npm - @probelabs/visor - Versions diffs - 0.1.138-ee → 0.1.138 - Mend

@probelabs/visor 0.1.138-ee → 0.1.138

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/dist/sdk/sdk.js CHANGED Viewed

@@ -646,7 +646,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@probelabs/visor",
-      version: "0.1.42",
+      version: "0.1.138",
       main: "dist/index.js",
       bin: {
         visor: "./dist/index.js"
@@ -864,11 +864,11 @@ function getTracer() {
 }
 async function withActiveSpan(name, attrs, fn) {
   const tracer = getTracer();
-  return await new Promise((resolve15, reject) => {
+  return await new Promise((resolve11, reject) => {
     const callback = async (span) => {
       try {
         const res = await fn(span);
-        resolve15(res);
+        resolve11(res);
       } catch (err) {
         try {
           if (err instanceof Error) span.recordException(err);
@@ -945,19 +945,19 @@ function __getOrCreateNdjsonPath() {
   try {
     if (process.env.VISOR_TELEMETRY_SINK && process.env.VISOR_TELEMETRY_SINK !== "file")
       return null;
-    const path30 = require("path");
-    const fs26 = require("fs");
+    const path26 = require("path");
+    const fs22 = require("fs");
     if (process.env.VISOR_FALLBACK_TRACE_FILE) {
       __ndjsonPath = process.env.VISOR_FALLBACK_TRACE_FILE;
-      const dir = path30.dirname(__ndjsonPath);
-      if (!fs26.existsSync(dir)) fs26.mkdirSync(dir, { recursive: true });
+      const dir = path26.dirname(__ndjsonPath);
+      if (!fs22.existsSync(dir)) fs22.mkdirSync(dir, { recursive: true });
       return __ndjsonPath;
     }
-    const outDir = process.env.VISOR_TRACE_DIR || path30.join(process.cwd(), "output", "traces");
-    if (!fs26.existsSync(outDir)) fs26.mkdirSync(outDir, { recursive: true });
+    const outDir = process.env.VISOR_TRACE_DIR || path26.join(process.cwd(), "output", "traces");
+    if (!fs22.existsSync(outDir)) fs22.mkdirSync(outDir, { recursive: true });
     if (!__ndjsonPath) {
       const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      __ndjsonPath = path30.join(outDir, `${ts}.ndjson`);
+      __ndjsonPath = path26.join(outDir, `${ts}.ndjson`);
     }
     return __ndjsonPath;
   } catch {
@@ -966,11 +966,11 @@ function __getOrCreateNdjsonPath() {
 }
 function _appendRunMarker() {
   try {
-    const fs26 = require("fs");
+    const fs22 = require("fs");
     const p = __getOrCreateNdjsonPath();
     if (!p) return;
     const line = { name: "visor.run", attributes: { started: true } };
-    fs26.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
+    fs22.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
   } catch {
   }
 }
@@ -3193,7 +3193,7 @@ var init_failure_condition_evaluator = __esm({
        */
       evaluateExpression(condition, context2) {
         try {
-          const normalize8 = (expr) => {
+          const normalize4 = (expr) => {
             const trimmed = expr.trim();
             if (!/[\n;]/.test(trimmed)) return trimmed;
             const parts = trimmed.split(/[\n;]+/).map((s) => s.trim()).filter((s) => s.length > 0 && !s.startsWith("//"));
@@ -3351,7 +3351,7 @@ var init_failure_condition_evaluator = __esm({
           try {
             exec2 = this.sandbox.compile(`return (${raw});`);
           } catch {
-            const normalizedExpr = normalize8(condition);
+            const normalizedExpr = normalize4(condition);
             exec2 = this.sandbox.compile(`return (${normalizedExpr});`);
           }
           const result = exec2(scope).run();
@@ -3734,9 +3734,9 @@ function configureLiquidWithExtensions(liquid) {
   });
   liquid.registerFilter("get", (obj, pathExpr) => {
     if (obj == null) return void 0;
-    const path30 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
-    if (!path30) return obj;
-    const parts = path30.split(".");
+    const path26 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
+    if (!path26) return obj;
+    const parts = path26.split(".");
     let cur = obj;
     for (const p of parts) {
       if (cur == null) return void 0;
@@ -3855,9 +3855,9 @@ function configureLiquidWithExtensions(liquid) {
           }
         }
         const defaultRole = typeof rolesCfg.default === "string" && rolesCfg.default.trim() ? rolesCfg.default.trim() : void 0;
-        const getNested = (obj, path30) => {
-          if (!obj || !path30) return void 0;
-          const parts = path30.split(".");
+        const getNested = (obj, path26) => {
+          if (!obj || !path26) return void 0;
+          const parts = path26.split(".");
           let cur = obj;
           for (const p of parts) {
             if (cur == null) return void 0;
@@ -6409,8 +6409,8 @@ var init_dependency_gating = __esm({
 async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs26 = await import("fs/promises");
-    const path30 = await import("path");
+    const fs22 = await import("fs/promises");
+    const path26 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" ? schemaRaw : "code-review";
     let templateContent;
@@ -6418,24 +6418,24 @@ async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
       templateContent = String(checkConfig.template.content);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path30.resolve(process.cwd(), file);
-      templateContent = await fs26.readFile(resolved, "utf-8");
+      const resolved = path26.resolve(process.cwd(), file);
+      templateContent = await fs22.readFile(resolved, "utf-8");
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path30.join(__dirname, "output", sanitized, "template.liquid"),
+          path26.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path30.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path26.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source: output/
-          path30.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path26.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path30.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path26.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs26.readFile(p, "utf-8");
+            templateContent = await fs22.readFile(p, "utf-8");
             if (templateContent) break;
           } catch {
           }
@@ -6840,7 +6840,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs26 = require("fs");
+    const fs22 = require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path6.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -6851,7 +6851,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs26.existsSync(candidatePath)) {
+      if (fs22.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -7937,8 +7937,8 @@ ${schemaString}`);
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs26 = require("fs");
-              const path30 = require("path");
+              const fs22 = require("fs");
+              const path26 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const provider = this.config.provider || "auto";
               const model = this.config.model || "default";
@@ -8052,20 +8052,20 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
-              if (!fs26.existsSync(debugArtifactsDir)) {
-                fs26.mkdirSync(debugArtifactsDir, { recursive: true });
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path26.join(process.cwd(), "debug-artifacts");
+              if (!fs22.existsSync(debugArtifactsDir)) {
+                fs22.mkdirSync(debugArtifactsDir, { recursive: true });
               }
-              const debugFile = path30.join(
+              const debugFile = path26.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.json`
               );
-              fs26.writeFileSync(debugFile, debugJson, "utf-8");
-              const readableFile = path30.join(
+              fs22.writeFileSync(debugFile, debugJson, "utf-8");
+              const readableFile = path26.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.txt`
               );
-              fs26.writeFileSync(readableFile, readableVersion, "utf-8");
+              fs22.writeFileSync(readableFile, readableVersion, "utf-8");
               log(`
 \u{1F4BE} Full debug info saved to:`);
               log(`   JSON: ${debugFile}`);
@@ -8098,8 +8098,8 @@ ${"=".repeat(60)}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs26 = require("fs");
-              const path30 = require("path");
+              const fs22 = require("fs");
+              const path26 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny2 = agent;
               let fullHistory = [];
@@ -8110,8 +8110,8 @@ ${"=".repeat(60)}
               } else if (agentAny2._messages) {
                 fullHistory = agentAny2._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path30.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path26.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path26.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8123,7 +8123,7 @@ ${"=".repeat(60)}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs26.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs22.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8150,7 +8150,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs26.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs22.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8159,11 +8159,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs26 = require("fs");
-              const path30 = require("path");
+              const fs22 = require("fs");
+              const path26 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
-              const responseFile = path30.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path26.join(process.cwd(), "debug-artifacts");
+              const responseFile = path26.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8196,7 +8196,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs26.writeFileSync(responseFile, responseContent, "utf-8");
+              fs22.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8212,9 +8212,9 @@ ${"=".repeat(60)}
                 await agentAny._telemetryConfig.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs26 = require("fs");
-                  if (fs26.existsSync(agentAny._traceFilePath)) {
-                    const stats = fs26.statSync(agentAny._traceFilePath);
+                  const fs22 = require("fs");
+                  if (fs22.existsSync(agentAny._traceFilePath)) {
+                    const stats = fs22.statSync(agentAny._traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                     );
@@ -8415,9 +8415,9 @@ ${schemaString}`);
           const model = this.config.model || "default";
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs26 = require("fs");
-              const path30 = require("path");
-              const os3 = require("os");
+              const fs22 = require("fs");
+              const path26 = require("path");
+              const os2 = require("os");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const debugData = {
                 timestamp,
@@ -8489,19 +8489,19 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const tempDir = os3.tmpdir();
-              const promptFile = path30.join(tempDir, `visor-prompt-${timestamp}.txt`);
-              fs26.writeFileSync(promptFile, prompt, "utf-8");
+              const tempDir = os2.tmpdir();
+              const promptFile = path26.join(tempDir, `visor-prompt-${timestamp}.txt`);
+              fs22.writeFileSync(promptFile, prompt, "utf-8");
               log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path26.join(process.cwd(), "debug-artifacts");
               try {
-                const base = path30.join(
+                const base = path26.join(
                   debugArtifactsDir,
                   `prompt-${_checkName || "unknown"}-${timestamp}`
                 );
-                fs26.writeFileSync(base + ".json", debugJson, "utf-8");
-                fs26.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
+                fs22.writeFileSync(base + ".json", debugJson, "utf-8");
+                fs22.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
                 log(`
 \u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
               } catch {
@@ -8546,8 +8546,8 @@ $ ${cliCommand}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs26 = require("fs");
-              const path30 = require("path");
+              const fs22 = require("fs");
+              const path26 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny = agent;
               let fullHistory = [];
@@ -8558,8 +8558,8 @@ $ ${cliCommand}
               } else if (agentAny._messages) {
                 fullHistory = agentAny._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path30.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path26.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path26.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8571,7 +8571,7 @@ $ ${cliCommand}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs26.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs22.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8598,7 +8598,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs26.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs22.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8607,11 +8607,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs26 = require("fs");
-              const path30 = require("path");
+              const fs22 = require("fs");
+              const path26 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path30.join(process.cwd(), "debug-artifacts");
-              const responseFile = path30.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path26.join(process.cwd(), "debug-artifacts");
+              const responseFile = path26.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8644,7 +8644,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs26.writeFileSync(responseFile, responseContent, "utf-8");
+              fs22.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8662,9 +8662,9 @@ ${"=".repeat(60)}
                 await telemetry.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs26 = require("fs");
-                  if (fs26.existsSync(traceFilePath)) {
-                    const stats = fs26.statSync(traceFilePath);
+                  const fs22 = require("fs");
+                  if (fs22.existsSync(traceFilePath)) {
+                    const stats = fs22.statSync(traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                     );
@@ -8702,8 +8702,8 @@ ${"=".repeat(60)}
        * Load schema content from schema files or inline definitions
        */
       async loadSchemaContent(schema) {
-        const fs26 = require("fs").promises;
-        const path30 = require("path");
+        const fs22 = require("fs").promises;
+        const path26 = require("path");
         if (typeof schema === "object" && schema !== null) {
           log("\u{1F4CB} Using inline schema object from configuration");
           return JSON.stringify(schema);
@@ -8716,14 +8716,14 @@ ${"=".repeat(60)}
           }
         } catch {
         }
-        if ((schema.startsWith("./") || schema.includes(".json")) && !path30.isAbsolute(schema)) {
+        if ((schema.startsWith("./") || schema.includes(".json")) && !path26.isAbsolute(schema)) {
           if (schema.includes("..") || schema.includes("\0")) {
             throw new Error("Invalid schema path: path traversal not allowed");
           }
           try {
-            const schemaPath = path30.resolve(process.cwd(), schema);
+            const schemaPath = path26.resolve(process.cwd(), schema);
             log(`\u{1F4CB} Loading custom schema from file: ${schemaPath}`);
-            const schemaContent = await fs26.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs22.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch (error) {
             throw new Error(
@@ -8737,22 +8737,22 @@ ${"=".repeat(60)}
         }
         const candidatePaths = [
           // GitHub Action bundle location
-          path30.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
+          path26.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
           // Historical fallback when src/output was inadvertently bundled as output1/
-          path30.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
+          path26.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
           // Local dev (repo root)
-          path30.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
+          path26.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
         ];
         for (const schemaPath of candidatePaths) {
           try {
-            const schemaContent = await fs26.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs22.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch {
           }
         }
-        const distPath = path30.join(__dirname, "output", sanitizedSchemaName, "schema.json");
-        const distAltPath = path30.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
-        const cwdPath = path30.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const distPath = path26.join(__dirname, "output", sanitizedSchemaName, "schema.json");
+        const distAltPath = path26.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
+        const cwdPath = path26.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         throw new Error(
           `Failed to load schema '${sanitizedSchemaName}'. Tried: ${distPath}, ${distAltPath}, and ${cwdPath}. Ensure build copies 'output/' into dist (build:cli), or provide a custom schema file/path.`
         );
@@ -8987,7 +8987,7 @@ ${"=".repeat(60)}
        * Generate mock response for testing
        */
       async generateMockResponse(_prompt, _checkName, _schema) {
-        await new Promise((resolve15) => setTimeout(resolve15, 500));
+        await new Promise((resolve11) => setTimeout(resolve11, 500));
         const name = (_checkName || "").toLowerCase();
         if (name.includes("extract-facts")) {
           const arr = Array.from({ length: 6 }, (_, i) => ({
@@ -9348,7 +9348,7 @@ var init_command_executor = __esm({
        * Execute command with stdin input
        */
       executeWithStdin(command, options) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve11, reject) => {
           const childProcess = (0, import_child_process.exec)(
             command,
             {
@@ -9360,7 +9360,7 @@ var init_command_executor = __esm({
               if (error && error.killed && (error.code === "ETIMEDOUT" || error.signal === "SIGTERM")) {
                 reject(new Error(`Command timed out after ${options.timeout || 3e4}ms`));
               } else {
-                resolve15({
+                resolve11({
                   stdout: stdout || "",
                   stderr: stderr || "",
                   exitCode: error ? error.code || 1 : 0
@@ -17137,17 +17137,17 @@ var init_workflow_check_provider = __esm({
        * so it can be executed by the state machine as a nested workflow.
        */
       async loadWorkflowFromConfigPath(sourcePath, baseDir) {
-        const path30 = require("path");
-        const fs26 = require("fs");
+        const path26 = require("path");
+        const fs22 = require("fs");
         const yaml5 = require("js-yaml");
-        const resolved = path30.isAbsolute(sourcePath) ? sourcePath : path30.resolve(baseDir, sourcePath);
-        if (!fs26.existsSync(resolved)) {
+        const resolved = path26.isAbsolute(sourcePath) ? sourcePath : path26.resolve(baseDir, sourcePath);
+        if (!fs22.existsSync(resolved)) {
           throw new Error(`Workflow config not found at: ${resolved}`);
         }
-        const rawContent = fs26.readFileSync(resolved, "utf8");
+        const rawContent = fs22.readFileSync(resolved, "utf8");
         const rawData = yaml5.load(rawContent);
         if (rawData.imports && Array.isArray(rawData.imports)) {
-          const configDir = path30.dirname(resolved);
+          const configDir = path26.dirname(resolved);
           for (const source of rawData.imports) {
             const results = await this.registry.import(source, {
               basePath: configDir,
@@ -17177,8 +17177,8 @@ ${errors}`);
         if (!steps || Object.keys(steps).length === 0) {
           throw new Error(`Config '${resolved}' does not contain any steps to execute as a workflow`);
         }
-        const id = path30.basename(resolved).replace(/\.(ya?ml)$/i, "");
-        const name = loaded.name || `Workflow from ${path30.basename(resolved)}`;
+        const id = path26.basename(resolved).replace(/\.(ya?ml)$/i, "");
+        const name = loaded.name || `Workflow from ${path26.basename(resolved)}`;
         const workflowDef = {
           id,
           name,
@@ -17807,8 +17807,8 @@ async function createStoreBackend(storageConfig, haConfig) {
     case "mssql": {
       try {
         const loaderPath = "../../enterprise/loader";
-        const { loadEnterpriseStoreBackend: loadEnterpriseStoreBackend2 } = await import(loaderPath);
-        return await loadEnterpriseStoreBackend2(driver, storageConfig, haConfig);
+        const { loadEnterpriseStoreBackend } = await import(loaderPath);
+        return await loadEnterpriseStoreBackend(driver, storageConfig, haConfig);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         logger.error(`[StoreFactory] Failed to load enterprise ${driver} backend: ${msg}`);
@@ -19082,7 +19082,7 @@ var init_mcp_custom_sse_server = __esm({
        * Returns the actual bound port number
        */
       async start() {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve11, reject) => {
           try {
             this.server = import_http.default.createServer((req, res) => {
               this.handleRequest(req, res).catch((error) => {
@@ -19116,7 +19116,7 @@ var init_mcp_custom_sse_server = __esm({
                 );
               }
               this.startKeepalive();
-              resolve15(this.port);
+              resolve11(this.port);
             });
           } catch (error) {
             reject(error);
@@ -19179,7 +19179,7 @@ var init_mcp_custom_sse_server = __esm({
             logger.debug(
               `[CustomToolsSSEServer:${this.sessionId}] Grace period before stop: ${waitMs}ms (activeToolCalls=${this.activeToolCalls})`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, waitMs));
+            await new Promise((resolve11) => setTimeout(resolve11, waitMs));
           }
         }
         if (this.activeToolCalls > 0) {
@@ -19188,7 +19188,7 @@ var init_mcp_custom_sse_server = __esm({
             `[CustomToolsSSEServer:${this.sessionId}] Waiting for ${this.activeToolCalls} active tool call(s) before stop`
           );
           while (this.activeToolCalls > 0 && Date.now() - startedAt < effectiveDrainTimeoutMs) {
-            await new Promise((resolve15) => setTimeout(resolve15, 250));
+            await new Promise((resolve11) => setTimeout(resolve11, 250));
           }
           if (this.activeToolCalls > 0) {
             logger.warn(
@@ -19213,21 +19213,21 @@ var init_mcp_custom_sse_server = __esm({
         }
         this.connections.clear();
         if (this.server) {
-          await new Promise((resolve15, reject) => {
+          await new Promise((resolve11, reject) => {
             const timeout = setTimeout(() => {
               if (this.debug) {
                 logger.debug(
                   `[CustomToolsSSEServer:${this.sessionId}] Force closing server after timeout`
                 );
               }
-              this.server?.close(() => resolve15());
+              this.server?.close(() => resolve11());
             }, 5e3);
             this.server.close((error) => {
               clearTimeout(timeout);
               if (error) {
                 reject(error);
               } else {
-                resolve15();
+                resolve11();
               }
             });
           });
@@ -19653,7 +19653,7 @@ var init_mcp_custom_sse_server = __esm({
               logger.warn(
                 `[CustomToolsSSEServer:${this.sessionId}] Tool ${toolName} failed (attempt ${attempt + 1}/${retryCount + 1}): ${errorMsg}. Retrying in ${delay}ms`
               );
-              await new Promise((resolve15) => setTimeout(resolve15, delay));
+              await new Promise((resolve11) => setTimeout(resolve11, delay));
               attempt++;
             }
           }
@@ -19956,9 +19956,9 @@ var init_ai_check_provider = __esm({
           } else {
             resolvedPath = import_path7.default.resolve(process.cwd(), str);
           }
-          const fs26 = require("fs").promises;
+          const fs22 = require("fs").promises;
           try {
-            const stat = await fs26.stat(resolvedPath);
+            const stat = await fs22.stat(resolvedPath);
             return stat.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -25810,14 +25810,14 @@ var require_util = __commonJS({
         }
         const port = url.port != null ? url.port : url.protocol === "https:" ? 443 : 80;
         let origin = url.origin != null ? url.origin : `${url.protocol}//${url.hostname}:${port}`;
-        let path30 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
+        let path26 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
         if (origin.endsWith("/")) {
           origin = origin.substring(0, origin.length - 1);
         }
-        if (path30 && !path30.startsWith("/")) {
-          path30 = `/${path30}`;
+        if (path26 && !path26.startsWith("/")) {
+          path26 = `/${path26}`;
         }
-        url = new URL(origin + path30);
+        url = new URL(origin + path26);
       }
       return url;
     }
@@ -27431,20 +27431,20 @@ var require_parseParams = __commonJS({
 var require_basename = __commonJS({
   "node_modules/@fastify/busboy/lib/utils/basename.js"(exports2, module2) {
     "use strict";
-    module2.exports = function basename4(path30) {
-      if (typeof path30 !== "string") {
+    module2.exports = function basename4(path26) {
+      if (typeof path26 !== "string") {
         return "";
       }
-      for (var i = path30.length - 1; i >= 0; --i) {
-        switch (path30.charCodeAt(i)) {
+      for (var i = path26.length - 1; i >= 0; --i) {
+        switch (path26.charCodeAt(i)) {
           case 47:
           // '/'
           case 92:
-            path30 = path30.slice(i + 1);
-            return path30 === ".." || path30 === "." ? "" : path30;
+            path26 = path26.slice(i + 1);
+            return path26 === ".." || path26 === "." ? "" : path26;
         }
       }
-      return path30 === ".." || path30 === "." ? "" : path30;
+      return path26 === ".." || path26 === "." ? "" : path26;
     };
   }
 });
@@ -28448,11 +28448,11 @@ var require_util2 = __commonJS({
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
     var supportedHashes = [];
-    var crypto4;
+    var crypto2;
     try {
-      crypto4 = require("crypto");
+      crypto2 = require("crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
+      supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
     } catch {
     }
     function responseURL(response) {
@@ -28729,7 +28729,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto4 === void 0) {
+      if (crypto2 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -28744,7 +28744,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -28837,8 +28837,8 @@ var require_util2 = __commonJS({
     function createDeferredPromise() {
       let res;
       let rej;
-      const promise = new Promise((resolve15, reject) => {
-        res = resolve15;
+      const promise = new Promise((resolve11, reject) => {
+        res = resolve11;
         rej = reject;
       });
       return { promise, resolve: res, reject: rej };
@@ -30091,8 +30091,8 @@ var require_body = __commonJS({
     var { parseMIMEType, serializeAMimeType } = require_dataURL();
     var random;
     try {
-      const crypto4 = require("crypto");
-      random = (max) => crypto4.randomInt(0, max);
+      const crypto2 = require("crypto");
+      random = (max) => crypto2.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -30343,8 +30343,8 @@ Content-Type: ${value.type || "application/octet-stream"}\r
                 });
               }
             });
-            const busboyResolve = new Promise((resolve15, reject) => {
-              busboy.on("finish", resolve15);
+            const busboyResolve = new Promise((resolve11, reject) => {
+              busboy.on("finish", resolve11);
               busboy.on("error", (err) => reject(new TypeError(err)));
             });
             if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk);
@@ -30475,7 +30475,7 @@ var require_request = __commonJS({
     }
     var Request = class _Request {
       constructor(origin, {
-        path: path30,
+        path: path26,
         method,
         body,
         headers,
@@ -30489,11 +30489,11 @@ var require_request = __commonJS({
         throwOnError,
         expectContinue
       }, handler) {
-        if (typeof path30 !== "string") {
+        if (typeof path26 !== "string") {
           throw new InvalidArgumentError("path must be a string");
-        } else if (path30[0] !== "/" && !(path30.startsWith("http://") || path30.startsWith("https://")) && method !== "CONNECT") {
+        } else if (path26[0] !== "/" && !(path26.startsWith("http://") || path26.startsWith("https://")) && method !== "CONNECT") {
           throw new InvalidArgumentError("path must be an absolute URL or start with a slash");
-        } else if (invalidPathRegex.exec(path30) !== null) {
+        } else if (invalidPathRegex.exec(path26) !== null) {
           throw new InvalidArgumentError("invalid request path");
         }
         if (typeof method !== "string") {
@@ -30556,7 +30556,7 @@ var require_request = __commonJS({
         this.completed = false;
         this.aborted = false;
         this.upgrade = upgrade || null;
-        this.path = query ? util.buildURL(path30, query) : path30;
+        this.path = query ? util.buildURL(path26, query) : path26;
         this.origin = origin;
         this.idempotent = idempotent == null ? method === "HEAD" || method === "GET" : idempotent;
         this.blocking = blocking == null ? false : blocking;
@@ -30878,9 +30878,9 @@ var require_dispatcher_base = __commonJS({
       }
       close(callback) {
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve11, reject) => {
             this.close((err, data) => {
-              return err ? reject(err) : resolve15(data);
+              return err ? reject(err) : resolve11(data);
             });
           });
         }
@@ -30918,12 +30918,12 @@ var require_dispatcher_base = __commonJS({
           err = null;
         }
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve11, reject) => {
             this.destroy(err, (err2, data) => {
               return err2 ? (
                 /* istanbul ignore next: should never error */
                 reject(err2)
-              ) : resolve15(data);
+              ) : resolve11(data);
             });
           });
         }
@@ -31564,9 +31564,9 @@ var require_RedirectHandler = __commonJS({
           return this.handler.onHeaders(statusCode, headers, resume, statusText);
         }
         const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)));
-        const path30 = search ? `${pathname}${search}` : pathname;
+        const path26 = search ? `${pathname}${search}` : pathname;
         this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin);
-        this.opts.path = path30;
+        this.opts.path = path26;
         this.opts.origin = origin;
         this.opts.maxRedirections = 0;
         this.opts.query = null;
@@ -31985,16 +31985,16 @@ var require_client = __commonJS({
         return this[kNeedDrain] < 2;
       }
       async [kClose]() {
-        return new Promise((resolve15) => {
+        return new Promise((resolve11) => {
           if (!this[kSize]) {
-            resolve15(null);
+            resolve11(null);
           } else {
-            this[kClosedResolve] = resolve15;
+            this[kClosedResolve] = resolve11;
           }
         });
       }
       async [kDestroy](err) {
-        return new Promise((resolve15) => {
+        return new Promise((resolve11) => {
           const requests = this[kQueue].splice(this[kPendingIdx]);
           for (let i = 0; i < requests.length; i++) {
             const request = requests[i];
@@ -32005,7 +32005,7 @@ var require_client = __commonJS({
               this[kClosedResolve]();
               this[kClosedResolve] = null;
             }
-            resolve15();
+            resolve11();
           };
           if (this[kHTTP2Session] != null) {
             util.destroy(this[kHTTP2Session], err);
@@ -32585,7 +32585,7 @@ var require_client = __commonJS({
         });
       }
       try {
-        const socket = await new Promise((resolve15, reject) => {
+        const socket = await new Promise((resolve11, reject) => {
           client[kConnector]({
             host,
             hostname,
@@ -32597,7 +32597,7 @@ var require_client = __commonJS({
             if (err) {
               reject(err);
             } else {
-              resolve15(socket2);
+              resolve11(socket2);
             }
           });
         });
@@ -32808,7 +32808,7 @@ var require_client = __commonJS({
         writeH2(client, client[kHTTP2Session], request);
         return;
       }
-      const { body, method, path: path30, host, upgrade, headers, blocking, reset } = request;
+      const { body, method, path: path26, host, upgrade, headers, blocking, reset } = request;
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
         body.read(0);
@@ -32858,7 +32858,7 @@ var require_client = __commonJS({
       if (blocking) {
         socket[kBlocking] = true;
       }
-      let header = `${method} ${path30} HTTP/1.1\r
+      let header = `${method} ${path26} HTTP/1.1\r
 `;
       if (typeof host === "string") {
         header += `host: ${host}\r
@@ -32921,7 +32921,7 @@ upgrade: ${upgrade}\r
       return true;
     }
     function writeH2(client, session, request) {
-      const { body, method, path: path30, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
+      const { body, method, path: path26, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
       let headers;
       if (typeof reqHeaders === "string") headers = Request[kHTTP2CopyHeaders](reqHeaders.trim());
       else headers = reqHeaders;
@@ -32964,7 +32964,7 @@ upgrade: ${upgrade}\r
         });
         return true;
       }
-      headers[HTTP2_HEADER_PATH] = path30;
+      headers[HTTP2_HEADER_PATH] = path26;
       headers[HTTP2_HEADER_SCHEME] = "https";
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
@@ -33221,12 +33221,12 @@ upgrade: ${upgrade}\r
           cb();
         }
       }
-      const waitForDrain = () => new Promise((resolve15, reject) => {
+      const waitForDrain = () => new Promise((resolve11, reject) => {
         assert(callback === null);
         if (socket[kError]) {
           reject(socket[kError]);
         } else {
-          callback = resolve15;
+          callback = resolve11;
         }
       });
       if (client[kHTTPConnVersion] === "h2") {
@@ -33572,8 +33572,8 @@ var require_pool_base = __commonJS({
         if (this[kQueue].isEmpty()) {
           return Promise.all(this[kClients].map((c) => c.close()));
         } else {
-          return new Promise((resolve15) => {
-            this[kClosedResolve] = resolve15;
+          return new Promise((resolve11) => {
+            this[kClosedResolve] = resolve11;
           });
         }
       }
@@ -34151,7 +34151,7 @@ var require_readable = __commonJS({
         if (this.closed) {
           return Promise.resolve(null);
         }
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve11, reject) => {
           const signalListenerCleanup = signal ? util.addAbortListener(signal, () => {
             this.destroy();
           }) : noop;
@@ -34160,7 +34160,7 @@ var require_readable = __commonJS({
             if (signal && signal.aborted) {
               reject(signal.reason || Object.assign(new Error("The operation was aborted"), { name: "AbortError" }));
             } else {
-              resolve15(null);
+              resolve11(null);
             }
           }).on("error", noop).on("data", function(chunk) {
             limit -= chunk.length;
@@ -34182,11 +34182,11 @@ var require_readable = __commonJS({
         throw new TypeError("unusable");
       }
       assert(!stream[kConsume]);
-      return new Promise((resolve15, reject) => {
+      return new Promise((resolve11, reject) => {
         stream[kConsume] = {
           type,
           stream,
-          resolve: resolve15,
+          resolve: resolve11,
           reject,
           length: 0,
           body: []
@@ -34221,12 +34221,12 @@ var require_readable = __commonJS({
       }
     }
     function consumeEnd(consume2) {
-      const { type, body, resolve: resolve15, stream, length } = consume2;
+      const { type, body, resolve: resolve11, stream, length } = consume2;
       try {
         if (type === "text") {
-          resolve15(toUSVString(Buffer.concat(body)));
+          resolve11(toUSVString(Buffer.concat(body)));
         } else if (type === "json") {
-          resolve15(JSON.parse(Buffer.concat(body)));
+          resolve11(JSON.parse(Buffer.concat(body)));
         } else if (type === "arrayBuffer") {
           const dst = new Uint8Array(length);
           let pos = 0;
@@ -34234,12 +34234,12 @@ var require_readable = __commonJS({
             dst.set(buf, pos);
             pos += buf.byteLength;
           }
-          resolve15(dst.buffer);
+          resolve11(dst.buffer);
         } else if (type === "blob") {
           if (!Blob2) {
             Blob2 = require("buffer").Blob;
           }
-          resolve15(new Blob2(body, { type: stream[kContentType] }));
+          resolve11(new Blob2(body, { type: stream[kContentType] }));
         }
         consumeFinish(consume2);
       } catch (err) {
@@ -34496,9 +34496,9 @@ var require_api_request = __commonJS({
     };
     function request(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve11, reject) => {
           request.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve11(data);
           });
         });
       }
@@ -34671,9 +34671,9 @@ var require_api_stream = __commonJS({
     };
     function stream(opts, factory, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve11, reject) => {
           stream.call(this, opts, factory, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve11(data);
           });
         });
       }
@@ -34954,9 +34954,9 @@ var require_api_upgrade = __commonJS({
     };
     function upgrade(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve11, reject) => {
           upgrade.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve11(data);
           });
         });
       }
@@ -35045,9 +35045,9 @@ var require_api_connect = __commonJS({
     };
     function connect(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve11, reject) => {
           connect.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve11(data);
           });
         });
       }
@@ -35207,20 +35207,20 @@ var require_mock_utils = __commonJS({
       }
       return true;
     }
-    function safeUrl(path30) {
-      if (typeof path30 !== "string") {
-        return path30;
+    function safeUrl(path26) {
+      if (typeof path26 !== "string") {
+        return path26;
       }
-      const pathSegments = path30.split("?");
+      const pathSegments = path26.split("?");
       if (pathSegments.length !== 2) {
-        return path30;
+        return path26;
       }
       const qp = new URLSearchParams(pathSegments.pop());
       qp.sort();
       return [...pathSegments, qp.toString()].join("?");
     }
-    function matchKey(mockDispatch2, { path: path30, method, body, headers }) {
-      const pathMatch = matchValue(mockDispatch2.path, path30);
+    function matchKey(mockDispatch2, { path: path26, method, body, headers }) {
+      const pathMatch = matchValue(mockDispatch2.path, path26);
       const methodMatch = matchValue(mockDispatch2.method, method);
       const bodyMatch = typeof mockDispatch2.body !== "undefined" ? matchValue(mockDispatch2.body, body) : true;
       const headersMatch = matchHeaders(mockDispatch2, headers);
@@ -35238,7 +35238,7 @@ var require_mock_utils = __commonJS({
     function getMockDispatch(mockDispatches, key) {
       const basePath = key.query ? buildURL(key.path, key.query) : key.path;
       const resolvedPath = typeof basePath === "string" ? safeUrl(basePath) : basePath;
-      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path30 }) => matchValue(safeUrl(path30), resolvedPath));
+      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path26 }) => matchValue(safeUrl(path26), resolvedPath));
       if (matchedMockDispatches.length === 0) {
         throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`);
       }
@@ -35275,9 +35275,9 @@ var require_mock_utils = __commonJS({
       }
     }
     function buildKey(opts) {
-      const { path: path30, method, body, headers, query } = opts;
+      const { path: path26, method, body, headers, query } = opts;
       return {
-        path: path30,
+        path: path26,
         method,
         body,
         headers,
@@ -35726,10 +35726,10 @@ var require_pending_interceptors_formatter = __commonJS({
       }
       format(pendingInterceptors) {
         const withPrettyHeaders = pendingInterceptors.map(
-          ({ method, path: path30, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
+          ({ method, path: path26, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
             Method: method,
             Origin: origin,
-            Path: path30,
+            Path: path26,
             "Status code": statusCode,
             Persistent: persist ? "\u2705" : "\u274C",
             Invocations: timesInvoked,
@@ -38670,7 +38670,7 @@ var require_fetch = __commonJS({
       async function dispatch({ body }) {
         const url = requestCurrentURL(request);
         const agent = fetchParams.controller.dispatcher;
-        return new Promise((resolve15, reject) => agent.dispatch(
+        return new Promise((resolve11, reject) => agent.dispatch(
           {
             path: url.pathname + url.search,
             origin: url.origin,
@@ -38746,7 +38746,7 @@ var require_fetch = __commonJS({
                   }
                 }
               }
-              resolve15({
+              resolve11({
                 status,
                 statusText,
                 headersList: headers[kHeadersList],
@@ -38789,7 +38789,7 @@ var require_fetch = __commonJS({
                 const val = headersList[n + 1].toString("latin1");
                 headers[kHeadersList].append(key, val);
               }
-              resolve15({
+              resolve11({
                 status,
                 statusText: STATUS_CODES[status],
                 headersList: headers[kHeadersList],
@@ -40350,8 +40350,8 @@ var require_util6 = __commonJS({
         }
       }
     }
-    function validateCookiePath(path30) {
-      for (const char of path30) {
+    function validateCookiePath(path26) {
+      for (const char of path26) {
         const code = char.charCodeAt(0);
         if (code < 33 || char === ";") {
           throw new Error("Invalid cookie path");
@@ -41148,9 +41148,9 @@ var require_connection = __commonJS({
     channels.open = diagnosticsChannel.channel("undici:websocket:open");
     channels.close = diagnosticsChannel.channel("undici:websocket:close");
     channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error");
-    var crypto4;
+    var crypto2;
     try {
-      crypto4 = require("crypto");
+      crypto2 = require("crypto");
     } catch {
     }
     function establishWebSocketConnection(url, protocols, ws, onEstablish, options) {
@@ -41169,7 +41169,7 @@ var require_connection = __commonJS({
         const headersList = new Headers(options.headers)[kHeadersList];
         request.headersList = headersList;
       }
-      const keyValue = crypto4.randomBytes(16).toString("base64");
+      const keyValue = crypto2.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue);
       request.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -41198,7 +41198,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto4.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -41278,9 +41278,9 @@ var require_frame = __commonJS({
   "node_modules/undici/lib/websocket/frame.js"(exports2, module2) {
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
-    var crypto4;
+    var crypto2;
     try {
-      crypto4 = require("crypto");
+      crypto2 = require("crypto");
     } catch {
     }
     var WebsocketFrameSend = class {
@@ -41289,7 +41289,7 @@ var require_frame = __commonJS({
        */
       constructor(data) {
         this.frameData = data;
-        this.maskKey = crypto4.randomBytes(4);
+        this.maskKey = crypto2.randomBytes(4);
       }
       createFrame(opcode) {
         const bodyLength = this.frameData?.byteLength ?? 0;
@@ -42031,11 +42031,11 @@ var require_undici = __commonJS({
           if (typeof opts.path !== "string") {
             throw new InvalidArgumentError("invalid opts.path");
           }
-          let path30 = opts.path;
+          let path26 = opts.path;
           if (!opts.path.startsWith("/")) {
-            path30 = `/${path30}`;
+            path26 = `/${path26}`;
           }
-          url = new URL(util.parseOrigin(url).origin + path30);
+          url = new URL(util.parseOrigin(url).origin + path26);
         } else {
           if (!opts) {
             opts = typeof url === "object" ? url : {};
@@ -42563,7 +42563,7 @@ var init_mcp_check_provider = __esm({
             logger.warn(
               `MCP ${transportName} failed (attempt ${attempt + 1}/${maxRetries + 1}), retrying in ${delay}ms: ${error instanceof Error ? error.message : String(error)}`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, delay));
+            await new Promise((resolve11) => setTimeout(resolve11, delay));
             attempt += 1;
           } finally {
             try {
@@ -42845,7 +42845,7 @@ async function acquirePromptLock() {
     activePrompt = true;
     return;
   }
-  await new Promise((resolve15) => waiters.push(resolve15));
+  await new Promise((resolve11) => waiters.push(resolve11));
   activePrompt = true;
 }
 function releasePromptLock() {
@@ -42855,7 +42855,7 @@ function releasePromptLock() {
 }
 async function interactivePrompt(options) {
   await acquirePromptLock();
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve11, reject) => {
     const dbg = process.env.VISOR_DEBUG === "true";
     try {
       if (dbg) {
@@ -42942,12 +42942,12 @@ async function interactivePrompt(options) {
     };
     const finish = (value) => {
       cleanup();
-      resolve15(value);
+      resolve11(value);
     };
     if (options.timeout && options.timeout > 0) {
       timeoutId = setTimeout(() => {
         cleanup();
-        if (defaultValue !== void 0) return resolve15(defaultValue);
+        if (defaultValue !== void 0) return resolve11(defaultValue);
         return reject(new Error("Input timeout"));
       }, options.timeout);
     }
@@ -43079,7 +43079,7 @@ async function interactivePrompt(options) {
   });
 }
 async function simplePrompt(prompt) {
-  return new Promise((resolve15) => {
+  return new Promise((resolve11) => {
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
@@ -43095,7 +43095,7 @@ async function simplePrompt(prompt) {
     rl.question(`${prompt}
 > `, (answer) => {
       rl.close();
-      resolve15(answer.trim());
+      resolve11(answer.trim());
     });
   });
 }
@@ -43263,7 +43263,7 @@ function isStdinAvailable() {
   return !process.stdin.isTTY;
 }
 async function readStdin(timeout, maxSize = 1024 * 1024) {
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve11, reject) => {
     let data = "";
     let timeoutId;
     if (timeout) {
@@ -43290,7 +43290,7 @@ async function readStdin(timeout, maxSize = 1024 * 1024) {
     };
     const onEnd = () => {
       cleanup();
-      resolve15(data.trim());
+      resolve11(data.trim());
     };
     const onError = (err) => {
       cleanup();
@@ -47320,23 +47320,23 @@ __export(renderer_schema_exports, {
 });
 async function loadRendererSchema(name) {
   try {
-    const fs26 = await import("fs/promises");
-    const path30 = await import("path");
+    const fs22 = await import("fs/promises");
+    const path26 = await import("path");
     const sanitized = String(name).replace(/[^a-zA-Z0-9-]/g, "");
     if (!sanitized) return void 0;
     const candidates = [
       // When bundled with ncc, __dirname is dist/ and output/ is at dist/output/
-      path30.join(__dirname, "output", sanitized, "schema.json"),
+      path26.join(__dirname, "output", sanitized, "schema.json"),
       // When running from source, __dirname is src/state-machine/dispatch/ and output/ is at output/
-      path30.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
+      path26.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
       // When running from a checkout with output/ folder copied to CWD
-      path30.join(process.cwd(), "output", sanitized, "schema.json"),
+      path26.join(process.cwd(), "output", sanitized, "schema.json"),
       // Fallback: cwd/dist/output/
-      path30.join(process.cwd(), "dist", "output", sanitized, "schema.json")
+      path26.join(process.cwd(), "dist", "output", sanitized, "schema.json")
     ];
     for (const p of candidates) {
       try {
-        const raw = await fs26.readFile(p, "utf-8");
+        const raw = await fs22.readFile(p, "utf-8");
         return JSON.parse(raw);
       } catch {
       }
@@ -49755,8 +49755,8 @@ function updateStats2(results, state, isForEachIteration = false) {
 async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs26 = await import("fs/promises");
-    const path30 = await import("path");
+    const fs22 = await import("fs/promises");
+    const path26 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" && !schemaRaw.includes("{{") && !schemaRaw.includes("{%") ? schemaRaw : typeof schemaRaw === "object" ? "code-review" : "plain";
     let templateContent;
@@ -49765,27 +49765,27 @@ async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
       logger.debug(`[LevelDispatch] Using inline template for ${checkId}`);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path30.resolve(process.cwd(), file);
-      templateContent = await fs26.readFile(resolved, "utf-8");
+      const resolved = path26.resolve(process.cwd(), file);
+      templateContent = await fs22.readFile(resolved, "utf-8");
       logger.debug(`[LevelDispatch] Using template file for ${checkId}: ${resolved}`);
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path30.join(__dirname, "output", sanitized, "template.liquid"),
+          path26.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path30.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path26.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source (from state-machine/states)
-          path30.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
+          path26.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
           // source (alternate)
-          path30.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path26.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path30.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path26.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs26.readFile(p, "utf-8");
+            templateContent = await fs22.readFile(p, "utf-8");
             if (templateContent) {
               logger.debug(`[LevelDispatch] Using schema template for ${checkId}: ${p}`);
               break;
@@ -51586,8 +51586,8 @@ var init_workspace_manager = __esm({
         );
         if (this.cleanupRequested && this.activeOperations === 0) {
           logger.debug(`[Workspace] All references released, proceeding with deferred cleanup`);
-          for (const resolve15 of this.cleanupResolvers) {
-            resolve15();
+          for (const resolve11 of this.cleanupResolvers) {
+            resolve11();
           }
           this.cleanupResolvers = [];
         }
@@ -51712,19 +51712,19 @@ var init_workspace_manager = __esm({
           );
           this.cleanupRequested = true;
           await Promise.race([
-            new Promise((resolve15) => {
+            new Promise((resolve11) => {
               if (this.activeOperations === 0) {
-                resolve15();
+                resolve11();
               } else {
-                this.cleanupResolvers.push(resolve15);
+                this.cleanupResolvers.push(resolve11);
               }
             }),
-            new Promise((resolve15) => {
+            new Promise((resolve11) => {
               setTimeout(() => {
                 logger.warn(
                   `[Workspace] Cleanup timeout after ${timeout}ms, proceeding anyway (${this.activeOperations} operations still active)`
                 );
-                resolve15();
+                resolve11();
               }, timeout);
             })
           ]);
@@ -52003,1264 +52003,6 @@ var init_build_engine_context = __esm({
   }
 });
-// src/policy/default-engine.ts
-var DefaultPolicyEngine;
-var init_default_engine = __esm({
-  "src/policy/default-engine.ts"() {
-    "use strict";
-    DefaultPolicyEngine = class {
-      async initialize(_config) {
-      }
-      async evaluateCheckExecution(_checkId, _checkConfig) {
-        return { allowed: true };
-      }
-      async evaluateToolInvocation(_serverName, _methodName, _transport) {
-        return { allowed: true };
-      }
-      async evaluateCapabilities(_checkId, _capabilities) {
-        return { allowed: true };
-      }
-      async shutdown() {
-      }
-    };
-  }
-});
-// src/enterprise/license/validator.ts
-var validator_exports = {};
-__export(validator_exports, {
-  LicenseValidator: () => LicenseValidator
-});
-var crypto2, fs19, path23, LicenseValidator;
-var init_validator = __esm({
-  "src/enterprise/license/validator.ts"() {
-    "use strict";
-    crypto2 = __toESM(require("crypto"));
-    fs19 = __toESM(require("fs"));
-    path23 = __toESM(require("path"));
-    LicenseValidator = class _LicenseValidator {
-      /** Ed25519 public key for license verification (PEM format). */
-      static PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n-----END PUBLIC KEY-----\n";
-      cache = null;
-      static CACHE_TTL = 5 * 60 * 1e3;
-      // 5 minutes
-      static GRACE_PERIOD = 72 * 3600 * 1e3;
-      // 72 hours after expiry
-      /**
-       * Load and validate license from environment or file.
-       *
-       * Resolution order:
-       * 1. VISOR_LICENSE env var (JWT string)
-       * 2. VISOR_LICENSE_FILE env var (path to file)
-       * 3. .visor-license in project root (cwd)
-       * 4. .visor-license in ~/.config/visor/
-       */
-      async loadAndValidate() {
-        if (this.cache && Date.now() - this.cache.validatedAt < _LicenseValidator.CACHE_TTL) {
-          return this.cache.payload;
-        }
-        const token = this.resolveToken();
-        if (!token) return null;
-        const payload = this.verifyAndDecode(token);
-        if (!payload) return null;
-        this.cache = { payload, validatedAt: Date.now() };
-        return payload;
-      }
-      /** Check if a specific feature is licensed */
-      hasFeature(feature) {
-        if (!this.cache) return false;
-        return this.cache.payload.features.includes(feature);
-      }
-      /** Check if license is valid (with grace period) */
-      isValid() {
-        if (!this.cache) return false;
-        const now = Date.now();
-        const expiryMs = this.cache.payload.exp * 1e3;
-        return now < expiryMs + _LicenseValidator.GRACE_PERIOD;
-      }
-      /** Check if the license is within its grace period (expired but still valid) */
-      isInGracePeriod() {
-        if (!this.cache) return false;
-        const now = Date.now();
-        const expiryMs = this.cache.payload.exp * 1e3;
-        return now >= expiryMs && now < expiryMs + _LicenseValidator.GRACE_PERIOD;
-      }
-      resolveToken() {
-        if (process.env.VISOR_LICENSE) {
-          return process.env.VISOR_LICENSE.trim();
-        }
-        if (process.env.VISOR_LICENSE_FILE) {
-          const resolved = path23.resolve(process.env.VISOR_LICENSE_FILE);
-          const home2 = process.env.HOME || process.env.USERPROFILE || "";
-          const allowedPrefixes = [path23.normalize(process.cwd())];
-          if (home2) allowedPrefixes.push(path23.normalize(path23.join(home2, ".config", "visor")));
-          let realPath;
-          try {
-            realPath = fs19.realpathSync(resolved);
-          } catch {
-            return null;
-          }
-          const isSafe = allowedPrefixes.some(
-            (prefix) => realPath === prefix || realPath.startsWith(prefix + path23.sep)
-          );
-          if (!isSafe) return null;
-          return this.readFile(realPath);
-        }
-        const cwdPath = path23.join(process.cwd(), ".visor-license");
-        const cwdToken = this.readFile(cwdPath);
-        if (cwdToken) return cwdToken;
-        const home = process.env.HOME || process.env.USERPROFILE || "";
-        if (home) {
-          const configPath = path23.join(home, ".config", "visor", ".visor-license");
-          const configToken = this.readFile(configPath);
-          if (configToken) return configToken;
-        }
-        return null;
-      }
-      readFile(filePath) {
-        try {
-          return fs19.readFileSync(filePath, "utf-8").trim();
-        } catch {
-          return null;
-        }
-      }
-      verifyAndDecode(token) {
-        try {
-          const parts = token.split(".");
-          if (parts.length !== 3) return null;
-          const [headerB64, payloadB64, signatureB64] = parts;
-          const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
-          if (header.alg !== "EdDSA") return null;
-          const data = `${headerB64}.${payloadB64}`;
-          const signature = Buffer.from(signatureB64, "base64url");
-          const publicKey = crypto2.createPublicKey(_LicenseValidator.PUBLIC_KEY);
-          if (publicKey.asymmetricKeyType !== "ed25519") {
-            return null;
-          }
-          const isValid = crypto2.verify(null, Buffer.from(data), publicKey, signature);
-          if (!isValid) return null;
-          const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
-          if (!payload.org || !Array.isArray(payload.features) || typeof payload.exp !== "number" || typeof payload.iat !== "number" || !payload.sub) {
-            return null;
-          }
-          const now = Date.now();
-          const expiryMs = payload.exp * 1e3;
-          if (now >= expiryMs + _LicenseValidator.GRACE_PERIOD) {
-            return null;
-          }
-          return payload;
-        } catch {
-          return null;
-        }
-      }
-    };
-  }
-});
-// src/enterprise/policy/opa-compiler.ts
-var fs20, path24, os, crypto3, import_child_process5, OpaCompiler;
-var init_opa_compiler = __esm({
-  "src/enterprise/policy/opa-compiler.ts"() {
-    "use strict";
-    fs20 = __toESM(require("fs"));
-    path24 = __toESM(require("path"));
-    os = __toESM(require("os"));
-    crypto3 = __toESM(require("crypto"));
-    import_child_process5 = require("child_process");
-    OpaCompiler = class _OpaCompiler {
-      static CACHE_DIR = path24.join(os.tmpdir(), "visor-opa-cache");
-      /**
-       * Resolve the input paths to WASM bytes.
-       *
-       * Strategy:
-       * 1. If any path is a .wasm file, read it directly
-       * 2. If a directory contains policy.wasm, read it
-       * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
-       */
-      async resolveWasmBytes(paths) {
-        const regoFiles = [];
-        for (const p of paths) {
-          const resolved = path24.resolve(p);
-          if (path24.normalize(resolved).includes("..")) {
-            throw new Error(`Policy path contains traversal sequences: ${p}`);
-          }
-          if (resolved.endsWith(".wasm") && fs20.existsSync(resolved)) {
-            return fs20.readFileSync(resolved);
-          }
-          if (!fs20.existsSync(resolved)) continue;
-          const stat = fs20.statSync(resolved);
-          if (stat.isDirectory()) {
-            const wasmCandidate = path24.join(resolved, "policy.wasm");
-            if (fs20.existsSync(wasmCandidate)) {
-              return fs20.readFileSync(wasmCandidate);
-            }
-            const files = fs20.readdirSync(resolved);
-            for (const f of files) {
-              if (f.endsWith(".rego")) {
-                regoFiles.push(path24.join(resolved, f));
-              }
-            }
-          } else if (resolved.endsWith(".rego")) {
-            regoFiles.push(resolved);
-          }
-        }
-        if (regoFiles.length === 0) {
-          throw new Error(
-            `OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(", ")}`
-          );
-        }
-        return this.compileRego(regoFiles);
-      }
-      /**
-       * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
-       *
-       * Caches the compiled bundle based on a content hash of all input .rego files
-       * so subsequent runs skip compilation if policies haven't changed.
-       */
-      compileRego(regoFiles) {
-        try {
-          (0, import_child_process5.execFileSync)("opa", ["version"], { stdio: "pipe" });
-        } catch {
-          throw new Error(
-            "OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\nOr pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz " + regoFiles.join(" ")
-          );
-        }
-        const hash = crypto3.createHash("sha256");
-        for (const f of regoFiles.sort()) {
-          hash.update(fs20.readFileSync(f));
-          hash.update(f);
-        }
-        const cacheKey = hash.digest("hex").slice(0, 16);
-        const cacheDir = _OpaCompiler.CACHE_DIR;
-        const cachedWasm = path24.join(cacheDir, `${cacheKey}.wasm`);
-        if (fs20.existsSync(cachedWasm)) {
-          return fs20.readFileSync(cachedWasm);
-        }
-        fs20.mkdirSync(cacheDir, { recursive: true });
-        const bundleTar = path24.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
-        try {
-          const args = [
-            "build",
-            "-t",
-            "wasm",
-            "-e",
-            "visor",
-            // entrypoint: the visor package tree
-            "-o",
-            bundleTar,
-            ...regoFiles
-          ];
-          (0, import_child_process5.execFileSync)("opa", args, {
-            stdio: "pipe",
-            timeout: 3e4
-          });
-        } catch (err) {
-          const stderr = err?.stderr?.toString() || "";
-          throw new Error(
-            `Failed to compile .rego files to WASM:
-${stderr}
-Ensure your .rego files are valid and the \`opa\` CLI is installed.`
-          );
-        }
-        try {
-          (0, import_child_process5.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "/policy.wasm"], {
-            stdio: "pipe"
-          });
-          const extractedWasm = path24.join(cacheDir, "policy.wasm");
-          if (fs20.existsSync(extractedWasm)) {
-            fs20.renameSync(extractedWasm, cachedWasm);
-          }
-        } catch {
-          try {
-            (0, import_child_process5.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "policy.wasm"], {
-              stdio: "pipe"
-            });
-            const extractedWasm = path24.join(cacheDir, "policy.wasm");
-            if (fs20.existsSync(extractedWasm)) {
-              fs20.renameSync(extractedWasm, cachedWasm);
-            }
-          } catch (err2) {
-            throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
-          }
-        }
-        try {
-          fs20.unlinkSync(bundleTar);
-        } catch {
-        }
-        if (!fs20.existsSync(cachedWasm)) {
-          throw new Error("OPA build succeeded but policy.wasm was not found in the bundle");
-        }
-        return fs20.readFileSync(cachedWasm);
-      }
-    };
-  }
-});
-// src/enterprise/policy/opa-wasm-evaluator.ts
-var fs21, path25, OpaWasmEvaluator;
-var init_opa_wasm_evaluator = __esm({
-  "src/enterprise/policy/opa-wasm-evaluator.ts"() {
-    "use strict";
-    fs21 = __toESM(require("fs"));
-    path25 = __toESM(require("path"));
-    init_opa_compiler();
-    OpaWasmEvaluator = class {
-      policy = null;
-      dataDocument = {};
-      compiler = new OpaCompiler();
-      async initialize(rulesPath) {
-        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
-        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
-        try {
-          const { createRequire } = require("module");
-          const runtimeRequire = createRequire(__filename);
-          const opaWasm = runtimeRequire("@open-policy-agent/opa-wasm");
-          const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
-          if (!loadPolicy) {
-            throw new Error("loadPolicy not found in @open-policy-agent/opa-wasm");
-          }
-          this.policy = await loadPolicy(wasmBytes);
-        } catch (err) {
-          if (err?.code === "MODULE_NOT_FOUND" || err?.code === "ERR_MODULE_NOT_FOUND") {
-            throw new Error(
-              "OPA WASM evaluator requires @open-policy-agent/opa-wasm. Install it with: npm install @open-policy-agent/opa-wasm"
-            );
-          }
-          throw err;
-        }
-      }
-      /**
-       * Load external data from a JSON file to use as the OPA data document.
-       * The loaded data will be passed to `policy.setData()` during evaluation,
-       * making it available in Rego via `data.<key>`.
-       */
-      loadData(dataPath) {
-        const resolved = path25.resolve(dataPath);
-        if (path25.normalize(resolved).includes("..")) {
-          throw new Error(`Data path contains traversal sequences: ${dataPath}`);
-        }
-        if (!fs21.existsSync(resolved)) {
-          throw new Error(`OPA data file not found: ${resolved}`);
-        }
-        const stat = fs21.statSync(resolved);
-        if (stat.size > 10 * 1024 * 1024) {
-          throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
-        }
-        const raw = fs21.readFileSync(resolved, "utf-8");
-        try {
-          const parsed = JSON.parse(raw);
-          if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
-            throw new Error("OPA data file must contain a JSON object (not an array or primitive)");
-          }
-          this.dataDocument = parsed;
-        } catch (err) {
-          if (err.message.startsWith("OPA data file must")) {
-            throw err;
-          }
-          throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
-        }
-      }
-      async evaluate(input) {
-        if (!this.policy) {
-          throw new Error("OPA WASM evaluator not initialized");
-        }
-        this.policy.setData(this.dataDocument);
-        const resultSet = this.policy.evaluate(input);
-        if (Array.isArray(resultSet) && resultSet.length > 0) {
-          return resultSet[0].result;
-        }
-        return void 0;
-      }
-      async shutdown() {
-        if (this.policy) {
-          if (typeof this.policy.close === "function") {
-            try {
-              this.policy.close();
-            } catch {
-            }
-          } else if (typeof this.policy.free === "function") {
-            try {
-              this.policy.free();
-            } catch {
-            }
-          }
-        }
-        this.policy = null;
-      }
-    };
-  }
-});
-// src/enterprise/policy/opa-http-evaluator.ts
-var OpaHttpEvaluator;
-var init_opa_http_evaluator = __esm({
-  "src/enterprise/policy/opa-http-evaluator.ts"() {
-    "use strict";
-    OpaHttpEvaluator = class {
-      baseUrl;
-      timeout;
-      constructor(baseUrl, timeout = 5e3) {
-        let parsed;
-        try {
-          parsed = new URL(baseUrl);
-        } catch {
-          throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
-        }
-        if (!["http:", "https:"].includes(parsed.protocol)) {
-          throw new Error(
-            `OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`
-          );
-        }
-        const hostname = parsed.hostname;
-        if (this.isBlockedHostname(hostname)) {
-          throw new Error(
-            `OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`
-          );
-        }
-        this.baseUrl = baseUrl.replace(/\/+$/, "");
-        this.timeout = timeout;
-      }
-      /**
-       * Check if a hostname is blocked due to SSRF concerns.
-       *
-       * Blocks:
-       * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
-       * - Link-local addresses (169.254.x.x)
-       * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
-       * - IPv6 unique local addresses (fd00::/8)
-       * - Cloud metadata services (*.internal)
-       */
-      isBlockedHostname(hostname) {
-        if (!hostname) return true;
-        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "");
-        if (normalized === "metadata.google.internal" || normalized.endsWith(".internal")) {
-          return true;
-        }
-        if (normalized === "localhost" || normalized === "localhost.localdomain") {
-          return true;
-        }
-        if (normalized === "::1" || normalized === "0:0:0:0:0:0:0:1") {
-          return true;
-        }
-        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
-        const ipv4Match = normalized.match(ipv4Pattern);
-        if (ipv4Match) {
-          const octets = ipv4Match.slice(1, 5).map(Number);
-          if (octets.some((octet) => octet > 255)) {
-            return false;
-          }
-          const [a, b] = octets;
-          if (a === 127) {
-            return true;
-          }
-          if (a === 0) {
-            return true;
-          }
-          if (a === 169 && b === 254) {
-            return true;
-          }
-          if (a === 10) {
-            return true;
-          }
-          if (a === 172 && b >= 16 && b <= 31) {
-            return true;
-          }
-          if (a === 192 && b === 168) {
-            return true;
-          }
-        }
-        if (normalized.startsWith("fd") || normalized.startsWith("fc")) {
-          return true;
-        }
-        if (normalized.startsWith("fe80:")) {
-          return true;
-        }
-        return false;
-      }
-      /**
-       * Evaluate a policy rule against an input document via OPA REST API.
-       *
-       * @param input - The input document to evaluate
-       * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
-       * @returns The result object from OPA, or undefined on error
-       */
-      async evaluate(input, rulePath) {
-        const encodedPath = rulePath.split("/").map((s) => encodeURIComponent(s)).join("/");
-        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), this.timeout);
-        try {
-          const response = await fetch(url, {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify({ input }),
-            signal: controller.signal
-          });
-          if (!response.ok) {
-            throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
-          }
-          let body;
-          try {
-            body = await response.json();
-          } catch (jsonErr) {
-            throw new Error(
-              `OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`
-            );
-          }
-          return body?.result;
-        } finally {
-          clearTimeout(timer);
-        }
-      }
-      async shutdown() {
-      }
-    };
-  }
-});
-// src/enterprise/policy/policy-input-builder.ts
-var PolicyInputBuilder;
-var init_policy_input_builder = __esm({
-  "src/enterprise/policy/policy-input-builder.ts"() {
-    "use strict";
-    PolicyInputBuilder = class {
-      roles;
-      actor;
-      repository;
-      pullRequest;
-      constructor(policyConfig, actor, repository, pullRequest) {
-        this.roles = policyConfig.roles || {};
-        this.actor = actor;
-        this.repository = repository;
-        this.pullRequest = pullRequest;
-      }
-      /** Resolve which roles apply to the current actor. */
-      resolveRoles() {
-        const matched = [];
-        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
-          let identityMatch = false;
-          if (roleConfig.author_association && this.actor.authorAssociation && roleConfig.author_association.includes(this.actor.authorAssociation)) {
-            identityMatch = true;
-          }
-          if (!identityMatch && roleConfig.users && this.actor.login && roleConfig.users.includes(this.actor.login)) {
-            identityMatch = true;
-          }
-          if (!identityMatch && roleConfig.slack_users && this.actor.slack?.userId && roleConfig.slack_users.includes(this.actor.slack.userId)) {
-            identityMatch = true;
-          }
-          if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
-            const actorEmail = this.actor.slack.email.toLowerCase();
-            if (roleConfig.emails.some((e) => e.toLowerCase() === actorEmail)) {
-              identityMatch = true;
-            }
-          }
-          if (!identityMatch) continue;
-          if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
-            if (!this.actor.slack?.channelId || !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
-              continue;
-            }
-          }
-          matched.push(roleName);
-        }
-        return matched;
-      }
-      buildActor() {
-        return {
-          authorAssociation: this.actor.authorAssociation,
-          login: this.actor.login,
-          roles: this.resolveRoles(),
-          isLocalMode: this.actor.isLocalMode,
-          ...this.actor.slack && { slack: this.actor.slack }
-        };
-      }
-      forCheckExecution(check) {
-        return {
-          scope: "check.execute",
-          check: {
-            id: check.id,
-            type: check.type,
-            group: check.group,
-            tags: check.tags,
-            criticality: check.criticality,
-            sandbox: check.sandbox,
-            policy: check.policy
-          },
-          actor: this.buildActor(),
-          repository: this.repository,
-          pullRequest: this.pullRequest
-        };
-      }
-      forToolInvocation(serverName, methodName, transport) {
-        return {
-          scope: "tool.invoke",
-          tool: { serverName, methodName, transport },
-          actor: this.buildActor(),
-          repository: this.repository,
-          pullRequest: this.pullRequest
-        };
-      }
-      forCapabilityResolve(checkId, capabilities) {
-        return {
-          scope: "capability.resolve",
-          check: { id: checkId, type: "ai" },
-          capability: capabilities,
-          actor: this.buildActor(),
-          repository: this.repository,
-          pullRequest: this.pullRequest
-        };
-      }
-    };
-  }
-});
-// src/enterprise/policy/opa-policy-engine.ts
-var opa_policy_engine_exports = {};
-__export(opa_policy_engine_exports, {
-  OpaPolicyEngine: () => OpaPolicyEngine
-});
-var OpaPolicyEngine;
-var init_opa_policy_engine = __esm({
-  "src/enterprise/policy/opa-policy-engine.ts"() {
-    "use strict";
-    init_opa_wasm_evaluator();
-    init_opa_http_evaluator();
-    init_policy_input_builder();
-    OpaPolicyEngine = class {
-      evaluator = null;
-      fallback;
-      timeout;
-      config;
-      inputBuilder = null;
-      logger = null;
-      constructor(config) {
-        this.config = config;
-        this.fallback = config.fallback || "deny";
-        this.timeout = config.timeout || 5e3;
-      }
-      async initialize(config) {
-        try {
-          this.logger = (init_logger(), __toCommonJS(logger_exports)).logger;
-        } catch {
-        }
-        const actor = {
-          authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
-          login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
-          isLocalMode: !process.env.GITHUB_ACTIONS
-        };
-        const repo = {
-          owner: process.env.GITHUB_REPOSITORY_OWNER,
-          name: process.env.GITHUB_REPOSITORY?.split("/")[1],
-          branch: process.env.GITHUB_HEAD_REF,
-          baseBranch: process.env.GITHUB_BASE_REF,
-          event: process.env.GITHUB_EVENT_NAME
-        };
-        const prNum = process.env.GITHUB_PR_NUMBER ? parseInt(process.env.GITHUB_PR_NUMBER, 10) : void 0;
-        const pullRequest = {
-          number: prNum !== void 0 && Number.isFinite(prNum) ? prNum : void 0
-        };
-        this.inputBuilder = new PolicyInputBuilder(config, actor, repo, pullRequest);
-        if (config.engine === "local") {
-          if (!config.rules) {
-            throw new Error("OPA local mode requires `policy.rules` path to .wasm or .rego files");
-          }
-          const wasm = new OpaWasmEvaluator();
-          await wasm.initialize(config.rules);
-          if (config.data) {
-            wasm.loadData(config.data);
-          }
-          this.evaluator = wasm;
-        } else if (config.engine === "remote") {
-          if (!config.url) {
-            throw new Error("OPA remote mode requires `policy.url` pointing to OPA server");
-          }
-          this.evaluator = new OpaHttpEvaluator(config.url, this.timeout);
-        } else {
-          this.evaluator = null;
-        }
-      }
-      /**
-       * Update actor/repo/PR context (e.g., after PR info becomes available).
-       * Called by the enterprise loader when engine context is enriched.
-       */
-      setActorContext(actor, repo, pullRequest) {
-        this.inputBuilder = new PolicyInputBuilder(this.config, actor, repo, pullRequest);
-      }
-      async evaluateCheckExecution(checkId, checkConfig) {
-        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
-        const cfg = checkConfig && typeof checkConfig === "object" ? checkConfig : {};
-        const policyOverride = cfg.policy;
-        const input = this.inputBuilder.forCheckExecution({
-          id: checkId,
-          type: cfg.type || "ai",
-          group: cfg.group,
-          tags: cfg.tags,
-          criticality: cfg.criticality,
-          sandbox: cfg.sandbox,
-          policy: policyOverride
-        });
-        return this.doEvaluate(input, this.resolveRulePath("check.execute", policyOverride?.rule));
-      }
-      async evaluateToolInvocation(serverName, methodName, transport) {
-        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
-        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
-        return this.doEvaluate(input, "visor/tool/invoke");
-      }
-      async evaluateCapabilities(checkId, capabilities) {
-        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
-        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
-        return this.doEvaluate(input, "visor/capability/resolve");
-      }
-      async shutdown() {
-        if (this.evaluator && "shutdown" in this.evaluator) {
-          await this.evaluator.shutdown();
-        }
-        this.evaluator = null;
-        this.inputBuilder = null;
-      }
-      resolveRulePath(defaultScope, override) {
-        if (override) {
-          return override.startsWith("visor/") ? override : `visor/${override}`;
-        }
-        return `visor/${defaultScope.replace(/\./g, "/")}`;
-      }
-      async doEvaluate(input, rulePath) {
-        try {
-          this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
-          let timer;
-          const timeoutPromise = new Promise((_resolve, reject) => {
-            timer = setTimeout(() => reject(new Error("policy evaluation timeout")), this.timeout);
-          });
-          try {
-            const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
-            const decision = this.parseDecision(result);
-            if (!decision.allowed && this.fallback === "warn") {
-              decision.allowed = true;
-              decision.warn = true;
-              decision.reason = `audit: ${decision.reason || "policy denied"}`;
-            }
-            this.logger?.debug(
-              `[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || "none"}`
-            );
-            return decision;
-          } finally {
-            if (timer) clearTimeout(timer);
-          }
-        } catch (err) {
-          const msg = err instanceof Error ? err.message : String(err);
-          this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
-          return {
-            allowed: this.fallback === "allow" || this.fallback === "warn",
-            warn: this.fallback === "warn" ? true : void 0,
-            reason: `policy evaluation failed, fallback=${this.fallback}`
-          };
-        }
-      }
-      async rawEvaluate(input, rulePath) {
-        if (this.evaluator instanceof OpaWasmEvaluator) {
-          const result = await this.evaluator.evaluate(input);
-          return this.navigateWasmResult(result, rulePath);
-        }
-        return this.evaluator.evaluate(input, rulePath);
-      }
-      /**
-       * Navigate nested OPA WASM result tree to reach the specific rule's output.
-       * The WASM entrypoint `-e visor` means the result root IS the visor package,
-       * so we strip the `visor/` prefix and walk the remaining segments.
-       */
-      navigateWasmResult(result, rulePath) {
-        if (!result || typeof result !== "object") return result;
-        const segments = rulePath.replace(/^visor\//, "").split("/");
-        let current = result;
-        for (const seg of segments) {
-          if (current && typeof current === "object" && seg in current) {
-            current = current[seg];
-          } else {
-            return void 0;
-          }
-        }
-        return current;
-      }
-      parseDecision(result) {
-        if (result === void 0 || result === null) {
-          return {
-            allowed: this.fallback === "allow" || this.fallback === "warn",
-            warn: this.fallback === "warn" ? true : void 0,
-            reason: this.fallback === "warn" ? "audit: no policy result" : "no policy result"
-          };
-        }
-        const allowed = result.allowed !== false;
-        const decision = {
-          allowed,
-          reason: result.reason
-        };
-        if (result.capabilities) {
-          decision.capabilities = result.capabilities;
-        }
-        return decision;
-      }
-    };
-  }
-});
-// src/enterprise/scheduler/knex-store.ts
-var knex_store_exports = {};
-__export(knex_store_exports, {
-  KnexStoreBackend: () => KnexStoreBackend
-});
-function toNum(val) {
-  if (val === null || val === void 0) return void 0;
-  return typeof val === "string" ? parseInt(val, 10) : val;
-}
-function safeJsonParse2(value) {
-  if (!value) return void 0;
-  try {
-    return JSON.parse(value);
-  } catch {
-    return void 0;
-  }
-}
-function fromDbRow2(row) {
-  return {
-    id: row.id,
-    creatorId: row.creator_id,
-    creatorContext: row.creator_context ?? void 0,
-    creatorName: row.creator_name ?? void 0,
-    timezone: row.timezone,
-    schedule: row.schedule_expr,
-    runAt: toNum(row.run_at),
-    isRecurring: row.is_recurring === true || row.is_recurring === 1,
-    originalExpression: row.original_expression,
-    workflow: row.workflow ?? void 0,
-    workflowInputs: safeJsonParse2(row.workflow_inputs),
-    outputContext: safeJsonParse2(row.output_context),
-    status: row.status,
-    createdAt: toNum(row.created_at),
-    lastRunAt: toNum(row.last_run_at),
-    nextRunAt: toNum(row.next_run_at),
-    runCount: row.run_count,
-    failureCount: row.failure_count,
-    lastError: row.last_error ?? void 0,
-    previousResponse: row.previous_response ?? void 0
-  };
-}
-function toInsertRow(schedule) {
-  return {
-    id: schedule.id,
-    creator_id: schedule.creatorId,
-    creator_context: schedule.creatorContext ?? null,
-    creator_name: schedule.creatorName ?? null,
-    timezone: schedule.timezone,
-    schedule_expr: schedule.schedule,
-    run_at: schedule.runAt ?? null,
-    is_recurring: schedule.isRecurring,
-    original_expression: schedule.originalExpression,
-    workflow: schedule.workflow ?? null,
-    workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
-    output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
-    status: schedule.status,
-    created_at: schedule.createdAt,
-    last_run_at: schedule.lastRunAt ?? null,
-    next_run_at: schedule.nextRunAt ?? null,
-    run_count: schedule.runCount,
-    failure_count: schedule.failureCount,
-    last_error: schedule.lastError ?? null,
-    previous_response: schedule.previousResponse ?? null
-  };
-}
-var fs22, path26, import_uuid2, KnexStoreBackend;
-var init_knex_store = __esm({
-  "src/enterprise/scheduler/knex-store.ts"() {
-    "use strict";
-    fs22 = __toESM(require("fs"));
-    path26 = __toESM(require("path"));
-    import_uuid2 = require("uuid");
-    init_logger();
-    KnexStoreBackend = class {
-      knex = null;
-      driver;
-      connection;
-      constructor(driver, storageConfig, _haConfig) {
-        this.driver = driver;
-        this.connection = storageConfig.connection || {};
-      }
-      async initialize() {
-        const { createRequire } = require("module");
-        const runtimeRequire = createRequire(__filename);
-        let knexFactory;
-        try {
-          knexFactory = runtimeRequire("knex");
-        } catch (err) {
-          const code = err?.code;
-          if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
-            throw new Error(
-              "knex is required for PostgreSQL/MySQL/MSSQL schedule storage. Install it with: npm install knex"
-            );
-          }
-          throw err;
-        }
-        const clientMap = {
-          postgresql: "pg",
-          mysql: "mysql2",
-          mssql: "tedious"
-        };
-        const client = clientMap[this.driver];
-        let connection;
-        if (this.connection.connection_string) {
-          connection = this.connection.connection_string;
-        } else if (this.driver === "mssql") {
-          connection = this.buildMssqlConnection();
-        } else {
-          connection = this.buildStandardConnection();
-        }
-        this.knex = knexFactory({
-          client,
-          connection,
-          pool: {
-            min: this.connection.pool?.min ?? 0,
-            max: this.connection.pool?.max ?? 10
-          }
-        });
-        await this.migrateSchema();
-        logger.info(`[KnexStore] Initialized (${this.driver})`);
-      }
-      buildStandardConnection() {
-        return {
-          host: this.connection.host || "localhost",
-          port: this.connection.port,
-          database: this.connection.database || "visor",
-          user: this.connection.user,
-          password: this.connection.password,
-          ssl: this.resolveSslConfig()
-        };
-      }
-      buildMssqlConnection() {
-        const ssl = this.connection.ssl;
-        const sslEnabled = ssl === true || typeof ssl === "object" && ssl.enabled !== false;
-        return {
-          server: this.connection.host || "localhost",
-          port: this.connection.port,
-          database: this.connection.database || "visor",
-          user: this.connection.user,
-          password: this.connection.password,
-          options: {
-            encrypt: sslEnabled,
-            trustServerCertificate: typeof ssl === "object" ? ssl.reject_unauthorized === false : !sslEnabled
-          }
-        };
-      }
-      resolveSslConfig() {
-        const ssl = this.connection.ssl;
-        if (ssl === false || ssl === void 0) return false;
-        if (ssl === true) return { rejectUnauthorized: true };
-        if (ssl.enabled === false) return false;
-        const result = {
-          rejectUnauthorized: ssl.reject_unauthorized !== false
-        };
-        if (ssl.ca) {
-          const caPath = this.validateSslPath(ssl.ca, "CA certificate");
-          result.ca = fs22.readFileSync(caPath, "utf8");
-        }
-        if (ssl.cert) {
-          const certPath = this.validateSslPath(ssl.cert, "client certificate");
-          result.cert = fs22.readFileSync(certPath, "utf8");
-        }
-        if (ssl.key) {
-          const keyPath = this.validateSslPath(ssl.key, "client key");
-          result.key = fs22.readFileSync(keyPath, "utf8");
-        }
-        return result;
-      }
-      validateSslPath(filePath, label) {
-        const resolved = path26.resolve(filePath);
-        if (resolved !== path26.normalize(resolved)) {
-          throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
-        }
-        if (!fs22.existsSync(resolved)) {
-          throw new Error(`SSL ${label} not found: ${filePath}`);
-        }
-        return resolved;
-      }
-      async shutdown() {
-        if (this.knex) {
-          await this.knex.destroy();
-          this.knex = null;
-        }
-      }
-      async migrateSchema() {
-        const knex = this.getKnex();
-        const exists = await knex.schema.hasTable("schedules");
-        if (!exists) {
-          await knex.schema.createTable("schedules", (table) => {
-            table.string("id", 36).primary();
-            table.string("creator_id", 255).notNullable().index();
-            table.string("creator_context", 255);
-            table.string("creator_name", 255);
-            table.string("timezone", 64).notNullable().defaultTo("UTC");
-            table.string("schedule_expr", 255);
-            table.bigInteger("run_at");
-            table.boolean("is_recurring").notNullable();
-            table.text("original_expression");
-            table.string("workflow", 255);
-            table.text("workflow_inputs");
-            table.text("output_context");
-            table.string("status", 20).notNullable().index();
-            table.bigInteger("created_at").notNullable();
-            table.bigInteger("last_run_at");
-            table.bigInteger("next_run_at");
-            table.integer("run_count").notNullable().defaultTo(0);
-            table.integer("failure_count").notNullable().defaultTo(0);
-            table.text("last_error");
-            table.text("previous_response");
-            table.index(["status", "next_run_at"]);
-          });
-        }
-        const locksExist = await knex.schema.hasTable("scheduler_locks");
-        if (!locksExist) {
-          await knex.schema.createTable("scheduler_locks", (table) => {
-            table.string("lock_id", 255).primary();
-            table.string("node_id", 255).notNullable();
-            table.string("lock_token", 36).notNullable();
-            table.bigInteger("acquired_at").notNullable();
-            table.bigInteger("expires_at").notNullable();
-          });
-        }
-      }
-      getKnex() {
-        if (!this.knex) {
-          throw new Error("[KnexStore] Not initialized. Call initialize() first.");
-        }
-        return this.knex;
-      }
-      // --- CRUD ---
-      async create(schedule) {
-        const knex = this.getKnex();
-        const newSchedule = {
-          ...schedule,
-          id: (0, import_uuid2.v4)(),
-          createdAt: Date.now(),
-          runCount: 0,
-          failureCount: 0,
-          status: "active"
-        };
-        await knex("schedules").insert(toInsertRow(newSchedule));
-        logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
-        return newSchedule;
-      }
-      async importSchedule(schedule) {
-        const knex = this.getKnex();
-        const existing = await knex("schedules").where("id", schedule.id).first();
-        if (existing) return;
-        await knex("schedules").insert(toInsertRow(schedule));
-      }
-      async get(id) {
-        const knex = this.getKnex();
-        const row = await knex("schedules").where("id", id).first();
-        return row ? fromDbRow2(row) : void 0;
-      }
-      async update(id, patch) {
-        const knex = this.getKnex();
-        const existing = await knex("schedules").where("id", id).first();
-        if (!existing) return void 0;
-        const current = fromDbRow2(existing);
-        const updated = { ...current, ...patch, id: current.id };
-        const row = toInsertRow(updated);
-        delete row.id;
-        await knex("schedules").where("id", id).update(row);
-        return updated;
-      }
-      async delete(id) {
-        const knex = this.getKnex();
-        const deleted = await knex("schedules").where("id", id).del();
-        if (deleted > 0) {
-          logger.info(`[KnexStore] Deleted schedule ${id}`);
-          return true;
-        }
-        return false;
-      }
-      // --- Queries ---
-      async getByCreator(creatorId) {
-        const knex = this.getKnex();
-        const rows = await knex("schedules").where("creator_id", creatorId);
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getActiveSchedules() {
-        const knex = this.getKnex();
-        const rows = await knex("schedules").where("status", "active");
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getDueSchedules(now) {
-        const ts = now ?? Date.now();
-        const knex = this.getKnex();
-        const bFalse = this.driver === "mssql" ? 0 : false;
-        const bTrue = this.driver === "mssql" ? 1 : true;
-        const rows = await knex("schedules").where("status", "active").andWhere(function() {
-          this.where(function() {
-            this.where("is_recurring", bFalse).whereNotNull("run_at").where("run_at", "<=", ts);
-          }).orWhere(function() {
-            this.where("is_recurring", bTrue).whereNotNull("next_run_at").where("next_run_at", "<=", ts);
-          });
-        });
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async findByWorkflow(creatorId, workflowName) {
-        const knex = this.getKnex();
-        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, "\\$&");
-        const pattern = `%${escaped}%`;
-        const rows = await knex("schedules").where("creator_id", creatorId).where("status", "active").whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getAll() {
-        const knex = this.getKnex();
-        const rows = await knex("schedules");
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getStats() {
-        const knex = this.getKnex();
-        const boolTrue = this.driver === "mssql" ? "1" : "true";
-        const boolFalse = this.driver === "mssql" ? "0" : "false";
-        const result = await knex("schedules").select(
-          knex.raw("COUNT(*) as total"),
-          knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"),
-          knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"),
-          knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"),
-          knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"),
-          knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`),
-          knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`)
-        ).first();
-        return {
-          total: Number(result.total) || 0,
-          active: Number(result.active) || 0,
-          paused: Number(result.paused) || 0,
-          completed: Number(result.completed) || 0,
-          failed: Number(result.failed) || 0,
-          recurring: Number(result.recurring) || 0,
-          oneTime: Number(result.one_time) || 0
-        };
-      }
-      async validateLimits(creatorId, isRecurring, limits) {
-        const knex = this.getKnex();
-        if (limits.maxGlobal) {
-          const result = await knex("schedules").count("* as cnt").first();
-          if (Number(result?.cnt) >= limits.maxGlobal) {
-            throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
-          }
-        }
-        if (limits.maxPerUser) {
-          const result = await knex("schedules").where("creator_id", creatorId).count("* as cnt").first();
-          if (Number(result?.cnt) >= limits.maxPerUser) {
-            throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
-          }
-        }
-        if (isRecurring && limits.maxRecurringPerUser) {
-          const bTrue = this.driver === "mssql" ? 1 : true;
-          const result = await knex("schedules").where("creator_id", creatorId).where("is_recurring", bTrue).count("* as cnt").first();
-          if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
-            throw new Error(
-              `You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`
-            );
-          }
-        }
-      }
-      // --- HA Distributed Locking (via scheduler_locks table) ---
-      async tryAcquireLock(lockId, nodeId, ttlSeconds) {
-        const knex = this.getKnex();
-        const now = Date.now();
-        const expiresAt = now + ttlSeconds * 1e3;
-        const token = (0, import_uuid2.v4)();
-        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("expires_at", "<", now).update({
-          node_id: nodeId,
-          lock_token: token,
-          acquired_at: now,
-          expires_at: expiresAt
-        });
-        if (updated > 0) return token;
-        try {
-          await knex("scheduler_locks").insert({
-            lock_id: lockId,
-            node_id: nodeId,
-            lock_token: token,
-            acquired_at: now,
-            expires_at: expiresAt
-          });
-          return token;
-        } catch {
-          return null;
-        }
-      }
-      async releaseLock(lockId, lockToken) {
-        const knex = this.getKnex();
-        await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).del();
-      }
-      async renewLock(lockId, lockToken, ttlSeconds) {
-        const knex = this.getKnex();
-        const now = Date.now();
-        const expiresAt = now + ttlSeconds * 1e3;
-        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).update({ acquired_at: now, expires_at: expiresAt });
-        return updated > 0;
-      }
-      async flush() {
-      }
-    };
-  }
-});
-// src/enterprise/loader.ts
-var loader_exports = {};
-__export(loader_exports, {
-  loadEnterprisePolicyEngine: () => loadEnterprisePolicyEngine,
-  loadEnterpriseStoreBackend: () => loadEnterpriseStoreBackend
-});
-async function loadEnterprisePolicyEngine(config) {
-  try {
-    const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
-    const validator = new LicenseValidator2();
-    const license = await validator.loadAndValidate();
-    if (!license || !validator.hasFeature("policy")) {
-      return new DefaultPolicyEngine();
-    }
-    if (validator.isInGracePeriod()) {
-      console.warn(
-        "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
-      );
-    }
-    const { OpaPolicyEngine: OpaPolicyEngine2 } = await Promise.resolve().then(() => (init_opa_policy_engine(), opa_policy_engine_exports));
-    const engine = new OpaPolicyEngine2(config);
-    await engine.initialize(config);
-    return engine;
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    try {
-      const { logger: logger2 } = (init_logger(), __toCommonJS(logger_exports));
-      logger2.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
-    } catch {
-    }
-    return new DefaultPolicyEngine();
-  }
-}
-async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
-  const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
-  const validator = new LicenseValidator2();
-  const license = await validator.loadAndValidate();
-  if (!license || !validator.hasFeature("scheduler-sql")) {
-    throw new Error(
-      `The ${driver} schedule storage driver requires a Visor Enterprise license with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`
-    );
-  }
-  if (validator.isInGracePeriod()) {
-    console.warn(
-      "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
-    );
-  }
-  const { KnexStoreBackend: KnexStoreBackend2 } = await Promise.resolve().then(() => (init_knex_store(), knex_store_exports));
-  return new KnexStoreBackend2(driver, storageConfig, haConfig);
-}
-var init_loader = __esm({
-  "src/enterprise/loader.ts"() {
-    "use strict";
-    init_default_engine();
-  }
-});
 // src/event-bus/event-bus.ts
 var event_bus_exports = {};
 __export(event_bus_exports, {
@@ -54167,8 +52909,8 @@ ${content}
        * Sleep utility
        */
       sleep(ms) {
-        return new Promise((resolve15) => {
-          const t = setTimeout(resolve15, ms);
+        return new Promise((resolve11) => {
+          const t = setTimeout(resolve11, ms);
           if (typeof t.unref === "function") {
             try {
               t.unref();
@@ -54442,8 +53184,8 @@ ${end}`);
       async updateGroupedComment(ctx, comments, group, changedIds) {
         const existingLock = this.updateLocks.get(group);
         let resolveLock;
-        const ourLock = new Promise((resolve15) => {
-          resolveLock = resolve15;
+        const ourLock = new Promise((resolve11) => {
+          resolveLock = resolve11;
         });
         this.updateLocks.set(group, ourLock);
         try {
@@ -54755,7 +53497,7 @@ ${blocks}
        * Sleep utility for enforcing delays
        */
       sleep(ms) {
-        return new Promise((resolve15) => setTimeout(resolve15, ms));
+        return new Promise((resolve11) => setTimeout(resolve11, ms));
       }
     };
   }
@@ -55070,17 +53812,17 @@ function extractMermaidDiagrams(text) {
   return diagrams;
 }
 async function renderMermaidToPng(mermaidCode) {
-  const tmpDir = os2.tmpdir();
-  const inputFile = path28.join(
+  const tmpDir = os.tmpdir();
+  const inputFile = path24.join(
     tmpDir,
     `mermaid-${Date.now()}-${Math.random().toString(36).slice(2)}.mmd`
   );
-  const outputFile = path28.join(
+  const outputFile = path24.join(
     tmpDir,
     `mermaid-${Date.now()}-${Math.random().toString(36).slice(2)}.png`
   );
   try {
-    fs24.writeFileSync(inputFile, mermaidCode, "utf-8");
+    fs20.writeFileSync(inputFile, mermaidCode, "utf-8");
     const chromiumPaths = [
       "/usr/bin/chromium",
       "/usr/bin/chromium-browser",
@@ -55089,7 +53831,7 @@ async function renderMermaidToPng(mermaidCode) {
     ];
     let chromiumPath;
     for (const p of chromiumPaths) {
-      if (fs24.existsSync(p)) {
+      if (fs20.existsSync(p)) {
         chromiumPath = p;
         break;
       }
@@ -55098,8 +53840,8 @@ async function renderMermaidToPng(mermaidCode) {
     if (chromiumPath) {
       env.PUPPETEER_EXECUTABLE_PATH = chromiumPath;
     }
-    const result = await new Promise((resolve15) => {
-      const proc = (0, import_child_process6.spawn)(
+    const result = await new Promise((resolve11) => {
+      const proc = (0, import_child_process5.spawn)(
         "npx",
         [
           "--yes",
@@ -55128,32 +53870,32 @@ async function renderMermaidToPng(mermaidCode) {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve15({ success: true });
+          resolve11({ success: true });
         } else {
-          resolve15({ success: false, error: stderr || `Exit code ${code}` });
+          resolve11({ success: false, error: stderr || `Exit code ${code}` });
         }
       });
       proc.on("error", (err) => {
-        resolve15({ success: false, error: err.message });
+        resolve11({ success: false, error: err.message });
       });
     });
     if (!result.success) {
       console.warn(`Mermaid rendering failed: ${result.error}`);
       return null;
     }
-    if (!fs24.existsSync(outputFile)) {
+    if (!fs20.existsSync(outputFile)) {
       console.warn("Mermaid output file not created");
       return null;
     }
-    const pngBuffer = fs24.readFileSync(outputFile);
+    const pngBuffer = fs20.readFileSync(outputFile);
     return pngBuffer;
   } catch (e) {
     console.warn(`Mermaid rendering error: ${e instanceof Error ? e.message : String(e)}`);
     return null;
   } finally {
     try {
-      if (fs24.existsSync(inputFile)) fs24.unlinkSync(inputFile);
-      if (fs24.existsSync(outputFile)) fs24.unlinkSync(outputFile);
+      if (fs20.existsSync(inputFile)) fs20.unlinkSync(inputFile);
+      if (fs20.existsSync(outputFile)) fs20.unlinkSync(outputFile);
     } catch {
     }
   }
@@ -55258,14 +54000,14 @@ function replaceFileSections(text, sections, replacement = (idx) => `_(See file:
 function formatSlackText(text) {
   return markdownToSlack(text);
 }
-var import_child_process6, fs24, path28, os2;
+var import_child_process5, fs20, path24, os;
 var init_markdown = __esm({
   "src/slack/markdown.ts"() {
     "use strict";
-    import_child_process6 = require("child_process");
-    fs24 = __toESM(require("fs"));
-    path28 = __toESM(require("path"));
-    os2 = __toESM(require("os"));
+    import_child_process5 = require("child_process");
+    fs20 = __toESM(require("fs"));
+    path24 = __toESM(require("path"));
+    os = __toESM(require("os"));
   }
 });
@@ -56241,15 +54983,15 @@ function serializeRunState(state) {
     ])
   };
 }
-var path29, fs25, StateMachineExecutionEngine;
+var path25, fs21, StateMachineExecutionEngine;
 var init_state_machine_execution_engine = __esm({
   "src/state-machine-execution-engine.ts"() {
     "use strict";
     init_runner();
     init_logger();
     init_sandbox_manager();
-    path29 = __toESM(require("path"));
-    fs25 = __toESM(require("fs"));
+    path25 = __toESM(require("path"));
+    fs21 = __toESM(require("fs"));
     StateMachineExecutionEngine = class _StateMachineExecutionEngine {
       workingDirectory;
       executionContext;
@@ -56481,8 +55223,8 @@ var init_state_machine_execution_engine = __esm({
             logger.debug(
               `[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`
             );
-            const { loadEnterprisePolicyEngine: loadEnterprisePolicyEngine2 } = await Promise.resolve().then(() => (init_loader(), loader_exports));
-            context2.policyEngine = await loadEnterprisePolicyEngine2(configWithTagFilter.policy);
+            const { loadEnterprisePolicyEngine } = await import("./enterprise/loader");
+            context2.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
             logger.debug(
               `[PolicyEngine] Initialized: ${context2.policyEngine?.constructor?.name || "unknown"}`
             );
@@ -56634,9 +55376,9 @@ var init_state_machine_execution_engine = __esm({
                   }
                   const checkId = String(ev?.checkId || "unknown");
                   const threadKey = ev?.threadKey || (channel && threadTs ? `${channel}:${threadTs}` : "session");
-                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path29.resolve(process.cwd(), ".visor", "snapshots");
-                  fs25.mkdirSync(baseDir, { recursive: true });
-                  const filePath = path29.join(baseDir, `${threadKey}-${checkId}.json`);
+                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path25.resolve(process.cwd(), ".visor", "snapshots");
+                  fs21.mkdirSync(baseDir, { recursive: true });
+                  const filePath = path25.join(baseDir, `${threadKey}-${checkId}.json`);
                   await this.saveSnapshotToFile(filePath);
                   logger.info(`[Snapshot] Saved run snapshot: ${filePath}`);
                   try {
@@ -56777,7 +55519,7 @@ var init_state_machine_execution_engine = __esm({
        * Does not include secrets. Intended for debugging and future resume support.
        */
       async saveSnapshotToFile(filePath) {
-        const fs26 = await import("fs/promises");
+        const fs22 = await import("fs/promises");
         const ctx = this._lastContext;
         const runner = this._lastRunner;
         if (!ctx || !runner) {
@@ -56797,14 +55539,14 @@ var init_state_machine_execution_engine = __esm({
           journal: entries,
           requestedChecks: ctx.requestedChecks || []
         };
-        await fs26.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
+        await fs22.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
       }
       /**
        * Load a snapshot JSON from file and return it. Resume support can build on this.
        */
       async loadSnapshotFromFile(filePath) {
-        const fs26 = await import("fs/promises");
-        const raw = await fs26.readFile(filePath, "utf8");
+        const fs22 = await import("fs/promises");
+        const raw = await fs22.readFile(filePath, "utf8");
         return JSON.parse(raw);
       }
       /**