refactor(guard): dedupe dashboard decoding and CLI helpers

[michiosw]

Summary
This cleans up Guard dashboard decoding and Guard CLI helpers by making decision/profile IDs single-source-of-truth, removing duplicated wrappers, and keeping embedded assets in sync.

Before this, the dashboard duplicated allowed values between type unions and JSON decoding, and Guard CLI had repeated FlagSet boilerplate plus pass-through localruntime wrappers. Sidecar/hook failure paths also hid the underlying error reason. The repo also needed a dashboard asset refresh after the type cleanup.

Now the Guard path has one canonical set of values and clearer failure visibility:

user activity -> risk events -> dashboard rendering
hook runtime -> sidecar eval -> warning on stderr (only on error)

Why
This gives kontext-cli a cleaner maintenance path for Guard:

input/event -> boundary decode -> canonical helper/type/path -> result

This PR does not broaden behavior beyond the cleanup scope.

What changed
Added canonical value lists + guards for Decision/PolicyProfileID in web/guard-dashboard/src/dashboard/types.ts
Consolidated API decoding to use those guards and stopped any leaking across the JSON boundary
Removed redundant internal/guard/cli/localruntime.go wrappers and deduped FlagSet setup
Logged previously swallowed update/sidecar/access-mode read errors to stderr (only when errors happen)
Refreshed internal/guard/web/assets to match the dashboard build output
Deflaked llama-server startup timing tests (avoid tight 2s timing assumptions)

Verification
pnpm build
pnpm --dir web/guard-dashboard typecheck
go test ./... -count=1
go vet ./...
git diff --check

[michiosw]

• refactor(guard): dedupe dashboard decoding and CLI helpers #159 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Greptile Summary

This PR refactors Guard dashboard decoding and CLI helper setup. The main changes are:

• Adds canonical decision and policy profile value lists with type guards.
• Routes dashboard API decoding through the new guards.
• Removes small localruntime wrapper helpers from Guard CLI code.
• Logs previously hidden update, sidecar, and access-mode errors to stderr.
• Loosens a llama-server early-exit test timing assertion.

Confidence Score: 4/5

This is close, but the dashboard API shape should be restored before merging.

• The main refactors are small and mostly preserve behavior.
• The dashboard boundary now drops fields that the backend still returns.
• This can make event timestamps and policy or judge metadata disappear from fetched events.

web/guard-dashboard/src/dashboard/types.ts and web/guard-dashboard/src/dashboard/api.ts

Important Files Changed

Filename	Overview
web/guard-dashboard/src/dashboard/types.ts	Adds canonical value lists, but also removes event and risk metadata fields still emitted by the API.
web/guard-dashboard/src/dashboard/api.ts	Switches to shared type guards while the decoder now drops several backend event fields.
cmd/kontext/main.go	Adds stderr diagnostics for update, sidecar, and access-mode failure paths.
internal/guard/cli/cli.go	Deduplicates FlagSet creation and calls localruntime helpers directly.

Comments Outside Diff (1)

1. web/guard-dashboard/src/dashboard/types.ts, line 21-60 (link)

   Dropped API fields

   The dashboard types no longer include fields that the Guard API still returns, including created_at, policy_version, policy_rule_pack, policy_signals, and judge_duration_ms. Since the decoder in api.ts also stops copying those fields, fetched events silently lose server metadata at the JSON boundary. Any dashboard view that uses timestamps or policy/judge metadata will now receive missing values even though the backend returned them.

_{Reviews (1): Last reviewed commit: "refactor(guard): reduce duplication and ..." | Re-trigger Greptile}