@jadenrazo/cloudcost-mcp 0.5.0 → 1.0.1

package/dist/{chunk-E7KOWAMW.js → chunk-6O2Y6MKU.js}

@@ -11,7 +11,7 @@ import {
   getRegionMappings,
   getRegionPriceMultipliers,
   getStorageMap
-} from "./chunk-TRRAOOVF.js";
+} from "./chunk-MNFT5YKN.js";
 
 // src/config.ts
 import { readFileSync, existsSync } from "fs";
@@ -562,7 +562,14 @@ function extractFromTerms(onDemandTerms, defaultUnit) {
   }
   return { price: 0, unit: defaultUnit };
 }
-function normalizeAwsCompute(rawProduct, rawPrice, region) {
+function resolveEffectiveDate(effectiveDate) {
+  if (effectiveDate) {
+    const t = new Date(effectiveDate);
+    if (!Number.isNaN(t.getTime())) return t.toISOString();
+  }
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function normalizeAwsCompute(rawProduct, rawPrice, region, effectiveDate) {
   const attrs = rawProduct?.attributes ?? {};
   const terms = rawPrice?.terms?.OnDemand ?? {};
   const { price, unit } = extractFromTerms(terms, "Hrs");
@@ -583,10 +590,10 @@ function normalizeAwsCompute(rawProduct, rawPrice, region) {
       tenancy: attrs.tenancy ?? "Shared",
       pricing_source: "live"
     },
-    effective_date: (/* @__PURE__ */ new Date()).toISOString()
+    effective_date: resolveEffectiveDate(effectiveDate)
   };
 }
-function normalizeAwsDatabase(rawProduct, rawPrice, region) {
+function normalizeAwsDatabase(rawProduct, rawPrice, region, effectiveDate) {
   const attrs = rawProduct?.attributes ?? {};
   const terms = rawPrice?.terms?.OnDemand ?? {};
   const { price, unit } = extractFromTerms(terms, "Hrs");
@@ -607,10 +614,10 @@ function normalizeAwsDatabase(rawProduct, rawPrice, region) {
       memory: attrs.memory ?? "",
       pricing_source: "live"
     },
-    effective_date: (/* @__PURE__ */ new Date()).toISOString()
+    effective_date: resolveEffectiveDate(effectiveDate)
   };
 }
-function normalizeAwsStorage(rawProduct, rawPrice, region) {
+function normalizeAwsStorage(rawProduct, rawPrice, region, effectiveDate) {
   const attrs = rawProduct?.attributes ?? {};
   const terms = rawPrice?.terms?.OnDemand ?? {};
   const { price, unit } = extractFromTerms(terms, "GB-Mo");
@@ -630,7 +637,7 @@ function normalizeAwsStorage(rawProduct, rawPrice, region) {
       max_throughput: attrs.maxThroughputvolume ?? "",
       pricing_source: "live"
     },
-    effective_date: (/* @__PURE__ */ new Date()).toISOString()
+    effective_date: resolveEffectiveDate(effectiveDate)
   };
 }
 
@@ -683,7 +690,7 @@ function sleep(ms) {
   if (process.env.NODE_ENV === "test" || process.env.VITEST) {
     return Promise.resolve();
   }
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
 }
 var CIRCUIT_FAILURE_THRESHOLD = 5;
 var CIRCUIT_OPEN_DURATION_MS = 5 * 60 * 1e3;
@@ -901,6 +908,11 @@ var EC2_BASE_PRICES = {
   "m7i.large": 0.1008,
   "m7i.xlarge": 0.2016,
   "m7i.2xlarge": 0.4032,
+  "m7i-flex.large": 0.0958,
+  "m7i-flex.xlarge": 0.1915,
+  "m7i-flex.2xlarge": 0.383,
+  "m7i-flex.4xlarge": 0.7661,
+  "m7i-flex.8xlarge": 1.5322,
   "m7g.large": 0.0816,
   "m7g.xlarge": 0.1632,
   "m7g.2xlarge": 0.3264,
@@ -918,10 +930,10 @@ var EC2_BASE_PRICES = {
   "c6g.xlarge": 0.136,
   "c6g.2xlarge": 0.272,
   "c6g.4xlarge": 0.544,
-  "c7i.large": 0.089,
-  "c7i.xlarge": 0.178,
+  "c7i.large": 0.0893,
+  "c7i.xlarge": 0.1785,
   "c7i.2xlarge": 0.357,
-  "c7g.large": 0.072,
+  "c7g.large": 0.0725,
   "c7g.xlarge": 0.145,
   "c7g.2xlarge": 0.29,
   "c7g.4xlarge": 0.58,
@@ -934,65 +946,63 @@ var EC2_BASE_PRICES = {
   "r6i.large": 0.126,
   "r6i.xlarge": 0.252,
   "r6i.2xlarge": 0.504,
-  "r6g.large": 0.101,
-  "r6g.xlarge": 0.202,
-  "r6g.2xlarge": 0.403,
-  "r6g.4xlarge": 0.806,
-  "r7i.large": 0.133,
-  "r7i.xlarge": 0.266,
-  "r7i.2xlarge": 0.532,
-  "r7g.large": 0.107,
-  "r7g.xlarge": 0.214,
-  "r7g.2xlarge": 0.428,
-  "r7g.4xlarge": 0.856,
-  // 8th-gen Graviton4 families
-  "m8g.large": 0.077,
-  "m8g.xlarge": 0.154,
-  "m8g.2xlarge": 0.308,
-  "m8g.4xlarge": 0.616,
-  "c8g.large": 0.068,
-  "c8g.xlarge": 0.136,
-  "c8g.2xlarge": 0.272,
-  "c8g.4xlarge": 0.544,
-  "r8g.large": 0.101,
-  "r8g.xlarge": 0.202,
-  "r8g.2xlarge": 0.404,
-  "r8g.4xlarge": 0.808,
-  // GPU instances
+  "r6g.large": 0.1008,
+  "r6g.xlarge": 0.2016,
+  "r6g.2xlarge": 0.4032,
+  "r6g.4xlarge": 0.8064,
+  "r7i.large": 0.1323,
+  "r7i.xlarge": 0.2646,
+  "r7i.2xlarge": 0.5292,
+  "r7g.large": 0.1071,
+  "r7g.xlarge": 0.2142,
+  "r7g.2xlarge": 0.4284,
+  "r7g.4xlarge": 0.8568,
+  "m8g.large": 0.0898,
+  "m8g.xlarge": 0.1795,
+  "m8g.2xlarge": 0.359,
+  "m8g.4xlarge": 0.7181,
+  "c8g.large": 0.0798,
+  "c8g.xlarge": 0.1595,
+  "c8g.2xlarge": 0.319,
+  "c8g.4xlarge": 0.6381,
+  "r8g.large": 0.1178,
+  "r8g.xlarge": 0.2356,
+  "r8g.2xlarge": 0.4713,
+  "r8g.4xlarge": 0.9426,
   "g5.xlarge": 1.006,
   "g5.2xlarge": 1.212,
   "g5.4xlarge": 1.624,
   "g5.8xlarge": 2.448,
   "g5.12xlarge": 5.672,
-  "p4d.24xlarge": 32.7726
+  "p4d.24xlarge": 21.9576
 };
 var RDS_BASE_PRICES = {
-  "db.t3.micro": 0.017,
-  "db.t3.small": 0.034,
-  "db.t3.medium": 0.068,
-  "db.t3.large": 0.136,
+  "db.t3.micro": 0.018,
+  "db.t3.small": 0.036,
+  "db.t3.medium": 0.072,
+  "db.t3.large": 0.145,
   "db.t4g.micro": 0.016,
   "db.t4g.small": 0.032,
   "db.t4g.medium": 0.065,
   "db.t4g.large": 0.129,
   "db.t4g.xlarge": 0.258,
-  "db.m5.large": 0.171,
-  "db.m5.xlarge": 0.342,
-  "db.m6g.large": 0.154,
-  "db.m6g.xlarge": 0.308,
-  "db.m6g.2xlarge": 0.616,
-  "db.m6i.large": 0.171,
-  "db.m6i.xlarge": 0.342,
-  "db.m6i.2xlarge": 0.684,
+  "db.m5.large": 0.178,
+  "db.m5.xlarge": 0.356,
+  "db.m6g.large": 0.159,
+  "db.m6g.xlarge": 0.318,
+  "db.m6g.2xlarge": 0.636,
+  "db.m6i.large": 0.178,
+  "db.m6i.xlarge": 0.356,
+  "db.m6i.2xlarge": 0.712,
   "db.m7g.large": 0.168,
-  "db.m7g.xlarge": 0.336,
-  "db.m7g.2xlarge": 0.672,
+  "db.m7g.xlarge": 0.337,
+  "db.m7g.2xlarge": 0.674,
   "db.r5.large": 0.25,
   "db.r5.xlarge": 0.5,
   "db.r5.2xlarge": 1,
-  "db.r6g.large": 0.218,
-  "db.r6g.xlarge": 0.437,
-  "db.r6g.2xlarge": 0.874,
+  "db.r6g.large": 0.225,
+  "db.r6g.xlarge": 0.45,
+  "db.r6g.2xlarge": 0.899,
   "db.r6i.large": 0.25,
   "db.r6i.xlarge": 0.5,
   "db.r6i.2xlarge": 1
@@ -1247,7 +1257,7 @@ var AwsBulkLoader = class {
       let headerFound = false;
       let leftover = "";
       let cachedCount = 0;
-      const effectiveDate = (/* @__PURE__ */ new Date()).toISOString();
+      let effectiveDate = (/* @__PURE__ */ new Date()).toISOString();
       while (true) {
         const { value, done } = await reader.read();
         if (done) break;
@@ -1258,6 +1268,17 @@ var AwsBulkLoader = class {
           const line = rawLine.trimEnd();
           if (!line) continue;
           if (!headerFound) {
+            if (line.startsWith('"Publication Date"') || line.startsWith("Publication Date")) {
+              const metaFields = parseCsvLine(line);
+              const rawDate = (metaFields[1] ?? "").trim();
+              if (rawDate) {
+                const parsed = new Date(rawDate);
+                if (!isNaN(parsed.getTime())) {
+                  effectiveDate = parsed.toISOString();
+                }
+              }
+              continue;
+            }
             if (line.startsWith('"SKU"') || line.startsWith("SKU")) {
               const headers = parseCsvLine(line);
               for (let h = 0; h < headers.length; h++) {
@@ -1362,7 +1383,7 @@ var AwsBulkLoader = class {
                   tenancy: "Shared",
                   pricing_source: "live"
                 },
-                effective_date: (/* @__PURE__ */ new Date()).toISOString()
+                effective_date: effectiveDate
               },
               "aws",
               "ec2",
@@ -1422,6 +1443,7 @@ var AwsBulkLoader = class {
   extractEc2Price(bulk, instanceType, region, os) {
     const products = bulk?.products ?? {};
     const onDemand = bulk?.terms?.OnDemand ?? {};
+    const publicationDate = bulk?.publicationDate;
     const sortedEntries = Object.entries(products).sort(([a], [b]) => a.localeCompare(b));
     for (const [sku, product] of sortedEntries) {
       const attrs = product?.attributes ?? {};
@@ -1431,7 +1453,8 @@ var AwsBulkLoader = class {
           return normalizeAwsCompute(
             product,
             { terms: { OnDemand: { [sku]: priceTerms } } },
-            region
+            region,
+            publicationDate
           );
         }
       }
@@ -1441,6 +1464,7 @@ var AwsBulkLoader = class {
   extractRdsPrice(bulk, instanceClass, region, engine) {
     const products = bulk?.products ?? {};
     const onDemand = bulk?.terms?.OnDemand ?? {};
+    const publicationDate = bulk?.publicationDate;
     const sortedEntries = Object.entries(products).sort(([a], [b]) => a.localeCompare(b));
     for (const [sku, product] of sortedEntries) {
       const attrs = product?.attributes ?? {};
@@ -1450,7 +1474,8 @@ var AwsBulkLoader = class {
           return normalizeAwsDatabase(
             product,
             { terms: { OnDemand: { [sku]: priceTerms } } },
-            region
+            region,
+            publicationDate
           );
         }
       }
@@ -1460,6 +1485,7 @@ var AwsBulkLoader = class {
   extractEbsPrice(bulk, volumeType, region) {
     const products = bulk?.products ?? {};
     const onDemand = bulk?.terms?.OnDemand ?? {};
+    const publicationDate = bulk?.publicationDate;
     const sortedEntries = Object.entries(products).sort(([a], [b]) => a.localeCompare(b));
     for (const [sku, product] of sortedEntries) {
       const attrs = product?.attributes ?? {};
@@ -1470,7 +1496,8 @@ var AwsBulkLoader = class {
           return normalizeAwsStorage(
             product,
             { terms: { OnDemand: { [sku]: priceTerms } } },
-            region
+            region,
+            publicationDate
           );
         }
       }
@@ -1561,6 +1588,226 @@ var AwsBulkLoader = class {
   }
 };
 
+// src/pricing/aws/spot-client.ts
+var SPOT_ADVISOR_URL = "https://website.spot.ec2.aws.a2z.com/spot.json";
+var SPOT_ADVISOR_CACHE_KEY = "aws/spot-advisor/v1";
+var AwsSpotClient = class {
+  cache;
+  /** In-flight fetch deduplication. */
+  inflight = null;
+  constructor(cache) {
+    this.cache = cache;
+  }
+  /**
+   * Get the spot discount factor (0–1) for an instance type in a region.
+   *
+   * Returns a fraction representing the **portion of on-demand you pay** — i.e.
+   * `hourly_spot = hourly_on_demand * factor`. Returns null when the live data
+   * is unavailable or doesn't cover the given instance/region combination;
+   * callers should fall back to static family-based estimates in that case.
+   */
+  async getSpotFactor(instanceType, region, os = "Linux") {
+    try {
+      const doc = await this.loadDocument();
+      if (!doc) return null;
+      const regionData = doc.spot_advisor?.[region];
+      if (!regionData) return null;
+      const osKey = os === "Windows" ? "Windows" : "Linux";
+      const osData = regionData[osKey];
+      if (!osData) return null;
+      const entry = osData[instanceType];
+      if (!entry || typeof entry.s !== "number") return null;
+      const savingsPct = Math.max(0, Math.min(95, entry.s));
+      const factor = 1 - savingsPct / 100;
+      return Math.max(0.05, factor);
+    } catch (err) {
+      logger.debug("AwsSpotClient.getSpotFactor failed", {
+        instanceType,
+        region,
+        err: err instanceof Error ? err.message : String(err)
+      });
+      return null;
+    }
+  }
+  /**
+   * Fetch and cache the full Spot Advisor document. Uses the shared SQLite
+   * cache with the same TTL as other AWS bulk data. Deduplicates concurrent
+   * callers via an in-flight promise.
+   */
+  loadDocument() {
+    const cached = this.cache.get(SPOT_ADVISOR_CACHE_KEY);
+    if (cached) return Promise.resolve(cached);
+    if (this.inflight) return this.inflight;
+    this.inflight = this.doFetchDocument().finally(() => {
+      this.inflight = null;
+    });
+    return this.inflight;
+  }
+  async doFetchDocument() {
+    logger.debug("Fetching AWS Spot Advisor JSON", { url: SPOT_ADVISOR_URL });
+    try {
+      const res = await fetchWithRetryAndCircuitBreaker(
+        SPOT_ADVISOR_URL,
+        { signal: AbortSignal.timeout(2e4) },
+        { maxRetries: 1, baseDelay: 500, maxDelay: 2e3 }
+      );
+      if (!res.ok) {
+        logger.debug("AWS Spot Advisor fetch returned non-OK", { status: res.status });
+        return null;
+      }
+      const doc = await res.json();
+      if (!doc || typeof doc.spot_advisor !== "object") {
+        logger.debug("AWS Spot Advisor response missing spot_advisor key");
+        return null;
+      }
+      this.cache.set(SPOT_ADVISOR_CACHE_KEY, doc, "aws", "spot-advisor", "global", CACHE_TTL);
+      return doc;
+    } catch (err) {
+      logger.debug("AWS Spot Advisor fetch failed", {
+        err: err instanceof Error ? err.message : String(err)
+      });
+      return null;
+    }
+  }
+};
+
+// src/pricing/aws/reserved-client.ts
+var HOURS_IN_TERM = {
+  "1yr": 24 * 365,
+  "3yr": 24 * 365 * 3
+};
+function extractRiRatesFromBulk(bulk, instanceType, os = "Linux") {
+  const products = bulk?.products ?? {};
+  const onDemand = bulk?.terms?.OnDemand ?? {};
+  const reserved = bulk?.terms?.Reserved ?? {};
+  let targetSku = null;
+  for (const [sku, product] of Object.entries(products)) {
+    const attrs = product?.attributes ?? {};
+    if (attrs.instanceType === instanceType && (attrs.operatingSystem ?? "").toLowerCase() === os.toLowerCase() && attrs.tenancy === "Shared" && attrs.capacitystatus === "Used") {
+      targetSku = sku;
+      break;
+    }
+  }
+  if (!targetSku) return [];
+  const onDemandHourly = firstHourlyPrice(onDemand[targetSku]);
+  if (!onDemandHourly || onDemandHourly <= 0) return [];
+  const reservedOffers = reserved[targetSku];
+  if (!reservedOffers) return [];
+  const rates = [];
+  for (const offer of Object.values(reservedOffers)) {
+    const lease = offer.termAttributes?.LeaseContractLength;
+    const purchase = offer.termAttributes?.PurchaseOption;
+    const term = normalizeTerm(lease);
+    const payment = normalizePayment(purchase);
+    if (!term || !payment) continue;
+    const effectiveHourly = computeEffectiveHourly(offer, term);
+    if (effectiveHourly === null) continue;
+    const rate = 1 - effectiveHourly / onDemandHourly;
+    if (rate <= 0 || rate >= 0.9) continue;
+    rates.push({ term, payment, rate });
+  }
+  return rates;
+}
+var AwsReservedClient = class {
+  cache;
+  constructor(cache) {
+    this.cache = cache;
+  }
+  async getRiRates(service, instanceType, region, os = "Linux") {
+    if (service === "AmazonEC2") {
+      logger.debug(
+        "AwsReservedClient: refusing AmazonEC2 (bulk JSON too large for in-memory parse)",
+        {
+          instanceType,
+          region
+        }
+      );
+      return null;
+    }
+    const cacheKey = `aws/ri/${service.toLowerCase()}/${region.toLowerCase()}/${instanceType.toLowerCase()}/${os.toLowerCase()}`;
+    const cached = this.cache.get(cacheKey);
+    if (cached && Array.isArray(cached.rates)) return cached.rates;
+    const url = `${BULK_PRICING_BASE}/${service}/current/${region}/index.json`;
+    logger.debug("Fetching AWS bulk pricing for RI rates", { url });
+    try {
+      const res = await fetchWithRetryAndCircuitBreaker(
+        url,
+        { signal: AbortSignal.timeout(6e4) },
+        { maxRetries: 0 }
+      );
+      if (!res.ok) {
+        logger.debug("AWS RI bulk fetch non-OK", { status: res.status });
+        return null;
+      }
+      const bulk = await res.json();
+      const rates = extractRiRatesFromBulk(bulk, instanceType, os);
+      if (rates.length === 0) return null;
+      const entry = {
+        price_per_unit: 0,
+        unit: "none",
+        rates
+      };
+      this.cache.set(cacheKey, entry, "aws", "ri", region, CACHE_TTL);
+      return rates;
+    } catch (err) {
+      logger.debug("AWS RI bulk fetch failed, will use static fallback", {
+        instanceType,
+        region,
+        err: err instanceof Error ? err.message : String(err)
+      });
+      return null;
+    }
+  }
+};
+function firstHourlyPrice(terms) {
+  if (!terms) return null;
+  for (const term of Object.values(terms)) {
+    for (const dim of Object.values(term.priceDimensions ?? {})) {
+      if ((dim.unit ?? "").toLowerCase().startsWith("hr")) {
+        const price = parseFloat(dim.pricePerUnit?.USD ?? "");
+        if (isFinite(price) && price > 0) return price;
+      }
+    }
+  }
+  return null;
+}
+function computeEffectiveHourly(offer, term) {
+  let upfront = 0;
+  let hourly = 0;
+  let sawAnything = false;
+  for (const dim of Object.values(offer.priceDimensions ?? {})) {
+    const unit = (dim.unit ?? "").toLowerCase();
+    const value = parseFloat(dim.pricePerUnit?.USD ?? "");
+    if (!isFinite(value)) continue;
+    if (unit.startsWith("hr")) {
+      hourly = value;
+      sawAnything = true;
+    } else if (unit === "quantity") {
+      upfront = value;
+      sawAnything = true;
+    }
+  }
+  if (!sawAnything) return null;
+  return hourly + upfront / HOURS_IN_TERM[term];
+}
+function normalizeTerm(lease) {
+  if (lease === "1yr") return "1yr";
+  if (lease === "3yr") return "3yr";
+  return null;
+}
+function normalizePayment(purchase) {
+  switch (purchase) {
+    case "No Upfront":
+      return "no_upfront";
+    case "All Upfront":
+      return "all_upfront";
+    case "Partial Upfront":
+      return "partial_upfront";
+    default:
+      return null;
+  }
+}
+
 // src/pricing/azure/azure-normalizer.ts
 function normalizeAzureCompute(item) {
   return {
@@ -1625,6 +1872,131 @@ function normalizeAzureStorage(item) {
   };
 }
 
+// src/pricing/azure/arm-regions.ts
+var ARM_REGION_MAP = {
+  // Americas
+  eastus: "eastus",
+  eastus2: "eastus2",
+  eastus3: "eastus3",
+  southcentralus: "southcentralus",
+  westus: "westus",
+  westus2: "westus2",
+  westus3: "westus3",
+  centralus: "centralus",
+  northcentralus: "northcentralus",
+  westcentralus: "westcentralus",
+  canadacentral: "canadacentral",
+  canadaeast: "canadaeast",
+  brazilsouth: "brazilsouth",
+  brazilsoutheast: "brazilsoutheast",
+  mexicocentral: "mexicocentral",
+  // Europe
+  northeurope: "northeurope",
+  westeurope: "westeurope",
+  uksouth: "uksouth",
+  ukwest: "ukwest",
+  francecentral: "francecentral",
+  francesouth: "francesouth",
+  germanywestcentral: "germanywestcentral",
+  germanynorth: "germanynorth",
+  switzerlandnorth: "switzerlandnorth",
+  switzerlandwest: "switzerlandwest",
+  norwayeast: "norwayeast",
+  norwaywest: "norwaywest",
+  swedencentral: "swedencentral",
+  swedensouth: "swedensouth",
+  polandcentral: "polandcentral",
+  italynorth: "italynorth",
+  spaincentral: "spaincentral",
+  // Asia Pacific
+  eastasia: "eastasia",
+  southeastasia: "southeastasia",
+  japaneast: "japaneast",
+  japanwest: "japanwest",
+  australiaeast: "australiaeast",
+  australiasoutheast: "australiasoutheast",
+  australiacentral: "australiacentral",
+  australiacentral2: "australiacentral2",
+  centralindia: "centralindia",
+  southindia: "southindia",
+  westindia: "westindia",
+  jioindiawest: "jioindiawest",
+  jioindiacentral: "jioindiacentral",
+  koreacentral: "koreacentral",
+  koreasouth: "koreasouth",
+  // Middle East / Africa
+  uaenorth: "uaenorth",
+  uaecentral: "uaecentral",
+  qatarcentral: "qatarcentral",
+  israelcentral: "israelcentral",
+  southafricanorth: "southafricanorth",
+  southafricawest: "southafricawest"
+};
+var ALIASES = {
+  // Americas
+  eastus: "eastus",
+  eastus2: "eastus2",
+  eastus3: "eastus3",
+  southcentralus: "southcentralus",
+  westus: "westus",
+  westus2: "westus2",
+  westus3: "westus3",
+  centralus: "centralus",
+  northcentralus: "northcentralus",
+  westcentralus: "westcentralus",
+  canadacentral: "canadacentral",
+  canadaeast: "canadaeast",
+  brazilsouth: "brazilsouth",
+  brazilsoutheast: "brazilsoutheast",
+  mexicocentral: "mexicocentral",
+  // Europe
+  northeurope: "northeurope",
+  westeurope: "westeurope",
+  uksouth: "uksouth",
+  ukwest: "ukwest",
+  francecentral: "francecentral",
+  francesouth: "francesouth",
+  germanywestcentral: "germanywestcentral",
+  germanynorth: "germanynorth",
+  switzerlandnorth: "switzerlandnorth",
+  switzerlandwest: "switzerlandwest",
+  norwayeast: "norwayeast",
+  norwaywest: "norwaywest",
+  swedencentral: "swedencentral",
+  swedensouth: "swedensouth",
+  polandcentral: "polandcentral",
+  italynorth: "italynorth",
+  spaincentral: "spaincentral",
+  // Asia Pacific
+  eastasia: "eastasia",
+  southeastasia: "southeastasia",
+  japaneast: "japaneast",
+  japanwest: "japanwest",
+  australiaeast: "australiaeast",
+  australiasoutheast: "australiasoutheast",
+  australiacentral: "australiacentral",
+  australiacentral2: "australiacentral2",
+  centralindia: "centralindia",
+  southindia: "southindia",
+  westindia: "westindia",
+  jioindiawest: "jioindiawest",
+  jioindiacentral: "jioindiacentral",
+  koreacentral: "koreacentral",
+  koreasouth: "koreasouth",
+  // Middle East / Africa
+  uaenorth: "uaenorth",
+  uaecentral: "uaecentral",
+  qatarcentral: "qatarcentral",
+  israelcentral: "israelcentral",
+  southafricanorth: "southafricanorth",
+  southafricawest: "southafricawest"
+};
+function toArmRegionName(region) {
+  if (!region) return region;
+  const key = region.toLowerCase().replace(/[^a-z0-9]/g, "");
+  return ALIASES[key] ?? ARM_REGION_MAP[key] ?? key;
+}
+
 // src/pricing/azure/fallback-data.ts
 var VM_BASE_PRICES = {
   standard_b1s: 0.0104,
@@ -1655,27 +2027,26 @@ var VM_BASE_PRICES = {
   standard_e32s_v5: 2.016,
   standard_e2ds_v5: 0.144,
   standard_e4ds_v5: 0.288,
-  standard_f2s_v2: 0.085,
-  standard_f4s_v2: 0.17,
-  standard_f8s_v2: 0.34,
-  standard_f16s_v2: 0.68,
-  standard_f32s_v2: 1.36,
-  standard_l8s_v3: 0.624,
-  standard_l16s_v3: 1.248,
+  standard_f2s_v2: 0.0846,
+  standard_f4s_v2: 0.169,
+  standard_f8s_v2: 0.338,
+  standard_f16s_v2: 0.677,
+  standard_f32s_v2: 1.353,
+  standard_l8s_v3: 0.696,
+  standard_l16s_v3: 1.392,
   standard_nc4as_t4_v3: 0.526,
   standard_nc8as_t4_v3: 0.752,
   standard_e2ps_v5: 0.101,
   standard_e4ps_v5: 0.202,
   standard_e8ps_v5: 0.403,
-  // v6 series
-  standard_d2s_v6: 0.096,
-  standard_d4s_v6: 0.192,
-  standard_d8s_v6: 0.384,
-  standard_d16s_v6: 0.768,
-  standard_e2s_v6: 0.126,
-  standard_e4s_v6: 0.252,
-  standard_e8s_v6: 0.504,
-  standard_e16s_v6: 1.008
+  standard_d2s_v6: 0.101,
+  standard_d4s_v6: 0.202,
+  standard_d8s_v6: 0.403,
+  standard_d16s_v6: 0.806,
+  standard_e2s_v6: 0.132,
+  standard_e4s_v6: 0.265,
+  standard_e8s_v6: 0.529,
+  standard_e16s_v6: 1.058
 };
 var DISK_BASE_PRICES = {
   premium_lrs: 0.132,
@@ -1734,7 +2105,7 @@ var AzureRetailClient = class {
     const cached = this.cache.get(cacheKey);
     if (cached) return cached;
     try {
-      const armRegion = region.toLowerCase().replace(/\s+/g, "");
+      const armRegion = toArmRegionName(region);
       const filter = this.buildODataFilter("Virtual Machines", armRegion, vmSize, true);
       const items = await this.queryPricing(filter);
       const match = this.pickVmItem(items, vmSize, os);
@@ -1757,7 +2128,7 @@ var AzureRetailClient = class {
     const cached = this.cache.get(cacheKey);
     if (cached) return cached;
     try {
-      const armRegion = region.toLowerCase().replace(/\s+/g, "");
+      const armRegion = toArmRegionName(region);
       const serviceName = `Azure Database for ${engine}`;
       const result = await this.queryDatabasePrice(tier, armRegion, serviceName);
       if (result) {
@@ -1816,22 +2187,28 @@ var AzureRetailClient = class {
   /**
    * Parse a VM name like "Standard_D2s_v3" into series info.
    * Returns { series: "Dsv3", vcpus: 2 } or null if unparseable.
+   *
+   * Real-world Azure SKUs have a lot of shape variation we have to handle:
+   *   Standard_D2s_v5            – 1-letter family, lower-case variant
+   *   Standard_M64ms_v2          – multi-digit vCPU count
+   *   Standard_DC4s_v3           – 2-letter family (confidential compute)
+   *   Standard_E96ias_v5         – longer (3-letter) variant
+   *   Standard_NC4as_T4_v3       – mid-name accelerator segment (T4)
+   *   Standard_Eb8as_v5          – single-letter "sub-family" prefix (b)
+   *
+   * The regex below accepts:
+   *   <FAMILY 1-2 letters><optional sub-family letter><vCPU digits>
+   *   <variant letters><optional _SEG segments like _T4>_v<version digits>
    */
   parseVmSeries(vmName) {
-    const match = vmName.match(/Standard_([A-Z])(\d+)([a-z]*)_v(\d+)/i);
-    if (!match) return null;
-    const [, family, vcpuStr, variant, version] = match;
-    const vcpus = parseInt(vcpuStr, 10);
-    if (isNaN(vcpus) || vcpus === 0) return null;
-    const series = `${family}${variant}v${version}`;
-    return { series, vcpus };
+    return parseAzureVmSeries(vmName);
   }
   async getStoragePrice(diskType, region) {
     const cacheKey = this.buildCacheKey("disk", region, diskType);
     const cached = this.cache.get(cacheKey);
     if (cached) return cached;
     try {
-      const armRegion = region.toLowerCase().replace(/\s+/g, "");
+      const armRegion = toArmRegionName(region);
       const filter = this.buildODataFilter("Storage", armRegion, diskType);
       const items = await this.queryPricing(filter);
       if (items.length > 0) {
@@ -1903,6 +2280,112 @@ var AzureRetailClient = class {
       effective_date: (/* @__PURE__ */ new Date()).toISOString()
     };
   }
+  /**
+   * Fetch the live Spot VM price for a given VM size/region/OS from the Azure
+   * Retail Prices API. Spot VMs are exposed as distinct rows where the
+   * `meterName` contains "Spot" (e.g. "D2s v5 Spot"). Returns `null` when no
+   * spot row is found — callers should fall back to static discount factors.
+   *
+   * Cache key is namespaced under "vm-spot" so spot and on-demand entries
+   * don't collide.
+   */
+  async getSpotPrice(vmSize, region, os = "linux") {
+    const cacheKey = this.buildCacheKey("vm-spot", region, vmSize, os);
+    const cached = this.cache.get(cacheKey);
+    if (cached) return cached;
+    try {
+      const armRegion = toArmRegionName(region);
+      const filter = this.buildODataFilter("Virtual Machines", armRegion, vmSize, true);
+      const items = await this.queryPricing(filter);
+      const isWindows = os.toLowerCase().includes("windows");
+      const spotItems = items.filter((i) => {
+        const meter = (i.meterName ?? "").toLowerCase();
+        const sku = (i.skuName ?? "").toLowerCase();
+        const hasWindows = sku.includes("windows") || meter.includes("windows");
+        const isSpot = meter.includes("spot") || sku.includes("spot");
+        return isSpot && (isWindows && hasWindows || !isWindows && !hasWindows);
+      });
+      if (spotItems.length > 0) {
+        spotItems.sort((a, b) => (a.skuId ?? "").localeCompare(b.skuId ?? ""));
+        const result = normalizeAzureCompute(spotItems[0]);
+        result.attributes.pricing_source = "live";
+        result.attributes.purchase_option = "spot";
+        this.cache.set(cacheKey, result, "azure", "vm-spot", region, CACHE_TTL2);
+        return result;
+      }
+    } catch (err) {
+      logger.warn("Azure Retail API Spot fetch failed", {
+        region,
+        vmSize,
+        err: err instanceof Error ? err.message : String(err)
+      });
+    }
+    return null;
+  }
+  /**
+   * Fetch the live Reservation price for a VM size/region/term from the Azure
+   * Retail Prices API. The API exposes reservations via `priceType eq
+   * 'Reservation'`, with `reservationTerm` of "1 Year" or "3 Years". Returns
+   * `null` when no reservation row matches — callers should fall back to
+   * static discount factors.
+   *
+   * The returned NormalizedPrice uses the reservation's `unitOfMeasure`
+   * (typically "1 Hour" after Azure's per-hour amortisation but sometimes
+   * "1/Year" for upfront payment). The `retailPrice` is the total reservation
+   * price as returned — callers are expected to convert to an hourly rate
+   * themselves using the unit.
+   */
+  async getReservationPrice(vmSize, region, term) {
+    const cacheKey = this.buildCacheKey("vm-ri", region, vmSize, term);
+    const cached = this.cache.get(cacheKey);
+    if (cached) return cached;
+    try {
+      const armRegion = toArmRegionName(region);
+      const termLabel = term === "1yr" ? "1 Year" : "3 Years";
+      const filter = `serviceName eq 'Virtual Machines' and armRegionName eq '${armRegion}' and priceType eq 'Reservation' and armSkuName eq '${vmSize}'`;
+      const items = await this.queryPricing(filter);
+      const matches = items.filter((i) => (i.reservationTerm ?? "") === termLabel);
+      if (matches.length > 0) {
+        matches.sort((a, b) => (a.skuId ?? "").localeCompare(b.skuId ?? ""));
+        const result = normalizeAzureCompute(matches[0]);
+        result.attributes.pricing_source = "live";
+        result.attributes.purchase_option = "reservation";
+        result.attributes.reservation_term = termLabel;
+        this.cache.set(cacheKey, result, "azure", "vm-ri", region, CACHE_TTL2);
+        return result;
+      }
+    } catch (err) {
+      logger.warn("Azure Retail API Reservation fetch failed", {
+        region,
+        vmSize,
+        term,
+        err: err instanceof Error ? err.message : String(err)
+      });
+    }
+    return null;
+  }
+  /**
+   * Convenience helper: given a VM size and region, return the effective
+   * *hourly* reservation rate (amortised). Returns `null` when the live API
+   * has no matching reservation. This wraps `getReservationPrice` and
+   * converts "1/Year" / "1/3 Years" billed units into an hourly equivalent
+   * using a 730h/month * 12 / 36 month assumption.
+   */
+  async getReservationHourlyRate(vmSize, region, term) {
+    const price = await this.getReservationPrice(vmSize, region, term);
+    if (!price) return null;
+    const unit = (price.unit ?? "").toLowerCase();
+    const raw = price.price_per_unit;
+    if (!isFinite(raw) || raw <= 0) return null;
+    if (unit.includes("hour")) {
+      return raw;
+    }
+    if (unit.includes("year")) {
+      const years = term === "1yr" ? 1 : 3;
+      return raw / (8760 * years);
+    }
+    return raw;
+  }
   // -------------------------------------------------------------------------
   // Internal helpers – live API
   // -------------------------------------------------------------------------
@@ -1927,8 +2410,8 @@ var AzureRetailClient = class {
     }
     return allItems;
   }
-  buildODataFilter(service, armRegion, skuName, exactArmSku) {
-    let filter = `serviceName eq '${service}' and armRegionName eq '${armRegion}' and priceType eq 'Consumption'`;
+  buildODataFilter(service, armRegion, skuName, exactArmSku, priceType = "Consumption") {
+    let filter = `serviceName eq '${service}' and armRegionName eq '${armRegion}' and priceType eq '${priceType}'`;
     if (skuName) {
       if (exactArmSku) {
         filter += ` and armSkuName eq '${skuName}'`;
@@ -2072,6 +2555,18 @@ var AzureRetailClient = class {
     return result;
   }
 };
+function parseAzureVmSeries(vmName) {
+  const match = vmName.match(
+    /^Standard_([A-Z]{1,2})([a-z]?)(\d+)([a-z]*)((?:_[A-Za-z0-9]+)*)_v(\d+)$/i
+  );
+  if (!match) return null;
+  const [, family, subFamily, vcpuStr, variant, extras, version] = match;
+  const vcpus = parseInt(vcpuStr, 10);
+  if (isNaN(vcpus) || vcpus === 0) return null;
+  const extrasJoined = (extras ?? "").replace(/_/g, "");
+  const series = `${family}${subFamily}${variant}${extrasJoined}v${version}`;
+  return { series, vcpus };
+}
 
 // src/pricing/gcp/gcp-normalizer.ts
 function normalizeGcpCompute(machineType, hourlyPrice, region) {
@@ -2344,7 +2839,9 @@ var BILLING_API_BASE = "https://cloudbilling.googleapis.com/v1/services";
 var SERVICE_IDS = {
   COMPUTE: "6F81-5844-456A",
   CLOUD_SQL: "9662-B51E-5089",
-  CLOUD_STORAGE: "95FF-2EF5-5EA1"
+  CLOUD_STORAGE: "95FF-2EF5-5EA1",
+  // GKE (Kubernetes Engine) service — used to locate Autopilot pod SKUs.
+  GKE: "CCD8-9BF1-090E"
 };
 var CACHE_TTL3 = 86400;
 function protoToFloat(units, nanos) {
@@ -2450,6 +2947,141 @@ var CloudBillingClient = class {
     }
     return null;
   }
+  /**
+   * Fetch Compute Engine GPU (accelerator) SKUs and return the hourly price
+   * for the given accelerator type (e.g. "nvidia-tesla-t4", "nvidia-a100").
+   *
+   * GPUs live under the Compute service (6F81-5844-456A) with
+   * `category.resourceFamily == "Compute"` and
+   * `category.resourceGroup == "GPU"`. Descriptions follow the pattern
+   * "Nvidia Tesla T4 GPU running in Americas".
+   */
+  async fetchGpuSkus(accelerator, region) {
+    const cacheKey = `gcp/gpu/${region}/${accelerator.toLowerCase()}`;
+    const cached = this.cache.get(cacheKey);
+    if (cached) return cached;
+    try {
+      const skus = await this.fetchSkus(SERVICE_IDS.COMPUTE, region);
+      const result = this.extractGpuPrice(skus, accelerator, region);
+      if (result) {
+        this.cache.set(cacheKey, result, "gcp", "compute-gpu", region, CACHE_TTL3);
+        return result;
+      }
+    } catch (err) {
+      logger.warn("GCP Cloud Billing GPU fetch failed", {
+        accelerator,
+        region,
+        err: err instanceof Error ? err.message : String(err)
+      });
+    }
+    return null;
+  }
+  /**
+   * Fetch Committed Use Discount (CUD) rates for the Compute service in a
+   * region. Returns discount fractions (0..1) against OnDemand base rates,
+   * derived by comparing matching Commit1Yr / Commit3Yr SKUs to their
+   * OnDemand counterparts for the same resource group (e.g. "N1Standard").
+   *
+   * If the API call fails or no matching SKUs are found, returns null and
+   * callers should fall back to static rates.
+   */
+  async fetchCudRates(region) {
+    const cacheKey = `gcp/cud/${region}`;
+    const cached = this.cache.get(cacheKey);
+    if (cached) return cached;
+    try {
+      const skus = await this.fetchSkus(SERVICE_IDS.COMPUTE, region);
+      const onDemand = /* @__PURE__ */ new Map();
+      const commit1 = /* @__PURE__ */ new Map();
+      const commit3 = /* @__PURE__ */ new Map();
+      const keyOf = (sku) => {
+        const group = sku.category.resourceGroup ?? "";
+        if (!group) return null;
+        const desc = sku.description.toLowerCase();
+        let flavour;
+        if (desc.includes("core") || desc.includes("vcpu")) {
+          flavour = "core";
+        } else if (desc.includes("ram") || desc.includes("memory")) {
+          flavour = "ram";
+        } else {
+          return null;
+        }
+        return `${group}|${flavour}`;
+      };
+      for (const sku of skus) {
+        if (sku.category.resourceFamily !== "Compute") continue;
+        const price = extractUnitPrice(sku);
+        if (price === null) continue;
+        const key = keyOf(sku);
+        if (!key) continue;
+        const usage = sku.category.usageType;
+        if (usage === "OnDemand") {
+          const existing = onDemand.get(key);
+          if (existing === void 0 || price < existing) onDemand.set(key, price);
+        } else if (usage === "Commit1Yr") {
+          const existing = commit1.get(key);
+          if (existing === void 0 || price < existing) commit1.set(key, price);
+        } else if (usage === "Commit3Yr") {
+          const existing = commit3.get(key);
+          if (existing === void 0 || price < existing) commit3.set(key, price);
+        }
+      }
+      const averageDiscount = (commits) => {
+        const ratios = [];
+        for (const [key, commitPrice] of commits) {
+          const base = onDemand.get(key);
+          if (base === void 0 || base <= 0) continue;
+          const discount = 1 - commitPrice / base;
+          if (discount > 0 && discount < 1) ratios.push(discount);
+        }
+        if (ratios.length === 0) return null;
+        const sum = ratios.reduce((a, b) => a + b, 0);
+        return sum / ratios.length;
+      };
+      const result = {
+        term1yr: averageDiscount(commit1),
+        term3yr: averageDiscount(commit3),
+        sample_count: onDemand.size
+      };
+      if (result.term1yr === null && result.term3yr === null) {
+        return null;
+      }
+      this.cache.set(cacheKey, result, "gcp", "compute-cud", region, CACHE_TTL3);
+      return result;
+    } catch (err) {
+      logger.warn("GCP Cloud Billing CUD fetch failed", {
+        region,
+        err: err instanceof Error ? err.message : String(err)
+      });
+      return null;
+    }
+  }
+  /**
+   * Fetch GKE Autopilot pod resource rates (per-vCPU-hour, per-GB-memory-hour,
+   * per-GB-ephemeral-storage-hour) from the GKE service catalog. Returns a
+   * NormalizedPrice whose `price_per_unit` is the vCPU rate and whose
+   * `attributes` carry the memory/storage rates as strings — callers that
+   * know a pod's resource request can compute an exact per-pod price.
+   */
+  async fetchAutopilotPodRates(region) {
+    const cacheKey = `gcp/gke-autopilot/${region}`;
+    const cached = this.cache.get(cacheKey);
+    if (cached) return cached;
+    try {
+      const skus = await this.fetchSkus(SERVICE_IDS.GKE, region);
+      const result = this.extractAutopilotPodRates(skus, region);
+      if (result) {
+        this.cache.set(cacheKey, result, "gcp", "gke-autopilot", region, CACHE_TTL3);
+        return result;
+      }
+    } catch (err) {
+      logger.warn("GCP Cloud Billing GKE Autopilot fetch failed", {
+        region,
+        err: err instanceof Error ? err.message : String(err)
+      });
+    }
+    return null;
+  }
   // -------------------------------------------------------------------------
   // Internal – API fetch
   // -------------------------------------------------------------------------
@@ -2467,10 +3099,14 @@ var CloudBillingClient = class {
     do {
       const pageUrl = pageToken ? `${url}?pageToken=${pageToken}` : url;
       logger.debug("GCP Cloud Billing API request", { url: pageUrl, serviceId, region });
-      const res = await fetch(pageUrl, {
-        signal: AbortSignal.timeout(3e4),
-        headers: { Accept: "application/json" }
-      });
+      const res = await fetchWithRetryAndCircuitBreaker(
+        pageUrl,
+        {
+          signal: AbortSignal.timeout(3e4),
+          headers: { Accept: "application/json" }
+        },
+        { maxRetries: 2 }
+      );
       if (!res.ok) {
         throw new Error(`GCP Billing API HTTP ${res.status} for service ${serviceId}`);
       }
@@ -2614,13 +3250,124 @@ var CloudBillingClient = class {
       effective_date: sku.pricingInfo?.[0]?.effectiveTime ?? (/* @__PURE__ */ new Date()).toISOString()
     };
   }
+  /**
+   * Extract a GPU hourly price for the requested accelerator type.
+   * Matches SKUs with resourceGroup == "GPU" whose description contains the
+   * human-readable model name (e.g. "Tesla T4", "A100 40GB").
+   */
+  extractGpuPrice(skus, accelerator, region) {
+    const lower = accelerator.toLowerCase();
+    const stripped = lower.replace(/^nvidia-?/, "");
+    const tokens = stripped.split(/[-\s]+/).filter((t) => t.length > 0);
+    if (tokens.length === 0) return null;
+    const candidates = skus.filter((s) => {
+      if (s.category.resourceFamily !== "Compute") return false;
+      if (s.category.resourceGroup !== "GPU") return false;
+      if (s.category.usageType !== "OnDemand") return false;
+      const desc = s.description.toLowerCase();
+      return tokens.every((tok) => desc.includes(tok));
+    });
+    if (candidates.length === 0) return null;
+    candidates.sort((a, b) => a.skuId.localeCompare(b.skuId));
+    const sku = candidates[0];
+    const price = extractUnitPrice(sku);
+    if (price === null) return null;
+    return {
+      provider: "gcp",
+      service: "compute-engine",
+      resource_type: accelerator,
+      region,
+      unit: "h",
+      price_per_unit: price,
+      currency: "USD",
+      description: `GCP GPU ${accelerator} (live: ${sku.description})`,
+      attributes: {
+        accelerator,
+        sku_id: sku.skuId,
+        pricing_source: "live"
+      },
+      effective_date: sku.pricingInfo?.[0]?.effectiveTime ?? (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Extract GKE Autopilot pod resource rates. Autopilot exposes separate
+   * SKUs per resource dimension (vCPU, memory, ephemeral storage) under the
+   * GKE service. We look for SKUs whose description contains "Autopilot"
+   * and the matching dimension keyword.
+   */
+  extractAutopilotPodRates(skus, region) {
+    const autopilotSkus = skus.filter((s) => {
+      const desc = s.description.toLowerCase();
+      return s.category.usageType === "OnDemand" && desc.includes("autopilot") && !desc.includes("spot") && !desc.includes("preemptible");
+    });
+    if (autopilotSkus.length === 0) return null;
+    const find = (keywords) => {
+      const matches = autopilotSkus.filter((s) => {
+        const desc = s.description.toLowerCase();
+        return keywords.every((kw) => desc.includes(kw));
+      });
+      if (matches.length === 0) return void 0;
+      matches.sort((a, b) => a.skuId.localeCompare(b.skuId));
+      return matches[0];
+    };
+    const vcpuSku = find(["cpu"]) ?? find(["core"]) ?? find(["vcpu"]);
+    const memorySku = find(["memory"]) ?? find(["ram"]);
+    const storageSku = find(["ephemeral", "storage"]) ?? find(["storage"]);
+    if (!vcpuSku) return null;
+    const vcpuPrice = extractUnitPrice(vcpuSku);
+    if (vcpuPrice === null) return null;
+    const memoryPrice = memorySku ? extractUnitPrice(memorySku) : null;
+    const storagePrice = storageSku ? extractUnitPrice(storageSku) : null;
+    const attributes = {
+      mode: "autopilot",
+      pricing_model: "per_pod_resource",
+      pricing_source: "live",
+      vcpu_hourly: String(vcpuPrice),
+      sku_id_vcpu: vcpuSku.skuId,
+      pricing_note: "Autopilot charges per pod: vCPU, memory, and ephemeral storage are billed separately. price_per_unit reports the vCPU/hr rate; see attributes for memory/storage rates."
+    };
+    if (memoryPrice !== null && memorySku) {
+      attributes.memory_gb_hourly = String(memoryPrice);
+      attributes.sku_id_memory = memorySku.skuId;
+    }
+    if (storagePrice !== null && storageSku) {
+      attributes.ephemeral_storage_gb_hourly = String(storagePrice);
+      attributes.sku_id_storage = storageSku.skuId;
+    }
+    return {
+      provider: "gcp",
+      service: "gke",
+      resource_type: "autopilot-pod",
+      region,
+      unit: "h",
+      price_per_unit: vcpuPrice,
+      currency: "USD",
+      description: `GCP GKE Autopilot pod resources (live: ${vcpuSku.description})`,
+      attributes,
+      effective_date: vcpuSku.pricingInfo?.[0]?.effectiveTime ?? (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
 };
 
 // src/pricing/pricing-engine.ts
 var AwsProvider = class {
   loader;
+  spotClient;
+  reservedClient;
   constructor(cache) {
     this.loader = new AwsBulkLoader(cache);
+    this.spotClient = new AwsSpotClient(cache);
+    this.reservedClient = new AwsReservedClient(cache);
+  }
+  getSpotFactor(instanceType, region, os) {
+    return this.spotClient.getSpotFactor(
+      instanceType,
+      region,
+      os === "Windows" ? "Windows" : "Linux"
+    );
+  }
+  getReservedRates(_instanceType, _region, _os) {
+    return Promise.resolve(null);
   }
   getComputePrice(instanceType, region, os) {
     return this.loader.getComputePrice(instanceType, region, os);
@@ -2664,6 +3411,24 @@ var AzureProvider = class {
   getKubernetesPrice(region) {
     return this.client.getKubernetesPrice(region);
   }
+  /**
+   * Azure-specific: fetch live Spot VM pricing from the Retail API. Exposed
+   * on the provider so the compute calculator can prefer live spot rows
+   * over static discount factors. Returns null when the live API has no
+   * matching spot row. Not part of the base `PricingProvider` interface
+   * because AWS/GCP use different spot channels.
+   */
+  getSpotPrice(vmSize, region, os) {
+    return this.client.getSpotPrice(vmSize, region, os);
+  }
+  /**
+   * Azure-specific: fetch the live Reservation VM hourly rate (1yr / 3yr)
+   * from the Retail API. Returns null when no reservation row matches,
+   * signalling callers to fall back to the static DISCOUNT_RATES table.
+   */
+  getReservationHourlyRate(vmSize, region, term) {
+    return this.client.getReservationHourlyRate(vmSize, region, term);
+  }
 };
 var GcpProvider = class {
   loader;
@@ -2789,13 +3554,27 @@ var PricingEngine = class {
 };
 
 // src/tools/analyze-terraform.ts
-import { z } from "zod";
+import { z as z2 } from "zod";
 
 // src/parsers/index.ts
 import { dirname as dirname2 } from "path";
 
 // src/parsers/hcl-parser.ts
 import { parse } from "@cdktf/hcl2json";
+
+// src/util/sanitize.ts
+function sanitizeForMessage(input, maxLen = 256) {
+  const s = typeof input === "string" ? input : String(input);
+  const noControl = s.replace(/[\x00-\x1F\x7F]/g, "");
+  const noInvisible = noControl.replace(
+    /[\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u206F\uFEFF]/g,
+    ""
+  );
+  if (noInvisible.length <= maxLen) return noInvisible;
+  return `${noInvisible.slice(0, maxLen)}\u2026`;
+}
+
+// src/parsers/hcl-parser.ts
 async function parseHclToJson(hclContent, filename = "main.tf") {
   if (!hclContent.trim()) {
     logger.debug("Received empty HCL content, returning empty object", {
@@ -2809,8 +3588,10 @@ async function parseHclToJson(hclContent, filename = "main.tf") {
     return result;
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    logger.error("Failed to parse HCL", { filename, error: message });
-    throw new Error(`HCL parse error in "${filename}": ${message}`);
+    const safeFilename = sanitizeForMessage(filename, 256);
+    const safeMessage = sanitizeForMessage(message, 512);
+    logger.error("Failed to parse HCL", { filename: safeFilename, error: safeMessage });
+    throw new Error(`HCL parse error in "${safeFilename}": ${safeMessage}`);
   }
 }
 
@@ -3638,8 +4419,43 @@ function extractResources(hclJson, variables, sourceFile, defaultRegions = {}, w
 
 // src/parsers/module-resolver.ts
 import { readdirSync, readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
-import { join as join2, resolve } from "path";
+import { join as join2, resolve as resolve2 } from "path";
+
+// src/parsers/path-safety.ts
+import { lstatSync, realpathSync } from "fs";
+import { resolve, sep } from "path";
+function resolveWithinBoundary(candidate, basePath, rootBoundary) {
+  const resolved = resolve(basePath, candidate);
+  const boundary = resolve(rootBoundary);
+  if (!isWithin(resolved, boundary)) return null;
+  try {
+    const real = realpathSync(resolved);
+    if (!isWithin(real, boundary)) return null;
+    const stat = lstatSync(resolved);
+    if (stat.isSymbolicLink()) return null;
+    return real;
+  } catch {
+    return resolved;
+  }
+}
+function isWithin(child, parent) {
+  if (child === parent) return true;
+  const parentWithSep = parent.endsWith(sep) ? parent : parent + sep;
+  return child.startsWith(parentWithSep);
+}
+
+// src/parsers/safe-json.ts
+var FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function safeJsonParse(text) {
+  return JSON.parse(text, (key, value) => {
+    if (FORBIDDEN_KEYS.has(key)) return void 0;
+    return value;
+  });
+}
+
+// src/parsers/module-resolver.ts
 var MAX_MODULE_DEPTH = 10;
+var FORBIDDEN_MERGE_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
 function readTfFiles(dirPath) {
   if (!existsSync2(dirPath)) return [];
   let entries;
@@ -3664,6 +4480,7 @@ function mergeHclJsons(jsons) {
   const merged = {};
   for (const json of jsons) {
     for (const [key, value] of Object.entries(json)) {
+      if (FORBIDDEN_MERGE_KEYS.has(key)) continue;
       if (!(key in merged)) {
         merged[key] = JSON.parse(JSON.stringify(value));
         continue;
@@ -3684,8 +4501,13 @@ function mergeHclJsons(jsons) {
   return merged;
 }
 function mergeObjects(a, b) {
-  const result = { ...a };
+  const result = {};
+  for (const [key, aVal] of Object.entries(a)) {
+    if (FORBIDDEN_MERGE_KEYS.has(key)) continue;
+    result[key] = aVal;
+  }
   for (const [key, bVal] of Object.entries(b)) {
+    if (FORBIDDEN_MERGE_KEYS.has(key)) continue;
     const aVal = result[key];
     if (aVal !== null && typeof aVal === "object" && !Array.isArray(aVal) && bVal !== null && typeof bVal === "object" && !Array.isArray(bVal)) {
       result[key] = mergeObjects(aVal, bVal);
@@ -3727,10 +4549,10 @@ function prefixResources(resources, moduleName) {
     id: `module.${moduleName}.${r.id}`
   }));
 }
-async function parseModuleDirectory(dirPath, parentVars, moduleInputs, warnings, depth) {
+async function parseModuleDirectory(dirPath, parentVars, moduleInputs, warnings, depth, rootBoundary) {
   if (depth >= MAX_MODULE_DEPTH) {
     warnings.push(
-      `Module nesting depth limit (${MAX_MODULE_DEPTH}) reached at "${dirPath}". Skipping further expansion.`
+      `Module nesting depth limit (${MAX_MODULE_DEPTH}) reached at "${sanitizeForMessage(dirPath)}". Skipping further expansion.`
     );
     return [];
   }
@@ -3745,10 +4567,12 @@ async function parseModuleDirectory(dirPath, parentVars, moduleInputs, warnings,
       parsedJsons.push({ path: file.path, json });
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
-      warnings.push(`Parse error in module file ${file.path}: ${msg}`);
+      const safePath = sanitizeForMessage(file.path);
+      const safeMsg = sanitizeForMessage(msg, 512);
+      warnings.push(`Parse error in module file ${safePath}: ${safeMsg}`);
       logger.warn("Skipping module file due to parse error", {
-        path: file.path,
-        error: msg
+        path: safePath,
+        error: safeMsg
       });
     }
   }
@@ -3771,86 +4595,117 @@ async function parseModuleDirectory(dirPath, parentVars, moduleInputs, warnings,
       allResources.push(...resources);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
-      warnings.push(`Extraction error in module file ${path}: ${msg}`);
-      logger.warn("Resource extraction failed in module", { path, error: msg });
-    }
-  }
-  const nestedResources = await resolveModules(combined, dirPath, variables, warnings, depth + 1);
+      const safePath = sanitizeForMessage(path);
+      const safeMsg = sanitizeForMessage(msg, 512);
+      warnings.push(`Extraction error in module file ${safePath}: ${safeMsg}`);
+      logger.warn("Resource extraction failed in module", { path: safePath, error: safeMsg });
+    }
+  }
+  const nestedResources = await resolveModules(
+    combined,
+    dirPath,
+    variables,
+    warnings,
+    depth + 1,
+    rootBoundary
+  );
   allResources.push(...nestedResources);
   return allResources;
 }
-async function resolveModules(hclJson, basePath, variables, warnings, depth = 0) {
+async function resolveModules(hclJson, basePath, variables, warnings, depth = 0, rootBoundary) {
   const moduleBlock = hclJson["module"];
   if (!moduleBlock || typeof moduleBlock !== "object" || Array.isArray(moduleBlock)) {
     return [];
   }
+  const boundary = resolve2(rootBoundary ?? process.cwd());
   const allResources = [];
   for (const [moduleName, moduleDeclaration] of Object.entries(
     moduleBlock
   )) {
+    const safeModuleName = sanitizeForMessage(moduleName, 128);
     const source = getSourceAttr(moduleDeclaration);
     if (!source) {
-      warnings.push(`Module "${moduleName}" has no source attribute and will be skipped.`);
+      warnings.push(`Module "${safeModuleName}" has no source attribute and will be skipped.`);
       continue;
     }
+    const safeSource = sanitizeForMessage(source, 256);
     const isLocal = source.startsWith("./") || source.startsWith("../");
     const isGit = source.startsWith("git::") || source.includes("github.com") || source.includes("bitbucket.org") || source.startsWith("hg::");
     if (isGit) {
       warnings.push(
-        `Module "${moduleName}" uses a git source ("${source}") which is not supported. Skipping.`
+        `Module "${safeModuleName}" uses a git source ("${safeSource}") which is not supported. Skipping.`
       );
-      logger.debug("Skipping git module", { moduleName, source });
+      logger.debug("Skipping git module", { moduleName: safeModuleName, source: safeSource });
       continue;
     }
     const rawInputs = extractModuleInputs(moduleDeclaration);
     const moduleInputs = substituteVariables(rawInputs, variables);
     let moduleDir;
     if (isLocal) {
-      moduleDir = resolve(basePath, source);
+      moduleDir = resolveWithinBoundary(source, basePath, boundary);
+      if (!moduleDir) {
+        warnings.push(
+          `Module "${safeModuleName}" source "${safeSource}" resolves outside the allowed root and was rejected.`
+        );
+        logger.warn("Rejected local module path escaping boundary", {
+          moduleName: safeModuleName,
+          source: safeSource
+        });
+        continue;
+      }
     } else {
-      const terraformModulesDir = join2(basePath, ".terraform", "modules");
-      const candidateDirect = join2(terraformModulesDir, moduleName);
-      if (existsSync2(candidateDirect)) {
+      const terraformModulesDir = resolve2(basePath, ".terraform", "modules");
+      const candidateDirect = resolveWithinBoundary(
+        moduleName,
+        terraformModulesDir,
+        terraformModulesDir
+      );
+      if (candidateDirect && existsSync2(candidateDirect)) {
         moduleDir = candidateDirect;
       } else {
         const modulesJsonPath = join2(terraformModulesDir, "modules.json");
+        let resolvedFromJson = null;
         if (existsSync2(modulesJsonPath)) {
           try {
-            const modulesJson = JSON.parse(readFileSync2(modulesJsonPath, "utf-8"));
+            const rawJson = readFileSync2(modulesJsonPath, "utf-8");
+            const modulesJson = safeJsonParse(rawJson);
             const entry = modulesJson.Modules?.find(
               (m) => m.Key === moduleName || m.Key.startsWith(`${moduleName}.`)
             );
-            if (entry?.Dir) {
-              moduleDir = resolve(basePath, entry.Dir);
-            } else {
-              warnings.push(
-                `Registry module "${moduleName}" (source: "${source}") not found in .terraform/modules/. Run "terraform init" to download modules before estimating costs.`
-              );
-              logger.debug("Registry module not initialised", { moduleName, source });
-              continue;
+            if (entry?.Dir && typeof entry.Dir === "string") {
+              resolvedFromJson = resolveWithinBoundary(entry.Dir, basePath, boundary);
             }
           } catch {
-            warnings.push(
-              `Registry module "${moduleName}" (source: "${source}") not found in .terraform/modules/. Run "terraform init" to download modules before estimating costs.`
-            );
-            continue;
+            resolvedFromJson = null;
           }
+        }
+        if (resolvedFromJson) {
+          moduleDir = resolvedFromJson;
         } else {
           warnings.push(
-            `Registry module "${moduleName}" (source: "${source}") not found in .terraform/modules/. Run "terraform init" to download modules before estimating costs.`
+            `Registry module "${safeModuleName}" (source: "${safeSource}") not found in .terraform/modules/. Run "terraform init" to download modules before estimating costs.`
           );
-          logger.debug("Registry module not initialised", { moduleName, source });
+          logger.debug("Registry module not initialised", {
+            moduleName: safeModuleName,
+            source: safeSource
+          });
           continue;
         }
       }
     }
-    logger.debug("Resolving module", { moduleName, source, moduleDir, depth });
+    logger.debug("Resolving module", {
+      moduleName: safeModuleName,
+      source: safeSource,
+      moduleDir,
+      depth
+    });
     const childResources = await parseModuleDirectory(
       moduleDir,
       variables,
       moduleInputs,
       warnings,
-      depth
+      depth,
+      boundary
     );
     allResources.push(...prefixResources(childResources, moduleName));
   }
@@ -4973,16 +5828,31 @@ function generateMermaidDiagram(graph) {
   return lines.join("\n");
 }
 
+// src/schemas/bounded.ts
+import { z } from "zod";
+var MAX_FILE_PATH_LEN = 1024;
+var MAX_FILE_CONTENT_BYTES = 5 * 1024 * 1024;
+var MAX_TFVARS_BYTES = 1 * 1024 * 1024;
+var MAX_PLAN_JSON_BYTES = 20 * 1024 * 1024;
+var MAX_STATE_JSON_BYTES = 20 * 1024 * 1024;
+var MAX_SHORT_STRING_LEN = 256;
+var filePathSchema = z.string().max(MAX_FILE_PATH_LEN, `File path exceeds ${MAX_FILE_PATH_LEN} characters`);
+var fileContentSchema = z.string().max(MAX_FILE_CONTENT_BYTES, `File content exceeds ${MAX_FILE_CONTENT_BYTES} bytes`);
+var tfvarsSchema = z.string().max(MAX_TFVARS_BYTES, `tfvars content exceeds ${MAX_TFVARS_BYTES} bytes`);
+var planJsonSchema = z.string().max(MAX_PLAN_JSON_BYTES, `plan JSON exceeds ${MAX_PLAN_JSON_BYTES} bytes`);
+var stateJsonSchema = z.string().max(MAX_STATE_JSON_BYTES, `state JSON exceeds ${MAX_STATE_JSON_BYTES} bytes`);
+var shortStringSchema = z.string().max(MAX_SHORT_STRING_LEN, `value exceeds ${MAX_SHORT_STRING_LEN} characters`);
+
 // src/tools/analyze-terraform.ts
-var analyzeTerraformSchema = z.object({
-  files: z.array(
-    z.object({
-      path: z.string().describe("File path"),
-      content: z.string().describe("File content (HCL)")
+var analyzeTerraformSchema = z2.object({
+  files: z2.array(
+    z2.object({
+      path: filePathSchema.describe("File path"),
+      content: fileContentSchema.describe("File content (HCL)")
     })
-  ).describe("Terraform files to analyze"),
-  tfvars: z.string().optional().describe("Contents of terraform.tfvars file"),
-  include_dependencies: z.boolean().optional().default(false).describe(
+  ).max(2e3, "files array exceeds 2000 entries").describe("Terraform files to analyze"),
+  tfvars: tfvarsSchema.optional().describe("Contents of terraform.tfvars file"),
+  include_dependencies: z2.boolean().optional().default(false).describe(
     "When true, parse resource references and depends_on blocks to build a dependency graph and Mermaid diagram"
   )
 });
@@ -5034,7 +5904,7 @@ async function analyzeTerraform(params) {
 }
 
 // src/tools/estimate-cost.ts
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 
 // src/mapping/region-mapper.ts
 var DEFAULT_REGIONS = {
@@ -5244,7 +6114,7 @@ async function calculateComputeCost(resource, targetProvider, targetRegion, pric
       `No instance mapping found for ${sourceInstanceType} (${resource.provider} -> ${targetProvider})`
     );
   } else {
-    const { getInstanceMap: getInstanceMap2 } = await import("./loader-VXYJYDIH.js");
+    const { getInstanceMap: getInstanceMap2 } = await import("./loader-UWVEXYMR.js");
     const im = getInstanceMap2();
     const dirKey = `${resource.provider}_to_${targetProvider}`;
     const directMap = im[dirKey];
@@ -5282,13 +6152,69 @@ async function calculateComputeCost(resource, targetProvider, targetRegion, pric
     }
     let hourlyPrice = computePrice.price_per_unit;
     if (pricingConfig.pricing_model === "spot") {
-      const family = classifyInstanceFamily(effectiveInstance, targetProvider);
-      const providerFactors = SPOT_DISCOUNT_FACTORS[targetProvider] ?? SPOT_DISCOUNT_FACTORS.aws;
-      const factor = providerFactors[family] ?? providerFactors.general ?? 0.35;
-      const savingsPct = Math.round((1 - factor) * 100);
-      hourlyPrice = hourlyPrice * factor;
-      pricingSource = "spot-estimate";
-      notes.push(`Spot pricing applied (${savingsPct}% discount from on-demand)`);
+      let liveSpotApplied = false;
+      if (targetProvider === "azure") {
+        try {
+          const azureProvider = pricingEngine.getProvider("azure");
+          if (typeof azureProvider.getSpotPrice === "function") {
+            const liveSpot = await azureProvider.getSpotPrice(
+              effectiveInstance,
+              targetRegion,
+              resource.attributes.os
+            );
+            if (liveSpot && liveSpot.price_per_unit > 0 && hourlyPrice > 0) {
+              const savingsPct = Math.max(
+                0,
+                Math.round((1 - liveSpot.price_per_unit / hourlyPrice) * 100)
+              );
+              hourlyPrice = liveSpot.price_per_unit;
+              pricingSource = "live";
+              liveSpotApplied = true;
+              notes.push(
+                `Spot pricing applied from live Azure Retail API (${savingsPct}% discount from on-demand)`
+              );
+            }
+          }
+        } catch (err) {
+          logger.debug("Azure live spot lookup failed, using fallback discount factor", {
+            err: err instanceof Error ? err.message : String(err)
+          });
+        }
+      }
+      if (!liveSpotApplied && targetProvider === "aws") {
+        try {
+          const awsProvider = pricingEngine.getProvider("aws");
+          if (typeof awsProvider.getSpotFactor === "function") {
+            const liveFactor = await awsProvider.getSpotFactor(
+              effectiveInstance,
+              targetRegion,
+              resource.attributes.os
+            );
+            if (liveFactor !== null && liveFactor > 0 && liveFactor < 1) {
+              const savingsPct = Math.round((1 - liveFactor) * 100);
+              hourlyPrice = hourlyPrice * liveFactor;
+              pricingSource = "live";
+              liveSpotApplied = true;
+              notes.push(
+                `Spot pricing applied from live AWS Spot Advisor (${savingsPct}% discount from on-demand)`
+              );
+            }
+          }
+        } catch (err) {
+          logger.debug("AWS live spot lookup failed, using fallback discount factor", {
+            err: err instanceof Error ? err.message : String(err)
+          });
+        }
+      }
+      if (!liveSpotApplied) {
+        const family = classifyInstanceFamily(effectiveInstance, targetProvider);
+        const providerFactors = SPOT_DISCOUNT_FACTORS[targetProvider] ?? SPOT_DISCOUNT_FACTORS.aws;
+        const factor = providerFactors[family] ?? providerFactors.general ?? 0.35;
+        const savingsPct = Math.round((1 - factor) * 100);
+        hourlyPrice = hourlyPrice * factor;
+        pricingSource = "spot-estimate";
+        notes.push(`Spot pricing applied (${savingsPct}% discount from on-demand)`);
+      }
     }
     computeMonthlyCost = hourlyPrice * monthlyHours;
     breakdown.push({
@@ -8274,19 +9200,19 @@ function convertBreakdownCurrency(breakdown, currency) {
 }
 
 // src/tools/estimate-cost.ts
-var estimateCostSchema = z2.object({
-  files: z2.array(
-    z2.object({
-      path: z2.string().describe("File path"),
-      content: z2.string().describe("File content (HCL)")
+var estimateCostSchema = z3.object({
+  files: z3.array(
+    z3.object({
+      path: filePathSchema.describe("File path"),
+      content: fileContentSchema.describe("File content (HCL)")
     })
-  ),
-  tfvars: z2.string().optional().describe("Contents of terraform.tfvars file"),
-  provider: z2.enum(["aws", "azure", "gcp"]).describe("Target cloud provider to estimate costs for"),
-  region: z2.string().optional().describe(
+  ).max(2e3, "files array exceeds 2000 entries"),
+  tfvars: tfvarsSchema.optional().describe("Contents of terraform.tfvars file"),
+  provider: z3.enum(["aws", "azure", "gcp"]).describe("Target cloud provider to estimate costs for"),
+  region: z3.string().optional().describe(
     "Target region for pricing lookup. Defaults to the source region mapped to the target provider."
   ),
-  currency: z2.enum(SUPPORTED_CURRENCIES).optional().default("USD").describe("Output currency for cost estimates. Defaults to USD.")
+  currency: z3.enum(SUPPORTED_CURRENCIES).optional().default("USD").describe("Output currency for cost estimates. Defaults to USD.")
 });
 async function estimateCost(params, pricingEngine, config) {
   const inventory = await parseTerraform(params.files, params.tfvars);
@@ -8328,7 +9254,7 @@ async function estimateCost(params, pricingEngine, config) {
 }
 
 // src/tools/compare-providers.ts
-import { z as z3 } from "zod";
+import { z as z4 } from "zod";
 
 // src/calculator/reserved.ts
 var DISCOUNT_RATES = {
@@ -8356,8 +9282,12 @@ var DISCOUNT_RATES = {
     { term: "3yr", payment: "partial_upfront", rate: 0.45 }
   ]
 };
-function calculateReservedPricing(onDemandMonthly, provider) {
-  const rates = DISCOUNT_RATES[provider];
+function calculateReservedPricing(onDemandMonthly, provider, overrides) {
+  const baseRates = DISCOUNT_RATES[provider];
+  const rates = overrides ? baseRates.map((r) => {
+    const override = overrides[r.term];
+    return override !== void 0 ? { ...r, rate: override } : r;
+  }) : baseRates;
   const options = rates.map(({ term, payment, rate }) => {
     const monthly_cost = onDemandMonthly * (1 - rate);
     const monthly_savings = onDemandMonthly - monthly_cost;
@@ -9116,17 +10046,17 @@ function generateFocusReport(comparison, resources) {
 }
 
 // src/tools/compare-providers.ts
-var compareProvidersSchema = z3.object({
-  files: z3.array(
-    z3.object({
-      path: z3.string().describe("File path"),
-      content: z3.string().describe("File content (HCL)")
+var compareProvidersSchema = z4.object({
+  files: z4.array(
+    z4.object({
+      path: filePathSchema.describe("File path"),
+      content: fileContentSchema.describe("File content (HCL)")
     })
-  ),
-  tfvars: z3.string().optional().describe("Contents of terraform.tfvars file"),
-  format: z3.enum(["markdown", "json", "csv", "focus"]).default("markdown").describe("Output report format"),
-  providers: z3.array(z3.enum(["aws", "azure", "gcp"])).default(["aws", "azure", "gcp"]).describe("Cloud providers to include in the comparison"),
-  currency: z3.enum(SUPPORTED_CURRENCIES).optional().default("USD").describe("Output currency for cost estimates. Defaults to USD.")
+  ).max(2e3, "files array exceeds 2000 entries"),
+  tfvars: tfvarsSchema.optional().describe("Contents of terraform.tfvars file"),
+  format: z4.enum(["markdown", "json", "csv", "focus"]).default("markdown").describe("Output report format"),
+  providers: z4.array(z4.enum(["aws", "azure", "gcp"])).default(["aws", "azure", "gcp"]).describe("Cloud providers to include in the comparison"),
+  currency: z4.enum(SUPPORTED_CURRENCIES).optional().default("USD").describe("Output currency for cost estimates. Defaults to USD.")
 });
 async function compareProviders(params, pricingEngine, config) {
   const inventory = await parseTerraform(params.files, params.tfvars);
@@ -9208,16 +10138,16 @@ async function compareProviders(params, pricingEngine, config) {
 }
 
 // src/tools/optimize-cost.ts
-import { z as z4 } from "zod";
-var optimizeCostSchema = z4.object({
-  files: z4.array(
-    z4.object({
-      path: z4.string().describe("File path"),
-      content: z4.string().describe("File content (HCL)")
+import { z as z5 } from "zod";
+var optimizeCostSchema = z5.object({
+  files: z5.array(
+    z5.object({
+      path: filePathSchema.describe("File path"),
+      content: fileContentSchema.describe("File content (HCL)")
     })
-  ),
-  tfvars: z4.string().optional().describe("Contents of terraform.tfvars file"),
-  providers: z4.array(z4.enum(["aws", "azure", "gcp"])).default(["aws", "azure", "gcp"]).describe("Providers to calculate costs against for cross-provider recommendations")
+  ).max(2e3, "files array exceeds 2000 entries"),
+  tfvars: tfvarsSchema.optional().describe("Contents of terraform.tfvars file"),
+  providers: z5.array(z5.enum(["aws", "azure", "gcp"])).default(["aws", "azure", "gcp"]).describe("Providers to calculate costs against for cross-provider recommendations")
 });
 async function optimizeCost(params, pricingEngine, config) {
   const inventory = await parseTerraform(params.files, params.tfvars);
@@ -9253,24 +10183,28 @@ async function optimizeCost(params, pricingEngine, config) {
 }
 
 // src/tools/what-if.ts
-import { z as z5 } from "zod";
-var whatIfSchema = z5.object({
-  files: z5.array(
-    z5.object({
-      path: z5.string().describe("File path"),
-      content: z5.string().describe("File content (HCL)")
+import { z as z6 } from "zod";
+var whatIfSchema = z6.object({
+  files: z6.array(
+    z6.object({
+      path: filePathSchema.describe("File path"),
+      content: fileContentSchema.describe("File content (HCL)")
     })
-  ).describe("Terraform HCL files to analyse"),
-  changes: z5.array(
-    z5.object({
-      resource_id: z5.string().describe("The resource ID to modify (e.g. aws_instance.web)"),
-      attribute: z5.string().describe("The attribute name to change (e.g. instance_type, storage_size_gb)"),
-      new_value: z5.union([z5.string(), z5.number()]).describe("The new value for the attribute")
+  ).max(2e3, "files array exceeds 2000 entries").describe("Terraform HCL files to analyse"),
+  changes: z6.array(
+    z6.object({
+      resource_id: shortStringSchema.describe(
+        "The resource ID to modify (e.g. aws_instance.web)"
+      ),
+      attribute: shortStringSchema.describe(
+        "The attribute name to change (e.g. instance_type, storage_size_gb)"
+      ),
+      new_value: z6.union([shortStringSchema, z6.number()]).describe("The new value for the attribute")
     })
-  ).describe("List of attribute changes to simulate"),
-  provider: z5.enum(["aws", "azure", "gcp"]).optional().describe("Target cloud provider. Defaults to auto-detecting from the files"),
-  region: z5.string().optional().describe("Target region for pricing. Defaults to the region detected from provider blocks"),
-  tfvars: z5.string().optional().describe("Contents of a terraform.tfvars file for variable resolution")
+  ).max(200, "changes array exceeds 200 entries").describe("List of attribute changes to simulate"),
+  provider: z6.enum(["aws", "azure", "gcp"]).optional().describe("Target cloud provider. Defaults to auto-detecting from the files"),
+  region: z6.string().optional().describe("Target region for pricing. Defaults to the region detected from provider blocks"),
+  tfvars: z6.string().optional().describe("Contents of a terraform.tfvars file for variable resolution")
 });
 function cloneResources(resources) {
   return JSON.parse(JSON.stringify(resources));
@@ -9371,10 +10305,17 @@ export {
   logger,
   PricingCache,
   PricingEngine,
+  sanitizeForMessage,
   str,
   num,
   bool,
+  safeJsonParse,
   parseTerraform,
+  filePathSchema,
+  fileContentSchema,
+  tfvarsSchema,
+  planJsonSchema,
+  stateJsonSchema,
   analyzeTerraformSchema,
   analyzeTerraform,
   mapRegion,
@@ -9392,4 +10333,4 @@ export {
   whatIfSchema,
   whatIf
 };
-//# sourceMappingURL=chunk-E7KOWAMW.js.map
+//# sourceMappingURL=chunk-6O2Y6MKU.js.map