@probelabs/visor 0.1.132-ee → 0.1.137-ee

package/dist/sdk/sdk.js

@@ -693,9 +693,10 @@ var require_package = __commonJS({
         format: "prettier --write src tests",
         "format:check": "prettier --check src tests",
         clean: "",
+        "clean:traces": "node scripts/clean-traces.js",
         prebuild: "npm run clean && node scripts/generate-config-schema.js",
-        pretest: "node scripts/generate-config-schema.js && npm run build:cli",
-        "pretest:unit": "node scripts/generate-config-schema.js && npm run build:cli",
+        pretest: "npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli",
+        "pretest:unit": "npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli",
         "test:with-build": "npm run build:cli && jest",
         "test:yaml": "node dist/index.js test --progress compact",
         "test:yaml:parallel": "node dist/index.js test --progress compact --max-parallel 4",
@@ -742,25 +743,31 @@ var require_package = __commonJS({
       homepage: "https://github.com/probelabs/visor#readme",
       dependencies: {
         "@actions/core": "^1.11.1",
+        "@apidevtools/swagger-parser": "^12.1.0",
         "@modelcontextprotocol/sdk": "^1.25.3",
         "@nyariv/sandboxjs": "github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9",
         "@octokit/action": "^8.0.2",
         "@octokit/auth-app": "^8.1.0",
         "@octokit/core": "^7.0.3",
         "@octokit/rest": "^22.0.0",
-        "@probelabs/probe": "^0.6.0-rc245",
+        "@probelabs/probe": "^0.6.0-rc255",
         "@types/commander": "^2.12.0",
         "@types/uuid": "^10.0.0",
+        acorn: "^8.16.0",
+        "acorn-walk": "^8.3.5",
         ajv: "^8.17.1",
         "ajv-formats": "^3.0.1",
         "better-sqlite3": "^11.0.0",
         blessed: "^0.1.81",
         "cli-table3": "^0.6.5",
         commander: "^14.0.0",
+        deepmerge: "^4.3.1",
         dotenv: "^17.2.3",
         ignore: "^7.0.5",
         "js-yaml": "^4.1.0",
+        "jsonpath-plus": "^10.4.0",
         liquidjs: "^10.21.1",
+        minimatch: "^10.2.2",
         "node-cron": "^3.0.3",
         open: "^9.1.0",
         "simple-git": "^3.28.0",
@@ -938,19 +945,19 @@ function __getOrCreateNdjsonPath() {
   try {
     if (process.env.VISOR_TELEMETRY_SINK && process.env.VISOR_TELEMETRY_SINK !== "file")
       return null;
-    const path29 = require("path");
-    const fs25 = require("fs");
+    const path30 = require("path");
+    const fs26 = require("fs");
     if (process.env.VISOR_FALLBACK_TRACE_FILE) {
       __ndjsonPath = process.env.VISOR_FALLBACK_TRACE_FILE;
-      const dir = path29.dirname(__ndjsonPath);
-      if (!fs25.existsSync(dir)) fs25.mkdirSync(dir, { recursive: true });
+      const dir = path30.dirname(__ndjsonPath);
+      if (!fs26.existsSync(dir)) fs26.mkdirSync(dir, { recursive: true });
       return __ndjsonPath;
     }
-    const outDir = process.env.VISOR_TRACE_DIR || path29.join(process.cwd(), "output", "traces");
-    if (!fs25.existsSync(outDir)) fs25.mkdirSync(outDir, { recursive: true });
+    const outDir = process.env.VISOR_TRACE_DIR || path30.join(process.cwd(), "output", "traces");
+    if (!fs26.existsSync(outDir)) fs26.mkdirSync(outDir, { recursive: true });
     if (!__ndjsonPath) {
       const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      __ndjsonPath = path29.join(outDir, `${ts}.ndjson`);
+      __ndjsonPath = path30.join(outDir, `${ts}.ndjson`);
     }
     return __ndjsonPath;
   } catch {
@@ -959,11 +966,11 @@ function __getOrCreateNdjsonPath() {
 }
 function _appendRunMarker() {
   try {
-    const fs25 = require("fs");
+    const fs26 = require("fs");
     const p = __getOrCreateNdjsonPath();
     if (!p) return;
     const line = { name: "visor.run", attributes: { started: true } };
-    fs25.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
+    fs26.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
   } catch {
   }
 }
@@ -2311,6 +2318,36 @@ ${src}
   }
   return out;
 }
+async function compileAndRunAsync(sandbox, transformedCode, scope, opts = { injectLog: true, logPrefix: "[async-sandbox]" }) {
+  const inject = opts?.injectLog === true;
+  let safePrefix = String(opts?.logPrefix ?? "[async-sandbox]");
+  safePrefix = safePrefix.replace(/[\r\n\t\0]/g, "").replace(/[`$\\]/g, "").replace(/\$\{/g, "").slice(0, 64);
+  const scopeWithLog = inject ? {
+    ...scope,
+    log: (...args) => {
+      try {
+        console.log(safePrefix, ...args);
+      } catch {
+      }
+    }
+  } : scope;
+  const codePreview = transformedCode.replace(/\s+/g, " ").trim().slice(0, 100);
+  const contextInfo = safePrefix !== "[async-sandbox]" ? ` [${safePrefix}]` : "";
+  let exec2;
+  try {
+    exec2 = sandbox.compileAsync(transformedCode);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`async_sandbox_compile_error${contextInfo}: ${msg} | code: ${codePreview}`);
+  }
+  try {
+    const result = await exec2(scopeWithLog).run();
+    return result;
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`async_sandbox_execution_error${contextInfo}: ${msg} | code: ${codePreview}`);
+  }
+}
 var import_sandboxjs;
 var init_sandbox = __esm({
   "src/utils/sandbox.ts"() {
@@ -3697,9 +3734,9 @@ function configureLiquidWithExtensions(liquid) {
   });
   liquid.registerFilter("get", (obj, pathExpr) => {
     if (obj == null) return void 0;
-    const path29 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
-    if (!path29) return obj;
-    const parts = path29.split(".");
+    const path30 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
+    if (!path30) return obj;
+    const parts = path30.split(".");
     let cur = obj;
     for (const p of parts) {
       if (cur == null) return void 0;
@@ -3818,9 +3855,9 @@ function configureLiquidWithExtensions(liquid) {
           }
         }
         const defaultRole = typeof rolesCfg.default === "string" && rolesCfg.default.trim() ? rolesCfg.default.trim() : void 0;
-        const getNested = (obj, path29) => {
-          if (!obj || !path29) return void 0;
-          const parts = path29.split(".");
+        const getNested = (obj, path30) => {
+          if (!obj || !path30) return void 0;
+          const parts = path30.split(".");
           let cur = obj;
           for (const p of parts) {
             if (cur == null) return void 0;
@@ -6372,8 +6409,8 @@ var init_dependency_gating = __esm({
 async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs26 = await import("fs/promises");
+    const path30 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" ? schemaRaw : "code-review";
     let templateContent;
@@ -6381,24 +6418,24 @@ async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
       templateContent = String(checkConfig.template.content);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path29.resolve(process.cwd(), file);
-      templateContent = await fs25.readFile(resolved, "utf-8");
+      const resolved = path30.resolve(process.cwd(), file);
+      templateContent = await fs26.readFile(resolved, "utf-8");
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path29.join(__dirname, "output", sanitized, "template.liquid"),
+          path30.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path30.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source: output/
-          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path30.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path30.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs25.readFile(p, "utf-8");
+            templateContent = await fs26.readFile(p, "utf-8");
             if (templateContent) break;
           } catch {
           }
@@ -6803,7 +6840,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs25 = require("fs");
+    const fs26 = require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path6.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -6814,7 +6851,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs25.existsSync(candidatePath)) {
+      if (fs26.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -7900,8 +7937,8 @@ ${schemaString}`);
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs26 = require("fs");
+              const path30 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const provider = this.config.provider || "auto";
               const model = this.config.model || "default";
@@ -8015,20 +8052,20 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              if (!fs25.existsSync(debugArtifactsDir)) {
-                fs25.mkdirSync(debugArtifactsDir, { recursive: true });
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
+              if (!fs26.existsSync(debugArtifactsDir)) {
+                fs26.mkdirSync(debugArtifactsDir, { recursive: true });
               }
-              const debugFile = path29.join(
+              const debugFile = path30.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.json`
               );
-              fs25.writeFileSync(debugFile, debugJson, "utf-8");
-              const readableFile = path29.join(
+              fs26.writeFileSync(debugFile, debugJson, "utf-8");
+              const readableFile = path30.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.txt`
               );
-              fs25.writeFileSync(readableFile, readableVersion, "utf-8");
+              fs26.writeFileSync(readableFile, readableVersion, "utf-8");
               log(`
 \u{1F4BE} Full debug info saved to:`);
               log(`   JSON: ${debugFile}`);
@@ -8061,8 +8098,8 @@ ${"=".repeat(60)}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs26 = require("fs");
+              const path30 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny2 = agent;
               let fullHistory = [];
@@ -8073,8 +8110,8 @@ ${"=".repeat(60)}
               } else if (agentAny2._messages) {
                 fullHistory = agentAny2._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path30.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8086,7 +8123,7 @@ ${"=".repeat(60)}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs26.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8113,7 +8150,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs26.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8122,11 +8159,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs26 = require("fs");
+              const path30 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const responseFile = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
+              const responseFile = path30.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8159,7 +8196,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs25.writeFileSync(responseFile, responseContent, "utf-8");
+              fs26.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8175,9 +8212,9 @@ ${"=".repeat(60)}
                 await agentAny._telemetryConfig.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs25 = require("fs");
-                  if (fs25.existsSync(agentAny._traceFilePath)) {
-                    const stats = fs25.statSync(agentAny._traceFilePath);
+                  const fs26 = require("fs");
+                  if (fs26.existsSync(agentAny._traceFilePath)) {
+                    const stats = fs26.statSync(agentAny._traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                     );
@@ -8378,8 +8415,8 @@ ${schemaString}`);
           const model = this.config.model || "default";
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs26 = require("fs");
+              const path30 = require("path");
               const os3 = require("os");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const debugData = {
@@ -8453,18 +8490,18 @@ ${"=".repeat(60)}
               readableVersion += `${"=".repeat(60)}
 `;
               const tempDir = os3.tmpdir();
-              const promptFile = path29.join(tempDir, `visor-prompt-${timestamp}.txt`);
-              fs25.writeFileSync(promptFile, prompt, "utf-8");
+              const promptFile = path30.join(tempDir, `visor-prompt-${timestamp}.txt`);
+              fs26.writeFileSync(promptFile, prompt, "utf-8");
               log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
               try {
-                const base = path29.join(
+                const base = path30.join(
                   debugArtifactsDir,
                   `prompt-${_checkName || "unknown"}-${timestamp}`
                 );
-                fs25.writeFileSync(base + ".json", debugJson, "utf-8");
-                fs25.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
+                fs26.writeFileSync(base + ".json", debugJson, "utf-8");
+                fs26.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
                 log(`
 \u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
               } catch {
@@ -8509,8 +8546,8 @@ $ ${cliCommand}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs26 = require("fs");
+              const path30 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny = agent;
               let fullHistory = [];
@@ -8521,8 +8558,8 @@ $ ${cliCommand}
               } else if (agentAny._messages) {
                 fullHistory = agentAny._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path30.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8534,7 +8571,7 @@ $ ${cliCommand}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs26.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8561,7 +8598,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs26.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8570,11 +8607,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs26 = require("fs");
+              const path30 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const responseFile = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
+              const responseFile = path30.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8607,7 +8644,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs25.writeFileSync(responseFile, responseContent, "utf-8");
+              fs26.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8625,9 +8662,9 @@ ${"=".repeat(60)}
                 await telemetry.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs25 = require("fs");
-                  if (fs25.existsSync(traceFilePath)) {
-                    const stats = fs25.statSync(traceFilePath);
+                  const fs26 = require("fs");
+                  if (fs26.existsSync(traceFilePath)) {
+                    const stats = fs26.statSync(traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                     );
@@ -8665,8 +8702,8 @@ ${"=".repeat(60)}
        * Load schema content from schema files or inline definitions
        */
       async loadSchemaContent(schema) {
-        const fs25 = require("fs").promises;
-        const path29 = require("path");
+        const fs26 = require("fs").promises;
+        const path30 = require("path");
         if (typeof schema === "object" && schema !== null) {
           log("\u{1F4CB} Using inline schema object from configuration");
           return JSON.stringify(schema);
@@ -8679,14 +8716,14 @@ ${"=".repeat(60)}
           }
         } catch {
         }
-        if ((schema.startsWith("./") || schema.includes(".json")) && !path29.isAbsolute(schema)) {
+        if ((schema.startsWith("./") || schema.includes(".json")) && !path30.isAbsolute(schema)) {
           if (schema.includes("..") || schema.includes("\0")) {
             throw new Error("Invalid schema path: path traversal not allowed");
           }
           try {
-            const schemaPath = path29.resolve(process.cwd(), schema);
+            const schemaPath = path30.resolve(process.cwd(), schema);
             log(`\u{1F4CB} Loading custom schema from file: ${schemaPath}`);
-            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs26.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch (error) {
             throw new Error(
@@ -8700,22 +8737,22 @@ ${"=".repeat(60)}
         }
         const candidatePaths = [
           // GitHub Action bundle location
-          path29.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
+          path30.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
           // Historical fallback when src/output was inadvertently bundled as output1/
-          path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
+          path30.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
           // Local dev (repo root)
-          path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
+          path30.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
         ];
         for (const schemaPath of candidatePaths) {
           try {
-            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs26.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch {
           }
         }
-        const distPath = path29.join(__dirname, "output", sanitizedSchemaName, "schema.json");
-        const distAltPath = path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
-        const cwdPath = path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const distPath = path30.join(__dirname, "output", sanitizedSchemaName, "schema.json");
+        const distAltPath = path30.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
+        const cwdPath = path30.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         throw new Error(
           `Failed to load schema '${sanitizedSchemaName}'. Tried: ${distPath}, ${distAltPath}, and ${cwdPath}. Ensure build copies 'output/' into dist (build:cli), or provide a custom schema file/path.`
         );
@@ -9391,6 +9428,758 @@ var init_command_executor = __esm({
   }
 });
 
+// src/providers/api-tool-executor.ts
+function isHttpUrl(value) {
+  return value.startsWith("http://") || value.startsWith("https://");
+}
+function toStringArray(value) {
+  if (!value) return [];
+  if (Array.isArray(value)) {
+    return value.map((item) => String(item).trim()).filter(Boolean);
+  }
+  return value.split(",").map((item) => item.trim()).filter(Boolean);
+}
+function isPlainObject(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function toOverlaySourceArray(value) {
+  if (!value) return [];
+  if (typeof value === "string" || isPlainObject(value)) {
+    return [value];
+  }
+  if (Array.isArray(value)) {
+    return value.filter((item) => typeof item === "string" || isPlainObject(item));
+  }
+  return [];
+}
+function resolvePathOrUrl(candidate, baseDir) {
+  if (isHttpUrl(candidate)) return candidate;
+  if (import_path4.default.isAbsolute(candidate)) return candidate;
+  if (isHttpUrl(baseDir)) {
+    return new URL(candidate, baseDir).toString();
+  }
+  return import_path4.default.resolve(baseDir, candidate);
+}
+async function readTextFromPathOrUrl(location) {
+  if (isHttpUrl(location)) {
+    const res = await fetch(location);
+    if (!res.ok) {
+      throw new Error(`Failed to fetch ${location}: ${res.status} ${res.statusText}`);
+    }
+    return await res.text();
+  }
+  return await import_promises2.default.readFile(location, "utf8");
+}
+function parseJsonOrYaml(raw, location) {
+  const ext = import_path4.default.extname(location).toLowerCase();
+  if (ext === ".yaml" || ext === ".yml") {
+    return import_js_yaml.default.load(raw);
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return import_js_yaml.default.load(raw);
+  }
+}
+function parseOverlayTargetPath(pathValue) {
+  if (!Array.isArray(pathValue) || pathValue.length === 0) return "$";
+  return pathValue.map((segment, index) => {
+    if (index === 0) return "$";
+    if (typeof segment === "number") return `[${segment}]`;
+    if (/^[A-Za-z_][\w$]*$/.test(segment)) return `.${segment}`;
+    return `['${segment.replace(/'/g, "\\'")}']`;
+  }).join("");
+}
+function applyOverlayActions(target, overlay) {
+  const cloned = JSON.parse(JSON.stringify(target));
+  if (!overlay || typeof overlay !== "object") return cloned;
+  const actions = Array.isArray(overlay.actions) ? overlay.actions : [];
+  if (actions.length === 0) {
+    return (0, import_deepmerge.default)(cloned, overlay, {
+      arrayMerge: (dst, src) => dst.concat(src)
+    });
+  }
+  for (const action of actions) {
+    const targetExpr = action?.target;
+    if (!targetExpr || typeof targetExpr !== "string") continue;
+    let matches = [];
+    try {
+      matches = (0, import_jsonpath_plus.JSONPath)({
+        path: targetExpr,
+        json: cloned,
+        resultType: "all"
+      });
+    } catch (error) {
+      logger.warn(`[ApiToolExecutor] Invalid overlay target "${targetExpr}": ${error}`);
+      continue;
+    }
+    if (matches.length === 0) {
+      continue;
+    }
+    for (const match of matches) {
+      if (!match || typeof match !== "object") continue;
+      const parent = match.parent;
+      const key = match.parentProperty;
+      if (parent === void 0 || key === void 0) {
+        const jsonPath = parseOverlayTargetPath(
+          match.path || []
+        );
+        logger.debug(`[ApiToolExecutor] Overlay target has no writable parent: ${jsonPath}`);
+        continue;
+      }
+      if (action.remove === true) {
+        if (Array.isArray(parent)) {
+          parent.splice(Number(key), 1);
+        } else if (parent && typeof parent === "object") {
+          delete parent[key];
+        }
+        continue;
+      }
+      if (action.update === void 0) {
+        continue;
+      }
+      const current = match.value;
+      if (Array.isArray(current)) {
+        current.push(action.update);
+      } else if (current && typeof current === "object") {
+        const merged = (0, import_deepmerge.default)(current, action.update, {
+          arrayMerge: (dst, src) => dst.concat(src)
+        });
+        if (Array.isArray(parent)) {
+          parent[Number(key)] = merged;
+        } else {
+          parent[key] = merged;
+        }
+      } else if (Array.isArray(parent)) {
+        parent[Number(key)] = action.update;
+      } else {
+        parent[key] = action.update;
+      }
+    }
+  }
+  return cloned;
+}
+function isRefObject(value) {
+  return Boolean(value && typeof value === "object" && "$ref" in value);
+}
+function isSchemaObject(value) {
+  return Boolean(
+    value && typeof value === "object" && !Array.isArray(value) && !isRefObject(value)
+  );
+}
+function getSchemaFromContent(content) {
+  if (!content || typeof content !== "object") return void 0;
+  const entries = Object.values(content);
+  const withSchema = entries.find((entry) => entry && typeof entry === "object" && entry.schema);
+  return withSchema?.schema;
+}
+function mapOpenApiTypeToJsonType(schema) {
+  if (!schema || !schema.type) return { type: "string" };
+  const openApiType = String(schema.type);
+  const nullable = schema.nullable === true;
+  switch (openApiType) {
+    case "integer":
+    case "number":
+    case "boolean":
+    case "string":
+    case "array":
+    case "object":
+      return { type: openApiType, format: schema.format, nullable };
+    default:
+      return { type: "string", format: schema.format, nullable };
+  }
+}
+function openApiSchemaToJsonSchema(schema) {
+  if (!schema) {
+    return { type: "string" };
+  }
+  const mapped = mapOpenApiTypeToJsonType(schema);
+  const result = {
+    type: mapped.nullable ? [mapped.type, "null"] : mapped.type
+  };
+  if (mapped.format) result.format = mapped.format;
+  if (schema.description !== void 0) result.description = schema.description;
+  if (schema.default !== void 0) result.default = schema.default;
+  if (schema.enum !== void 0) result.enum = schema.enum;
+  if (schema.example !== void 0) result.example = schema.example;
+  if (schema.minimum !== void 0) result.minimum = schema.minimum;
+  if (schema.maximum !== void 0) result.maximum = schema.maximum;
+  if (schema.minLength !== void 0) result.minLength = schema.minLength;
+  if (schema.maxLength !== void 0) result.maxLength = schema.maxLength;
+  if (schema.pattern !== void 0) result.pattern = schema.pattern;
+  if (schema.multipleOf !== void 0) result.multipleOf = schema.multipleOf;
+  if (schema.minItems !== void 0) result.minItems = schema.minItems;
+  if (schema.maxItems !== void 0) result.maxItems = schema.maxItems;
+  if (schema.uniqueItems !== void 0) result.uniqueItems = schema.uniqueItems;
+  if (schema.type === "object" && schema.properties && typeof schema.properties === "object") {
+    const props = {};
+    for (const [propName, propSchema] of Object.entries(schema.properties)) {
+      if (isSchemaObject(propSchema)) {
+        props[propName] = openApiSchemaToJsonSchema(propSchema);
+      }
+    }
+    result.properties = props;
+    if (Array.isArray(schema.required) && schema.required.length > 0) {
+      result.required = schema.required;
+    }
+    if (schema.additionalProperties === true || schema.additionalProperties === false) {
+      result.additionalProperties = schema.additionalProperties;
+    } else if (isSchemaObject(schema.additionalProperties)) {
+      result.additionalProperties = openApiSchemaToJsonSchema(schema.additionalProperties);
+    }
+  }
+  if (schema.type === "array" && isSchemaObject(schema.items)) {
+    result.items = openApiSchemaToJsonSchema(schema.items);
+  }
+  for (const [key, value] of Object.entries(schema)) {
+    if (key.startsWith("x-")) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function shouldIncludeOperation(operationId, pathValue, method, whitelist, blacklist) {
+  const methodPath = `${method.toUpperCase()}:${pathValue}`;
+  const opKey = operationId || methodPath;
+  if (whitelist.length > 0) {
+    return whitelist.some((pattern) => (0, import_minimatch.minimatch)(opKey, pattern) || (0, import_minimatch.minimatch)(methodPath, pattern));
+  }
+  if (blacklist.length > 0) {
+    return !blacklist.some((pattern) => (0, import_minimatch.minimatch)(opKey, pattern) || (0, import_minimatch.minimatch)(methodPath, pattern));
+  }
+  return true;
+}
+function getApiToolConfig(tool) {
+  return {
+    customHeaders: tool.headers || {},
+    disableXMcp: Boolean(tool.disableXMcp ?? tool.disable_x_mcp ?? false),
+    apiKey: tool.apiKey ?? tool.api_key,
+    securitySchemeName: tool.securitySchemeName ?? tool.security_scheme_name,
+    securityCredentials: tool.securityCredentials || tool.security_credentials || {},
+    requestTimeoutMs: tool.requestTimeoutMs ?? tool.request_timeout_ms ?? tool.timeout ?? 3e4
+  };
+}
+function buildOutputSchema(operation) {
+  const responses = operation.responses;
+  if (!responses || typeof responses !== "object") return void 0;
+  const successCode = Object.keys(responses).find((code) => code.startsWith("2"));
+  if (!successCode) return void 0;
+  const response = responses[successCode];
+  if (!response || typeof response !== "object" || isRefObject(response)) return void 0;
+  const jsonSchema = response.content?.["application/json"]?.schema || getSchemaFromContent(response.content);
+  if (!isSchemaObject(jsonSchema)) return void 0;
+  const mapped = openApiSchemaToJsonSchema(jsonSchema);
+  if (response.description && typeof response.description === "string") {
+    mapped.description = response.description;
+  }
+  return mapped;
+}
+function getToolName(operationId, operation, pathItem, tool) {
+  let toolName = operationId;
+  const opExtension = operation["x-mcp"];
+  const pathExtension = pathItem["x-mcp"];
+  if (opExtension && typeof opExtension === "object" && typeof opExtension.name === "string") {
+    toolName = opExtension.name;
+  } else if (pathExtension && typeof pathExtension === "object" && typeof pathExtension.name === "string") {
+    toolName = pathExtension.name;
+  }
+  const prefix = tool.namePrefix || tool.name_prefix;
+  if (prefix) {
+    return `${prefix}${toolName}`;
+  }
+  return toolName;
+}
+function getToolDescription(operation, pathItem) {
+  const opExtension = operation["x-mcp"];
+  const pathExtension = pathItem["x-mcp"];
+  if (opExtension && typeof opExtension === "object" && typeof opExtension.description === "string") {
+    return opExtension.description;
+  }
+  if (pathExtension && typeof pathExtension === "object" && typeof pathExtension.description === "string") {
+    return pathExtension.description;
+  }
+  return typeof operation.description === "string" && operation.description || typeof operation.summary === "string" && operation.summary || typeof pathItem.summary === "string" && pathItem.summary || "No description available.";
+}
+function isApiToolDefinition(tool) {
+  return Boolean(tool && tool.type === "api");
+}
+async function loadOpenApiDocument(tool) {
+  if (!tool.spec) {
+    throw new Error(`API tool '${tool.name}' is missing required field: spec`);
+  }
+  const configuredBaseDir = tool.__baseDir;
+  const baseDir = (() => {
+    if (tool.cwd) {
+      if (import_path4.default.isAbsolute(tool.cwd) || isHttpUrl(tool.cwd)) {
+        return tool.cwd;
+      }
+      if (configuredBaseDir) {
+        return resolvePathOrUrl(tool.cwd, configuredBaseDir);
+      }
+      return import_path4.default.resolve(tool.cwd);
+    }
+    return configuredBaseDir || process.cwd();
+  })();
+  const dereferenceWithContext = async (source, spec) => {
+    try {
+      return await import_swagger_parser.default.dereference(spec);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      throw new Error(
+        `Failed to dereference OpenAPI spec for API tool '${tool.name}' from ${source}: ${errorMessage}`
+      );
+    }
+  };
+  let openapi;
+  if (typeof tool.spec === "string") {
+    const specLocation = resolvePathOrUrl(tool.spec, baseDir);
+    if (isHttpUrl(specLocation)) {
+      const raw = await readTextFromPathOrUrl(specLocation);
+      const parsed = parseJsonOrYaml(raw, specLocation);
+      openapi = await dereferenceWithContext(specLocation, parsed);
+    } else {
+      openapi = await dereferenceWithContext(specLocation, specLocation);
+    }
+  } else if (isPlainObject(tool.spec)) {
+    openapi = await dereferenceWithContext("inline spec", JSON.parse(JSON.stringify(tool.spec)));
+  } else {
+    throw new Error(
+      `API tool '${tool.name}' has invalid spec field (expected string path/URL or object)`
+    );
+  }
+  const overlays = toOverlaySourceArray(tool.overlays);
+  let working = openapi;
+  for (const overlaySource of overlays) {
+    let overlay = overlaySource;
+    if (typeof overlaySource === "string") {
+      const resolved = resolvePathOrUrl(overlaySource, baseDir);
+      const raw = await readTextFromPathOrUrl(resolved);
+      overlay = parseJsonOrYaml(raw, resolved);
+    }
+    working = applyOverlayActions(working, overlay);
+  }
+  return working;
+}
+function mapOpenApiToTools(openapi, tool) {
+  const paths = openapi?.paths;
+  if (!paths || typeof paths !== "object") {
+    return [];
+  }
+  const targetUrl = tool.targetUrl || tool.target_url;
+  const baseServerUrl = String(targetUrl || openapi?.servers?.[0]?.url || "").replace(/\/$/, "");
+  if (!baseServerUrl) {
+    throw new Error(
+      `API tool '${tool.name}' cannot determine target API URL. Set targetUrl/target_url or provide OpenAPI servers[].`
+    );
+  }
+  const whitelist = toStringArray(tool.whitelist);
+  const blacklist = toStringArray(tool.blacklist);
+  const globalSecurity = Array.isArray(openapi?.security) ? openapi.security : null;
+  const securitySchemes = openapi?.components?.securitySchemes;
+  const mapped = [];
+  const apiToolConfig = getApiToolConfig(tool);
+  for (const [pathValue, pathItemRaw] of Object.entries(paths)) {
+    const pathItem = pathItemRaw;
+    if (!pathItem || typeof pathItem !== "object") continue;
+    for (const [method, operationRaw] of Object.entries(pathItem)) {
+      if (!HTTP_METHODS.has(method.toLowerCase())) continue;
+      const operation = operationRaw;
+      if (!operation || typeof operation !== "object") continue;
+      const operationId = typeof operation.operationId === "string" ? String(operation.operationId) : void 0;
+      if (!operationId) {
+        logger.debug(
+          `[ApiToolExecutor] Skipping ${method.toUpperCase()} ${pathValue} (missing operationId)`
+        );
+        continue;
+      }
+      if (!shouldIncludeOperation(operationId, pathValue, method, whitelist, blacklist)) {
+        continue;
+      }
+      const toolName = getToolName(operationId, operation, pathItem, tool);
+      const toolDescription = getToolDescription(operation, pathItem);
+      const inputSchema = {
+        type: "object",
+        properties: {}
+      };
+      const requiredNames = /* @__PURE__ */ new Set();
+      const allParameters = [
+        ...Array.isArray(pathItem.parameters) ? pathItem.parameters : [],
+        ...Array.isArray(operation.parameters) ? operation.parameters : []
+      ].filter((param) => param && typeof param === "object" && !isRefObject(param));
+      for (const param of allParameters) {
+        const paramObj = param;
+        const paramName = typeof paramObj.name === "string" ? paramObj.name : "";
+        if (!paramName) continue;
+        if (!isSchemaObject(paramObj.schema)) continue;
+        const schema = openApiSchemaToJsonSchema(paramObj.schema);
+        if (typeof paramObj.description === "string") {
+          schema.description = paramObj.description;
+        }
+        schema["x-parameter-location"] = paramObj.in || "query";
+        if (paramObj.example !== void 0) schema.example = paramObj.example;
+        if (paramObj.deprecated === true) schema.deprecated = true;
+        inputSchema.properties[paramName] = schema;
+        if (paramObj.required === true) requiredNames.add(paramName);
+      }
+      const requestBody = !isRefObject(operation.requestBody) ? operation.requestBody : void 0;
+      if (requestBody && typeof requestBody === "object") {
+        const reqSchema = requestBody.content?.["application/json"]?.schema || getSchemaFromContent(requestBody.content);
+        if (isSchemaObject(reqSchema)) {
+          const bodySchema = openApiSchemaToJsonSchema(reqSchema);
+          if (typeof requestBody.description === "string") {
+            bodySchema.description = requestBody.description;
+          }
+          const contentTypes = Object.keys(requestBody.content || {});
+          if (contentTypes.length > 0) {
+            bodySchema["x-content-types"] = contentTypes;
+          }
+          inputSchema.properties.requestBody = bodySchema;
+          if (requestBody.required === true) {
+            requiredNames.add("requestBody");
+          }
+        }
+      }
+      if (requiredNames.size > 0) {
+        inputSchema.required = Array.from(requiredNames);
+      }
+      const securityRequirements = Array.isArray(operation.security) ? operation.security : globalSecurity;
+      mapped.push({
+        sourceToolName: tool.name,
+        mcpToolDefinition: {
+          name: toolName,
+          description: toolDescription,
+          inputSchema,
+          outputSchema: buildOutputSchema(operation)
+        },
+        apiCallDetails: {
+          method: method.toUpperCase(),
+          pathTemplate: pathValue,
+          serverUrl: baseServerUrl,
+          parameters: allParameters,
+          requestBody,
+          securityRequirements,
+          securitySchemes,
+          apiToolConfig
+        }
+      });
+    }
+  }
+  return mapped;
+}
+function validateParameterValue(value, paramDef) {
+  const schema = paramDef.schema;
+  if (!schema || typeof schema !== "object") return null;
+  const schemaType = schema.type;
+  if (schemaType === "integer") {
+    if (typeof value !== "number" || !Number.isInteger(value)) {
+      return "must be an integer";
+    }
+  } else if (schemaType === "number") {
+    if (typeof value !== "number") {
+      return `expected number, got ${typeof value}`;
+    }
+  } else if (schemaType === "boolean") {
+    if (typeof value !== "boolean") {
+      return `expected boolean, got ${typeof value}`;
+    }
+  } else if (schemaType === "string") {
+    if (typeof value !== "string") {
+      return `expected string, got ${typeof value}`;
+    }
+  } else if (schemaType === "array") {
+    if (!Array.isArray(value)) {
+      return `expected array, got ${typeof value}`;
+    }
+  } else if (schemaType === "object") {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+      return `expected object, got ${Array.isArray(value) ? "array" : typeof value}`;
+    }
+  }
+  if (schema.minimum !== void 0 && typeof value === "number" && value < schema.minimum) {
+    return `must be >= ${schema.minimum}`;
+  }
+  if (schema.maximum !== void 0 && typeof value === "number" && value > schema.maximum) {
+    return `must be <= ${schema.maximum}`;
+  }
+  if (schema.minLength !== void 0 && typeof value === "string" && value.length < schema.minLength) {
+    return `length must be >= ${schema.minLength}`;
+  }
+  if (schema.maxLength !== void 0 && typeof value === "string" && value.length > schema.maxLength) {
+    return `length must be <= ${schema.maxLength}`;
+  }
+  if (Array.isArray(schema.enum) && !schema.enum.includes(value)) {
+    return `must be one of: ${schema.enum.join(", ")}`;
+  }
+  return null;
+}
+function applySecurityToRequest(details, headers, queryParams) {
+  const requirements = details.securityRequirements;
+  if (!requirements || requirements.length === 0) {
+    return;
+  }
+  const schemes = details.securitySchemes || {};
+  const cfg = details.apiToolConfig;
+  const tryResolveCredential = (schemeName) => {
+    if (cfg.securityCredentials[schemeName]) {
+      return cfg.securityCredentials[schemeName];
+    }
+    if (cfg.securitySchemeName && cfg.securitySchemeName !== schemeName) {
+      return void 0;
+    }
+    return cfg.apiKey;
+  };
+  for (const requirement of requirements) {
+    const schemeNames = Object.keys(requirement);
+    if (schemeNames.length === 0) return;
+    const tempHeaders = { ...headers };
+    const tempQuery = new URLSearchParams(queryParams);
+    let satisfied = true;
+    for (const schemeName of schemeNames) {
+      const scheme = schemes[schemeName];
+      if (!scheme || typeof scheme !== "object") {
+        satisfied = false;
+        break;
+      }
+      const credential = tryResolveCredential(schemeName);
+      if (!credential) {
+        satisfied = false;
+        break;
+      }
+      switch (scheme.type) {
+        case "apiKey":
+          if (scheme.in === "header") {
+            tempHeaders[String(scheme.name)] = credential;
+          } else if (scheme.in === "query") {
+            tempQuery.set(String(scheme.name), credential);
+          } else if (scheme.in === "cookie") {
+            const cookieName = String(scheme.name);
+            const existing = tempHeaders["Cookie"];
+            tempHeaders["Cookie"] = existing ? `${existing}; ${cookieName}=${credential}` : `${cookieName}=${credential}`;
+          } else {
+            satisfied = false;
+          }
+          break;
+        case "http":
+          if (typeof scheme.scheme !== "string") {
+            satisfied = false;
+            break;
+          }
+          if (scheme.scheme.toLowerCase() === "bearer") {
+            tempHeaders["Authorization"] = `Bearer ${credential}`;
+          } else if (scheme.scheme.toLowerCase() === "basic") {
+            tempHeaders["Authorization"] = `Basic ${Buffer.from(credential).toString("base64")}`;
+          } else {
+            satisfied = false;
+          }
+          break;
+        case "oauth2":
+        case "openIdConnect":
+          tempHeaders["Authorization"] = `Bearer ${credential}`;
+          break;
+        default:
+          satisfied = false;
+      }
+      if (!satisfied) {
+        break;
+      }
+    }
+    if (satisfied) {
+      Object.assign(headers, tempHeaders);
+      queryParams.forEach((_value, key) => queryParams.delete(key));
+      tempQuery.forEach((value, key) => queryParams.append(key, value));
+      return;
+    }
+  }
+}
+function responseBodyToString(body) {
+  if (typeof body === "string") return body;
+  try {
+    return JSON.stringify(body);
+  } catch {
+    return String(body);
+  }
+}
+async function executeMappedApiTool(mappedTool, args) {
+  const { apiCallDetails } = mappedTool;
+  const { method, pathTemplate, serverUrl, parameters, requestBody, apiToolConfig } = apiCallDetails;
+  const urlPath = pathTemplate.replace(/{([^}]+)}/g, (_token, rawName) => {
+    const value = args[rawName];
+    if (value === void 0 || value === null) {
+      return `{${rawName}}`;
+    }
+    return encodeURIComponent(String(value));
+  });
+  if (urlPath.includes("{") || urlPath.includes("}")) {
+    throw new Error(`Missing required path parameters for ${method} ${pathTemplate}`);
+  }
+  let endpoint;
+  try {
+    endpoint = new URL(`${serverUrl}${urlPath}`);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    throw new Error(
+      `Failed to construct endpoint URL for API tool '${mappedTool.sourceToolName}' operation '${mappedTool.mcpToolDefinition.name}' (${method} ${pathTemplate}) with serverUrl '${serverUrl}': ${errorMessage}`
+    );
+  }
+  const queryParams = new URLSearchParams(endpoint.search);
+  const headers = { ...apiToolConfig.customHeaders };
+  let requestBodyValue;
+  for (const param of parameters) {
+    const name = String(param.name || "");
+    if (!name) continue;
+    const value = args[name];
+    if (value === void 0 || value === null) {
+      if (param.required) {
+        throw new Error(`Missing required parameter: ${name}`);
+      }
+      continue;
+    }
+    const validationError = validateParameterValue(value, param);
+    if (validationError) {
+      throw new Error(`Parameter '${name}' ${validationError}`);
+    }
+    switch (param.in) {
+      case "query":
+        if (Array.isArray(value)) {
+          for (const item of value) {
+            queryParams.append(name, String(item));
+          }
+        } else {
+          queryParams.set(name, String(value));
+        }
+        break;
+      case "header":
+        headers[name] = String(value);
+        break;
+      case "path":
+        break;
+      case "cookie": {
+        const existing = headers["Cookie"];
+        headers["Cookie"] = existing ? `${existing}; ${name}=${String(value)}` : `${name}=${String(value)}`;
+        break;
+      }
+      default:
+        break;
+    }
+  }
+  if (requestBody && requestBody.required && args.requestBody === void 0) {
+    throw new Error("Missing required requestBody parameter");
+  }
+  if (args.requestBody !== void 0) {
+    requestBodyValue = args.requestBody;
+    if (!headers["Content-Type"]) {
+      headers["Content-Type"] = "application/json";
+    }
+  }
+  if (!apiToolConfig.disableXMcp) {
+    headers["X-MCP"] = "1";
+  }
+  applySecurityToRequest(apiCallDetails, headers, queryParams);
+  endpoint.search = queryParams.toString();
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), apiToolConfig.requestTimeoutMs);
+  try {
+    const response = await fetch(endpoint.toString(), {
+      method,
+      headers,
+      body: requestBodyValue === void 0 ? void 0 : headers["Content-Type"]?.includes("application/json") ? JSON.stringify(requestBodyValue) : String(requestBodyValue),
+      signal: controller.signal
+    });
+    const raw = await response.text();
+    let body = raw;
+    const contentType = response.headers.get("content-type") || "";
+    if (contentType.includes("json") && raw.trim().length > 0) {
+      try {
+        body = JSON.parse(raw);
+      } catch {
+        body = raw;
+      }
+    } else if (raw.trim().length > 0) {
+      try {
+        body = JSON.parse(raw);
+      } catch {
+        body = raw;
+      }
+    } else {
+      body = null;
+    }
+    if (response.ok) {
+      return body;
+    }
+    throw new Error(`API Error ${response.status}: ${responseBodyToString(body)}`);
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`API request timed out after ${apiToolConfig.requestTimeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+var import_promises2, import_path4, import_js_yaml, import_swagger_parser, import_deepmerge, import_jsonpath_plus, import_minimatch, HTTP_METHODS, ApiToolRegistry;
+var init_api_tool_executor = __esm({
+  "src/providers/api-tool-executor.ts"() {
+    "use strict";
+    import_promises2 = __toESM(require("fs/promises"));
+    import_path4 = __toESM(require("path"));
+    import_js_yaml = __toESM(require("js-yaml"));
+    import_swagger_parser = __toESM(require("@apidevtools/swagger-parser"));
+    import_deepmerge = __toESM(require("deepmerge"));
+    import_jsonpath_plus = require("jsonpath-plus");
+    import_minimatch = require("minimatch");
+    init_logger();
+    HTTP_METHODS = /* @__PURE__ */ new Set(["get", "put", "post", "delete", "options", "head", "patch", "trace"]);
+    ApiToolRegistry = class {
+      bundleCache = /* @__PURE__ */ new Map();
+      operationCache = /* @__PURE__ */ new Map();
+      registerMappedTools(sourceToolName, mappedTools) {
+        this.bundleCache.set(sourceToolName, mappedTools);
+        for (const mapped of mappedTools) {
+          const existing = this.operationCache.get(mapped.mcpToolDefinition.name);
+          if (existing && existing.sourceToolName !== sourceToolName) {
+            logger.warn(
+              `[ApiToolExecutor] Tool name collision: '${mapped.mcpToolDefinition.name}' from '${sourceToolName}' overrides '${existing.sourceToolName}'. Use namePrefix to avoid collisions.`
+            );
+          }
+          this.operationCache.set(mapped.mcpToolDefinition.name, mapped);
+        }
+      }
+      async ensureBundle(sourceToolName, tool) {
+        const cached = this.bundleCache.get(sourceToolName);
+        if (cached) return cached;
+        if (!isApiToolDefinition(tool)) {
+          return [];
+        }
+        const openapi = await loadOpenApiDocument(tool);
+        const mapped = mapOpenApiToTools(openapi, tool);
+        this.registerMappedTools(sourceToolName, mapped);
+        return mapped;
+      }
+      async ensureAll(toolMap) {
+        for (const [sourceToolName, tool] of toolMap.entries()) {
+          if (!isApiToolDefinition(tool)) continue;
+          await this.ensureBundle(sourceToolName, tool);
+        }
+      }
+      async listMappedTools(toolMap) {
+        await this.ensureAll(toolMap);
+        return Array.from(this.operationCache.values());
+      }
+      async getMappedTool(toolName, toolMap) {
+        const cached = this.operationCache.get(toolName);
+        if (cached) return cached;
+        for (const [sourceToolName, tool] of toolMap.entries()) {
+          if (!isApiToolDefinition(tool)) continue;
+          await this.ensureBundle(sourceToolName, tool);
+          const resolved = this.operationCache.get(toolName);
+          if (resolved) return resolved;
+        }
+        return void 0;
+      }
+    };
+  }
+});
+
 // src/providers/custom-tool-executor.ts
 var import_ajv, CustomToolExecutor;
 var init_custom_tool_executor = __esm({
@@ -9401,11 +10190,13 @@ var init_custom_tool_executor = __esm({
     init_logger();
     init_command_executor();
     import_ajv = __toESM(require("ajv"));
+    init_api_tool_executor();
     CustomToolExecutor = class {
       liquid;
       sandbox;
       tools;
       ajv;
+      apiToolRegistry;
       constructor(tools) {
         this.liquid = createExtendedLiquid({
           cache: false,
@@ -9413,7 +10204,8 @@ var init_custom_tool_executor = __esm({
           strictVariables: false
         });
         this.tools = new Map(Object.entries(tools || {}));
-        this.ajv = new import_ajv.default({ allErrors: true, verbose: true });
+        this.ajv = new import_ajv.default({ allErrors: true, verbose: true, strict: false });
+        this.apiToolRegistry = new ApiToolRegistry();
       }
       /**
        * Register a custom tool
@@ -9422,6 +10214,13 @@ var init_custom_tool_executor = __esm({
         if (!tool.name) {
           throw new Error("Tool must have a name");
         }
+        if (isApiToolDefinition(tool)) {
+          if (!tool.spec) {
+            throw new Error(`API tool '${tool.name}' must define 'spec'`);
+          }
+        } else if (!tool.exec) {
+          throw new Error(`Tool '${tool.name}' must define 'exec' (or set type: 'api')`);
+        }
         this.tools.set(tool.name, tool);
       }
       /**
@@ -9464,12 +10263,45 @@ var init_custom_tool_executor = __esm({
           throw new Error(`Input validation failed for tool '${tool.name}': ${errors}`);
         }
       }
+      /**
+       * Validate input against a JSON schema object
+       */
+      validateInputSchema(toolName, schema, input) {
+        if (!schema) {
+          return;
+        }
+        const validate = this.ajv.compile(schema);
+        const valid = validate(input);
+        if (!valid) {
+          const errors = validate.errors?.map((err) => {
+            if (err.instancePath) {
+              return `${err.instancePath}: ${err.message}`;
+            }
+            return err.message;
+          }).join(", ");
+          throw new Error(`Input validation failed for tool '${toolName}': ${errors}`);
+        }
+      }
       /**
        * Execute a custom tool
        */
       async execute(toolName, args, context2) {
         const tool = this.tools.get(toolName);
+        if (tool && isApiToolDefinition(tool)) {
+          throw new Error(
+            `Tool '${toolName}' is an API bundle. Call one of its generated operations instead.`
+          );
+        }
         if (!tool) {
+          const apiMappedTool = await this.apiToolRegistry.getMappedTool(toolName, this.tools);
+          if (apiMappedTool) {
+            this.validateInputSchema(
+              toolName,
+              apiMappedTool.mcpToolDefinition.inputSchema,
+              args
+            );
+            return await executeMappedApiTool(apiMappedTool, args);
+          }
           throw new Error(`Tool not found: ${toolName}`);
         }
         this.validateInput(tool, args);
@@ -9478,6 +10310,9 @@ var init_custom_tool_executor = __esm({
           args,
           input: args
         };
+        if (!tool.exec) {
+          throw new Error(`Tool '${toolName}' is missing exec command`);
+        }
         const command = await this.liquid.parseAndRender(tool.exec, templateContext);
         let stdin;
         if (tool.stdin) {
@@ -9537,6 +10372,50 @@ var init_custom_tool_executor = __esm({
         }
         return output;
       }
+      /**
+       * Check if a tool exists (direct or API-generated)
+       */
+      async hasTool(toolName) {
+        if (this.tools.has(toolName)) {
+          const tool = this.tools.get(toolName);
+          return !isApiToolDefinition(tool);
+        }
+        const apiMappedTool = await this.apiToolRegistry.getMappedTool(toolName, this.tools);
+        return Boolean(apiMappedTool);
+      }
+      /**
+       * Get all available tool names, including API-generated operations
+       */
+      async getToolNames() {
+        const names = [];
+        for (const tool of this.tools.values()) {
+          if (!isApiToolDefinition(tool)) {
+            names.push(tool.name);
+          }
+        }
+        const apiTools = await this.apiToolRegistry.listMappedTools(this.tools);
+        for (const mapped of apiTools) {
+          names.push(mapped.mcpToolDefinition.name);
+        }
+        return names;
+      }
+      /**
+       * List MCP-compatible tool definitions including API-generated operations
+       */
+      async listMcpTools() {
+        const directTools = this.getTools().filter((tool) => !isApiToolDefinition(tool)).map((tool) => ({
+          name: tool.name,
+          description: tool.description,
+          inputSchema: tool.inputSchema
+        }));
+        const apiTools = await this.apiToolRegistry.listMappedTools(this.tools);
+        const mappedApiTools = apiTools.map((tool) => ({
+          name: tool.mcpToolDefinition.name,
+          description: tool.mcpToolDefinition.description,
+          inputSchema: tool.mcpToolDefinition.inputSchema
+        }));
+        return [...directTools, ...mappedApiTools];
+      }
       /**
        * Apply JavaScript transform to output
        */
@@ -9564,7 +10443,7 @@ var init_custom_tool_executor = __esm({
        * Convert custom tools to MCP tool format
        */
       toMcpTools() {
-        return Array.from(this.tools.values()).map((tool) => ({
+        return Array.from(this.tools.values()).filter((tool) => !isApiToolDefinition(tool)).map((tool) => ({
           name: tool.name,
           description: tool.description,
           inputSchema: tool.inputSchema,
@@ -9582,12 +10461,12 @@ var workflow_registry_exports = {};
 __export(workflow_registry_exports, {
   WorkflowRegistry: () => WorkflowRegistry
 });
-var import_fs3, path8, yaml, import_ajv2, import_ajv_formats, WorkflowRegistry;
+var import_fs3, path9, yaml, import_ajv2, import_ajv_formats, WorkflowRegistry;
 var init_workflow_registry = __esm({
   "src/workflow-registry.ts"() {
     "use strict";
     import_fs3 = require("fs");
-    path8 = __toESM(require("path"));
+    path9 = __toESM(require("path"));
     yaml = __toESM(require("js-yaml"));
     init_logger();
     init_dependency_resolver();
@@ -9923,9 +10802,9 @@ var init_workflow_registry = __esm({
           const importBasePath = new URL(".", resolvedUrl).toString();
           return { content: await response.text(), resolvedSource: resolvedUrl, importBasePath };
         }
-        const filePath = path8.isAbsolute(source) ? source : path8.resolve(basePath || process.cwd(), source);
+        const filePath = path9.isAbsolute(source) ? source : path9.resolve(basePath || process.cwd(), source);
         const content = await import_fs3.promises.readFile(filePath, "utf-8");
-        return { content, resolvedSource: filePath, importBasePath: path8.dirname(filePath) };
+        return { content, resolvedSource: filePath, importBasePath: path9.dirname(filePath) };
       }
       /**
        * Parse workflow content (YAML or JSON)
@@ -10682,12 +11561,12 @@ var init_config_merger = __esm({
 });
 
 // src/utils/config-loader.ts
-var fs7, path9, yaml2, ConfigLoader;
+var fs8, path10, yaml2, ConfigLoader;
 var init_config_loader = __esm({
   "src/utils/config-loader.ts"() {
     "use strict";
-    fs7 = __toESM(require("fs"));
-    path9 = __toESM(require("path"));
+    fs8 = __toESM(require("fs"));
+    path10 = __toESM(require("path"));
     yaml2 = __toESM(require("js-yaml"));
     ConfigLoader = class {
       constructor(options = {}) {
@@ -10707,6 +11586,19 @@ var init_config_loader = __esm({
       }
       cache = /* @__PURE__ */ new Map();
       loadedConfigs = /* @__PURE__ */ new Set();
+      /**
+       * Annotate tool definitions with their source base directory.
+       * This is used at runtime to resolve relative tool assets (e.g., API specs).
+       */
+      annotateToolsBaseDir(config, baseDir) {
+        if (!config.tools || typeof config.tools !== "object") {
+          return;
+        }
+        for (const tool of Object.values(config.tools)) {
+          if (!tool || typeof tool !== "object") continue;
+          tool.__baseDir = tool.__baseDir || baseDir;
+        }
+      }
       /**
        * Determine the source type from a string
        */
@@ -10768,7 +11660,7 @@ var init_config_loader = __esm({
             return source.toLowerCase();
           case "local" /* LOCAL */:
             const basePath = this.options.baseDir || process.cwd();
-            return path9.resolve(basePath, source);
+            return path10.resolve(basePath, source);
           default:
             return source;
         }
@@ -10778,10 +11670,10 @@ var init_config_loader = __esm({
        */
       async fetchLocalConfig(filePath) {
         const basePath = this.options.baseDir || process.cwd();
-        const resolvedPath = path9.resolve(basePath, filePath);
+        const resolvedPath = path10.resolve(basePath, filePath);
         this.validateLocalPath(resolvedPath);
         try {
-          const content = fs7.readFileSync(resolvedPath, "utf8");
+          const content = fs8.readFileSync(resolvedPath, "utf8");
           const config = yaml2.load(content);
           if (!config || typeof config !== "object") {
             throw new Error(`Invalid YAML in configuration file: ${resolvedPath}`);
@@ -10791,8 +11683,9 @@ var init_config_loader = __esm({
             config.extends = Array.isArray(inc) ? inc : [inc];
             delete config.include;
           }
+          this.annotateToolsBaseDir(config, path10.dirname(resolvedPath));
           const previousBaseDir = this.options.baseDir;
-          this.options.baseDir = path9.dirname(resolvedPath);
+          this.options.baseDir = path10.dirname(resolvedPath);
           try {
             if (config.extends) {
               const processedConfig = await this.processExtends(config);
@@ -10848,6 +11741,12 @@ var init_config_loader = __esm({
           if (!config || typeof config !== "object") {
             throw new Error(`Invalid YAML in remote configuration: ${url}`);
           }
+          try {
+            const parsed = new URL(url);
+            const baseUrl = new URL(".", parsed).toString();
+            this.annotateToolsBaseDir(config, baseUrl);
+          } catch {
+          }
           this.cache.set(url, {
             config,
             timestamp: Date.now(),
@@ -10875,25 +11774,25 @@ var init_config_loader = __esm({
       async fetchDefaultConfig() {
         const possiblePaths = [
           // Only support new non-dot filename
-          path9.join(__dirname, "defaults", "visor.yaml"),
+          path10.join(__dirname, "defaults", "visor.yaml"),
           // When running from source
-          path9.join(__dirname, "..", "..", "defaults", "visor.yaml"),
+          path10.join(__dirname, "..", "..", "defaults", "visor.yaml"),
           // Try via package root
-          this.findPackageRoot() ? path9.join(this.findPackageRoot(), "defaults", "visor.yaml") : "",
+          this.findPackageRoot() ? path10.join(this.findPackageRoot(), "defaults", "visor.yaml") : "",
           // GitHub Action environment variable
-          process.env.GITHUB_ACTION_PATH ? path9.join(process.env.GITHUB_ACTION_PATH, "defaults", "visor.yaml") : "",
-          process.env.GITHUB_ACTION_PATH ? path9.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", "visor.yaml") : ""
+          process.env.GITHUB_ACTION_PATH ? path10.join(process.env.GITHUB_ACTION_PATH, "defaults", "visor.yaml") : "",
+          process.env.GITHUB_ACTION_PATH ? path10.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", "visor.yaml") : ""
         ].filter((p) => p);
         let defaultConfigPath;
         for (const possiblePath of possiblePaths) {
-          if (fs7.existsSync(possiblePath)) {
+          if (fs8.existsSync(possiblePath)) {
             defaultConfigPath = possiblePath;
             break;
           }
         }
         if (defaultConfigPath) {
           console.error(`\u{1F4E6} Loading bundled default configuration from ${defaultConfigPath}`);
-          const content = fs7.readFileSync(defaultConfigPath, "utf8");
+          const content = fs8.readFileSync(defaultConfigPath, "utf8");
           let config = yaml2.load(content);
           if (!config || typeof config !== "object") {
             throw new Error("Invalid default configuration");
@@ -10907,7 +11806,7 @@ var init_config_loader = __esm({
           if (config.extends) {
             const previousBaseDir = this.options.baseDir;
             try {
-              this.options.baseDir = path9.dirname(defaultConfigPath);
+              this.options.baseDir = path10.dirname(defaultConfigPath);
               return await this.processExtends(config);
             } finally {
               this.options.baseDir = previousBaseDir;
@@ -10984,9 +11883,17 @@ var init_config_loader = __esm({
        */
       validateLocalPath(resolvedPath) {
         const projectRoot = this.options.projectRoot || process.cwd();
-        const normalizedPath = path9.normalize(resolvedPath);
-        const normalizedRoot = path9.normalize(projectRoot);
-        if (!normalizedPath.startsWith(normalizedRoot)) {
+        const canonicalize = (p) => {
+          const resolved = path10.resolve(p);
+          try {
+            return path10.normalize(fs8.realpathSync.native(resolved));
+          } catch {
+            return path10.normalize(resolved);
+          }
+        };
+        const normalizedPath = canonicalize(resolvedPath);
+        const normalizedRoot = canonicalize(projectRoot);
+        if (normalizedPath !== normalizedRoot && !normalizedPath.startsWith(`${normalizedRoot}${path10.sep}`)) {
           throw new Error(
             `Security error: Path traversal detected. Cannot access files outside project root: ${projectRoot}`
           );
@@ -10997,7 +11904,7 @@ var init_config_loader = __esm({
           "/.ssh/",
           "/.aws/",
           "/.env",
-          "/private/"
+          "/private/etc/"
         ];
         const lowerPath = normalizedPath.toLowerCase();
         for (const pattern of sensitivePatterns) {
@@ -11011,19 +11918,19 @@ var init_config_loader = __esm({
        */
       findPackageRoot() {
         let currentDir = __dirname;
-        const root = path9.parse(currentDir).root;
+        const root = path10.parse(currentDir).root;
         while (currentDir !== root) {
-          const packageJsonPath = path9.join(currentDir, "package.json");
-          if (fs7.existsSync(packageJsonPath)) {
+          const packageJsonPath = path10.join(currentDir, "package.json");
+          if (fs8.existsSync(packageJsonPath)) {
             try {
-              const packageJson = JSON.parse(fs7.readFileSync(packageJsonPath, "utf8"));
+              const packageJson = JSON.parse(fs8.readFileSync(packageJsonPath, "utf8"));
               if (packageJson.name === "@probelabs/visor") {
                 return currentDir;
               }
             } catch {
             }
           }
-          currentDir = path9.dirname(currentDir);
+          currentDir = path10.dirname(currentDir);
         }
         return null;
       }
@@ -11271,6 +12178,11 @@ var init_config_schema = __esm({
         CustomToolDefinition: {
           type: "object",
           properties: {
+            type: {
+              type: "string",
+              enum: ["command", "api"],
+              description: "Tool implementation type (defaults to 'command')"
+            },
             name: {
               type: "string",
               description: "Tool name - used to reference the tool in MCP blocks"
@@ -11308,7 +12220,7 @@ var init_config_schema = __esm({
             },
             exec: {
               type: "string",
-              description: "Command to execute - supports Liquid template"
+              description: "Command to execute - supports Liquid template (required for type: 'command')"
             },
             stdin: {
               type: "string",
@@ -11341,9 +12253,132 @@ var init_config_schema = __esm({
             outputSchema: {
               $ref: "#/definitions/Record%3Cstring%2Cunknown%3E",
               description: "Expected output schema for validation"
+            },
+            spec: {
+              anyOf: [
+                {
+                  type: "string"
+                },
+                {
+                  $ref: "#/definitions/Record%3Cstring%2Cunknown%3E"
+                }
+              ],
+              description: "OpenAPI specification path/URL or inline object (required for type: 'api')"
+            },
+            overlays: {
+              anyOf: [
+                {
+                  type: "string"
+                },
+                {
+                  $ref: "#/definitions/Record%3Cstring%2Cunknown%3E"
+                },
+                {
+                  type: "array",
+                  items: {
+                    anyOf: [
+                      {
+                        type: "string"
+                      },
+                      {
+                        $ref: "#/definitions/Record%3Cstring%2Cunknown%3E"
+                      }
+                    ]
+                  }
+                }
+              ],
+              description: "Overlay path/URL, inline object, or a mixed array applied in order"
+            },
+            targetUrl: {
+              type: "string",
+              description: "Override API base URL instead of OpenAPI servers"
+            },
+            target_url: {
+              type: "string",
+              description: "Alias for targetUrl (snake_case)"
+            },
+            whitelist: {
+              anyOf: [
+                {
+                  type: "array",
+                  items: {
+                    type: "string"
+                  }
+                },
+                {
+                  type: "string"
+                }
+              ],
+              description: "Include only operations matching these glob patterns (operationId or METHOD:/path)"
+            },
+            blacklist: {
+              anyOf: [
+                {
+                  type: "array",
+                  items: {
+                    type: "string"
+                  }
+                },
+                {
+                  type: "string"
+                }
+              ],
+              description: "Exclude operations matching these glob patterns (ignored when whitelist is set)"
+            },
+            headers: {
+              $ref: "#/definitions/Record%3Cstring%2Cstring%3E",
+              description: "Extra headers added to all API requests"
+            },
+            disableXMcp: {
+              type: "boolean",
+              description: "Disable X-MCP: 1 request header"
+            },
+            disable_x_mcp: {
+              type: "boolean",
+              description: "Alias for disableXMcp (snake_case)"
+            },
+            apiKey: {
+              type: "string",
+              description: "API key fallback credential used by security schemes"
+            },
+            api_key: {
+              type: "string",
+              description: "Alias for apiKey (snake_case)"
+            },
+            securitySchemeName: {
+              type: "string",
+              description: "Preferred security scheme name (optional hint)"
+            },
+            security_scheme_name: {
+              type: "string",
+              description: "Alias for securitySchemeName (snake_case)"
+            },
+            securityCredentials: {
+              $ref: "#/definitions/Record%3Cstring%2Cstring%3E",
+              description: "Credentials by OpenAPI security scheme name"
+            },
+            security_credentials: {
+              $ref: "#/definitions/Record%3Cstring%2Cstring%3E",
+              description: "Alias for securityCredentials (snake_case)"
+            },
+            namePrefix: {
+              type: "string",
+              description: "Optional prefix prepended to generated operation tool names"
+            },
+            name_prefix: {
+              type: "string",
+              description: "Alias for namePrefix (snake_case)"
+            },
+            requestTimeoutMs: {
+              type: "number",
+              description: "Request timeout in milliseconds for API calls"
+            },
+            request_timeout_ms: {
+              type: "number",
+              description: "Alias for requestTimeoutMs (snake_case)"
             }
           },
-          required: ["name", "exec"],
+          required: ["name"],
           additionalProperties: false,
           description: "Custom tool definition for use in MCP blocks",
           patternProperties: {
@@ -11474,6 +12509,46 @@ var init_config_schema = __esm({
               type: "string",
               description: "Script content to execute for script checks"
             },
+            tools: {
+              type: "array",
+              items: {
+                anyOf: [
+                  {
+                    type: "string"
+                  },
+                  {
+                    type: "object",
+                    properties: {
+                      workflow: {
+                        type: "string"
+                      },
+                      args: {
+                        $ref: "#/definitions/Record%3Cstring%2Cunknown%3E"
+                      }
+                    },
+                    required: ["workflow"],
+                    additionalProperties: false
+                  }
+                ]
+              },
+              description: "Tool names to expose inside script checks (string names or workflow references)"
+            },
+            tools_js: {
+              type: "string",
+              description: "JavaScript expression to dynamically compute tools for script checks"
+            },
+            mcp_servers: {
+              $ref: "#/definitions/Record%3Cstring%2CMcpServerConfig%3E",
+              description: "MCP servers whose tools are exposed inside script checks"
+            },
+            enable_fetch: {
+              type: "boolean",
+              description: "Enable fetch() function in script checks (default: false)"
+            },
+            enable_bash: {
+              type: "boolean",
+              description: "Enable bash() function in script checks (default: false)"
+            },
             schedule: {
               type: "string",
               description: 'Cron schedule expression (e.g., "0 2 * * *") - optional for any check type'
@@ -11819,7 +12894,7 @@ var init_config_schema = __esm({
               description: "Arguments/inputs for the workflow"
             },
             overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13489-27516-src_types_config.ts-0-51381%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13489-28083-src_types_config.ts-0-53867%3E%3E",
               description: "Override specific step configurations in the workflow"
             },
             output_mapping: {
@@ -11835,7 +12910,7 @@ var init_config_schema = __esm({
               description: "Config file path - alternative to workflow ID (loads a Visor config file as workflow)"
             },
             workflow_overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13489-27516-src_types_config.ts-0-51381%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13489-28083-src_types_config.ts-0-53867%3E%3E",
               description: "Alias for overrides - workflow step overrides (backward compatibility)"
             },
             ref: {
@@ -11941,6 +13016,72 @@ var init_config_schema = __esm({
           ],
           description: "Valid check types in configuration"
         },
+        "Record<string,McpServerConfig>": {
+          type: "object",
+          additionalProperties: {
+            $ref: "#/definitions/McpServerConfig"
+          }
+        },
+        McpServerConfig: {
+          type: "object",
+          properties: {
+            command: {
+              type: "string",
+              description: "Command to execute (presence indicates stdio server)"
+            },
+            args: {
+              type: "array",
+              items: {
+                type: "string"
+              },
+              description: "Arguments to pass to the command"
+            },
+            env: {
+              $ref: "#/definitions/Record%3Cstring%2Cstring%3E",
+              description: "Environment variables for the MCP server"
+            },
+            url: {
+              type: "string",
+              description: "URL endpoint (presence indicates external server)"
+            },
+            transport: {
+              type: "string",
+              enum: ["stdio", "sse", "http"],
+              description: "Transport type"
+            },
+            workflow: {
+              type: "string",
+              description: "Workflow ID or path (presence indicates workflow tool)"
+            },
+            inputs: {
+              $ref: "#/definitions/Record%3Cstring%2Cunknown%3E",
+              description: "Inputs to pass to workflow"
+            },
+            description: {
+              type: "string",
+              description: "Tool description for AI"
+            },
+            allowedMethods: {
+              type: "array",
+              items: {
+                type: "string"
+              },
+              description: 'Whitelist specific methods from this MCP server (supports wildcards like "search_*")'
+            },
+            blockedMethods: {
+              type: "array",
+              items: {
+                type: "string"
+              },
+              description: 'Block specific methods from this MCP server (supports wildcards like "*_delete")'
+            }
+          },
+          additionalProperties: false,
+          description: "Unified MCP server/tool entry - type detected by which properties are present\n\nDetection logic (priority order): 1. Has `command` \u2192 stdio MCP server (external process) 2. Has `url` \u2192 SSE/HTTP MCP server (external endpoint) 3. Has `workflow` \u2192 workflow tool reference 4. Empty `{}` or just key \u2192 auto-detect from `tools:` section",
+          patternProperties: {
+            "^x-": {}
+          }
+        },
         EventTrigger: {
           type: "string",
           enum: [
@@ -12069,72 +13210,6 @@ var init_config_schema = __esm({
             "^x-": {}
           }
         },
-        "Record<string,McpServerConfig>": {
-          type: "object",
-          additionalProperties: {
-            $ref: "#/definitions/McpServerConfig"
-          }
-        },
-        McpServerConfig: {
-          type: "object",
-          properties: {
-            command: {
-              type: "string",
-              description: "Command to execute (presence indicates stdio server)"
-            },
-            args: {
-              type: "array",
-              items: {
-                type: "string"
-              },
-              description: "Arguments to pass to the command"
-            },
-            env: {
-              $ref: "#/definitions/Record%3Cstring%2Cstring%3E",
-              description: "Environment variables for the MCP server"
-            },
-            url: {
-              type: "string",
-              description: "URL endpoint (presence indicates external server)"
-            },
-            transport: {
-              type: "string",
-              enum: ["stdio", "sse", "http"],
-              description: "Transport type"
-            },
-            workflow: {
-              type: "string",
-              description: "Workflow ID or path (presence indicates workflow tool)"
-            },
-            inputs: {
-              $ref: "#/definitions/Record%3Cstring%2Cunknown%3E",
-              description: "Inputs to pass to workflow"
-            },
-            description: {
-              type: "string",
-              description: "Tool description for AI"
-            },
-            allowedMethods: {
-              type: "array",
-              items: {
-                type: "string"
-              },
-              description: 'Whitelist specific methods from this MCP server (supports wildcards like "search_*")'
-            },
-            blockedMethods: {
-              type: "array",
-              items: {
-                type: "string"
-              },
-              description: 'Block specific methods from this MCP server (supports wildcards like "*_delete")'
-            }
-          },
-          additionalProperties: false,
-          description: "Unified MCP server/tool entry - type detected by which properties are present\n\nDetection logic (priority order): 1. Has `command` \u2192 stdio MCP server (external process) 2. Has `url` \u2192 SSE/HTTP MCP server (external endpoint) 3. Has `workflow` \u2192 workflow tool reference 4. Empty `{}` or just key \u2192 auto-detect from `tools:` section",
-          patternProperties: {
-            "^x-": {}
-          }
-        },
         AIRetryConfig: {
           type: "object",
           properties: {
@@ -12523,7 +13598,7 @@ var init_config_schema = __esm({
               description: "Custom output name (defaults to workflow name)"
             },
             overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13489-27516-src_types_config.ts-0-51381%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13489-28083-src_types_config.ts-0-53867%3E%3E",
               description: "Step overrides"
             },
             output_mapping: {
@@ -12538,13 +13613,13 @@ var init_config_schema = __esm({
             "^x-": {}
           }
         },
-        "Record<string,Partial<interface-src_types_config.ts-13489-27516-src_types_config.ts-0-51381>>": {
+        "Record<string,Partial<interface-src_types_config.ts-13489-28083-src_types_config.ts-0-53867>>": {
           type: "object",
           additionalProperties: {
-            $ref: "#/definitions/Partial%3Cinterface-src_types_config.ts-13489-27516-src_types_config.ts-0-51381%3E"
+            $ref: "#/definitions/Partial%3Cinterface-src_types_config.ts-13489-28083-src_types_config.ts-0-53867%3E"
           }
         },
-        "Partial<interface-src_types_config.ts-13489-27516-src_types_config.ts-0-51381>": {
+        "Partial<interface-src_types_config.ts-13489-28083-src_types_config.ts-0-53867>": {
           type: "object",
           additionalProperties: false
         },
@@ -13792,13 +14867,13 @@ __export(config_exports, {
   ConfigManager: () => ConfigManager,
   VALID_EVENT_TRIGGERS: () => VALID_EVENT_TRIGGERS
 });
-var yaml3, fs8, path10, import_simple_git, import_ajv3, import_ajv_formats2, VALID_EVENT_TRIGGERS, ConfigManager, __ajvValidate, __ajvErrors;
+var yaml3, fs9, path11, import_simple_git, import_ajv3, import_ajv_formats2, VALID_EVENT_TRIGGERS, ConfigManager, __ajvValidate, __ajvErrors;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
     yaml3 = __toESM(require("js-yaml"));
-    fs8 = __toESM(require("fs"));
-    path10 = __toESM(require("path"));
+    fs9 = __toESM(require("fs"));
+    path11 = __toESM(require("path"));
     init_logger();
     import_simple_git = __toESM(require("simple-git"));
     init_config_loader();
@@ -13837,16 +14912,28 @@ var init_config = __esm({
       validEventTriggers = [...VALID_EVENT_TRIGGERS];
       validOutputFormats = ["table", "json", "markdown", "sarif"];
       validGroupByOptions = ["check", "file", "severity", "group"];
+      /**
+       * Annotate tools with the originating config directory for relative asset resolution.
+       */
+      annotateToolBaseDirs(config, baseDir) {
+        if (!config.tools || typeof config.tools !== "object") {
+          return;
+        }
+        for (const tool of Object.values(config.tools)) {
+          if (!tool || typeof tool !== "object") continue;
+          tool.__baseDir = tool.__baseDir || baseDir;
+        }
+      }
       /**
        * Load configuration from a file
        */
       async loadConfig(configPath, options = {}) {
         const { validate = true, mergeDefaults = true, allowedRemotePatterns } = options;
-        const resolvedPath = path10.isAbsolute(configPath) ? configPath : path10.resolve(process.cwd(), configPath);
+        const resolvedPath = path11.isAbsolute(configPath) ? configPath : path11.resolve(process.cwd(), configPath);
         try {
           let configContent;
           try {
-            configContent = fs8.readFileSync(resolvedPath, "utf8");
+            configContent = fs9.readFileSync(resolvedPath, "utf8");
           } catch (readErr) {
             if (readErr && (readErr.code === "ENOENT" || readErr.code === "ENOTDIR")) {
               throw new Error(`Configuration file not found: ${resolvedPath}`);
@@ -13868,7 +14955,7 @@ var init_config = __esm({
           const extendsValue = parsedConfig.extends || parsedConfig.include;
           if (extendsValue) {
             const loaderOptions = {
-              baseDir: path10.dirname(resolvedPath),
+              baseDir: path11.dirname(resolvedPath),
               allowRemote: this.isRemoteExtendsAllowed(),
               maxDepth: 10,
               allowedRemotePatterns
@@ -13887,10 +14974,11 @@ var init_config = __esm({
             parsedConfig = merger.removeDisabledChecks(parsedConfig);
           }
           if (parsedConfig.id && typeof parsedConfig.id === "string") {
-            parsedConfig = await this.convertWorkflowToConfig(parsedConfig, path10.dirname(resolvedPath));
+            parsedConfig = await this.convertWorkflowToConfig(parsedConfig, path11.dirname(resolvedPath));
           }
+          this.annotateToolBaseDirs(parsedConfig, path11.dirname(resolvedPath));
           parsedConfig = this.normalizeStepsAndChecks(parsedConfig, !!extendsValue);
-          await this.loadWorkflows(parsedConfig, path10.dirname(resolvedPath));
+          await this.loadWorkflows(parsedConfig, path11.dirname(resolvedPath));
           if (validate) {
             this.validateConfig(parsedConfig);
           }
@@ -13949,6 +15037,7 @@ var init_config = __esm({
           if (parsedConfig.id && typeof parsedConfig.id === "string") {
             parsedConfig = await this.convertWorkflowToConfig(parsedConfig, baseDir || process.cwd());
           }
+          this.annotateToolBaseDirs(parsedConfig, baseDir || process.cwd());
           parsedConfig = this.normalizeStepsAndChecks(parsedConfig, !!extendsValue);
           await this.loadWorkflows(parsedConfig, baseDir || process.cwd());
           if (validate) this.validateConfig(parsedConfig);
@@ -13968,16 +15057,16 @@ var init_config = __esm({
         const searchDirs = [gitRoot, process.cwd()].filter(Boolean);
         for (const baseDir of searchDirs) {
           const candidates = ["visor.yaml", "visor.yml", ".visor.yaml", ".visor.yml"].map(
-            (p) => path10.join(baseDir, p)
+            (p) => path11.join(baseDir, p)
           );
           for (const p of candidates) {
             try {
-              const st = fs8.statSync(p);
+              const st = fs9.statSync(p);
               if (!st.isFile()) continue;
-              const isLegacy = path10.basename(p).startsWith(".");
+              const isLegacy = path11.basename(p).startsWith(".");
               if (isLegacy) {
                 if (process.env.VISOR_STRICT_CONFIG_NAME === "true") {
-                  const rel = path10.relative(baseDir, p);
+                  const rel = path11.relative(baseDir, p);
                   throw new Error(
                     `Legacy config detected: ${rel}. Please rename to visor.yaml (or visor.yml).`
                   );
@@ -14040,23 +15129,23 @@ var init_config = __esm({
           const possiblePaths = [];
           if (typeof __dirname !== "undefined") {
             possiblePaths.push(
-              path10.join(__dirname, "defaults", "visor.yaml"),
-              path10.join(__dirname, "..", "defaults", "visor.yaml")
+              path11.join(__dirname, "defaults", "visor.yaml"),
+              path11.join(__dirname, "..", "defaults", "visor.yaml")
             );
           }
           const pkgRoot = this.findPackageRoot();
           if (pkgRoot) {
-            possiblePaths.push(path10.join(pkgRoot, "defaults", "visor.yaml"));
+            possiblePaths.push(path11.join(pkgRoot, "defaults", "visor.yaml"));
           }
           if (process.env.GITHUB_ACTION_PATH) {
             possiblePaths.push(
-              path10.join(process.env.GITHUB_ACTION_PATH, "defaults", "visor.yaml"),
-              path10.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", "visor.yaml")
+              path11.join(process.env.GITHUB_ACTION_PATH, "defaults", "visor.yaml"),
+              path11.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", "visor.yaml")
             );
           }
           let bundledConfigPath;
           for (const possiblePath of possiblePaths) {
-            if (fs8.existsSync(possiblePath)) {
+            if (fs9.existsSync(possiblePath)) {
               bundledConfigPath = possiblePath;
               break;
             }
@@ -14064,7 +15153,7 @@ var init_config = __esm({
           if (bundledConfigPath) {
             console.error(`\u{1F4E6} Loading bundled default configuration from ${bundledConfigPath}`);
             const readAndParse = (p) => {
-              const raw = fs8.readFileSync(p, "utf8");
+              const raw = fs9.readFileSync(p, "utf8");
               const obj = yaml3.load(raw);
               if (!obj || typeof obj !== "object") return {};
               if (obj.include && !obj.extends) {
@@ -14074,7 +15163,7 @@ var init_config = __esm({
               }
               return obj;
             };
-            const baseDir = path10.dirname(bundledConfigPath);
+            const baseDir = path11.dirname(bundledConfigPath);
             const merger = new (init_config_merger(), __toCommonJS(config_merger_exports)).ConfigMerger();
             const loadWithExtendsSync = (p) => {
               const current = readAndParse(p);
@@ -14086,7 +15175,7 @@ var init_config = __esm({
               let acc = {};
               for (const src of list) {
                 const rel = typeof src === "string" ? src : String(src);
-                const abs = path10.isAbsolute(rel) ? rel : path10.resolve(baseDir, rel);
+                const abs = path11.isAbsolute(rel) ? rel : path11.resolve(baseDir, rel);
                 const parentCfg = loadWithExtendsSync(abs);
                 acc = merger.merge(acc, parentCfg);
               }
@@ -14110,18 +15199,18 @@ var init_config = __esm({
        */
       findPackageRoot() {
         let currentDir = __dirname;
-        while (currentDir !== path10.dirname(currentDir)) {
-          const packageJsonPath = path10.join(currentDir, "package.json");
-          if (fs8.existsSync(packageJsonPath)) {
+        while (currentDir !== path11.dirname(currentDir)) {
+          const packageJsonPath = path11.join(currentDir, "package.json");
+          if (fs9.existsSync(packageJsonPath)) {
             try {
-              const packageJson = JSON.parse(fs8.readFileSync(packageJsonPath, "utf8"));
+              const packageJson = JSON.parse(fs9.readFileSync(packageJsonPath, "utf8"));
               if (packageJson.name === "@probelabs/visor") {
                 return currentDir;
               }
             } catch {
             }
           }
-          currentDir = path10.dirname(currentDir);
+          currentDir = path11.dirname(currentDir);
         }
         return null;
       }
@@ -14461,6 +15550,42 @@ ${errors}`);
         if (config.ai_mcp_servers) {
           this.validateMcpServersObject(config.ai_mcp_servers, "ai_mcp_servers", errors, warnings);
         }
+        if (config.tools) {
+          for (const [toolName, toolDef] of Object.entries(config.tools)) {
+            const type = toolDef.type || "command";
+            if (type === "api") {
+              const spec = toolDef.spec;
+              const hasStringSpec = typeof spec === "string" && spec.trim().length > 0;
+              const hasInlineSpec = !!spec && typeof spec === "object" && !Array.isArray(spec);
+              if (!hasStringSpec && !hasInlineSpec) {
+                errors.push({
+                  field: `tools.${toolName}.spec`,
+                  message: `Invalid tool configuration for "${toolName}": missing spec field (required for type: api)`
+                });
+              }
+              const overlays = toolDef.overlays;
+              if (overlays !== void 0) {
+                const isInlineOverlay = !!overlays && typeof overlays === "object" && !Array.isArray(overlays);
+                const isStringOverlay = typeof overlays === "string";
+                const isMixedArrayOverlay = Array.isArray(overlays) && overlays.every(
+                  (item) => typeof item === "string" || !!item && typeof item === "object" && !Array.isArray(item)
+                );
+                if (!isInlineOverlay && !isStringOverlay && !isMixedArrayOverlay) {
+                  errors.push({
+                    field: `tools.${toolName}.overlays`,
+                    message: `Invalid tool configuration for "${toolName}": overlays must be a string, object, or array of strings/objects`,
+                    value: overlays
+                  });
+                }
+              }
+            } else if (!toolDef.exec || typeof toolDef.exec !== "string") {
+              errors.push({
+                field: `tools.${toolName}.exec`,
+                message: `Invalid tool configuration for "${toolName}": missing exec field (required for command tools)`
+              });
+            }
+          }
+        }
         if (config.output) {
           this.validateOutputConfig(config.output, errors);
         }
@@ -14878,7 +16003,7 @@ ${errors}`);
         if (policy.engine === "local" && policy.rules) {
           const rulesPath = Array.isArray(policy.rules) ? policy.rules : [policy.rules];
           for (const rp of rulesPath) {
-            if (typeof rp === "string" && !fs8.existsSync(path10.resolve(rp))) {
+            if (typeof rp === "string" && !fs9.existsSync(path11.resolve(rp))) {
               warnings.push({
                 field: "policy.rules",
                 message: `Policy rules path does not exist: ${rp}. It will be resolved at runtime.`,
@@ -14928,7 +16053,7 @@ ${errors}`);
             });
           }
         }
-        if (policy.data && typeof policy.data === "string" && !fs8.existsSync(path10.resolve(policy.data))) {
+        if (policy.data && typeof policy.data === "string" && !fs9.existsSync(path11.resolve(policy.data))) {
           warnings.push({
             field: "policy.data",
             message: `Policy data file does not exist: ${policy.data}. It will be resolved at runtime.`,
@@ -15078,7 +16203,7 @@ ${errors}`);
         try {
           if (!__ajvValidate) {
             try {
-              const jsonPath = path10.resolve(__dirname, "generated", "config-schema.json");
+              const jsonPath = path11.resolve(__dirname, "generated", "config-schema.json");
               const jsonSchema = require(jsonPath);
               if (jsonSchema) {
                 const ajv = new import_ajv3.default({ allErrors: true, allowUnionTypes: true, strict: false });
@@ -15128,6 +16253,9 @@ ${errors}`);
                 if (topLevel && allowedTopLevelKeys.has(addl)) {
                   continue;
                 }
+                if (!topLevel && addl === "__baseDir" && pathStr.startsWith("tools.")) {
+                  continue;
+                }
                 if (!topLevel && addl === "sandbox" && pathStr.match(/^(checks|steps)\.[^.]+$/)) {
                   continue;
                 }
@@ -15332,7 +16460,7 @@ var workflow_check_provider_exports = {};
 __export(workflow_check_provider_exports, {
   WorkflowCheckProvider: () => WorkflowCheckProvider
 });
-var path11, yaml4, WorkflowCheckProvider;
+var path12, yaml4, WorkflowCheckProvider;
 var init_workflow_check_provider = __esm({
   "src/providers/workflow-check-provider.ts"() {
     "use strict";
@@ -15343,7 +16471,7 @@ var init_workflow_check_provider = __esm({
     init_sandbox();
     init_human_id();
     init_liquid_extensions();
-    path11 = __toESM(require("path"));
+    path12 = __toESM(require("path"));
     yaml4 = __toESM(require("js-yaml"));
     WorkflowCheckProvider = class extends CheckProvider {
       registry;
@@ -15552,13 +16680,13 @@ var init_workflow_check_provider = __esm({
         const loadConfigLiquid = createExtendedLiquid();
         const loadConfig2 = (filePath) => {
           try {
-            const normalizedBasePath = path11.normalize(basePath);
-            const resolvedPath = path11.isAbsolute(filePath) ? path11.normalize(filePath) : path11.normalize(path11.resolve(basePath, filePath));
-            const basePathWithSep = normalizedBasePath.endsWith(path11.sep) ? normalizedBasePath : normalizedBasePath + path11.sep;
+            const normalizedBasePath = path12.normalize(basePath);
+            const resolvedPath = path12.isAbsolute(filePath) ? path12.normalize(filePath) : path12.normalize(path12.resolve(basePath, filePath));
+            const basePathWithSep = normalizedBasePath.endsWith(path12.sep) ? normalizedBasePath : normalizedBasePath + path12.sep;
             if (!resolvedPath.startsWith(basePathWithSep) && resolvedPath !== normalizedBasePath) {
               throw new Error(`Path '${filePath}' escapes base directory`);
             }
-            const configDir = path11.dirname(resolvedPath);
+            const configDir = path12.dirname(resolvedPath);
             const rawContent = require("fs").readFileSync(resolvedPath, "utf-8");
             const renderedContent = loadConfigLiquid.parseAndRenderSync(rawContent, {
               basePath: configDir
@@ -16009,17 +17137,17 @@ var init_workflow_check_provider = __esm({
        * so it can be executed by the state machine as a nested workflow.
        */
       async loadWorkflowFromConfigPath(sourcePath, baseDir) {
-        const path29 = require("path");
-        const fs25 = require("fs");
+        const path30 = require("path");
+        const fs26 = require("fs");
         const yaml5 = require("js-yaml");
-        const resolved = path29.isAbsolute(sourcePath) ? sourcePath : path29.resolve(baseDir, sourcePath);
-        if (!fs25.existsSync(resolved)) {
+        const resolved = path30.isAbsolute(sourcePath) ? sourcePath : path30.resolve(baseDir, sourcePath);
+        if (!fs26.existsSync(resolved)) {
           throw new Error(`Workflow config not found at: ${resolved}`);
         }
-        const rawContent = fs25.readFileSync(resolved, "utf8");
+        const rawContent = fs26.readFileSync(resolved, "utf8");
         const rawData = yaml5.load(rawContent);
         if (rawData.imports && Array.isArray(rawData.imports)) {
-          const configDir = path29.dirname(resolved);
+          const configDir = path30.dirname(resolved);
           for (const source of rawData.imports) {
             const results = await this.registry.import(source, {
               basePath: configDir,
@@ -16049,8 +17177,8 @@ ${errors}`);
         if (!steps || Object.keys(steps).length === 0) {
           throw new Error(`Config '${resolved}' does not contain any steps to execute as a workflow`);
         }
-        const id = path29.basename(resolved).replace(/\.(ya?ml)$/i, "");
-        const name = loaded.name || `Workflow from ${path29.basename(resolved)}`;
+        const id = path30.basename(resolved).replace(/\.(ya?ml)$/i, "");
+        const name = loaded.name || `Workflow from ${path30.basename(resolved)}`;
         const workflowDef = {
           id,
           name,
@@ -16289,11 +17417,11 @@ function fromDbRow(row) {
     previousResponse: row.previous_response ?? void 0
   };
 }
-var import_path4, import_fs4, import_uuid, SqliteStoreBackend;
+var import_path5, import_fs4, import_uuid, SqliteStoreBackend;
 var init_sqlite_store = __esm({
   "src/scheduler/store/sqlite-store.ts"() {
     "use strict";
-    import_path4 = __toESM(require("path"));
+    import_path5 = __toESM(require("path"));
     import_fs4 = __toESM(require("fs"));
     import_uuid = require("uuid");
     init_logger();
@@ -16306,8 +17434,8 @@ var init_sqlite_store = __esm({
         this.dbPath = filename || ".visor/schedules.db";
       }
       async initialize() {
-        const resolvedPath = import_path4.default.resolve(process.cwd(), this.dbPath);
-        const dir = import_path4.default.dirname(resolvedPath);
+        const resolvedPath = import_path5.default.resolve(process.cwd(), this.dbPath);
+        const dir = import_path5.default.dirname(resolvedPath);
         import_fs4.default.mkdirSync(dir, { recursive: true });
         const { createRequire } = require("module");
         const runtimeRequire = createRequire(__filename);
@@ -16703,10 +17831,10 @@ var init_store = __esm({
 
 // src/scheduler/store/json-migrator.ts
 async function migrateJsonToBackend(jsonPath, backend) {
-  const resolvedPath = import_path5.default.resolve(process.cwd(), jsonPath);
+  const resolvedPath = import_path6.default.resolve(process.cwd(), jsonPath);
   let content;
   try {
-    content = await import_promises2.default.readFile(resolvedPath, "utf-8");
+    content = await import_promises3.default.readFile(resolvedPath, "utf-8");
   } catch (err) {
     if (err.code === "ENOENT") {
       return 0;
@@ -16753,7 +17881,7 @@ async function migrateJsonToBackend(jsonPath, backend) {
 async function renameToMigrated(resolvedPath) {
   const migratedPath = `${resolvedPath}.migrated`;
   try {
-    await import_promises2.default.rename(resolvedPath, migratedPath);
+    await import_promises3.default.rename(resolvedPath, migratedPath);
     logger.info(`[JsonMigrator] Backed up ${resolvedPath} \u2192 ${migratedPath}`);
   } catch (err) {
     logger.warn(
@@ -16761,12 +17889,12 @@ async function renameToMigrated(resolvedPath) {
     );
   }
 }
-var import_promises2, import_path5;
+var import_promises3, import_path6;
 var init_json_migrator = __esm({
   "src/scheduler/store/json-migrator.ts"() {
     "use strict";
-    import_promises2 = __toESM(require("fs/promises"));
-    import_path5 = __toESM(require("path"));
+    import_promises3 = __toESM(require("fs/promises"));
+    import_path6 = __toESM(require("path"));
     init_logger();
   }
 });
@@ -17044,6 +18172,13 @@ var init_schedule_parser = __esm({
 });
 
 // src/scheduler/schedule-tool.ts
+var schedule_tool_exports = {};
+__export(schedule_tool_exports, {
+  buildScheduleToolContext: () => buildScheduleToolContext,
+  getScheduleToolDefinition: () => getScheduleToolDefinition,
+  handleScheduleAction: () => handleScheduleAction,
+  isScheduleTool: () => isScheduleTool
+});
 function matchGlobPattern(pattern, value) {
   const regexPattern = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
   return new RegExp(`^${regexPattern}$`).test(value);
@@ -18374,7 +19509,23 @@ var init_mcp_custom_sse_server = __esm({
        * Handle tools/list MCP request
        */
       async handleToolsList(id) {
-        const allTools = Array.from(this.tools.values());
+        const normalizeInputSchema = (schema) => {
+          if (schema && schema.type === "object") {
+            return schema;
+          }
+          return {
+            type: "object",
+            properties: {},
+            required: []
+          };
+        };
+        const regularTools = await this.toolExecutor.listMcpTools();
+        const workflowTools = Array.from(this.tools.values()).filter(isWorkflowTool).map((tool) => ({
+          name: tool.name,
+          description: tool.description || `Execute ${tool.name}`,
+          inputSchema: normalizeInputSchema(tool.inputSchema)
+        }));
+        const allTools = [...regularTools, ...workflowTools];
         if (this.debug) {
           logger.debug(
             `[CustomToolsSSEServer:${this.sessionId}] Listing ${allTools.length} tools: ${allTools.map((t) => t.name).join(", ")}`
@@ -18387,11 +19538,7 @@ var init_mcp_custom_sse_server = __esm({
             tools: allTools.map((tool) => ({
               name: tool.name,
               description: tool.description || `Execute ${tool.name}`,
-              inputSchema: tool.inputSchema || {
-                type: "object",
-                properties: {},
-                required: []
-              }
+              inputSchema: normalizeInputSchema(tool.inputSchema)
             }))
           }
         };
@@ -18581,8 +19728,45 @@ var init_mcp_custom_sse_server = __esm({
   }
 });
 
+// src/utils/tool-resolver.ts
+function resolveTools(toolItems, globalTools, logPrefix = "[ToolResolver]") {
+  const tools = /* @__PURE__ */ new Map();
+  for (const item of toolItems) {
+    const workflowTool = resolveWorkflowToolFromItem(item);
+    if (workflowTool) {
+      logger.debug(`${logPrefix} Loaded workflow '${workflowTool.name}' as tool`);
+      tools.set(workflowTool.name, workflowTool);
+      continue;
+    }
+    if (typeof item === "string") {
+      if (globalTools && globalTools[item]) {
+        const tool = globalTools[item];
+        tool.name = tool.name || item;
+        tools.set(item, tool);
+        continue;
+      }
+      logger.warn(`${logPrefix} Tool '${item}' not found in global tools or workflow registry`);
+    } else if (isWorkflowToolReference(item)) {
+      logger.warn(`${logPrefix} Workflow '${item.workflow}' referenced but not found in registry`);
+    }
+  }
+  if (tools.size === 0 && toolItems.length > 0 && !globalTools) {
+    logger.warn(
+      `${logPrefix} Tools specified but no global tools found in configuration and no workflows matched`
+    );
+  }
+  return tools;
+}
+var init_tool_resolver = __esm({
+  "src/utils/tool-resolver.ts"() {
+    "use strict";
+    init_workflow_tool_executor();
+    init_logger();
+  }
+});
+
 // src/providers/ai-check-provider.ts
-var import_promises3, import_path6, AICheckProvider;
+var import_promises4, import_path7, AICheckProvider;
 var init_ai_check_provider = __esm({
   "src/providers/ai-check-provider.ts"() {
     "use strict";
@@ -18591,13 +19775,14 @@ var init_ai_check_provider = __esm({
     init_env_resolver();
     init_issue_filter();
     init_liquid_extensions();
-    import_promises3 = __toESM(require("fs/promises"));
-    import_path6 = __toESM(require("path"));
+    import_promises4 = __toESM(require("fs/promises"));
+    import_path7 = __toESM(require("path"));
     init_lazy_otel();
     init_state_capture();
     init_mcp_custom_sse_server();
     init_logger();
     init_workflow_tool_executor();
+    init_tool_resolver();
     init_sandbox();
     init_schedule_tool();
     init_schedule_tool_handler();
@@ -18756,7 +19941,7 @@ var init_ai_check_provider = __esm({
         const hasFileExtension = /\.[a-zA-Z0-9]{1,10}$/i.test(str);
         const hasPathSeparators = /[\/\\]/.test(str);
         const isRelativePath = /^\.{1,2}\//.test(str);
-        const isAbsolutePath = import_path6.default.isAbsolute(str);
+        const isAbsolutePath = import_path7.default.isAbsolute(str);
         const hasTypicalFileChars = /^[a-zA-Z0-9._\-\/\\:~]+$/.test(str);
         if (!(hasFileExtension || isRelativePath || isAbsolutePath || hasPathSeparators)) {
           return false;
@@ -18766,14 +19951,14 @@ var init_ai_check_provider = __esm({
         }
         try {
           let resolvedPath;
-          if (import_path6.default.isAbsolute(str)) {
-            resolvedPath = import_path6.default.normalize(str);
+          if (import_path7.default.isAbsolute(str)) {
+            resolvedPath = import_path7.default.normalize(str);
           } else {
-            resolvedPath = import_path6.default.resolve(process.cwd(), str);
+            resolvedPath = import_path7.default.resolve(process.cwd(), str);
           }
-          const fs25 = require("fs").promises;
+          const fs26 = require("fs").promises;
           try {
-            const stat = await fs25.stat(resolvedPath);
+            const stat = await fs26.stat(resolvedPath);
             return stat.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -18790,14 +19975,14 @@ var init_ai_check_provider = __esm({
           throw new Error("Prompt file must have .liquid extension");
         }
         let resolvedPath;
-        if (import_path6.default.isAbsolute(promptPath)) {
+        if (import_path7.default.isAbsolute(promptPath)) {
           resolvedPath = promptPath;
         } else {
-          resolvedPath = import_path6.default.resolve(process.cwd(), promptPath);
+          resolvedPath = import_path7.default.resolve(process.cwd(), promptPath);
         }
-        if (!import_path6.default.isAbsolute(promptPath)) {
-          const normalizedPath = import_path6.default.normalize(resolvedPath);
-          const currentDir = import_path6.default.resolve(process.cwd());
+        if (!import_path7.default.isAbsolute(promptPath)) {
+          const normalizedPath = import_path7.default.normalize(resolvedPath);
+          const currentDir = import_path7.default.resolve(process.cwd());
           if (!normalizedPath.startsWith(currentDir)) {
             throw new Error("Invalid prompt file path: path traversal detected");
           }
@@ -18806,7 +19991,7 @@ var init_ai_check_provider = __esm({
           throw new Error("Invalid prompt file path: path traversal detected");
         }
         try {
-          const promptContent = await import_promises3.default.readFile(resolvedPath, "utf-8");
+          const promptContent = await import_promises4.default.readFile(resolvedPath, "utf-8");
           return promptContent;
         } catch (error) {
           throw new Error(
@@ -20209,37 +21394,8 @@ ${processedPrompt}` : processedPrompt;
        * Supports both traditional custom tools and workflow-as-tool references
        */
       loadCustomTools(toolItems, config) {
-        const tools = /* @__PURE__ */ new Map();
         const globalTools = config.__globalTools;
-        for (const item of toolItems) {
-          const workflowTool = resolveWorkflowToolFromItem(item);
-          if (workflowTool) {
-            logger.debug(`[AICheckProvider] Loaded workflow '${workflowTool.name}' as custom tool`);
-            tools.set(workflowTool.name, workflowTool);
-            continue;
-          }
-          if (typeof item === "string") {
-            if (globalTools && globalTools[item]) {
-              const tool = globalTools[item];
-              tool.name = tool.name || item;
-              tools.set(item, tool);
-              continue;
-            }
-            logger.warn(
-              `[AICheckProvider] Custom tool '${item}' not found in global tools or workflow registry`
-            );
-          } else if (isWorkflowToolReference(item)) {
-            logger.warn(
-              `[AICheckProvider] Workflow '${item.workflow}' referenced but not found in registry`
-            );
-          }
-        }
-        if (tools.size === 0 && toolItems.length > 0 && !globalTools) {
-          logger.warn(
-            `[AICheckProvider] ai_custom_tools specified but no global tools found in configuration and no workflows matched`
-          );
-        }
-        return tools;
+        return resolveTools(toolItems, globalTools, "[AICheckProvider]");
       }
       /**
        * Intersect config-level allowedTools with policy-level allowedTools.
@@ -20789,7 +21945,7 @@ var init_template_context = __esm({
 });
 
 // src/providers/http-client-provider.ts
-var fs12, path15, HttpClientProvider;
+var fs13, path16, HttpClientProvider;
 var init_http_client_provider = __esm({
   "src/providers/http-client-provider.ts"() {
     "use strict";
@@ -20799,8 +21955,8 @@ var init_http_client_provider = __esm({
     init_sandbox();
     init_template_context();
     init_logger();
-    fs12 = __toESM(require("fs"));
-    path15 = __toESM(require("path"));
+    fs13 = __toESM(require("fs"));
+    path16 = __toESM(require("path"));
     HttpClientProvider = class extends CheckProvider {
       liquid;
       sandbox;
@@ -20895,14 +22051,14 @@ var init_http_client_provider = __esm({
             const parentContext = context2?._parentContext;
             const workingDirectory = parentContext?.workingDirectory;
             const workspaceEnabled = parentContext?.workspace?.isEnabled?.();
-            if (workspaceEnabled && workingDirectory && !path15.isAbsolute(resolvedOutputFile)) {
-              resolvedOutputFile = path15.join(workingDirectory, resolvedOutputFile);
+            if (workspaceEnabled && workingDirectory && !path16.isAbsolute(resolvedOutputFile)) {
+              resolvedOutputFile = path16.join(workingDirectory, resolvedOutputFile);
               logger.debug(
                 `[http_client] Resolved relative output_file to workspace: ${resolvedOutputFile}`
               );
             }
-            if (skipIfExists && fs12.existsSync(resolvedOutputFile)) {
-              const stats = fs12.statSync(resolvedOutputFile);
+            if (skipIfExists && fs13.existsSync(resolvedOutputFile)) {
+              const stats = fs13.statSync(resolvedOutputFile);
               logger.verbose(`[http_client] File cached: ${resolvedOutputFile} (${stats.size} bytes)`);
               return {
                 issues: [],
@@ -21113,13 +22269,13 @@ var init_http_client_provider = __esm({
               ]
             };
           }
-          const parentDir = path15.dirname(outputFile);
-          if (parentDir && !fs12.existsSync(parentDir)) {
-            fs12.mkdirSync(parentDir, { recursive: true });
+          const parentDir = path16.dirname(outputFile);
+          if (parentDir && !fs13.existsSync(parentDir)) {
+            fs13.mkdirSync(parentDir, { recursive: true });
           }
           const arrayBuffer = await response.arrayBuffer();
           const buffer = Buffer.from(arrayBuffer);
-          fs12.writeFileSync(outputFile, buffer);
+          fs13.writeFileSync(outputFile, buffer);
           const contentType = response.headers.get("content-type") || "application/octet-stream";
           logger.verbose(`[http_client] Downloaded: ${outputFile} (${buffer.length} bytes)`);
           return {
@@ -21878,7 +23034,7 @@ var init_claude_code_types = __esm({
 function isClaudeCodeConstructor(value) {
   return typeof value === "function";
 }
-var import_promises4, import_path7, ClaudeCodeSDKNotInstalledError, ClaudeCodeAPIKeyMissingError, ClaudeCodeCheckProvider;
+var import_promises5, import_path8, ClaudeCodeSDKNotInstalledError, ClaudeCodeAPIKeyMissingError, ClaudeCodeCheckProvider;
 var init_claude_code_check_provider = __esm({
   "src/providers/claude-code-check-provider.ts"() {
     "use strict";
@@ -21886,8 +23042,8 @@ var init_claude_code_check_provider = __esm({
     init_env_resolver();
     init_issue_filter();
     init_liquid_extensions();
-    import_promises4 = __toESM(require("fs/promises"));
-    import_path7 = __toESM(require("path"));
+    import_promises5 = __toESM(require("fs/promises"));
+    import_path8 = __toESM(require("path"));
     init_claude_code_types();
     ClaudeCodeSDKNotInstalledError = class extends Error {
       constructor() {
@@ -22035,7 +23191,7 @@ var init_claude_code_check_provider = __esm({
         const hasFileExtension = /\.[a-zA-Z0-9]{1,10}$/i.test(str);
         const hasPathSeparators = /[\/\\]/.test(str);
         const isRelativePath = /^\.{1,2}\//.test(str);
-        const isAbsolutePath = import_path7.default.isAbsolute(str);
+        const isAbsolutePath = import_path8.default.isAbsolute(str);
         const hasTypicalFileChars = /^[a-zA-Z0-9._\-\/\\:~]+$/.test(str);
         if (!(hasFileExtension || isRelativePath || isAbsolutePath || hasPathSeparators)) {
           return false;
@@ -22045,13 +23201,13 @@ var init_claude_code_check_provider = __esm({
         }
         try {
           let resolvedPath;
-          if (import_path7.default.isAbsolute(str)) {
-            resolvedPath = import_path7.default.normalize(str);
+          if (import_path8.default.isAbsolute(str)) {
+            resolvedPath = import_path8.default.normalize(str);
           } else {
-            resolvedPath = import_path7.default.resolve(process.cwd(), str);
+            resolvedPath = import_path8.default.resolve(process.cwd(), str);
           }
           try {
-            const stat = await import_promises4.default.stat(resolvedPath);
+            const stat = await import_promises5.default.stat(resolvedPath);
             return stat.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -22068,14 +23224,14 @@ var init_claude_code_check_provider = __esm({
           throw new Error("Prompt file must have .liquid extension");
         }
         let resolvedPath;
-        if (import_path7.default.isAbsolute(promptPath)) {
+        if (import_path8.default.isAbsolute(promptPath)) {
           resolvedPath = promptPath;
         } else {
-          resolvedPath = import_path7.default.resolve(process.cwd(), promptPath);
+          resolvedPath = import_path8.default.resolve(process.cwd(), promptPath);
         }
-        if (!import_path7.default.isAbsolute(promptPath)) {
-          const normalizedPath = import_path7.default.normalize(resolvedPath);
-          const currentDir = import_path7.default.resolve(process.cwd());
+        if (!import_path8.default.isAbsolute(promptPath)) {
+          const normalizedPath = import_path8.default.normalize(resolvedPath);
+          const currentDir = import_path8.default.resolve(process.cwd());
           if (!normalizedPath.startsWith(currentDir)) {
             throw new Error("Invalid prompt file path: path traversal detected");
           }
@@ -22084,7 +23240,7 @@ var init_claude_code_check_provider = __esm({
           throw new Error("Invalid prompt file path: path traversal detected");
         }
         try {
-          const promptContent = await import_promises4.default.readFile(resolvedPath, "utf-8");
+          const promptContent = await import_promises5.default.readFile(resolvedPath, "utf-8");
           return promptContent;
         } catch (error) {
           throw new Error(
@@ -22436,6 +23592,7 @@ var init_command_check_provider = __esm({
     init_sandbox();
     init_liquid_extensions();
     init_logger();
+    init_env_resolver();
     init_command_executor();
     init_author_permissions();
     init_lazy_otel();
@@ -22637,7 +23794,7 @@ var init_command_check_provider = __esm({
           if (config.env) {
             for (const [key, value] of Object.entries(config.env)) {
               if (value !== void 0 && value !== null) {
-                scriptEnv[key] = String(value);
+                scriptEnv[key] = String(EnvironmentResolver.resolveValue(value));
               }
             }
           }
@@ -24653,14 +25810,14 @@ var require_util = __commonJS({
         }
         const port = url.port != null ? url.port : url.protocol === "https:" ? 443 : 80;
         let origin = url.origin != null ? url.origin : `${url.protocol}//${url.hostname}:${port}`;
-        let path29 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
+        let path30 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
         if (origin.endsWith("/")) {
           origin = origin.substring(0, origin.length - 1);
         }
-        if (path29 && !path29.startsWith("/")) {
-          path29 = `/${path29}`;
+        if (path30 && !path30.startsWith("/")) {
+          path30 = `/${path30}`;
         }
-        url = new URL(origin + path29);
+        url = new URL(origin + path30);
       }
       return url;
     }
@@ -26274,20 +27431,20 @@ var require_parseParams = __commonJS({
 var require_basename = __commonJS({
   "node_modules/@fastify/busboy/lib/utils/basename.js"(exports2, module2) {
     "use strict";
-    module2.exports = function basename4(path29) {
-      if (typeof path29 !== "string") {
+    module2.exports = function basename4(path30) {
+      if (typeof path30 !== "string") {
         return "";
       }
-      for (var i = path29.length - 1; i >= 0; --i) {
-        switch (path29.charCodeAt(i)) {
+      for (var i = path30.length - 1; i >= 0; --i) {
+        switch (path30.charCodeAt(i)) {
           case 47:
           // '/'
           case 92:
-            path29 = path29.slice(i + 1);
-            return path29 === ".." || path29 === "." ? "" : path29;
+            path30 = path30.slice(i + 1);
+            return path30 === ".." || path30 === "." ? "" : path30;
         }
       }
-      return path29 === ".." || path29 === "." ? "" : path29;
+      return path30 === ".." || path30 === "." ? "" : path30;
     };
   }
 });
@@ -29318,7 +30475,7 @@ var require_request = __commonJS({
     }
     var Request = class _Request {
       constructor(origin, {
-        path: path29,
+        path: path30,
         method,
         body,
         headers,
@@ -29332,11 +30489,11 @@ var require_request = __commonJS({
         throwOnError,
         expectContinue
       }, handler) {
-        if (typeof path29 !== "string") {
+        if (typeof path30 !== "string") {
           throw new InvalidArgumentError("path must be a string");
-        } else if (path29[0] !== "/" && !(path29.startsWith("http://") || path29.startsWith("https://")) && method !== "CONNECT") {
+        } else if (path30[0] !== "/" && !(path30.startsWith("http://") || path30.startsWith("https://")) && method !== "CONNECT") {
           throw new InvalidArgumentError("path must be an absolute URL or start with a slash");
-        } else if (invalidPathRegex.exec(path29) !== null) {
+        } else if (invalidPathRegex.exec(path30) !== null) {
           throw new InvalidArgumentError("invalid request path");
         }
         if (typeof method !== "string") {
@@ -29399,7 +30556,7 @@ var require_request = __commonJS({
         this.completed = false;
         this.aborted = false;
         this.upgrade = upgrade || null;
-        this.path = query ? util.buildURL(path29, query) : path29;
+        this.path = query ? util.buildURL(path30, query) : path30;
         this.origin = origin;
         this.idempotent = idempotent == null ? method === "HEAD" || method === "GET" : idempotent;
         this.blocking = blocking == null ? false : blocking;
@@ -30407,9 +31564,9 @@ var require_RedirectHandler = __commonJS({
           return this.handler.onHeaders(statusCode, headers, resume, statusText);
         }
         const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)));
-        const path29 = search ? `${pathname}${search}` : pathname;
+        const path30 = search ? `${pathname}${search}` : pathname;
         this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin);
-        this.opts.path = path29;
+        this.opts.path = path30;
         this.opts.origin = origin;
         this.opts.maxRedirections = 0;
         this.opts.query = null;
@@ -31651,7 +32808,7 @@ var require_client = __commonJS({
         writeH2(client, client[kHTTP2Session], request);
         return;
       }
-      const { body, method, path: path29, host, upgrade, headers, blocking, reset } = request;
+      const { body, method, path: path30, host, upgrade, headers, blocking, reset } = request;
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
         body.read(0);
@@ -31701,7 +32858,7 @@ var require_client = __commonJS({
       if (blocking) {
         socket[kBlocking] = true;
       }
-      let header = `${method} ${path29} HTTP/1.1\r
+      let header = `${method} ${path30} HTTP/1.1\r
 `;
       if (typeof host === "string") {
         header += `host: ${host}\r
@@ -31764,7 +32921,7 @@ upgrade: ${upgrade}\r
       return true;
     }
     function writeH2(client, session, request) {
-      const { body, method, path: path29, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
+      const { body, method, path: path30, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
       let headers;
       if (typeof reqHeaders === "string") headers = Request[kHTTP2CopyHeaders](reqHeaders.trim());
       else headers = reqHeaders;
@@ -31807,7 +32964,7 @@ upgrade: ${upgrade}\r
         });
         return true;
       }
-      headers[HTTP2_HEADER_PATH] = path29;
+      headers[HTTP2_HEADER_PATH] = path30;
       headers[HTTP2_HEADER_SCHEME] = "https";
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
@@ -34050,20 +35207,20 @@ var require_mock_utils = __commonJS({
       }
       return true;
     }
-    function safeUrl(path29) {
-      if (typeof path29 !== "string") {
-        return path29;
+    function safeUrl(path30) {
+      if (typeof path30 !== "string") {
+        return path30;
       }
-      const pathSegments = path29.split("?");
+      const pathSegments = path30.split("?");
       if (pathSegments.length !== 2) {
-        return path29;
+        return path30;
       }
       const qp = new URLSearchParams(pathSegments.pop());
       qp.sort();
       return [...pathSegments, qp.toString()].join("?");
     }
-    function matchKey(mockDispatch2, { path: path29, method, body, headers }) {
-      const pathMatch = matchValue(mockDispatch2.path, path29);
+    function matchKey(mockDispatch2, { path: path30, method, body, headers }) {
+      const pathMatch = matchValue(mockDispatch2.path, path30);
       const methodMatch = matchValue(mockDispatch2.method, method);
       const bodyMatch = typeof mockDispatch2.body !== "undefined" ? matchValue(mockDispatch2.body, body) : true;
       const headersMatch = matchHeaders(mockDispatch2, headers);
@@ -34081,7 +35238,7 @@ var require_mock_utils = __commonJS({
     function getMockDispatch(mockDispatches, key) {
       const basePath = key.query ? buildURL(key.path, key.query) : key.path;
       const resolvedPath = typeof basePath === "string" ? safeUrl(basePath) : basePath;
-      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path29 }) => matchValue(safeUrl(path29), resolvedPath));
+      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path30 }) => matchValue(safeUrl(path30), resolvedPath));
       if (matchedMockDispatches.length === 0) {
         throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`);
       }
@@ -34118,9 +35275,9 @@ var require_mock_utils = __commonJS({
       }
     }
     function buildKey(opts) {
-      const { path: path29, method, body, headers, query } = opts;
+      const { path: path30, method, body, headers, query } = opts;
       return {
-        path: path29,
+        path: path30,
         method,
         body,
         headers,
@@ -34569,10 +35726,10 @@ var require_pending_interceptors_formatter = __commonJS({
       }
       format(pendingInterceptors) {
         const withPrettyHeaders = pendingInterceptors.map(
-          ({ method, path: path29, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
+          ({ method, path: path30, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
             Method: method,
             Origin: origin,
-            Path: path29,
+            Path: path30,
             "Status code": statusCode,
             Persistent: persist ? "\u2705" : "\u274C",
             Invocations: timesInvoked,
@@ -39193,8 +40350,8 @@ var require_util6 = __commonJS({
         }
       }
     }
-    function validateCookiePath(path29) {
-      for (const char of path29) {
+    function validateCookiePath(path30) {
+      for (const char of path30) {
         const code = char.charCodeAt(0);
         if (code < 33 || char === ";") {
           throw new Error("Invalid cookie path");
@@ -40874,11 +42031,11 @@ var require_undici = __commonJS({
           if (typeof opts.path !== "string") {
             throw new InvalidArgumentError("invalid opts.path");
           }
-          let path29 = opts.path;
+          let path30 = opts.path;
           if (!opts.path.startsWith("/")) {
-            path29 = `/${path29}`;
+            path30 = `/${path30}`;
           }
-          url = new URL(util.parseOrigin(url).origin + path29);
+          url = new URL(util.parseOrigin(url).origin + path30);
         } else {
           if (!opts) {
             opts = typeof url === "object" ? url : {};
@@ -41306,10 +42463,11 @@ var init_mcp_check_provider = __esm({
               'No custom tools available. Define tools in the "tools" section of your configuration.'
             );
           }
-          const tool = this.customToolExecutor.getTool(config.method);
-          if (!tool) {
+          const hasTool = await this.customToolExecutor.hasTool(config.method);
+          if (!hasTool) {
+            const availableToolNames = await this.customToolExecutor.getToolNames();
             throw new Error(
-              `Custom tool not found: ${config.method}. Available tools: ${this.customToolExecutor.getTools().map((t) => t.name).join(", ")}`
+              `Custom tool not found: ${config.method}. Available tools: ${availableToolNames.join(", ")}`
             );
           }
           const context2 = {
@@ -41420,11 +42578,24 @@ var init_mcp_check_provider = __esm({
        * Execute MCP method using stdio transport
        */
       async executeStdioMethod(config, methodArgs, timeout) {
+        const env = {};
+        for (const [key, value] of Object.entries(process.env)) {
+          if (value !== void 0) {
+            env[key] = value;
+          }
+        }
+        if (config.env) {
+          for (const [key, value] of Object.entries(config.env)) {
+            if (value !== void 0 && value !== null) {
+              env[key] = String(EnvironmentResolver.resolveValue(value));
+            }
+          }
+        }
         return this.executeWithTransport(
           () => new import_stdio.StdioClientTransport({
             command: config.command,
             args: config.command_args,
-            env: config.env,
+            env,
             cwd: config.workingDirectory,
             stderr: "pipe"
             // Prevent child stderr from corrupting TUI
@@ -42149,7 +43320,7 @@ var init_stdin_reader = __esm({
 });
 
 // src/providers/human-input-check-provider.ts
-var fs14, path17, HumanInputCheckProvider;
+var fs15, path18, HumanInputCheckProvider;
 var init_human_input_check_provider = __esm({
   "src/providers/human-input-check-provider.ts"() {
     "use strict";
@@ -42158,8 +43329,8 @@ var init_human_input_check_provider = __esm({
     init_prompt_state();
     init_liquid_extensions();
     init_stdin_reader();
-    fs14 = __toESM(require("fs"));
-    path17 = __toESM(require("path"));
+    fs15 = __toESM(require("fs"));
+    path18 = __toESM(require("path"));
     HumanInputCheckProvider = class _HumanInputCheckProvider extends CheckProvider {
       liquid;
       /**
@@ -42333,19 +43504,19 @@ var init_human_input_check_provider = __esm({
        */
       async tryReadFile(filePath) {
         try {
-          const absolutePath = path17.isAbsolute(filePath) ? filePath : path17.resolve(process.cwd(), filePath);
-          const normalizedPath = path17.normalize(absolutePath);
+          const absolutePath = path18.isAbsolute(filePath) ? filePath : path18.resolve(process.cwd(), filePath);
+          const normalizedPath = path18.normalize(absolutePath);
           const cwd = process.cwd();
-          if (!normalizedPath.startsWith(cwd + path17.sep) && normalizedPath !== cwd) {
+          if (!normalizedPath.startsWith(cwd + path18.sep) && normalizedPath !== cwd) {
             return null;
           }
           try {
-            await fs14.promises.access(normalizedPath, fs14.constants.R_OK);
-            const stats = await fs14.promises.stat(normalizedPath);
+            await fs15.promises.access(normalizedPath, fs15.constants.R_OK);
+            const stats = await fs15.promises.stat(normalizedPath);
             if (!stats.isFile()) {
               return null;
             }
-            const content = await fs14.promises.readFile(normalizedPath, "utf-8");
+            const content = await fs15.promises.readFile(normalizedPath, "utf-8");
             return content.trim();
           } catch {
             return null;
@@ -42630,6 +43801,494 @@ ${snippet}`
   }
 });
 
+// src/utils/script-tool-environment.ts
+function formatSyntaxError(code, err) {
+  const line = err.loc?.line ?? 0;
+  const col = err.loc?.column ?? 0;
+  const baseMsg = err.message?.replace(/\s*\(\d+:\d+\)$/, "") || "Syntax error";
+  if (!line) return `Syntax error: ${baseMsg}`;
+  const lines = code.split("\n");
+  const snippetLines = [];
+  const start = Math.max(0, line - 2);
+  const end = Math.min(lines.length, line + 1);
+  for (let i = start; i < end; i++) {
+    const lineNum = String(i + 1).padStart(3, " ");
+    if (i === line - 1) {
+      snippetLines.push(`  > ${lineNum} | ${lines[i]}`);
+      snippetLines.push(`    ${" ".repeat(lineNum.length)} | ${" ".repeat(col)}^`);
+    } else {
+      snippetLines.push(`    ${lineNum} | ${lines[i]}`);
+    }
+  }
+  return `Syntax error at line ${line}, column ${col}: ${baseMsg}
+
+${snippetLines.join("\n")}`;
+}
+function levenshtein(a, b) {
+  const m = a.length;
+  const n = b.length;
+  const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+  return dp[m][n];
+}
+function transformScriptForAsync(code, asyncFunctionNames, opts) {
+  if (asyncFunctionNames.size === 0) {
+    return `return (() => {
+${code}
+})()`;
+  }
+  let ast;
+  try {
+    ast = acorn.parse(code, {
+      ecmaVersion: 2022,
+      sourceType: "script",
+      allowReturnOutsideFunction: true,
+      locations: true
+    });
+  } catch (e) {
+    throw new Error(formatSyntaxError(code, e));
+  }
+  if (opts?.knownGlobals) {
+    lintUnknownCalls(code, ast, opts.knownGlobals, opts.disabledBuiltins);
+  }
+  const insertions = [];
+  const functionsNeedingAsync = /* @__PURE__ */ new Set();
+  const functionScopes = [];
+  walk.full(ast, (node) => {
+    if (node.type === "ArrowFunctionExpression" || node.type === "FunctionExpression") {
+      functionScopes.push(node);
+    }
+  });
+  walk.full(ast, (node) => {
+    if (node.type !== "CallExpression") return;
+    const calleeName = getCalleeName(node);
+    if (!calleeName || !asyncFunctionNames.has(calleeName)) return;
+    insertions.push({ offset: node.start, text: "await " });
+    for (const fn of functionScopes) {
+      const body2 = fn.body;
+      if (body2 && body2.start <= node.start && body2.end >= node.end) {
+        functionsNeedingAsync.add(fn);
+      }
+    }
+  });
+  walk.full(ast, (node) => {
+    if (node.type !== "CallExpression") return;
+    const callNode = node;
+    const calleeName = getCalleeName(callNode);
+    if (calleeName !== "map" || !callNode.arguments || callNode.arguments.length < 2) return;
+    const callback = callNode.arguments[1];
+    if (callback.type === "ArrowFunctionExpression" || callback.type === "FunctionExpression") {
+      let hasAsyncCall = false;
+      walk.full(callback, (inner) => {
+        if (inner.type === "CallExpression") {
+          const innerName = getCalleeName(inner);
+          if (innerName && asyncFunctionNames.has(innerName)) {
+            hasAsyncCall = true;
+          }
+        }
+      });
+      if (hasAsyncCall) {
+        functionsNeedingAsync.add(callback);
+      }
+    }
+  });
+  walk.full(ast, (node) => {
+    if (node.type === "WhileStatement" || node.type === "ForStatement" || node.type === "ForOfStatement" || node.type === "ForInStatement") {
+      const body2 = node.body;
+      if (body2 && body2.type === "BlockStatement" && body2.body && body2.body.length > 0) {
+        insertions.push({ offset: body2.start + 1, text: " __checkLoop();" });
+      }
+    }
+  });
+  for (const fn of functionsNeedingAsync) {
+    insertions.push({ offset: fn.start, text: "async " });
+  }
+  const body = ast.body;
+  if (body && body.length > 0) {
+    const lastStmt = body[body.length - 1];
+    if (lastStmt.type === "ExpressionStatement") {
+      insertions.push({ offset: lastStmt.start, text: "return " });
+    }
+  }
+  insertions.sort((a, b) => b.offset - a.offset);
+  let transformed = code;
+  for (const ins of insertions) {
+    transformed = transformed.slice(0, ins.offset) + ins.text + transformed.slice(ins.offset);
+  }
+  return `return (async () => {
+${transformed}
+})()`;
+}
+function getCalleeName(callExpr) {
+  const callee = callExpr.callee;
+  if (callee.type === "Identifier" && callee.name) {
+    return callee.name;
+  }
+  return null;
+}
+function lintUnknownCalls(_code, ast, knownGlobals, disabledBuiltins) {
+  const declaredFunctions = /* @__PURE__ */ new Set();
+  walk.full(ast, (node) => {
+    if (node.type === "FunctionDeclaration" && node.id?.name) {
+      declaredFunctions.add(node.id.name);
+    }
+    if (node.type === "VariableDeclarator" && node.id?.name) {
+      const init = node.init;
+      if (init && (init.type === "ArrowFunctionExpression" || init.type === "FunctionExpression")) {
+        declaredFunctions.add(node.id.name);
+      }
+    }
+  });
+  const warnings = [];
+  walk.full(ast, (node) => {
+    if (node.type !== "CallExpression") return;
+    const name = getCalleeName(node);
+    if (!name) return;
+    if (knownGlobals.has(name) || JS_BUILTINS.has(name) || declaredFunctions.has(name)) return;
+    const loc = node.loc?.start;
+    const lineInfo = loc ? ` (line ${loc.line}, column ${loc.column})` : "";
+    if (disabledBuiltins?.has(name)) {
+      const hint = disabledBuiltins.get(name);
+      warnings.push(`'${name}()' is not enabled${lineInfo}. ${hint}`);
+      return;
+    }
+    const allNames = [...knownGlobals];
+    let bestMatch = "";
+    let bestDist = Infinity;
+    for (const candidate of allNames) {
+      const dist = levenshtein(name.toLowerCase(), candidate.toLowerCase());
+      if (dist < bestDist) {
+        bestDist = dist;
+        bestMatch = candidate;
+      }
+    }
+    const maxLen = Math.max(name.length, bestMatch.length);
+    const suggestion = bestDist <= Math.ceil(maxLen * 0.4) ? ` Did you mean '${bestMatch}'?` : "";
+    warnings.push(`Unknown function '${name}()'${lineInfo}.${suggestion}`);
+  });
+  if (warnings.length > 0) {
+    throw new Error(`Script lint errors:
+${warnings.map((w) => `  - ${w}`).join("\n")}`);
+  }
+}
+function tryParseJSON(text) {
+  if (typeof text !== "string") return text;
+  const firstChar = text.trimStart()[0];
+  if (firstChar === "{" || firstChar === "[") {
+    try {
+      return JSON.parse(text);
+    } catch {
+    }
+  }
+  return text;
+}
+function buildToolGlobals(opts) {
+  const { resolvedTools, mcpClients, toolContext, workflowContext } = opts;
+  const globals = {};
+  const asyncFunctionNames = /* @__PURE__ */ new Set();
+  const commandTools = {};
+  for (const [name, tool] of resolvedTools) {
+    if (!isWorkflowTool(tool)) {
+      commandTools[name] = tool;
+    }
+  }
+  const toolExecutor = new CustomToolExecutor(commandTools);
+  const allToolInfo = [];
+  for (const [name, tool] of resolvedTools) {
+    const toolFn = async (args = {}) => {
+      try {
+        if (isWorkflowTool(tool)) {
+          if (!workflowContext) {
+            return `ERROR: Workflow context not available for tool '${name}'`;
+          }
+          return await executeWorkflowAsTool(
+            tool.__workflowId,
+            args,
+            workflowContext,
+            tool.__argsOverrides
+          );
+        }
+        return await toolExecutor.execute(name, args, toolContext);
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        logger.warn(`[script:${name}] Tool error: ${msg}`);
+        return `ERROR: ${msg}`;
+      }
+    };
+    globals[name] = toolFn;
+    asyncFunctionNames.add(name);
+    allToolInfo.push({ name, description: tool.description });
+  }
+  if (mcpClients) {
+    for (const entry of mcpClients) {
+      for (const mcpTool of entry.tools) {
+        const globalName = `${entry.serverName}_${mcpTool.name}`;
+        const mcpToolFn = async (args = {}) => {
+          try {
+            const result = await entry.client.callTool({
+              name: mcpTool.name,
+              arguments: args
+            });
+            const content = result?.content;
+            if (Array.isArray(content) && content.length > 0) {
+              const text = content[0]?.text;
+              if (text !== void 0) {
+                return tryParseJSON(text);
+              }
+            }
+            return result;
+          } catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            logger.warn(`[script:${globalName}] MCP tool error: ${msg}`);
+            return `ERROR: ${msg}`;
+          }
+        };
+        globals[globalName] = mcpToolFn;
+        asyncFunctionNames.add(globalName);
+        allToolInfo.push({ name: globalName, description: mcpTool.description });
+      }
+    }
+  }
+  const callToolFn = async (name, args = {}) => {
+    const fn = globals[name];
+    if (!fn || typeof fn !== "function") {
+      const available = Array.from(asyncFunctionNames).join(", ");
+      return `ERROR: Tool '${name}' not found. Available: ${available}`;
+    }
+    return fn(args);
+  };
+  globals.callTool = callToolFn;
+  asyncFunctionNames.add("callTool");
+  globals.listTools = () => {
+    return [...allToolInfo];
+  };
+  return { globals, asyncFunctionNames };
+}
+function buildBuiltinGlobals(opts) {
+  const globals = {};
+  const asyncFunctionNames = /* @__PURE__ */ new Set();
+  const scheduleFn = async (args = {}) => {
+    try {
+      const { handleScheduleAction: handleScheduleAction2, buildScheduleToolContext: buildScheduleToolContext2 } = await Promise.resolve().then(() => (init_schedule_tool(), schedule_tool_exports));
+      const { extractSlackContext: extractSlackContext2 } = await Promise.resolve().then(() => (init_schedule_tool_handler(), schedule_tool_handler_exports));
+      const parentCtx = opts.sessionInfo?._parentContext;
+      const webhookData = parentCtx?.prInfo?.eventContext?.webhookData;
+      const visorCfg = parentCtx?.config;
+      const slackContext = webhookData ? extractSlackContext2(webhookData) : null;
+      const availableWorkflows = visorCfg?.checks ? Object.keys(visorCfg.checks) : void 0;
+      const permissions = visorCfg?.scheduler?.permissions;
+      const context2 = buildScheduleToolContext2(
+        {
+          slackContext: slackContext || void 0,
+          cliContext: slackContext ? void 0 : { userId: "script" }
+        },
+        availableWorkflows,
+        permissions
+      );
+      return await handleScheduleAction2(args, context2);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      logger.warn(`[script:schedule] Error: ${msg}`);
+      return `ERROR: ${msg}`;
+    }
+  };
+  globals.schedule = scheduleFn;
+  asyncFunctionNames.add("schedule");
+  if (opts.config.enable_fetch === true) {
+    const fetchFn = async (args = {}) => {
+      try {
+        const url = String(args.url || "");
+        if (!url) return "ERROR: url is required";
+        const method = String(args.method || "GET");
+        const headers = args.headers || {};
+        const body = args.body != null ? String(args.body) : void 0;
+        const timeout = Number(args.timeout) || 3e4;
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeout);
+        try {
+          const resp = await globalThis.fetch(url, {
+            method,
+            headers,
+            body: method !== "GET" ? body : void 0,
+            signal: controller.signal
+          });
+          clearTimeout(timeoutId);
+          const contentType = resp.headers.get("content-type") || "";
+          if (contentType.includes("json")) return await resp.json();
+          const text = await resp.text();
+          try {
+            return JSON.parse(text);
+          } catch {
+            return text;
+          }
+        } finally {
+          clearTimeout(timeoutId);
+        }
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        logger.warn(`[script:fetch] Error: ${msg}`);
+        return `ERROR: ${msg}`;
+      }
+    };
+    globals.fetch = fetchFn;
+    asyncFunctionNames.add("fetch");
+  }
+  const octokit = opts.config.eventContext?.octokit;
+  if (octokit) {
+    const githubFn = async (args = {}) => {
+      try {
+        const op = String(args.op || "");
+        const repoEnv = process.env.GITHUB_REPOSITORY || "";
+        let owner = "";
+        let repo = "";
+        if (repoEnv.includes("/")) {
+          [owner, repo] = repoEnv.split("/");
+        }
+        if (!owner || !repo) {
+          const ec = opts.config.eventContext || {};
+          owner = owner || ec.repository?.owner?.login || "";
+          repo = repo || ec.repository?.name || "";
+        }
+        const prNumber = opts.prInfo?.number;
+        if (!owner || !repo || !prNumber) {
+          return "ERROR: Missing GitHub repo/PR context";
+        }
+        const values = Array.isArray(args.values) ? args.values.map(String) : typeof args.value === "string" ? [args.value] : typeof args.values === "string" ? [args.values] : [];
+        switch (op) {
+          case "labels.add":
+            await octokit.rest.issues.addLabels({
+              owner,
+              repo,
+              issue_number: prNumber,
+              labels: values
+            });
+            return { success: true, op };
+          case "labels.remove":
+            for (const name of values) {
+              try {
+                await octokit.rest.issues.removeLabel({
+                  owner,
+                  repo,
+                  issue_number: prNumber,
+                  name
+                });
+              } catch {
+              }
+            }
+            return { success: true, op };
+          case "comment.create":
+            await octokit.rest.issues.createComment({
+              owner,
+              repo,
+              issue_number: prNumber,
+              body: values[0] || ""
+            });
+            return { success: true, op };
+          default:
+            return `ERROR: Unknown github op '${op}'. Supported: labels.add, labels.remove, comment.create`;
+        }
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        logger.warn(`[script:github] Error: ${msg}`);
+        return `ERROR: ${msg}`;
+      }
+    };
+    globals.github = githubFn;
+    asyncFunctionNames.add("github");
+  }
+  if (opts.config.enable_bash === true) {
+    const bashFn = async (args = {}) => {
+      try {
+        const { CommandExecutor: CommandExecutor2 } = await Promise.resolve().then(() => (init_command_executor(), command_executor_exports));
+        const executor = CommandExecutor2.getInstance();
+        const command = String(args.command || "");
+        if (!command) return "ERROR: command is required";
+        return await executor.execute(command, {
+          cwd: args.cwd ? String(args.cwd) : void 0,
+          env: args.env,
+          timeout: Number(args.timeout) || 3e4
+        });
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        logger.warn(`[script:bash] Error: ${msg}`);
+        return `ERROR: ${msg}`;
+      }
+    };
+    globals.bash = bashFn;
+    asyncFunctionNames.add("bash");
+  }
+  return { globals, asyncFunctionNames };
+}
+var acorn, walk, JS_BUILTINS;
+var init_script_tool_environment = __esm({
+  "src/utils/script-tool-environment.ts"() {
+    "use strict";
+    acorn = __toESM(require("acorn"));
+    walk = __toESM(require("acorn-walk"));
+    init_custom_tool_executor();
+    init_workflow_tool_executor();
+    init_logger();
+    JS_BUILTINS = /* @__PURE__ */ new Set([
+      // Constructors & types
+      "Array",
+      "Object",
+      "String",
+      "Number",
+      "Boolean",
+      "Date",
+      "RegExp",
+      "Error",
+      "TypeError",
+      "RangeError",
+      "Map",
+      "Set",
+      "WeakMap",
+      "WeakSet",
+      "Promise",
+      "Symbol",
+      "BigInt",
+      "Proxy",
+      "Reflect",
+      // Static methods commonly called as functions
+      "parseInt",
+      "parseFloat",
+      "isNaN",
+      "isFinite",
+      "encodeURIComponent",
+      "decodeURIComponent",
+      "encodeURI",
+      "decodeURI",
+      // Timers
+      "setTimeout",
+      "clearTimeout",
+      "setInterval",
+      "clearInterval",
+      // JSON/Math accessed via method calls are on objects, but just in case
+      "JSON",
+      "Math",
+      "console",
+      // Node.js globals — sandbox blocks these at runtime with a better error
+      "require",
+      "process",
+      "Buffer",
+      "global",
+      "globalThis",
+      // Common patterns
+      "eval",
+      "Function",
+      "alert",
+      "confirm",
+      "prompt"
+    ]);
+  }
+});
+
 // src/providers/script-check-provider.ts
 var ScriptCheckProvider;
 var init_script_check_provider = __esm({
@@ -42642,6 +44301,10 @@ var init_script_check_provider = __esm({
     init_sandbox();
     init_template_context();
     init_script_memory_ops();
+    init_tool_resolver();
+    init_script_tool_environment();
+    init_workflow_tool_executor();
+    init_env_resolver();
     ScriptCheckProvider = class extends CheckProvider {
       liquid;
       constructor() {
@@ -42658,7 +44321,7 @@ var init_script_check_provider = __esm({
         return "script";
       }
       getDescription() {
-        return "Execute JavaScript with access to PR context, dependency outputs, and memory.";
+        return "Execute JavaScript with access to PR context, dependency outputs, memory, and tools.";
       }
       async validateConfig(config) {
         if (!config || typeof config !== "object") return false;
@@ -42708,16 +44371,77 @@ var init_script_check_provider = __esm({
         ctx.atob = (str) => {
           return Buffer.from(String(str), "base64").toString("binary");
         };
+        const { globals: builtinGlobals, asyncFunctionNames: builtinAsyncNames } = buildBuiltinGlobals({
+          config,
+          prInfo,
+          sessionInfo: _sessionInfo
+        });
+        Object.assign(ctx, builtinGlobals);
+        const hasTools = Array.isArray(config.tools) || config.tools_js || config.mcp_servers;
         const sandbox = this.createSecureSandbox();
         let result;
-        try {
-          result = compileAndRun(
+        let mcpClients = [];
+        try {
+          const asyncFunctionNames = new Set(builtinAsyncNames);
+          if (hasTools) {
+            const toolItems = this.resolveToolItems(config, prInfo, dependencyResults, ctx);
+            const globalTools = config.__globalTools;
+            const resolvedTools = resolveTools(toolItems, globalTools, "[script]");
+            mcpClients = await this.connectMcpServers(config.mcp_servers);
+            const toolContext = {
+              pr: ctx.pr,
+              files: ctx.files || prInfo.files,
+              outputs: ctx.outputs,
+              env: process.env
+            };
+            const parentCtx = _sessionInfo?._parentContext;
+            const workflowContext = {
+              prInfo,
+              outputs: dependencyResults,
+              executionContext: _sessionInfo,
+              workspace: parentCtx?.workspace
+            };
+            const { globals: toolGlobals, asyncFunctionNames: toolAsyncNames } = buildToolGlobals({
+              resolvedTools,
+              mcpClients,
+              toolContext,
+              workflowContext
+            });
+            Object.assign(ctx, toolGlobals);
+            for (const name of toolAsyncNames) asyncFunctionNames.add(name);
+          }
+          let loopIterations = 0;
+          const maxLoopIterations = 1e4;
+          ctx.__checkLoop = () => {
+            loopIterations++;
+            if (loopIterations > maxLoopIterations) {
+              throw new Error(`Loop exceeded maximum of ${maxLoopIterations} iterations`);
+            }
+          };
+          const knownGlobals = new Set(Object.keys(ctx));
+          for (const name of asyncFunctionNames) knownGlobals.add(name);
+          knownGlobals.add("__checkLoop");
+          knownGlobals.add("log");
+          const disabledBuiltins = /* @__PURE__ */ new Map();
+          if (!config.enable_bash) {
+            disabledBuiltins.set("bash", "Add 'enable_bash: true' to your check config to enable it.");
+          }
+          if (!config.enable_fetch) {
+            disabledBuiltins.set(
+              "fetch",
+              "Add 'enable_fetch: true' to your check config to enable it."
+            );
+          }
+          const transformed = transformScriptForAsync(script, asyncFunctionNames, {
+            knownGlobals,
+            disabledBuiltins
+          });
+          result = await compileAndRunAsync(
             sandbox,
-            script,
+            transformed,
             { ...ctx },
             {
               injectLog: true,
-              wrapFunction: true,
               logPrefix: "[script]"
             }
           );
@@ -42737,6 +44461,8 @@ var init_script_check_provider = __esm({
             ],
             output: null
           };
+        } finally {
+          await this.disconnectMcpClients(mcpClients);
         }
         try {
           if (needsSave() && memoryStore.getConfig().storage === "file" && memoryStore.getConfig().auto_save) {
@@ -42762,17 +44488,167 @@ var init_script_check_provider = __esm({
         }
         return out;
       }
+      /**
+       * Resolve tool items from static config and optional JS expression.
+       */
+      resolveToolItems(config, prInfo, dependencyResults, ctx) {
+        let items = [];
+        const staticTools = config.tools;
+        if (Array.isArray(staticTools)) {
+          items = staticTools.filter(
+            (item) => typeof item === "string" || isWorkflowToolReference(item)
+          );
+        }
+        const toolsJsExpr = config.tools_js;
+        if (toolsJsExpr && dependencyResults) {
+          try {
+            const jsSandbox = this.createSecureSandbox();
+            const jsCtx = ctx || buildProviderTemplateContext(prInfo, dependencyResults);
+            jsCtx.env = process.env;
+            jsCtx.inputs = config.workflowInputs || {};
+            const evalResult = compileAndRun(jsSandbox, toolsJsExpr, jsCtx, {
+              injectLog: true,
+              wrapFunction: true,
+              logPrefix: "[tools_js]"
+            });
+            if (Array.isArray(evalResult)) {
+              const dynamic = evalResult.filter(
+                (item) => typeof item === "string" || isWorkflowToolReference(item)
+              );
+              const existingNames = new Set(items.map((i) => typeof i === "string" ? i : i.workflow));
+              for (const tool of dynamic) {
+                const name = typeof tool === "string" ? tool : tool.workflow;
+                if (!existingNames.has(name)) {
+                  items.push(tool);
+                }
+              }
+            }
+          } catch (error) {
+            logger.error(
+              `[script] Failed to evaluate tools_js: ${error instanceof Error ? error.message : "Unknown error"}`
+            );
+          }
+        }
+        return items;
+      }
+      /**
+       * Connect to MCP servers and discover their tools.
+       */
+      async connectMcpServers(mcpServersConfig) {
+        if (!mcpServersConfig || Object.keys(mcpServersConfig).length === 0) {
+          return [];
+        }
+        const entries = [];
+        for (const [serverName, serverConfig] of Object.entries(mcpServersConfig)) {
+          try {
+            const { Client: Client2 } = await import("@modelcontextprotocol/sdk/client/index.js");
+            const client = new Client2(
+              { name: "visor-script-client", version: "1.0.0" },
+              { capabilities: {} }
+            );
+            const env = {};
+            for (const [key, value] of Object.entries(process.env)) {
+              if (value !== void 0) env[key] = value;
+            }
+            if (serverConfig.env) {
+              for (const [key, value] of Object.entries(serverConfig.env)) {
+                env[key] = String(EnvironmentResolver.resolveValue(String(value)));
+              }
+            }
+            const timeout = (serverConfig.timeout || 60) * 1e3;
+            if (serverConfig.command) {
+              const { StdioClientTransport: StdioClientTransport2 } = await import("@modelcontextprotocol/sdk/client/stdio.js");
+              const transport = new StdioClientTransport2({
+                command: serverConfig.command,
+                args: serverConfig.args,
+                env,
+                stderr: "pipe"
+              });
+              await Promise.race([
+                client.connect(transport),
+                new Promise(
+                  (_, reject) => setTimeout(() => reject(new Error("MCP connection timeout")), timeout)
+                )
+              ]);
+            } else if (serverConfig.url) {
+              const transportType = serverConfig.transport || "sse";
+              if (transportType === "sse") {
+                const { SSEClientTransport: SSEClientTransport2 } = await import("@modelcontextprotocol/sdk/client/sse.js");
+                await Promise.race([
+                  client.connect(new SSEClientTransport2(new URL(serverConfig.url))),
+                  new Promise(
+                    (_, reject) => setTimeout(() => reject(new Error("MCP connection timeout")), timeout)
+                  )
+                ]);
+              } else {
+                const { StreamableHTTPClientTransport: StreamableHTTPClientTransport2 } = await import("@modelcontextprotocol/sdk/client/streamableHttp.js");
+                await Promise.race([
+                  client.connect(new StreamableHTTPClientTransport2(new URL(serverConfig.url))),
+                  new Promise(
+                    (_, reject) => setTimeout(() => reject(new Error("MCP connection timeout")), timeout)
+                  )
+                ]);
+              }
+            } else {
+              logger.warn(`[script] MCP server '${serverName}' has no command or url, skipping`);
+              continue;
+            }
+            let tools = [];
+            try {
+              const listResult = await client.listTools();
+              tools = (listResult?.tools || []).map((t) => ({
+                name: t.name,
+                description: t.description,
+                inputSchema: t.inputSchema
+              }));
+              logger.debug(
+                `[script] MCP '${serverName}': ${tools.length} tools [${tools.map((t) => t.name).join(", ")}]`
+              );
+            } catch (err) {
+              logger.warn(
+                `[script] Could not list tools from MCP '${serverName}': ${err instanceof Error ? err.message : String(err)}`
+              );
+            }
+            entries.push({ client, serverName, tools });
+          } catch (err) {
+            logger.error(
+              `[script] Failed to connect MCP '${serverName}': ${err instanceof Error ? err.message : String(err)}`
+            );
+          }
+        }
+        return entries;
+      }
+      /**
+       * Disconnect all MCP clients.
+       */
+      async disconnectMcpClients(clients) {
+        for (const entry of clients) {
+          try {
+            await entry.client.close();
+          } catch (err) {
+            logger.debug(
+              `[script] Error closing MCP '${entry.serverName}': ${err instanceof Error ? err.message : String(err)}`
+            );
+          }
+        }
+      }
       getSupportedConfigKeys() {
         return [
           "type",
           "content",
+          "tools",
+          "tools_js",
+          "mcp_servers",
+          "enable_fetch",
+          "enable_bash",
           "depends_on",
           "group",
           "on",
           "if",
           "fail_if",
           "on_fail",
-          "on_success"
+          "on_success",
+          "timeout"
         ];
       }
       async isAvailable() {
@@ -42781,19 +44657,18 @@ var init_script_check_provider = __esm({
       getRequirements() {
         return ["No external dependencies required"];
       }
-      // No local buildTemplateContext; uses shared builder above
     };
   }
 });
 
 // src/utils/worktree-manager.ts
-var fs15, fsp, path18, crypto, WorktreeManager, worktreeManager;
+var fs16, fsp, path19, crypto, WorktreeManager, worktreeManager;
 var init_worktree_manager = __esm({
   "src/utils/worktree-manager.ts"() {
     "use strict";
-    fs15 = __toESM(require("fs"));
+    fs16 = __toESM(require("fs"));
     fsp = __toESM(require("fs/promises"));
-    path18 = __toESM(require("path"));
+    path19 = __toESM(require("path"));
     crypto = __toESM(require("crypto"));
     init_command_executor();
     init_logger();
@@ -42809,7 +44684,7 @@ var init_worktree_manager = __esm({
         } catch {
           cwd = "/tmp";
         }
-        const defaultBasePath = process.env.VISOR_WORKTREE_PATH || path18.join(cwd, ".visor", "worktrees");
+        const defaultBasePath = process.env.VISOR_WORKTREE_PATH || path19.join(cwd, ".visor", "worktrees");
         this.config = {
           enabled: true,
           base_path: defaultBasePath,
@@ -42846,20 +44721,20 @@ var init_worktree_manager = __esm({
         }
         const reposDir = this.getReposDir();
         const worktreesDir = this.getWorktreesDir();
-        if (!fs15.existsSync(reposDir)) {
-          fs15.mkdirSync(reposDir, { recursive: true });
+        if (!fs16.existsSync(reposDir)) {
+          fs16.mkdirSync(reposDir, { recursive: true });
           logger.debug(`Created repos directory: ${reposDir}`);
         }
-        if (!fs15.existsSync(worktreesDir)) {
-          fs15.mkdirSync(worktreesDir, { recursive: true });
+        if (!fs16.existsSync(worktreesDir)) {
+          fs16.mkdirSync(worktreesDir, { recursive: true });
           logger.debug(`Created worktrees directory: ${worktreesDir}`);
         }
       }
       getReposDir() {
-        return path18.join(this.config.base_path, "repos");
+        return path19.join(this.config.base_path, "repos");
       }
       getWorktreesDir() {
-        return path18.join(this.config.base_path, "worktrees");
+        return path19.join(this.config.base_path, "worktrees");
       }
       /**
        * Generate a deterministic worktree ID based on repository and ref.
@@ -42877,8 +44752,8 @@ var init_worktree_manager = __esm({
       async getOrCreateBareRepo(repository, repoUrl, token, fetchDepth, cloneTimeoutMs) {
         const reposDir = this.getReposDir();
         const repoName = repository.replace(/\//g, "-");
-        const bareRepoPath = path18.join(reposDir, `${repoName}.git`);
-        if (fs15.existsSync(bareRepoPath)) {
+        const bareRepoPath = path19.join(reposDir, `${repoName}.git`);
+        if (fs16.existsSync(bareRepoPath)) {
           logger.debug(`Bare repository already exists: ${bareRepoPath}`);
           const verifyResult = await this.verifyBareRepoRemote(bareRepoPath, repoUrl);
           if (verifyResult === "timeout") {
@@ -42997,11 +44872,11 @@ var init_worktree_manager = __esm({
           options.cloneTimeoutMs
         );
         const worktreeId = this.generateWorktreeId(repository, ref);
-        let worktreePath = options.workingDirectory || path18.join(this.getWorktreesDir(), worktreeId);
+        let worktreePath = options.workingDirectory || path19.join(this.getWorktreesDir(), worktreeId);
         if (options.workingDirectory) {
           worktreePath = this.validatePath(options.workingDirectory);
         }
-        if (fs15.existsSync(worktreePath)) {
+        if (fs16.existsSync(worktreePath)) {
           logger.debug(`Worktree already exists: ${worktreePath}`);
           const metadata2 = await this.loadMetadata(worktreePath);
           if (metadata2) {
@@ -43242,9 +45117,9 @@ var init_worktree_manager = __esm({
         const result = await this.executeGitCommand(removeCmd, { timeout: 3e4 });
         if (result.exitCode !== 0) {
           logger.warn(`Failed to remove worktree via git: ${result.stderr}`);
-          if (fs15.existsSync(worktree_path)) {
+          if (fs16.existsSync(worktree_path)) {
             logger.debug(`Manually removing worktree directory`);
-            fs15.rmSync(worktree_path, { recursive: true, force: true });
+            fs16.rmSync(worktree_path, { recursive: true, force: true });
           }
         }
         this.activeWorktrees.delete(worktreeId);
@@ -43254,19 +45129,19 @@ var init_worktree_manager = __esm({
        * Save worktree metadata
        */
       async saveMetadata(worktreePath, metadata) {
-        const metadataPath = path18.join(worktreePath, ".visor-metadata.json");
-        fs15.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2), "utf8");
+        const metadataPath = path19.join(worktreePath, ".visor-metadata.json");
+        fs16.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2), "utf8");
       }
       /**
        * Load worktree metadata
        */
       async loadMetadata(worktreePath) {
-        const metadataPath = path18.join(worktreePath, ".visor-metadata.json");
-        if (!fs15.existsSync(metadataPath)) {
+        const metadataPath = path19.join(worktreePath, ".visor-metadata.json");
+        if (!fs16.existsSync(metadataPath)) {
           return null;
         }
         try {
-          const content = fs15.readFileSync(metadataPath, "utf8");
+          const content = fs16.readFileSync(metadataPath, "utf8");
           return JSON.parse(content);
         } catch (error) {
           logger.warn(`Failed to load metadata: ${error}`);
@@ -43278,14 +45153,14 @@ var init_worktree_manager = __esm({
        */
       async listWorktrees() {
         const worktreesDir = this.getWorktreesDir();
-        if (!fs15.existsSync(worktreesDir)) {
+        if (!fs16.existsSync(worktreesDir)) {
           return [];
         }
-        const entries = fs15.readdirSync(worktreesDir, { withFileTypes: true });
+        const entries = fs16.readdirSync(worktreesDir, { withFileTypes: true });
         const worktrees = [];
         for (const entry of entries) {
           if (!entry.isDirectory()) continue;
-          const worktreePath = path18.join(worktreesDir, entry.name);
+          const worktreePath = path19.join(worktreesDir, entry.name);
           const metadata = await this.loadMetadata(worktreePath);
           if (metadata) {
             worktrees.push({
@@ -43417,8 +45292,8 @@ var init_worktree_manager = __esm({
        * Validate path to prevent directory traversal
        */
       validatePath(userPath) {
-        const resolvedPath = path18.resolve(userPath);
-        if (!path18.isAbsolute(resolvedPath)) {
+        const resolvedPath = path19.resolve(userPath);
+        if (!path19.isAbsolute(resolvedPath)) {
           throw new Error("Path must be absolute");
         }
         const sensitivePatterns = [
@@ -45127,6 +47002,7 @@ async function executeSingleCheck(checkId, context2, state, emitEvent, transitio
       ...checkConfig,
       eventContext: context2.prInfo?.eventContext || {},
       __outputHistory: outputHistory,
+      __globalTools: context2.config.tools || {},
       // Propagate workflow inputs for template access via {{ inputs.* }}
       workflowInputs,
       ai: {
@@ -45444,23 +47320,23 @@ __export(renderer_schema_exports, {
 });
 async function loadRendererSchema(name) {
   try {
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs26 = await import("fs/promises");
+    const path30 = await import("path");
     const sanitized = String(name).replace(/[^a-zA-Z0-9-]/g, "");
     if (!sanitized) return void 0;
     const candidates = [
       // When bundled with ncc, __dirname is dist/ and output/ is at dist/output/
-      path29.join(__dirname, "output", sanitized, "schema.json"),
+      path30.join(__dirname, "output", sanitized, "schema.json"),
       // When running from source, __dirname is src/state-machine/dispatch/ and output/ is at output/
-      path29.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
+      path30.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
       // When running from a checkout with output/ folder copied to CWD
-      path29.join(process.cwd(), "output", sanitized, "schema.json"),
+      path30.join(process.cwd(), "output", sanitized, "schema.json"),
       // Fallback: cwd/dist/output/
-      path29.join(process.cwd(), "dist", "output", sanitized, "schema.json")
+      path30.join(process.cwd(), "dist", "output", sanitized, "schema.json")
     ];
     for (const p of candidates) {
       try {
-        const raw = await fs25.readFile(p, "utf-8");
+        const raw = await fs26.readFile(p, "utf-8");
         return JSON.parse(raw);
       } catch {
       }
@@ -47879,8 +49755,8 @@ function updateStats2(results, state, isForEachIteration = false) {
 async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs26 = await import("fs/promises");
+    const path30 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" && !schemaRaw.includes("{{") && !schemaRaw.includes("{%") ? schemaRaw : typeof schemaRaw === "object" ? "code-review" : "plain";
     let templateContent;
@@ -47889,27 +49765,27 @@ async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
       logger.debug(`[LevelDispatch] Using inline template for ${checkId}`);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path29.resolve(process.cwd(), file);
-      templateContent = await fs25.readFile(resolved, "utf-8");
+      const resolved = path30.resolve(process.cwd(), file);
+      templateContent = await fs26.readFile(resolved, "utf-8");
       logger.debug(`[LevelDispatch] Using template file for ${checkId}: ${resolved}`);
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path29.join(__dirname, "output", sanitized, "template.liquid"),
+          path30.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path30.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source (from state-machine/states)
-          path29.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
+          path30.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
           // source (alternate)
-          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path30.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path30.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs25.readFile(p, "utf-8");
+            templateContent = await fs26.readFile(p, "utf-8");
             if (templateContent) {
               logger.debug(`[LevelDispatch] Using schema template for ${checkId}: ${p}`);
               break;
@@ -48516,14 +50392,14 @@ var init_runner = __esm({
 });
 
 // src/sandbox/docker-image-sandbox.ts
-var import_util2, import_child_process2, import_fs5, import_path8, import_os, import_crypto2, execFileAsync, EXEC_MAX_BUFFER, DockerImageSandbox;
+var import_util2, import_child_process2, import_fs5, import_path9, import_os, import_crypto2, execFileAsync, EXEC_MAX_BUFFER, DockerImageSandbox;
 var init_docker_image_sandbox = __esm({
   "src/sandbox/docker-image-sandbox.ts"() {
     "use strict";
     import_util2 = require("util");
     import_child_process2 = require("child_process");
     import_fs5 = require("fs");
-    import_path8 = require("path");
+    import_path9 = require("path");
     import_os = require("os");
     import_crypto2 = require("crypto");
     init_logger();
@@ -48568,8 +50444,8 @@ var init_docker_image_sandbox = __esm({
                   `Sandbox '${this.name}' has invalid dockerfile_inline: must contain a FROM instruction`
                 );
               }
-              const tmpDir = (0, import_fs5.mkdtempSync)((0, import_path8.join)((0, import_os.tmpdir)(), "visor-build-"));
-              const dockerfilePath = (0, import_path8.join)(tmpDir, "Dockerfile");
+              const tmpDir = (0, import_fs5.mkdtempSync)((0, import_path9.join)((0, import_os.tmpdir)(), "visor-build-"));
+              const dockerfilePath = (0, import_path9.join)(tmpDir, "Dockerfile");
               (0, import_fs5.writeFileSync)(dockerfilePath, this.config.dockerfile_inline, "utf8");
               try {
                 logger.info(`Building sandbox image '${imageName}' from inline Dockerfile`);
@@ -49006,11 +50882,11 @@ var init_cache_volume_manager = __esm({
 });
 
 // src/sandbox/sandbox-manager.ts
-var import_path9, import_fs6, SandboxManager;
+var import_path10, import_fs6, SandboxManager;
 var init_sandbox_manager = __esm({
   "src/sandbox/sandbox-manager.ts"() {
     "use strict";
-    import_path9 = require("path");
+    import_path10 = require("path");
     import_fs6 = require("fs");
     init_docker_image_sandbox();
     init_docker_compose_sandbox();
@@ -49030,10 +50906,10 @@ var init_sandbox_manager = __esm({
       }
       constructor(sandboxDefs, repoPath, gitBranch) {
         this.sandboxDefs = sandboxDefs;
-        this.repoPath = (0, import_path9.resolve)(repoPath);
+        this.repoPath = (0, import_path10.resolve)(repoPath);
         this.gitBranch = gitBranch;
         this.cacheManager = new CacheVolumeManager();
-        this.visorDistPath = (0, import_fs6.existsSync)((0, import_path9.join)(__dirname, "index.js")) ? __dirname : (0, import_path9.resolve)((0, import_path9.dirname)(__dirname));
+        this.visorDistPath = (0, import_fs6.existsSync)((0, import_path10.join)(__dirname, "index.js")) ? __dirname : (0, import_path10.resolve)((0, import_path10.dirname)(__dirname));
       }
       /**
        * Resolve which sandbox a check should use.
@@ -49150,13 +51026,13 @@ var init_sandbox_manager = __esm({
 });
 
 // src/utils/file-exclusion.ts
-var import_ignore, fs16, path19, DEFAULT_EXCLUSION_PATTERNS, FileExclusionHelper;
+var import_ignore, fs17, path20, DEFAULT_EXCLUSION_PATTERNS, FileExclusionHelper;
 var init_file_exclusion = __esm({
   "src/utils/file-exclusion.ts"() {
     "use strict";
     import_ignore = __toESM(require("ignore"));
-    fs16 = __toESM(require("fs"));
-    path19 = __toESM(require("path"));
+    fs17 = __toESM(require("fs"));
+    path20 = __toESM(require("path"));
     DEFAULT_EXCLUSION_PATTERNS = [
       "dist/",
       "build/",
@@ -49175,7 +51051,7 @@ var init_file_exclusion = __esm({
        * @param additionalPatterns - Additional patterns to include (optional, defaults to common build artifacts)
        */
       constructor(workingDirectory = process.cwd(), additionalPatterns = DEFAULT_EXCLUSION_PATTERNS) {
-        const normalizedPath = path19.resolve(workingDirectory);
+        const normalizedPath = path20.resolve(workingDirectory);
         if (normalizedPath.includes("\0")) {
           throw new Error("Invalid workingDirectory: contains null bytes");
         }
@@ -49187,11 +51063,11 @@ var init_file_exclusion = __esm({
        * @param additionalPatterns - Additional patterns to add to gitignore rules
        */
       loadGitignore(additionalPatterns) {
-        const gitignorePath = path19.resolve(this.workingDirectory, ".gitignore");
-        const resolvedWorkingDir = path19.resolve(this.workingDirectory);
+        const gitignorePath = path20.resolve(this.workingDirectory, ".gitignore");
+        const resolvedWorkingDir = path20.resolve(this.workingDirectory);
         try {
-          const relativePath = path19.relative(resolvedWorkingDir, gitignorePath);
-          if (relativePath.startsWith("..") || path19.isAbsolute(relativePath)) {
+          const relativePath = path20.relative(resolvedWorkingDir, gitignorePath);
+          if (relativePath.startsWith("..") || path20.isAbsolute(relativePath)) {
             throw new Error("Invalid gitignore path: path traversal detected");
           }
           if (relativePath !== ".gitignore") {
@@ -49201,8 +51077,8 @@ var init_file_exclusion = __esm({
           if (additionalPatterns && additionalPatterns.length > 0) {
             this.gitignore.add(additionalPatterns);
           }
-          if (fs16.existsSync(gitignorePath)) {
-            const rawContent = fs16.readFileSync(gitignorePath, "utf8");
+          if (fs17.existsSync(gitignorePath)) {
+            const rawContent = fs17.readFileSync(gitignorePath, "utf8");
             const gitignoreContent = rawContent.replace(/[\r\n]+/g, "\n").replace(/[\x00-\x09\x0B-\x1F\x7F]/g, "").split("\n").filter((line) => line.length < 1e3).join("\n").trim();
             this.gitignore.add(gitignoreContent);
             if (process.env.VISOR_DEBUG === "true") {
@@ -49234,13 +51110,13 @@ var git_repository_analyzer_exports = {};
 __export(git_repository_analyzer_exports, {
   GitRepositoryAnalyzer: () => GitRepositoryAnalyzer
 });
-var import_simple_git2, path20, fs17, MAX_PATCH_SIZE, GitRepositoryAnalyzer;
+var import_simple_git2, path21, fs18, MAX_PATCH_SIZE, GitRepositoryAnalyzer;
 var init_git_repository_analyzer = __esm({
   "src/git-repository-analyzer.ts"() {
     "use strict";
     import_simple_git2 = require("simple-git");
-    path20 = __toESM(require("path"));
-    fs17 = __toESM(require("fs"));
+    path21 = __toESM(require("path"));
+    fs18 = __toESM(require("fs"));
     init_file_exclusion();
     MAX_PATCH_SIZE = 50 * 1024;
     GitRepositoryAnalyzer = class {
@@ -49429,7 +51305,7 @@ ${file.patch}`).join("\n\n");
               console.error(`\u23ED\uFE0F  Skipping excluded file: ${file}`);
               continue;
             }
-            const filePath = path20.join(this.cwd, file);
+            const filePath = path21.join(this.cwd, file);
             const fileChange = await this.analyzeFileChange(file, status2, filePath, includeContext);
             changes.push(fileChange);
           }
@@ -49505,7 +51381,7 @@ ${file.patch}`).join("\n\n");
         let content;
         let truncated = false;
         try {
-          if (includeContext && status !== "added" && fs17.existsSync(filePath)) {
+          if (includeContext && status !== "added" && fs18.existsSync(filePath)) {
             const diff = await this.git.diff(["--", filename]).catch(() => "");
             if (diff) {
               const result = this.truncatePatch(diff, filename);
@@ -49515,7 +51391,7 @@ ${file.patch}`).join("\n\n");
               additions = lines.filter((line) => line.startsWith("+")).length;
               deletions = lines.filter((line) => line.startsWith("-")).length;
             }
-          } else if (status !== "added" && fs17.existsSync(filePath)) {
+          } else if (status !== "added" && fs18.existsSync(filePath)) {
             const diff = await this.git.diff(["--", filename]).catch(() => "");
             if (diff) {
               const lines = diff.split("\n");
@@ -49523,17 +51399,17 @@ ${file.patch}`).join("\n\n");
               deletions = lines.filter((line) => line.startsWith("-")).length;
             }
           }
-          if (status === "added" && fs17.existsSync(filePath)) {
+          if (status === "added" && fs18.existsSync(filePath)) {
             try {
-              const stats = fs17.statSync(filePath);
+              const stats = fs18.statSync(filePath);
               if (stats.isFile() && stats.size < 1024 * 1024) {
                 if (includeContext) {
-                  content = fs17.readFileSync(filePath, "utf8");
+                  content = fs18.readFileSync(filePath, "utf8");
                   const result = this.truncatePatch(content, filename);
                   patch = result.patch;
                   truncated = result.truncated;
                 }
-                const fileContent = includeContext ? content : fs17.readFileSync(filePath, "utf8");
+                const fileContent = includeContext ? content : fs18.readFileSync(filePath, "utf8");
                 additions = fileContent.split("\n").length;
               }
             } catch {
@@ -49624,12 +51500,12 @@ function shellEscape(str) {
 function sanitizePathComponent(name) {
   return name.replace(/\.\./g, "").replace(/[\/\\]/g, "-").replace(/^\.+/, "").trim() || "unnamed";
 }
-var fsp2, path21, WorkspaceManager;
+var fsp2, path22, WorkspaceManager;
 var init_workspace_manager = __esm({
   "src/utils/workspace-manager.ts"() {
     "use strict";
     fsp2 = __toESM(require("fs/promises"));
-    path21 = __toESM(require("path"));
+    path22 = __toESM(require("path"));
     init_command_executor();
     init_logger();
     WorkspaceManager = class _WorkspaceManager {
@@ -49663,7 +51539,7 @@ var init_workspace_manager = __esm({
         };
         this.basePath = this.config.basePath;
         const workspaceDirName = sanitizePathComponent(this.config.name || this.sessionId);
-        this.workspacePath = path21.join(this.basePath, workspaceDirName);
+        this.workspacePath = path22.join(this.basePath, workspaceDirName);
       }
       /**
        * Get or create a WorkspaceManager instance for a session
@@ -49758,7 +51634,7 @@ var init_workspace_manager = __esm({
           configuredMainProjectName || this.extractProjectName(this.originalPath)
         );
         this.usedNames.add(mainProjectName);
-        const mainProjectPath = path21.join(this.workspacePath, mainProjectName);
+        const mainProjectPath = path22.join(this.workspacePath, mainProjectName);
         const isGitRepo = await this.isGitRepository(this.originalPath);
         if (isGitRepo) {
           await this.createMainProjectWorktree(mainProjectPath);
@@ -49799,7 +51675,7 @@ var init_workspace_manager = __esm({
         let projectName = sanitizePathComponent(description || this.extractRepoName(repository));
         projectName = this.getUniqueName(projectName);
         this.usedNames.add(projectName);
-        const workspacePath = path21.join(this.workspacePath, projectName);
+        const workspacePath = path22.join(this.workspacePath, projectName);
         await fsp2.rm(workspacePath, { recursive: true, force: true });
         try {
           await fsp2.symlink(worktreePath, workspacePath);
@@ -49938,7 +51814,7 @@ var init_workspace_manager = __esm({
        * Extract project name from path
        */
       extractProjectName(dirPath) {
-        return path21.basename(dirPath);
+        return path22.basename(dirPath);
       }
       /**
        * Extract repository name from owner/repo format
@@ -50155,13 +52031,13 @@ var validator_exports = {};
 __export(validator_exports, {
   LicenseValidator: () => LicenseValidator
 });
-var crypto2, fs18, path22, LicenseValidator;
+var crypto2, fs19, path23, LicenseValidator;
 var init_validator = __esm({
   "src/enterprise/license/validator.ts"() {
     "use strict";
     crypto2 = __toESM(require("crypto"));
-    fs18 = __toESM(require("fs"));
-    path22 = __toESM(require("path"));
+    fs19 = __toESM(require("fs"));
+    path23 = __toESM(require("path"));
     LicenseValidator = class _LicenseValidator {
       /** Ed25519 public key for license verification (PEM format). */
       static PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n-----END PUBLIC KEY-----\n";
@@ -50214,28 +52090,28 @@ var init_validator = __esm({
           return process.env.VISOR_LICENSE.trim();
         }
         if (process.env.VISOR_LICENSE_FILE) {
-          const resolved = path22.resolve(process.env.VISOR_LICENSE_FILE);
+          const resolved = path23.resolve(process.env.VISOR_LICENSE_FILE);
           const home2 = process.env.HOME || process.env.USERPROFILE || "";
-          const allowedPrefixes = [path22.normalize(process.cwd())];
-          if (home2) allowedPrefixes.push(path22.normalize(path22.join(home2, ".config", "visor")));
+          const allowedPrefixes = [path23.normalize(process.cwd())];
+          if (home2) allowedPrefixes.push(path23.normalize(path23.join(home2, ".config", "visor")));
           let realPath;
           try {
-            realPath = fs18.realpathSync(resolved);
+            realPath = fs19.realpathSync(resolved);
           } catch {
             return null;
           }
           const isSafe = allowedPrefixes.some(
-            (prefix) => realPath === prefix || realPath.startsWith(prefix + path22.sep)
+            (prefix) => realPath === prefix || realPath.startsWith(prefix + path23.sep)
           );
           if (!isSafe) return null;
           return this.readFile(realPath);
         }
-        const cwdPath = path22.join(process.cwd(), ".visor-license");
+        const cwdPath = path23.join(process.cwd(), ".visor-license");
         const cwdToken = this.readFile(cwdPath);
         if (cwdToken) return cwdToken;
         const home = process.env.HOME || process.env.USERPROFILE || "";
         if (home) {
-          const configPath = path22.join(home, ".config", "visor", ".visor-license");
+          const configPath = path23.join(home, ".config", "visor", ".visor-license");
           const configToken = this.readFile(configPath);
           if (configToken) return configToken;
         }
@@ -50243,7 +52119,7 @@ var init_validator = __esm({
       }
       readFile(filePath) {
         try {
-          return fs18.readFileSync(filePath, "utf-8").trim();
+          return fs19.readFileSync(filePath, "utf-8").trim();
         } catch {
           return null;
         }
@@ -50282,17 +52158,17 @@ var init_validator = __esm({
 });
 
 // src/enterprise/policy/opa-compiler.ts
-var fs19, path23, os, crypto3, import_child_process5, OpaCompiler;
+var fs20, path24, os, crypto3, import_child_process5, OpaCompiler;
 var init_opa_compiler = __esm({
   "src/enterprise/policy/opa-compiler.ts"() {
     "use strict";
-    fs19 = __toESM(require("fs"));
-    path23 = __toESM(require("path"));
+    fs20 = __toESM(require("fs"));
+    path24 = __toESM(require("path"));
     os = __toESM(require("os"));
     crypto3 = __toESM(require("crypto"));
     import_child_process5 = require("child_process");
     OpaCompiler = class _OpaCompiler {
-      static CACHE_DIR = path23.join(os.tmpdir(), "visor-opa-cache");
+      static CACHE_DIR = path24.join(os.tmpdir(), "visor-opa-cache");
       /**
        * Resolve the input paths to WASM bytes.
        *
@@ -50304,24 +52180,24 @@ var init_opa_compiler = __esm({
       async resolveWasmBytes(paths) {
         const regoFiles = [];
         for (const p of paths) {
-          const resolved = path23.resolve(p);
-          if (path23.normalize(resolved).includes("..")) {
+          const resolved = path24.resolve(p);
+          if (path24.normalize(resolved).includes("..")) {
             throw new Error(`Policy path contains traversal sequences: ${p}`);
           }
-          if (resolved.endsWith(".wasm") && fs19.existsSync(resolved)) {
-            return fs19.readFileSync(resolved);
+          if (resolved.endsWith(".wasm") && fs20.existsSync(resolved)) {
+            return fs20.readFileSync(resolved);
           }
-          if (!fs19.existsSync(resolved)) continue;
-          const stat = fs19.statSync(resolved);
+          if (!fs20.existsSync(resolved)) continue;
+          const stat = fs20.statSync(resolved);
           if (stat.isDirectory()) {
-            const wasmCandidate = path23.join(resolved, "policy.wasm");
-            if (fs19.existsSync(wasmCandidate)) {
-              return fs19.readFileSync(wasmCandidate);
+            const wasmCandidate = path24.join(resolved, "policy.wasm");
+            if (fs20.existsSync(wasmCandidate)) {
+              return fs20.readFileSync(wasmCandidate);
             }
-            const files = fs19.readdirSync(resolved);
+            const files = fs20.readdirSync(resolved);
             for (const f of files) {
               if (f.endsWith(".rego")) {
-                regoFiles.push(path23.join(resolved, f));
+                regoFiles.push(path24.join(resolved, f));
               }
             }
           } else if (resolved.endsWith(".rego")) {
@@ -50351,17 +52227,17 @@ var init_opa_compiler = __esm({
         }
         const hash = crypto3.createHash("sha256");
         for (const f of regoFiles.sort()) {
-          hash.update(fs19.readFileSync(f));
+          hash.update(fs20.readFileSync(f));
           hash.update(f);
         }
         const cacheKey = hash.digest("hex").slice(0, 16);
         const cacheDir = _OpaCompiler.CACHE_DIR;
-        const cachedWasm = path23.join(cacheDir, `${cacheKey}.wasm`);
-        if (fs19.existsSync(cachedWasm)) {
-          return fs19.readFileSync(cachedWasm);
+        const cachedWasm = path24.join(cacheDir, `${cacheKey}.wasm`);
+        if (fs20.existsSync(cachedWasm)) {
+          return fs20.readFileSync(cachedWasm);
         }
-        fs19.mkdirSync(cacheDir, { recursive: true });
-        const bundleTar = path23.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        fs20.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path24.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
         try {
           const args = [
             "build",
@@ -50390,43 +52266,43 @@ Ensure your .rego files are valid and the \`opa\` CLI is installed.`
           (0, import_child_process5.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "/policy.wasm"], {
             stdio: "pipe"
           });
-          const extractedWasm = path23.join(cacheDir, "policy.wasm");
-          if (fs19.existsSync(extractedWasm)) {
-            fs19.renameSync(extractedWasm, cachedWasm);
+          const extractedWasm = path24.join(cacheDir, "policy.wasm");
+          if (fs20.existsSync(extractedWasm)) {
+            fs20.renameSync(extractedWasm, cachedWasm);
           }
         } catch {
           try {
             (0, import_child_process5.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "policy.wasm"], {
               stdio: "pipe"
             });
-            const extractedWasm = path23.join(cacheDir, "policy.wasm");
-            if (fs19.existsSync(extractedWasm)) {
-              fs19.renameSync(extractedWasm, cachedWasm);
+            const extractedWasm = path24.join(cacheDir, "policy.wasm");
+            if (fs20.existsSync(extractedWasm)) {
+              fs20.renameSync(extractedWasm, cachedWasm);
             }
           } catch (err2) {
             throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
           }
         }
         try {
-          fs19.unlinkSync(bundleTar);
+          fs20.unlinkSync(bundleTar);
         } catch {
         }
-        if (!fs19.existsSync(cachedWasm)) {
+        if (!fs20.existsSync(cachedWasm)) {
           throw new Error("OPA build succeeded but policy.wasm was not found in the bundle");
         }
-        return fs19.readFileSync(cachedWasm);
+        return fs20.readFileSync(cachedWasm);
       }
     };
   }
 });
 
 // src/enterprise/policy/opa-wasm-evaluator.ts
-var fs20, path24, OpaWasmEvaluator;
+var fs21, path25, OpaWasmEvaluator;
 var init_opa_wasm_evaluator = __esm({
   "src/enterprise/policy/opa-wasm-evaluator.ts"() {
     "use strict";
-    fs20 = __toESM(require("fs"));
-    path24 = __toESM(require("path"));
+    fs21 = __toESM(require("fs"));
+    path25 = __toESM(require("path"));
     init_opa_compiler();
     OpaWasmEvaluator = class {
       policy = null;
@@ -50459,18 +52335,18 @@ var init_opa_wasm_evaluator = __esm({
        * making it available in Rego via `data.<key>`.
        */
       loadData(dataPath) {
-        const resolved = path24.resolve(dataPath);
-        if (path24.normalize(resolved).includes("..")) {
+        const resolved = path25.resolve(dataPath);
+        if (path25.normalize(resolved).includes("..")) {
           throw new Error(`Data path contains traversal sequences: ${dataPath}`);
         }
-        if (!fs20.existsSync(resolved)) {
+        if (!fs21.existsSync(resolved)) {
           throw new Error(`OPA data file not found: ${resolved}`);
         }
-        const stat = fs20.statSync(resolved);
+        const stat = fs21.statSync(resolved);
         if (stat.size > 10 * 1024 * 1024) {
           throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
         }
-        const raw = fs20.readFileSync(resolved, "utf-8");
+        const raw = fs21.readFileSync(resolved, "utf-8");
         try {
           const parsed = JSON.parse(raw);
           if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
@@ -50991,12 +52867,12 @@ function toInsertRow(schedule) {
     previous_response: schedule.previousResponse ?? null
   };
 }
-var fs21, path25, import_uuid2, KnexStoreBackend;
+var fs22, path26, import_uuid2, KnexStoreBackend;
 var init_knex_store = __esm({
   "src/enterprise/scheduler/knex-store.ts"() {
     "use strict";
-    fs21 = __toESM(require("fs"));
-    path25 = __toESM(require("path"));
+    fs22 = __toESM(require("fs"));
+    path26 = __toESM(require("path"));
     import_uuid2 = require("uuid");
     init_logger();
     KnexStoreBackend = class {
@@ -51082,24 +52958,24 @@ var init_knex_store = __esm({
         };
         if (ssl.ca) {
           const caPath = this.validateSslPath(ssl.ca, "CA certificate");
-          result.ca = fs21.readFileSync(caPath, "utf8");
+          result.ca = fs22.readFileSync(caPath, "utf8");
         }
         if (ssl.cert) {
           const certPath = this.validateSslPath(ssl.cert, "client certificate");
-          result.cert = fs21.readFileSync(certPath, "utf8");
+          result.cert = fs22.readFileSync(certPath, "utf8");
         }
         if (ssl.key) {
           const keyPath = this.validateSslPath(ssl.key, "client key");
-          result.key = fs21.readFileSync(keyPath, "utf8");
+          result.key = fs22.readFileSync(keyPath, "utf8");
         }
         return result;
       }
       validateSslPath(filePath, label) {
-        const resolved = path25.resolve(filePath);
-        if (resolved !== path25.normalize(resolved)) {
+        const resolved = path26.resolve(filePath);
+        if (resolved !== path26.normalize(resolved)) {
           throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
         }
-        if (!fs21.existsSync(resolved)) {
+        if (!fs22.existsSync(resolved)) {
           throw new Error(`SSL ${label} not found: ${filePath}`);
         }
         return resolved;
@@ -51430,12 +53306,12 @@ var ndjson_sink_exports = {};
 __export(ndjson_sink_exports, {
   NdjsonSink: () => NdjsonSink
 });
-var import_fs7, import_path10, NdjsonSink;
+var import_fs7, import_path11, NdjsonSink;
 var init_ndjson_sink = __esm({
   "src/frontends/ndjson-sink.ts"() {
     "use strict";
     import_fs7 = __toESM(require("fs"));
-    import_path10 = __toESM(require("path"));
+    import_path11 = __toESM(require("path"));
     NdjsonSink = class {
       name = "ndjson-sink";
       cfg;
@@ -51467,8 +53343,8 @@ var init_ndjson_sink = __esm({
         this.unsub = void 0;
       }
       resolveFile(p) {
-        if (import_path10.default.isAbsolute(p)) return p;
-        return import_path10.default.join(process.cwd(), p);
+        if (import_path11.default.isAbsolute(p)) return p;
+        return import_path11.default.join(process.cwd(), p);
       }
     };
   }
@@ -53195,16 +55071,16 @@ function extractMermaidDiagrams(text) {
 }
 async function renderMermaidToPng(mermaidCode) {
   const tmpDir = os2.tmpdir();
-  const inputFile = path27.join(
+  const inputFile = path28.join(
     tmpDir,
     `mermaid-${Date.now()}-${Math.random().toString(36).slice(2)}.mmd`
   );
-  const outputFile = path27.join(
+  const outputFile = path28.join(
     tmpDir,
     `mermaid-${Date.now()}-${Math.random().toString(36).slice(2)}.png`
   );
   try {
-    fs23.writeFileSync(inputFile, mermaidCode, "utf-8");
+    fs24.writeFileSync(inputFile, mermaidCode, "utf-8");
     const chromiumPaths = [
       "/usr/bin/chromium",
       "/usr/bin/chromium-browser",
@@ -53213,7 +55089,7 @@ async function renderMermaidToPng(mermaidCode) {
     ];
     let chromiumPath;
     for (const p of chromiumPaths) {
-      if (fs23.existsSync(p)) {
+      if (fs24.existsSync(p)) {
         chromiumPath = p;
         break;
       }
@@ -53265,19 +55141,19 @@ async function renderMermaidToPng(mermaidCode) {
       console.warn(`Mermaid rendering failed: ${result.error}`);
       return null;
     }
-    if (!fs23.existsSync(outputFile)) {
+    if (!fs24.existsSync(outputFile)) {
       console.warn("Mermaid output file not created");
       return null;
     }
-    const pngBuffer = fs23.readFileSync(outputFile);
+    const pngBuffer = fs24.readFileSync(outputFile);
     return pngBuffer;
   } catch (e) {
     console.warn(`Mermaid rendering error: ${e instanceof Error ? e.message : String(e)}`);
     return null;
   } finally {
     try {
-      if (fs23.existsSync(inputFile)) fs23.unlinkSync(inputFile);
-      if (fs23.existsSync(outputFile)) fs23.unlinkSync(outputFile);
+      if (fs24.existsSync(inputFile)) fs24.unlinkSync(inputFile);
+      if (fs24.existsSync(outputFile)) fs24.unlinkSync(outputFile);
     } catch {
     }
   }
@@ -53382,13 +55258,13 @@ function replaceFileSections(text, sections, replacement = (idx) => `_(See file:
 function formatSlackText(text) {
   return markdownToSlack(text);
 }
-var import_child_process6, fs23, path27, os2;
+var import_child_process6, fs24, path28, os2;
 var init_markdown = __esm({
   "src/slack/markdown.ts"() {
     "use strict";
     import_child_process6 = require("child_process");
-    fs23 = __toESM(require("fs"));
-    path27 = __toESM(require("path"));
+    fs24 = __toESM(require("fs"));
+    path28 = __toESM(require("path"));
     os2 = __toESM(require("os"));
   }
 });
@@ -54365,15 +56241,15 @@ function serializeRunState(state) {
     ])
   };
 }
-var path28, fs24, StateMachineExecutionEngine;
+var path29, fs25, StateMachineExecutionEngine;
 var init_state_machine_execution_engine = __esm({
   "src/state-machine-execution-engine.ts"() {
     "use strict";
     init_runner();
     init_logger();
     init_sandbox_manager();
-    path28 = __toESM(require("path"));
-    fs24 = __toESM(require("fs"));
+    path29 = __toESM(require("path"));
+    fs25 = __toESM(require("fs"));
     StateMachineExecutionEngine = class _StateMachineExecutionEngine {
       workingDirectory;
       executionContext;
@@ -54563,6 +56439,15 @@ var init_state_machine_execution_engine = __esm({
           ...config,
           tag_filter: tagFilter
         } : config;
+        try {
+          const { CheckProviderRegistry: CheckProviderRegistry2 } = await Promise.resolve().then(() => (init_check_provider_registry(), check_provider_registry_exports));
+          const registry = CheckProviderRegistry2.getInstance();
+          registry.setCustomTools(configWithTagFilter.tools || {});
+        } catch (error) {
+          logger.warn(
+            `[StateMachine] Failed to register custom tools: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
         const context2 = this.buildEngineContext(
           configWithTagFilter,
           prInfo,
@@ -54749,9 +56634,9 @@ var init_state_machine_execution_engine = __esm({
                   }
                   const checkId = String(ev?.checkId || "unknown");
                   const threadKey = ev?.threadKey || (channel && threadTs ? `${channel}:${threadTs}` : "session");
-                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path28.resolve(process.cwd(), ".visor", "snapshots");
-                  fs24.mkdirSync(baseDir, { recursive: true });
-                  const filePath = path28.join(baseDir, `${threadKey}-${checkId}.json`);
+                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path29.resolve(process.cwd(), ".visor", "snapshots");
+                  fs25.mkdirSync(baseDir, { recursive: true });
+                  const filePath = path29.join(baseDir, `${threadKey}-${checkId}.json`);
                   await this.saveSnapshotToFile(filePath);
                   logger.info(`[Snapshot] Saved run snapshot: ${filePath}`);
                   try {
@@ -54892,7 +56777,7 @@ var init_state_machine_execution_engine = __esm({
        * Does not include secrets. Intended for debugging and future resume support.
        */
       async saveSnapshotToFile(filePath) {
-        const fs25 = await import("fs/promises");
+        const fs26 = await import("fs/promises");
         const ctx = this._lastContext;
         const runner = this._lastRunner;
         if (!ctx || !runner) {
@@ -54912,14 +56797,14 @@ var init_state_machine_execution_engine = __esm({
           journal: entries,
           requestedChecks: ctx.requestedChecks || []
         };
-        await fs25.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
+        await fs26.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
       }
       /**
        * Load a snapshot JSON from file and return it. Resume support can build on this.
        */
       async loadSnapshotFromFile(filePath) {
-        const fs25 = await import("fs/promises");
-        const raw = await fs25.readFile(filePath, "utf8");
+        const fs26 = await import("fs/promises");
+        const raw = await fs26.readFile(filePath, "utf8");
         return JSON.parse(raw);
       }
       /**