMutation(
     trpc.organizations.securityAgent.startRemediation.mutationOptions({
-      onSuccess: async (_data, variables) => {
-        toast.success('Remediation queued');
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
+      onSuccess: (data, variables) => {
+        settleRemediationAdmission(data, variables.findingId, {
+          queued: 'Remediation queued',
+          unavailable: 'Remediation unavailable',
         });
-        invalidateRemediationQueries();
       },
       onError: (error, variables) => {
-        toast.error('Failed to queue remediation', { description: error.message, duration: 8000 });
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
-        });
+        settleRemediationError(error, variables.findingId, 'Failed to queue remediation');
       },
     })
   );
 
   const { mutate: orgRetryRemediationMutate } = useMutation(
     trpc.organizations.securityAgent.retryRemediation.mutationOptions({
-      onSuccess: async (_data, variables) => {
-        toast.success('Remediation retry queued');
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
+      onSuccess: (data, variables) => {
+        settleRemediationAdmission(data, variables.findingId, {
+          queued: 'Remediation retry queued',
+          unavailable: 'Remediation retry unavailable',
         });
-        invalidateRemediationQueries();
       },
       onError: (error, variables) => {
-        toast.error('Failed to retry remediation', { description: error.message, duration: 8000 });
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
-        });
+        settleRemediationError(error, variables.findingId, 'Failed to retry remediation');
       },
     })
   );
@@ -911,6 +946,9 @@ function useSecurityAgentProviderValue(
   );
 
   // ---- Mutations (personal) ----
+  const { mutate: personalTrackUiInteractionMutate } = useMutation(
+    trpc.securityAgent.trackUiInteraction.mutationOptions()
+  );
   const { mutate: personalSyncMutate, isPending: isPersonalSyncPending } = useMutation(
     trpc.securityAgent.triggerSync.mutationOptions({
       onSuccess: data => {
@@ -1007,20 +1045,28 @@ function useSecurityAgentProviderValue(
 
   const { mutate: personalStartAnalysisMutate } = useMutation(
     trpc.securityAgent.startAnalysis.mutationOptions({
-      onSuccess: async data => {
+      onSuccess: async (data, variables) => {
         dispatchProviderState({ type: 'set-github-error', error: null });
-        toast.success(securityAgentCommandAdmissionCopy.start_analysis.successTitle);
+        toast.success(
+          variables.restartActive
+            ? 'Analysis restart queued'
+            : securityAgentCommandAdmissionCopy.start_analysis.successTitle
+        );
         trackCommand(data.commandId);
       },
       onError: (error, variables) => {
         const message = error instanceof Error ? error.message : String(error);
+        const isRestart = variables.restartActive === true;
+        const failureTitle = isRestart
+          ? 'Failed to restart analysis'
+          : securityAgentCommandAdmissionCopy.start_analysis.failureTitle;
         if (isGitHubIntegrationError(error)) {
           dispatchProviderState({ type: 'set-github-error', error: message });
-          toast.error('GitHub integration error', {
+          toast.error(isRestart ? failureTitle : 'GitHub integration error', {
             description: 'GitHub App may have been uninstalled. Check integrations, then retry.',
           });
         } else {
-          toast.error(securityAgentCommandAdmissionCopy.start_analysis.failureTitle, {
+          toast.error(failureTitle, {
             description: message,
             duration: 8000,
           });
@@ -1038,40 +1084,28 @@ function useSecurityAgentProviderValue(
 
   const { mutate: personalStartRemediationMutate } = useMutation(
     trpc.securityAgent.startRemediation.mutationOptions({
-      onSuccess: async (_data, variables) => {
-        toast.success('Remediation queued');
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
+      onSuccess: (data, variables) => {
+        settleRemediationAdmission(data, variables.findingId, {
+          queued: 'Remediation queued',
+          unavailable: 'Remediation unavailable',
         });
-        invalidateRemediationQueries();
       },
       onError: (error, variables) => {
-        toast.error('Failed to queue remediation', { description: error.message, duration: 8000 });
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
-        });
+        settleRemediationError(error, variables.findingId, 'Failed to queue remediation');
       },
     })
   );
 
   const { mutate: personalRetryRemediationMutate } = useMutation(
     trpc.securityAgent.retryRemediation.mutationOptions({
-      onSuccess: async (_data, variables) => {
-        toast.success('Remediation retry queued');
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
+      onSuccess: (data, variables) => {
+        settleRemediationAdmission(data, variables.findingId, {
+          queued: 'Remediation retry queued',
+          unavailable: 'Remediation retry unavailable',
         });
-        invalidateRemediationQueries();
       },
       onError: (error, variables) => {
-        toast.error('Failed to retry remediation', { description: error.message, duration: 8000 });
-        dispatchProviderState({
-          type: 'remove-optimistic-remediation',
-          findingId: variables.findingId,
-        });
+        settleRemediationError(error, variables.findingId, 'Failed to retry remediation');
       },
     })
   );
@@ -1264,13 +1298,24 @@ function useSecurityAgentProviderValue(
       {
         forceSandbox,
         retrySandboxOnly,
-      }: { forceSandbox?: boolean; retrySandboxOnly?: boolean } = {}
+        restartActive,
+      }: {
+        forceSandbox?: boolean;
+        retrySandboxOnly?: boolean;
+        restartActive?: boolean;
+      } = {}
     ) => {
       dispatchProviderState({ type: 'add-optimistic-analysis', findingId });
       if (isOrg && organizationId) {
-        orgStartAnalysisMutate({ organizationId, findingId, forceSandbox, retrySandboxOnly });
+        orgStartAnalysisMutate({
+          organizationId,
+          findingId,
+          forceSandbox,
+          retrySandboxOnly,
+          restartActive,
+        });
       } else {
-        personalStartAnalysisMutate({ findingId, forceSandbox, retrySandboxOnly });
+        personalStartAnalysisMutate({ findingId, forceSandbox, retrySandboxOnly, restartActive });
       }
     },
     [isOrg, organizationId, orgStartAnalysisMutate, personalStartAnalysisMutate]
@@ -1333,6 +1378,7 @@ function useSecurityAgentProviderValue(
   const hasPermission = permissionData?.hasPermissions ?? false;
   const reauthorizeUrl = permissionData?.reauthorizeUrl ?? undefined;
   const isEnabled = configData ? configData.isEnabled : undefined;
+  const hasConfig = configData?.hasConfig ?? false;
   const allRepositories = reposData ?? EMPTY_REPOSITORIES;
   const repositorySelectionMode = configData?.repositorySelectionMode ?? 'selected';
   const selectedRepositoryIds = configData?.selectedRepositoryIds ?? EMPTY_REPOSITORY_IDS;
@@ -1359,6 +1405,7 @@ function useSecurityAgentProviderValue(
       isLoadingConfig,
       reauthorizeUrl,
       isEnabled,
+      hasConfig,
       configData: configData
         ? {
             ...configData,
@@ -1383,6 +1430,13 @@ function useSecurityAgentProviderValue(
       refetchConfig,
       allRepositories,
       filteredRepositories,
+      trackUiInteraction: interaction => {
+        if (isOrg && organizationId) {
+          orgTrackUiInteractionMutate({ organizationId, interaction });
+        } else {
+          personalTrackUiInteractionMutate({ interaction });
+        }
+      },
       handleSync,
       handleDismiss,
       handleSaveConfig,
@@ -1413,10 +1467,13 @@ function useSecurityAgentProviderValue(
       isLoadingConfig,
       reauthorizeUrl,
       isEnabled,
+      hasConfig,
       configData,
       refetchConfig,
       allRepositories,
       filteredRepositories,
+      orgTrackUiInteractionMutate,
+      personalTrackUiInteractionMutate,
       handleSync,
       handleDismiss,
       handleSaveConfig,
diff --git a/apps/web/src/components/security-agent/SecurityAgentGitHubInstallCta.tsx b/apps/web/src/components/security-agent/SecurityAgentGitHubInstallCta.tsx
new file mode 100644
index 000000000..bf4b75d1f
--- /dev/null
+++ b/apps/web/src/components/security-agent/SecurityAgentGitHubInstallCta.tsx
@@ -0,0 +1,28 @@
+'use client';
+
+import Link from 'next/link';
+import { Shield } from 'lucide-react';
+import { Button } from '@/components/ui/button';
+
+type SecurityAgentGitHubInstallCtaProps = {
+  installUrl: string;
+};
+
+export function SecurityAgentGitHubInstallCta({ installUrl }: SecurityAgentGitHubInstallCtaProps) {
+  return (
+    <div className="border-border flex flex-col items-center justify-center rounded-xl border border-dashed px-6 py-16 text-center">
+      <Shield className="text-muted-foreground mb-4 size-12 opacity-40" aria-hidden="true" />
+      <h3 className="text-lg font-medium">Connect GitHub to get started</h3>
+      <p className="text-muted-foreground mt-2 max-w-md text-center text-sm">
+        Install the Kilo GitHub App to automatically sync Dependabot alerts and manage security
+        findings across your repositories.
+      </p>
+      <Button
+        asChild
+        className="bg-brand-primary text-primary-foreground hover:bg-brand-primary/90 mt-6"
+      >
+        <Link href={installUrl}>Install GitHub App</Link>
+      </Button>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/security-agent/SecurityAgentLayout.tsx b/apps/web/src/components/security-agent/SecurityAgentLayout.tsx
index 5ff9ab8d9..a9ea839bd 100644
--- a/apps/web/src/components/security-agent/SecurityAgentLayout.tsx
+++ b/apps/web/src/components/security-agent/SecurityAgentLayout.tsx
@@ -2,17 +2,29 @@
 
 import { usePathname } from 'next/navigation';
 import Link from 'next/link';
-import { Badge } from '@/components/ui/badge';
 import { Alert, AlertDescription, AlertTitle } from '@/components/ui/alert';
-import { SetPageTitle } from '@/components/SetPageTitle';
 import { Button } from '@/components/ui/button';
+import {
+  Sheet,
+  SheetContent,
+  SheetDescription,
+  SheetHeader,
+  SheetTitle,
+  SheetTrigger,
+} from '@/components/ui/sheet';
+import { SidebarTrigger } from '@/components/ui/sidebar';
+import { HideAppTopbar } from '@/components/gastown/HideAppTopbar';
 import {
   AlertTriangle,
+  BookOpenText,
+  CircleHelp,
   ExternalLink,
-  RefreshCw,
+  FileClock,
   LayoutDashboard,
   ListChecks,
+  RefreshCw,
   Settings2,
+  type LucideIcon,
 } from 'lucide-react';
 import { cn } from '@/lib/utils';
 import { useTRPC } from '@/lib/trpc/utils';
@@ -20,10 +32,266 @@ import { useMutation, useQueryClient } from '@tanstack/react-query';
 import { toast } from 'sonner';
 import { useSecurityAgent } from './SecurityAgentContext';
 
+const SECURITY_AGENT_DOCS_URL = 'https://kilo.ai/docs/deploy-secure/security-reviews';
+
+const SECURITY_AGENT_HELP_CONTENT = {
+  dashboard: {
+    title: 'Dashboard help',
+    description:
+      'Review current security posture, SLA pressure, and the Security Finding that needs attention first.',
+    sections: [
+      {
+        title: 'Review current posture',
+        items: [
+          'Use the repository filter to update every dashboard metric for one repository or all repositories.',
+          'With SLA tracking on, review compliance, passed deadlines, upcoming deadlines, and findings without deadlines.',
+          'With SLA tracking off, focus on open findings, confirmed exploitability, human review, and incomplete analysis.',
+        ],
+      },
+      {
+        title: 'Choose the next action',
+        items: [
+          'The recommended finding prioritizes overdue work, incomplete analysis, confirmed exploitability, and findings needing review.',
+          'Open a dashboard metric or recommendation to view matching findings.',
+        ],
+      },
+    ],
+    docsUrl: `${SECURITY_AGENT_DOCS_URL}#use-the-dashboard`,
+    docsLabel: 'Read about the dashboard',
+    docsDescription: 'Metrics, filters, and prioritization',
+  },
+  findings: {
+    title: 'Findings help',
+    description:
+      'Filter the vulnerability backlog, review evidence, and take the next safe action.',
+    sections: [
+      {
+        title: 'Focus the backlog',
+        items: [
+          'Filter by repository, severity, or analysis outcome, then sort by severity or SLA due date.',
+          'Each finding shows its analysis outcome, remediation status, and available next action.',
+        ],
+      },
+      {
+        title: 'Inspect and act',
+        items: [
+          'Details shows Dependabot metadata, repository context, status, and timing.',
+          'Analysis shows triage and sandbox evidence, progress, reasoning, suggested fixes, and retry actions.',
+          'Remediation shows eligibility, attempt history, pull request outcomes, validation evidence, and cancellation state.',
+        ],
+      },
+    ],
+    docsUrl: `${SECURITY_AGENT_DOCS_URL}#browse-findings`,
+    docsLabel: 'Read about findings',
+    docsDescription: 'Filters, analysis, and remediation actions',
+  },
+  auditReport: {
+    title: 'Audit report help',
+    description: 'Review Security Finding activity recorded by Kilo for a selected UTC period.',
+    sections: [
+      {
+        title: 'Generate a report',
+        items: [
+          'Choose a UTC date range of up to 90 inclusive calendar days.',
+          'Filter finding groups by severity, recorded state, or repository. Matching groups keep their complete in-period timeline.',
+        ],
+      },
+      {
+        title: 'Understand the evidence',
+        items: [
+          'Reports include recorded imports, status and severity changes, analysis outcomes, dismissals, remediation activity, and deletions.',
+          'Reports do not prove complete legacy history, repository scan coverage, or aggregate historical SLA compliance.',
+          'If report generation fails, Kilo returns no partial report. Select a shorter period and generate it again.',
+        ],
+      },
+    ],
+    docsUrl: `${SECURITY_AGENT_DOCS_URL}#audit-reports`,
+    docsLabel: 'Read about audit reports',
+    docsDescription: 'Periods, filters, evidence, and access',
+  },
+  settings: {
+    title: 'Settings help',
+    description: 'Control repository scope, analysis, automation, notifications, and SLA policy.',
+    sections: [
+      {
+        title: 'General',
+        items: [
+          'Turn Security Agent on or off, select repositories, choose models, and set analysis mode.',
+          'Auto mode runs triage first and starts sandbox analysis only when project-specific evidence is needed.',
+        ],
+      },
+      {
+        title: 'Automation',
+        items: [
+          'Configure Auto Analysis, Auto Remediation, and Auto Dismiss thresholds and include-existing behavior.',
+          'Auto Remediation is off by default and only starts work for eligible findings that pass safety checks.',
+        ],
+      },
+      {
+        title: 'Notifications and SLA',
+        items: [
+          'New-finding Notifications email eligible recipients when Kilo first inserts a finding. Historical insertions are not replayed.',
+          'SLA settings control severity deadlines, warning lead time, SLA Warning Notifications, and SLA Breach Notifications.',
+          'Organization emails go only to current organization owners.',
+        ],
+      },
+    ],
+    docsUrl: `${SECURITY_AGENT_DOCS_URL}#configure-security-agent`,
+    docsLabel: 'Read about settings',
+    docsDescription: 'General, automation, notifications, and SLA',
+  },
+  overview: {
+    title: 'Security Agent help',
+    description:
+      'Learn how Security Agent syncs Security Findings, analyzes risk, and guides remediation.',
+    sections: [
+      {
+        title: 'How Security Agent works',
+        items: [
+          'Sync imports Dependabot alerts from repositories in scope as Security Findings.',
+          'Triage and sandbox analysis determine project-specific risk and recommend the next action.',
+          'Remediation can ask Cloud Agent to prepare a fix and open a pull request for an eligible finding.',
+        ],
+      },
+    ],
+    docsUrl: `${SECURITY_AGENT_DOCS_URL}#how-security-agent-works`,
+    docsLabel: 'View Security Agent documentation',
+    docsDescription: 'Setup, analysis, remediation, and settings',
+  },
+} satisfies Record<
+  string,
+  {
+    title: string;
+    description: string;
+    sections: { title: string; items: string[] }[];
+    docsUrl: string;
+    docsLabel: string;
+    docsDescription: string;
+  }
+>;
+
+export function getSecurityAgentHelpContent(pathname: string, basePath: string) {
+  const relativePath = pathname.startsWith(basePath) ? pathname.slice(basePath.length) : null;
+
+  if (relativePath === '' || relativePath === '/') return SECURITY_AGENT_HELP_CONTENT.dashboard;
+  if (relativePath === '/findings' || relativePath?.startsWith('/findings/')) {
+    return SECURITY_AGENT_HELP_CONTENT.findings;
+  }
+  if (relativePath === '/audit-report' || relativePath?.startsWith('/audit-report/')) {
+    return SECURITY_AGENT_HELP_CONTENT.auditReport;
+  }
+  if (relativePath === '/config' || relativePath?.startsWith('/config/')) {
+    return SECURITY_AGENT_HELP_CONTENT.settings;
+  }
+  return SECURITY_AGENT_HELP_CONTENT.overview;
+}
+
 type SecurityAgentLayoutProps = {
   children: React.ReactNode;
 };
 
+type SecurityAgentNavItem = {
+  label: string;
+  href: string;
+  icon: LucideIcon;
+};
+
+export function getSecurityAgentNavItems({
+  basePath,
+  showSetupOnly,
+  isEnabled,
+}: {
+  basePath: string;
+  showSetupOnly: boolean;
+  isEnabled: boolean | undefined;
+}): SecurityAgentNavItem[] {
+  const auditReport = {
+    label: 'Audit report',
+    href: `${basePath}/audit-report`,
+    icon: FileClock,
+  } satisfies SecurityAgentNavItem;
+  const settings = {
+    label: 'Settings',
+    href: `${basePath}/config`,
+    icon: Settings2,
+  } satisfies SecurityAgentNavItem;
+
+  if (showSetupOnly) return [auditReport, settings];
+
+  return [
+    { label: 'Dashboard', href: basePath, icon: LayoutDashboard },
+    ...(isEnabled ? [{ label: 'Findings', href: `${basePath}/findings`, icon: ListChecks }] : []),
+    auditReport,
+    settings,
+  ];
+}
+
+type SecurityAgentHelpProps = {
+  pathname: string;
+  basePath: string;
+  initiallyOpen?: boolean;
+};
+
+export function SecurityAgentHelp({
+  pathname,
+  basePath,
+  initiallyOpen = false,
+}: SecurityAgentHelpProps) {
+  const content = getSecurityAgentHelpContent(pathname, basePath);
+
+  return (
+    <Sheet defaultOpen={initiallyOpen}>
+      <SheetTrigger asChild>
+        <Button
+          type="button"
+          variant="outline"
+          className="min-h-control-touch self-center px-3 sm:h-control-default sm:min-h-0"
+        >
+          <CircleHelp aria-hidden="true" />
+          Help
+        </Button>
+      </SheetTrigger>
+      <SheetContent side="right" className="w-full gap-0 sm:max-w-sm">
+        <SheetHeader className="border-border border-b p-6 pr-12">
+          <SheetTitle className="type-heading">{content.title}</SheetTitle>
+          <SheetDescription className="type-body">{content.description}</SheetDescription>
+        </SheetHeader>
+        <div className="flex-1 space-y-6 overflow-y-auto p-4 sm:p-6">
+          {content.sections.map(section => (
+            <section key={section.title} className="space-y-2">
+              <h3 className="type-body font-medium">{section.title}</h3>
+              <ul className="text-muted-foreground type-body list-disc space-y-2 pl-5">
+                {section.items.map(item => (
+                  <li key={item}>{item}</li>
+                ))}
+              </ul>
+            </section>
+          ))}
+          <section>
+            <div className="text-muted-foreground type-eyebrow">Resources</div>
+            <a
+              href={content.docsUrl}
+              target="_blank"
+              rel="noopener noreferrer"
+              aria-label={`${content.docsLabel} (opens in a new tab)`}
+              className="border-border bg-input-background focus-visible:ring-ring hover:bg-surface-hover mt-3 flex min-h-control-touch items-center gap-3 rounded-md border px-3 py-3 transition-colors focus-visible:ring-[3px] focus-visible:outline-none"
+            >
+              <BookOpenText className="text-muted-foreground size-4 shrink-0" aria-hidden="true" />
+              <span className="min-w-0 flex-1">
+                <span className="type-body block font-medium">{content.docsLabel}</span>
+                <span className="text-muted-foreground type-label block">
+                  {content.docsDescription}
+                </span>
+              </span>
+              <ExternalLink className="text-muted-foreground size-4 shrink-0" aria-hidden="true" />
+            </a>
+          </section>
+        </div>
+      </SheetContent>
+    </Sheet>
+  );
+}
+
 export function SecurityAgentLayout({ children }: SecurityAgentLayoutProps) {
   const pathname = usePathname();
   const trpc = useTRPC();
@@ -34,17 +302,17 @@ export function SecurityAgentLayout({ children }: SecurityAgentLayoutProps) {
     hasIntegration,
     hasPermission,
     isLoadingPermission,
+    isLoadingConfig,
     isEnabled,
+    hasConfig,
     reauthorizeUrl,
   } = useSecurityAgent();
 
   const basePath = isOrg ? `/organizations/${organizationId}/security-agent` : '/security-agent';
+  const showSetupOnly =
+    (!isLoadingPermission && !hasIntegration) || (!isLoadingConfig && !hasConfig);
 
-  const navItems = [
-    { label: 'Dashboard', href: basePath, icon: LayoutDashboard },
-    ...(isEnabled ? [{ label: 'Findings', href: `${basePath}/findings`, icon: ListChecks }] : []),
-    { label: 'Settings', href: `${basePath}/config`, icon: Settings2 },
-  ];
+  const navItems = getSecurityAgentNavItems({ basePath, showSetupOnly, isEnabled });
 
   // Refresh installation mutation (only used in layout for permission alert)
   const { mutate: refreshMutate, isPending: isRefreshing } = useMutation(
@@ -101,32 +369,33 @@ export function SecurityAgentLayout({ children }: SecurityAgentLayoutProps) {
   }
 
   return (
-    <div className="space-y-6">
-      <SetPageTitle title="Security Agent">
-        <Badge variant="beta">Beta</Badge>
-      </SetPageTitle>
-      {/* Header */}
-      <div className="space-y-2">
-        <p className="text-muted-foreground">
-          Monitor and manage Dependabot security alerts across your repositories.
-        </p>
-        <a
-          href="https://kilo.ai/docs/contributing/architecture/security-reviews"
-          target="_blank"
-          rel="noopener noreferrer"
-          className="focus-visible:ring-ring mt-2 inline-flex items-center gap-1 rounded-sm text-sm text-blue-400 underline decoration-blue-400/40 underline-offset-4 transition-colors hover:text-blue-300 focus-visible:ring-2 focus-visible:outline-none"
-        >
-          Learn how to use it
-          <ExternalLink className="size-4" />
-        </a>
-      </div>
+    <div className="flex min-h-full flex-col">
+      <HideAppTopbar />
+      <header className="border-border bg-surface-raised border-b">
+        <div className="flex min-w-0">
+          <div className="flex w-14 shrink-0 items-start justify-center pt-4 sm:w-16 sm:pt-5">
+            <SidebarTrigger
+              aria-label="Toggle sidebar"
+              className="size-control-touch sm:size-control-default"
+            />
+          </div>
 
-      {/* Sub-navigation — hidden when GitHub is not installed */}
-      {hasIntegration && (
-        <nav
-          className="border-border flex gap-1 overflow-x-auto border-b"
-          aria-label="Security Agent"
-        >
+          <div className="grid min-w-0 flex-1 grid-cols-[minmax(0,1fr)_auto] gap-x-3 gap-y-2 py-4 pr-4 sm:gap-x-6 sm:py-5 sm:pr-6 lg:pr-10">
+            <h1 id="security-agent-title" className="type-title self-center font-bold text-balance">
+              Security Agent
+            </h1>
+            <div className="col-start-2 row-start-1 self-center sm:row-span-2">
+              <SecurityAgentHelp pathname={pathname} basePath={basePath} />
+            </div>
+            <p className="text-muted-foreground type-body col-span-2 col-start-1 row-start-2 text-pretty sm:col-span-1 md:whitespace-nowrap">
+              Monitor and manage Security Findings synced from Dependabot across your repositories.
+            </p>
+          </div>
+        </div>
+      </header>
+
+      <nav className="border-border bg-surface-background border-b" aria-label="Security Agent">
+        <div className="m-auto flex w-full max-w-[1140px] gap-1 overflow-x-auto px-4 md:px-6">
           {navItems.map(item => {
             const Icon = item.icon;
             const active = isActive(item.href);
@@ -136,64 +405,65 @@ export function SecurityAgentLayout({ children }: SecurityAgentLayoutProps) {
                 href={item.href}
                 aria-current={active ? 'page' : undefined}
                 className={cn(
-                  'focus-visible:ring-ring flex shrink-0 items-center gap-2 rounded-t-md border-b-2 px-4 py-2.5 text-sm font-medium transition-colors focus-visible:ring-2 focus-visible:outline-none',
+                  'focus-visible:ring-ring flex min-h-control-touch shrink-0 items-center gap-2 rounded-t-md border-b-2 px-4 type-body font-medium transition-colors focus-visible:ring-2 focus-visible:outline-none',
                   active
-                    ? 'border-brand-primary text-foreground'
+                    ? 'border-primary text-foreground'
                     : 'text-muted-foreground hover:text-foreground border-transparent hover:border-border'
                 )}
               >
-                <Icon className="h-4 w-4" />
+                <Icon className="size-4" aria-hidden="true" />
                 {item.label}
               </Link>
             );
           })}
-        </nav>
-      )}
-
-      {/* Additional Permissions Required Alert */}
-      {showPermissionRequired && (
-        <Alert variant="destructive">
-          <AlertTriangle className="h-4 w-4" />
-          <AlertTitle>Additional permissions required</AlertTitle>
-          <AlertDescription className="space-y-3">
-            <p>
-              Security Agent requires the <code>vulnerability_alerts</code> permission to access
-              Dependabot alerts. Re-authorize GitHub App to grant this permission.
-            </p>
-            <div className="flex flex-wrap gap-3">
-              {reauthorizeUrl && (
+        </div>
+      </nav>
+
+      <div className="m-auto flex w-full max-w-[1140px] flex-1 flex-col gap-6 p-4 md:p-6">
+        {showPermissionRequired && (
+          <Alert variant="destructive">
+            <AlertTriangle className="size-4" aria-hidden="true" />
+            <AlertTitle>Additional permissions required</AlertTitle>
+            <AlertDescription className="space-y-3">
+              <p>
+                Security Agent requires the <code>vulnerability_alerts</code> permission to access
+                Dependabot alerts. Re-authorize GitHub App to grant this permission.
+              </p>
+              <div className="flex flex-wrap gap-3">
+                {reauthorizeUrl && (
+                  <Button
+                    asChild
+                    className="bg-brand-primary text-primary-foreground hover:bg-brand-primary/90"
+                  >
+                    <a href={reauthorizeUrl} target="_blank" rel="noopener noreferrer">
+                      <ExternalLink className="size-4" aria-hidden="true" />
+                      Re-authorize GitHub App
+                    </a>
+                  </Button>
+                )}
                 <Button
-                  asChild
-                  className="bg-brand-primary text-primary-foreground hover:bg-brand-primary/90"
+                  variant="outline"
+                  onClick={handleRefreshPermissions}
+                  disabled={isRefreshing}
+                  className="border-border bg-background text-foreground hover:bg-accent hover:text-accent-foreground"
                 >
-                  <a href={reauthorizeUrl} target="_blank" rel="noopener noreferrer">
-                    <ExternalLink className="size-4" aria-hidden="true" />
-                    Re-authorize GitHub App
-                  </a>
+                  <RefreshCw
+                    className={`size-4 ${isRefreshing ? 'animate-spin motion-reduce:animate-none' : ''}`}
+                    aria-hidden="true"
+                  />
+                  {isRefreshing ? 'Refreshing...' : 'Refresh permissions'}
                 </Button>
-              )}
-              <Button
-                variant="outline"
-                onClick={handleRefreshPermissions}
-                disabled={isRefreshing}
-                className="border-border bg-background text-foreground hover:bg-accent hover:text-accent-foreground"
-              >
-                <RefreshCw
-                  className={`size-4 ${isRefreshing ? 'animate-spin motion-reduce:animate-none' : ''}`}
-                  aria-hidden="true"
-                />
-                {isRefreshing ? 'Refreshing...' : 'Refresh permissions'}
-              </Button>
-            </div>
-            <p className="text-sm opacity-80">
-              Already approved permissions in GitHub? Refresh permissions to update Security Agent.
-            </p>
-          </AlertDescription>
-        </Alert>
-      )}
+              </div>
+              <p className="text-sm opacity-80">
+                Already approved permissions in GitHub? Refresh permissions to update Security
+                Agent.
+              </p>
+            </AlertDescription>
+          </Alert>
+        )}
 
-      {/* Page content */}
-      {children}
+        {children}
+      </div>
     </div>
   );
 }
diff --git a/apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts b/apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts
new file mode 100644
index 000000000..6ffa15e0e
--- /dev/null
+++ b/apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts
@@ -0,0 +1,443 @@
+import { describe, expect, it } from '@jest/globals';
+import { createElement } from 'react';
+import { renderToStaticMarkup } from 'react-dom/server';
+import type {
+  SecurityAgentAuditReport,
+  SecurityAgentAuditReportEvent,
+  SecurityFindingAuditSection,
+} from '@/lib/security-agent/db/security-audit-report';
+import {
+  AuditReportProvenance,
+  filterSecurityAgentAuditReport,
+  formatAuditEventTime,
+  formatDateTime24Hour,
+  getAuditEventDetails,
+  getDefaultAuditReportDateRange,
+  getAuditReportProvenance,
+  getAuditReportRepositoryHref,
+  getAuditReportRepositoryOptions,
+  hasSecurityAgentAuditReportOwnerContext,
+  normalizeAuditReportRepositoryFilter,
+  parseAuditReportFilters,
+} from './SecurityAuditReportPage';
+
+function finding(
+  overrides: Partial<SecurityFindingAuditSection> &
+    Pick<SecurityFindingAuditSection, 'findingId' | 'severity' | 'status'>
+): SecurityFindingAuditSection {
+  return {
+    source: 'dependabot',
+    sourceId: '1',
+    repository: 'kilo/repo',
+    title: 'Test finding',
+    packageName: 'test-package',
+    packageEcosystem: 'npm',
+    manifestPath: 'package.json',
+    patchedVersion: null,
+    ghsaId: null,
+    cveId: null,
+    cweIds: [],
+    cvssScore: null,
+    dependabotUrl: null,
+    firstDetectedAt: '2026-06-01T00:00:00.000Z',
+    canonicalFindingId: null,
+    deleted: false,
+    sla: { status: 'unknown', deadline: null, reason: 'not recorded' },
+    events: [],
+    hasLegacySupplementalActivity: false,
+    ...overrides,
+  };
+}
+
+function event(
+  overrides: Partial<SecurityAgentAuditReportEvent> & Pick<SecurityAgentAuditReportEvent, 'action'>
+): SecurityAgentAuditReportEvent {
+  return {
+    id: 'event-1',
+    label: 'Event',
+    occurredAt: '2026-06-15T16:04:00.000Z',
+    sourceOccurredAt: null,
+    recordedAt: '2026-06-15T16:04:00.000Z',
+    actor: { type: 'system', displayName: 'Kilo system', masked: false },
+    beforeState: null,
+    afterState: null,
+    metadata: null,
+    legacySupplemental: false,
+    ...overrides,
+  };
+}
+
+function report(findings: SecurityFindingAuditSection[]): SecurityAgentAuditReport {
+  return {
+    reportVersion: 1,
+    owner: { type: 'user', id: 'user-1', displayName: 'Test User' },
+    period: {
+      start: '2026-06-01T00:00:00.000Z',
+      endExclusive: '2026-06-16T00:00:00.000Z',
+      displayEnd: '2026-06-15',
+      timeZone: 'UTC',
+    },
+    generatedAt: '2026-06-16T00:00:00.000Z',
+    dataThrough: '2026-06-16T00:00:00.000Z',
+    reliableCoverageStart: '2026-06-12T00:00:00.000Z',
+    evidenceBasis: 'recorded_by_kilo',
+    hasLegacySupplementalActivity: true,
+    summary: {
+      findingCount: findings.length,
+      activityCount: findings.reduce((count, item) => count + item.events.length, 0),
+      bySeverity: { critical: 0, high: 2, medium: 0, low: 1 },
+      byAction: {},
+    },
+    findings,
+  };
+}
+
+describe('audit report date range', () => {
+  it('defaults to 90 UTC calendar days ending on the current day', () => {
+    expect(getDefaultAuditReportDateRange(new Date('2026-06-16T21:08:07+02:00'))).toEqual({
+      startDate: '2026-03-19',
+      endDate: '2026-06-16',
+    });
+  });
+});
+
+describe('audit report owner context', () => {
+  it('allows personal reports and gates organization reports only on organization context', () => {
+    expect(hasSecurityAgentAuditReportOwnerContext(false, undefined)).toBe(true);
+    expect(hasSecurityAgentAuditReportOwnerContext(true, 'org-1')).toBe(true);
+    expect(hasSecurityAgentAuditReportOwnerContext(true, undefined)).toBe(false);
+  });
+});
+
+describe('audit report filters', () => {
+  it('parses supported URL filters and defaults unsupported values to all', () => {
+    expect(
+      parseAuditReportFilters(
+        new URLSearchParams('severity=high&state=ignored&repoFullName=kilo%2Fweb')
+      )
+    ).toEqual({
+      severity: 'high',
+      state: 'ignored',
+      repository: 'kilo/web',
+    });
+    expect(parseAuditReportFilters(new URLSearchParams('severity=unknown&state=deleted'))).toEqual({
+      severity: 'all',
+      state: 'deleted',
+      repository: null,
+    });
+    expect(parseAuditReportFilters(new URLSearchParams('state=closed'))).toEqual({
+      severity: 'all',
+      state: 'all',
+      repository: null,
+    });
+  });
+
+  it('filters finding groups by severity, state, and repository while preserving complete timelines', () => {
+    const input = report([
+      finding({
+        findingId: 'high-open',
+        severity: 'high',
+        status: 'open',
+        events: [
+          {
+            id: 'event-1',
+            action: 'security.finding.created',
+          } as SecurityFindingAuditSection['events'][number],
+        ],
+      }),
+      finding({
+        findingId: 'high-dismissed',
+        severity: 'high',
+        status: 'ignored',
+        repository: 'kilo/web',
+        events: [
+          {
+            id: 'event-2',
+            action: 'security.finding.created',
+          } as SecurityFindingAuditSection['events'][number],
+          {
+            id: 'event-3',
+            action: 'security.finding.dismissed',
+          } as SecurityFindingAuditSection['events'][number],
+        ],
+        hasLegacySupplementalActivity: true,
+      }),
+      finding({
+        findingId: 'high-dismissed-other-repository',
+        severity: 'high',
+        status: 'ignored',
+        repository: 'kilo/api',
+        events: [
+          {
+            id: 'event-other-repository',
+            action: 'security.finding.dismissed',
+          } as SecurityFindingAuditSection['events'][number],
+        ],
+      }),
+      finding({
+        findingId: 'low-dismissed',
+        severity: 'low',
+        status: 'ignored',
+        repository: 'kilo/web',
+        events: [
+          {
+            id: 'event-4',
+            action: 'security.finding.dismissed',
+          } as SecurityFindingAuditSection['events'][number],
+        ],
+      }),
+    ]);
+
+    const filtered = filterSecurityAgentAuditReport(input, {
+      severity: 'high',
+      state: 'ignored',
+      repository: 'kilo/web',
+    });
+
+    expect(filtered.findings.map(item => item.findingId)).toEqual(['high-dismissed']);
+    expect(filtered.findings[0]?.events).toHaveLength(2);
+    expect(filtered.summary).toEqual({
+      findingCount: 1,
+      activityCount: 2,
+      bySeverity: { critical: 0, high: 1, medium: 0, low: 0 },
+      byAction: {
+        'security.finding.created': 1,
+        'security.finding.dismissed': 1,
+      },
+    });
+    expect(filtered.hasLegacySupplementalActivity).toBe(true);
+  });
+
+  it('filters deleted and superseded finding evidence by displayed state', () => {
+    const input = report([
+      finding({
+        findingId: 'deleted',
+        severity: 'low',
+        status: 'ignored',
+        deleted: true,
+      }),
+      finding({
+        findingId: 'superseded',
+        severity: 'high',
+        status: 'ignored',
+        canonicalFindingId: 'current-finding',
+      }),
+      finding({ findingId: 'dismissed', severity: 'high', status: 'ignored' }),
+    ]);
+
+    expect(
+      filterSecurityAgentAuditReport(input, {
+        severity: 'all',
+        state: 'deleted',
+        repository: null,
+      }).findings.map(item => item.findingId)
+    ).toEqual(['deleted']);
+    expect(
+      filterSecurityAgentAuditReport(input, {
+        severity: 'all',
+        state: 'superseded',
+        repository: null,
+      }).findings.map(item => item.findingId)
+    ).toEqual(['superseded']);
+    expect(
+      filterSecurityAgentAuditReport(input, {
+        severity: 'all',
+        state: 'ignored',
+        repository: null,
+      }).findings.map(item => item.findingId)
+    ).toEqual(['dismissed']);
+  });
+
+  it('keeps report unchanged when all values are selected', () => {
+    const input = report([]);
+    expect(
+      filterSecurityAgentAuditReport(input, {
+        severity: 'all',
+        state: 'all',
+        repository: null,
+      })
+    ).toBe(input);
+  });
+
+  it('builds safe GitHub links for recorded repository names', () => {
+    expect(getAuditReportRepositoryHref('Kilo-Org/security-agent')).toBe(
+      'https://github.com/Kilo-Org/security-agent'
+    );
+    expect(getAuditReportRepositoryHref('invalid/repository/path')).toBeNull();
+    expect(getAuditReportRepositoryHref('owner/repository?tab=settings')).toBeNull();
+    expect(getAuditReportRepositoryHref(null)).toBeNull();
+  });
+
+  it('builds sorted repository options only from report evidence', () => {
+    const findings = [
+      finding({ findingId: '2', severity: 'high', status: 'open', repository: 'kilo/web' }),
+      finding({ findingId: '1', severity: 'low', status: 'fixed', repository: 'kilo/api' }),
+      finding({ findingId: '3', severity: 'low', status: 'fixed', repository: 'kilo/web' }),
+      finding({ findingId: '4', severity: 'low', status: null, repository: null }),
+    ];
+
+    expect(getAuditReportRepositoryOptions(findings)).toEqual(['kilo/api', 'kilo/web']);
+  });
+
+  it('normalizes stale repository filters once report evidence is available', () => {
+    const staleFilters = {
+      severity: 'high',
+      state: 'open',
+      repository: 'legacy/renamed',
+    } as const;
+    const validFilters = { ...staleFilters, repository: 'kilo/web' };
+
+    expect(normalizeAuditReportRepositoryFilter(staleFilters, ['kilo/api', 'kilo/web'])).toEqual({
+      severity: 'high',
+      state: 'open',
+      repository: null,
+    });
+    expect(normalizeAuditReportRepositoryFilter(validFilters, ['kilo/api', 'kilo/web'])).toBe(
+      validFilters
+    );
+  });
+});
+
+describe('audit report provenance', () => {
+  it('renders provenance and coverage warning for a successful empty report', () => {
+    const html = renderToStaticMarkup(createElement(AuditReportProvenance, { report: report([]) }));
+
+    expect(html).toContain('Security Finding activity recorded by Kilo.');
+    expect(html).toContain('Data cutoff');
+    expect(html).toContain('Jun 16, 2026 at 00:00 UTC');
+    expect(html).toContain('Reliable coverage starts');
+    expect(html).toContain('Jun 12, 2026 at 00:00 UTC');
+    expect(html).toContain(
+      'This period starts before reliable event coverage, and supplemental legacy activity may be incomplete.'
+    );
+  });
+
+  it('warns independently for pre-coverage periods and supplemental legacy activity', () => {
+    const baseReport = report([]);
+    const preCoverage = {
+      ...baseReport,
+      hasLegacySupplementalActivity: false,
+    };
+    const legacySupplemental = {
+      ...baseReport,
+      period: { ...baseReport.period, start: baseReport.reliableCoverageStart },
+    };
+    const completeCoverage = {
+      ...legacySupplemental,
+      hasLegacySupplementalActivity: false,
+    };
+
+    expect(getAuditReportProvenance(preCoverage).warning).toBe(
+      'Activity before reliable event coverage may be incomplete.'
+    );
+    expect(getAuditReportProvenance(legacySupplemental).warning).toBe(
+      'Supplemental legacy activity may be incomplete.'
+    );
+    expect(getAuditReportProvenance(completeCoverage).warning).toBeNull();
+  });
+});
+
+describe('audit report event presentation', () => {
+  it('formats event time as 24-hour UTC', () => {
+    expect(formatAuditEventTime('2026-06-15T16:04:00.000Z')).toBe('16:04 UTC');
+  });
+
+  it('formats SLA deadlines as 24-hour UTC without AM or PM', () => {
+    expect(formatDateTime24Hour('2026-03-19T16:04:00.000Z')).toBe('Mar 19, 2026, 16:04 UTC');
+  });
+
+  it('describes not-used dismissals without claiming the dependency is absent', () => {
+    const details = getAuditEventDetails(
+      event({
+        action: 'security.finding.auto_dismissed' as SecurityAgentAuditReportEvent['action'],
+        beforeState: { status: 'open' },
+        afterState: { status: 'ignored', reason_code: 'not_used' },
+      })
+    );
+
+    expect(details).toEqual([
+      { label: 'State', value: 'Dismissed', previousValue: 'Open' },
+      { label: 'Reason', value: 'Vulnerable code is not used' },
+    ]);
+  });
+
+  it('presents successful structured analysis without unrelated triage confidence', () => {
+    const details = getAuditEventDetails(
+      event({
+        action: 'security.finding.analysis_completed' as SecurityAgentAuditReportEvent['action'],
+        afterState: {
+          analysis_status: 'completed',
+          structured_extraction_status: 'succeeded',
+          is_exploitable: false,
+          suggested_action: 'dismiss',
+          confidence: 'low',
+        },
+      })
+    );
+
+    expect(details).toEqual([
+      { label: 'Exploitability', value: 'Not exploitable' },
+      { label: 'Recommended next step', value: 'Dismiss finding' },
+    ]);
+  });
+
+  it('presents a structured extraction failure without claiming an exploitability result', () => {
+    const details = getAuditEventDetails(
+      event({
+        action: 'security.finding.analysis_completed' as SecurityAgentAuditReportEvent['action'],
+        afterState: {
+          analysis_status: 'completed',
+          structured_extraction_status: 'failed',
+          is_exploitable: 'unknown',
+          suggested_action: 'manual_review',
+          confidence: 'low',
+        },
+      })
+    );
+
+    expect(details).toEqual([
+      { label: 'Structured result', value: 'Unavailable' },
+      { label: 'Recommended next step', value: 'Manual review' },
+    ]);
+  });
+
+  it('presents remediation requests without raw state and evidence groups', () => {
+    const details = getAuditEventDetails(
+      event({
+        action: 'security.remediation.queued' as SecurityAgentAuditReportEvent['action'],
+        afterState: { remediation_status: 'queued', attempt_number: 1 },
+        metadata: { origin: 'manual' },
+      })
+    );
+
+    expect(details).toEqual([
+      { label: 'Attempt', value: '1' },
+      { label: 'Requested', value: 'Manually' },
+    ]);
+  });
+
+  it('presents pull request outcomes with one safe link and useful status', () => {
+    const details = getAuditEventDetails(
+      event({
+        action: 'security.remediation.pr_opened' as SecurityAgentAuditReportEvent['action'],
+        beforeState: { remediation_status: 'running' },
+        afterState: { remediation_status: 'pr_opened', pr_number: 5, pr_draft: false },
+        metadata: {
+          origin: 'manual',
+          pr_url: 'https://github.com/kilo/repo/pull/5',
+          validation_count: 1,
+        },
+      })
+    );
+
+    expect(details).toEqual([
+      {
+        label: 'Pull request',
+        value: '#5',
+        href: 'https://github.com/kilo/repo/pull/5',
+      },
+      { label: 'Review state', value: 'Ready for review' },
+      { label: 'Validation checks', value: '1' },
+    ]);
+  });
+});
diff --git a/apps/web/src/components/security-agent/SecurityAuditReportPage.tsx b/apps/web/src/components/security-agent/SecurityAuditReportPage.tsx
new file mode 100644
index 000000000..715eabce8
--- /dev/null
+++ b/apps/web/src/components/security-agent/SecurityAuditReportPage.tsx
@@ -0,0 +1,1549 @@
+'use client';
+
+import { useSearchParams } from 'next/navigation';
+import React, { type FormEvent, type ReactNode, useState } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import { differenceInCalendarDays, format as formatCalendarDateLabel } from 'date-fns';
+import {
+  Activity,
+  Brain,
+  CalendarDays,
+  CheckCircle2,
+  CircleDot,
+  ExternalLink,
+  FileClock,
+  GitMerge,
+  GitPullRequest,
+  Info,
+  Loader2,
+  RefreshCw,
+  ShieldCheck,
+  Trash2,
+  TriangleAlert,
+  UserRound,
+  XCircle,
+  type LucideIcon,
+} from 'lucide-react';
+import type { DateRange as DayPickerDateRange } from 'react-day-picker';
+import {
+  Accordion,
+  AccordionContent,
+  AccordionItem,
+  AccordionTrigger,
+} from '@/components/ui/accordion';
+import { Alert, AlertDescription, AlertTitle } from '@/components/ui/alert';
+import { Badge } from '@/components/ui/badge';
+import { Button } from '@/components/ui/button';
+import { Calendar } from '@/components/ui/calendar';
+import { Popover, PopoverContent, PopoverTrigger } from '@/components/ui/popover';
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from '@/components/ui/select';
+import { Skeleton } from '@/components/ui/skeleton';
+import { Tooltip, TooltipContent, TooltipTrigger } from '@/components/ui/tooltip';
+import { useTRPC } from '@/lib/trpc/utils';
+import { cn } from '@/lib/utils';
+import { useSecurityAgent } from './SecurityAgentContext';
+import { SecurityAgentActionBar, SecurityAgentActionBarField } from './SecurityAgentActionBar';
+import { SeverityBadge } from './SeverityBadge';
+import type {
+  SecurityAgentAuditReport,
+  SecurityAgentAuditReportEvent,
+  SecurityFindingAuditSection,
+} from '@/lib/security-agent/db/security-audit-report';
+
+type DateRange = {
+  startDate: string;
+  endDate: string;
+};
+
+type AuditReportSeverityFilter = 'all' | 'critical' | 'high' | 'medium' | 'low';
+type AuditReportStateFilter = 'all' | 'open' | 'fixed' | 'ignored' | 'superseded' | 'deleted';
+
+export type AuditReportFilters = {
+  severity: AuditReportSeverityFilter;
+  state: AuditReportStateFilter;
+  repository: string | null;
+};
+
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low'] as const;
+const FINDING_SUPERSEDED_ACTION = 'security.finding.superseded';
+const MAX_AUDIT_REPORT_DAYS = 90;
+const MAX_AUDIT_REPORT_RANGE_NIGHTS = MAX_AUDIT_REPORT_DAYS - 1;
+const ALL_AUDIT_REPORT_FILTERS: AuditReportFilters = {
+  severity: 'all',
+  state: 'all',
+  repository: null,
+};
+
+type Tone = 'success' | 'warning' | 'destructive' | 'neutral';
+type FindingDisplayState = 'open' | 'fixed' | 'dismissed' | 'superseded' | 'deleted' | 'unknown';
+
+type EventPresentation = {
+  icon: LucideIcon;
+  tone: Tone;
+};
+
+const toneStyles = {
+  success: {
+    status: 'border-status-success-border bg-status-success-surface text-status-success',
+    icon: 'bg-status-success-surface text-status-success-icon ring-status-success-border',
+    text: 'text-status-success',
+  },
+  warning: {
+    status: 'border-status-warning-border bg-status-warning-surface text-status-warning',
+    icon: 'bg-status-warning-surface text-status-warning-icon ring-status-warning-border',
+    text: 'text-status-warning',
+  },
+  destructive: {
+    status:
+      'border-status-destructive-border bg-status-destructive-surface text-status-destructive',
+    icon: 'bg-status-destructive-surface text-status-destructive-icon ring-status-destructive-border',
+    text: 'text-status-destructive',
+  },
+  neutral: {
+    status: 'border-status-neutral-border bg-status-neutral-surface text-status-neutral',
+    icon: 'bg-status-neutral-surface text-status-neutral-icon ring-status-neutral-border',
+    text: 'text-status-neutral',
+  },
+} satisfies Record<Tone, { status: string; icon: string; text: string }>;
+
+const findingStateConfig = {
+  open: { label: 'Open', tone: 'neutral', icon: CircleDot },
+  fixed: { label: 'Fixed', tone: 'success', icon: CheckCircle2 },
+  dismissed: { label: 'Dismissed', tone: 'neutral', icon: XCircle },
+  superseded: { label: 'Superseded', tone: 'neutral', icon: GitMerge },
+  deleted: { label: 'Deleted', tone: 'neutral', icon: Trash2 },
+  unknown: { label: 'Unknown', tone: 'neutral', icon: CircleDot },
+} satisfies Record<FindingDisplayState, { label: string; tone: Tone; icon: LucideIcon }>;
+
+const REPORT_DATE_FORMATTER = new Intl.DateTimeFormat('en', {
+  year: 'numeric',
+  month: 'short',
+  day: 'numeric',
+  timeZone: 'UTC',
+});
+const REPORT_DATE_TIME_FORMATTER = new Intl.DateTimeFormat('en', {
+  year: 'numeric',
+  month: 'short',
+  day: 'numeric',
+  hour: '2-digit',
+  minute: '2-digit',
+  timeZone: 'UTC',
+  timeZoneName: 'short',
+});
+const REPORT_DATE_TIME_24_HOUR_FORMATTER = new Intl.DateTimeFormat('en', {
+  year: 'numeric',
+  month: 'short',
+  day: 'numeric',
+  hour: '2-digit',
+  minute: '2-digit',
+  hourCycle: 'h23',
+  timeZone: 'UTC',
+  timeZoneName: 'short',
+});
+const AUDIT_EVENT_TIME_FORMATTER = new Intl.DateTimeFormat('en-GB', {
+  hour: '2-digit',
+  minute: '2-digit',
+  hourCycle: 'h23',
+  timeZone: 'UTC',
+  timeZoneName: 'short',
+});
+
+export function hasSecurityAgentAuditReportOwnerContext(
+  isOrg: boolean,
+  organizationId: string | undefined
+): boolean {
+  return !isOrg || Boolean(organizationId);
+}
+
+export function SecurityAuditReportPage() {
+  const trpc = useTRPC();
+  const searchParams = useSearchParams();
+  const { isOrg, organizationId } = useSecurityAgent();
+  const requestedRange = {
+    startDate: searchParams.get('startDate') ?? '',
+    endDate: searchParams.get('endDate') ?? '',
+  };
+  const initialRange = isValidAuditReportDateRange(requestedRange)
+    ? requestedRange
+    : getDefaultAuditReportDateRange();
+  const initialFilters = parseAuditReportFilters(searchParams);
+  const [draftRange, setDraftRange] = useState<DayPickerDateRange | undefined>(() =>
+    toDayPickerDateRange(initialRange)
+  );
+  const [submittedRange, setSubmittedRange] = useState<DateRange>(initialRange);
+  const [draftFilters, setDraftFilters] = useState<AuditReportFilters>(initialFilters);
+  const [submittedFilters, setSubmittedFilters] = useState<AuditReportFilters>(initialFilters);
+  const [isRangePickerOpen, setIsRangePickerOpen] = useState(false);
+  const completeDraftRange = toAuditReportDateRange(draftRange);
+  const latestSelectableDate = utcDateAsLocalCalendarDate(new Date());
+  const hasOwnerContext = hasSecurityAgentAuditReportOwnerContext(isOrg, organizationId);
+
+  const queryOptions = isOrg
+    ? trpc.organizations.securityAgent.getAuditReport.queryOptions({
+        organizationId: organizationId ?? '',
+        ...submittedRange,
+      })
+    : trpc.securityAgent.getAuditReport.queryOptions(submittedRange);
+
+  const {
+    data: reportQueryData,
+    isFetching: isReportFetching,
+    isLoading: isReportLoading,
+    isError: isReportError,
+  } = useQuery({
+    ...queryOptions,
+    enabled: hasOwnerContext,
+  });
+
+  const unfilteredReport = reportQueryData?.status === 'ok' ? reportQueryData.report : null;
+  const repositoryOptions = getAuditReportRepositoryOptions(unfilteredReport?.findings ?? []);
+  const effectiveDraftFilters = unfilteredReport
+    ? normalizeAuditReportRepositoryFilter(draftFilters, repositoryOptions)
+    : draftFilters;
+  const effectiveSubmittedFilters = unfilteredReport
+    ? normalizeAuditReportRepositoryFilter(submittedFilters, repositoryOptions)
+    : submittedFilters;
+  const report = unfilteredReport
+    ? filterSecurityAgentAuditReport(unfilteredReport, effectiveSubmittedFilters)
+    : null;
+
+  function handleGenerateReport(event: FormEvent<HTMLFormElement>) {
+    event.preventDefault();
+    if (!completeDraftRange) return;
+    setSubmittedRange(completeDraftRange);
+    setDraftFilters(effectiveDraftFilters);
+    setSubmittedFilters(effectiveDraftFilters);
+  }
+
+  function handleDateRangeSelect(nextRange: DayPickerDateRange | undefined) {
+    if (nextRange?.from && nextRange.to && !isWithinAuditReportRangeLimit(nextRange)) return;
+    setDraftRange(nextRange);
+    if (nextRange?.from && nextRange.to) setIsRangePickerOpen(false);
+  }
+
+  function handleClearFilters() {
+    setDraftFilters(ALL_AUDIT_REPORT_FILTERS);
+    setSubmittedFilters(ALL_AUDIT_REPORT_FILTERS);
+  }
+
+  return (
+    <div className="space-y-6">
+      {!hasOwnerContext && (
+        <div className="text-muted-foreground type-body flex items-center justify-center gap-2 py-16">
+          <Loader2 className="size-6 animate-spin motion-reduce:animate-none" aria-hidden="true" />
+          Loading audit report...
+        </div>
+      )}
+
+      {hasOwnerContext && (
+        <>
+          <SecurityAgentActionBar label="Audit report filters" asChild>
+            <form onSubmit={handleGenerateReport}>
+              <div className="grid gap-3 md:grid-cols-2 xl:grid-cols-[minmax(18rem,2fr)_minmax(9rem,1fr)_minmax(9rem,1fr)_minmax(13rem,1.3fr)_auto] xl:items-end">
+                <SecurityAgentActionBarField
+                  id="audit-report-date-range"
+                  label="Report period"
+                  className="md:col-span-2 xl:col-span-1"
+                >
+                  <Popover open={isRangePickerOpen} onOpenChange={setIsRangePickerOpen}>
+                    <PopoverTrigger asChild>
+                      <Button
+                        id="audit-report-date-range"
+                        type="button"
+                        variant="outline"
+                        aria-invalid={Boolean(draftRange?.from && !completeDraftRange)}
+                        className="type-body min-h-11 w-full justify-start text-left font-normal sm:min-h-9"
+                      >
+                        <CalendarDays aria-hidden="true" />
+                        <span className="truncate">{formatDayPickerDateRange(draftRange)}</span>
+                      </Button>
+                    </PopoverTrigger>
+                    <PopoverContent
+                      align="start"
+                      sideOffset={6}
+                      className="max-h-[calc(100vh-2rem)] w-auto max-w-[calc(100vw-2rem)] overflow-y-auto p-0"
+                    >
+                      <Calendar
+                        mode="range"
+                        selected={draftRange}
+                        onSelect={handleDateRangeSelect}
+                        defaultMonth={draftRange?.from}
+                        numberOfMonths={2}
+                        max={MAX_AUDIT_REPORT_RANGE_NIGHTS}
+                        disabled={{ after: latestSelectableDate }}
+                        excludeDisabled
+                        autoFocus
+                      />
+                      <p className="border-border text-muted-foreground type-label border-t px-3 py-2">
+                        Report periods can include up to {MAX_AUDIT_REPORT_DAYS} calendar days.
+                      </p>
+                    </PopoverContent>
+                  </Popover>
+                </SecurityAgentActionBarField>
+
+                <SecurityAgentActionBarField id="audit-report-severity" label="Severity">
+                  <Select
+                    value={draftFilters.severity}
+                    onValueChange={severity =>
+                      setDraftFilters(current => ({
+                        ...current,
+                        severity: parseAuditReportSeverityFilter(severity),
+                      }))
+                    }
+                  >
+                    <SelectTrigger
+                      id="audit-report-severity"
+                      className="min-h-11 w-full sm:min-h-9"
+                    >
+                      <SelectValue />
+                    </SelectTrigger>
+                    <SelectContent>
+                      <SelectItem value="all">All severities</SelectItem>
+                      <SelectItem value="critical">Critical</SelectItem>
+                      <SelectItem value="high">High</SelectItem>
+                      <SelectItem value="medium">Medium</SelectItem>
+                      <SelectItem value="low">Low</SelectItem>
+                    </SelectContent>
+                  </Select>
+                </SecurityAgentActionBarField>
+
+                <SecurityAgentActionBarField id="audit-report-state" label="Recorded state">
+                  <Select
+                    value={draftFilters.state}
+                    onValueChange={state =>
+                      setDraftFilters(current => ({
+                        ...current,
+                        state: parseAuditReportStateFilter(state),
+                      }))
+                    }
+                  >
+                    <SelectTrigger id="audit-report-state" className="min-h-11 w-full sm:min-h-9">
+                      <SelectValue />
+                    </SelectTrigger>
+                    <SelectContent>
+                      <SelectItem value="all">All states</SelectItem>
+                      <SelectItem value="open">Open</SelectItem>
+                      <SelectItem value="fixed">Fixed</SelectItem>
+                      <SelectItem value="ignored">Dismissed</SelectItem>
+                      <SelectItem value="superseded">Superseded</SelectItem>
+                      <SelectItem value="deleted">Deleted</SelectItem>
+                    </SelectContent>
+                  </Select>
+                </SecurityAgentActionBarField>
+
+                <SecurityAgentActionBarField id="audit-report-repository" label="Repository">
+                  <Select
+                    value={effectiveDraftFilters.repository ?? 'all'}
+                    onValueChange={repository =>
+                      setDraftFilters(current => ({
+                        ...current,
+                        repository: parseAuditReportRepositoryFilter(repository),
+                      }))
+                    }
+                  >
+                    <SelectTrigger
+                      id="audit-report-repository"
+                      className="min-h-11 w-full sm:min-h-9"
+                    >
+                      <SelectValue placeholder="All repositories" />
+                    </SelectTrigger>
+                    <SelectContent>
+                      <SelectItem value="all">All repositories</SelectItem>
+                      {repositoryOptions.map(repository => (
+                        <SelectItem key={repository} value={repository}>
+                          {repository}
+                        </SelectItem>
+                      ))}
+                    </SelectContent>
+                  </Select>
+                </SecurityAgentActionBarField>
+
+                <Button
+                  type="submit"
+                  disabled={isReportFetching || !completeDraftRange}
+                  className="min-h-11 w-full self-end sm:min-h-9 xl:w-fit"
+                >
+                  <RefreshCw
+                    className={cn(isReportFetching && 'animate-spin motion-reduce:animate-none')}
+                    aria-hidden="true"
+                  />
+                  {isReportFetching ? 'Generating report...' : 'Generate report'}
+                </Button>
+              </div>
+            </form>
+          </SecurityAgentActionBar>
+        </>
+      )}
+
+      {hasOwnerContext && isReportLoading && <AuditReportSkeleton />}
+
+      {hasOwnerContext && isReportError && (
+        <Alert variant="destructive">
+          <TriangleAlert aria-hidden="true" />
+          <AlertTitle>Audit report could not be loaded</AlertTitle>
+          <AlertDescription>
+            Kilo did not return partial report content. Check your connection and generate the
+            report again.
+          </AlertDescription>
+        </Alert>
+      )}
+
+      {hasOwnerContext && reportQueryData?.status === 'query_failed' && (
+        <Alert variant="warning">
+          <TriangleAlert aria-hidden="true" />
+          <AlertTitle>Report query did not finish</AlertTitle>
+          <AlertDescription>
+            Kilo did not return partial report content. Choose a shorter UTC period and generate the
+            report again.
+          </AlertDescription>
+        </Alert>
+      )}
+
+      {hasOwnerContext && report && unfilteredReport && (
+        <AuditReportView
+          report={report}
+          provenanceReport={unfilteredReport}
+          totalFindingCount={unfilteredReport.summary.findingCount}
+          hasActiveFilters={hasActiveAuditReportFilters(effectiveSubmittedFilters)}
+          onClearFilters={handleClearFilters}
+        />
+      )}
+    </div>
+  );
+}
+
+function AuditReportView({
+  report,
+  provenanceReport,
+  totalFindingCount,
+  hasActiveFilters,
+  onClearFilters,
+}: {
+  report: SecurityAgentAuditReport;
+  provenanceReport: SecurityAgentAuditReport;
+  totalFindingCount: number;
+  hasActiveFilters: boolean;
+  onClearFilters: () => void;
+}) {
+  return (
+    <div className="space-y-6">
+      <AuditReportProvenance report={provenanceReport} />
+      <ReportSummary report={report} />
+
+      {report.findings.length === 0 ? (
+        <AuditReportEmptyState
+          startDate={formatDate(report.period.start)}
+          endDate={formatDate(report.period.displayEnd)}
+          hasActiveFilters={hasActiveFilters}
+          onClearFilters={onClearFilters}
+        />
+      ) : (
+        <FindingTimelineList findings={report.findings} totalFindingCount={totalFindingCount} />
+      )}
+    </div>
+  );
+}
+
+export function getAuditReportProvenance(report: SecurityAgentAuditReport) {
+  const startsBeforeReliableCoverage =
+    Date.parse(report.period.start) < Date.parse(report.reliableCoverageStart);
+  let warning: string | null = null;
+
+  if (startsBeforeReliableCoverage && report.hasLegacySupplementalActivity) {
+    warning =
+      'This period starts before reliable event coverage, and supplemental legacy activity may be incomplete.';
+  } else if (startsBeforeReliableCoverage) {
+    warning = 'Activity before reliable event coverage may be incomplete.';
+  } else if (report.hasLegacySupplementalActivity) {
+    warning = 'Supplemental legacy activity may be incomplete.';
+  }
+
+  return {
+    evidence: {
+      recorded_by_kilo: 'Security Finding activity recorded by Kilo.',
+    }[report.evidenceBasis],
+    dataThrough: formatReportDateTime(report.dataThrough),
+    reliableCoverageStart: formatReportDateTime(report.reliableCoverageStart),
+    warning,
+  };
+}
+
+export function AuditReportProvenance({ report }: { report: SecurityAgentAuditReport }) {
+  const provenance = getAuditReportProvenance(report);
+
+  return (
+    <section
+      className="border-border bg-surface-inset rounded-lg border px-4 py-3"
+      aria-labelledby="report-provenance-title"
+    >
+      <div className="flex items-start gap-3">
+        <Info className="text-muted-foreground mt-0.5 size-4 shrink-0" aria-hidden="true" />
+        <div className="min-w-0 flex-1">
+          <h2 id="report-provenance-title" className="type-label text-foreground">
+            Report provenance
+          </h2>
+          <p className="text-muted-foreground type-body mt-0.5">{provenance.evidence}</p>
+          <dl className="text-muted-foreground type-label mt-2 flex flex-wrap gap-x-5 gap-y-1">
+            <div className="flex flex-wrap gap-x-1.5">
+              <dt>Data cutoff</dt>
+              <dd className="text-foreground tabular-nums">
+                <time dateTime={report.dataThrough}>{provenance.dataThrough}</time>
+              </dd>
+            </div>
+            <div className="flex flex-wrap gap-x-1.5">
+              <dt>Reliable coverage starts</dt>
+              <dd className="text-foreground tabular-nums">
+                <time dateTime={report.reliableCoverageStart}>
+                  {provenance.reliableCoverageStart}
+                </time>
+              </dd>
+            </div>
+          </dl>
+          {provenance.warning && (
+            <p className="text-status-warning type-label mt-2 flex items-start gap-1.5">
+              <TriangleAlert className="mt-px size-3.5 shrink-0" aria-hidden="true" />
+              <span>{provenance.warning}</span>
+            </p>
+          )}
+        </div>
+      </div>
+    </section>
+  );
+}
+
+function ReportSummary({ report }: { report: SecurityAgentAuditReport }) {
+  const metrics = [
+    { label: 'Findings', value: report.summary.findingCount },
+    { label: 'Events', value: report.summary.activityCount },
+    {
+      label: 'Superseded',
+      value: report.summary.byAction[FINDING_SUPERSEDED_ACTION] ?? 0,
+    },
+    ...SEVERITY_ORDER.map(severity => ({
+      label: titleCase(severity),
+      value: report.summary.bySeverity[severity],
+    })),
+  ];
+
+  return (
+    <section
+      className="border-border bg-surface-raised overflow-hidden rounded-xl border"
+      aria-labelledby="report-summary-title"
+    >
+      <div className="border-border border-b px-4 py-3 sm:px-5">
+        <h2 id="report-summary-title" className="type-body font-medium">
+          Report summary
+        </h2>
+      </div>
+      <div className="grid grid-cols-2 sm:grid-cols-4 lg:grid-cols-7">
+        {metrics.map(metric => (
+          <div
+            key={metric.label}
+            className="border-border min-w-0 border-r border-b px-4 py-4 last:border-r-0 sm:[&:nth-child(4n)]:border-r-0 lg:border-b-0 lg:[&:nth-child(4n)]:border-r lg:[&:nth-child(7n)]:border-r-0"
+          >
+            <div className="text-2xl font-semibold tabular-nums">
+              {metric.value.toLocaleString()}
+            </div>
+            <div className="text-muted-foreground type-label mt-1">{metric.label}</div>
+          </div>
+        ))}
+      </div>
+    </section>
+  );
+}
+
+function AuditReportEmptyState({
+  startDate,
+  endDate,
+  hasActiveFilters,
+  onClearFilters,
+}: {
+  startDate: string;
+  endDate: string;
+  hasActiveFilters: boolean;
+  onClearFilters: () => void;
+}) {
+  return (
+    <section className="border-border bg-surface-raised flex items-start gap-4 rounded-xl border p-5 sm:p-6">
+      <div className="bg-surface-overlay text-muted-foreground flex size-10 shrink-0 items-center justify-center rounded-lg">
+        <FileClock className="size-5" aria-hidden="true" />
+      </div>
+      <div className="min-w-0">
+        <h2 className="type-heading">
+          {hasActiveFilters ? 'No findings match selected filters' : 'No recorded activity'}
+        </h2>
+        <p className="text-muted-foreground type-body mt-1 max-w-[65ch]">
+          {hasActiveFilters
+            ? 'No Security Finding groups in this report match the selected severity, state, and repository.'
+            : `Kilo has no reportable Security Finding activity from ${startDate} to ${endDate}.`}
+        </p>
+        {hasActiveFilters && (
+          <Button type="button" variant="outline" className="mt-4" onClick={onClearFilters}>
+            Clear filters
+          </Button>
+        )}
+      </div>
+    </section>
+  );
+}
+
+function FindingTimelineList({
+  findings,
+  totalFindingCount,
+}: {
+  findings: SecurityFindingAuditSection[];
+  totalFindingCount: number;
+}) {
+  return (
+    <section className="space-y-3" aria-label="Finding activity">
+      <div className="flex flex-col gap-1 sm:flex-row sm:items-end sm:justify-between">
+        <p className="text-muted-foreground type-body">
+          Expand a Security Finding to review its complete in-period timeline.
+        </p>
+        <p className="text-muted-foreground type-code tabular-nums">
+          Showing {findings.length.toLocaleString()} of {totalFindingCount.toLocaleString()}
+        </p>
+      </div>
+
+      <div className="border-border bg-surface-raised overflow-hidden rounded-xl border">
+        <div
+          className="border-border bg-surface-inset text-muted-foreground type-label hidden grid-cols-[minmax(0,1fr)_9rem_11rem] gap-4 border-b py-2.5 pr-4 pl-11 lg:grid"
+          aria-hidden="true"
+        >
+          <span>Security Finding</span>
+          <span>Recorded state</span>
+          <span>Latest activity</span>
+        </div>
+        <Accordion type="multiple">
+          {findings.map(finding => (
+            <AccordionItem
+              key={finding.findingId}
+              value={finding.findingId}
+              className="[&>[data-slot=accordion-content]]:mt-0"
+            >
+              <AccordionTrigger className="hover:bg-surface-hover data-[state=open]:bg-surface-selected min-h-control-touch items-center rounded-none px-4 py-3 hover:no-underline [&>svg]:translate-y-0">
+                <FindingSummary finding={finding} />
+              </AccordionTrigger>
+              <AccordionContent className="border-border bg-surface-inset border-t px-4 py-5 sm:px-5 sm:py-6">
+                <FindingDetails finding={finding} />
+              </AccordionContent>
+            </AccordionItem>
+          ))}
+        </Accordion>
+      </div>
+    </section>
+  );
+}
+
+function FindingSummary({ finding }: { finding: SecurityFindingAuditSection }) {
+  const latestEvent = finding.events[finding.events.length - 1];
+  const eventCountLabel = `${finding.events.length.toLocaleString()} ${finding.events.length === 1 ? 'event' : 'events'}`;
+
+  return (
+    <div className="grid min-w-0 flex-1 grid-cols-[minmax(0,1fr)_auto] gap-x-4 gap-y-3 lg:grid-cols-[minmax(0,1fr)_9rem_11rem] lg:items-center lg:gap-4">
+      <div className="col-span-2 min-w-0 lg:col-span-1">
+        <div className="flex min-w-0 items-center gap-3">
+          <div className="flex w-20 shrink-0 items-center">
+            {finding.severity === 'unknown' ? (
+              <Badge variant="outline">Unknown</Badge>
+            ) : (
+              <SeverityBadge severity={finding.severity} size="sm" />
+            )}
+          </div>
+          <div className="min-w-0">
+            <div className="type-body break-words font-medium">{finding.title}</div>
+          </div>
+        </div>
+      </div>
+
+      <div className="col-start-1 row-start-2 lg:col-start-2 lg:row-start-1">
+        <FindingStateBadge finding={finding} />
+      </div>
+
+      <div className="col-start-2 row-start-2 min-w-0 text-right lg:col-start-3 lg:row-start-1 lg:text-left">
+        {latestEvent && (
+          <div className="type-label truncate text-foreground">{latestEvent.label}</div>
+        )}
+        <div className="text-muted-foreground type-label mt-0.5 tabular-nums">
+          {latestEvent ? (
+            <time dateTime={latestEvent.occurredAt}>{formatDate(latestEvent.occurredAt)}</time>
+          ) : (
+            'No activity'
+          )}
+          <span aria-hidden="true"> · </span>
+          <span>{eventCountLabel}</span>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function FindingStateBadge({ finding }: { finding: SecurityFindingAuditSection }) {
+  const state = getFindingDisplayState(finding);
+  const config = findingStateConfig[state];
+  const Icon = config.icon;
+
+  return (
+    <span
+      className={cn(
+        'type-label inline-flex items-center gap-1.5 rounded-full border px-2.5 py-1',
+        toneStyles[config.tone].status
+      )}
+    >
+      <Icon className="size-3.5" aria-hidden="true" />
+      {config.label}
+    </span>
+  );
+}
+
+function FindingDetails({ finding }: { finding: SecurityFindingAuditSection }) {
+  return (
+    <div className="grid gap-6 lg:grid-cols-[minmax(0,1fr)_17rem] lg:gap-8">
+      <div className="min-w-0">
+        <div className="mb-5 flex items-center justify-between gap-4">
+          <h3 className="type-body font-medium">Chronological activity</h3>
+          <span className="text-muted-foreground type-label">UTC</span>
+        </div>
+        <ol>
+          {finding.events.map((event, index) => (
+            <AuditEventRow
+              key={event.id}
+              event={event}
+              isLast={index === finding.events.length - 1}
+            />
+          ))}
+        </ol>
+      </div>
+      <FindingMetadata finding={finding} />
+    </div>
+  );
+}
+
+function FindingMetadata({ finding }: { finding: SecurityFindingAuditSection }) {
+  const advisoryReferences = [finding.cveId, finding.ghsaId].filter((value): value is string =>
+    Boolean(value)
+  );
+  const repositoryHref = getAuditReportRepositoryHref(finding.repository);
+  const sourceHref =
+    finding.dependabotUrl && isSafeHttpUrl(finding.dependabotUrl) ? finding.dependabotUrl : null;
+  const slaTone = getSlaTone(finding.sla.status);
+
+  return (
+    <aside
+      className="border-border min-w-0 border-t pt-5 lg:border-t-0 lg:border-l lg:pt-0 lg:pl-6"
+      aria-label="Finding record"
+    >
+      <h3 className="type-body font-medium">Finding record</h3>
+      <dl className="mt-4 grid gap-4 sm:grid-cols-2 lg:grid-cols-1">
+        <MetadataItem label="Security Finding ID" value={finding.findingId} mono />
+        {finding.canonicalFindingId && (
+          <MetadataItem label="Current finding" value={finding.canonicalFindingId} mono />
+        )}
+        <MetadataItem label="Source">
+          {sourceHref ? (
+            <ExternalLinkValue href={sourceHref}>{formatFindingSource(finding)}</ExternalLinkValue>
+          ) : (
+            formatFindingSource(finding)
+          )}
+        </MetadataItem>
+        <MetadataItem label="Repository">
+          {repositoryHref ? (
+            <ExternalLinkValue href={repositoryHref}>
+              {finding.repository ?? 'Not recorded'}
+            </ExternalLinkValue>
+          ) : (
+            (finding.repository ?? 'Not recorded')
+          )}
+        </MetadataItem>
+        <MetadataItem label="Package" value={formatFindingPackage(finding)} />
+        <MetadataItem label="Manifest" value={finding.manifestPath ?? 'Not recorded'} mono />
+        <MetadataItem
+          label="First detected"
+          value={
+            finding.firstDetectedAt ? formatReportDateTime(finding.firstDetectedAt) : 'Unknown'
+          }
+          mono
+        />
+        <MetadataItem label="SLA status">
+          <span className={cn('type-label font-medium', toneStyles[slaTone].text)}>
+            {slaLabel(finding.sla)}
+          </span>
+        </MetadataItem>
+        <MetadataItem
+          label="SLA deadline"
+          value={finding.sla.deadline ? formatReportDateTime(finding.sla.deadline) : 'Not recorded'}
+          mono
+        />
+        <AdvisoryMetadata references={advisoryReferences} cvssScore={finding.cvssScore} />
+        <MetadataItem
+          label="Patched version"
+          value={finding.patchedVersion ?? 'Not recorded'}
+          mono
+        />
+      </dl>
+    </aside>
+  );
+}
+
+function AuditEventRow({
+  event,
+  isLast,
+}: {
+  event: SecurityAgentAuditReportEvent;
+  isLast: boolean;
+}) {
+  const presentation = getEventPresentation(event);
+  const Icon = presentation.icon;
+  const actorReference = event.actor.type === 'user' ? `user:${event.actor.id ?? 'deleted'}` : null;
+
+  return (
+    <li className="grid grid-cols-[1.75rem_minmax(0,1fr)] gap-x-3 pb-7 last:pb-0 sm:grid-cols-[7.5rem_1.75rem_minmax(0,1fr)]">
+      <time
+        dateTime={event.occurredAt}
+        className="text-muted-foreground type-label col-start-2 row-start-1 mb-2 flex flex-wrap gap-x-1.5 tabular-nums sm:col-start-1 sm:mb-0 sm:block sm:pr-1 sm:text-right"
+      >
+        <span className="sm:block">{formatDate(event.occurredAt)}</span>
+        <span className="sm:mt-0.5 sm:block">{formatAuditEventTime(event.occurredAt)}</span>
+      </time>
+
+      <div
+        className="relative col-start-1 row-span-2 row-start-1 flex justify-center sm:col-start-2"
+        aria-hidden="true"
+      >
+        {!isLast && <span className="bg-border absolute top-7 -bottom-7 w-px" />}
+        <span
+          className={cn(
+            'relative flex size-7 items-center justify-center rounded-full ring-1',
+            toneStyles[presentation.tone].icon
+          )}
+        >
+          <Icon className="size-3.5" />
+        </span>
+      </div>
+
+      <div className="col-start-2 row-start-2 min-w-0 sm:col-start-3 sm:row-span-2 sm:row-start-1">
+        <div className="flex flex-wrap items-center gap-2">
+          <h4 className="type-body font-medium">{event.label}</h4>
+          {event.legacySupplemental && (
+            <Tooltip>
+              <TooltipTrigger asChild>
+                <button
+                  type="button"
+                  aria-label="Legacy event information"
+                  className="border-border bg-surface-overlay text-muted-foreground focus-visible:ring-ring type-label inline-flex items-center gap-1 rounded-full border px-2 py-0.5 outline-none focus-visible:ring-[3px]"
+                >
+                  <Info className="size-3" aria-hidden="true" />
+                  Legacy
+                </button>
+              </TooltipTrigger>
+              <TooltipContent className="max-w-72">
+                This event comes from an older record mapped to this finding. Earlier activity may
+                be incomplete.
+              </TooltipContent>
+            </Tooltip>
+          )}
+        </div>
+        <div className="text-muted-foreground type-label mt-1 flex flex-wrap gap-x-2 gap-y-1">
+          <span>{event.actor.displayName}</span>
+          {actorReference && <code className="type-code">{actorReference}</code>}
+        </div>
+        <EventDetails event={event} />
+      </div>
+    </li>
+  );
+}
+
+function getFindingDisplayState(finding: SecurityFindingAuditSection): FindingDisplayState {
+  if (finding.deleted) return 'deleted';
+  if (finding.canonicalFindingId) return 'superseded';
+  if (finding.status === 'open') return 'open';
+  if (finding.status === 'fixed') return 'fixed';
+  if (finding.status === 'ignored' || finding.status === 'dismissed') return 'dismissed';
+  return 'unknown';
+}
+
+function getSlaTone(status: SecurityFindingAuditSection['sla']['status']): Tone {
+  if (status === 'terminal_met') return 'success';
+  if (status === 'terminal_missed' || status === 'open_past_deadline') return 'destructive';
+  if (status === 'open_within_deadline') return 'warning';
+  return 'neutral';
+}
+
+function getEventPresentation(event: SecurityAgentAuditReportEvent): EventPresentation {
+  switch (event.action) {
+    case 'security.finding.severity_changed':
+      return { icon: TriangleAlert, tone: 'warning' };
+    case 'security.finding.status_change':
+      return event.afterState?.status === 'fixed'
+        ? { icon: CheckCircle2, tone: 'success' }
+        : { icon: XCircle, tone: 'neutral' };
+    case 'security.finding.dismissed':
+    case 'security.finding.auto_dismissed':
+      return { icon: XCircle, tone: 'neutral' };
+    case 'security.finding.superseded':
+      return { icon: GitMerge, tone: 'neutral' };
+    case 'security.finding.analysis_completed':
+      if (event.afterState?.is_exploitable === true) return { icon: Brain, tone: 'destructive' };
+      if (event.afterState?.is_exploitable === false) return { icon: Brain, tone: 'success' };
+      return { icon: Brain, tone: 'warning' };
+    case 'security.finding.analysis_failed':
+    case 'security.remediation.failed':
+      return { icon: XCircle, tone: 'destructive' };
+    case 'security.remediation.queued':
+      return { icon: event.actor.type === 'user' ? UserRound : Activity, tone: 'neutral' };
+    case 'security.remediation.pr_opened':
+      return { icon: GitPullRequest, tone: 'success' };
+    case 'security.remediation.blocked':
+      return { icon: TriangleAlert, tone: 'warning' };
+    case 'security.remediation.no_changes_needed':
+      return { icon: ShieldCheck, tone: 'success' };
+    case 'security.remediation.cancelled':
+      return { icon: XCircle, tone: 'neutral' };
+    case 'security.finding.deleted':
+      return { icon: Trash2, tone: 'neutral' };
+    default:
+      return { icon: Activity, tone: 'neutral' };
+  }
+}
+
+export type AuditEventDetail = {
+  label: string;
+  value: string;
+  previousValue?: string;
+  href?: string;
+};
+
+function eventDetail(
+  label: string,
+  value: unknown,
+  fieldKey: string,
+  previousValue?: unknown
+): AuditEventDetail | null {
+  if (value === null || value === undefined || value === '') return null;
+  const detail: AuditEventDetail = {
+    label,
+    value: formatEvidenceScalar(value, fieldKey),
+  };
+  if (previousValue !== null && previousValue !== undefined && previousValue !== '') {
+    const previousLabel = formatEvidenceScalar(previousValue, fieldKey);
+    if (previousLabel !== detail.value) detail.previousValue = previousLabel;
+  }
+  return detail;
+}
+
+function presentEventDetails(
+  details: Array<AuditEventDetail | null | undefined>
+): AuditEventDetail[] {
+  return details.filter((detail): detail is AuditEventDetail => Boolean(detail));
+}
+
+export function getAuditEventDetails(event: SecurityAgentAuditReportEvent): AuditEventDetail[] {
+  const before = event.beforeState ?? {};
+  const after = event.afterState ?? {};
+  const metadata = event.metadata ?? {};
+
+  switch (event.action) {
+    case 'security.finding.created':
+      return presentEventDetails([
+        eventDetail('Severity', after.severity, 'severity'),
+        eventDetail('State', after.status, 'status'),
+        eventDetail('Dependabot alert', metadata.source_alert_number, 'source_alert_number'),
+      ]);
+    case 'security.finding.severity_changed':
+      return presentEventDetails([
+        eventDetail('Severity', after.severity, 'severity', before.severity),
+      ]);
+    case 'security.finding.status_change':
+      return presentEventDetails([
+        eventDetail('State', after.status, 'status', before.status),
+        eventDetail('Fixed', after.fixed_at, 'fixed_at'),
+      ]);
+    case 'security.finding.dismissed':
+    case 'security.finding.auto_dismissed':
+    case 'security.finding.superseded':
+      return presentEventDetails([
+        eventDetail('State', after.status, 'status', before.status),
+        eventDetail('Reason', after.reason_code ?? metadata.reason_code, 'reason_code'),
+      ]);
+    case 'security.finding.analysis_completed': {
+      const structuredExtractionStatus = after.structured_extraction_status;
+      const structuredExtractionFailed = structuredExtractionStatus === 'failed';
+      return presentEventDetails([
+        structuredExtractionFailed
+          ? eventDetail(
+              'Structured result',
+              structuredExtractionStatus,
+              'structured_extraction_status'
+            )
+          : eventDetail('Exploitability', after.is_exploitable, 'is_exploitable'),
+        eventDetail('Recommended next step', after.suggested_action, 'suggested_action'),
+        eventDetail(
+          'Confidence',
+          structuredExtractionStatus === undefined ? after.confidence : undefined,
+          'confidence'
+        ),
+      ]);
+    }
+    case 'security.finding.analysis_failed':
+      return presentEventDetails([eventDetail('Reason', metadata.failure_code, 'failure_code')]);
+    case 'security.remediation.queued':
+      return presentEventDetails([
+        eventDetail('Attempt', after.attempt_number, 'attempt_number'),
+        eventDetail('Requested', metadata.origin, 'origin'),
+      ]);
+    case 'security.remediation.pr_opened': {
+      const pullRequest = eventDetail('Pull request', after.pr_number, 'pr_number');
+      if (pullRequest && typeof metadata.pr_url === 'string' && isSafeHttpUrl(metadata.pr_url)) {
+        pullRequest.href = metadata.pr_url;
+      }
+      return presentEventDetails([
+        pullRequest,
+        eventDetail('Review state', after.pr_draft, 'pr_draft'),
+        eventDetail('Validation checks', metadata.validation_count, 'validation_count'),
+      ]);
+    }
+    case 'security.remediation.failed':
+      return presentEventDetails([
+        eventDetail('Reason', after.failure_code ?? metadata.failure_code, 'failure_code'),
+      ]);
+    case 'security.remediation.blocked':
+      return presentEventDetails([
+        eventDetail(
+          'Reason',
+          after.blocked_reason_code ?? metadata.blocked_reason_code,
+          'blocked_reason_code'
+        ),
+      ]);
+    case 'security.finding.deleted':
+      return presentEventDetails([eventDetail('Previous state', before.status, 'status')]);
+    default:
+      return [];
+  }
+}
+
+function EventDetails({ event }: { event: SecurityAgentAuditReportEvent }) {
+  const details = getAuditEventDetails(event);
+  if (details.length === 0) return null;
+
+  return (
+    <dl className="border-border mt-3 grid gap-x-6 gap-y-3 border-t pt-3 sm:grid-cols-2 xl:grid-cols-3">
+      {details.map(detail => (
+        <div key={detail.label} className="min-w-0">
+          <dt className="text-muted-foreground type-label">{detail.label}</dt>
+          <dd
+            className={cn(
+              'type-body mt-1 break-words',
+              isMonospaceEventDetail(detail.label) && 'type-code'
+            )}
+          >
+            {detail.href ? (
+              <ExternalLinkValue href={detail.href}>{detail.value}</ExternalLinkValue>
+            ) : detail.previousValue ? (
+              <span>
+                <span className="text-muted-foreground">{detail.previousValue}</span>
+                <span className="text-muted-foreground" aria-hidden="true">
+                  {' '}
+                  →{' '}
+                </span>
+                <span className="sr-only"> changed to </span>
+                {detail.value}
+              </span>
+            ) : (
+              detail.value
+            )}
+          </dd>
+        </div>
+      ))}
+    </dl>
+  );
+}
+
+function isMonospaceEventDetail(label: string): boolean {
+  return label === 'Dependabot alert' || label === 'Pull request';
+}
+
+function MetadataItem({
+  label,
+  value,
+  mono = false,
+  children,
+}: {
+  label: string;
+  value?: string;
+  mono?: boolean;
+  children?: ReactNode;
+}) {
+  return (
+    <div className="min-w-0">
+      <dt className="text-muted-foreground type-label">{label}</dt>
+      <dd className={cn('type-body mt-1 break-words', mono && 'type-code')}>{children ?? value}</dd>
+    </div>
+  );
+}
+
+function ExternalLinkValue({ href, children }: { href: string; children: ReactNode }) {
+  return (
+    <a
+      href={href}
+      target="_blank"
+      rel="noopener noreferrer"
+      className="text-link hover:text-link-hover focus-visible:ring-ring inline-flex max-w-full items-center gap-1 rounded-sm underline decoration-current/40 underline-offset-4 outline-none focus-visible:ring-[3px]"
+    >
+      <span className="min-w-0 break-words">{children}</span>
+      <ExternalLink className="size-3 shrink-0" aria-hidden="true" />
+    </a>
+  );
+}
+
+function AdvisoryMetadata({
+  references,
+  cvssScore,
+}: {
+  references: string[];
+  cvssScore: SecurityFindingAuditSection['cvssScore'];
+}) {
+  const hasAdvisoryMetadata = references.length > 0 || cvssScore !== null;
+
+  return (
+    <div className="min-w-0">
+      <dt className="text-muted-foreground type-label">Advisory</dt>
+      <dd className="mt-1">
+        {hasAdvisoryMetadata ? (
+          <div className="flex flex-wrap gap-1.5">
+            {references.map(reference => (
+              <Badge key={reference} variant="outline" className="type-code font-normal">
+                {reference}
+              </Badge>
+            ))}
+            {cvssScore !== null && (
+              <Badge variant="secondary" className="font-normal">
+                CVSS {cvssScore}
+              </Badge>
+            )}
+          </div>
+        ) : (
+          <span className="type-body">Not recorded</span>
+        )}
+      </dd>
+    </div>
+  );
+}
+
+function AuditReportSkeleton() {
+  return (
+    <output className="block space-y-6" aria-live="polite">
+      <span className="sr-only">Loading recorded activity</span>
+      <Skeleton className="motion-reduce:animate-none h-16" />
+      <Skeleton className="motion-reduce:animate-none h-32" />
+      <div className="space-y-2">
+        <Skeleton className="motion-reduce:animate-none h-16" />
+        <Skeleton className="motion-reduce:animate-none h-16" />
+        <Skeleton className="motion-reduce:animate-none h-16" />
+      </div>
+    </output>
+  );
+}
+
+type SearchParamsReader = {
+  get(name: string): string | null;
+};
+
+export function parseAuditReportFilters(searchParams: SearchParamsReader): AuditReportFilters {
+  return {
+    severity: parseAuditReportSeverityFilter(searchParams.get('severity')),
+    state: parseAuditReportStateFilter(searchParams.get('state')),
+    repository: parseAuditReportRepositoryFilter(searchParams.get('repoFullName')),
+  };
+}
+
+function parseAuditReportSeverityFilter(value: string | null): AuditReportSeverityFilter {
+  if (value === 'critical' || value === 'high' || value === 'medium' || value === 'low') {
+    return value;
+  }
+  return 'all';
+}
+
+function parseAuditReportStateFilter(value: string | null): AuditReportStateFilter {
+  if (
+    value === 'open' ||
+    value === 'fixed' ||
+    value === 'ignored' ||
+    value === 'superseded' ||
+    value === 'deleted'
+  ) {
+    return value;
+  }
+  return 'all';
+}
+
+function parseAuditReportRepositoryFilter(value: string | null): string | null {
+  const repository = value?.trim();
+  return repository && repository !== 'all' ? repository : null;
+}
+
+function hasActiveAuditReportFilters(filters: AuditReportFilters): boolean {
+  return filters.severity !== 'all' || filters.state !== 'all' || filters.repository !== null;
+}
+
+export function getAuditReportRepositoryOptions(findings: SecurityFindingAuditSection[]): string[] {
+  return [
+    ...new Set(
+      findings
+        .map(finding => finding.repository)
+        .filter((repository): repository is string => Boolean(repository))
+    ),
+  ].toSorted((left, right) => left.localeCompare(right));
+}
+
+export function normalizeAuditReportRepositoryFilter(
+  filters: AuditReportFilters,
+  repositoryOptions: readonly string[]
+): AuditReportFilters {
+  if (filters.repository === null || repositoryOptions.includes(filters.repository)) return filters;
+  return { ...filters, repository: null };
+}
+
+export function filterSecurityAgentAuditReport(
+  report: SecurityAgentAuditReport,
+  filters: AuditReportFilters
+): SecurityAgentAuditReport {
+  if (!hasActiveAuditReportFilters(filters)) return report;
+
+  const findings = report.findings.filter(finding => {
+    const matchesSeverity = filters.severity === 'all' || finding.severity === filters.severity;
+    const displayState = getFindingDisplayState(finding);
+    const matchesState =
+      filters.state === 'all' ||
+      displayState === filters.state ||
+      (filters.state === 'ignored' && displayState === 'dismissed');
+    const matchesRepository =
+      filters.repository === null || finding.repository === filters.repository;
+    return matchesSeverity && matchesState && matchesRepository;
+  });
+  const bySeverity = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+  } satisfies SecurityAgentAuditReport['summary']['bySeverity'];
+  const byAction: Record<string, number> = {};
+  let activityCount = 0;
+
+  for (const finding of findings) {
+    if (finding.severity !== 'unknown') bySeverity[finding.severity] += 1;
+    activityCount += finding.events.length;
+    for (const event of finding.events) {
+      byAction[event.action] = (byAction[event.action] ?? 0) + 1;
+    }
+  }
+
+  return {
+    ...report,
+    hasLegacySupplementalActivity: findings.some(finding => finding.hasLegacySupplementalActivity),
+    summary: {
+      findingCount: findings.length,
+      activityCount,
+      bySeverity,
+      byAction,
+    },
+    findings,
+  };
+}
+
+function isValidAuditReportDateRange(range: DateRange, now = new Date()): boolean {
+  const dayPickerRange = toDayPickerDateRange(range);
+  if (!dayPickerRange?.from || !dayPickerRange.to) return false;
+  return (
+    isWithinAuditReportRangeLimit(dayPickerRange) &&
+    dayPickerRange.to.getTime() <= utcDateAsLocalCalendarDate(now).getTime()
+  );
+}
+
+function toDayPickerDateRange(range: DateRange): DayPickerDateRange | undefined {
+  const from = parseDateOnlyAsLocalCalendarDate(range.startDate);
+  const to = parseDateOnlyAsLocalCalendarDate(range.endDate);
+  if (!from || !to) return undefined;
+  return { from, to };
+}
+
+function toAuditReportDateRange(range: DayPickerDateRange | undefined): DateRange | null {
+  if (!range?.from || !range.to || !isWithinAuditReportRangeLimit(range)) return null;
+  return {
+    startDate: formatLocalCalendarDateAsUtcDate(range.from),
+    endDate: formatLocalCalendarDateAsUtcDate(range.to),
+  };
+}
+
+function isWithinAuditReportRangeLimit(range: DayPickerDateRange): boolean {
+  if (!range.from || !range.to) return false;
+  const inclusiveDays = differenceInCalendarDays(range.to, range.from) + 1;
+  return inclusiveDays >= 1 && inclusiveDays <= MAX_AUDIT_REPORT_DAYS;
+}
+
+function parseDateOnlyAsLocalCalendarDate(value: string): Date | undefined {
+  const match = /^(\d{4})-(\d{2})-(\d{2})$/.exec(value);
+  if (!match) return undefined;
+
+  const year = Number(match[1]);
+  const monthIndex = Number(match[2]) - 1;
+  const day = Number(match[3]);
+  const date = new Date(year, monthIndex, day);
+  if (date.getFullYear() !== year || date.getMonth() !== monthIndex || date.getDate() !== day) {
+    return undefined;
+  }
+  return date;
+}
+
+function formatLocalCalendarDateAsUtcDate(value: Date): string {
+  const year = value.getFullYear();
+  const month = String(value.getMonth() + 1).padStart(2, '0');
+  const day = String(value.getDate()).padStart(2, '0');
+  return `${year}-${month}-${day}`;
+}
+
+function utcDateAsLocalCalendarDate(value: Date): Date {
+  return new Date(value.getUTCFullYear(), value.getUTCMonth(), value.getUTCDate());
+}
+
+function formatDayPickerDateRange(range: DayPickerDateRange | undefined): string {
+  if (!range?.from) return 'Select date range';
+  const from = formatCalendarDateLabel(range.from, 'MMM d, yyyy');
+  if (!range.to) return `${from} - Select end date`;
+  return `${from} - ${formatCalendarDateLabel(range.to, 'MMM d, yyyy')}`;
+}
+
+export function getDefaultAuditReportDateRange(now = new Date()): DateRange {
+  const end = startOfUtcDay(now);
+  const start = new Date(end);
+  start.setUTCDate(start.getUTCDate() - 89);
+  return {
+    startDate: formatDateInput(start),
+    endDate: formatDateInput(end),
+  };
+}
+
+function startOfUtcDay(value: Date): Date {
+  return new Date(Date.UTC(value.getUTCFullYear(), value.getUTCMonth(), value.getUTCDate()));
+}
+
+function formatDateInput(value: Date): string {
+  return value.toISOString().slice(0, 10);
+}
+
+function formatDate(value: string): string {
+  return REPORT_DATE_FORMATTER.format(new Date(value));
+}
+
+function formatReportDateTime(value: string): string {
+  return formatDateTime24Hour(value).replace(/, (\d{2}:\d{2} UTC)$/, ' at $1');
+}
+
+function formatDateTime(value: string): string {
+  return REPORT_DATE_TIME_FORMATTER.format(new Date(value));
+}
+
+export function formatDateTime24Hour(value: string): string {
+  return REPORT_DATE_TIME_24_HOUR_FORMATTER.format(new Date(value));
+}
+
+export function formatAuditEventTime(value: string): string {
+  return AUDIT_EVENT_TIME_FORMATTER.format(new Date(value));
+}
+
+function formatFindingSource(finding: SecurityFindingAuditSection): string {
+  if (!finding.source) return 'Not recorded';
+  if (finding.source === 'dependabot') {
+    return finding.sourceId ? `Dependabot alert #${finding.sourceId}` : 'Dependabot';
+  }
+  return titleCase(finding.source);
+}
+
+export function getAuditReportRepositoryHref(repository: string | null): string | null {
+  if (!repository) return null;
+  const segments = repository.split('/');
+  if (segments.length !== 2 || segments.some(segment => !/^[A-Za-z0-9_.-]+$/.test(segment))) {
+    return null;
+  }
+  return `https://github.com/${segments.map(segment => encodeURIComponent(segment)).join('/')}`;
+}
+
+function formatFindingPackage(finding: SecurityFindingAuditSection): string {
+  if (!finding.packageName) return 'Not recorded';
+  if (!finding.packageEcosystem) return finding.packageName;
+  return `${finding.packageName} (${formatPackageEcosystem(finding.packageEcosystem)})`;
+}
+
+function formatPackageEcosystem(ecosystem: string): string {
+  const knownEcosystems: Record<string, string> = {
+    npm: 'npm',
+    maven: 'Maven',
+    nuget: 'NuGet',
+    pip: 'pip',
+    rubygems: 'RubyGems',
+    composer: 'Composer',
+    go_modules: 'Go modules',
+    github_actions: 'GitHub Actions',
+  };
+  return knownEcosystems[ecosystem] ?? titleCase(ecosystem);
+}
+
+const EVIDENCE_VALUE_LABELS: Record<string, Record<string, string>> = {
+  analysis_status: {
+    unknown: 'Previous state unavailable',
+    pending: 'Pending',
+    running: 'In progress',
+    completed: 'Completed',
+    failed: 'Failed',
+  },
+  blocked_reason_code: {
+    COVERED_BY_EXISTING_REMEDIATION_PR:
+      'An existing remediation pull request already covers this package',
+    blocked: 'Remediation could not proceed',
+  },
+  confidence: {
+    high: 'High',
+    medium: 'Medium',
+    low: 'Low',
+  },
+  failure_code: {
+    analysis_failed: 'Analysis did not complete',
+    QUEUE_ADMISSION_FAILED: 'Remediation could not be queued',
+    ACTOR_RESOLUTION_FAILED: 'Remediation requester could not be resolved',
+    INSUFFICIENT_CREDITS: 'Insufficient credits to start remediation',
+    LAUNCH_UPSTREAM_5XX: 'Remediation service was temporarily unavailable',
+    CLOUD_AGENT_INTERRUPTED: 'Remediation run was interrupted',
+    CLOUD_AGENT_FAILED: 'Cloud Agent could not complete remediation',
+    INVALID_PR_OUTCOME: 'Pull request outcome could not be verified',
+    MISSING_REMEDIATION_RESULT: 'Remediation result was unavailable',
+  },
+  is_exploitable: {
+    true: 'Exploitable',
+    false: 'Not exploitable',
+    unknown: 'Unknown',
+  },
+  origin: {
+    manual: 'Manually',
+    auto_policy: 'Automatically by policy',
+    bulk_existing: 'Automatically for existing findings',
+  },
+  reason_code: {
+    not_used: 'Vulnerable code is not used',
+    tolerable_risk: 'Risk accepted',
+    inaccurate: 'Finding is inaccurate',
+    no_bandwidth: 'Deferred due to capacity',
+    superseded: 'Superseded by another finding',
+  },
+  remediation_status: {
+    queued: 'Requested',
+    launching: 'Starting',
+    running: 'In progress',
+    pr_opened: 'Pull request opened',
+    failed: 'Failed',
+    blocked: 'Blocked',
+    no_changes_needed: 'No changes needed',
+    cancelled: 'Cancelled',
+  },
+  severity: {
+    critical: 'Critical',
+    high: 'High',
+    medium: 'Medium',
+    low: 'Low',
+  },
+  source_state: {
+    open: 'Open',
+    fixed: 'Fixed',
+    dismissed: 'Dismissed',
+    auto_dismissed: 'Automatically dismissed',
+  },
+  status: {
+    open: 'Open',
+    fixed: 'Fixed',
+    ignored: 'Dismissed',
+  },
+  structured_extraction_status: {
+    succeeded: 'Available',
+    failed: 'Unavailable',
+  },
+  suggested_action: {
+    dismiss: 'Dismiss finding',
+    analyze_codebase: 'Analyze codebase',
+    manual_review: 'Manual review',
+    open_pr: 'Open remediation pull request',
+    monitor: 'Monitor',
+  },
+};
+
+const INTERNAL_DETAIL_FALLBACK_FIELDS = new Set([
+  'blocked_reason_code',
+  'failure_code',
+  'reason_code',
+]);
+
+const USER_FACING_TOKEN_FIELDS = new Set(Object.keys(EVIDENCE_VALUE_LABELS));
+
+const DATE_FIELD_PATTERN = /(^|_)(at|date|deadline|cutoff|through|start|end)$/i;
+
+function formatEvidenceScalar(value: unknown, fieldKey: string): string {
+  if (value === null || value === undefined) return 'Not recorded';
+  if (typeof value === 'boolean') {
+    if (fieldKey === 'is_exploitable') {
+      return EVIDENCE_VALUE_LABELS.is_exploitable[String(value)] ?? 'Unknown';
+    }
+    if (fieldKey === 'pr_draft') return value ? 'Draft' : 'Ready for review';
+    if (fieldKey === 'deleted') return value ? 'Deleted' : 'Active';
+    return value ? 'Yes' : 'No';
+  }
+  if (typeof value === 'number') {
+    if (fieldKey === 'pr_number' || fieldKey === 'source_alert_number') return `#${value}`;
+    return value.toLocaleString();
+  }
+  if (typeof value !== 'string') return String(value);
+
+  const trimmed = value.trim();
+  if (!trimmed) return 'Not recorded';
+
+  if (DATE_FIELD_PATTERN.test(fieldKey) && isValidDateString(trimmed)) {
+    return trimmed.length <= 10 ? formatDate(trimmed) : formatDateTime(trimmed);
+  }
+
+  const knownValue = EVIDENCE_VALUE_LABELS[fieldKey]?.[trimmed];
+  if (knownValue) return knownValue;
+  if (INTERNAL_DETAIL_FALLBACK_FIELDS.has(fieldKey)) return 'Additional details unavailable';
+  if (USER_FACING_TOKEN_FIELDS.has(fieldKey)) return 'Unknown';
+
+  return trimmed;
+}
+
+function titleCase(value: string): string {
+  return value
+    .replaceAll('_', ' ')
+    .replaceAll('-', ' ')
+    .replace(/\b\w/g, first => first.toUpperCase());
+}
+
+function isValidDateString(value: string): boolean {
+  return !Number.isNaN(Date.parse(value));
+}
+
+function isSafeHttpUrl(value: string): boolean {
+  try {
+    const url = new URL(value);
+    return url.protocol === 'https:' || url.protocol === 'http:';
+  } catch {
+    return false;
+  }
+}
+
+function slaLabel(sla: SecurityFindingAuditSection['sla']): string {
+  if (sla.status === 'unknown') return 'Unknown';
+  if (sla.status === 'terminal_met') return 'Terminal before deadline';
+  if (sla.status === 'terminal_missed') return 'Terminal after deadline';
+  if (sla.status === 'open_within_deadline') return 'Open before deadline';
+  return 'Open past deadline';
+}
diff --git a/apps/web/src/components/security-agent/SecurityConfigForm.tsx b/apps/web/src/components/security-agent/SecurityConfigForm.tsx
index 74d17a881..9911f85d3 100644
--- a/apps/web/src/components/security-agent/SecurityConfigForm.tsx
+++ b/apps/web/src/components/security-agent/SecurityConfigForm.tsx
@@ -1,8 +1,8 @@
 'use client';
 
-import { type SetStateAction, useEffect, useState } from 'react';
+import { type SetStateAction, useEffect, useRef, useState } from 'react';
 import { useRouter, useSearchParams } from 'next/navigation';
-import { Loader2, Save } from 'lucide-react';
+import { Bell, Bot, Clock, Loader2, RotateCcw, Save, SlidersHorizontal } from 'lucide-react';
 import { useOrganizationModels } from '@/components/cloud-agent/hooks/useOrganizationModels';
 import type { ModelOption } from '@/components/shared/ModelCombobox';
 import {
@@ -17,6 +17,8 @@ import {
 } from '@/components/ui/alert-dialog';
 import { Button } from '@/components/ui/button';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs';
+import { cn } from '@/lib/utils';
+import type { SecurityAgentUiInteraction } from '@/lib/security-agent/core/schemas';
 import {
   DEFAULT_SECURITY_AGENT_ANALYSIS_MODEL,
   DEFAULT_SECURITY_AGENT_REMEDIATION_MODEL,
@@ -40,6 +42,8 @@ import type {
   SecurityRepository,
   SlaConfig,
 } from './security-config-types';
+import { useSecurityAgent } from './SecurityAgentContext';
+import { SecurityAgentActionBar } from './SecurityAgentActionBar';
 
 type SecurityConfigFormProps = {
   organizationId?: string;
@@ -137,15 +141,43 @@ function configsMatch(left: SecurityConfigFormState, right: SecurityConfigFormSt
 }
 
 const SETTINGS_TAB_TRIGGER_CLASS =
-  'data-[state=active]:bg-background data-[state=active]:border-border data-[state=active]:text-foreground data-[state=active]:shadow-sm';
+  'min-h-9 gap-2 border-0 px-3 text-muted-foreground shadow-none hover:bg-surface-hover hover:text-foreground data-[state=active]:border-0 data-[state=active]:bg-surface-selected data-[state=active]:text-foreground data-[state=active]:shadow-none';
 const SETTINGS_TABS = ['config', 'automation', 'notifications', 'sla'] as const;
 
 type SettingsTab = (typeof SETTINGS_TABS)[number];
 
+const SETTINGS_TAB_INTERACTIONS = {
+  config: 'settings_config_viewed',
+  automation: 'settings_automation_viewed',
+  notifications: 'settings_notifications_viewed',
+  sla: 'settings_sla_viewed',
+} satisfies Record<SettingsTab, SecurityAgentUiInteraction>;
+
 function settingsTabFromParam(tab: string | null): SettingsTab {
   return SETTINGS_TABS.find(value => value === tab) ?? 'config';
 }
 
+function useSettingsTabTracking(enabled: boolean, initialTab: SettingsTab) {
+  const { trackUiInteraction } = useSecurityAgent();
+  const trackedInitialTabRef = useRef(false);
+
+  useEffect(() => {
+    if (!enabled) {
+      trackedInitialTabRef.current = false;
+      return;
+    }
+    if (trackedInitialTabRef.current) return;
+
+    trackedInitialTabRef.current = true;
+    trackUiInteraction(SETTINGS_TAB_INTERACTIONS[initialTab]);
+  }, [enabled, initialTab, trackUiInteraction]);
+
+  return (value: string) => {
+    const tab = SETTINGS_TABS.find(settingsTab => settingsTab === value);
+    if (tab) trackUiInteraction(SETTINGS_TAB_INTERACTIONS[tab]);
+  };
+}
+
 const SECURITY_AGENT_DEFAULT_MODEL_OPTIONS: ModelOption[] = SECURITY_AGENT_MODELS.map(model => ({
   id: model.id,
   name: model.name,
@@ -178,7 +210,8 @@ export function SecurityConfigForm({
   const { enabled, isLoadingRepositories, isSaving, isToggling } = viewState;
   const router = useRouter();
   const searchParams = useSearchParams();
-  const defaultSettingsTab = settingsTabFromParam(searchParams.get('tab'));
+  const defaultSettingsTab = enabled ? settingsTabFromParam(searchParams.get('tab')) : 'config';
+  const handleSettingsTabChange = useSettingsTabTracking(enabled, defaultSettingsTab);
   const initialConfigFingerprint = configFingerprint(initialConfig);
   const [pendingNavigationHref, setPendingNavigationHref] = useState<string | null>(null);
   const [savingBeforeNavigation, setSavingBeforeNavigation] = useState(false);
@@ -320,38 +353,113 @@ export function SecurityConfigForm({
 
   return (
     <div className="space-y-6">
-      <AgentStatusSection
-        enabled={enabled}
-        isToggling={isToggling}
-        availableRepositoryCount={repositories.length}
-        repositoryCount={repositoryCount}
-        slaEnabled={state.slaEnabled}
-        onToggle={nextEnabled =>
-          onToggleEnabled(nextEnabled, {
-            repositorySelectionMode: state.repositorySelectionMode,
-            selectedRepositoryIds: state.selectedRepositoryIds,
-          })
-        }
-      />
-      {enabled && (
-        <>
-          <Tabs defaultValue={defaultSettingsTab} className="space-y-6">
-            <TabsList className="h-auto w-full justify-start gap-1 overflow-x-auto rounded-xl p-1 sm:w-fit">
-              <TabsTrigger value="config" className={SETTINGS_TAB_TRIGGER_CLASS}>
-                Config
-              </TabsTrigger>
-              <TabsTrigger value="automation" className={SETTINGS_TAB_TRIGGER_CLASS}>
-                Automation
-              </TabsTrigger>
-              <TabsTrigger value="notifications" className={SETTINGS_TAB_TRIGGER_CLASS}>
-                Notifications
-              </TabsTrigger>
-              <TabsTrigger value="sla" className={SETTINGS_TAB_TRIGGER_CLASS}>
-                SLA
-              </TabsTrigger>
-            </TabsList>
-
-            <TabsContent value="config" className="mt-0 space-y-6">
+      <Tabs
+        defaultValue={defaultSettingsTab}
+        className="space-y-6"
+        onValueChange={handleSettingsTabChange}
+      >
+        <SecurityAgentActionBar label="Settings controls">
+          <div className="grid gap-3 xl:grid-cols-[minmax(0,1fr)_auto] xl:items-end">
+            <div className="min-w-0">
+              <TabsList
+                aria-label="Security Agent settings sections"
+                className="border-input bg-input-background h-auto w-full justify-start gap-1 overflow-x-auto rounded-lg border p-1 sm:w-max sm:max-w-full"
+              >
+                <TabsTrigger value="config" className={SETTINGS_TAB_TRIGGER_CLASS}>
+                  <SlidersHorizontal className="size-4" aria-hidden="true" />
+                  General
+                </TabsTrigger>
+                <TabsTrigger
+                  value="automation"
+                  className={SETTINGS_TAB_TRIGGER_CLASS}
+                  disabled={!enabled}
+                >
+                  <Bot className="size-4" aria-hidden="true" />
+                  Automation
+                </TabsTrigger>
+                <TabsTrigger
+                  value="notifications"
+                  className={SETTINGS_TAB_TRIGGER_CLASS}
+                  disabled={!enabled}
+                >
+                  <Bell className="size-4" aria-hidden="true" />
+                  Notifications
+                </TabsTrigger>
+                <TabsTrigger value="sla" className={SETTINGS_TAB_TRIGGER_CLASS} disabled={!enabled}>
+                  <Clock className="size-4" aria-hidden="true" />
+                  SLA
+                </TabsTrigger>
+              </TabsList>
+            </div>
+
+            {enabled && (
+              <div className="flex flex-col gap-3 sm:flex-row sm:flex-wrap sm:items-center xl:justify-end">
+                <span
+                  aria-live="polite"
+                  className={cn(
+                    'flex min-h-8 items-center text-xs whitespace-nowrap',
+                    isSaving || hasChanges ? 'text-status-warning' : 'text-muted-foreground'
+                  )}
+                >
+                  {isSaving
+                    ? 'Saving changes...'
+                    : hasChanges
+                      ? 'Unsaved changes'
+                      : 'All changes saved'}
+                </span>
+                <Button
+                  type="button"
+                  variant="outline"
+                  className="min-h-11 w-full sm:min-h-9 sm:w-auto"
+                  onClick={() =>
+                    setState({
+                      ...DEFAULT_FORM_CONFIG,
+                      slaConfig: { ...DEFAULT_FORM_CONFIG.slaConfig },
+                      selectedRepositoryIds: [],
+                    })
+                  }
+                  disabled={isSaving}
+                >
+                  <RotateCcw aria-hidden="true" />
+                  Reset defaults
+                </Button>
+                <Button
+                  type="button"
+                  className="min-h-11 w-full sm:min-h-9 sm:w-auto"
+                  onClick={() => handleSave()}
+                  disabled={saveDisabled}
+                >
+                  {isSaving ? (
+                    <Loader2
+                      className="animate-spin motion-reduce:animate-none"
+                      aria-hidden="true"
+                    />
+                  ) : (
+                    <Save aria-hidden="true" />
+                  )}
+                  {isSaving ? 'Saving changes...' : 'Save changes'}
+                </Button>
+              </div>
+            )}
+          </div>
+        </SecurityAgentActionBar>
+
+        <TabsContent value="config" className="mt-0 space-y-6">
+          <AgentStatusSection
+            enabled={enabled}
+            isToggling={isToggling}
+            availableRepositoryCount={repositories.length}
+            repositoryCount={repositoryCount}
+            slaEnabled={state.slaEnabled}
+            onToggle={nextEnabled =>
+              onToggleEnabled(nextEnabled, {
+                repositorySelectionMode: state.repositorySelectionMode,
+                selectedRepositoryIds: state.selectedRepositoryIds,
+              })
+            }
+          />
+          {enabled && (
+            <>
               <RepositorySection
                 {...stateProps}
                 repositories={repositories}
@@ -363,64 +471,32 @@ export function SecurityConfigForm({
                 isLoading={isLoadingModels}
               />
               <AnalysisModeSection {...stateProps} />
-            </TabsContent>
-
-            <TabsContent value="automation" className="mt-0 space-y-6">
-              <AutoAnalysisSection {...stateProps} />
-              <AutoRemediationSection {...stateProps} />
-              <AutoDismissSection {...stateProps} />
-            </TabsContent>
-
-            <TabsContent value="notifications" className="mt-0 space-y-6">
-              <NotificationSection
-                {...stateProps}
-                isOrganization={Boolean(organizationId)}
-                disabled={isSaving}
-              />
-            </TabsContent>
-
-            <TabsContent value="sla" className="mt-0 space-y-6">
-              <SlaSection
-                {...stateProps}
-                isOrganization={Boolean(organizationId)}
-                disabled={isSaving}
-              />
-            </TabsContent>
-          </Tabs>
-          <div className="border-border flex flex-col-reverse gap-3 border-t pt-4 sm:flex-row sm:justify-between">
-            <Button
-              type="button"
-              variant="outline"
-              onClick={() =>
-                setState({
-                  ...DEFAULT_FORM_CONFIG,
-                  slaConfig: { ...DEFAULT_FORM_CONFIG.slaConfig },
-                  selectedRepositoryIds: [],
-                })
-              }
-              disabled={isSaving}
-            >
-              Reset to defaults
-            </Button>
-            <Button
-              type="button"
-              className="bg-brand-primary text-primary-foreground hover:bg-brand-primary/90 disabled:bg-muted disabled:text-muted-foreground disabled:opacity-60"
-              onClick={() => handleSave()}
-              disabled={saveDisabled}
-            >
-              {isSaving ? (
-                <Loader2
-                  className="size-4 animate-spin motion-reduce:animate-none"
-                  aria-hidden="true"
-                />
-              ) : (
-                <Save className="size-4" aria-hidden="true" />
-              )}
-              {isSaving ? 'Saving...' : 'Save changes'}
-            </Button>
-          </div>
-        </>
-      )}
+            </>
+          )}
+        </TabsContent>
+
+        <TabsContent value="automation" className="mt-0 space-y-6">
+          <AutoAnalysisSection {...stateProps} />
+          <AutoRemediationSection {...stateProps} />
+          <AutoDismissSection {...stateProps} />
+        </TabsContent>
+
+        <TabsContent value="notifications" className="mt-0 space-y-6">
+          <NotificationSection
+            {...stateProps}
+            isOrganization={Boolean(organizationId)}
+            disabled={isSaving}
+          />
+        </TabsContent>
+
+        <TabsContent value="sla" className="mt-0 space-y-6">
+          <SlaSection
+            {...stateProps}
+            isOrganization={Boolean(organizationId)}
+            disabled={isSaving}
+          />
+        </TabsContent>
+      </Tabs>
       <AlertDialog
         open={Boolean(pendingNavigationHref)}
         onOpenChange={open => !open && clearPendingNavigation()}
diff --git a/apps/web/src/components/security-agent/SecurityConfigPage.tsx b/apps/web/src/components/security-agent/SecurityConfigPage.tsx
index eb42054b0..f88489265 100644
--- a/apps/web/src/components/security-agent/SecurityConfigPage.tsx
+++ b/apps/web/src/components/security-agent/SecurityConfigPage.tsx
@@ -4,6 +4,7 @@ import { Loader2 } from 'lucide-react';
 import { ClearFindingsCard } from './ClearFindingsCard';
 import { SecurityConfigForm } from './SecurityConfigForm';
 import { useSecurityAgent } from './SecurityAgentContext';
+import { SecurityAgentGitHubInstallCta } from './SecurityAgentGitHubInstallCta';
 import {
   DEFAULT_SECURITY_AGENT_ANALYSIS_MODEL,
   DEFAULT_SECURITY_AGENT_REMEDIATION_MODEL,
@@ -14,6 +15,9 @@ import type { SecurityConfigFormState } from './security-config-types';
 export function SecurityConfigPage() {
   const {
     organizationId,
+    isOrg,
+    hasIntegration,
+    isLoadingPermission,
     isEnabled,
     configData,
     allRepositories,
@@ -27,7 +31,7 @@ export function SecurityConfigPage() {
     orphanedRepositories,
   } = useSecurityAgent();
 
-  if (isLoadingConfig) {
+  if (isLoadingPermission || isLoadingConfig) {
     return (
       <div className="text-muted-foreground flex items-center justify-center gap-2 py-16 text-sm">
         <Loader2 className="size-6 animate-spin motion-reduce:animate-none" aria-hidden="true" />
@@ -36,6 +40,14 @@ export function SecurityConfigPage() {
     );
   }
 
+  if (!hasIntegration) {
+    const installUrl =
+      isOrg && organizationId
+        ? `/organizations/${organizationId}/integrations`
+        : '/integrations/github';
+    return <SecurityAgentGitHubInstallCta installUrl={installUrl} />;
+  }
+
   const initialConfig = {
     slaConfig: {
       critical: configData?.slaCriticalDays ?? 15,
diff --git a/apps/web/src/components/security-agent/SecurityConfigSections.tsx b/apps/web/src/components/security-agent/SecurityConfigSections.tsx
index 8757ee609..6ac75eeda 100644
--- a/apps/web/src/components/security-agent/SecurityConfigSections.tsx
+++ b/apps/web/src/components/security-agent/SecurityConfigSections.tsx
@@ -64,7 +64,7 @@ function SectionHeader({
         )}
       >
         <div className={cn('flex gap-3', hasContent ? 'items-start' : 'items-center')}>
-          <div className="bg-muted text-muted-foreground flex size-10 shrink-0 items-center justify-center rounded-lg">
+          <div className="bg-surface-overlay text-muted-foreground flex size-10 shrink-0 items-center justify-center rounded-lg">
             <Icon className="size-5" aria-hidden="true" />
           </div>
           <div className="space-y-1">
diff --git a/apps/web/src/components/security-agent/SecurityDashboard.tsx b/apps/web/src/components/security-agent/SecurityDashboard.tsx
index 2d1e8c3b8..ca5ba0dfa 100644
--- a/apps/web/src/components/security-agent/SecurityDashboard.tsx
+++ b/apps/web/src/components/security-agent/SecurityDashboard.tsx
@@ -1,59 +1,142 @@
 'use client';
 
-import { useState } from 'react';
-import { useSecurityAgent } from './SecurityAgentContext';
-import { useTRPC } from '@/lib/trpc/utils';
+import { useState, type ReactNode } from 'react';
+import Link from 'next/link';
 import { useQuery } from '@tanstack/react-query';
-import { Shield, RefreshCw, Loader2 } from 'lucide-react';
 import { formatDistanceToNow } from 'date-fns';
+import {
+  AlertCircle,
+  ArrowRight,
+  CalendarClock,
+  CheckCircle2,
+  CircleHelp,
+  Clock,
+  FileSearch,
+  Loader2,
+  RefreshCw,
+  Settings2,
+  ShieldAlert,
+  ShieldCheck,
+  Sparkles,
+  TriangleAlert,
+  type LucideIcon,
+} from 'lucide-react';
+import { Alert, AlertDescription, AlertTitle } from '@/components/ui/alert';
 import { Button } from '@/components/ui/button';
-import Link from 'next/link';
+import { Progress } from '@/components/ui/progress';
+import { Skeleton } from '@/components/ui/skeleton';
+import { cn } from '@/lib/utils';
+import type { DashboardStats } from '@/lib/security-agent/db/dashboard-stats';
+import { useTRPC } from '@/lib/trpc/utils';
 import { RepositoryFilter } from './RepositoryFilter';
-import { SlaComplianceHero } from './dashboard/SlaComplianceHero';
-import { SeverityBreakdown } from './dashboard/SeverityBreakdown';
-import { StatusOverview } from './dashboard/StatusOverview';
-import { AnalysisCoverage } from './dashboard/AnalysisCoverage';
-import { MeanTimeToResolution } from './dashboard/MeanTimeToResolution';
-import { OverdueFindingsTable } from './dashboard/OverdueFindingsTable';
-import { RepositoryHealthTable } from './dashboard/RepositoryHealthTable';
-
-const emptySla = {
-  overall: { total: 0, withinSla: 0, overdue: 0 },
-  bySeverity: {
-    critical: { total: 0, withinSla: 0, overdue: 0 },
-    high: { total: 0, withinSla: 0, overdue: 0 },
-    medium: { total: 0, withinSla: 0, overdue: 0 },
-    low: { total: 0, withinSla: 0, overdue: 0 },
+import { SecurityAgentActionBar, SecurityAgentActionBarField } from './SecurityAgentActionBar';
+import { SecurityAgentGitHubInstallCta } from './SecurityAgentGitHubInstallCta';
+import { useSecurityAgent } from './SecurityAgentContext';
+
+const emptyDashboardStats: DashboardStats = {
+  sla: {
+    overall: { total: 0, withinSla: 0, overdue: 0 },
+    bySeverity: {
+      critical: { total: 0, withinSla: 0, overdue: 0 },
+      high: { total: 0, withinSla: 0, overdue: 0 },
+      medium: { total: 0, withinSla: 0, overdue: 0 },
+      low: { total: 0, withinSla: 0, overdue: 0 },
+    },
+    dueSoon: { total: 0, exploitable: 0 },
+    untrackedCount: 0,
   },
-  untrackedCount: 0,
+  severity: { critical: 0, high: 0, medium: 0, low: 0 },
+  status: { open: 0, fixed: 0, ignored: 0 },
+  analysis: {
+    total: 0,
+    analyzed: 0,
+    exploitable: 0,
+    notExploitable: 0,
+    triageComplete: 0,
+    safeToDismiss: 0,
+    needsReview: 0,
+    analyzing: 0,
+    notAnalyzed: 0,
+    failed: 0,
+  },
+  mttr: {
+    bySeverity: {
+      critical: { avgDays: null, medianDays: null, count: 0, slaDays: 15 },
+      high: { avgDays: null, medianDays: null, count: 0, slaDays: 30 },
+      medium: { avgDays: null, medianDays: null, count: 0, slaDays: 45 },
+      low: { avgDays: null, medianDays: null, count: 0, slaDays: 90 },
+    },
+  },
+  overdue: [],
+  priorityFinding: null,
+  repoHealth: [],
+  repositoryCount: 0,
 };
 
-const emptySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
-
-const emptyStatus = { open: 0, fixed: 0, ignored: 0 };
-
-const emptyAnalysis = {
-  total: 0,
-  analyzed: 0,
-  exploitable: 0,
-  notExploitable: 0,
-  triageComplete: 0,
-  safeToDismiss: 0,
-  needsReview: 0,
-  analyzing: 0,
-  notAnalyzed: 0,
-  failed: 0,
+type Repository = {
+  id: number;
+  fullName: string;
+  name: string;
+  private: boolean;
 };
 
-const emptyMttr = {
-  bySeverity: {
-    critical: { avgDays: null, medianDays: null, count: 0, slaDays: 15 },
-    high: { avgDays: null, medianDays: null, count: 0, slaDays: 30 },
-    medium: { avgDays: null, medianDays: null, count: 0, slaDays: 45 },
-    low: { avgDays: null, medianDays: null, count: 0, slaDays: 90 },
-  },
+type MetricTone = 'danger' | 'warning' | 'neutral';
+
+type DashboardMetric = {
+  label: string;
+  value: string;
+  detail: string;
+  icon: LucideIcon;
+  tone: MetricTone;
+};
+
+type SecurityDashboardViewProps = {
+  basePath: string;
+  data: DashboardStats;
+  isLoading: boolean;
+  isError: boolean;
+  slaEnabled: boolean;
+  repositories: Repository[];
+  repoFullName: string | undefined;
+  lastUpdated: string | null;
+  isSyncing: boolean;
+  onRepositoryChange: (repoFullName: string | undefined) => void;
+  onSync: () => void;
+  onRetry: () => void;
 };
 
+type SummaryTone = 'danger' | 'warning' | 'success' | 'neutral';
+
+function getAnalysisIncompleteCount(analysis: DashboardStats['analysis']): number {
+  return analysis.triageComplete + analysis.analyzing + analysis.notAnalyzed + analysis.failed;
+}
+
+function getNeedsActionCount(analysis: DashboardStats['analysis']): number {
+  return (
+    analysis.exploitable +
+    analysis.needsReview +
+    analysis.triageComplete +
+    analysis.notAnalyzed +
+    analysis.failed
+  );
+}
+
+function findingsHref(
+  basePath: string,
+  params: Record<string, string | number | boolean | undefined>
+): string {
+  const searchParams = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value !== undefined) searchParams.set(key, String(value));
+  }
+  const query = searchParams.toString();
+  return `${basePath}/findings${query ? `?${query}` : ''}`;
+}
+
+function titleCaseSeverity(severity: string): string {
+  return severity.length > 0 ? `${severity[0].toUpperCase()}${severity.slice(1)}` : 'Security';
+}
+
 export function SecurityDashboard() {
   const {
     hasIntegration,
@@ -67,37 +150,34 @@ export function SecurityDashboard() {
   } = useSecurityAgent();
   const trpc = useTRPC();
   const [repoFullName, setRepoFullName] = useState<string | undefined>(undefined);
-
   const basePath = isOrg ? `/organizations/${organizationId}/security-agent` : '/security-agent';
-
-  // Build a query string suffix for drill-down links so the selected repo filter carries through
-  const repoFilterParam = repoFullName ? `&repoFullName=${encodeURIComponent(repoFullName)}` : '';
   const slaEnabled = configData?.slaEnabled ?? true;
 
-  const { data, isLoading } = useQuery({
+  const {
+    data: dashboardData,
+    isLoading: isDashboardLoading,
+    isError: dashboardHasError,
+    refetch: refetchDashboard,
+  } = useQuery({
     ...(isOrg
       ? trpc.organizations.securityAgent.getDashboardStats.queryOptions({
           organizationId: organizationId ?? '',
           repoFullName,
         })
-      : trpc.securityAgent.getDashboardStats.queryOptions({
-          repoFullName,
-        })),
+      : trpc.securityAgent.getDashboardStats.queryOptions({ repoFullName })),
     staleTime: 30_000,
     enabled: hasIntegration,
   });
 
-  // Use real sync time from DB rather than React Query fetch time
-  const { data: lastSyncData } = useQuery(
-    isOrg
+  const { data: lastSyncData } = useQuery({
+    ...(isOrg
       ? trpc.organizations.securityAgent.getLastSyncTime.queryOptions({
           organizationId: organizationId ?? '',
           repoFullName,
         })
-      : trpc.securityAgent.getLastSyncTime.queryOptions({
-          repoFullName,
-        })
-  );
+      : trpc.securityAgent.getLastSyncTime.queryOptions({ repoFullName })),
+    enabled: hasIntegration,
+  });
 
   if (isLoadingPermission) {
     return (
@@ -112,120 +192,940 @@ export function SecurityDashboard() {
     const installUrl = isOrg
       ? `/organizations/${organizationId}/integrations`
       : '/integrations/github';
-    return (
-      <div className="border-border flex flex-col items-center justify-center rounded-xl border border-dashed px-6 py-16 text-center">
-        <Shield className="text-muted-foreground mb-4 size-12 opacity-40" aria-hidden="true" />
-        <h3 className="text-lg font-medium">Connect GitHub to get started</h3>
-        <p className="text-muted-foreground mt-2 max-w-md text-center text-sm">
-          Install the Kilo GitHub App to automatically sync Dependabot alerts and manage security
-          findings across your repositories.
-        </p>
-        <Button
-          asChild
-          className="bg-brand-primary text-primary-foreground hover:bg-brand-primary/90 mt-6"
-        >
-          <Link href={installUrl}>Install GitHub App</Link>
-        </Button>
-      </div>
-    );
+    return <SecurityAgentGitHubInstallCta installUrl={installUrl} />;
   }
 
-  const sla = data?.sla ?? emptySla;
-  const severity = data?.severity ?? emptySeverity;
-  const status = data?.status ?? emptyStatus;
-  const analysis = data?.analysis ?? emptyAnalysis;
-  const mttr = data?.mttr ?? emptyMttr;
-  const overdue = data?.overdue ?? [];
-  const repoHealth = data?.repoHealth ?? [];
-
   const lastSyncTime = lastSyncData?.lastSyncTime;
   const lastUpdated = lastSyncTime
     ? `Last synced ${formatDistanceToNow(new Date(lastSyncTime), { addSuffix: true })}`
     : null;
 
+  return (
+    <SecurityDashboardView
+      basePath={basePath}
+      data={dashboardData ?? emptyDashboardStats}
+      isLoading={isDashboardLoading}
+      isError={dashboardHasError}
+      slaEnabled={slaEnabled}
+      repositories={filteredRepositories}
+      repoFullName={repoFullName}
+      lastUpdated={lastUpdated}
+      isSyncing={isSyncing}
+      onRepositoryChange={setRepoFullName}
+      onSync={() => handleSync(repoFullName)}
+      onRetry={() => void refetchDashboard()}
+    />
+  );
+}
+
+export function SecurityDashboardView({
+  basePath,
+  data,
+  isLoading,
+  isError,
+  slaEnabled,
+  repositories,
+  repoFullName,
+  lastUpdated,
+  isSyncing,
+  onRepositoryChange,
+  onSync,
+  onRetry,
+}: SecurityDashboardViewProps) {
+  const metrics = buildDashboardMetrics(data, slaEnabled);
+
   return (
     <div className="space-y-6">
-      {/* Header: filters and actions */}
-      <div className="flex flex-wrap items-center justify-between gap-3">
-        <RepositoryFilter
-          repositories={filteredRepositories}
-          value={repoFullName}
-          onValueChange={setRepoFullName}
-          isLoading={isLoading}
-        />
-        <div className="flex w-full flex-wrap items-center justify-between gap-3 sm:w-auto sm:justify-end">
-          {lastUpdated && <span className="text-muted-foreground text-xs">{lastUpdated}</span>}
+      <DashboardToolbar
+        repositories={repositories}
+        repoFullName={repoFullName}
+        isLoading={isLoading}
+        lastUpdated={lastUpdated}
+        isSyncing={isSyncing}
+        onRepositoryChange={onRepositoryChange}
+        onSync={onSync}
+      />
+
+      {isError ? (
+        <DashboardError onRetry={onRetry} />
+      ) : isLoading ? (
+        <DashboardSkeleton />
+      ) : (
+        <>
+          <section
+            className="border-border bg-border grid gap-px overflow-hidden rounded-xl border sm:grid-cols-2 xl:grid-cols-4"
+            aria-label="Security overview"
+          >
+            {metrics.map(metric => (
+              <DashboardMetricCard key={metric.label} {...metric} />
+            ))}
+          </section>
+
+          <AttentionCard
+            data={data}
+            basePath={basePath}
+            repoFullName={repoFullName}
+            slaEnabled={slaEnabled}
+          />
+
+          <div className="grid gap-6 lg:grid-cols-2">
+            {slaEnabled ? (
+              <DeadlinePostureCard data={data} basePath={basePath} />
+            ) : (
+              <ActionPostureCard data={data} basePath={basePath} repoFullName={repoFullName} />
+            )}
+            <UnderstandingSummary
+              data={data}
+              basePath={basePath}
+              repoFullName={repoFullName}
+              slaEnabled={slaEnabled}
+            />
+          </div>
+
+          <RepositoryActionPlan
+            repositories={data.repoHealth}
+            basePath={basePath}
+            slaEnabled={slaEnabled}
+          />
+        </>
+      )}
+    </div>
+  );
+}
+
+function DashboardToolbar({
+  repositories,
+  repoFullName,
+  isLoading,
+  lastUpdated,
+  isSyncing,
+  onRepositoryChange,
+  onSync,
+}: {
+  repositories: Repository[];
+  repoFullName: string | undefined;
+  isLoading: boolean;
+  lastUpdated: string | null;
+  isSyncing: boolean;
+  onRepositoryChange: (repoFullName: string | undefined) => void;
+  onSync: () => void;
+}) {
+  return (
+    <SecurityAgentActionBar label="Dashboard controls">
+      <div className="grid gap-3 md:grid-cols-[minmax(0,20rem)_1fr] md:items-end">
+        <SecurityAgentActionBarField id="dashboard-repository" label="Repository scope">
+          <RepositoryFilter
+            id="dashboard-repository"
+            className="min-h-11 sm:min-h-9 sm:w-full"
+            repositories={repositories}
+            value={repoFullName}
+            onValueChange={onRepositoryChange}
+            isLoading={isLoading}
+          />
+        </SecurityAgentActionBarField>
+        <div className="flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between md:justify-end">
+          {lastUpdated && (
+            <span className="text-muted-foreground flex min-h-8 items-center gap-1.5 text-xs whitespace-nowrap">
+              <Clock className="size-3.5" aria-hidden="true" />
+              {lastUpdated}
+            </span>
+          )}
           <Button
             variant="outline"
-            size="sm"
             type="button"
-            onClick={() => {
-              handleSync(repoFullName);
-            }}
-            disabled={isSyncing || isLoading}
+            className="min-h-11 w-full sm:min-h-9 sm:w-auto"
+            onClick={onSync}
+            disabled={isSyncing}
           >
             <RefreshCw
-              className={`size-3.5 ${isSyncing ? 'animate-spin motion-reduce:animate-none' : ''}`}
+              className={isSyncing ? 'animate-spin motion-reduce:animate-none' : ''}
               aria-hidden="true"
             />
-            {isSyncing ? 'Syncing...' : 'Sync findings'}
+            {isSyncing ? 'Syncing findings...' : 'Sync findings'}
           </Button>
         </div>
       </div>
+    </SecurityAgentActionBar>
+  );
+}
 
-      {slaEnabled && (
-        <SlaComplianceHero
-          sla={sla}
-          isLoading={isLoading}
-          basePath={basePath}
-          extraParams={repoFilterParam}
-        />
-      )}
+function DashboardError({ onRetry }: { onRetry: () => void }) {
+  return (
+    <Alert variant="destructive">
+      <AlertCircle aria-hidden="true" />
+      <AlertTitle>Dashboard data could not load</AlertTitle>
+      <AlertDescription>
+        <p>
+          Security Agent could not load current finding statistics. Check your connection and try
+          again.
+        </p>
+        <Button variant="outline" size="sm" type="button" onClick={onRetry} className="mt-2">
+          <RefreshCw aria-hidden="true" />
+          Retry dashboard
+        </Button>
+      </AlertDescription>
+    </Alert>
+  );
+}
+
+function DashboardSkeleton() {
+  return (
+    <output
+      className="block space-y-6"
+      aria-label="Loading dashboard data"
+      aria-live="polite"
+      aria-busy="true"
+    >
+      <div className="grid gap-px overflow-hidden rounded-xl sm:grid-cols-2 xl:grid-cols-4">
+        {[0, 1, 2, 3].map(index => (
+          <div key={index} className="bg-card space-y-3 p-5">
+            <Skeleton className="h-4 w-28" />
+            <Skeleton className="h-8 w-16" />
+            <Skeleton className="h-3 w-36" />
+          </div>
+        ))}
+      </div>
+      <Skeleton className="h-64 w-full rounded-xl" />
+      <div className="grid gap-6 lg:grid-cols-2">
+        <Skeleton className="h-96 w-full rounded-xl" />
+        <Skeleton className="h-96 w-full rounded-xl" />
+      </div>
+      <Skeleton className="h-72 w-full rounded-xl" />
+    </output>
+  );
+}
+
+function buildDashboardMetrics(data: DashboardStats, slaEnabled: boolean): DashboardMetric[] {
+  if (!slaEnabled) {
+    return [
+      {
+        label: 'Open findings',
+        value: String(data.analysis.total),
+        detail: `${data.severity.critical} critical, ${data.severity.high} high`,
+        icon: ShieldAlert,
+        tone: 'danger',
+      },
+      {
+        label: 'Confirmed exploitable',
+        value: String(data.analysis.exploitable),
+        detail: 'Project risk confirmed by analysis',
+        icon: TriangleAlert,
+        tone: 'danger',
+      },
+      {
+        label: 'Needs your review',
+        value: String(data.analysis.needsReview),
+        detail: 'Human decision required',
+        icon: CircleHelp,
+        tone: 'warning',
+      },
+      {
+        label: 'Analysis not complete',
+        value: String(getAnalysisIncompleteCount(data.analysis)),
+        detail: 'Project risk still unknown',
+        icon: FileSearch,
+        tone: 'neutral',
+      },
+    ];
+  }
+
+  const compliance =
+    data.sla.overall.total > 0
+      ? Math.round((data.sla.overall.withinSla / data.sla.overall.total) * 100)
+      : 100;
+
+  return [
+    {
+      label: 'SLA compliance',
+      value: `${compliance}%`,
+      detail:
+        data.sla.overall.total > 0
+          ? `${data.sla.overall.withinSla} of ${data.sla.overall.total} within deadline`
+          : 'No assigned deadlines',
+      icon: ShieldCheck,
+      tone: compliance < 70 ? 'danger' : compliance < 90 ? 'warning' : 'neutral',
+    },
+    {
+      label: 'Deadline passed',
+      value: String(data.sla.overall.overdue),
+      detail: `${data.sla.bySeverity.critical.overdue} critical, ${data.sla.bySeverity.high.overdue} high`,
+      icon: AlertCircle,
+      tone: data.sla.overall.overdue > 0 ? 'danger' : 'neutral',
+    },
+    {
+      label: 'Due this week',
+      value: String(data.sla.dueSoon.total),
+      detail: `${data.sla.dueSoon.exploitable} confirmed exploitable`,
+      icon: CalendarClock,
+      tone: data.sla.dueSoon.total > 0 ? 'warning' : 'neutral',
+    },
+    {
+      label: 'No deadline',
+      value: String(data.sla.untrackedCount),
+      detail: data.sla.untrackedCount > 0 ? 'Review SLA assignment' : 'All open findings tracked',
+      icon: CircleHelp,
+      tone: 'neutral',
+    },
+  ];
+}
+
+function DashboardMetricCard({ label, value, detail, icon: Icon, tone }: DashboardMetric) {
+  const toneClass = {
+    danger: 'text-status-destructive',
+    warning: 'text-status-warning',
+    neutral: 'text-muted-foreground',
+  }[tone];
+
+  return (
+    <div className="bg-card p-5">
+      <div className="text-muted-foreground flex items-center gap-2 text-xs">
+        <Icon className={cn('size-3.5', toneClass)} aria-hidden="true" />
+        {label}
+      </div>
+      <div className={cn('mt-3 font-mono text-2xl font-semibold tabular-nums', toneClass)}>
+        {value}
+      </div>
+      <p className="text-muted-foreground mt-1 text-xs">{detail}</p>
+    </div>
+  );
+}
+
+function AttentionCard({
+  data,
+  basePath,
+  repoFullName,
+  slaEnabled,
+}: {
+  data: DashboardStats;
+  basePath: string;
+  repoFullName: string | undefined;
+  slaEnabled: boolean;
+}) {
+  const finding = data.priorityFinding;
+  const needsAction = getNeedsActionCount(data.analysis);
+  const closed = data.status.fixed + data.status.ignored;
+  const openFindingsHref = findingsHref(basePath, { status: 'open', repoFullName });
+
+  if (!finding) {
+    return (
+      <section
+        className="border-status-success-border bg-status-success-surface rounded-xl border p-6"
+        aria-labelledby="attention-heading"
+      >
+        <div className="flex items-start gap-3">
+          <CheckCircle2 className="text-status-success-icon mt-0.5 size-5" aria-hidden="true" />
+          <div>
+            <h2 id="attention-heading" className="font-semibold">
+              No open findings need attention
+            </h2>
+            <p className="text-muted-foreground mt-1 text-sm leading-6">
+              Security Agent will rank new work here after the next sync.
+            </p>
+            <Button asChild variant="outline" size="sm" className="mt-4">
+              <Link href={openFindingsHref}>View all findings</Link>
+            </Button>
+          </div>
+        </div>
+      </section>
+    );
+  }
+
+  const severity = titleCaseSeverity(finding.severity);
+  const isOverdue = slaEnabled && finding.daysOverdue !== null;
+  let heading = `${severity} finding needs attention`;
+  let description = 'Review the current evidence and choose the next action.';
+
+  if (isOverdue) {
+    heading = `${severity} finding is overdue`;
+    description =
+      finding.analysisStatus === null || finding.analysisStatus === 'failed'
+        ? 'Its deadline passed before Security Agent confirmed project risk. Review it now and start analysis if needed.'
+        : 'Its resolution deadline has passed. Review current analysis and remediation options.';
+  } else if (finding.analysisStatus === null || finding.analysisStatus === 'failed') {
+    heading = `${severity} finding needs analysis`;
+    description =
+      'Advisory severity is known, but project risk is not. Review code usage before choosing remediation or dismissal.';
+  } else if (finding.analysisStatus === 'pending' || finding.analysisStatus === 'running') {
+    heading = `${severity} finding analysis is in progress`;
+    description = 'Open the finding to review current analysis status and source details.';
+  } else if (finding.isExploitable === true) {
+    heading = `${severity} exploitable finding needs review`;
+    description =
+      'Codebase analysis confirmed project risk. Review evidence and available remediation actions.';
+  } else if (finding.suggestedAction === 'manual_review') {
+    heading = `${severity} finding needs your review`;
+    description =
+      'Security Agent found evidence that requires a human decision before the finding can proceed.';
+  }
+
+  return (
+    <section
+      className="border-border bg-card overflow-hidden rounded-xl border"
+      aria-labelledby="attention-heading"
+    >
+      <div className="grid lg:grid-cols-[minmax(0,1.35fr)_minmax(20rem,0.65fr)]">
+        <div className="p-5 sm:p-6 lg:p-8">
+          <div className="text-status-destructive flex items-center gap-2 text-sm font-medium">
+            <ShieldAlert className="size-4" aria-hidden="true" />
+            Act first
+          </div>
+          <h2 id="attention-heading" className="mt-3 text-xl font-semibold sm:text-2xl">
+            {heading}
+          </h2>
+          <p className="text-muted-foreground mt-2 text-sm leading-6">{description}</p>
+          <div className="bg-surface-overlay mt-5 rounded-lg p-4">
+            <p className="truncate text-sm font-medium">{finding.title}</p>
+            <p className="text-muted-foreground mt-2 truncate font-mono text-xs">
+              {finding.repoFullName}
+              {isOverdue &&
+                ` · ${finding.daysOverdue === 0 ? 'Deadline reached today' : `${finding.daysOverdue} days overdue`}`}
+            </p>
+          </div>
+          <div className="mt-5 flex flex-wrap gap-2">
+            <Button asChild>
+              <Link href={findingsHref(basePath, { findingId: finding.id })}>
+                Review finding
+                <ArrowRight aria-hidden="true" />
+              </Link>
+            </Button>
+            <Button asChild variant="ghost">
+              <Link href={openFindingsHref}>View all open findings</Link>
+            </Button>
+          </div>
+        </div>
+        <div className="border-border grid border-t sm:grid-cols-3 lg:grid-cols-1 lg:border-t-0 lg:border-l">
+          <GuidanceFact
+            icon={TriangleAlert}
+            label="Needs action"
+            value={`${needsAction} findings`}
+            detail="Analysis, remediation, or review required"
+            tone="danger"
+          />
+          <GuidanceFact
+            icon={ShieldCheck}
+            label="Confirmed risk"
+            value={`${data.analysis.exploitable} exploitable`}
+            detail="Code can reach affected behavior"
+            tone="warning"
+          />
+          <GuidanceFact
+            icon={Sparkles}
+            label="Closed findings"
+            value={`${closed} total`}
+            detail="Fixed or dismissed"
+            tone="success"
+          />
+        </div>
+      </div>
+    </section>
+  );
+}
+
+function GuidanceFact({
+  icon: Icon,
+  label,
+  value,
+  detail,
+  tone,
+}: {
+  icon: LucideIcon;
+  label: string;
+  value: string;
+  detail: string;
+  tone: 'danger' | 'warning' | 'success';
+}) {
+  const iconClass = {
+    danger: 'text-status-destructive-icon',
+    warning: 'text-status-warning-icon',
+    success: 'text-status-success-icon',
+  }[tone];
+
+  return (
+    <div className="border-border p-4 not-last:border-b sm:not-last:border-r sm:not-last:border-b-0 lg:not-last:border-r-0 lg:not-last:border-b">
+      <div className="text-muted-foreground flex items-center gap-2 text-xs">
+        <Icon className={cn('size-3.5', iconClass)} aria-hidden="true" />
+        {label}
+      </div>
+      <div className="mt-2 font-mono text-lg font-semibold tabular-nums">{value}</div>
+      <p className="text-muted-foreground mt-1 text-xs leading-5">{detail}</p>
+    </div>
+  );
+}
+
+function DeadlinePostureCard({ data, basePath }: { data: DashboardStats; basePath: string }) {
+  const total = data.sla.overall.total;
+  const within = data.sla.overall.withinSla;
+  const compliance = total > 0 ? Math.round((within / total) * 100) : 100;
+  const postureTone = compliance < 70 ? 'danger' : compliance < 90 ? 'warning' : 'success';
+
+  return (
+    <DashboardSection
+      title="SLA posture"
+      description="Tracks open Security Findings with assigned SLA deadlines to show where resolution work is on track or overdue."
+    >
+      <div className="flex items-end justify-between gap-4">
+        <div>
+          <div className="font-mono text-3xl font-semibold tabular-nums">
+            {within} / {total}
+          </div>
+          <div className="text-muted-foreground mt-1 text-xs">within resolution deadline</div>
+        </div>
+        <span
+          className={cn('font-mono text-sm font-medium tabular-nums', toneTextClass(postureTone))}
+        >
+          {compliance}% · {postureLabel(compliance)}
+        </span>
+      </div>
+      <Progress
+        value={compliance}
+        aria-label="Security Findings within resolution deadline"
+        className="bg-surface-inset mt-4"
+        indicatorClassName={toneIndicatorClass(postureTone)}
+      />
+      <div className="mt-6 space-y-5">
+        {(['critical', 'high', 'medium', 'low'] as const).map(severity => {
+          const sla = data.sla.bySeverity[severity];
+          const severityCompliance =
+            sla.total > 0 ? Math.round((sla.withinSla / sla.total) * 100) : 100;
+          const tone =
+            sla.overdue === 0 ? 'success' : severityCompliance < 70 ? 'danger' : 'warning';
+          return (
+            <DeadlineBar
+              key={severity}
+              label={titleCaseSeverity(severity)}
+              within={sla.withinSla}
+              total={sla.total}
+              overdue={sla.overdue}
+              tone={tone}
+            />
+          );
+        })}
+      </div>
+      <div className="border-border mt-6 border-t pt-4">
+        <Button asChild variant="ghost" size="sm">
+          <Link href={`${basePath}/config?tab=sla`}>
+            <Settings2 aria-hidden="true" />
+            Review SLA rules
+          </Link>
+        </Button>
+      </div>
+    </DashboardSection>
+  );
+}
+
+function ActionPostureCard({
+  data,
+  basePath,
+  repoFullName,
+}: {
+  data: DashboardStats;
+  basePath: string;
+  repoFullName: string | undefined;
+}) {
+  const analysisIncomplete = getAnalysisIncompleteCount(data.analysis);
+  const decisionsPending = data.analysis.needsReview;
+  const total = data.analysis.total;
+  const decisionPercentage = total > 0 ? Math.round((decisionsPending / total) * 100) : 0;
+  const noImmediateAction = Math.max(
+    0,
+    total - data.analysis.exploitable - decisionsPending - analysisIncomplete
+  );
 
-      {/* Severity Breakdown + Status Overview */}
-      <div className="grid grid-cols-1 gap-6 lg:grid-cols-2">
-        <SeverityBreakdown
-          severity={severity}
-          isLoading={isLoading}
-          basePath={basePath}
-          extraParams={repoFilterParam}
+  return (
+    <DashboardSection
+      title="Action posture"
+      description="Open Security Findings grouped by their clearest next step."
+      action={
+        <Button asChild variant="ghost" size="sm" className="shrink-0">
+          <Link href={`${basePath}/config?tab=sla`}>
+            <Settings2 aria-hidden="true" />
+            Configure SLA
+          </Link>
+        </Button>
+      }
+    >
+      <div className="flex items-end justify-between gap-4">
+        <div>
+          <div className="font-mono text-3xl font-semibold tabular-nums">
+            {decisionsPending} / {total}
+          </div>
+          <div className="text-muted-foreground mt-1 text-xs">need a team decision</div>
+        </div>
+        <span className="text-status-warning text-sm font-medium">
+          {decisionsPending} decisions pending
+        </span>
+      </div>
+      <Progress
+        value={decisionPercentage}
+        aria-label="Open Security Findings needing a team decision"
+        className="bg-surface-inset mt-4"
+        indicatorClassName="bg-status-warning-icon"
+      />
+      <dl className="mt-6 space-y-4 text-sm">
+        <PostureLine
+          label="Confirmed exploitable"
+          value={data.analysis.exploitable}
+          detail="Project risk confirmed"
+        />
+        <PostureLine
+          label="Needs evidence review"
+          value={decisionsPending}
+          detail="Human decision required"
+        />
+        <PostureLine
+          label="Analysis not complete"
+          value={analysisIncomplete}
+          detail="Project risk still unknown"
         />
-        <StatusOverview
-          status={status}
-          isLoading={isLoading}
-          basePath={basePath}
-          extraParams={repoFilterParam}
+        <PostureLine
+          label="No immediate action"
+          value={noImmediateAction}
+          detail="Monitored or not exploitable"
         />
+      </dl>
+      <Button asChild variant="ghost" size="sm" className="mt-5 px-0">
+        <Link href={findingsHref(basePath, { status: 'open', repoFullName })}>
+          Review open findings
+          <ArrowRight aria-hidden="true" />
+        </Link>
+      </Button>
+    </DashboardSection>
+  );
+}
+
+function DashboardSection({
+  title,
+  description,
+  action,
+  children,
+}: {
+  title: string;
+  description: string;
+  action?: ReactNode;
+  children: ReactNode;
+}) {
+  const headingId = `dashboard-${title.toLowerCase().replaceAll(' ', '-')}`;
+  return (
+    <section className="border-border bg-card rounded-xl border" aria-labelledby={headingId}>
+      <div className="border-border flex items-start justify-between gap-4 border-b p-5 sm:p-6">
+        <div>
+          <h2 id={headingId} className="font-semibold">
+            {title}
+          </h2>
+          <p className="text-muted-foreground mt-1 text-sm">{description}</p>
+        </div>
+        {action}
       </div>
+      <div className="p-5 sm:p-6">{children}</div>
+    </section>
+  );
+}
 
-      {/* Analysis Coverage + MTTR */}
-      <div className={slaEnabled ? 'grid grid-cols-1 gap-6 lg:grid-cols-2' : 'grid gap-6'}>
-        <AnalysisCoverage
-          analysis={analysis}
-          isLoading={isLoading}
-          basePath={basePath}
-          extraParams={repoFilterParam}
-        />
-        {slaEnabled && <MeanTimeToResolution mttr={mttr} isLoading={isLoading} />}
+function PostureLine({ label, value, detail }: { label: string; value: number; detail: string }) {
+  return (
+    <div className="flex items-center justify-between gap-4">
+      <dt>
+        <div>{label}</div>
+        <div className="text-muted-foreground mt-0.5 text-xs">{detail}</div>
+      </dt>
+      <dd className="text-muted-foreground font-mono tabular-nums">{value}</dd>
+    </div>
+  );
+}
+
+function DeadlineBar({
+  label,
+  within,
+  total,
+  overdue,
+  tone,
+}: {
+  label: string;
+  within: number;
+  total: number;
+  overdue: number;
+  tone: 'danger' | 'warning' | 'success';
+}) {
+  const percentage = total > 0 ? Math.round((within / total) * 100) : 100;
+
+  return (
+    <div>
+      <div className="mb-2 flex items-center justify-between gap-3 text-xs">
+        <span className="font-medium">{label}</span>
+        <span className="text-muted-foreground font-mono text-right tabular-nums">
+          {overdue} overdue · {within} of {total} within
+        </span>
       </div>
+      <Progress
+        value={percentage}
+        aria-label={`${label} Security Findings within resolution deadline`}
+        className="bg-surface-inset"
+        indicatorClassName={toneIndicatorClass(tone)}
+      />
+    </div>
+  );
+}
 
-      {slaEnabled && (
-        <OverdueFindingsTable
-          findings={overdue}
-          isLoading={isLoading}
-          basePath={basePath}
-          extraParams={repoFilterParam}
-        />
-      )}
+function UnderstandingSummary({
+  data,
+  basePath,
+  repoFullName,
+  slaEnabled,
+}: {
+  data: DashboardStats;
+  basePath: string;
+  repoFullName: string | undefined;
+  slaEnabled: boolean;
+}) {
+  const progress =
+    data.analysis.total > 0
+      ? Math.round((data.analysis.analyzed / data.analysis.total) * 100)
+      : 100;
+  const analysisIncomplete = getAnalysisIncompleteCount(data.analysis);
 
-      {/* Repository Health */}
-      <RepositoryHealthTable
-        repos={repoHealth}
-        isLoading={isLoading}
-        basePath={basePath}
-        extraParams={repoFilterParam}
-        showSla={slaEnabled}
+  return (
+    <DashboardSection
+      title="Codebase risk"
+      description="Analysis shows which Security Findings can affect your codebase beyond published severity."
+    >
+      <div className="flex items-end justify-between gap-4">
+        <div>
+          <div className="font-mono text-3xl font-semibold tabular-nums">{progress}%</div>
+          <div className="text-muted-foreground mt-1 text-xs">
+            {data.analysis.analyzed} of {data.analysis.total} open findings analyzed
+          </div>
+        </div>
+        <CheckCircle2 className="text-status-success-icon size-6" aria-label="Analysis coverage" />
+      </div>
+      <Progress
+        value={progress}
+        aria-label="Open findings analyzed"
+        className="bg-surface-inset mt-4"
+        indicatorClassName="bg-status-success-icon"
       />
+      <dl className="mt-6 space-y-1 text-sm">
+        <SummaryLine
+          label="Confirmed exploitable"
+          value={data.analysis.exploitable}
+          tone="danger"
+          href={findingsHref(basePath, { outcomeFilter: 'exploitable', repoFullName })}
+        />
+        <SummaryLine
+          label="Not exploitable"
+          value={data.analysis.notExploitable}
+          tone="success"
+          href={findingsHref(basePath, { outcomeFilter: 'not_exploitable', repoFullName })}
+        />
+        <SummaryLine
+          label="Needs your review"
+          value={data.analysis.needsReview}
+          tone="warning"
+          href={findingsHref(basePath, { outcomeFilter: 'needs_review', repoFullName })}
+        />
+        <SummaryLine
+          label="Analysis not complete"
+          value={analysisIncomplete}
+          tone="neutral"
+          href={findingsHref(basePath, { status: 'open', repoFullName })}
+        />
+        {slaEnabled && (
+          <SummaryLine
+            label="No SLA deadline assigned"
+            value={data.sla.untrackedCount}
+            tone="neutral"
+            href={findingsHref(basePath, { status: 'open', repoFullName })}
+          />
+        )}
+      </dl>
+      <p className="text-muted-foreground border-border mt-5 border-t pt-4 text-xs leading-5">
+        Severity comes from the advisory. Exploitability reflects how this repository uses the
+        affected package.
+      </p>
+    </DashboardSection>
+  );
+}
+
+function SummaryLine({
+  label,
+  value,
+  tone,
+  href,
+}: {
+  label: string;
+  value: number;
+  tone: SummaryTone;
+  href: string;
+}) {
+  const dotClass = {
+    danger: 'bg-status-destructive-icon',
+    warning: 'bg-status-warning-icon',
+    success: 'bg-status-success-icon',
+    neutral: 'bg-status-neutral-icon',
+  }[tone];
+
+  return (
+    <div className="flex items-center justify-between gap-4">
+      <dt>
+        <Link
+          href={href}
+          className="focus-visible:ring-ring hover:bg-accent flex items-center gap-2 rounded-md px-2 py-1.5 transition-colors focus-visible:ring-2 focus-visible:outline-none"
+        >
+          <span className={cn('size-2 rounded-full', dotClass)} aria-hidden="true" />
+          {label}
+        </Link>
+      </dt>
+      <dd className="text-muted-foreground font-mono tabular-nums">{value}</dd>
     </div>
   );
 }
+
+function RepositoryActionPlan({
+  repositories,
+  basePath,
+  slaEnabled,
+}: {
+  repositories: DashboardStats['repoHealth'];
+  basePath: string;
+  slaEnabled: boolean;
+}) {
+  return (
+    <section
+      className="border-border overflow-hidden rounded-xl border"
+      aria-labelledby="repository-plan-heading"
+    >
+      <div className="bg-card border-border border-b p-5 sm:p-6">
+        <h2 id="repository-plan-heading" className="font-semibold">
+          Repository action plan
+        </h2>
+        <p className="text-muted-foreground mt-1 text-sm">
+          {slaEnabled
+            ? 'Ranked by critical severity, missed deadlines, then findings requiring action.'
+            : 'Ranked by critical severity, confirmed project risk, then findings requiring action.'}
+        </p>
+      </div>
+      {repositories.length > 0 ? (
+        <div className="divide-border divide-y">
+          {repositories.map((repository, index) => (
+            <RepositoryActionRow
+              key={repository.repoFullName}
+              repository={repository}
+              rank={index + 1}
+              basePath={basePath}
+              slaEnabled={slaEnabled}
+            />
+          ))}
+        </div>
+      ) : (
+        <div className="bg-card p-6 text-center">
+          <ShieldCheck className="text-status-success-icon mx-auto size-6" aria-hidden="true" />
+          <h3 className="mt-3 font-medium">No repositories have open findings</h3>
+          <p className="text-muted-foreground mt-1 text-sm">
+            Repository priorities will appear after findings are synced.
+          </p>
+        </div>
+      )}
+    </section>
+  );
+}
+
+function RepositoryActionRow({
+  repository,
+  rank,
+  basePath,
+  slaEnabled,
+}: {
+  repository: DashboardStats['repoHealth'][number];
+  rank: number;
+  basePath: string;
+  slaEnabled: boolean;
+}) {
+  const needsActionPercentage =
+    repository.open > 0 ? Math.round((repository.needsAction / repository.open) * 100) : 0;
+  const complianceTone = repository.slaCompliancePercent < 70 ? 'danger' : 'success';
+  const actionTone = repository.needsAction > 0 ? 'warning' : 'success';
+
+  return (
+    <article className="bg-card grid grid-cols-[2rem_minmax(0,1fr)] gap-4 p-4 sm:p-5 lg:grid-cols-[2rem_minmax(14rem,1fr)_minmax(16rem,0.8fr)_auto] lg:items-center">
+      <div className="bg-muted text-muted-foreground flex size-8 items-center justify-center rounded-md font-mono text-xs">
+        {String(rank).padStart(2, '0')}
+      </div>
+      <div className="min-w-0">
+        <h3 className="truncate font-mono text-sm font-medium">{repository.repoFullName}</h3>
+        <p className="text-muted-foreground mt-1 text-xs">
+          {repository.open} open · {repository.critical} critical · {repository.high} high
+        </p>
+      </div>
+      <div className="col-span-2 lg:col-span-1">
+        <div className="mb-2 flex items-center justify-between gap-3 text-xs">
+          <span className="text-muted-foreground">
+            {slaEnabled ? 'SLA compliance' : 'Needs action'}
+          </span>
+          <span
+            className={cn(
+              'font-mono tabular-nums',
+              toneTextClass(slaEnabled ? complianceTone : actionTone)
+            )}
+          >
+            {slaEnabled
+              ? `${repository.slaCompliancePercent}%`
+              : `${repository.needsAction} findings`}
+          </span>
+        </div>
+        <Progress
+          value={slaEnabled ? repository.slaCompliancePercent : needsActionPercentage}
+          aria-label={
+            slaEnabled
+              ? `${repository.repoFullName} SLA compliance`
+              : `${repository.repoFullName} findings needing action`
+          }
+          className="bg-surface-inset"
+          indicatorClassName={toneIndicatorClass(slaEnabled ? complianceTone : actionTone)}
+        />
+        <p className="text-muted-foreground mt-2 text-xs">
+          {slaEnabled
+            ? repository.overdue > 0
+              ? `${repository.overdue} overdue · ${repository.needsAction} need action`
+              : 'No overdue findings'
+            : repository.needsAction > 0
+              ? `${repository.exploitable} exploitable · ${repository.needsAction} need action`
+              : 'No findings need action'}
+        </p>
+      </div>
+      <Button
+        asChild
+        variant="outline"
+        size="sm"
+        className="col-span-2 w-full sm:w-auto lg:col-span-1"
+      >
+        <Link
+          href={findingsHref(basePath, { status: 'open', repoFullName: repository.repoFullName })}
+        >
+          Review
+          <ArrowRight aria-hidden="true" />
+        </Link>
+      </Button>
+    </article>
+  );
+}
+
+function postureLabel(compliance: number): string {
+  if (compliance < 70) return 'At risk';
+  if (compliance < 90) return 'Needs attention';
+  return 'On track';
+}
+
+function toneTextClass(tone: 'danger' | 'warning' | 'success'): string {
+  return {
+    danger: 'text-status-destructive',
+    warning: 'text-status-warning',
+    success: 'text-status-success',
+  }[tone];
+}
+
+function toneIndicatorClass(tone: 'danger' | 'warning' | 'success'): string {
+  return {
+    danger: 'bg-status-destructive-icon',
+    warning: 'bg-status-warning-icon',
+    success: 'bg-status-success-icon',
+  }[tone];
+}
diff --git a/apps/web/src/components/security-agent/SecurityFindingRow.test.ts b/apps/web/src/components/security-agent/SecurityFindingRow.test.ts
new file mode 100644
index 000000000..c2da7f0b1
--- /dev/null
+++ b/apps/web/src/components/security-agent/SecurityFindingRow.test.ts
@@ -0,0 +1,102 @@
+import { describe, expect, it } from '@jest/globals';
+import type {
+  SecurityFindingWithRemediation,
+  SecurityRemediationCapability,
+} from '@/lib/security-agent/db/security-remediation';
+import {
+  getAnalysisPresentation,
+  getDeadlinePresentation,
+} from './security-finding-list-presentation';
+
+const baseRemediationCapability: SecurityRemediationCapability = {
+  canStart: false,
+  startReason: 'analysis_required',
+  canRetry: false,
+  retryReason: 'retry_not_allowed',
+  canCancel: false,
+  cancelAttemptId: null,
+};
+
+const baseFinding = {
+  id: 'finding-1',
+  status: 'open',
+  severity: 'high',
+  title: 'Command Injection in lodash',
+  analysis_status: null,
+  analysis: null,
+  analysis_error: null,
+  fixed_at: null,
+  ignored_reason: null,
+  sla_due_at: null,
+  updated_at: '2026-06-17T12:00:00.000Z',
+  remediationSummary: null,
+  remediationCapability: baseRemediationCapability,
+} as SecurityFindingWithRemediation;
+
+function findingWith(
+  overrides: Partial<SecurityFindingWithRemediation>
+): SecurityFindingWithRemediation {
+  return { ...baseFinding, ...overrides };
+}
+
+describe('Security Finding list presentation', () => {
+  it('preserves analysis outcome for a closed finding', () => {
+    const finding = findingWith({
+      status: 'fixed',
+      analysis_status: 'completed',
+      analysis: {
+        sandboxAnalysis: {
+          isExploitable: true,
+          summary: 'Reachable vulnerable path found.',
+        },
+      } as SecurityFindingWithRemediation['analysis'],
+    });
+
+    expect(getAnalysisPresentation(finding)).toMatchObject({
+      label: 'Exploitable',
+      tone: 'destructive',
+    });
+  });
+
+  it('formats open SLA deadlines with urgency labels', () => {
+    const now = new Date('2026-06-17T12:00:00.000Z');
+
+    expect(
+      getDeadlinePresentation(findingWith({ sla_due_at: '2026-06-16T12:00:00.000Z' }), now)
+    ).toMatchObject({
+      label: '1 day overdue',
+      detail: 'Due Jun 16, 2026',
+      tone: 'destructive',
+    });
+    expect(
+      getDeadlinePresentation(findingWith({ sla_due_at: '2026-06-17T10:00:00.000Z' }), now)
+    ).toMatchObject({
+      label: 'Overdue',
+      detail: 'Due Jun 17, 2026',
+      tone: 'destructive',
+    });
+    expect(
+      getDeadlinePresentation(findingWith({ sla_due_at: '2026-06-18T12:00:00.000Z' }), now)
+    ).toMatchObject({
+      label: 'Due tomorrow',
+      detail: 'Due Jun 18, 2026',
+      tone: 'warning',
+    });
+  });
+
+  it('shows whether a fixed finding met its recorded deadline', () => {
+    const presentation = getDeadlinePresentation(
+      findingWith({
+        status: 'fixed',
+        sla_due_at: '2026-06-18T12:00:00.000Z',
+        fixed_at: '2026-06-17T12:00:00.000Z',
+      })
+    );
+
+    expect(presentation).toMatchObject({
+      label: 'Fixed before deadline',
+      detail: 'Fixed Jun 17, 2026',
+      tone: 'success',
+    });
+  });
+});
diff --git a/apps/web/src/components/security-agent/SecurityFindingRow.tsx b/apps/web/src/components/security-agent/SecurityFindingRow.tsx
index 23576be62..d854d1e6e 100644
--- a/apps/web/src/components/security-agent/SecurityFindingRow.tsx
+++ b/apps/web/src/components/security-agent/SecurityFindingRow.tsx
@@ -1,182 +1,34 @@
 'use client';
 
-import { differenceInDays, differenceInHours, differenceInMinutes, isPast } from 'date-fns';
 import {
   Brain,
-  CheckCircle2,
   ChevronRight,
   Eye,
   ExternalLink,
   GitPullRequest,
   Loader2,
-  Package,
   RotateCw,
-  Shield,
-  ShieldAlert,
-  ShieldCheck,
-  ShieldX,
   XCircle,
 } from 'lucide-react';
 import { Button } from '@/components/ui/button';
-import { Tooltip, TooltipContent, TooltipTrigger } from '@/components/ui/tooltip';
-import type { SecurityFinding } from '@kilocode/db/schema';
+import type { SecurityFindingWithRemediation } from '@/lib/security-agent/db/security-remediation';
 import { cn } from '@/lib/utils';
 import { SeverityBadge } from './SeverityBadge';
-import { securityAgentCommandAdmissionCopy } from './security-agent-command-copy';
-
-type Outcome = {
-  icon: typeof CheckCircle2;
-  label: string;
-  className: string;
-  spin: boolean;
-  tooltip: string | null;
-};
-
-function getOutcome(finding: SecurityFinding): Outcome | null {
-  if (finding.status === 'fixed') {
-    return {
-      icon: CheckCircle2,
-      label: 'Fixed',
-      className: 'text-green-400',
-      spin: false,
-      tooltip: finding.fixed_at
-        ? `Fixed ${formatCompactDistance(new Date(finding.fixed_at))} ago`
-        : null,
-    };
-  }
-  if (finding.status === 'ignored') {
-    return {
-      icon: XCircle,
-      label: 'Dismissed',
-      className: 'text-muted-foreground',
-      spin: false,
-      tooltip: finding.ignored_reason?.replace(/_/g, ' ') ?? null,
-    };
-  }
-  if (finding.analysis_status === 'pending' || finding.analysis_status === 'running') {
-    return {
-      icon: Loader2,
-      label: 'Analyzing',
-      className: 'text-yellow-400',
-      spin: true,
-      tooltip: finding.analysis_status === 'pending' ? 'Analysis is queued' : 'Analysis is running',
-    };
-  }
-  if (finding.analysis_status === 'failed') {
-    return {
-      icon: XCircle,
-      label: 'Analysis failed',
-      className: 'text-red-400',
-      spin: false,
-      tooltip: finding.analysis_error || 'Analysis failed. Retry to run it again.',
-    };
-  }
-  if (finding.analysis_status !== 'completed') return null;
-
-  const sandbox = finding.analysis?.sandboxAnalysis;
-  const triage = finding.analysis?.triage;
-  if (sandbox?.isExploitable === true) {
-    return {
-      icon: ShieldAlert,
-      label: 'Exploitable',
-      className: 'text-red-400',
-      spin: false,
-      tooltip: sandbox.summary || 'Codebase analysis confirmed this vulnerability is exploitable',
-    };
-  }
-  if (sandbox?.isExploitable === false) {
-    return {
-      icon: ShieldCheck,
-      label: 'Not exploitable',
-      className: 'text-green-400',
-      spin: false,
-      tooltip: sandbox.summary || 'Codebase analysis determined this is not exploitable',
-    };
-  }
-  if (triage?.suggestedAction === 'dismiss') {
-    return {
-      icon: ShieldX,
-      label: 'Safe to dismiss',
-      className: 'text-green-400',
-      spin: false,
-      tooltip: triage.needsSandboxReasoning || 'Triage determined this can be safely dismissed',
-    };
-  }
-  if (triage?.suggestedAction === 'manual_review') {
-    return {
-      icon: Eye,
-      label: 'Needs review',
-      className: 'text-yellow-400',
-      spin: false,
-      tooltip: triage.needsSandboxReasoning || 'Triage flagged this for manual review',
-    };
-  }
-  return {
-    icon: Shield,
-    label: triage ? 'Triage complete' : 'Analyzed',
-    className: 'text-muted-foreground',
-    spin: false,
-    tooltip: triage?.needsSandboxReasoning || null,
-  };
-}
-
-function OutcomeLabel({ outcome }: { outcome: Outcome }) {
-  const content = (
-    <span className={cn('flex items-center gap-1.5', outcome.className)}>
-      <outcome.icon
-        className={cn('size-3.5', outcome.spin && 'animate-spin motion-reduce:animate-none')}
-        aria-hidden="true"
-      />
-      {outcome.label}
-    </span>
-  );
-  if (!outcome.tooltip) return content;
-  return (
-    <Tooltip>
-      <TooltipTrigger asChild>{content}</TooltipTrigger>
-      <TooltipContent side="top" sideOffset={4} className="max-w-xs">
-        {outcome.tooltip}
-      </TooltipContent>
-    </Tooltip>
-  );
-}
+import {
+  isAwaitingManualAnalysisAdmission,
+  manualAnalysisAdmissionCopy,
+  manualAnalysisCapacityFullCopy,
+} from './manual-analysis-admission-copy';
+import {
+  getAnalysisPresentation,
+  getDeadlinePresentation,
+  getFindingListGridClass,
+  type FindingStatusPresentation,
+  type FindingTone,
+} from './security-finding-list-presentation';
 
 type Severity = 'critical' | 'high' | 'medium' | 'low';
 
-function isSeverity(value: string): value is Severity {
-  return ['critical', 'high', 'medium', 'low'].includes(value);
-}
-
-export type RemediationSummary = {
-  status: string;
-  latestAttemptId: string | null;
-  prUrl: string | null;
-  prNumber: number | null;
-  prDraft: boolean | null;
-  prHeadBranch: string | null;
-  prBaseBranch: string | null;
-  outcomeSummary: string | null;
-  failureCode: string | null;
-  blockedReason: string | null;
-  completedAt: string | null;
-  updatedAt: string;
-  latestAttempt?: { id: string; status: string } | null;
-};
-
-export type RemediationCapability = {
-  canStart: boolean;
-  startReason: string;
-  canRetry: boolean;
-  retryReason: string;
-  canCancel: boolean;
-  cancelAttemptId: string | null;
-};
-
-export type SecurityFindingWithRemediation = SecurityFinding & {
-  remediationSummary?: RemediationSummary | null;
-  remediationCapability?: RemediationCapability;
-};
-
 type SecurityFindingRowProps = {
   finding: SecurityFindingWithRemediation;
   onClick: () => void;
@@ -185,6 +37,7 @@ type SecurityFindingRowProps = {
     options?: { forceSandbox?: boolean; retrySandboxOnly?: boolean }
   ) => void;
   isStartingAnalysis?: boolean;
+  analysisAtCapacity?: boolean;
   onStartRemediation?: (findingId: string) => void;
   onRetryRemediation?: (findingId: string) => void;
   onCancelRemediation?: (attemptId: string, findingId?: string) => void;
@@ -193,23 +46,64 @@ type SecurityFindingRowProps = {
   slaDisplay?: 'visible' | 'hidden';
 };
 
-function formatCompactDistance(date: Date) {
-  const now = new Date();
-  const days = Math.abs(differenceInDays(now, date));
-  if (days >= 1) return `${days}d`;
-  const hours = Math.abs(differenceInHours(now, date));
-  if (hours >= 1) return `${hours}h`;
-  return `${Math.abs(differenceInMinutes(now, date))}m`;
+const toneStyles: Record<FindingTone, { status: string; text: string }> = {
+  success: {
+    status: 'border-status-success-border bg-status-success-surface text-status-success',
+    text: 'text-status-success',
+  },
+  warning: {
+    status: 'border-status-warning-border bg-status-warning-surface text-status-warning',
+    text: 'text-status-warning',
+  },
+  destructive: {
+    status:
+      'border-status-destructive-border bg-status-destructive-surface text-status-destructive',
+    text: 'text-status-destructive',
+  },
+  neutral: {
+    status: 'border-status-neutral-border bg-status-neutral-surface text-status-neutral',
+    text: 'text-status-neutral',
+  },
+};
+
+function isSeverity(value: string): value is Severity {
+  return ['critical', 'high', 'medium', 'low'].includes(value);
 }
 
-function isActiveRemediationStatus(status: string | null | undefined) {
-  return status === 'queued' || status === 'launching' || status === 'running';
+function FindingStatusCell({
+  label,
+  children,
+  className,
+}: {
+  label: string;
+  children: React.ReactNode;
+  className?: string;
+}) {
+  return (
+    <div className={cn('relative z-10 min-w-0 pointer-events-none', className)}>
+      <div className="text-muted-foreground type-label mb-2 xl:hidden">{label}</div>
+      {children}
+    </div>
+  );
 }
 
-function formatRemediationStatus(status: string | null | undefined) {
-  if (status === 'pr_opened') return 'PR opened';
-  if (status === 'no_changes_needed') return 'No changes';
-  return status?.replace(/_/g, ' ') ?? null;
+function StatusPill({ status }: { status: FindingStatusPresentation }) {
+  const Icon = status.icon;
+  return (
+    <span
+      className={cn(
+        'type-label inline-flex items-center gap-1.5 rounded-full border px-2.5 py-1',
+        toneStyles[status.tone].status
+      )}
+      title={status.tooltip ?? undefined}
+    >
+      <Icon
+        className={cn('size-3.5', status.spinning && 'animate-spin motion-reduce:animate-none')}
+        aria-hidden="true"
+      />
+      {status.label}
+    </span>
+  );
 }
 
 export function SecurityFindingRow({
@@ -217,6 +111,7 @@ export function SecurityFindingRow({
   onClick,
   onStartAnalysis,
   isStartingAnalysis,
+  analysisAtCapacity = false,
   onStartRemediation,
   onRetryRemediation,
   onCancelRemediation,
@@ -225,171 +120,171 @@ export function SecurityFindingRow({
   slaDisplay = 'visible',
 }: SecurityFindingRowProps) {
   const severity: Severity = isSeverity(finding.severity) ? finding.severity : 'medium';
-  const canStartAnalysis =
+  const showAnalysisAction =
     finding.status === 'open' &&
     (!finding.analysis_status || finding.analysis_status === 'failed') &&
     Boolean(onStartAnalysis) &&
     !isStartingAnalysis;
-  const outcome = getOutcome(finding);
+  const isAwaitingAnalysisAdmission = isAwaitingManualAnalysisAdmission(
+    Boolean(isStartingAnalysis),
+    finding.analysis_status
+  );
+  const analysis = getAnalysisPresentation(finding);
+  const deadline = getDeadlinePresentation(finding);
   const remediation = finding.remediationSummary;
   const capability = finding.remediationCapability;
   const remediationStatus = remediation?.status ?? null;
-  const remediationAttemptId = capability?.cancelAttemptId ?? remediation?.latestAttemptId;
-  const remediationIsActive = isActiveRemediationStatus(remediationStatus) || isStartingRemediation;
-  const remediationStatusLabel = formatRemediationStatus(remediationStatus);
+  const remediationAttemptId = capability.cancelAttemptId ?? remediation?.latestAttemptId;
   const openRemediationPrUrl =
     remediationStatus === 'pr_opened' && remediation?.prUrl ? remediation.prUrl : null;
-  const isHighlighted =
-    finding.status === 'open' &&
-    slaDisplay === 'visible' &&
-    finding.sla_due_at !== null &&
-    isPast(new Date(finding.sla_due_at));
+  const showSla = slaDisplay === 'visible';
 
   const startAnalysis = () => {
     const retrySandboxOnly =
       Boolean(finding.analysis?.triage) && finding.analysis_status === 'failed';
     onStartAnalysis?.(finding.id, { retrySandboxOnly });
   };
-  const startRemediation = () => onStartRemediation?.(finding.id);
-  const retryRemediation = () => onRetryRemediation?.(finding.id);
   const cancelRemediation = () => {
     if (remediationAttemptId) onCancelRemediation?.(remediationAttemptId, finding.id);
   };
 
   return (
-    <article
+    <li
       className={cn(
-        'hover:bg-muted/50 grid grid-cols-[minmax(0,1fr)_auto] items-center transition-colors',
-        isHighlighted && 'bg-red-500/5'
+        'hover:bg-surface-hover relative grid gap-4 px-4 py-4 transition-colors sm:grid-cols-2 sm:px-5 xl:items-center',
+        getFindingListGridClass(showSla)
       )}
     >
       <button
         type="button"
         onClick={onClick}
-        className="focus-visible:ring-ring group grid min-w-0 grid-cols-[auto_minmax(0,1fr)_auto] items-center gap-x-3 gap-y-2 rounded-md px-4 py-3 text-left focus-visible:ring-2 focus-visible:outline-none md:grid-cols-[72px_minmax(0,1fr)_140px_16px] md:gap-x-3"
+        className="focus-visible:ring-ring absolute inset-0 z-0 cursor-pointer rounded-sm outline-none focus-visible:ring-2 focus-visible:ring-inset"
         aria-label={`View ${finding.title}`}
-      >
-        <SeverityBadge severity={severity} size="sm" />
-        <span className="min-w-0">
-          <span className="block truncate text-sm font-medium">{finding.title}</span>
-          <span className="text-muted-foreground mt-0.5 flex items-center gap-1 text-xs">
-            <Package className="size-3 shrink-0" aria-hidden="true" />
-            <span className="truncate">{finding.package_name}</span>
-          </span>
-        </span>
-        <ChevronRight
-          className="text-muted-foreground size-4 md:col-start-4 md:row-start-1"
-          aria-hidden="true"
-        />
-        <span className="col-start-2 space-y-1 text-xs md:col-start-3 md:row-start-1">
-          {outcome ? (
-            <OutcomeLabel outcome={outcome} />
-          ) : (
-            <span className="text-muted-foreground flex items-center gap-1.5">
-              <Shield className="size-3.5" aria-hidden="true" />
-              Not analyzed
-            </span>
-          )}
-          {remediationStatusLabel && (
-            <span
-              className={cn(
-                'text-muted-foreground flex items-center gap-1.5 capitalize',
-                remediationStatus === 'pr_opened' && 'text-green-400',
-                remediationStatus === 'failed' && 'text-red-400',
-                remediationStatus === 'blocked' && 'text-yellow-400',
-                remediationIsActive && 'text-emerald-400'
-              )}
-            >
-              {remediationIsActive ? (
-                <Loader2
-                  className="size-3.5 animate-spin motion-reduce:animate-none"
-                  aria-hidden="true"
-                />
-              ) : (
-                <GitPullRequest className="size-3.5" aria-hidden="true" />
-              )}
-              {remediationStatusLabel}
-            </span>
-          )}
-        </span>
-      </button>
+      />
+
+      <div className="relative z-10 min-w-0 pointer-events-none sm:col-span-2 xl:col-span-1">
+        <div className="flex min-w-0 items-center gap-3">
+          <div className="flex w-20 shrink-0 items-center">
+            <SeverityBadge severity={severity} size="sm" />
+          </div>
+          <span className="type-body min-w-0 font-medium text-pretty">{finding.title}</span>
+        </div>
+      </div>
 
-      <div className="flex items-center justify-end pr-4">
+      <FindingStatusCell label="Analysis">
+        <StatusPill status={analysis} />
+      </FindingStatusCell>
+
+      {showSla && (
+        <FindingStatusCell label="SLA Deadline">
+          <div className={cn('type-label flex items-start gap-2', toneStyles[deadline.tone].text)}>
+            <deadline.icon className="mt-0.5 size-3.5 shrink-0" aria-hidden="true" />
+            <div>
+              <div className="font-medium">{deadline.label}</div>
+              <div className="text-muted-foreground mt-0.5 tabular-nums">{deadline.detail}</div>
+            </div>
+          </div>
+        </FindingStatusCell>
+      )}
+
+      <div className="relative z-10 flex items-center justify-end gap-2 pointer-events-auto sm:col-span-2 xl:col-span-2 xl:grid xl:grid-cols-[minmax(9rem,auto)_2.25rem]">
         {openRemediationPrUrl ? (
-          <Button variant="outline" size="sm" asChild className="gap-1">
-            <a
-              href={openRemediationPrUrl}
-              target="_blank"
-              rel="noopener noreferrer"
-              onClick={event => event.stopPropagation()}
-              onKeyDown={event => event.stopPropagation()}
-            >
-              <ExternalLink className="size-3" aria-hidden="true" />
+          <Button
+            variant="outline"
+            asChild
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <a href={openRemediationPrUrl} target="_blank" rel="noopener noreferrer">
+              <ExternalLink aria-hidden="true" />
               View PR
             </a>
           </Button>
         ) : isStartingRemediation ? (
-          <Button variant="outline" size="sm" disabled className="gap-1">
-            <Loader2
-              className="size-3 animate-spin motion-reduce:animate-none"
-              aria-hidden="true"
-            />
+          <Button
+            variant="outline"
+            disabled
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <Loader2 className="animate-spin motion-reduce:animate-none" aria-hidden="true" />
             Queueing
           </Button>
-        ) : capability?.canCancel && remediationAttemptId && onCancelRemediation ? (
+        ) : capability.canCancel && remediationAttemptId && onCancelRemediation ? (
           <Button
             variant="outline"
-            size="sm"
             onClick={cancelRemediation}
             disabled={isCancellingRemediation}
-            className="gap-1"
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
           >
             {isCancellingRemediation ? (
-              <Loader2
-                className="size-3 animate-spin motion-reduce:animate-none"
-                aria-hidden="true"
-              />
+              <Loader2 className="animate-spin motion-reduce:animate-none" aria-hidden="true" />
             ) : (
-              <XCircle className="size-3" aria-hidden="true" />
+              <XCircle aria-hidden="true" />
             )}
             Cancel
           </Button>
-        ) : capability?.canRetry && onRetryRemediation ? (
-          <Button variant="outline" size="sm" onClick={retryRemediation} className="gap-1">
-            <RotateCw className="size-3" aria-hidden="true" />
+        ) : capability.canRetry && onRetryRemediation ? (
+          <Button
+            variant="outline"
+            onClick={() => onRetryRemediation(finding.id)}
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <RotateCw aria-hidden="true" />
             Retry fix
           </Button>
-        ) : capability?.canStart && onStartRemediation ? (
-          <Button variant="outline" size="sm" onClick={startRemediation} className="gap-1">
-            <GitPullRequest className="size-3" aria-hidden="true" />
+        ) : capability.canStart && onStartRemediation ? (
+          <Button
+            variant="outline"
+            onClick={() => onStartRemediation(finding.id)}
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <GitPullRequest aria-hidden="true" />
             Fix
           </Button>
-        ) : canStartAnalysis ? (
-          <Button variant="outline" size="sm" onClick={startAnalysis} className="gap-1">
-            <Brain className="size-3" aria-hidden="true" />
+        ) : showAnalysisAction ? (
+          <Button
+            variant="outline"
+            onClick={startAnalysis}
+            disabled={analysisAtCapacity}
+            title={analysisAtCapacity ? manualAnalysisCapacityFullCopy : undefined}
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <Brain aria-hidden="true" />
             {finding.analysis_status === 'failed' ? 'Retry' : 'Analyze'}
           </Button>
-        ) : isStartingAnalysis ? (
-          <Button variant="outline" size="sm" disabled className="gap-1">
-            <Loader2
-              className="size-3 animate-spin motion-reduce:animate-none"
-              aria-hidden="true"
-            />
-            {securityAgentCommandAdmissionCopy.start_analysis.pendingLabel}
+        ) : isAwaitingAnalysisAdmission ? (
+          <Button
+            variant="outline"
+            disabled
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <Loader2 className="animate-spin motion-reduce:animate-none" aria-hidden="true" />
+            {manualAnalysisAdmissionCopy.pendingLabel}
           </Button>
         ) : finding.analysis?.triage?.suggestedAction === 'manual_review' &&
           finding.status === 'open' ? (
-          <Button variant="outline" size="sm" onClick={onClick} className="gap-1">
-            <Eye className="size-3" aria-hidden="true" />
+          <Button
+            variant="outline"
+            onClick={onClick}
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <Eye aria-hidden="true" />
             Review
           </Button>
         ) : finding.status === 'fixed' || finding.status === 'ignored' ? (
-          <Button variant="outline" size="sm" onClick={onClick} className="gap-1">
-            <Eye className="size-3" aria-hidden="true" />
+          <Button
+            variant="outline"
+            onClick={onClick}
+            className="min-h-control-touch w-full sm:h-control-default sm:min-h-0 sm:w-auto xl:justify-self-end"
+          >
+            <Eye aria-hidden="true" />
             View details
           </Button>
         ) : null}
+        <ChevronRight
+          className="text-muted-foreground size-4 shrink-0 xl:col-start-2 xl:justify-self-center"
+          aria-hidden="true"
+        />
       </div>
-    </article>
+    </li>
   );
 }
diff --git a/apps/web/src/components/security-agent/SecurityFindingsCard.tsx b/apps/web/src/components/security-agent/SecurityFindingsCard.tsx
index a0e46162d..ee53b73c8 100644
--- a/apps/web/src/components/security-agent/SecurityFindingsCard.tsx
+++ b/apps/web/src/components/security-agent/SecurityFindingsCard.tsx
@@ -15,6 +15,7 @@ import {
   RefreshCw,
   Settings2,
   Shield,
+  ShieldCheck,
 } from 'lucide-react';
 import Link from 'next/link';
 import { Badge } from '@/components/ui/badge';
@@ -26,9 +27,13 @@ import {
   SelectTrigger,
   SelectValue,
 } from '@/components/ui/select';
-import { Tooltip, TooltipContent, TooltipTrigger } from '@/components/ui/tooltip';
+import { Skeleton } from '@/components/ui/skeleton';
+import type { SecurityFindingWithRemediation } from '@/lib/security-agent/db/security-remediation';
+import { cn } from '@/lib/utils';
 import { RepositoryFilter } from './RepositoryFilter';
-import { SecurityFindingRow, type SecurityFindingWithRemediation } from './SecurityFindingRow';
+import { SecurityAgentActionBar, SecurityAgentActionBarField } from './SecurityAgentActionBar';
+import { SecurityFindingRow } from './SecurityFindingRow';
+import { getFindingListGridClass } from './security-finding-list-presentation';
 
 type Repository = {
   id: number;
@@ -110,6 +115,8 @@ const STATUS_IMPLYING_OUTCOMES = new Set([
   'dismissed',
 ]);
 
+const skeletonRowKeys = ['skeleton-1', 'skeleton-2', 'skeleton-3', 'skeleton-4', 'skeleton-5'];
+
 export function SecurityFindingsCard({
   findings,
   repositories,
@@ -143,6 +150,11 @@ export function SecurityFindingsCard({
   const startItem = (page - 1) * pageSize + 1;
   const endItem = Math.min(page * pageSize, totalCount);
   const closedCount = stats.fixed + stats.ignored;
+  const analysisAtCapacity = runningCount >= concurrencyLimit;
+  const hasActiveFilters = Boolean(
+    filters.severity || filters.repoFullName || filters.outcomeFilter || filters.overdue
+  );
+  const listGridClass = getFindingListGridClass(showSla);
 
   const handleStatusChange = (value: string) => {
     const status = value === 'all' ? undefined : value;
@@ -189,175 +201,208 @@ export function SecurityFindingsCard({
 
   return (
     <div className="space-y-4">
-      <div className="bg-card border-border flex flex-wrap items-center justify-between gap-3 rounded-xl border px-4 py-3">
-        <div className="flex min-w-0 flex-wrap items-center gap-4">
-          <button
-            type="button"
-            onClick={() => handleStatusChange(filters.status === 'open' ? 'all' : 'open')}
-            aria-pressed={filters.status === 'open'}
-            className="focus-visible:ring-ring flex items-center gap-2 rounded-md text-sm transition-colors focus-visible:ring-2 focus-visible:outline-none"
-          >
-            <AlertCircle className="size-4" aria-hidden="true" />
-            <span className={filters.status === 'open' ? 'font-semibold' : 'text-muted-foreground'}>
-              <span className="font-mono tabular-nums">{stats.open}</span> open
-            </span>
-          </button>
-          <button
-            type="button"
-            onClick={() => handleStatusChange(filters.status === 'closed' ? 'all' : 'closed')}
-            aria-pressed={filters.status === 'closed'}
-            className="focus-visible:ring-ring flex items-center gap-2 rounded-md text-sm transition-colors focus-visible:ring-2 focus-visible:outline-none"
-          >
-            <CheckCircle2 className="size-4" aria-hidden="true" />
-            <span
-              className={filters.status === 'closed' ? 'font-semibold' : 'text-muted-foreground'}
-            >
-              <span className="font-mono tabular-nums">{closedCount}</span> closed
-            </span>
-          </button>
-        </div>
-
-        <div className="flex flex-wrap items-center justify-end gap-3">
-          <Tooltip>
-            <TooltipTrigger asChild>
-              <Badge variant={runningCount >= concurrencyLimit ? 'destructive' : 'secondary'}>
-                <span className="font-mono tabular-nums">
-                  {runningCount}/{concurrencyLimit}
-                </span>{' '}
-                capacity
-              </Badge>
-            </TooltipTrigger>
-            <TooltipContent side="bottom" sideOffset={4}>
-              {runningCount} of {concurrencyLimit} concurrent analyses running. New requests are
-              rejected at capacity.
-            </TooltipContent>
-          </Tooltip>
-          {state.isEnabled ? (
-            <>
-              {lastSyncTime && (
-                <span className="text-muted-foreground flex items-center gap-1 text-xs">
-                  <Clock className="size-3" aria-hidden="true" />
-                  Last synced {formatDistanceToNow(new Date(lastSyncTime), { addSuffix: true })}
+      <SecurityAgentActionBar label="Findings controls">
+        <div className="flex flex-col gap-3 lg:flex-row lg:items-end lg:justify-between">
+          <fieldset className="min-w-0">
+            <legend className="sr-only">Finding state</legend>
+            <div className="border-input bg-input-background flex min-h-11 w-full items-center gap-1 rounded-lg border p-1 sm:min-h-9 sm:w-fit">
+              <button
+                type="button"
+                onClick={() => handleStatusChange(filters.status === 'open' ? 'all' : 'open')}
+                aria-pressed={filters.status === 'open'}
+                className={cn(
+                  'focus-visible:ring-ring flex min-h-9 flex-1 items-center justify-center gap-2 rounded-md px-3 text-sm transition-colors focus-visible:ring-2 focus-visible:outline-none sm:flex-none',
+                  filters.status === 'open'
+                    ? 'bg-surface-selected text-foreground'
+                    : 'text-muted-foreground hover:bg-surface-hover hover:text-foreground'
+                )}
+              >
+                <AlertCircle className="size-4" aria-hidden="true" />
+                <span>
+                  <span className="font-mono tabular-nums">{stats.open}</span> open
                 </span>
-              )}
+              </button>
+              <button
+                type="button"
+                onClick={() => handleStatusChange(filters.status === 'closed' ? 'all' : 'closed')}
+                aria-pressed={filters.status === 'closed'}
+                className={cn(
+                  'focus-visible:ring-ring flex min-h-9 flex-1 items-center justify-center gap-2 rounded-md px-3 text-sm transition-colors focus-visible:ring-2 focus-visible:outline-none sm:flex-none',
+                  filters.status === 'closed'
+                    ? 'bg-surface-selected text-foreground'
+                    : 'text-muted-foreground hover:bg-surface-hover hover:text-foreground'
+                )}
+              >
+                <CheckCircle2 className="size-4" aria-hidden="true" />
+                <span>
+                  <span className="font-mono tabular-nums">{closedCount}</span> closed
+                </span>
+              </button>
+            </div>
+          </fieldset>
+
+          <div className="flex flex-col gap-3 sm:flex-row sm:flex-wrap sm:items-center lg:justify-end">
+            <Badge
+              variant={analysisAtCapacity ? 'destructive' : 'secondary'}
+              className="min-h-8 px-3"
+              title={`${runningCount} of ${concurrencyLimit} analysis slots are active or queued. New requests are disabled at capacity.`}
+            >
+              <span className="font-mono tabular-nums">
+                {runningCount}/{concurrencyLimit}
+              </span>{' '}
+              analysis capacity
+            </Badge>
+            {state.isEnabled ? (
+              <>
+                {lastSyncTime && (
+                  <span className="text-muted-foreground flex min-h-8 items-center gap-1.5 text-xs whitespace-nowrap">
+                    <Clock className="size-3.5" aria-hidden="true" />
+                    Last synced {formatDistanceToNow(new Date(lastSyncTime), { addSuffix: true })}
+                  </span>
+                )}
+                <Button
+                  variant="outline"
+                  className="min-h-11 w-full sm:min-h-9 sm:w-auto"
+                  onClick={() => onSync()}
+                  disabled={state.isSyncing}
+                >
+                  {state.isSyncing ? (
+                    <Loader2
+                      className="animate-spin motion-reduce:animate-none"
+                      aria-hidden="true"
+                    />
+                  ) : (
+                    <RefreshCw aria-hidden="true" />
+                  )}
+                  {state.isSyncing ? 'Syncing findings...' : 'Sync findings'}
+                </Button>
+              </>
+            ) : (
               <Button
                 variant="outline"
-                size="sm"
-                onClick={() => onSync()}
-                disabled={state.isSyncing}
+                className="min-h-11 w-full sm:min-h-9 sm:w-auto"
+                onClick={onEnableClick}
               >
-                {state.isSyncing ? (
-                  <Loader2
-                    className="size-4 animate-spin motion-reduce:animate-none"
-                    aria-hidden="true"
-                  />
-                ) : (
-                  <RefreshCw className="size-4" aria-hidden="true" />
-                )}
-                {state.isSyncing ? 'Syncing...' : 'Sync findings'}
+                <Settings2 aria-hidden="true" />
+                Enable Security Agent
               </Button>
-            </>
-          ) : (
-            <Button variant="outline" size="sm" onClick={onEnableClick}>
-              <Settings2 className="size-4" aria-hidden="true" />
-              Enable Security Agent
-            </Button>
-          )}
+            )}
+          </div>
         </div>
-      </div>
 
-      <div className="grid gap-3 sm:grid-cols-2 lg:flex lg:flex-wrap">
-        <RepositoryFilter
-          repositories={repositories}
-          value={filters.repoFullName}
-          onValueChange={repoFullName => onFiltersChange({ ...filters, repoFullName })}
-          isLoading={state.isLoading}
-        />
+        <div className="border-border mt-3 grid gap-3 border-t pt-3 sm:grid-cols-2 xl:grid-cols-[minmax(12rem,1.4fr)_minmax(9rem,1fr)_minmax(11rem,1fr)_minmax(12rem,1fr)]">
+          <SecurityAgentActionBarField id="findings-repository" label="Repository">
+            <RepositoryFilter
+              id="findings-repository"
+              className="min-h-11 sm:min-h-9 sm:w-full"
+              repositories={repositories}
+              value={filters.repoFullName}
+              onValueChange={repoFullName => onFiltersChange({ ...filters, repoFullName })}
+              isLoading={state.isLoading}
+            />
+          </SecurityAgentActionBarField>
 
-        <Select
-          value={filters.severity || 'all'}
-          onValueChange={severity =>
-            onFiltersChange({ ...filters, severity: severity === 'all' ? undefined : severity })
-          }
-        >
-          <SelectTrigger className="w-full sm:w-auto sm:min-w-36" aria-label="Filter by severity">
-            <SelectValue placeholder="Severity" />
-          </SelectTrigger>
-          <SelectContent>
-            <SelectItem value="all">All severities</SelectItem>
-            <SelectItem value="critical">Critical</SelectItem>
-            <SelectItem value="high">High</SelectItem>
-            <SelectItem value="medium">Medium</SelectItem>
-            <SelectItem value="low">Low</SelectItem>
-          </SelectContent>
-        </Select>
+          <SecurityAgentActionBarField id="findings-severity" label="Severity">
+            <Select
+              value={filters.severity || 'all'}
+              onValueChange={severity =>
+                onFiltersChange({ ...filters, severity: severity === 'all' ? undefined : severity })
+              }
+            >
+              <SelectTrigger id="findings-severity" className="min-h-11 w-full sm:min-h-9">
+                <SelectValue placeholder="Severity" />
+              </SelectTrigger>
+              <SelectContent>
+                <SelectItem value="all">All severities</SelectItem>
+                <SelectItem value="critical">Critical</SelectItem>
+                <SelectItem value="high">High</SelectItem>
+                <SelectItem value="medium">Medium</SelectItem>
+                <SelectItem value="low">Low</SelectItem>
+              </SelectContent>
+            </Select>
+          </SecurityAgentActionBarField>
 
-        <Select value={filters.outcomeFilter || 'all'} onValueChange={handleOutcomeFilterChange}>
-          <SelectTrigger className="w-full sm:w-auto sm:min-w-44" aria-label="Filter by outcome">
-            <SelectValue placeholder="Outcome" />
-          </SelectTrigger>
-          <SelectContent>
-            <SelectItem value="all">All outcomes</SelectItem>
-            <SelectItem value="not_analyzed">Not analyzed</SelectItem>
-            <SelectItem value="failed">Analysis failed</SelectItem>
-            <SelectItem value="exploitable">Exploitable</SelectItem>
-            <SelectItem value="not_exploitable">Not exploitable</SelectItem>
-            <SelectItem value="safe_to_dismiss">Safe to dismiss</SelectItem>
-            <SelectItem value="needs_review">Needs review</SelectItem>
-            <SelectItem value="triage_complete">Triage complete</SelectItem>
-            <SelectItem value="fixed">Fixed</SelectItem>
-            <SelectItem value="dismissed">Dismissed</SelectItem>
-          </SelectContent>
-        </Select>
+          <SecurityAgentActionBarField id="findings-outcome" label="Analysis outcome">
+            <Select
+              value={filters.outcomeFilter || 'all'}
+              onValueChange={handleOutcomeFilterChange}
+            >
+              <SelectTrigger id="findings-outcome" className="min-h-11 w-full sm:min-h-9">
+                <SelectValue placeholder="Outcome" />
+              </SelectTrigger>
+              <SelectContent>
+                <SelectItem value="all">All outcomes</SelectItem>
+                <SelectItem value="not_analyzed">Not analyzed</SelectItem>
+                <SelectItem value="failed">Analysis failed</SelectItem>
+                <SelectItem value="exploitable">Exploitable</SelectItem>
+                <SelectItem value="not_exploitable">Not exploitable</SelectItem>
+                <SelectItem value="safe_to_dismiss">Safe to dismiss</SelectItem>
+                <SelectItem value="needs_review">Needs review</SelectItem>
+                <SelectItem value="triage_complete">Triage complete</SelectItem>
+                <SelectItem value="fixed">Fixed</SelectItem>
+                <SelectItem value="dismissed">Dismissed</SelectItem>
+              </SelectContent>
+            </Select>
+          </SecurityAgentActionBarField>
 
-        <Select value={sortBy} onValueChange={onSortByChange}>
-          <SelectTrigger
-            className="w-full sm:w-auto sm:min-w-48 lg:ml-auto"
-            aria-label="Sort findings"
-          >
-            <ArrowUpDown className="size-3.5 shrink-0 opacity-50" aria-hidden="true" />
-            <SelectValue placeholder="Sort findings" />
-          </SelectTrigger>
-          <SelectContent>
-            <SelectItem value="severity_desc">
-              <span className="flex items-center gap-1.5">
-                Severity <ArrowDown className="size-3" aria-hidden="true" />
-              </span>
-            </SelectItem>
-            <SelectItem value="severity_asc">
-              <span className="flex items-center gap-1.5">
-                Severity <ArrowUp className="size-3" aria-hidden="true" />
-              </span>
-            </SelectItem>
-            {showSla && <SelectItem value="sla_due_at_asc">SLA due date</SelectItem>}
-          </SelectContent>
-        </Select>
-      </div>
+          <SecurityAgentActionBarField id="findings-sort" label="Sort by">
+            <Select value={sortBy} onValueChange={onSortByChange}>
+              <SelectTrigger id="findings-sort" className="min-h-11 w-full sm:min-h-9">
+                <ArrowUpDown className="size-3.5 shrink-0 opacity-50" aria-hidden="true" />
+                <SelectValue placeholder="Sort findings" />
+              </SelectTrigger>
+              <SelectContent>
+                <SelectItem value="severity_desc">
+                  <span className="flex items-center gap-1.5">
+                    Severity <ArrowDown className="size-3" aria-hidden="true" />
+                  </span>
+                </SelectItem>
+                <SelectItem value="severity_asc">
+                  <span className="flex items-center gap-1.5">
+                    Severity <ArrowUp className="size-3" aria-hidden="true" />
+                  </span>
+                </SelectItem>
+                {showSla && <SelectItem value="sla_due_at_asc">SLA due date</SelectItem>}
+              </SelectContent>
+            </Select>
+          </SecurityAgentActionBarField>
+        </div>
+      </SecurityAgentActionBar>
+
+      <section
+        aria-label={
+          filters.status === 'closed'
+            ? 'Closed findings'
+            : filters.status === 'open'
+              ? 'Open findings'
+              : 'Security findings'
+        }
+        className="border-border bg-surface-raised overflow-hidden rounded-xl border"
+      >
+        <div
+          className={cn(
+            'border-border bg-surface-inset text-muted-foreground type-label hidden gap-4 border-b px-5 py-2.5 xl:grid',
+            listGridClass
+          )}
+          aria-hidden="true"
+        >
+          <span>Security Finding</span>
+          <span>Analysis</span>
+          {showSla && <span>SLA Deadline</span>}
+          <span className="text-right">Action</span>
+          <span />
+        </div>
 
-      <div className="border-border overflow-hidden rounded-xl border">
         {state.isLoading ? (
-          <div className="text-muted-foreground flex items-center justify-center gap-2 py-12 text-sm">
-            <RefreshCw
-              className="size-5 animate-spin motion-reduce:animate-none"
-              aria-hidden="true"
-            />
-            Loading findings...
-          </div>
+          <FindingsSkeleton showSla={showSla} />
         ) : findings.length === 0 ? (
-          <div className="text-muted-foreground flex flex-col items-center justify-center px-6 py-12 text-center">
-            <AlertTriangle className="mb-2 size-8" aria-hidden="true" />
-            <p>No findings match current filters.</p>
-            {(filters.status ||
-              filters.severity ||
-              filters.repoFullName ||
-              filters.outcomeFilter) && (
-              <Button variant="link" size="sm" onClick={() => onFiltersChange({})} className="mt-2">
-                Clear filters
-              </Button>
-            )}
-          </div>
+          <FindingsEmptyState
+            status={filters.status}
+            hasActiveFilters={hasActiveFilters}
+            onClearFilters={() => onFiltersChange(filters.status ? { status: filters.status } : {})}
+          />
         ) : (
-          <div className="divide-border divide-y">
+          <ul className="divide-border divide-y">
             {findings.map(finding => (
               <SecurityFindingRow
                 key={finding.id}
@@ -365,6 +410,7 @@ export function SecurityFindingsCard({
                 onClick={() => onFindingClick(finding)}
                 onStartAnalysis={onStartAnalysis}
                 isStartingAnalysis={startingAnalysisIds?.has(finding.id)}
+                analysisAtCapacity={analysisAtCapacity}
                 onStartRemediation={onStartRemediation}
                 onRetryRemediation={onRetryRemediation}
                 onCancelRemediation={onCancelRemediation}
@@ -376,36 +422,36 @@ export function SecurityFindingsCard({
                 slaDisplay={showSla ? 'visible' : 'hidden'}
               />
             ))}
-          </div>
+          </ul>
         )}
-      </div>
+      </section>
 
-      {totalCount > 0 && (
-        <div className="flex flex-col gap-3 pt-2 sm:flex-row sm:items-center sm:justify-between">
-          <p className="text-muted-foreground font-mono text-sm tabular-nums">
+      {totalCount > 0 && !state.isLoading && (
+        <div className="flex flex-col gap-3 pt-1 sm:flex-row sm:items-center sm:justify-between">
+          <p className="text-muted-foreground type-code tabular-nums">
             Showing {startItem}-{endItem} of {totalCount}
           </p>
-          <div className="flex flex-wrap items-center gap-2">
+          <div className="flex items-center gap-2 self-end sm:self-auto">
             <Button
               variant="outline"
-              size="sm"
+              className="min-h-control-touch sm:h-control-default sm:min-h-0"
               onClick={() => onPageChange(page - 1)}
               disabled={page <= 1}
             >
-              <ChevronLeft className="size-4" aria-hidden="true" />
+              <ChevronLeft aria-hidden="true" />
               Previous
             </Button>
-            <span className="text-muted-foreground font-mono text-sm tabular-nums">
+            <span className="text-muted-foreground type-code px-1 tabular-nums">
               Page {page} of {totalPages}
             </span>
             <Button
               variant="outline"
-              size="sm"
+              className="min-h-control-touch sm:h-control-default sm:min-h-0"
               onClick={() => onPageChange(page + 1)}
               disabled={page >= totalPages}
             >
               Next
-              <ChevronRight className="size-4" aria-hidden="true" />
+              <ChevronRight aria-hidden="true" />
             </Button>
           </div>
         </div>
@@ -413,3 +459,77 @@ export function SecurityFindingsCard({
     </div>
   );
 }
+
+function FindingsSkeleton({ showSla }: { showSla: boolean }) {
+  return (
+    <div className="divide-border divide-y">
+      <output className="sr-only">Loading Security Findings</output>
+      {skeletonRowKeys.map(rowKey => (
+        <div
+          key={rowKey}
+          className={cn(
+            'grid gap-4 px-4 py-4 sm:grid-cols-2 sm:px-5 xl:items-center',
+            getFindingListGridClass(showSla)
+          )}
+        >
+          <div className="flex items-center gap-3 sm:col-span-2 xl:col-span-1">
+            <Skeleton className="h-5 w-16 shrink-0" />
+            <Skeleton className="h-4 w-4/5" />
+          </div>
+          <Skeleton className="h-7 w-28" />
+          {showSla && (
+            <div className="space-y-2">
+              <Skeleton className="h-3 w-24" />
+              <Skeleton className="h-3 w-28" />
+            </div>
+          )}
+          <div className="flex items-center justify-end gap-2 sm:col-span-2 xl:col-span-2 xl:grid xl:grid-cols-[minmax(9rem,auto)_2.25rem]">
+            <Skeleton className="h-9 w-full sm:w-28 xl:justify-self-end" />
+            <Skeleton className="size-9 shrink-0" />
+          </div>
+        </div>
+      ))}
+    </div>
+  );
+}
+
+function FindingsEmptyState({
+  status,
+  hasActiveFilters,
+  onClearFilters,
+}: {
+  status?: string;
+  hasActiveFilters: boolean;
+  onClearFilters: () => void;
+}) {
+  const Icon = hasActiveFilters ? AlertTriangle : ShieldCheck;
+  const title = hasActiveFilters
+    ? 'No findings match these filters'
+    : status === 'open'
+      ? 'No open findings'
+      : status === 'closed'
+        ? 'No closed findings'
+        : 'No findings';
+  const description = hasActiveFilters
+    ? 'Change or clear filters to include more Security Findings.'
+    : status === 'open'
+      ? 'New Security Findings will appear here after the next successful sync.'
+      : status === 'closed'
+        ? 'Fixed and dismissed Security Findings will appear here.'
+        : 'Security Findings will appear here after the next successful sync.';
+
+  return (
+    <div className="flex flex-col items-center justify-center px-6 py-14 text-center sm:py-16">
+      <div className="border-border bg-surface-inset text-muted-foreground flex size-11 items-center justify-center rounded-full border">
+        <Icon className="size-5" aria-hidden="true" />
+      </div>
+      <h3 className="type-heading mt-4">{title}</h3>
+      <p className="text-muted-foreground type-body mt-2 max-w-[52ch]">{description}</p>
+      {hasActiveFilters && (
+        <Button type="button" variant="outline" className="mt-5" onClick={onClearFilters}>
+          Clear filters
+        </Button>
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/security-agent/SecurityFindingsPage.tsx b/apps/web/src/components/security-agent/SecurityFindingsPage.tsx
index 3b2b298b6..e7f736a79 100644
--- a/apps/web/src/components/security-agent/SecurityFindingsPage.tsx
+++ b/apps/web/src/components/security-agent/SecurityFindingsPage.tsx
@@ -1,6 +1,6 @@
 'use client';
 
-import { useReducer } from 'react';
+import { useEffect, useReducer, useRef } from 'react';
 import { useRouter, useSearchParams } from 'next/navigation';
 import Link from 'next/link';
 import { useQuery } from '@tanstack/react-query';
@@ -16,10 +16,11 @@ import {
 import { DismissFindingDialog, type DismissReason } from './DismissFindingDialog';
 import { FindingDetailDialog } from './FindingDetailDialog';
 import { SecurityFindingsCard } from './SecurityFindingsCard';
-import type { SecurityFindingWithRemediation } from './SecurityFindingRow';
+import type { SecurityFindingWithRemediation } from '@/lib/security-agent/db/security-remediation';
 import { useSecurityAgent } from './SecurityAgentContext';
+import { tryReserveManualAnalysisCapacity } from './manual-analysis-admission-copy';
 
-const PAGE_SIZE = 20;
+const PAGE_SIZE = 10;
 const EMPTY_FINDINGS: SecurityFindingWithRemediation[] = [];
 
 type Filters = {
@@ -47,6 +48,7 @@ type PageAction =
   | { type: 'set-filters'; filters: Filters }
   | { type: 'set-sort'; sortBy: SortBy }
   | { type: 'open-detail'; finding: SecurityFindingWithRemediation }
+  | { type: 'open-deep-link' }
   | { type: 'set-detail-open'; open: boolean }
   | { type: 'open-dismiss'; finding: SecurityFindingWithRemediation }
   | { type: 'set-dismiss-open'; open: boolean }
@@ -90,6 +92,13 @@ function pageReducer(state: PageState, action: PageAction): PageState {
       return { ...state, sortBy: action.sortBy, page: 1 };
     case 'open-detail':
       return { ...state, selectedFinding: action.finding, detailDialogOpen: true };
+    case 'open-deep-link':
+      return {
+        ...state,
+        selectedFinding: null,
+        detailDialogOpen: false,
+        closedDeepLinkId: null,
+      };
     case 'set-detail-open':
       return {
         ...state,
@@ -129,6 +138,7 @@ export function SecurityFindingsPage() {
     hasIntegration,
     isEnabled,
     filteredRepositories,
+    trackUiInteraction,
     handleSync,
     handleDismiss,
     handleStartAnalysis,
@@ -146,6 +156,7 @@ export function SecurityFindingsPage() {
   const router = useRouter();
   const searchParams = useSearchParams();
   const [state, dispatch] = useReducer(pageReducer, searchParams, createInitialPageState);
+  const localAnalysisReservationIdsRef = useRef<Set<string> | null>(null);
   const findingsEnabled = isEnabled === true;
   const slaEnabled = configData?.slaEnabled ?? true;
   const effectiveSortBy = slaEnabled ? state.sortBy : 'severity_desc';
@@ -232,6 +243,33 @@ export function SecurityFindingsPage() {
     }
   }
   const runningCount = serverRunningCount + optimisticAdditional;
+  const concurrencyLimit = findingsData?.concurrencyLimit ?? 3;
+  const analysisAtCapacity = runningCount >= concurrencyLimit;
+
+  useEffect(() => {
+    const localAnalysisReservationIds = localAnalysisReservationIdsRef.current;
+    if (!localAnalysisReservationIds) return;
+    for (const findingId of startingAnalysisIds) {
+      localAnalysisReservationIds.delete(findingId);
+    }
+  }, [startingAnalysisIds]);
+
+  const handleStartAnalysisWithinCapacity = (
+    findingId: string,
+    options?: { forceSandbox?: boolean; retrySandboxOnly?: boolean }
+  ) => {
+    const localAnalysisReservationIds = localAnalysisReservationIdsRef.current ?? new Set<string>();
+    localAnalysisReservationIdsRef.current = localAnalysisReservationIds;
+    const reserved = tryReserveManualAnalysisCapacity({
+      findingId,
+      runningCount,
+      concurrencyLimit,
+      startingAnalysisIds,
+      localReservationIds: localAnalysisReservationIds,
+    });
+    if (!reserved) return;
+    handleStartAnalysis(findingId, options);
+  };
 
   const deepLinkIsOpen = Boolean(
     deepLinkedFinding && !state.selectedFinding && state.closedDeepLinkId !== deepLinkedFinding.id
@@ -253,7 +291,23 @@ export function SecurityFindingsPage() {
     handleDismiss(activeFinding, reason, comment, () => dispatch({ type: 'finish-dismiss' }));
   };
 
+  const handleFiltersChange = (filters: Filters) => {
+    trackUiInteraction('findings_filtered');
+    dispatch({ type: 'set-filters', filters });
+  };
+
+  const handleSortByChange = (sortBy: SortBy) => {
+    trackUiInteraction('findings_filtered');
+    dispatch({ type: 'set-sort', sortBy });
+  };
+
   const basePath = isOrg ? `/organizations/${organizationId}/security-agent` : '/security-agent';
+  const handleOpenFinding = (findingId: string) => {
+    const params = new URLSearchParams(searchParams.toString());
+    params.set('findingId', findingId);
+    dispatch({ type: 'open-deep-link' });
+    router.replace(`${basePath}/findings?${params.toString()}`);
+  };
   const installUrl = isOrg
     ? `/organizations/${organizationId}/integrations`
     : '/integrations/github';
@@ -324,11 +378,11 @@ export function SecurityFindingsPage() {
           hasIntegration,
         }}
         filters={state.filters}
-        onFiltersChange={filters => dispatch({ type: 'set-filters', filters })}
+        onFiltersChange={handleFiltersChange}
         installUrl={installUrl}
         onEnableClick={() => router.push(`${basePath}/config`)}
         lastSyncTime={lastSyncData?.lastSyncTime}
-        onStartAnalysis={handleStartAnalysis}
+        onStartAnalysis={handleStartAnalysisWithinCapacity}
         startingAnalysisIds={startingAnalysisIds}
         onStartRemediation={handleStartRemediation}
         onRetryRemediation={handleRetryRemediation}
@@ -336,25 +390,31 @@ export function SecurityFindingsPage() {
         startingRemediationIds={startingRemediationIds}
         cancellingRemediationAttemptIds={cancellingRemediationAttemptIds}
         sortBy={effectiveSortBy}
-        onSortByChange={sortBy => dispatch({ type: 'set-sort', sortBy })}
+        onSortByChange={handleSortByChange}
         showSla={slaEnabled}
         runningCount={runningCount}
-        concurrencyLimit={findingsData?.concurrencyLimit ?? 3}
+        concurrencyLimit={concurrencyLimit}
       />
 
       <FindingDetailDialog
         finding={activeFinding}
         open={detailDialogOpen}
+        onStartAnalysis={handleStartAnalysisWithinCapacity}
+        analysisAtCapacity={analysisAtCapacity}
         onOpenChange={handleDetailOpenChange}
-        onDismiss={() => {
-          if (activeFinding) dispatch({ type: 'open-dismiss', finding: activeFinding });
+        onDismiss={analysis => {
+          if (activeFinding) {
+            dispatch({ type: 'open-dismiss', finding: { ...activeFinding, analysis } });
+          }
         }}
         canDismiss={activeFinding?.status === 'open'}
+        onOpenFinding={handleOpenFinding}
         organizationId={organizationId}
         showSla={slaEnabled}
       />
 
       <DismissFindingDialog
+        key={`${state.selectedFinding?.id ?? 'none'}:${state.selectedFinding?.analysis?.analyzedAt ?? 'none'}`}
         finding={state.selectedFinding}
         open={state.dismissDialogOpen}
         onOpenChange={open => dispatch({ type: 'set-dismiss-open', open })}
diff --git a/apps/web/src/components/security-agent/dismiss-finding-form.ts b/apps/web/src/components/security-agent/dismiss-finding-form.ts
new file mode 100644
index 000000000..88be07da1
--- /dev/null
+++ b/apps/web/src/components/security-agent/dismiss-finding-form.ts
@@ -0,0 +1,73 @@
+import type { SecurityFinding } from '@kilocode/db/schema';
+
+export const DISMISS_REASONS = [
+  {
+    value: 'fix_started',
+    label: 'Fix started',
+    description: 'A fix for this vulnerability has been started',
+  },
+  {
+    value: 'no_bandwidth',
+    label: 'No bandwidth',
+    description: 'No bandwidth to fix this vulnerability at this time',
+  },
+  {
+    value: 'tolerable_risk',
+    label: 'Tolerable risk',
+    description: 'The risk is tolerable for this project',
+  },
+  {
+    value: 'inaccurate',
+    label: 'Inaccurate',
+    description: 'This alert is inaccurate or incorrect',
+  },
+  {
+    value: 'not_used',
+    label: 'Not used',
+    description: 'This vulnerable code is not actually used',
+  },
+] as const;
+
+export type DismissReason = (typeof DISMISS_REASONS)[number]['value'];
+
+type DismissFindingFormDefaults = {
+  reason: DismissReason;
+  comment: string;
+};
+
+export const MAX_DISMISS_COMMENT_LENGTH = 280;
+
+const EMPTY_DISMISS_FORM: DismissFindingFormDefaults = {
+  reason: 'not_used',
+  comment: '',
+};
+
+function truncateDismissComment(comment: string): string {
+  if (comment.length <= MAX_DISMISS_COMMENT_LENGTH) return comment;
+  return `${comment.slice(0, MAX_DISMISS_COMMENT_LENGTH - 1)}…`;
+}
+
+export function getDismissFindingFormDefaults(
+  analysis: SecurityFinding['analysis'] | undefined
+): DismissFindingFormDefaults {
+  const sandbox = analysis?.sandboxAnalysis;
+  if (sandbox) {
+    if (sandbox.isExploitable === false) {
+      return {
+        reason: 'not_used',
+        comment: truncateDismissComment(sandbox.exploitabilityReasoning),
+      };
+    }
+    return EMPTY_DISMISS_FORM;
+  }
+
+  const triage = analysis?.triage;
+  if (triage?.needsSandboxAnalysis === false && triage.suggestedAction === 'dismiss') {
+    return {
+      reason: 'not_used',
+      comment: truncateDismissComment(triage.needsSandboxReasoning),
+    };
+  }
+
+  return EMPTY_DISMISS_FORM;
+}
diff --git a/apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts b/apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts
index 9e79e3924..1c5754491 100644
--- a/apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts
+++ b/apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts
@@ -1,5 +1,9 @@
 import { describe, expect, test } from '@jest/globals';
-import { manualAnalysisAdmissionCopy } from './manual-analysis-admission-copy';
+import {
+  isAwaitingManualAnalysisAdmission,
+  manualAnalysisAdmissionCopy,
+  tryReserveManualAnalysisCapacity,
+} from './manual-analysis-admission-copy';
 
 describe('manualAnalysisAdmissionCopy', () => {
   test('describes manual analysis as queued admission', () => {
@@ -7,4 +11,73 @@ describe('manualAnalysisAdmissionCopy', () => {
     expect(manualAnalysisAdmissionCopy.failureTitle).toMatch(/failed to queue/i);
     expect(manualAnalysisAdmissionCopy.pendingLabel).toMatch(/queue/i);
   });
+
+  test('stops showing admission progress after analysis is persisted as active', () => {
+    expect(isAwaitingManualAnalysisAdmission(true, null)).toBe(true);
+    expect(isAwaitingManualAnalysisAdmission(true, 'failed')).toBe(true);
+    expect(isAwaitingManualAnalysisAdmission(true, 'completed')).toBe(true);
+    expect(isAwaitingManualAnalysisAdmission(true, 'pending')).toBe(false);
+    expect(isAwaitingManualAnalysisAdmission(true, 'running')).toBe(false);
+    expect(isAwaitingManualAnalysisAdmission(false, null)).toBe(false);
+  });
+
+  test('reserves only the available slots across rapid analysis requests', () => {
+    const localReservationIds = new Set<string>();
+    const reserve = (findingId: string) =>
+      tryReserveManualAnalysisCapacity({
+        findingId,
+        runningCount: 1,
+        concurrencyLimit: 3,
+        startingAnalysisIds: new Set(),
+        localReservationIds,
+      });
+
+    expect(reserve('finding-1')).toBe(true);
+    expect(reserve('finding-2')).toBe(true);
+    expect(reserve('finding-3')).toBe(false);
+    expect(localReservationIds).toEqual(new Set(['finding-1', 'finding-2']));
+  });
+
+  test('does not reserve at full capacity or twice for the same finding', () => {
+    const localReservationIds = new Set<string>();
+    const startingAnalysisIds = new Set(['starting-finding']);
+
+    expect(
+      tryReserveManualAnalysisCapacity({
+        findingId: 'full-capacity-finding',
+        runningCount: 3,
+        concurrencyLimit: 3,
+        startingAnalysisIds,
+        localReservationIds,
+      })
+    ).toBe(false);
+    expect(
+      tryReserveManualAnalysisCapacity({
+        findingId: 'starting-finding',
+        runningCount: 1,
+        concurrencyLimit: 3,
+        startingAnalysisIds,
+        localReservationIds,
+      })
+    ).toBe(false);
+    expect(
+      tryReserveManualAnalysisCapacity({
+        findingId: 'new-finding',
+        runningCount: 1,
+        concurrencyLimit: 3,
+        startingAnalysisIds,
+        localReservationIds,
+      })
+    ).toBe(true);
+    expect(
+      tryReserveManualAnalysisCapacity({
+        findingId: 'new-finding',
+        runningCount: 1,
+        concurrencyLimit: 3,
+        startingAnalysisIds,
+        localReservationIds,
+      })
+    ).toBe(false);
+    expect(localReservationIds).toEqual(new Set(['new-finding']));
+  });
 });
diff --git a/apps/web/src/components/security-agent/manual-analysis-admission-copy.ts b/apps/web/src/components/security-agent/manual-analysis-admission-copy.ts
index 68445a87f..8e50ec678 100644
--- a/apps/web/src/components/security-agent/manual-analysis-admission-copy.ts
+++ b/apps/web/src/components/security-agent/manual-analysis-admission-copy.ts
@@ -1 +1,38 @@
 export { manualAnalysisAdmissionCopy } from './security-agent-command-copy';
+
+export const manualAnalysisCapacityFullCopy =
+  'Analysis capacity is full. Wait for an active analysis to finish.';
+
+type ManualAnalysisCapacityReservation = {
+  findingId: string;
+  runningCount: number;
+  concurrencyLimit: number;
+  startingAnalysisIds: ReadonlySet<string>;
+  localReservationIds: Set<string>;
+};
+
+export function tryReserveManualAnalysisCapacity({
+  findingId,
+  runningCount,
+  concurrencyLimit,
+  startingAnalysisIds,
+  localReservationIds,
+}: ManualAnalysisCapacityReservation): boolean {
+  if (startingAnalysisIds.has(findingId) || localReservationIds.has(findingId)) return false;
+
+  let unconfirmedReservationCount = 0;
+  for (const reservedFindingId of localReservationIds) {
+    if (!startingAnalysisIds.has(reservedFindingId)) unconfirmedReservationCount += 1;
+  }
+  if (runningCount + unconfirmedReservationCount >= concurrencyLimit) return false;
+
+  localReservationIds.add(findingId);
+  return true;
+}
+
+export function isAwaitingManualAnalysisAdmission(
+  hasActiveStartCommand: boolean,
+  analysisStatus: string | null | undefined
+): boolean {
+  return hasActiveStartCommand && analysisStatus !== 'pending' && analysisStatus !== 'running';
+}
diff --git a/apps/web/src/components/security-agent/remediation-unavailable-copy.test.ts b/apps/web/src/components/security-agent/remediation-unavailable-copy.test.ts
new file mode 100644
index 000000000..7397dba7d
--- /dev/null
+++ b/apps/web/src/components/security-agent/remediation-unavailable-copy.test.ts
@@ -0,0 +1,27 @@
+import { describe, expect, it } from '@jest/globals';
+import {
+  getRemediationUnavailableCopy,
+  isCodebaseAnalysisRequiredReason,
+} from './remediation-unavailable-copy';
+
+describe('getRemediationUnavailableCopy', () => {
+  it('turns typed admission reasons into actionable remediation copy', () => {
+    expect(getRemediationUnavailableCopy('analysis_required')).toBe(
+      'Run codebase analysis before starting remediation.'
+    );
+    expect(getRemediationUnavailableCopy('finding_not_found')).toBe(
+      'Security finding no longer exists.'
+    );
+  });
+});
+
+describe('isCodebaseAnalysisRequiredReason', () => {
+  it('classifies only missing codebase analysis as requiring analysis', () => {
+    expect(isCodebaseAnalysisRequiredReason('analysis_required')).toBe(true);
+    expect(isCodebaseAnalysisRequiredReason('sandbox_analysis_required')).toBe(true);
+    expect(isCodebaseAnalysisRequiredReason('triage_only')).toBe(true);
+    expect(isCodebaseAnalysisRequiredReason('not_exploitable')).toBe(false);
+    expect(isCodebaseAnalysisRequiredReason('stale_analysis')).toBe(false);
+    expect(isCodebaseAnalysisRequiredReason('finding_not_open')).toBe(false);
+  });
+});
diff --git a/apps/web/src/components/security-agent/remediation-unavailable-copy.ts b/apps/web/src/components/security-agent/remediation-unavailable-copy.ts
index 2b9c615db..defa446ad 100644
--- a/apps/web/src/components/security-agent/remediation-unavailable-copy.ts
+++ b/apps/web/src/components/security-agent/remediation-unavailable-copy.ts
@@ -1,4 +1,10 @@
-const REMEDIATION_UNAVAILABLE_COPY: Record<string, string> = {
+import {
+  SECURITY_REMEDIATION_ADMISSION_REJECTION_REASONS,
+  type SecurityRemediationAdmissionRejectionReason,
+} from '@kilocode/worker-utils/security-remediation-policy';
+
+const REMEDIATION_UNAVAILABLE_COPY: Record<SecurityRemediationAdmissionRejectionReason, string> = {
+  finding_not_found: 'Security finding no longer exists.',
   finding_not_open: 'Finding is no longer open.',
   repo_not_in_scope: 'Repository is not selected for Security Agent.',
   analysis_required: 'Run codebase analysis before starting remediation.',
@@ -26,7 +32,23 @@ const REMEDIATION_UNAVAILABLE_COPY: Record<string, string> = {
     'Analysis completed before Auto Remediation was enabled. Manual remediation can still start when safety gates pass.',
 };
 
+function isRemediationAdmissionRejectionReason(
+  reason: string
+): reason is SecurityRemediationAdmissionRejectionReason {
+  return SECURITY_REMEDIATION_ADMISSION_REJECTION_REASONS.some(candidate => candidate === reason);
+}
+
+export function isCodebaseAnalysisRequiredReason(reason: string | null | undefined): boolean {
+  return (
+    reason === 'analysis_required' ||
+    reason === 'sandbox_analysis_required' ||
+    reason === 'triage_only'
+  );
+}
+
 export function getRemediationUnavailableCopy(reason: string | null | undefined): string | null {
   if (!reason || reason === 'eligible') return null;
-  return REMEDIATION_UNAVAILABLE_COPY[reason] ?? 'Remediation is unavailable for this finding.';
+  return isRemediationAdmissionRejectionReason(reason)
+    ? REMEDIATION_UNAVAILABLE_COPY[reason]
+    : 'Remediation is unavailable for this finding.';
 }
diff --git a/apps/web/src/components/security-agent/security-agent-command-invalidation.test.ts b/apps/web/src/components/security-agent/security-agent-command-invalidation.test.ts
index 69d40e280..12abb8209 100644
--- a/apps/web/src/components/security-agent/security-agent-command-invalidation.test.ts
+++ b/apps/web/src/components/security-agent/security-agent-command-invalidation.test.ts
@@ -32,7 +32,7 @@ describe('getSecurityAgentInvalidationScopesForCommand', () => {
     const scopes = getSecurityAgentInvalidationScopesForCommand('apply_auto_remediation');
 
     expect(scopes).toEqual(
-      expect.arrayContaining(['findings', 'findingDetails', 'stats', 'dashboardStats'])
+      expect.arrayContaining(['findings', 'findingDetails', 'analysis', 'stats', 'dashboardStats'])
     );
     expect(scopes).not.toContain('repositories');
     expect(scopes).not.toContain('permissionStatus');
diff --git a/apps/web/src/components/security-agent/security-agent-command-invalidation.ts b/apps/web/src/components/security-agent/security-agent-command-invalidation.ts
index 783b050ac..58638f6b7 100644
--- a/apps/web/src/components/security-agent/security-agent-command-invalidation.ts
+++ b/apps/web/src/components/security-agent/security-agent-command-invalidation.ts
@@ -49,6 +49,7 @@ const analysisScopes = [
 const remediationScopes = [
   'findings',
   'findingDetails',
+  'analysis',
   'stats',
   'dashboardStats',
 ] as const satisfies readonly SecurityAgentInvalidationScope[];
diff --git a/apps/web/src/components/security-agent/security-finding-list-presentation.ts b/apps/web/src/components/security-agent/security-finding-list-presentation.ts
new file mode 100644
index 000000000..74ca36c0b
--- /dev/null
+++ b/apps/web/src/components/security-agent/security-finding-list-presentation.ts
@@ -0,0 +1,186 @@
+import { differenceInCalendarDays, format, isAfter, isBefore } from 'date-fns';
+import {
+  AlertTriangle,
+  Brain,
+  CheckCircle2,
+  Clock3,
+  Eye,
+  Loader2,
+  Shield,
+  ShieldAlert,
+  ShieldCheck,
+  XCircle,
+  type LucideIcon,
+} from 'lucide-react';
+import type { SecurityFinding } from '@kilocode/db/schema';
+
+export type FindingTone = 'success' | 'warning' | 'destructive' | 'neutral';
+
+export type FindingStatusPresentation = {
+  label: string;
+  tone: FindingTone;
+  icon: LucideIcon;
+  spinning?: boolean;
+  tooltip?: string | null;
+};
+
+export type FindingDeadlinePresentation = FindingStatusPresentation & {
+  detail: string;
+};
+
+const gridWithSla = 'xl:grid-cols-[minmax(0,1fr)_9rem_8.5rem_minmax(9rem,auto)_2.25rem] xl:gap-x-3';
+const gridWithoutSla = 'xl:grid-cols-[minmax(0,1fr)_9rem_minmax(9rem,auto)_2.25rem] xl:gap-x-3';
+
+export function getFindingListGridClass(showSla: boolean) {
+  return showSla ? gridWithSla : gridWithoutSla;
+}
+
+function isSupersededFinding(finding: SecurityFinding) {
+  return finding.status === 'ignored' && finding.ignored_reason?.startsWith('superseded:');
+}
+
+export function getAnalysisPresentation(finding: SecurityFinding): FindingStatusPresentation {
+  if (finding.analysis_status === 'pending') {
+    return {
+      icon: Loader2,
+      label: 'Analysis queued',
+      tone: 'warning',
+      spinning: true,
+      tooltip: 'Analysis is queued',
+    };
+  }
+  if (finding.analysis_status === 'running') {
+    return {
+      icon: Loader2,
+      label: 'Analyzing',
+      tone: 'warning',
+      spinning: true,
+      tooltip: 'Analysis is running',
+    };
+  }
+  if (finding.analysis_status === 'failed') {
+    return {
+      icon: XCircle,
+      label: 'Analysis failed',
+      tone: 'destructive',
+      tooltip: finding.analysis_error || 'Analysis failed. Retry to run it again.',
+    };
+  }
+
+  const sandbox = finding.analysis?.sandboxAnalysis;
+  const triage = finding.analysis?.triage;
+  if (sandbox?.isExploitable === true) {
+    return {
+      icon: ShieldAlert,
+      label: 'Exploitable',
+      tone: 'destructive',
+      tooltip: sandbox.summary || 'Codebase analysis confirmed this vulnerability is exploitable',
+    };
+  }
+  if (sandbox?.isExploitable === false) {
+    return {
+      icon: ShieldCheck,
+      label: 'Not exploitable',
+      tone: 'success',
+      tooltip: sandbox.summary || 'Codebase analysis determined this is not exploitable',
+    };
+  }
+  if (triage?.suggestedAction === 'dismiss') {
+    return {
+      icon: ShieldCheck,
+      label: 'Safe to dismiss',
+      tone: 'success',
+      tooltip: triage.needsSandboxReasoning || 'Triage determined this can be safely dismissed',
+    };
+  }
+  if (triage?.suggestedAction === 'manual_review') {
+    return {
+      icon: Eye,
+      label: 'Needs review',
+      tone: 'warning',
+      tooltip: triage.needsSandboxReasoning || 'Triage flagged this for manual review',
+    };
+  }
+  if (finding.analysis_status === 'completed') {
+    return {
+      icon: Shield,
+      label: triage ? 'Triage complete' : 'Analyzed',
+      tone: 'neutral',
+      tooltip: triage?.needsSandboxReasoning || null,
+    };
+  }
+  return {
+    icon: Brain,
+    label: 'Not analyzed',
+    tone: 'neutral',
+  };
+}
+
+function formatFindingDate(date: Date) {
+  return format(date, 'MMM d, yyyy');
+}
+
+export function getDeadlinePresentation(
+  finding: SecurityFinding,
+  now = new Date()
+): FindingDeadlinePresentation {
+  if (finding.status === 'fixed') {
+    const fixedAt = finding.fixed_at ? new Date(finding.fixed_at) : null;
+    const deadline = finding.sla_due_at ? new Date(finding.sla_due_at) : null;
+    const fixedBeforeDeadline = fixedAt && deadline && !isAfter(fixedAt, deadline);
+    return {
+      icon: fixedBeforeDeadline ? CheckCircle2 : Clock3,
+      label: fixedBeforeDeadline ? 'Fixed before deadline' : 'Fixed',
+      detail: fixedAt ? `Fixed ${formatFindingDate(fixedAt)}` : 'Resolution recorded',
+      tone: fixedBeforeDeadline ? 'success' : 'neutral',
+    };
+  }
+
+  if (finding.status === 'ignored') {
+    const updatedAt = new Date(finding.updated_at);
+    const label = isSupersededFinding(finding) ? 'Superseded' : 'Dismissed';
+    return {
+      icon: Clock3,
+      label,
+      detail: `${label} ${formatFindingDate(updatedAt)}`,
+      tone: 'neutral',
+    };
+  }
+
+  if (!finding.sla_due_at) {
+    return {
+      icon: Clock3,
+      label: 'Deadline not set',
+      detail: 'No SLA deadline',
+      tone: 'neutral',
+    };
+  }
+
+  const deadline = new Date(finding.sla_due_at);
+  const calendarDays = differenceInCalendarDays(deadline, now);
+  const detail = `Due ${formatFindingDate(deadline)}`;
+  if (isBefore(deadline, now)) {
+    const overdueDays = Math.abs(calendarDays);
+    return {
+      icon: AlertTriangle,
+      label:
+        overdueDays === 0
+          ? 'Overdue'
+          : `${overdueDays} ${overdueDays === 1 ? 'day' : 'days'} overdue`,
+      detail,
+      tone: 'destructive',
+    };
+  }
+  if (calendarDays === 0) {
+    return { icon: Clock3, label: 'Due today', detail, tone: 'warning' };
+  }
+  if (calendarDays === 1) {
+    return { icon: Clock3, label: 'Due tomorrow', detail, tone: 'warning' };
+  }
+  return {
+    icon: Clock3,
+    label: `Due in ${calendarDays} days`,
+    detail,
+    tone: calendarDays <= 3 ? 'warning' : 'neutral',
+  };
+}
diff --git a/apps/web/src/components/ui/accordion.tsx b/apps/web/src/components/ui/accordion.tsx
index e4dc70548..4fcf70c51 100644
--- a/apps/web/src/components/ui/accordion.tsx
+++ b/apps/web/src/components/ui/accordion.tsx
@@ -33,7 +33,7 @@ function AccordionTrigger({
       <AccordionPrimitive.Trigger
         data-slot="accordion-trigger"
         className={cn(
-          'focus-visible:border-ring focus-visible:ring-ring/50 flex flex-1 cursor-pointer items-start gap-2 rounded-md pt-4 text-left text-sm font-medium transition-all outline-none hover:underline focus-visible:ring-[3px] disabled:pointer-events-none disabled:opacity-50 [&[data-state=open]>svg]:rotate-90',
+          'focus-visible:border-ring focus-visible:ring-ring type-body flex flex-1 cursor-pointer items-start gap-2 rounded-md pt-4 text-left font-medium transition-all outline-none hover:underline focus-visible:ring-[3px] disabled:pointer-events-none disabled:opacity-50 [&[data-state=open]>svg]:rotate-90',
           className
         )}
         {...props}
@@ -53,7 +53,7 @@ function AccordionContent({
   return (
     <AccordionPrimitive.Content
       data-slot="accordion-content"
-      className="data-[state=closed]:animate-accordion-up data-[state=open]:animate-accordion-down mt-2 overflow-hidden text-sm"
+      className="data-[state=closed]:animate-accordion-up data-[state=open]:animate-accordion-down type-body mt-2 overflow-hidden"
       {...props}
     >
       <div className={cn('pt-0 pb-4', className)}>{children}</div>
diff --git a/apps/web/src/components/ui/badge.tsx b/apps/web/src/components/ui/badge.tsx
index 789f95d54..dcb6eb361 100644
--- a/apps/web/src/components/ui/badge.tsx
+++ b/apps/web/src/components/ui/badge.tsx
@@ -5,7 +5,7 @@ import { cva, type VariantProps } from 'class-variance-authority';
 import { cn } from '@/lib/utils';
 
 const badgeVariants = cva(
-  'inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden',
+  'type-label inline-flex items-center justify-center rounded-md border px-2 py-0.5 w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring focus-visible:ring-[3px] aria-invalid:ring-destructive/20 aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden',
   {
     variants: {
       variant: {
diff --git a/apps/web/src/components/ui/button.tsx b/apps/web/src/components/ui/button.tsx
index e0147f078..40cd4623c 100644
--- a/apps/web/src/components/ui/button.tsx
+++ b/apps/web/src/components/ui/button.tsx
@@ -5,24 +5,24 @@ import { cva, type VariantProps } from 'class-variance-authority';
 import { cn } from '@/lib/utils';
 
 const buttonVariants = cva(
-  'inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-colors cursor-pointer focus-visible:outline-none focus-visible:ring-[3px] focus-visible:ring-ring/50 disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg]:size-4 [&_svg]:shrink-0',
+  'type-label inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md transition-colors cursor-pointer focus-visible:outline-none focus-visible:ring-[3px] focus-visible:ring-ring disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg]:size-4 [&_svg]:shrink-0',
   {
     variants: {
       variant: {
-        default: 'bg-primary text-primary-foreground shadow hover:bg-primary/90',
+        default: 'bg-primary text-primary-foreground hover:bg-primary-hover',
         brand:
-          'bg-brand-primary text-primary-foreground shadow hover:bg-brand-primary/90 focus-visible:ring-brand-primary/50',
-        primary: 'bg-[#2B6AD2] text-white hover:bg-[#225eb9] focus:ring-[#3b7de8]',
-        destructive: 'bg-destructive text-white shadow-sm hover:bg-destructive/90',
+          'bg-brand-primary text-primary-foreground hover:bg-brand-primary-hover focus-visible:ring-brand-primary-ring',
+        primary: 'bg-primary text-primary-foreground hover:bg-primary-hover',
+        destructive: 'bg-destructive text-destructive-foreground hover:bg-destructive-hover',
         outline:
-          'border border-input bg-background shadow-sm hover:bg-accent hover:text-accent-foreground',
-        secondary: 'bg-secondary text-secondary-foreground shadow-sm hover:bg-secondary/80',
+          'border border-input bg-input-background hover:bg-accent hover:text-accent-foreground',
+        secondary: 'bg-secondary text-secondary-foreground hover:bg-accent',
         ghost: 'hover:bg-accent hover:text-accent-foreground',
-        link: 'text-primary underline-offset-4 hover:underline',
+        link: 'text-link underline-offset-4 hover:text-link-hover hover:underline',
       },
       size: {
         default: 'h-9 px-4 py-2',
-        sm: 'h-8 rounded-md px-3 text-xs',
+        sm: 'h-8 rounded-md px-3',
         lg: 'h-10 rounded-md px-8',
         icon: 'h-9 w-9',
       },
diff --git a/apps/web/src/components/ui/calendar.tsx b/apps/web/src/components/ui/calendar.tsx
new file mode 100644
index 000000000..64522222d
--- /dev/null
+++ b/apps/web/src/components/ui/calendar.tsx
@@ -0,0 +1,176 @@
+'use client';
+
+import * as React from 'react';
+import { ChevronDownIcon, ChevronLeftIcon, ChevronRightIcon } from 'lucide-react';
+import { DayPicker, getDefaultClassNames } from 'react-day-picker';
+import type { DayButton } from 'react-day-picker';
+
+import { cn } from '@/lib/utils';
+import { Button, buttonVariants } from '@/components/ui/button';
+
+function Calendar({
+  className,
+  classNames,
+  showOutsideDays = true,
+  captionLayout = 'label',
+  buttonVariant = 'ghost',
+  formatters,
+  components,
+  ...props
+}: React.ComponentProps<typeof DayPicker> & {
+  buttonVariant?: React.ComponentProps<typeof Button>['variant'];
+}) {
+  const defaultClassNames = getDefaultClassNames();
+
+  return (
+    <DayPicker
+      showOutsideDays={showOutsideDays}
+      className={cn(
+        'bg-background group/calendar p-3 [[data-slot=card-content]_&]:bg-transparent [[data-slot=popover-content]_&]:bg-transparent',
+        String.raw`rtl:**:[.rdp-button\_next>svg]:rotate-180`,
+        String.raw`rtl:**:[.rdp-button\_previous>svg]:rotate-180`,
+        className
+      )}
+      captionLayout={captionLayout}
+      formatters={{
+        formatMonthDropdown: date => date.toLocaleString('default', { month: 'short' }),
+        ...formatters,
+      }}
+      classNames={{
+        root: cn('w-fit', defaultClassNames.root),
+        months: cn('relative flex flex-col gap-4 md:flex-row', defaultClassNames.months),
+        month: cn('flex w-56 flex-col gap-4 last:hidden md:last:flex', defaultClassNames.month),
+        nav: cn(
+          'absolute inset-x-0 top-0 flex w-full items-center justify-between gap-1',
+          defaultClassNames.nav
+        ),
+        button_previous: cn(
+          buttonVariants({ variant: buttonVariant }),
+          'size-8 select-none p-0 aria-disabled:opacity-50',
+          defaultClassNames.button_previous
+        ),
+        button_next: cn(
+          buttonVariants({ variant: buttonVariant }),
+          'size-8 select-none p-0 aria-disabled:opacity-50',
+          defaultClassNames.button_next
+        ),
+        month_caption: cn(
+          'flex h-8 w-full items-center justify-center px-8',
+          defaultClassNames.month_caption
+        ),
+        dropdowns: cn(
+          'flex h-8 w-full items-center justify-center gap-1.5 text-sm font-medium',
+          defaultClassNames.dropdowns
+        ),
+        dropdown_root: cn(
+          'has-focus:border-ring border-input shadow-xs has-focus:ring-ring/50 has-focus:ring-[3px] relative rounded-md border',
+          defaultClassNames.dropdown_root
+        ),
+        dropdown: cn('bg-popover absolute inset-0 opacity-0', defaultClassNames.dropdown),
+        caption_label: cn(
+          'select-none font-medium',
+          captionLayout === 'label'
+            ? 'text-sm'
+            : '[&>svg]:text-muted-foreground flex h-8 items-center gap-1 rounded-md pl-2 pr-1 text-sm [&>svg]:size-3.5',
+          defaultClassNames.caption_label
+        ),
+        month_grid: cn('w-full border-collapse', defaultClassNames.month_grid),
+        weekdays: cn('flex', defaultClassNames.weekdays),
+        weekday: cn(
+          'text-muted-foreground w-8 select-none rounded-md text-[0.8rem] font-normal',
+          defaultClassNames.weekday
+        ),
+        week: cn('mt-2 flex w-full', defaultClassNames.week),
+        week_number_header: cn('w-8 select-none', defaultClassNames.week_number_header),
+        week_number: cn(
+          'text-muted-foreground select-none text-[0.8rem]',
+          defaultClassNames.week_number
+        ),
+        day: cn(
+          'group/day relative size-8 select-none p-0 text-center [&:first-child[data-selected=true]_button]:rounded-l-md [&:last-child[data-selected=true]_button]:rounded-r-md',
+          defaultClassNames.day
+        ),
+        range_start: cn('bg-accent rounded-l-md', defaultClassNames.range_start),
+        range_middle: cn('rounded-none', defaultClassNames.range_middle),
+        range_end: cn('bg-accent rounded-r-md', defaultClassNames.range_end),
+        today: cn(
+          'bg-accent text-accent-foreground rounded-md data-[selected=true]:rounded-none',
+          defaultClassNames.today
+        ),
+        outside: cn(
+          'text-muted-foreground aria-selected:text-muted-foreground',
+          defaultClassNames.outside
+        ),
+        disabled: cn('text-muted-foreground opacity-50', defaultClassNames.disabled),
+        hidden: cn('invisible', defaultClassNames.hidden),
+        ...classNames,
+      }}
+      components={{
+        Root: ({ className, rootRef, ...props }) => {
+          return <div data-slot="calendar" ref={rootRef} className={cn(className)} {...props} />;
+        },
+        Chevron: ({ className, orientation, ...props }) => {
+          if (orientation === 'left') {
+            return <ChevronLeftIcon className={cn('size-4', className)} {...props} />;
+          }
+
+          if (orientation === 'right') {
+            return <ChevronRightIcon className={cn('size-4', className)} {...props} />;
+          }
+
+          return <ChevronDownIcon className={cn('size-4', className)} {...props} />;
+        },
+        DayButton: CalendarDayButton,
+        WeekNumber: ({ children, ...props }) => {
+          return (
+            <td {...props}>
+              <div className="flex size-8 items-center justify-center text-center">{children}</div>
+            </td>
+          );
+        },
+        ...components,
+      }}
+      {...props}
+    />
+  );
+}
+
+function CalendarDayButton({
+  className,
+  day,
+  modifiers,
+  ...props
+}: React.ComponentProps<typeof DayButton>) {
+  const defaultClassNames = getDefaultClassNames();
+
+  const ref = React.useRef<HTMLButtonElement>(null);
+  React.useEffect(() => {
+    if (modifiers.focused) ref.current?.focus();
+  }, [modifiers.focused]);
+
+  return (
+    <Button
+      ref={ref}
+      variant="ghost"
+      size="icon"
+      data-day={day.date.toLocaleDateString()}
+      data-selected-single={
+        modifiers.selected &&
+        !modifiers.range_start &&
+        !modifiers.range_end &&
+        !modifiers.range_middle
+      }
+      data-range-start={modifiers.range_start}
+      data-range-end={modifiers.range_end}
+      data-range-middle={modifiers.range_middle}
+      className={cn(
+        'data-[selected-single=true]:bg-primary data-[selected-single=true]:text-primary-foreground data-[range-middle=true]:bg-accent data-[range-middle=true]:text-accent-foreground data-[range-start=true]:bg-primary data-[range-start=true]:text-primary-foreground data-[range-end=true]:bg-primary data-[range-end=true]:text-primary-foreground group-data-[focused=true]/day:border-ring group-data-[focused=true]/day:ring-ring/50 flex size-8 flex-col gap-1 font-normal leading-none data-[range-end=true]:rounded-md data-[range-middle=true]:rounded-none data-[range-start=true]:rounded-md group-data-[focused=true]/day:relative group-data-[focused=true]/day:z-10 group-data-[focused=true]/day:ring-[3px] [&>span]:text-xs [&>span]:opacity-70',
+        defaultClassNames.day_button,
+        className
+      )}
+      {...props}
+    />
+  );
+}
+
+export { Calendar, CalendarDayButton };
diff --git a/apps/web/src/components/ui/progress.tsx b/apps/web/src/components/ui/progress.tsx
index 83f33d408..9e0a7878c 100644
--- a/apps/web/src/components/ui/progress.tsx
+++ b/apps/web/src/components/ui/progress.tsx
@@ -14,6 +14,7 @@ function Progress({
   return (
     <ProgressPrimitive.Root
       data-slot="progress"
+      value={value}
       className={cn('bg-primary/20 relative h-2 w-full overflow-hidden rounded-full', className)}
       {...props}
     >
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 0b3aecd4d..d1aad7b94 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -857,6 +857,9 @@ importers:
       react-countup:
         specifier: 6.5.3
         version: 6.5.3(react@19.2.6)
+      react-day-picker:
+        specifier: 10.0.1
+        version: 10.0.1(@types/react@19.2.14)(react@19.2.6)
       react-dom:
         specifier: 19.2.6
         version: 19.2.6(react@19.2.6)
@@ -4141,6 +4144,9 @@ packages:
     resolution: {integrity: sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==}
     engines: {node: '>=12'}
 
+  '@date-fns/tz@1.5.0':
+    resolution: {integrity: sha512-lwYN/vDPeNRULcepoE/LO2Pgx+7/RV+S9ARfbc9lr2DtGkOD7pAiruHvbR1RX3Qyf6ja47EWJDMsNK5vK08DJg==}
+
   '@dependents/detective-less@5.0.1':
     resolution: {integrity: sha512-Y6+WUMsTFWE5jb20IFP4YGa5IrGY/+a/FbOSjDF/wz9gepU2hwCYSXRHP/vPwBvwcY3SVMASt4yXxbXNXigmZQ==}
     engines: {node: '>=18'}
@@ -14304,6 +14310,16 @@ packages:
     peerDependencies:
       react: '>= 16.3.0'
 
+  react-day-picker@10.0.1:
+    resolution: {integrity: sha512-eNh6BlwcYInWaJtRv18mXQ06Ys/H6rdTZAnTaSdOYJuTpwP1JMCHNd1FDRadA+gbeinq+psdULN5Xnowy9mV8w==}
+    engines: {node: '>=18'}
+    peerDependencies:
+      '@types/react': '>=16.8.0'
+      react: '>=16.8.0'
+    peerDependenciesMeta:
+      '@types/react':
+        optional: true
+
   react-devtools-core@6.1.5:
     resolution: {integrity: sha512-ePrwPfxAnB+7hgnEr8vpKxL9cmnp7F322t8oqcPshbIQQhDKgFDW4tjhF2wjVbdXF9O/nyuy3sQWd9JGpiLPvA==}
 
@@ -17884,9 +17900,9 @@ snapshots:
       '@chromaui/rrweb-snapshot': 2.0.0-alpha.18-noAbsolute
       '@playwright/test': 1.58.2
       '@segment/analytics-node': 2.1.3
-      '@storybook/addon-essentials': 8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/addon-essentials': 8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@storybook/csf': 0.1.13
-      '@storybook/manager-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/manager-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@storybook/server-webpack5': 8.5.8(@swc/core@1.15.18)(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))(typescript@5.9.3)
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
@@ -17912,9 +17928,9 @@ snapshots:
       '@chromaui/rrweb-snapshot': 2.0.0-alpha.18-noAbsolute
       '@playwright/test': 1.58.2
       '@segment/analytics-node': 2.1.3
-      '@storybook/addon-essentials': 8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/addon-essentials': 8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@storybook/csf': 0.1.13
-      '@storybook/manager-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/manager-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@storybook/server-webpack5': 8.5.8(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))(typescript@5.9.3)
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
@@ -18007,7 +18023,7 @@ snapshots:
       cjs-module-lexer: 1.2.3
       esbuild: 0.27.4
       miniflare: 4.20260603.0(bufferutil@4.1.0)(utf-8-validate@6.0.6)
-      vitest: 4.1.6(@opentelemetry/api@1.9.1)(@types/node@24.12.4)(@vitest/coverage-v8@4.1.6)(@vitest/ui@4.1.6)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)
+      vitest: 4.1.6(@opentelemetry/api@1.9.1)(@types/node@25.5.2)(@vitest/coverage-v8@4.1.6)(@vitest/ui@4.1.6)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)
       wrangler: 4.98.0(@cloudflare/workers-types@4.20260605.1)(bufferutil@4.1.0)(utf-8-validate@6.0.6)
       zod: 3.25.76
     transitivePeerDependencies:
@@ -18333,6 +18349,8 @@ snapshots:
     dependencies:
       '@jridgewell/trace-mapping': 0.3.9
 
+  '@date-fns/tz@1.5.0': {}
+
   '@dependents/detective-less@5.0.1':
     dependencies:
       gonzales-pe: 4.3.0
@@ -22988,7 +23006,7 @@ snapshots:
 
   '@stitches/core@1.2.8': {}
 
-  '@storybook/addon-actions@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-actions@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@storybook/global': 5.0.0
       '@types/uuid': 9.0.8
@@ -22997,26 +23015,26 @@ snapshots:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       uuid: 9.0.1
 
-  '@storybook/addon-backgrounds@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-backgrounds@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@storybook/global': 5.0.0
       memoizerific: 1.11.3
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
 
-  '@storybook/addon-controls@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-controls@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@storybook/global': 5.0.0
       dequal: 2.0.3
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
 
-  '@storybook/addon-docs@8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-docs@8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@mdx-js/react': 3.1.1(@types/react@19.2.14)(react@19.2.6)
-      '@storybook/blocks': 8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/csf-plugin': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/react-dom-shim': 8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/blocks': 8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/csf-plugin': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/react-dom-shim': 8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       react: 19.2.6
       react-dom: 19.2.4(react@19.2.6)
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
@@ -23037,23 +23055,23 @@ snapshots:
     transitivePeerDependencies:
       - '@types/react'
 
-  '@storybook/addon-essentials@8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
-    dependencies:
-      '@storybook/addon-actions': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-backgrounds': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-controls': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-docs': 8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-highlight': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-measure': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-outline': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-toolbars': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/addon-viewport': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+  '@storybook/addon-essentials@8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
+    dependencies:
+      '@storybook/addon-actions': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-backgrounds': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-controls': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-docs': 8.5.8(@types/react@19.2.14)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-highlight': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-measure': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-outline': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-toolbars': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/addon-viewport': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
     transitivePeerDependencies:
       - '@types/react'
 
-  '@storybook/addon-highlight@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-highlight@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@storybook/global': 5.0.0
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
@@ -23065,13 +23083,13 @@ snapshots:
     optionalDependencies:
       react: 19.2.6
 
-  '@storybook/addon-measure@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-measure@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@storybook/global': 5.0.0
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       tiny-invariant: 1.3.3
 
-  '@storybook/addon-outline@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-outline@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@storybook/global': 5.0.0
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
@@ -23082,16 +23100,16 @@ snapshots:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
 
-  '@storybook/addon-toolbars@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-toolbars@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
 
-  '@storybook/addon-viewport@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/addon-viewport@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       memoizerific: 1.11.3
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
 
-  '@storybook/blocks@8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/blocks@8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       '@storybook/csf': 0.1.12
       '@storybook/icons': 1.6.0(react-dom@19.2.4(react@19.2.6))(react@19.2.6)
@@ -23103,7 +23121,7 @@ snapshots:
 
   '@storybook/builder-webpack5@8.5.8(@swc/core@1.15.18)(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))(typescript@5.9.3)':
     dependencies:
-      '@storybook/core-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/core-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@types/semver': 7.7.1
       browser-assert: 1.2.1
       case-sensitive-paths-webpack-plugin: 2.4.0
@@ -23139,7 +23157,7 @@ snapshots:
 
   '@storybook/builder-webpack5@8.5.8(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))(typescript@5.9.3)':
     dependencies:
-      '@storybook/core-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/core-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@types/semver': 7.7.1
       browser-assert: 1.2.1
       case-sensitive-paths-webpack-plugin: 2.4.0
@@ -23201,11 +23219,11 @@ snapshots:
       - uglify-js
       - webpack-cli
 
-  '@storybook/components@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/components@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
 
-  '@storybook/core-webpack@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/core-webpack@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
@@ -23215,7 +23233,7 @@ snapshots:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
 
-  '@storybook/csf-plugin@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/csf-plugin@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       unplugin: 1.16.1
@@ -23240,7 +23258,7 @@ snapshots:
       react: 19.2.6
       react-dom: 19.2.4(react@19.2.6)
 
-  '@storybook/manager-api@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/manager-api@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
 
@@ -23328,17 +23346,17 @@ snapshots:
       - uglify-js
       - webpack-cli
 
-  '@storybook/preset-server-webpack@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/preset-server-webpack@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
-      '@storybook/core-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/core-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@storybook/global': 5.0.0
-      '@storybook/server': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/server': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       safe-identifier: 0.4.2
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
       yaml-loader: 0.8.1
 
-  '@storybook/preview-api@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/preview-api@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
 
@@ -23356,7 +23374,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@storybook/react-dom-shim@8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/react-dom-shim@8.5.8(react-dom@19.2.4(react@19.2.6))(react@19.2.6)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       react: 19.2.6
       react-dom: 19.2.4(react@19.2.6)
@@ -23387,8 +23405,8 @@ snapshots:
   '@storybook/server-webpack5@8.5.8(@swc/core@1.15.18)(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))(typescript@5.9.3)':
     dependencies:
       '@storybook/builder-webpack5': 8.5.8(@swc/core@1.15.18)(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))(typescript@5.9.3)
-      '@storybook/preset-server-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/server': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/preset-server-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/server': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
     transitivePeerDependencies:
       - '@rspack/core'
@@ -23401,8 +23419,8 @@ snapshots:
   '@storybook/server-webpack5@8.5.8(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))(typescript@5.9.3)':
     dependencies:
       '@storybook/builder-webpack5': 8.5.8(esbuild@0.27.4)(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))(typescript@5.9.3)
-      '@storybook/preset-server-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/server': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/preset-server-webpack': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/server': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
     transitivePeerDependencies:
       - '@rspack/core'
@@ -23413,14 +23431,14 @@ snapshots:
       - webpack-cli
     optional: true
 
-  '@storybook/server@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/server@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
-      '@storybook/components': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/components': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       '@storybook/csf': 0.1.12
       '@storybook/global': 5.0.0
-      '@storybook/manager-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/preview-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
-      '@storybook/theming': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))
+      '@storybook/manager-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/preview-api': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
+      '@storybook/theming': 8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
       ts-dedent: 2.2.0
       yaml: 2.8.4
@@ -23455,7 +23473,7 @@ snapshots:
       - supports-color
       - ts-node
 
-  '@storybook/theming@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6))':
+  '@storybook/theming@8.5.8(storybook@9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4)))':
     dependencies:
       storybook: 9.1.20(bufferutil@4.1.0)(utf-8-validate@6.0.6)(vite@8.0.10(@types/node@25.5.2)(esbuild@0.27.4)(jiti@2.7.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.4))
 
@@ -30741,6 +30759,14 @@ snapshots:
       countup.js: 2.10.0
       react: 19.2.6
 
+  react-day-picker@10.0.1(@types/react@19.2.14)(react@19.2.6):
+    dependencies:
+      '@date-fns/tz': 1.5.0
+      date-fns: 4.1.0
+      react: 19.2.6
+    optionalDependencies:
+      '@types/react': 19.2.14
+
   react-devtools-core@6.1.5(bufferutil@4.1.0)(utf-8-validate@6.0.6):
     dependencies:
       shell-quote: 1.8.4

From 861c9652be1e7c294f324e6506d9155ccd4a58fa Mon Sep 17 00:00:00 2001
From: Jean du Plessis <jean@kilocode.ai>
Date: Wed, 17 Jun 2026 21:26:58 +0200
Subject: [PATCH 2/3] fix(security-agent): address UI polish findings

---
 .../[id]/security-agent/page.tsx              |  16 +-
 .../web/src/app/(app)/security-agent/page.tsx |  16 +-
 .../code-reviews/RepositoryMultiSelect.tsx    |  30 ++--
 .../security-agent/FindingDetailDialog.tsx    |   8 +-
 .../SecurityAuditReportPage.test.ts           |  29 ++++
 .../SecurityAuditReportPage.tsx               | 152 ++++++++++++++----
 .../security-agent/SecurityConfigSections.tsx |  13 +-
 .../security-agent/SecurityDashboard.tsx      |   2 +-
 apps/web/src/components/ui/badge-variants.ts  |  27 ++++
 apps/web/src/components/ui/badge.tsx          |  28 +---
 apps/web/src/components/ui/button-variants.ts |  35 ++++
 apps/web/src/components/ui/button.tsx         |  53 ++----
 apps/web/src/components/ui/calendar.tsx       |  11 +-
 13 files changed, 269 insertions(+), 151 deletions(-)
 create mode 100644 apps/web/src/components/ui/badge-variants.ts
 create mode 100644 apps/web/src/components/ui/button-variants.ts

diff --git a/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx b/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx
index 9974b42d9..ceb08de0f 100644
--- a/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx
+++ b/apps/web/src/app/(app)/organizations/[id]/security-agent/page.tsx
@@ -1,7 +1,6 @@
 'use client';
 
-import { useRouter } from 'next/navigation';
-import { useEffect } from 'react';
+import { redirect } from 'next/navigation';
 import { Loader2 } from 'lucide-react';
 import { useSecurityAgent } from '@/components/security-agent/SecurityAgentContext';
 import { SecurityDashboard } from '@/components/security-agent/SecurityDashboard';
@@ -9,24 +8,13 @@ import { SecurityDashboard } from '@/components/security-agent/SecurityDashboard
 export default function OrgSecurityAgentDashboardPage() {
   const { hasIntegration, isEnabled, isLoadingConfig, isLoadingPermission, organizationId } =
     useSecurityAgent();
-  const router = useRouter();
 
   const shouldRedirectToConfig =
     !!organizationId &&
     ((!isLoadingPermission && !hasIntegration) || (hasIntegration && isEnabled === false));
 
-  useEffect(() => {
-    if (shouldRedirectToConfig) {
-      router.replace(`/organizations/${organizationId}/security-agent/config`);
-    }
-  }, [shouldRedirectToConfig, organizationId, router]);
-
   if (shouldRedirectToConfig) {
-    return (
-      <div className="text-muted-foreground block py-16 text-center text-sm">
-        Opening settings...
-      </div>
-    );
+    redirect(`/organizations/${organizationId}/security-agent/config`);
   }
 
   if (isLoadingPermission || (hasIntegration && isLoadingConfig)) {
diff --git a/apps/web/src/app/(app)/security-agent/page.tsx b/apps/web/src/app/(app)/security-agent/page.tsx
index 6fddb31b3..2e38b07f4 100644
--- a/apps/web/src/app/(app)/security-agent/page.tsx
+++ b/apps/web/src/app/(app)/security-agent/page.tsx
@@ -1,14 +1,12 @@
 'use client';
 
-import { useRouter } from 'next/navigation';
-import { useEffect } from 'react';
+import { redirect } from 'next/navigation';
 import { Loader2 } from 'lucide-react';
 import { useSecurityAgent } from '@/components/security-agent/SecurityAgentContext';
 import { SecurityDashboard } from '@/components/security-agent/SecurityDashboard';
 
 export default function SecurityAgentDashboardPage() {
   const { hasIntegration, isEnabled, isLoadingConfig, isLoadingPermission } = useSecurityAgent();
-  const router = useRouter();
 
   // Redirect per truth table:
   // No integration -> redirect to settings with install CTA
@@ -18,18 +16,8 @@ export default function SecurityAgentDashboardPage() {
   const shouldRedirectToConfig =
     (!isLoadingPermission && !hasIntegration) || (hasIntegration && isEnabled === false);
 
-  useEffect(() => {
-    if (shouldRedirectToConfig) {
-      router.replace('/security-agent/config');
-    }
-  }, [shouldRedirectToConfig, router]);
-
   if (shouldRedirectToConfig) {
-    return (
-      <div className="text-muted-foreground block py-16 text-center text-sm">
-        Opening settings...
-      </div>
-    );
+    redirect('/security-agent/config');
   }
 
   if (isLoadingPermission || (hasIntegration && isLoadingConfig)) {
diff --git a/apps/web/src/components/code-reviews/RepositoryMultiSelect.tsx b/apps/web/src/components/code-reviews/RepositoryMultiSelect.tsx
index df1894078..1b57d9c0a 100644
--- a/apps/web/src/components/code-reviews/RepositoryMultiSelect.tsx
+++ b/apps/web/src/components/code-reviews/RepositoryMultiSelect.tsx
@@ -137,7 +137,7 @@ export function RepositoryMultiSelect({
     <div className="space-y-3">
       {/* Search Input */}
       <div className="relative">
-        <Search className="absolute top-1/2 left-3 h-4 w-4 -translate-y-1/2 text-gray-400" />
+        <Search className="text-muted-foreground absolute top-1/2 left-3 h-4 w-4 -translate-y-1/2" />
         <Input
           type="text"
           placeholder="Search repositories..."
@@ -146,7 +146,7 @@ export function RepositoryMultiSelect({
           className="pl-9"
         />
         {isSearching && (
-          <Loader2 className="absolute top-1/2 right-3 h-4 w-4 -translate-y-1/2 animate-spin text-gray-400" />
+          <Loader2 className="text-muted-foreground absolute top-1/2 right-3 h-4 w-4 -translate-y-1/2 animate-spin" />
         )}
       </div>
 
@@ -175,11 +175,11 @@ export function RepositoryMultiSelect({
       </div>
 
       {/* Repository List */}
-      <div className="h-64 overflow-y-auto rounded-md border">
+      <div className="border-border bg-background h-64 overflow-y-auto rounded-md border">
         <div className="space-y-3 p-4">
           {/* Local Results */}
           {filteredLocalRepositories.length === 0 && !showApiSection ? (
-            <div className="py-8 text-center text-sm text-gray-400">
+            <div className="text-muted-foreground py-8 text-center text-sm">
               {searchQuery ? 'No repositories match your search' : 'No repositories available'}
             </div>
           ) : (
@@ -191,8 +191,8 @@ export function RepositoryMultiSelect({
                   <div
                     key={repo.id}
                     className={cn(
-                      'flex items-center gap-3 rounded-md p-2 transition-colors hover:bg-gray-800/50',
-                      isChecked && 'bg-gray-800/30'
+                      'hover:bg-accent flex items-center gap-3 rounded-md p-2 transition-colors',
+                      isChecked && 'bg-accent text-accent-foreground'
                     )}
                   >
                     <Checkbox
@@ -205,9 +205,9 @@ export function RepositoryMultiSelect({
                       className="flex flex-1 cursor-pointer items-center gap-2 text-sm"
                     >
                       {repo.private ? (
-                        <Lock className="h-3.5 w-3.5 shrink-0 text-yellow-500" />
+                        <Lock className="text-primary h-3.5 w-3.5 shrink-0" />
                       ) : (
-                        <Unlock className="h-3.5 w-3.5 shrink-0 text-gray-500" />
+                        <Unlock className="text-muted-foreground h-3.5 w-3.5 shrink-0" />
                       )}
                       <span className="truncate font-mono">{repo.full_name}</span>
                     </label>
@@ -218,8 +218,8 @@ export function RepositoryMultiSelect({
               {/* API Search Results Section */}
               {showApiSection && (
                 <>
-                  <div className="my-3 flex items-center gap-2 border-t border-gray-700 pt-3">
-                    <span className="text-xs text-gray-400">
+                  <div className="border-border my-3 flex items-center gap-2 border-t pt-3">
+                    <span className="text-muted-foreground text-xs">
                       {isSearching ? (
                         <span className="flex items-center gap-1">
                           <Loader2 className="h-3 w-3 animate-spin" />
@@ -240,8 +240,8 @@ export function RepositoryMultiSelect({
                       <div
                         key={`api-${repo.id}`}
                         className={cn(
-                          'flex items-center gap-3 rounded-md p-2 transition-colors hover:bg-gray-800/50',
-                          isChecked && 'bg-gray-800/30'
+                          'hover:bg-accent flex items-center gap-3 rounded-md p-2 transition-colors',
+                          isChecked && 'bg-accent text-accent-foreground'
                         )}
                       >
                         <Checkbox
@@ -254,9 +254,9 @@ export function RepositoryMultiSelect({
                           className="flex flex-1 cursor-pointer items-center gap-2 text-sm"
                         >
                           {repo.private ? (
-                            <Lock className="h-3.5 w-3.5 shrink-0 text-yellow-500" />
+                            <Lock className="text-primary h-3.5 w-3.5 shrink-0" />
                           ) : (
-                            <Unlock className="h-3.5 w-3.5 shrink-0 text-gray-500" />
+                            <Unlock className="text-muted-foreground h-3.5 w-3.5 shrink-0" />
                           )}
                           <span className="truncate font-mono">{repo.full_name}</span>
                         </label>
@@ -271,7 +271,7 @@ export function RepositoryMultiSelect({
       </div>
 
       {/* Selection Count */}
-      <div className="text-xs text-gray-400">
+      <div className="text-muted-foreground text-xs">
         {selectedIds.length} of {repositories.length} repositories selected
       </div>
     </div>
diff --git a/apps/web/src/components/security-agent/FindingDetailDialog.tsx b/apps/web/src/components/security-agent/FindingDetailDialog.tsx
index 7ea8adb7a..d84bd920a 100644
--- a/apps/web/src/components/security-agent/FindingDetailDialog.tsx
+++ b/apps/web/src/components/security-agent/FindingDetailDialog.tsx
@@ -2966,7 +2966,7 @@ export function FindingDetailDialog({
     return false as const;
   };
 
-  const orgAnalysisQuery = useQuery({
+  const { data: orgAnalysisData, refetch: refetchOrgAnalysis } = useQuery({
     ...trpc.organizations.securityAgent.getAnalysis.queryOptions({
       organizationId: organizationId ?? '',
       findingId: findingId ?? '',
@@ -2974,15 +2974,15 @@ export function FindingDetailDialog({
     enabled: open && Boolean(initialFinding) && isOrg,
     refetchInterval: pollWhileActive,
   });
-  const personalAnalysisQuery = useQuery({
+  const { data: personalAnalysisData, refetch: refetchPersonalAnalysis } = useQuery({
     ...trpc.securityAgent.getAnalysis.queryOptions({
       findingId: findingId ?? '',
     }),
     enabled: open && Boolean(initialFinding) && !isOrg,
     refetchInterval: pollWhileActive,
   });
-  const analysisData = isOrg ? orgAnalysisQuery.data : personalAnalysisQuery.data;
-  const refetchAnalysis = isOrg ? orgAnalysisQuery.refetch : personalAnalysisQuery.refetch;
+  const analysisData = isOrg ? orgAnalysisData : personalAnalysisData;
+  const refetchAnalysis = isOrg ? refetchOrgAnalysis : refetchPersonalAnalysis;
   const analysisSettlementKey =
     findingId && analysisData?.completedAt ? `${findingId}:${analysisData.completedAt}` : null;
 
diff --git a/apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts b/apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts
index 6ffa15e0e..f9061f12c 100644
--- a/apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts
+++ b/apps/web/src/components/security-agent/SecurityAuditReportPage.test.ts
@@ -8,6 +8,8 @@ import type {
 } from '@/lib/security-agent/db/security-audit-report';
 import {
   AuditReportProvenance,
+  auditReportControlsReducer,
+  createAuditReportControlsState,
   filterSecurityAgentAuditReport,
   formatAuditEventTime,
   formatDateTime24Hour,
@@ -109,6 +111,33 @@ describe('audit report owner context', () => {
   });
 });
 
+describe('audit report control state', () => {
+  it('submits a complete draft range and normalized filters in one transition', () => {
+    const state = createAuditReportControlsState({
+      initialRange: { startDate: '2026-03-19', endDate: '2026-06-16' },
+      initialFilters: { severity: 'all', state: 'all', repository: null },
+    });
+    const submittedRange = { startDate: '2026-05-01', endDate: '2026-05-31' };
+    const submittedFilters = {
+      severity: 'high',
+      state: 'ignored',
+      repository: 'kilo/web',
+    } as const;
+
+    const nextState = auditReportControlsReducer(state, {
+      type: 'submit-report',
+      range: submittedRange,
+      filters: submittedFilters,
+    });
+
+    expect(nextState.submittedRange).toBe(submittedRange);
+    expect(nextState.draftFilters).toBe(submittedFilters);
+    expect(nextState.submittedFilters).toBe(submittedFilters);
+    expect(nextState.draftRange).toBe(state.draftRange);
+    expect(nextState.isRangePickerOpen).toBe(false);
+  });
+});
+
 describe('audit report filters', () => {
   it('parses supported URL filters and defaults unsupported values to all', () => {
     expect(
diff --git a/apps/web/src/components/security-agent/SecurityAuditReportPage.tsx b/apps/web/src/components/security-agent/SecurityAuditReportPage.tsx
index 715eabce8..2846ace36 100644
--- a/apps/web/src/components/security-agent/SecurityAuditReportPage.tsx
+++ b/apps/web/src/components/security-agent/SecurityAuditReportPage.tsx
@@ -1,7 +1,7 @@
 'use client';
 
 import { useSearchParams } from 'next/navigation';
-import React, { type FormEvent, type ReactNode, useState } from 'react';
+import React, { type FormEvent, type ReactNode, useReducer } from 'react';
 import { useQuery } from '@tanstack/react-query';
 import { differenceInCalendarDays, format as formatCalendarDateLabel } from 'date-fns';
 import {
@@ -70,6 +70,42 @@ export type AuditReportFilters = {
   repository: string | null;
 };
 
+export type AuditReportControlsState = {
+  draftRange: DayPickerDateRange | undefined;
+  submittedRange: DateRange;
+  draftFilters: AuditReportFilters;
+  submittedFilters: AuditReportFilters;
+  isRangePickerOpen: boolean;
+};
+
+type AuditReportControlsStateInput = {
+  initialRange: DateRange;
+  initialFilters: AuditReportFilters;
+};
+
+type AuditReportControlsAction =
+  | {
+      type: 'set-range-picker-open';
+      open: boolean;
+    }
+  | {
+      type: 'select-draft-range';
+      range: DayPickerDateRange | undefined;
+      closePicker: boolean;
+    }
+  | {
+      type: 'set-draft-filter';
+      filter: Partial<AuditReportFilters>;
+    }
+  | {
+      type: 'submit-report';
+      range: DateRange;
+      filters: AuditReportFilters;
+    }
+  | {
+      type: 'clear-filters';
+    };
+
 const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low'] as const;
 const FINDING_SUPERSEDED_ACTION = 'security.finding.superseded';
 const MAX_AUDIT_REPORT_DAYS = 90;
@@ -161,6 +197,53 @@ export function hasSecurityAgentAuditReportOwnerContext(
   return !isOrg || Boolean(organizationId);
 }
 
+export function createAuditReportControlsState({
+  initialRange,
+  initialFilters,
+}: AuditReportControlsStateInput): AuditReportControlsState {
+  return {
+    draftRange: toDayPickerDateRange(initialRange),
+    submittedRange: initialRange,
+    draftFilters: initialFilters,
+    submittedFilters: initialFilters,
+    isRangePickerOpen: false,
+  };
+}
+
+export function auditReportControlsReducer(
+  state: AuditReportControlsState,
+  action: AuditReportControlsAction
+): AuditReportControlsState {
+  switch (action.type) {
+    case 'set-range-picker-open':
+      return { ...state, isRangePickerOpen: action.open };
+    case 'select-draft-range':
+      return {
+        ...state,
+        draftRange: action.range,
+        isRangePickerOpen: action.closePicker ? false : state.isRangePickerOpen,
+      };
+    case 'set-draft-filter':
+      return {
+        ...state,
+        draftFilters: { ...state.draftFilters, ...action.filter },
+      };
+    case 'submit-report':
+      return {
+        ...state,
+        submittedRange: action.range,
+        draftFilters: action.filters,
+        submittedFilters: action.filters,
+      };
+    case 'clear-filters':
+      return {
+        ...state,
+        draftFilters: ALL_AUDIT_REPORT_FILTERS,
+        submittedFilters: ALL_AUDIT_REPORT_FILTERS,
+      };
+  }
+}
+
 export function SecurityAuditReportPage() {
   const trpc = useTRPC();
   const searchParams = useSearchParams();
@@ -173,13 +256,13 @@ export function SecurityAuditReportPage() {
     ? requestedRange
     : getDefaultAuditReportDateRange();
   const initialFilters = parseAuditReportFilters(searchParams);
-  const [draftRange, setDraftRange] = useState<DayPickerDateRange | undefined>(() =>
-    toDayPickerDateRange(initialRange)
+  const [controlsState, dispatchControlsState] = useReducer(
+    auditReportControlsReducer,
+    { initialRange, initialFilters },
+    createAuditReportControlsState
   );
-  const [submittedRange, setSubmittedRange] = useState<DateRange>(initialRange);
-  const [draftFilters, setDraftFilters] = useState<AuditReportFilters>(initialFilters);
-  const [submittedFilters, setSubmittedFilters] = useState<AuditReportFilters>(initialFilters);
-  const [isRangePickerOpen, setIsRangePickerOpen] = useState(false);
+  const { draftRange, submittedRange, draftFilters, submittedFilters, isRangePickerOpen } =
+    controlsState;
   const completeDraftRange = toAuditReportDateRange(draftRange);
   const latestSelectableDate = utcDateAsLocalCalendarDate(new Date());
   const hasOwnerContext = hasSecurityAgentAuditReportOwnerContext(isOrg, organizationId);
@@ -216,20 +299,24 @@ export function SecurityAuditReportPage() {
   function handleGenerateReport(event: FormEvent<HTMLFormElement>) {
     event.preventDefault();
     if (!completeDraftRange) return;
-    setSubmittedRange(completeDraftRange);
-    setDraftFilters(effectiveDraftFilters);
-    setSubmittedFilters(effectiveDraftFilters);
+    dispatchControlsState({
+      type: 'submit-report',
+      range: completeDraftRange,
+      filters: effectiveDraftFilters,
+    });
   }
 
   function handleDateRangeSelect(nextRange: DayPickerDateRange | undefined) {
     if (nextRange?.from && nextRange.to && !isWithinAuditReportRangeLimit(nextRange)) return;
-    setDraftRange(nextRange);
-    if (nextRange?.from && nextRange.to) setIsRangePickerOpen(false);
+    dispatchControlsState({
+      type: 'select-draft-range',
+      range: nextRange,
+      closePicker: Boolean(nextRange?.from && nextRange.to),
+    });
   }
 
   function handleClearFilters() {
-    setDraftFilters(ALL_AUDIT_REPORT_FILTERS);
-    setSubmittedFilters(ALL_AUDIT_REPORT_FILTERS);
+    dispatchControlsState({ type: 'clear-filters' });
   }
 
   return (
@@ -251,7 +338,12 @@ export function SecurityAuditReportPage() {
                   label="Report period"
                   className="md:col-span-2 xl:col-span-1"
                 >
-                  <Popover open={isRangePickerOpen} onOpenChange={setIsRangePickerOpen}>
+                  <Popover
+                    open={isRangePickerOpen}
+                    onOpenChange={open =>
+                      dispatchControlsState({ type: 'set-range-picker-open', open })
+                    }
+                  >
                     <PopoverTrigger asChild>
                       <Button
                         id="audit-report-date-range"
@@ -291,10 +383,12 @@ export function SecurityAuditReportPage() {
                   <Select
                     value={draftFilters.severity}
                     onValueChange={severity =>
-                      setDraftFilters(current => ({
-                        ...current,
-                        severity: parseAuditReportSeverityFilter(severity),
-                      }))
+                      dispatchControlsState({
+                        type: 'set-draft-filter',
+                        filter: {
+                          severity: parseAuditReportSeverityFilter(severity),
+                        },
+                      })
                     }
                   >
                     <SelectTrigger
@@ -317,10 +411,12 @@ export function SecurityAuditReportPage() {
                   <Select
                     value={draftFilters.state}
                     onValueChange={state =>
-                      setDraftFilters(current => ({
-                        ...current,
-                        state: parseAuditReportStateFilter(state),
-                      }))
+                      dispatchControlsState({
+                        type: 'set-draft-filter',
+                        filter: {
+                          state: parseAuditReportStateFilter(state),
+                        },
+                      })
                     }
                   >
                     <SelectTrigger id="audit-report-state" className="min-h-11 w-full sm:min-h-9">
@@ -341,10 +437,12 @@ export function SecurityAuditReportPage() {
                   <Select
                     value={effectiveDraftFilters.repository ?? 'all'}
                     onValueChange={repository =>
-                      setDraftFilters(current => ({
-                        ...current,
-                        repository: parseAuditReportRepositoryFilter(repository),
-                      }))
+                      dispatchControlsState({
+                        type: 'set-draft-filter',
+                        filter: {
+                          repository: parseAuditReportRepositoryFilter(repository),
+                        },
+                      })
                     }
                   >
                     <SelectTrigger
diff --git a/apps/web/src/components/security-agent/SecurityConfigSections.tsx b/apps/web/src/components/security-agent/SecurityConfigSections.tsx
index 6ac75eeda..118973811 100644
--- a/apps/web/src/components/security-agent/SecurityConfigSections.tsx
+++ b/apps/web/src/components/security-agent/SecurityConfigSections.tsx
@@ -133,15 +133,20 @@ function SectionToggle({
 }) {
   return (
     <div className="flex shrink-0 items-center gap-3">
-      <span className="text-muted-foreground text-xs font-medium" aria-hidden="true">
-        {checked ? 'On' : 'Off'}
-      </span>
+      <div className="space-y-0.5 text-right">
+        <Label htmlFor={id} className="text-sm font-medium">
+          {label}
+        </Label>
+        <div id={`${id}-state`} className="text-muted-foreground text-xs font-medium">
+          {checked ? 'On' : 'Off'}
+        </div>
+      </div>
       <Switch
         id={id}
         checked={checked}
         disabled={disabled}
         onCheckedChange={onCheckedChange}
-        aria-label={label}
+        aria-describedby={`${id}-state`}
       />
     </div>
   );
diff --git a/apps/web/src/components/security-agent/SecurityDashboard.tsx b/apps/web/src/components/security-agent/SecurityDashboard.tsx
index ca5ba0dfa..95fda3650 100644
--- a/apps/web/src/components/security-agent/SecurityDashboard.tsx
+++ b/apps/web/src/components/security-agent/SecurityDashboard.tsx
@@ -564,7 +564,7 @@ function AttentionCard({
       aria-labelledby="attention-heading"
     >
       <div className="grid lg:grid-cols-[minmax(0,1.35fr)_minmax(20rem,0.65fr)]">
-        <div className="p-5 sm:p-6 lg:p-8">
+        <div className="p-5 sm:p-6">
           <div className="text-status-destructive flex items-center gap-2 text-sm font-medium">
             <ShieldAlert className="size-4" aria-hidden="true" />
             Act first
diff --git a/apps/web/src/components/ui/badge-variants.ts b/apps/web/src/components/ui/badge-variants.ts
new file mode 100644
index 000000000..27fda0046
--- /dev/null
+++ b/apps/web/src/components/ui/badge-variants.ts
@@ -0,0 +1,27 @@
+import { cva, type VariantProps } from 'class-variance-authority';
+
+const badgeVariants = cva(
+  'type-label inline-flex items-center justify-center rounded-md border px-2 py-0.5 w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring focus-visible:ring-[3px] aria-invalid:ring-destructive/20 aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden',
+  {
+    variants: {
+      variant: {
+        default: 'border-transparent bg-primary text-primary-foreground [a&]:hover:bg-primary/90',
+        secondary:
+          'border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90',
+        'secondary-outline': 'bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90',
+        destructive:
+          'border-transparent bg-destructive/60 text-white [a&]:hover:bg-destructive/90 focus-visible:ring-destructive/40',
+        outline: 'text-foreground [a&]:hover:bg-accent [a&]:hover:text-accent-foreground',
+        beta: 'rounded-full bg-blue-500/10 px-3 py-1 font-semibold text-blue-400 ring-1 ring-blue-500/20 border-transparent',
+        new: 'rounded-full bg-green-500/10 px-3 py-1 font-semibold text-green-400 ring-1 ring-green-500/20 border-transparent',
+      },
+    },
+    defaultVariants: {
+      variant: 'default',
+    },
+  }
+);
+
+type BadgeVariantProps = VariantProps<typeof badgeVariants>;
+
+export { badgeVariants, type BadgeVariantProps };
diff --git a/apps/web/src/components/ui/badge.tsx b/apps/web/src/components/ui/badge.tsx
index dcb6eb361..9d1d5509d 100644
--- a/apps/web/src/components/ui/badge.tsx
+++ b/apps/web/src/components/ui/badge.tsx
@@ -1,37 +1,15 @@
 import * as React from 'react';
 import { Slot } from '@radix-ui/react-slot';
-import { cva, type VariantProps } from 'class-variance-authority';
 
 import { cn } from '@/lib/utils';
-
-const badgeVariants = cva(
-  'type-label inline-flex items-center justify-center rounded-md border px-2 py-0.5 w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring focus-visible:ring-[3px] aria-invalid:ring-destructive/20 aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden',
-  {
-    variants: {
-      variant: {
-        default: 'border-transparent bg-primary text-primary-foreground [a&]:hover:bg-primary/90',
-        secondary:
-          'border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90',
-        'secondary-outline': 'bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90',
-        destructive:
-          'border-transparent bg-destructive/60 text-white [a&]:hover:bg-destructive/90 focus-visible:ring-destructive/40',
-        outline: 'text-foreground [a&]:hover:bg-accent [a&]:hover:text-accent-foreground',
-        beta: 'rounded-full bg-blue-500/10 px-3 py-1 font-semibold text-blue-400 ring-1 ring-blue-500/20 border-transparent',
-        new: 'rounded-full bg-green-500/10 px-3 py-1 font-semibold text-green-400 ring-1 ring-green-500/20 border-transparent',
-      },
-    },
-    defaultVariants: {
-      variant: 'default',
-    },
-  }
-);
+import { badgeVariants, type BadgeVariantProps } from './badge-variants';
 
 function Badge({
   className,
   variant,
   asChild = false,
   ...props
-}: React.ComponentProps<'span'> & VariantProps<typeof badgeVariants> & { asChild?: boolean }) {
+}: React.ComponentProps<'span'> & BadgeVariantProps & { asChild?: boolean }) {
   const Comp = asChild ? Slot : 'span';
 
   return (
@@ -39,4 +17,4 @@ function Badge({
   );
 }
 
-export { Badge, badgeVariants };
+export { Badge };
diff --git a/apps/web/src/components/ui/button-variants.ts b/apps/web/src/components/ui/button-variants.ts
new file mode 100644
index 000000000..c6624c43a
--- /dev/null
+++ b/apps/web/src/components/ui/button-variants.ts
@@ -0,0 +1,35 @@
+import { cva, type VariantProps } from 'class-variance-authority';
+
+const buttonVariants = cva(
+  'type-label inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md transition-colors cursor-pointer focus-visible:outline-none focus-visible:ring-[3px] focus-visible:ring-ring disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg]:size-4 [&_svg]:shrink-0',
+  {
+    variants: {
+      variant: {
+        default: 'bg-primary text-primary-foreground hover:bg-primary-hover',
+        brand:
+          'bg-brand-primary text-primary-foreground hover:bg-brand-primary-hover focus-visible:ring-brand-primary-ring',
+        primary: 'bg-primary text-primary-foreground hover:bg-primary-hover',
+        destructive: 'bg-destructive text-destructive-foreground hover:bg-destructive-hover',
+        outline:
+          'border border-input bg-input-background hover:bg-accent hover:text-accent-foreground',
+        secondary: 'bg-secondary text-secondary-foreground hover:bg-accent',
+        ghost: 'hover:bg-accent hover:text-accent-foreground',
+        link: 'text-link underline-offset-4 hover:text-link-hover hover:underline',
+      },
+      size: {
+        default: 'h-9 px-4 py-2',
+        sm: 'h-8 rounded-md px-3',
+        lg: 'h-10 rounded-md px-8',
+        icon: 'h-9 w-9',
+      },
+    },
+    defaultVariants: {
+      variant: 'default',
+      size: 'default',
+    },
+  }
+);
+
+type ButtonVariantProps = VariantProps<typeof buttonVariants>;
+
+export { buttonVariants, type ButtonVariantProps };
diff --git a/apps/web/src/components/ui/button.tsx b/apps/web/src/components/ui/button.tsx
index 40cd4623c..780a242e5 100644
--- a/apps/web/src/components/ui/button.tsx
+++ b/apps/web/src/components/ui/button.tsx
@@ -1,52 +1,17 @@
 import * as React from 'react';
 import { Slot } from '@radix-ui/react-slot';
-import { cva, type VariantProps } from 'class-variance-authority';
 
 import { cn } from '@/lib/utils';
+import { buttonVariants, type ButtonVariantProps } from './button-variants';
 
-const buttonVariants = cva(
-  'type-label inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md transition-colors cursor-pointer focus-visible:outline-none focus-visible:ring-[3px] focus-visible:ring-ring disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg]:size-4 [&_svg]:shrink-0',
-  {
-    variants: {
-      variant: {
-        default: 'bg-primary text-primary-foreground hover:bg-primary-hover',
-        brand:
-          'bg-brand-primary text-primary-foreground hover:bg-brand-primary-hover focus-visible:ring-brand-primary-ring',
-        primary: 'bg-primary text-primary-foreground hover:bg-primary-hover',
-        destructive: 'bg-destructive text-destructive-foreground hover:bg-destructive-hover',
-        outline:
-          'border border-input bg-input-background hover:bg-accent hover:text-accent-foreground',
-        secondary: 'bg-secondary text-secondary-foreground hover:bg-accent',
-        ghost: 'hover:bg-accent hover:text-accent-foreground',
-        link: 'text-link underline-offset-4 hover:text-link-hover hover:underline',
-      },
-      size: {
-        default: 'h-9 px-4 py-2',
-        sm: 'h-8 rounded-md px-3',
-        lg: 'h-10 rounded-md px-8',
-        icon: 'h-9 w-9',
-      },
-    },
-    defaultVariants: {
-      variant: 'default',
-      size: 'default',
-    },
-  }
-);
+export type ButtonProps = React.ComponentPropsWithRef<'button'> &
+  ButtonVariantProps & {
+    asChild?: boolean;
+  };
 
-export interface ButtonProps
-  extends React.ButtonHTMLAttributes<HTMLButtonElement>, VariantProps<typeof buttonVariants> {
-  asChild?: boolean;
+function Button({ className, variant, size, asChild = false, ref, ...props }: ButtonProps) {
+  const Comp = asChild ? Slot : 'button';
+  return <Comp className={cn(buttonVariants({ variant, size }), className)} ref={ref} {...props} />;
 }
 
-const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
-  ({ className, variant, size, asChild = false, ...props }, ref) => {
-    const Comp = asChild ? Slot : 'button';
-    return (
-      <Comp className={cn(buttonVariants({ variant, size }), className)} ref={ref} {...props} />
-    );
-  }
-);
-Button.displayName = 'Button';
-
-export { Button, buttonVariants };
+export { Button };
diff --git a/apps/web/src/components/ui/calendar.tsx b/apps/web/src/components/ui/calendar.tsx
index 64522222d..ea057a933 100644
--- a/apps/web/src/components/ui/calendar.tsx
+++ b/apps/web/src/components/ui/calendar.tsx
@@ -6,7 +6,13 @@ import { DayPicker, getDefaultClassNames } from 'react-day-picker';
 import type { DayButton } from 'react-day-picker';
 
 import { cn } from '@/lib/utils';
-import { Button, buttonVariants } from '@/components/ui/button';
+import { Button } from '@/components/ui/button';
+import { buttonVariants } from '@/components/ui/button-variants';
+
+const rtlChevronClassNames = [
+  'rtl:**:[.rdp-button\\_next>svg]:rotate-180',
+  'rtl:**:[.rdp-button\\_previous>svg]:rotate-180',
+] as const;
 
 function Calendar({
   className,
@@ -27,8 +33,7 @@ function Calendar({
       showOutsideDays={showOutsideDays}
       className={cn(
         'bg-background group/calendar p-3 [[data-slot=card-content]_&]:bg-transparent [[data-slot=popover-content]_&]:bg-transparent',
-        String.raw`rtl:**:[.rdp-button\_next>svg]:rotate-180`,
-        String.raw`rtl:**:[.rdp-button\_previous>svg]:rotate-180`,
+        rtlChevronClassNames,
         className
       )}
       captionLayout={captionLayout}

From 3ce9033539a4d0d309e6f4fb83df5a61f67fd730 Mon Sep 17 00:00:00 2001
From: Jean du Plessis <jean@kilocode.ai>
Date: Wed, 17 Jun 2026 21:28:56 +0200
Subject: [PATCH 3/3] fix(security-agent): balance automation option
 descriptions

---
 .../src/components/security-agent/SecurityConfigSections.tsx  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/web/src/components/security-agent/SecurityConfigSections.tsx b/apps/web/src/components/security-agent/SecurityConfigSections.tsx
index 118973811..53826c53f 100644
--- a/apps/web/src/components/security-agent/SecurityConfigSections.tsx
+++ b/apps/web/src/components/security-agent/SecurityConfigSections.tsx
@@ -229,11 +229,11 @@ function OptionGrid<Value extends string>({
               className={cn('mt-0.5', selected && 'border-brand-primary text-brand-primary')}
               disabled={disabled}
             />
-            <span className="space-y-1">
+            <span className="flex min-w-0 flex-1 flex-col gap-1">
               <span className={cn('block font-medium', selected && 'text-brand-primary')}>
                 {option.label}
               </span>
-              <span className="text-muted-foreground block text-xs font-normal">
+              <span className="text-muted-foreground block min-h-10 text-xs leading-5 font-normal">
                 {option.description}
               </span>
             </span>