Clarify protected leak attempts in health status

AppTunnel/Services/TrafficRouterService.Core.cs

@@ -293,9 +293,11 @@ public partial class TrafficRouterService : IDisposable
     public long LeakCount => Interlocked.Read(ref _statLeakConfirmed);
     /// <summary>
     /// Number of attempted leaks blocked locally by leak-guard.
-    /// Diagnostic-only signal for policy-transition races.
+    /// Diagnostic-only signal; these packets did not escape the machine.
     /// </summary>
     public long LeakBlockedCount => Interlocked.Read(ref _statLeakBlocked);
+    public long LeakBlockedRecoveredCount => Interlocked.Read(ref _statLeakBlockedRecovered);
+    public long LeakBlockedSuppressedCount => Interlocked.Read(ref _statLeakBlockedSuppressed);
     public long Ipv6BlockedCount => Interlocked.Read(ref _statFlowIPv6Blocked);
     public long DnsRedirectCount => Interlocked.Read(ref _redirectCount);
     public long ActiveRouteCount => _addedRoutes.Count;
@@ -540,13 +542,13 @@ public partial class TrafficRouterService : IDisposable
         long netOutFail = Interlocked.Read(ref _statNetOutSendFailed);
         string mode = _fullRouteEnabled ? "full-route" : "split";
         string leakState = leakConfirmed > 0 ? "LEAK-DETECTED" :
-            (leakBlocked > 0 ? "BLOCKING-ATTEMPTS" : "OK");
+            (leakBlocked > 0 ? "PROTECTED" : "OK");
         Logger.Info(
             $"[STATS] mode={mode} health={leakState} " +
             $"flows={flowEst}/{flowDel} targetHit={flowHit} excluded={flowExcl} ipv6Drop={ipv6Blocked} " +
             $"routes={Interlocked.Read(ref _statRoutesAdded)}({Interlocked.Read(ref _statRoutesFailed)}fail)/{_addedRoutes.Count}active " +
             $"rewriteOut={netOutRw} rewriteIn={netInRw} rewriteFail={netOutFail} nat={_natTable.Count} " +
-            $"leakConfirmed={leakConfirmed} leakBlocked={leakBlocked} recovered={leakBlockedRecovered} suppressed={leakBlockedSuppressed} " +
+            $"leakConfirmed={leakConfirmed} protectedBlocked={leakBlocked} recovered={leakBlockedRecovered} suppressed={leakBlockedSuppressed} " +
             $"targets={_targetExecutables.Count} blockedApps={_blockedExecutables.Count}");
 
         // Loop health check — warn if any background loop has exited unexpectedly

AppTunnel/Services/TrafficRouterService.NetworkSniffing.cs

@@ -235,11 +235,11 @@ public partial class TrafficRouterService
 
                         leakLogCount++;
                         if (recovered)
-                            Logger.Warning($"[LEAK-BLOCKED] Packet with VPN srcIP exiting PHYSICAL ifIdx={addrBuf.IfIdx} → dst={dst} (proto={buffer[9]}) — blocked locally, route restored for retransmit via VPN");
+                            Logger.Info($"[LEAK-PROTECTED] Packet with VPN srcIP exiting PHYSICAL ifIdx={addrBuf.IfIdx} → dst={dst} (proto={buffer[9]}) — blocked locally, route restored for retransmit via VPN");
                         else if (graceSuppressed)
-                            Logger.Info($"[LEAK-BLOCKED-TRANSITION] Packet with VPN srcIP exiting PHYSICAL ifIdx={addrBuf.IfIdx} → dst={dst} (proto={buffer[9]}) — blocked during policy transition grace");
+                            Logger.Info($"[LEAK-PROTECTED-TRANSITION] Packet with VPN srcIP exiting PHYSICAL ifIdx={addrBuf.IfIdx} → dst={dst} (proto={buffer[9]}) — blocked during policy transition grace");
                         else
-                            Logger.Warning($"[LEAK-BLOCKED] Packet with VPN srcIP exiting PHYSICAL ifIdx={addrBuf.IfIdx} → dst={dst} (proto={buffer[9]}) — blocked by split policy, route not restored");
+                            Logger.Info($"[LEAK-PROTECTED] Packet with VPN srcIP exiting PHYSICAL ifIdx={addrBuf.IfIdx} → dst={dst} (proto={buffer[9]}) — blocked by split policy, route not restored");
                     }
                 }
             }

AppTunnel/ViewModels/MainViewModel.Core.cs

@@ -403,20 +403,20 @@ public partial class MainViewModel : INotifyPropertyChanged
         ? (_trafficRouter.LeakCount == 0
             ? (_trafficRouter.LeakBlockedCount == 0
                 ? "Leak: OK"
-                : $"Leak: OK (blocked {_trafficRouter.LeakBlockedCount})")
+                : $"Leak: Protected {_trafficRouter.LeakBlockedCount}")
             : $"Leak: {_trafficRouter.LeakCount}")
         : "Leak: -";
     public string HeaderLeakColor => !IsConnected
         ? "#6CCB5F"
         : _trafficRouter.LeakCount > 0
             ? "#E05252"
-            : (_trafficRouter.LeakBlockedCount > 0 ? "#E07820" : "#6CCB5F");
+            : "#6CCB5F";
 
     public string HealthLeakText => IsConnected
         ? (_trafficRouter.LeakCount == 0
             ? (_trafficRouter.LeakBlockedCount == 0
                 ? "0 leak"
-                : $"0 leak / {_trafficRouter.LeakBlockedCount} blocked")
+                : $"0 leak / {_trafficRouter.LeakBlockedCount} protected")
             : $"{_trafficRouter.LeakCount} leak")
         : "-";
     public string HealthDnsText => IsConnected