@probelabs/visor 0.1.140 → 0.1.141-ee

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (62) hide show
  1. package/dist/index.js +1750 -30
  2. package/dist/providers/api-tool-executor.d.ts.map +1 -1
  3. package/dist/providers/mcp-check-provider.d.ts.map +1 -1
  4. package/dist/sdk/{check-provider-registry-6SRGE5JN.mjs → check-provider-registry-4XMVWKTZ.mjs} +2 -2
  5. package/dist/sdk/{check-provider-registry-CG7WRFNN.mjs → check-provider-registry-C5UOX4YX.mjs} +3 -3
  6. package/dist/sdk/{chunk-VEBZPZKL.mjs → chunk-IU2I3ING.mjs} +29 -10
  7. package/dist/sdk/chunk-IU2I3ING.mjs.map +1 -0
  8. package/dist/sdk/{chunk-OUAGXG4P.mjs → chunk-YVSU5WUL.mjs} +35 -16
  9. package/dist/sdk/chunk-YVSU5WUL.mjs.map +1 -0
  10. package/dist/sdk/{host-ZO7W7TJ7.mjs → host-RF2UEKMG.mjs} +2 -2
  11. package/dist/sdk/knex-store-HPXJILBL.mjs +411 -0
  12. package/dist/sdk/knex-store-HPXJILBL.mjs.map +1 -0
  13. package/dist/sdk/loader-ZC5G3JGJ.mjs +89 -0
  14. package/dist/sdk/loader-ZC5G3JGJ.mjs.map +1 -0
  15. package/dist/sdk/opa-policy-engine-S2S2ULEI.mjs +655 -0
  16. package/dist/sdk/opa-policy-engine-S2S2ULEI.mjs.map +1 -0
  17. package/dist/sdk/{schedule-tool-handler-P5HRTHWB.mjs → schedule-tool-handler-7FICUAKF.mjs} +3 -3
  18. package/dist/sdk/{schedule-tool-handler-BRTDF3O5.mjs → schedule-tool-handler-TKSRMVOI.mjs} +2 -2
  19. package/dist/sdk/sdk.js +1555 -278
  20. package/dist/sdk/sdk.js.map +1 -1
  21. package/dist/sdk/sdk.mjs +5 -5
  22. package/dist/sdk/validator-XTZJZZJH.mjs +134 -0
  23. package/dist/sdk/validator-XTZJZZJH.mjs.map +1 -0
  24. package/dist/sdk/{workflow-check-provider-XEQKTJ2H.mjs → workflow-check-provider-PWCAGFNW.mjs} +3 -3
  25. package/dist/sdk/{workflow-check-provider-RXORJDUT.mjs → workflow-check-provider-ZDO5KBUG.mjs} +2 -2
  26. package/dist/state-machine/dispatch/execution-invoker.d.ts.map +1 -1
  27. package/package.json +1 -1
  28. package/dist/output/traces/run-2026-02-24T15-53-04-834Z.ndjson +0 -138
  29. package/dist/output/traces/run-2026-02-24T15-53-54-895Z.ndjson +0 -1442
  30. package/dist/sdk/check-provider-registry-5SOUIUIQ.mjs +0 -29
  31. package/dist/sdk/chunk-JVUSLGRZ.mjs +0 -443
  32. package/dist/sdk/chunk-JVUSLGRZ.mjs.map +0 -1
  33. package/dist/sdk/chunk-KVUYZZ2U.mjs +0 -40247
  34. package/dist/sdk/chunk-KVUYZZ2U.mjs.map +0 -1
  35. package/dist/sdk/chunk-N5S4VIJ5.mjs +0 -739
  36. package/dist/sdk/chunk-N5S4VIJ5.mjs.map +0 -1
  37. package/dist/sdk/chunk-OUAGXG4P.mjs.map +0 -1
  38. package/dist/sdk/chunk-VEBZPZKL.mjs.map +0 -1
  39. package/dist/sdk/chunk-W3SBMDWP.mjs +0 -1502
  40. package/dist/sdk/chunk-W3SBMDWP.mjs.map +0 -1
  41. package/dist/sdk/failure-condition-evaluator-BFWBQKMQ.mjs +0 -17
  42. package/dist/sdk/github-frontend-LZ5TYYVD.mjs +0 -1356
  43. package/dist/sdk/github-frontend-LZ5TYYVD.mjs.map +0 -1
  44. package/dist/sdk/routing-Z3Q5M3YY.mjs +0 -25
  45. package/dist/sdk/schedule-tool-handler-P5HRTHWB.mjs.map +0 -1
  46. package/dist/sdk/schedule-tool-handler-TCONK736.mjs +0 -39
  47. package/dist/sdk/schedule-tool-handler-TCONK736.mjs.map +0 -1
  48. package/dist/sdk/trace-helpers-G5FDFEB4.mjs +0 -25
  49. package/dist/sdk/trace-helpers-G5FDFEB4.mjs.map +0 -1
  50. package/dist/sdk/workflow-check-provider-4BUP6YGY.mjs +0 -29
  51. package/dist/sdk/workflow-check-provider-4BUP6YGY.mjs.map +0 -1
  52. package/dist/sdk/workflow-check-provider-RXORJDUT.mjs.map +0 -1
  53. package/dist/sdk/workflow-check-provider-XEQKTJ2H.mjs.map +0 -1
  54. package/dist/traces/run-2026-02-24T15-53-04-834Z.ndjson +0 -138
  55. package/dist/traces/run-2026-02-24T15-53-54-895Z.ndjson +0 -1442
  56. /package/dist/sdk/{check-provider-registry-5SOUIUIQ.mjs.map → check-provider-registry-4XMVWKTZ.mjs.map} +0 -0
  57. /package/dist/sdk/{check-provider-registry-6SRGE5JN.mjs.map → check-provider-registry-C5UOX4YX.mjs.map} +0 -0
  58. /package/dist/sdk/{host-ZO7W7TJ7.mjs.map → host-RF2UEKMG.mjs.map} +0 -0
  59. /package/dist/sdk/{check-provider-registry-CG7WRFNN.mjs.map → schedule-tool-handler-7FICUAKF.mjs.map} +0 -0
  60. /package/dist/sdk/{failure-condition-evaluator-BFWBQKMQ.mjs.map → schedule-tool-handler-TKSRMVOI.mjs.map} +0 -0
  61. /package/dist/sdk/{routing-Z3Q5M3YY.mjs.map → workflow-check-provider-PWCAGFNW.mjs.map} +0 -0
  62. /package/dist/sdk/{schedule-tool-handler-BRTDF3O5.mjs.map → workflow-check-provider-ZDO5KBUG.mjs.map} +0 -0
package/dist/index.js CHANGED
@@ -1,8 +1,8 @@
1
1
  #!/usr/bin/env node
2
- process.env.VISOR_VERSION = '0.1.140';
2
+ process.env.VISOR_VERSION = '0.1.141';
3
3
  process.env.PROBE_VERSION = '0.6.0-rc257';
4
- process.env.VISOR_COMMIT_SHA = 'deded323300d6f7302b7261696a96fae794bae50';
5
- process.env.VISOR_COMMIT_SHORT = 'deded32';
4
+ process.env.VISOR_COMMIT_SHA = '0138f28a1353dfcdcb260661995ec69aa2b9981b';
5
+ process.env.VISOR_COMMIT_SHORT = '0138f28';
6
6
  /******/ (() => { // webpackBootstrap
7
7
  /******/ var __webpack_modules__ = ({
8
8
 
@@ -161177,7 +161177,7 @@ async function handleDumpPolicyInput(checkId, argv) {
161177
161177
  let PolicyInputBuilder;
161178
161178
  try {
161179
161179
  // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
161180
- const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(71370)));
161180
+ const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(17117)));
161181
161181
  PolicyInputBuilder = mod.PolicyInputBuilder;
161182
161182
  }
161183
161183
  catch {
@@ -166967,6 +166967,1690 @@ class DependencyResolver {
166967
166967
  exports.DependencyResolver = DependencyResolver;
166968
166968
 
166969
166969
 
166970
+ /***/ }),
166971
+
166972
+ /***/ 50069:
166973
+ /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
166974
+
166975
+ "use strict";
166976
+
166977
+ /**
166978
+ * Copyright (c) ProbeLabs. All rights reserved.
166979
+ * Licensed under the Elastic License 2.0; you may not use this file except
166980
+ * in compliance with the Elastic License 2.0.
166981
+ */
166982
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
166983
+ if (k2 === undefined) k2 = k;
166984
+ var desc = Object.getOwnPropertyDescriptor(m, k);
166985
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
166986
+ desc = { enumerable: true, get: function() { return m[k]; } };
166987
+ }
166988
+ Object.defineProperty(o, k2, desc);
166989
+ }) : (function(o, m, k, k2) {
166990
+ if (k2 === undefined) k2 = k;
166991
+ o[k2] = m[k];
166992
+ }));
166993
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
166994
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
166995
+ }) : function(o, v) {
166996
+ o["default"] = v;
166997
+ });
166998
+ var __importStar = (this && this.__importStar) || (function () {
166999
+ var ownKeys = function(o) {
167000
+ ownKeys = Object.getOwnPropertyNames || function (o) {
167001
+ var ar = [];
167002
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
167003
+ return ar;
167004
+ };
167005
+ return ownKeys(o);
167006
+ };
167007
+ return function (mod) {
167008
+ if (mod && mod.__esModule) return mod;
167009
+ var result = {};
167010
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
167011
+ __setModuleDefault(result, mod);
167012
+ return result;
167013
+ };
167014
+ })();
167015
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
167016
+ exports.LicenseValidator = void 0;
167017
+ const crypto = __importStar(__nccwpck_require__(76982));
167018
+ const fs = __importStar(__nccwpck_require__(79896));
167019
+ const path = __importStar(__nccwpck_require__(16928));
167020
+ class LicenseValidator {
167021
+ /** Ed25519 public key for license verification (PEM format). */
167022
+ static PUBLIC_KEY = '-----BEGIN PUBLIC KEY-----\n' +
167023
+ 'MCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n' +
167024
+ '-----END PUBLIC KEY-----\n';
167025
+ cache = null;
167026
+ static CACHE_TTL = 5 * 60 * 1000; // 5 minutes
167027
+ static GRACE_PERIOD = 72 * 3600 * 1000; // 72 hours after expiry
167028
+ /**
167029
+ * Load and validate license from environment or file.
167030
+ *
167031
+ * Resolution order:
167032
+ * 1. VISOR_LICENSE env var (JWT string)
167033
+ * 2. VISOR_LICENSE_FILE env var (path to file)
167034
+ * 3. .visor-license in project root (cwd)
167035
+ * 4. .visor-license in ~/.config/visor/
167036
+ */
167037
+ async loadAndValidate() {
167038
+ // Return cached result if still fresh
167039
+ if (this.cache && Date.now() - this.cache.validatedAt < LicenseValidator.CACHE_TTL) {
167040
+ return this.cache.payload;
167041
+ }
167042
+ const token = this.resolveToken();
167043
+ if (!token)
167044
+ return null;
167045
+ const payload = this.verifyAndDecode(token);
167046
+ if (!payload)
167047
+ return null;
167048
+ this.cache = { payload, validatedAt: Date.now() };
167049
+ return payload;
167050
+ }
167051
+ /** Check if a specific feature is licensed */
167052
+ hasFeature(feature) {
167053
+ if (!this.cache)
167054
+ return false;
167055
+ return this.cache.payload.features.includes(feature);
167056
+ }
167057
+ /** Check if license is valid (with grace period) */
167058
+ isValid() {
167059
+ if (!this.cache)
167060
+ return false;
167061
+ const now = Date.now();
167062
+ const expiryMs = this.cache.payload.exp * 1000;
167063
+ return now < expiryMs + LicenseValidator.GRACE_PERIOD;
167064
+ }
167065
+ /** Check if the license is within its grace period (expired but still valid) */
167066
+ isInGracePeriod() {
167067
+ if (!this.cache)
167068
+ return false;
167069
+ const now = Date.now();
167070
+ const expiryMs = this.cache.payload.exp * 1000;
167071
+ return now >= expiryMs && now < expiryMs + LicenseValidator.GRACE_PERIOD;
167072
+ }
167073
+ resolveToken() {
167074
+ // 1. Direct env var
167075
+ if (process.env.VISOR_LICENSE) {
167076
+ return process.env.VISOR_LICENSE.trim();
167077
+ }
167078
+ // 2. File path from env (validate against path traversal)
167079
+ if (process.env.VISOR_LICENSE_FILE) {
167080
+ // path.resolve() produces an absolute path with all '..' segments resolved,
167081
+ // so a separate resolved.includes('..') check is unnecessary.
167082
+ const resolved = path.resolve(process.env.VISOR_LICENSE_FILE);
167083
+ const home = process.env.HOME || process.env.USERPROFILE || '';
167084
+ const allowedPrefixes = [path.normalize(process.cwd())];
167085
+ if (home)
167086
+ allowedPrefixes.push(path.normalize(path.join(home, '.config', 'visor')));
167087
+ // Resolve symlinks so an attacker cannot create a symlink inside an
167088
+ // allowed prefix that points to an arbitrary file outside it.
167089
+ let realPath;
167090
+ try {
167091
+ realPath = fs.realpathSync(resolved);
167092
+ }
167093
+ catch {
167094
+ return null; // File doesn't exist or isn't accessible
167095
+ }
167096
+ const isSafe = allowedPrefixes.some(prefix => realPath === prefix || realPath.startsWith(prefix + path.sep));
167097
+ if (!isSafe)
167098
+ return null;
167099
+ return this.readFile(realPath);
167100
+ }
167101
+ // 3. .visor-license in cwd
167102
+ const cwdPath = path.join(process.cwd(), '.visor-license');
167103
+ const cwdToken = this.readFile(cwdPath);
167104
+ if (cwdToken)
167105
+ return cwdToken;
167106
+ // 4. ~/.config/visor/.visor-license
167107
+ const home = process.env.HOME || process.env.USERPROFILE || '';
167108
+ if (home) {
167109
+ const configPath = path.join(home, '.config', 'visor', '.visor-license');
167110
+ const configToken = this.readFile(configPath);
167111
+ if (configToken)
167112
+ return configToken;
167113
+ }
167114
+ return null;
167115
+ }
167116
+ readFile(filePath) {
167117
+ try {
167118
+ return fs.readFileSync(filePath, 'utf-8').trim();
167119
+ }
167120
+ catch {
167121
+ return null;
167122
+ }
167123
+ }
167124
+ verifyAndDecode(token) {
167125
+ try {
167126
+ const parts = token.split('.');
167127
+ if (parts.length !== 3)
167128
+ return null;
167129
+ const [headerB64, payloadB64, signatureB64] = parts;
167130
+ // Decode header to verify algorithm
167131
+ const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
167132
+ if (header.alg !== 'EdDSA')
167133
+ return null;
167134
+ // Verify signature
167135
+ const data = `${headerB64}.${payloadB64}`;
167136
+ const signature = Buffer.from(signatureB64, 'base64url');
167137
+ const publicKey = crypto.createPublicKey(LicenseValidator.PUBLIC_KEY);
167138
+ // Validate that the loaded public key is actually Ed25519 (OID 1.3.101.112).
167139
+ // This prevents algorithm-confusion attacks if the embedded key were ever
167140
+ // swapped to a different type.
167141
+ if (publicKey.asymmetricKeyType !== 'ed25519') {
167142
+ return null;
167143
+ }
167144
+ // Ed25519 verification: algorithm must be null because EdDSA performs its
167145
+ // own internal hashing (SHA-512) — passing a digest algorithm here would
167146
+ // cause Node.js to throw. The key type is validated above.
167147
+ const isValid = crypto.verify(null, Buffer.from(data), publicKey, signature);
167148
+ if (!isValid)
167149
+ return null;
167150
+ // Decode payload
167151
+ const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
167152
+ // Validate required fields
167153
+ if (!payload.org ||
167154
+ !Array.isArray(payload.features) ||
167155
+ typeof payload.exp !== 'number' ||
167156
+ typeof payload.iat !== 'number' ||
167157
+ !payload.sub) {
167158
+ return null;
167159
+ }
167160
+ // Check expiry (with grace period)
167161
+ const now = Date.now();
167162
+ const expiryMs = payload.exp * 1000;
167163
+ if (now >= expiryMs + LicenseValidator.GRACE_PERIOD) {
167164
+ return null;
167165
+ }
167166
+ return payload;
167167
+ }
167168
+ catch {
167169
+ return null;
167170
+ }
167171
+ }
167172
+ }
167173
+ exports.LicenseValidator = LicenseValidator;
167174
+
167175
+
167176
+ /***/ }),
167177
+
167178
+ /***/ 87068:
167179
+ /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
167180
+
167181
+ "use strict";
167182
+
167183
+ /**
167184
+ * Copyright (c) ProbeLabs. All rights reserved.
167185
+ * Licensed under the Elastic License 2.0; you may not use this file except
167186
+ * in compliance with the Elastic License 2.0.
167187
+ */
167188
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
167189
+ if (k2 === undefined) k2 = k;
167190
+ var desc = Object.getOwnPropertyDescriptor(m, k);
167191
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
167192
+ desc = { enumerable: true, get: function() { return m[k]; } };
167193
+ }
167194
+ Object.defineProperty(o, k2, desc);
167195
+ }) : (function(o, m, k, k2) {
167196
+ if (k2 === undefined) k2 = k;
167197
+ o[k2] = m[k];
167198
+ }));
167199
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
167200
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
167201
+ }) : function(o, v) {
167202
+ o["default"] = v;
167203
+ });
167204
+ var __importStar = (this && this.__importStar) || (function () {
167205
+ var ownKeys = function(o) {
167206
+ ownKeys = Object.getOwnPropertyNames || function (o) {
167207
+ var ar = [];
167208
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
167209
+ return ar;
167210
+ };
167211
+ return ownKeys(o);
167212
+ };
167213
+ return function (mod) {
167214
+ if (mod && mod.__esModule) return mod;
167215
+ var result = {};
167216
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
167217
+ __setModuleDefault(result, mod);
167218
+ return result;
167219
+ };
167220
+ })();
167221
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
167222
+ exports.loadEnterprisePolicyEngine = loadEnterprisePolicyEngine;
167223
+ exports.loadEnterpriseStoreBackend = loadEnterpriseStoreBackend;
167224
+ const default_engine_1 = __nccwpck_require__(93866);
167225
+ /**
167226
+ * Load the enterprise policy engine if licensed, otherwise return the default no-op engine.
167227
+ *
167228
+ * This is the sole import boundary between OSS and enterprise code. Core code
167229
+ * must only import from this module (via dynamic `await import()`), never from
167230
+ * individual enterprise submodules.
167231
+ */
167232
+ async function loadEnterprisePolicyEngine(config) {
167233
+ try {
167234
+ const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
167235
+ const validator = new LicenseValidator();
167236
+ const license = await validator.loadAndValidate();
167237
+ if (!license || !validator.hasFeature('policy')) {
167238
+ return new default_engine_1.DefaultPolicyEngine();
167239
+ }
167240
+ if (validator.isInGracePeriod()) {
167241
+ // eslint-disable-next-line no-console
167242
+ console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
167243
+ 'Please renew your license.');
167244
+ }
167245
+ const { OpaPolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(39530)));
167246
+ const engine = new OpaPolicyEngine(config);
167247
+ await engine.initialize(config);
167248
+ return engine;
167249
+ }
167250
+ catch (err) {
167251
+ // Enterprise code not available or initialization failed
167252
+ const msg = err instanceof Error ? err.message : String(err);
167253
+ try {
167254
+ const { logger } = __nccwpck_require__(86999);
167255
+ logger.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
167256
+ }
167257
+ catch {
167258
+ // silent
167259
+ }
167260
+ return new default_engine_1.DefaultPolicyEngine();
167261
+ }
167262
+ }
167263
+ /**
167264
+ * Load the enterprise schedule store backend if licensed.
167265
+ *
167266
+ * @param driver Database driver ('postgresql', 'mysql', or 'mssql')
167267
+ * @param storageConfig Storage configuration with connection details
167268
+ * @param haConfig Optional HA configuration
167269
+ * @throws Error if enterprise license is not available or missing 'scheduler-sql' feature
167270
+ */
167271
+ async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
167272
+ const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
167273
+ const validator = new LicenseValidator();
167274
+ const license = await validator.loadAndValidate();
167275
+ if (!license || !validator.hasFeature('scheduler-sql')) {
167276
+ throw new Error(`The ${driver} schedule storage driver requires a Visor Enterprise license ` +
167277
+ `with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`);
167278
+ }
167279
+ if (validator.isInGracePeriod()) {
167280
+ // eslint-disable-next-line no-console
167281
+ console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
167282
+ 'Please renew your license.');
167283
+ }
167284
+ const { KnexStoreBackend } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(63737)));
167285
+ return new KnexStoreBackend(driver, storageConfig, haConfig);
167286
+ }
167287
+
167288
+
167289
+ /***/ }),
167290
+
167291
+ /***/ 628:
167292
+ /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
167293
+
167294
+ "use strict";
167295
+
167296
+ /**
167297
+ * Copyright (c) ProbeLabs. All rights reserved.
167298
+ * Licensed under the Elastic License 2.0; you may not use this file except
167299
+ * in compliance with the Elastic License 2.0.
167300
+ */
167301
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
167302
+ if (k2 === undefined) k2 = k;
167303
+ var desc = Object.getOwnPropertyDescriptor(m, k);
167304
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
167305
+ desc = { enumerable: true, get: function() { return m[k]; } };
167306
+ }
167307
+ Object.defineProperty(o, k2, desc);
167308
+ }) : (function(o, m, k, k2) {
167309
+ if (k2 === undefined) k2 = k;
167310
+ o[k2] = m[k];
167311
+ }));
167312
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
167313
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
167314
+ }) : function(o, v) {
167315
+ o["default"] = v;
167316
+ });
167317
+ var __importStar = (this && this.__importStar) || (function () {
167318
+ var ownKeys = function(o) {
167319
+ ownKeys = Object.getOwnPropertyNames || function (o) {
167320
+ var ar = [];
167321
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
167322
+ return ar;
167323
+ };
167324
+ return ownKeys(o);
167325
+ };
167326
+ return function (mod) {
167327
+ if (mod && mod.__esModule) return mod;
167328
+ var result = {};
167329
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
167330
+ __setModuleDefault(result, mod);
167331
+ return result;
167332
+ };
167333
+ })();
167334
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
167335
+ exports.OpaCompiler = void 0;
167336
+ const fs = __importStar(__nccwpck_require__(79896));
167337
+ const path = __importStar(__nccwpck_require__(16928));
167338
+ const os = __importStar(__nccwpck_require__(70857));
167339
+ const crypto = __importStar(__nccwpck_require__(76982));
167340
+ const child_process_1 = __nccwpck_require__(35317);
167341
+ /**
167342
+ * OPA Rego Compiler - compiles .rego policy files to WASM bundles using the `opa` CLI.
167343
+ *
167344
+ * Handles:
167345
+ * - Resolving input paths to WASM bytes (direct .wasm, directory with policy.wasm, or .rego files)
167346
+ * - Compiling .rego files to WASM via `opa build`
167347
+ * - Caching compiled bundles based on content hashes
167348
+ * - Extracting policy.wasm from OPA tar.gz bundles
167349
+ *
167350
+ * Requires:
167351
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
167352
+ */
167353
+ class OpaCompiler {
167354
+ static CACHE_DIR = path.join(os.tmpdir(), 'visor-opa-cache');
167355
+ /**
167356
+ * Resolve the input paths to WASM bytes.
167357
+ *
167358
+ * Strategy:
167359
+ * 1. If any path is a .wasm file, read it directly
167360
+ * 2. If a directory contains policy.wasm, read it
167361
+ * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
167362
+ */
167363
+ async resolveWasmBytes(paths) {
167364
+ // Collect .rego files and check for existing .wasm
167365
+ const regoFiles = [];
167366
+ for (const p of paths) {
167367
+ const resolved = path.resolve(p);
167368
+ // Reject paths containing '..' after resolution (path traversal)
167369
+ if (path.normalize(resolved).includes('..')) {
167370
+ throw new Error(`Policy path contains traversal sequences: ${p}`);
167371
+ }
167372
+ // Direct .wasm file
167373
+ if (resolved.endsWith('.wasm') && fs.existsSync(resolved)) {
167374
+ return fs.readFileSync(resolved);
167375
+ }
167376
+ if (!fs.existsSync(resolved))
167377
+ continue;
167378
+ const stat = fs.statSync(resolved);
167379
+ if (stat.isDirectory()) {
167380
+ // Check for pre-compiled policy.wasm in directory
167381
+ const wasmCandidate = path.join(resolved, 'policy.wasm');
167382
+ if (fs.existsSync(wasmCandidate)) {
167383
+ return fs.readFileSync(wasmCandidate);
167384
+ }
167385
+ // Collect all .rego files from directory
167386
+ const files = fs.readdirSync(resolved);
167387
+ for (const f of files) {
167388
+ if (f.endsWith('.rego')) {
167389
+ regoFiles.push(path.join(resolved, f));
167390
+ }
167391
+ }
167392
+ }
167393
+ else if (resolved.endsWith('.rego')) {
167394
+ regoFiles.push(resolved);
167395
+ }
167396
+ }
167397
+ if (regoFiles.length === 0) {
167398
+ throw new Error(`OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(', ')}`);
167399
+ }
167400
+ // Auto-compile .rego -> .wasm
167401
+ return this.compileRego(regoFiles);
167402
+ }
167403
+ /**
167404
+ * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
167405
+ *
167406
+ * Caches the compiled bundle based on a content hash of all input .rego files
167407
+ * so subsequent runs skip compilation if policies haven't changed.
167408
+ */
167409
+ compileRego(regoFiles) {
167410
+ // Check that `opa` CLI is available
167411
+ try {
167412
+ (0, child_process_1.execFileSync)('opa', ['version'], { stdio: 'pipe' });
167413
+ }
167414
+ catch {
167415
+ throw new Error('OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\n' +
167416
+ 'Or pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz ' +
167417
+ regoFiles.join(' '));
167418
+ }
167419
+ // Compute content hash for cache key
167420
+ const hash = crypto.createHash('sha256');
167421
+ for (const f of regoFiles.sort()) {
167422
+ hash.update(fs.readFileSync(f));
167423
+ hash.update(f); // include filename for disambiguation
167424
+ }
167425
+ const cacheKey = hash.digest('hex').slice(0, 16);
167426
+ const cacheDir = OpaCompiler.CACHE_DIR;
167427
+ const cachedWasm = path.join(cacheDir, `${cacheKey}.wasm`);
167428
+ // Return cached bundle if still valid
167429
+ if (fs.existsSync(cachedWasm)) {
167430
+ return fs.readFileSync(cachedWasm);
167431
+ }
167432
+ // Compile to WASM via opa build
167433
+ fs.mkdirSync(cacheDir, { recursive: true });
167434
+ const bundleTar = path.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
167435
+ try {
167436
+ const args = [
167437
+ 'build',
167438
+ '-t',
167439
+ 'wasm',
167440
+ '-e',
167441
+ 'visor', // entrypoint: the visor package tree
167442
+ '-o',
167443
+ bundleTar,
167444
+ ...regoFiles,
167445
+ ];
167446
+ (0, child_process_1.execFileSync)('opa', args, {
167447
+ stdio: 'pipe',
167448
+ timeout: 30000,
167449
+ });
167450
+ }
167451
+ catch (err) {
167452
+ const stderr = err?.stderr?.toString() || '';
167453
+ throw new Error(`Failed to compile .rego files to WASM:\n${stderr}\n` +
167454
+ 'Ensure your .rego files are valid and the `opa` CLI is installed.');
167455
+ }
167456
+ // Extract policy.wasm from the tar.gz bundle
167457
+ // OPA bundles are tar.gz with /policy.wasm inside
167458
+ try {
167459
+ (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, '/policy.wasm'], {
167460
+ stdio: 'pipe',
167461
+ });
167462
+ const extractedWasm = path.join(cacheDir, 'policy.wasm');
167463
+ if (fs.existsSync(extractedWasm)) {
167464
+ // Move to cache-key named file
167465
+ fs.renameSync(extractedWasm, cachedWasm);
167466
+ }
167467
+ }
167468
+ catch {
167469
+ // Some tar implementations don't like leading /
167470
+ try {
167471
+ (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, 'policy.wasm'], {
167472
+ stdio: 'pipe',
167473
+ });
167474
+ const extractedWasm = path.join(cacheDir, 'policy.wasm');
167475
+ if (fs.existsSync(extractedWasm)) {
167476
+ fs.renameSync(extractedWasm, cachedWasm);
167477
+ }
167478
+ }
167479
+ catch (err2) {
167480
+ throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
167481
+ }
167482
+ }
167483
+ // Clean up tar
167484
+ try {
167485
+ fs.unlinkSync(bundleTar);
167486
+ }
167487
+ catch { }
167488
+ if (!fs.existsSync(cachedWasm)) {
167489
+ throw new Error('OPA build succeeded but policy.wasm was not found in the bundle');
167490
+ }
167491
+ return fs.readFileSync(cachedWasm);
167492
+ }
167493
+ }
167494
+ exports.OpaCompiler = OpaCompiler;
167495
+
167496
+
167497
+ /***/ }),
167498
+
167499
+ /***/ 44693:
167500
+ /***/ ((__unused_webpack_module, exports) => {
167501
+
167502
+ "use strict";
167503
+
167504
+ /**
167505
+ * Copyright (c) ProbeLabs. All rights reserved.
167506
+ * Licensed under the Elastic License 2.0; you may not use this file except
167507
+ * in compliance with the Elastic License 2.0.
167508
+ */
167509
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
167510
+ exports.OpaHttpEvaluator = void 0;
167511
+ /**
167512
+ * OPA HTTP Evaluator - evaluates policies via an external OPA server's REST API.
167513
+ *
167514
+ * Uses the built-in `fetch` API (Node 18+), so no extra dependencies are needed.
167515
+ */
167516
+ class OpaHttpEvaluator {
167517
+ baseUrl;
167518
+ timeout;
167519
+ constructor(baseUrl, timeout = 5000) {
167520
+ // Validate URL format and protocol
167521
+ let parsed;
167522
+ try {
167523
+ parsed = new URL(baseUrl);
167524
+ }
167525
+ catch {
167526
+ throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
167527
+ }
167528
+ if (!['http:', 'https:'].includes(parsed.protocol)) {
167529
+ throw new Error(`OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`);
167530
+ }
167531
+ // Block cloud metadata, loopback, link-local, and private network addresses
167532
+ const hostname = parsed.hostname;
167533
+ if (this.isBlockedHostname(hostname)) {
167534
+ throw new Error(`OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`);
167535
+ }
167536
+ // Normalize: strip trailing slash
167537
+ this.baseUrl = baseUrl.replace(/\/+$/, '');
167538
+ this.timeout = timeout;
167539
+ }
167540
+ /**
167541
+ * Check if a hostname is blocked due to SSRF concerns.
167542
+ *
167543
+ * Blocks:
167544
+ * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
167545
+ * - Link-local addresses (169.254.x.x)
167546
+ * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
167547
+ * - IPv6 unique local addresses (fd00::/8)
167548
+ * - Cloud metadata services (*.internal)
167549
+ */
167550
+ isBlockedHostname(hostname) {
167551
+ if (!hostname)
167552
+ return true; // block empty hostnames
167553
+ // Normalize hostname: lowercase and remove brackets for IPv6
167554
+ const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, '');
167555
+ // Block .internal domains (cloud metadata services)
167556
+ if (normalized === 'metadata.google.internal' || normalized.endsWith('.internal')) {
167557
+ return true;
167558
+ }
167559
+ // Block localhost variants
167560
+ if (normalized === 'localhost' || normalized === 'localhost.localdomain') {
167561
+ return true;
167562
+ }
167563
+ // Block IPv6 loopback
167564
+ if (normalized === '::1' || normalized === '0:0:0:0:0:0:0:1') {
167565
+ return true;
167566
+ }
167567
+ // Check IPv4 patterns
167568
+ const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
167569
+ const ipv4Match = normalized.match(ipv4Pattern);
167570
+ if (ipv4Match) {
167571
+ const octets = ipv4Match.slice(1, 5).map(Number);
167572
+ // Validate octets are in range [0, 255]
167573
+ if (octets.some(octet => octet > 255)) {
167574
+ return false;
167575
+ }
167576
+ const [a, b] = octets;
167577
+ // Block loopback: 127.0.0.0/8
167578
+ if (a === 127) {
167579
+ return true;
167580
+ }
167581
+ // Block 0.0.0.0/8 (this host)
167582
+ if (a === 0) {
167583
+ return true;
167584
+ }
167585
+ // Block link-local: 169.254.0.0/16
167586
+ if (a === 169 && b === 254) {
167587
+ return true;
167588
+ }
167589
+ // Block private networks
167590
+ // 10.0.0.0/8
167591
+ if (a === 10) {
167592
+ return true;
167593
+ }
167594
+ // 172.16.0.0/12 (172.16.x.x through 172.31.x.x)
167595
+ if (a === 172 && b >= 16 && b <= 31) {
167596
+ return true;
167597
+ }
167598
+ // 192.168.0.0/16
167599
+ if (a === 192 && b === 168) {
167600
+ return true;
167601
+ }
167602
+ }
167603
+ // Check IPv6 patterns
167604
+ // Block unique local addresses: fd00::/8
167605
+ if (normalized.startsWith('fd') || normalized.startsWith('fc')) {
167606
+ return true;
167607
+ }
167608
+ // Block link-local: fe80::/10
167609
+ if (normalized.startsWith('fe80:')) {
167610
+ return true;
167611
+ }
167612
+ return false;
167613
+ }
167614
+ /**
167615
+ * Evaluate a policy rule against an input document via OPA REST API.
167616
+ *
167617
+ * @param input - The input document to evaluate
167618
+ * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
167619
+ * @returns The result object from OPA, or undefined on error
167620
+ */
167621
+ async evaluate(input, rulePath) {
167622
+ // OPA Data API: POST /v1/data/<path>
167623
+ const encodedPath = rulePath
167624
+ .split('/')
167625
+ .map(s => encodeURIComponent(s))
167626
+ .join('/');
167627
+ const url = `${this.baseUrl}/v1/data/${encodedPath}`;
167628
+ const controller = new AbortController();
167629
+ const timer = setTimeout(() => controller.abort(), this.timeout);
167630
+ try {
167631
+ const response = await fetch(url, {
167632
+ method: 'POST',
167633
+ headers: { 'Content-Type': 'application/json' },
167634
+ body: JSON.stringify({ input }),
167635
+ signal: controller.signal,
167636
+ });
167637
+ if (!response.ok) {
167638
+ throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
167639
+ }
167640
+ let body;
167641
+ try {
167642
+ body = await response.json();
167643
+ }
167644
+ catch (jsonErr) {
167645
+ throw new Error(`OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`);
167646
+ }
167647
+ // OPA returns { result: { ... } }
167648
+ return body?.result;
167649
+ }
167650
+ finally {
167651
+ clearTimeout(timer);
167652
+ }
167653
+ }
167654
+ async shutdown() {
167655
+ // No persistent connections to close
167656
+ }
167657
+ }
167658
+ exports.OpaHttpEvaluator = OpaHttpEvaluator;
167659
+
167660
+
167661
+ /***/ }),
167662
+
167663
+ /***/ 39530:
167664
+ /***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
167665
+
167666
+ "use strict";
167667
+
167668
+ /**
167669
+ * Copyright (c) ProbeLabs. All rights reserved.
167670
+ * Licensed under the Elastic License 2.0; you may not use this file except
167671
+ * in compliance with the Elastic License 2.0.
167672
+ */
167673
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
167674
+ exports.OpaPolicyEngine = void 0;
167675
+ const opa_wasm_evaluator_1 = __nccwpck_require__(8613);
167676
+ const opa_http_evaluator_1 = __nccwpck_require__(44693);
167677
+ const policy_input_builder_1 = __nccwpck_require__(17117);
167678
+ /**
167679
+ * Enterprise OPA Policy Engine.
167680
+ *
167681
+ * Wraps both WASM (local) and HTTP (remote) OPA evaluators behind the
167682
+ * OSS PolicyEngine interface. All OPA input building and role resolution
167683
+ * is handled internally — the OSS call sites pass only plain types.
167684
+ */
167685
+ class OpaPolicyEngine {
167686
+ evaluator = null;
167687
+ fallback;
167688
+ timeout;
167689
+ config;
167690
+ inputBuilder = null;
167691
+ logger = null;
167692
+ constructor(config) {
167693
+ this.config = config;
167694
+ this.fallback = config.fallback || 'deny';
167695
+ this.timeout = config.timeout || 5000;
167696
+ }
167697
+ async initialize(config) {
167698
+ // Resolve logger once at initialization
167699
+ try {
167700
+ this.logger = (__nccwpck_require__(86999).logger);
167701
+ }
167702
+ catch {
167703
+ // logger not available in this context
167704
+ }
167705
+ // Build actor/repo context from environment (available at engine init time)
167706
+ const actor = {
167707
+ authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
167708
+ login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
167709
+ isLocalMode: !process.env.GITHUB_ACTIONS,
167710
+ };
167711
+ const repo = {
167712
+ owner: process.env.GITHUB_REPOSITORY_OWNER,
167713
+ name: process.env.GITHUB_REPOSITORY?.split('/')[1],
167714
+ branch: process.env.GITHUB_HEAD_REF,
167715
+ baseBranch: process.env.GITHUB_BASE_REF,
167716
+ event: process.env.GITHUB_EVENT_NAME,
167717
+ };
167718
+ const prNum = process.env.GITHUB_PR_NUMBER
167719
+ ? parseInt(process.env.GITHUB_PR_NUMBER, 10)
167720
+ : undefined;
167721
+ const pullRequest = {
167722
+ number: prNum !== undefined && Number.isFinite(prNum) ? prNum : undefined,
167723
+ };
167724
+ this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(config, actor, repo, pullRequest);
167725
+ if (config.engine === 'local') {
167726
+ if (!config.rules) {
167727
+ throw new Error('OPA local mode requires `policy.rules` path to .wasm or .rego files');
167728
+ }
167729
+ const wasm = new opa_wasm_evaluator_1.OpaWasmEvaluator();
167730
+ await wasm.initialize(config.rules);
167731
+ if (config.data) {
167732
+ wasm.loadData(config.data);
167733
+ }
167734
+ this.evaluator = wasm;
167735
+ }
167736
+ else if (config.engine === 'remote') {
167737
+ if (!config.url) {
167738
+ throw new Error('OPA remote mode requires `policy.url` pointing to OPA server');
167739
+ }
167740
+ this.evaluator = new opa_http_evaluator_1.OpaHttpEvaluator(config.url, this.timeout);
167741
+ }
167742
+ else {
167743
+ this.evaluator = null;
167744
+ }
167745
+ }
167746
+ /**
167747
+ * Update actor/repo/PR context (e.g., after PR info becomes available).
167748
+ * Called by the enterprise loader when engine context is enriched.
167749
+ */
167750
+ setActorContext(actor, repo, pullRequest) {
167751
+ this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(this.config, actor, repo, pullRequest);
167752
+ }
167753
+ async evaluateCheckExecution(checkId, checkConfig) {
167754
+ if (!this.evaluator || !this.inputBuilder)
167755
+ return { allowed: true };
167756
+ const cfg = checkConfig && typeof checkConfig === 'object'
167757
+ ? checkConfig
167758
+ : {};
167759
+ const policyOverride = cfg.policy;
167760
+ const input = this.inputBuilder.forCheckExecution({
167761
+ id: checkId,
167762
+ type: cfg.type || 'ai',
167763
+ group: cfg.group,
167764
+ tags: cfg.tags,
167765
+ criticality: cfg.criticality,
167766
+ sandbox: cfg.sandbox,
167767
+ policy: policyOverride,
167768
+ });
167769
+ return this.doEvaluate(input, this.resolveRulePath('check.execute', policyOverride?.rule));
167770
+ }
167771
+ async evaluateToolInvocation(serverName, methodName, transport) {
167772
+ if (!this.evaluator || !this.inputBuilder)
167773
+ return { allowed: true };
167774
+ const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
167775
+ return this.doEvaluate(input, 'visor/tool/invoke');
167776
+ }
167777
+ async evaluateCapabilities(checkId, capabilities) {
167778
+ if (!this.evaluator || !this.inputBuilder)
167779
+ return { allowed: true };
167780
+ const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
167781
+ return this.doEvaluate(input, 'visor/capability/resolve');
167782
+ }
167783
+ async shutdown() {
167784
+ if (this.evaluator && 'shutdown' in this.evaluator) {
167785
+ await this.evaluator.shutdown();
167786
+ }
167787
+ this.evaluator = null;
167788
+ this.inputBuilder = null;
167789
+ }
167790
+ resolveRulePath(defaultScope, override) {
167791
+ if (override) {
167792
+ return override.startsWith('visor/') ? override : `visor/${override}`;
167793
+ }
167794
+ return `visor/${defaultScope.replace(/\./g, '/')}`;
167795
+ }
167796
+ async doEvaluate(input, rulePath) {
167797
+ try {
167798
+ this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
167799
+ let timer;
167800
+ const timeoutPromise = new Promise((_resolve, reject) => {
167801
+ timer = setTimeout(() => reject(new Error('policy evaluation timeout')), this.timeout);
167802
+ });
167803
+ try {
167804
+ const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
167805
+ const decision = this.parseDecision(result);
167806
+ // In warn mode, override denied decisions to allowed but flag as warn
167807
+ if (!decision.allowed && this.fallback === 'warn') {
167808
+ decision.allowed = true;
167809
+ decision.warn = true;
167810
+ decision.reason = `audit: ${decision.reason || 'policy denied'}`;
167811
+ }
167812
+ this.logger?.debug(`[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || 'none'}`);
167813
+ return decision;
167814
+ }
167815
+ finally {
167816
+ if (timer)
167817
+ clearTimeout(timer);
167818
+ }
167819
+ }
167820
+ catch (err) {
167821
+ const msg = err instanceof Error ? err.message : String(err);
167822
+ this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
167823
+ return {
167824
+ allowed: this.fallback === 'allow' || this.fallback === 'warn',
167825
+ warn: this.fallback === 'warn' ? true : undefined,
167826
+ reason: `policy evaluation failed, fallback=${this.fallback}`,
167827
+ };
167828
+ }
167829
+ }
167830
+ async rawEvaluate(input, rulePath) {
167831
+ if (this.evaluator instanceof opa_wasm_evaluator_1.OpaWasmEvaluator) {
167832
+ const result = await this.evaluator.evaluate(input);
167833
+ // WASM compiled with `-e visor` entrypoint returns the full visor package tree.
167834
+ // Navigate to the specific rule subtree using rulePath segments.
167835
+ // e.g., 'visor/check/execute' → result.check.execute
167836
+ return this.navigateWasmResult(result, rulePath);
167837
+ }
167838
+ return this.evaluator.evaluate(input, rulePath);
167839
+ }
167840
+ /**
167841
+ * Navigate nested OPA WASM result tree to reach the specific rule's output.
167842
+ * The WASM entrypoint `-e visor` means the result root IS the visor package,
167843
+ * so we strip the `visor/` prefix and walk the remaining segments.
167844
+ */
167845
+ navigateWasmResult(result, rulePath) {
167846
+ if (!result || typeof result !== 'object')
167847
+ return result;
167848
+ // Strip the 'visor/' prefix (matches our compilation entrypoint)
167849
+ const segments = rulePath.replace(/^visor\//, '').split('/');
167850
+ let current = result;
167851
+ for (const seg of segments) {
167852
+ if (current && typeof current === 'object' && seg in current) {
167853
+ current = current[seg];
167854
+ }
167855
+ else {
167856
+ return undefined; // path not found in result tree
167857
+ }
167858
+ }
167859
+ return current;
167860
+ }
167861
+ parseDecision(result) {
167862
+ if (result === undefined || result === null) {
167863
+ return {
167864
+ allowed: this.fallback === 'allow' || this.fallback === 'warn',
167865
+ warn: this.fallback === 'warn' ? true : undefined,
167866
+ reason: this.fallback === 'warn' ? 'audit: no policy result' : 'no policy result',
167867
+ };
167868
+ }
167869
+ const allowed = result.allowed !== false;
167870
+ const decision = {
167871
+ allowed,
167872
+ reason: result.reason,
167873
+ };
167874
+ if (result.capabilities) {
167875
+ decision.capabilities = result.capabilities;
167876
+ }
167877
+ return decision;
167878
+ }
167879
+ }
167880
+ exports.OpaPolicyEngine = OpaPolicyEngine;
167881
+
167882
+
167883
+ /***/ }),
167884
+
167885
+ /***/ 8613:
167886
+ /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
167887
+
167888
+ "use strict";
167889
+
167890
+ /**
167891
+ * Copyright (c) ProbeLabs. All rights reserved.
167892
+ * Licensed under the Elastic License 2.0; you may not use this file except
167893
+ * in compliance with the Elastic License 2.0.
167894
+ */
167895
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
167896
+ if (k2 === undefined) k2 = k;
167897
+ var desc = Object.getOwnPropertyDescriptor(m, k);
167898
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
167899
+ desc = { enumerable: true, get: function() { return m[k]; } };
167900
+ }
167901
+ Object.defineProperty(o, k2, desc);
167902
+ }) : (function(o, m, k, k2) {
167903
+ if (k2 === undefined) k2 = k;
167904
+ o[k2] = m[k];
167905
+ }));
167906
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
167907
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
167908
+ }) : function(o, v) {
167909
+ o["default"] = v;
167910
+ });
167911
+ var __importStar = (this && this.__importStar) || (function () {
167912
+ var ownKeys = function(o) {
167913
+ ownKeys = Object.getOwnPropertyNames || function (o) {
167914
+ var ar = [];
167915
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
167916
+ return ar;
167917
+ };
167918
+ return ownKeys(o);
167919
+ };
167920
+ return function (mod) {
167921
+ if (mod && mod.__esModule) return mod;
167922
+ var result = {};
167923
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
167924
+ __setModuleDefault(result, mod);
167925
+ return result;
167926
+ };
167927
+ })();
167928
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
167929
+ exports.OpaWasmEvaluator = void 0;
167930
+ const fs = __importStar(__nccwpck_require__(79896));
167931
+ const path = __importStar(__nccwpck_require__(16928));
167932
+ const opa_compiler_1 = __nccwpck_require__(628);
167933
+ /**
167934
+ * OPA WASM Evaluator - loads and evaluates OPA policies locally.
167935
+ *
167936
+ * Supports three input formats:
167937
+ * 1. Pre-compiled `.wasm` bundle — loaded directly (fastest startup)
167938
+ * 2. `.rego` files or directory — auto-compiled to WASM via `opa build` CLI
167939
+ * 3. Directory with `policy.wasm` inside — loaded directly
167940
+ *
167941
+ * Compilation and caching of .rego files is delegated to {@link OpaCompiler}.
167942
+ *
167943
+ * Requires:
167944
+ * - `@open-policy-agent/opa-wasm` npm package (optional dep)
167945
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
167946
+ */
167947
+ class OpaWasmEvaluator {
167948
+ policy = null;
167949
+ dataDocument = {};
167950
+ compiler = new opa_compiler_1.OpaCompiler();
167951
+ async initialize(rulesPath) {
167952
+ const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
167953
+ const wasmBytes = await this.compiler.resolveWasmBytes(paths);
167954
+ try {
167955
+ // Use createRequire to load the optional dep at runtime without ncc bundling it.
167956
+ // `new Function('id', 'return require(id)')` fails in ncc bundles because
167957
+ // `require` is not in the `new Function` scope. `createRequire` works correctly
167958
+ // because it creates a real Node.js require rooted at the given path.
167959
+ // eslint-disable-next-line @typescript-eslint/no-var-requires
167960
+ const { createRequire } = __nccwpck_require__(73339);
167961
+ const runtimeRequire = createRequire(__filename);
167962
+ const opaWasm = runtimeRequire('@open-policy-agent/opa-wasm');
167963
+ const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
167964
+ if (!loadPolicy) {
167965
+ throw new Error('loadPolicy not found in @open-policy-agent/opa-wasm');
167966
+ }
167967
+ this.policy = await loadPolicy(wasmBytes);
167968
+ }
167969
+ catch (err) {
167970
+ if (err?.code === 'MODULE_NOT_FOUND' || err?.code === 'ERR_MODULE_NOT_FOUND') {
167971
+ throw new Error('OPA WASM evaluator requires @open-policy-agent/opa-wasm. ' +
167972
+ 'Install it with: npm install @open-policy-agent/opa-wasm');
167973
+ }
167974
+ throw err;
167975
+ }
167976
+ }
167977
+ /**
167978
+ * Load external data from a JSON file to use as the OPA data document.
167979
+ * The loaded data will be passed to `policy.setData()` during evaluation,
167980
+ * making it available in Rego via `data.<key>`.
167981
+ */
167982
+ loadData(dataPath) {
167983
+ const resolved = path.resolve(dataPath);
167984
+ if (path.normalize(resolved).includes('..')) {
167985
+ throw new Error(`Data path contains traversal sequences: ${dataPath}`);
167986
+ }
167987
+ if (!fs.existsSync(resolved)) {
167988
+ throw new Error(`OPA data file not found: ${resolved}`);
167989
+ }
167990
+ const stat = fs.statSync(resolved);
167991
+ if (stat.size > 10 * 1024 * 1024) {
167992
+ throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
167993
+ }
167994
+ const raw = fs.readFileSync(resolved, 'utf-8');
167995
+ try {
167996
+ const parsed = JSON.parse(raw);
167997
+ if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
167998
+ throw new Error('OPA data file must contain a JSON object (not an array or primitive)');
167999
+ }
168000
+ this.dataDocument = parsed;
168001
+ }
168002
+ catch (err) {
168003
+ if (err.message.startsWith('OPA data file must')) {
168004
+ throw err;
168005
+ }
168006
+ throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
168007
+ }
168008
+ }
168009
+ async evaluate(input) {
168010
+ if (!this.policy) {
168011
+ throw new Error('OPA WASM evaluator not initialized');
168012
+ }
168013
+ this.policy.setData(this.dataDocument);
168014
+ const resultSet = this.policy.evaluate(input);
168015
+ if (Array.isArray(resultSet) && resultSet.length > 0) {
168016
+ return resultSet[0].result;
168017
+ }
168018
+ return undefined;
168019
+ }
168020
+ async shutdown() {
168021
+ if (this.policy) {
168022
+ // opa-wasm policy objects may have a close/free method for WASM cleanup
168023
+ if (typeof this.policy.close === 'function') {
168024
+ try {
168025
+ this.policy.close();
168026
+ }
168027
+ catch { }
168028
+ }
168029
+ else if (typeof this.policy.free === 'function') {
168030
+ try {
168031
+ this.policy.free();
168032
+ }
168033
+ catch { }
168034
+ }
168035
+ }
168036
+ this.policy = null;
168037
+ }
168038
+ }
168039
+ exports.OpaWasmEvaluator = OpaWasmEvaluator;
168040
+
168041
+
168042
+ /***/ }),
168043
+
168044
+ /***/ 17117:
168045
+ /***/ ((__unused_webpack_module, exports) => {
168046
+
168047
+ "use strict";
168048
+
168049
+ /**
168050
+ * Copyright (c) ProbeLabs. All rights reserved.
168051
+ * Licensed under the Elastic License 2.0; you may not use this file except
168052
+ * in compliance with the Elastic License 2.0.
168053
+ */
168054
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
168055
+ exports.PolicyInputBuilder = void 0;
168056
+ /**
168057
+ * Builds OPA-compatible input documents from engine context.
168058
+ *
168059
+ * Resolves actor roles from the `policy.roles` config section by matching
168060
+ * the actor's authorAssociation and login against role definitions.
168061
+ */
168062
+ class PolicyInputBuilder {
168063
+ roles;
168064
+ actor;
168065
+ repository;
168066
+ pullRequest;
168067
+ constructor(policyConfig, actor, repository, pullRequest) {
168068
+ this.roles = policyConfig.roles || {};
168069
+ this.actor = actor;
168070
+ this.repository = repository;
168071
+ this.pullRequest = pullRequest;
168072
+ }
168073
+ /** Resolve which roles apply to the current actor. */
168074
+ resolveRoles() {
168075
+ const matched = [];
168076
+ for (const [roleName, roleConfig] of Object.entries(this.roles)) {
168077
+ let identityMatch = false;
168078
+ if (roleConfig.author_association &&
168079
+ this.actor.authorAssociation &&
168080
+ roleConfig.author_association.includes(this.actor.authorAssociation)) {
168081
+ identityMatch = true;
168082
+ }
168083
+ if (!identityMatch &&
168084
+ roleConfig.users &&
168085
+ this.actor.login &&
168086
+ roleConfig.users.includes(this.actor.login)) {
168087
+ identityMatch = true;
168088
+ }
168089
+ // Slack user ID match
168090
+ if (!identityMatch &&
168091
+ roleConfig.slack_users &&
168092
+ this.actor.slack?.userId &&
168093
+ roleConfig.slack_users.includes(this.actor.slack.userId)) {
168094
+ identityMatch = true;
168095
+ }
168096
+ // Email match (case-insensitive)
168097
+ if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
168098
+ const actorEmail = this.actor.slack.email.toLowerCase();
168099
+ if (roleConfig.emails.some(e => e.toLowerCase() === actorEmail)) {
168100
+ identityMatch = true;
168101
+ }
168102
+ }
168103
+ // Note: teams-based role resolution requires GitHub API access (read:org scope)
168104
+ // and is not yet implemented. If configured, the role will not match via teams.
168105
+ if (!identityMatch)
168106
+ continue;
168107
+ // slack_channels gate: if set, the role only applies when triggered from one of these channels
168108
+ if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
168109
+ if (!this.actor.slack?.channelId ||
168110
+ !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
168111
+ continue;
168112
+ }
168113
+ }
168114
+ matched.push(roleName);
168115
+ }
168116
+ return matched;
168117
+ }
168118
+ buildActor() {
168119
+ return {
168120
+ authorAssociation: this.actor.authorAssociation,
168121
+ login: this.actor.login,
168122
+ roles: this.resolveRoles(),
168123
+ isLocalMode: this.actor.isLocalMode,
168124
+ ...(this.actor.slack && { slack: this.actor.slack }),
168125
+ };
168126
+ }
168127
+ forCheckExecution(check) {
168128
+ return {
168129
+ scope: 'check.execute',
168130
+ check: {
168131
+ id: check.id,
168132
+ type: check.type,
168133
+ group: check.group,
168134
+ tags: check.tags,
168135
+ criticality: check.criticality,
168136
+ sandbox: check.sandbox,
168137
+ policy: check.policy,
168138
+ },
168139
+ actor: this.buildActor(),
168140
+ repository: this.repository,
168141
+ pullRequest: this.pullRequest,
168142
+ };
168143
+ }
168144
+ forToolInvocation(serverName, methodName, transport) {
168145
+ return {
168146
+ scope: 'tool.invoke',
168147
+ tool: { serverName, methodName, transport },
168148
+ actor: this.buildActor(),
168149
+ repository: this.repository,
168150
+ pullRequest: this.pullRequest,
168151
+ };
168152
+ }
168153
+ forCapabilityResolve(checkId, capabilities) {
168154
+ return {
168155
+ scope: 'capability.resolve',
168156
+ check: { id: checkId, type: 'ai' },
168157
+ capability: capabilities,
168158
+ actor: this.buildActor(),
168159
+ repository: this.repository,
168160
+ pullRequest: this.pullRequest,
168161
+ };
168162
+ }
168163
+ }
168164
+ exports.PolicyInputBuilder = PolicyInputBuilder;
168165
+
168166
+
168167
+ /***/ }),
168168
+
168169
+ /***/ 63737:
168170
+ /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
168171
+
168172
+ "use strict";
168173
+
168174
+ /**
168175
+ * Copyright (c) ProbeLabs. All rights reserved.
168176
+ * Licensed under the Elastic License 2.0; you may not use this file except
168177
+ * in compliance with the Elastic License 2.0.
168178
+ */
168179
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
168180
+ if (k2 === undefined) k2 = k;
168181
+ var desc = Object.getOwnPropertyDescriptor(m, k);
168182
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
168183
+ desc = { enumerable: true, get: function() { return m[k]; } };
168184
+ }
168185
+ Object.defineProperty(o, k2, desc);
168186
+ }) : (function(o, m, k, k2) {
168187
+ if (k2 === undefined) k2 = k;
168188
+ o[k2] = m[k];
168189
+ }));
168190
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
168191
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
168192
+ }) : function(o, v) {
168193
+ o["default"] = v;
168194
+ });
168195
+ var __importStar = (this && this.__importStar) || (function () {
168196
+ var ownKeys = function(o) {
168197
+ ownKeys = Object.getOwnPropertyNames || function (o) {
168198
+ var ar = [];
168199
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
168200
+ return ar;
168201
+ };
168202
+ return ownKeys(o);
168203
+ };
168204
+ return function (mod) {
168205
+ if (mod && mod.__esModule) return mod;
168206
+ var result = {};
168207
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
168208
+ __setModuleDefault(result, mod);
168209
+ return result;
168210
+ };
168211
+ })();
168212
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
168213
+ exports.KnexStoreBackend = void 0;
168214
+ /**
168215
+ * Knex-backed schedule store for PostgreSQL, MySQL, and MSSQL (Enterprise)
168216
+ *
168217
+ * Uses Knex query builder for database-agnostic SQL. Same schema as SQLite backend
168218
+ * but with real distributed locking via row-level claims (claimed_by/claimed_at/lock_token).
168219
+ */
168220
+ const fs = __importStar(__nccwpck_require__(79896));
168221
+ const path = __importStar(__nccwpck_require__(16928));
168222
+ const uuid_1 = __nccwpck_require__(31914);
168223
+ const logger_1 = __nccwpck_require__(86999);
168224
+ function toNum(val) {
168225
+ if (val === null || val === undefined)
168226
+ return undefined;
168227
+ return typeof val === 'string' ? parseInt(val, 10) : val;
168228
+ }
168229
+ function safeJsonParse(value) {
168230
+ if (!value)
168231
+ return undefined;
168232
+ try {
168233
+ return JSON.parse(value);
168234
+ }
168235
+ catch {
168236
+ return undefined;
168237
+ }
168238
+ }
168239
+ function fromDbRow(row) {
168240
+ return {
168241
+ id: row.id,
168242
+ creatorId: row.creator_id,
168243
+ creatorContext: row.creator_context ?? undefined,
168244
+ creatorName: row.creator_name ?? undefined,
168245
+ timezone: row.timezone,
168246
+ schedule: row.schedule_expr,
168247
+ runAt: toNum(row.run_at),
168248
+ isRecurring: row.is_recurring === true || row.is_recurring === 1,
168249
+ originalExpression: row.original_expression,
168250
+ workflow: row.workflow ?? undefined,
168251
+ workflowInputs: safeJsonParse(row.workflow_inputs),
168252
+ outputContext: safeJsonParse(row.output_context),
168253
+ status: row.status,
168254
+ createdAt: toNum(row.created_at),
168255
+ lastRunAt: toNum(row.last_run_at),
168256
+ nextRunAt: toNum(row.next_run_at),
168257
+ runCount: row.run_count,
168258
+ failureCount: row.failure_count,
168259
+ lastError: row.last_error ?? undefined,
168260
+ previousResponse: row.previous_response ?? undefined,
168261
+ };
168262
+ }
168263
+ function toInsertRow(schedule) {
168264
+ return {
168265
+ id: schedule.id,
168266
+ creator_id: schedule.creatorId,
168267
+ creator_context: schedule.creatorContext ?? null,
168268
+ creator_name: schedule.creatorName ?? null,
168269
+ timezone: schedule.timezone,
168270
+ schedule_expr: schedule.schedule,
168271
+ run_at: schedule.runAt ?? null,
168272
+ is_recurring: schedule.isRecurring,
168273
+ original_expression: schedule.originalExpression,
168274
+ workflow: schedule.workflow ?? null,
168275
+ workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
168276
+ output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
168277
+ status: schedule.status,
168278
+ created_at: schedule.createdAt,
168279
+ last_run_at: schedule.lastRunAt ?? null,
168280
+ next_run_at: schedule.nextRunAt ?? null,
168281
+ run_count: schedule.runCount,
168282
+ failure_count: schedule.failureCount,
168283
+ last_error: schedule.lastError ?? null,
168284
+ previous_response: schedule.previousResponse ?? null,
168285
+ };
168286
+ }
168287
+ /**
168288
+ * Enterprise Knex-backed store for PostgreSQL, MySQL, and MSSQL
168289
+ */
168290
+ class KnexStoreBackend {
168291
+ knex = null;
168292
+ driver;
168293
+ connection;
168294
+ constructor(driver, storageConfig, _haConfig) {
168295
+ this.driver = driver;
168296
+ this.connection = (storageConfig.connection || {});
168297
+ }
168298
+ async initialize() {
168299
+ // Load knex dynamically
168300
+ const { createRequire } = __nccwpck_require__(73339);
168301
+ const runtimeRequire = createRequire(__filename);
168302
+ let knexFactory;
168303
+ try {
168304
+ knexFactory = runtimeRequire('knex');
168305
+ }
168306
+ catch (err) {
168307
+ const code = err?.code;
168308
+ if (code === 'MODULE_NOT_FOUND' || code === 'ERR_MODULE_NOT_FOUND') {
168309
+ throw new Error('knex is required for PostgreSQL/MySQL/MSSQL schedule storage. ' +
168310
+ 'Install it with: npm install knex');
168311
+ }
168312
+ throw err;
168313
+ }
168314
+ const clientMap = {
168315
+ postgresql: 'pg',
168316
+ mysql: 'mysql2',
168317
+ mssql: 'tedious',
168318
+ };
168319
+ const client = clientMap[this.driver];
168320
+ // Build connection config
168321
+ let connection;
168322
+ if (this.connection.connection_string) {
168323
+ connection = this.connection.connection_string;
168324
+ }
168325
+ else if (this.driver === 'mssql') {
168326
+ connection = this.buildMssqlConnection();
168327
+ }
168328
+ else {
168329
+ connection = this.buildStandardConnection();
168330
+ }
168331
+ this.knex = knexFactory({
168332
+ client,
168333
+ connection,
168334
+ pool: {
168335
+ min: this.connection.pool?.min ?? 0,
168336
+ max: this.connection.pool?.max ?? 10,
168337
+ },
168338
+ });
168339
+ // Run schema migration
168340
+ await this.migrateSchema();
168341
+ logger_1.logger.info(`[KnexStore] Initialized (${this.driver})`);
168342
+ }
168343
+ buildStandardConnection() {
168344
+ return {
168345
+ host: this.connection.host || 'localhost',
168346
+ port: this.connection.port,
168347
+ database: this.connection.database || 'visor',
168348
+ user: this.connection.user,
168349
+ password: this.connection.password,
168350
+ ssl: this.resolveSslConfig(),
168351
+ };
168352
+ }
168353
+ buildMssqlConnection() {
168354
+ const ssl = this.connection.ssl;
168355
+ const sslEnabled = ssl === true || (typeof ssl === 'object' && ssl.enabled !== false);
168356
+ return {
168357
+ server: this.connection.host || 'localhost',
168358
+ port: this.connection.port,
168359
+ database: this.connection.database || 'visor',
168360
+ user: this.connection.user,
168361
+ password: this.connection.password,
168362
+ options: {
168363
+ encrypt: sslEnabled,
168364
+ trustServerCertificate: typeof ssl === 'object' ? ssl.reject_unauthorized === false : !sslEnabled,
168365
+ },
168366
+ };
168367
+ }
168368
+ resolveSslConfig() {
168369
+ const ssl = this.connection.ssl;
168370
+ if (ssl === false || ssl === undefined)
168371
+ return false;
168372
+ if (ssl === true)
168373
+ return { rejectUnauthorized: true };
168374
+ // Object config
168375
+ if (ssl.enabled === false)
168376
+ return false;
168377
+ const result = {
168378
+ rejectUnauthorized: ssl.reject_unauthorized !== false,
168379
+ };
168380
+ if (ssl.ca) {
168381
+ const caPath = this.validateSslPath(ssl.ca, 'CA certificate');
168382
+ result.ca = fs.readFileSync(caPath, 'utf8');
168383
+ }
168384
+ if (ssl.cert) {
168385
+ const certPath = this.validateSslPath(ssl.cert, 'client certificate');
168386
+ result.cert = fs.readFileSync(certPath, 'utf8');
168387
+ }
168388
+ if (ssl.key) {
168389
+ const keyPath = this.validateSslPath(ssl.key, 'client key');
168390
+ result.key = fs.readFileSync(keyPath, 'utf8');
168391
+ }
168392
+ return result;
168393
+ }
168394
+ validateSslPath(filePath, label) {
168395
+ const resolved = path.resolve(filePath);
168396
+ if (resolved !== path.normalize(resolved)) {
168397
+ throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
168398
+ }
168399
+ if (!fs.existsSync(resolved)) {
168400
+ throw new Error(`SSL ${label} not found: ${filePath}`);
168401
+ }
168402
+ return resolved;
168403
+ }
168404
+ async shutdown() {
168405
+ if (this.knex) {
168406
+ await this.knex.destroy();
168407
+ this.knex = null;
168408
+ }
168409
+ }
168410
+ async migrateSchema() {
168411
+ const knex = this.getKnex();
168412
+ const exists = await knex.schema.hasTable('schedules');
168413
+ if (!exists) {
168414
+ await knex.schema.createTable('schedules', table => {
168415
+ table.string('id', 36).primary();
168416
+ table.string('creator_id', 255).notNullable().index();
168417
+ table.string('creator_context', 255);
168418
+ table.string('creator_name', 255);
168419
+ table.string('timezone', 64).notNullable().defaultTo('UTC');
168420
+ table.string('schedule_expr', 255);
168421
+ table.bigInteger('run_at');
168422
+ table.boolean('is_recurring').notNullable();
168423
+ table.text('original_expression');
168424
+ table.string('workflow', 255);
168425
+ table.text('workflow_inputs');
168426
+ table.text('output_context');
168427
+ table.string('status', 20).notNullable().index();
168428
+ table.bigInteger('created_at').notNullable();
168429
+ table.bigInteger('last_run_at');
168430
+ table.bigInteger('next_run_at');
168431
+ table.integer('run_count').notNullable().defaultTo(0);
168432
+ table.integer('failure_count').notNullable().defaultTo(0);
168433
+ table.text('last_error');
168434
+ table.text('previous_response');
168435
+ table.index(['status', 'next_run_at']);
168436
+ });
168437
+ }
168438
+ // Create scheduler_locks table for distributed locking
168439
+ const locksExist = await knex.schema.hasTable('scheduler_locks');
168440
+ if (!locksExist) {
168441
+ await knex.schema.createTable('scheduler_locks', table => {
168442
+ table.string('lock_id', 255).primary();
168443
+ table.string('node_id', 255).notNullable();
168444
+ table.string('lock_token', 36).notNullable();
168445
+ table.bigInteger('acquired_at').notNullable();
168446
+ table.bigInteger('expires_at').notNullable();
168447
+ });
168448
+ }
168449
+ }
168450
+ getKnex() {
168451
+ if (!this.knex) {
168452
+ throw new Error('[KnexStore] Not initialized. Call initialize() first.');
168453
+ }
168454
+ return this.knex;
168455
+ }
168456
+ // --- CRUD ---
168457
+ async create(schedule) {
168458
+ const knex = this.getKnex();
168459
+ const newSchedule = {
168460
+ ...schedule,
168461
+ id: (0, uuid_1.v4)(),
168462
+ createdAt: Date.now(),
168463
+ runCount: 0,
168464
+ failureCount: 0,
168465
+ status: 'active',
168466
+ };
168467
+ await knex('schedules').insert(toInsertRow(newSchedule));
168468
+ logger_1.logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
168469
+ return newSchedule;
168470
+ }
168471
+ async importSchedule(schedule) {
168472
+ const knex = this.getKnex();
168473
+ const existing = await knex('schedules').where('id', schedule.id).first();
168474
+ if (existing)
168475
+ return; // Already imported (idempotent)
168476
+ await knex('schedules').insert(toInsertRow(schedule));
168477
+ }
168478
+ async get(id) {
168479
+ const knex = this.getKnex();
168480
+ const row = await knex('schedules').where('id', id).first();
168481
+ return row ? fromDbRow(row) : undefined;
168482
+ }
168483
+ async update(id, patch) {
168484
+ const knex = this.getKnex();
168485
+ const existing = await knex('schedules').where('id', id).first();
168486
+ if (!existing)
168487
+ return undefined;
168488
+ const current = fromDbRow(existing);
168489
+ const updated = { ...current, ...patch, id: current.id };
168490
+ const row = toInsertRow(updated);
168491
+ // Remove id from update (PK cannot change)
168492
+ delete row.id;
168493
+ await knex('schedules').where('id', id).update(row);
168494
+ return updated;
168495
+ }
168496
+ async delete(id) {
168497
+ const knex = this.getKnex();
168498
+ const deleted = await knex('schedules').where('id', id).del();
168499
+ if (deleted > 0) {
168500
+ logger_1.logger.info(`[KnexStore] Deleted schedule ${id}`);
168501
+ return true;
168502
+ }
168503
+ return false;
168504
+ }
168505
+ // --- Queries ---
168506
+ async getByCreator(creatorId) {
168507
+ const knex = this.getKnex();
168508
+ const rows = await knex('schedules').where('creator_id', creatorId);
168509
+ return rows.map((r) => fromDbRow(r));
168510
+ }
168511
+ async getActiveSchedules() {
168512
+ const knex = this.getKnex();
168513
+ const rows = await knex('schedules').where('status', 'active');
168514
+ return rows.map((r) => fromDbRow(r));
168515
+ }
168516
+ async getDueSchedules(now) {
168517
+ const ts = now ?? Date.now();
168518
+ const knex = this.getKnex();
168519
+ // MSSQL uses 1/0 for booleans
168520
+ const bFalse = this.driver === 'mssql' ? 0 : false;
168521
+ const bTrue = this.driver === 'mssql' ? 1 : true;
168522
+ const rows = await knex('schedules')
168523
+ .where('status', 'active')
168524
+ .andWhere(function () {
168525
+ this.where(function () {
168526
+ this.where('is_recurring', bFalse)
168527
+ .whereNotNull('run_at')
168528
+ .where('run_at', '<=', ts);
168529
+ }).orWhere(function () {
168530
+ this.where('is_recurring', bTrue)
168531
+ .whereNotNull('next_run_at')
168532
+ .where('next_run_at', '<=', ts);
168533
+ });
168534
+ });
168535
+ return rows.map((r) => fromDbRow(r));
168536
+ }
168537
+ async findByWorkflow(creatorId, workflowName) {
168538
+ const knex = this.getKnex();
168539
+ const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, '\\$&');
168540
+ const pattern = `%${escaped}%`;
168541
+ const rows = await knex('schedules')
168542
+ .where('creator_id', creatorId)
168543
+ .where('status', 'active')
168544
+ .whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
168545
+ return rows.map((r) => fromDbRow(r));
168546
+ }
168547
+ async getAll() {
168548
+ const knex = this.getKnex();
168549
+ const rows = await knex('schedules');
168550
+ return rows.map((r) => fromDbRow(r));
168551
+ }
168552
+ async getStats() {
168553
+ const knex = this.getKnex();
168554
+ // MSSQL uses 1/0 for booleans; PostgreSQL/MySQL accept both true/1
168555
+ const boolTrue = this.driver === 'mssql' ? '1' : 'true';
168556
+ const boolFalse = this.driver === 'mssql' ? '0' : 'false';
168557
+ const result = await knex('schedules')
168558
+ .select(knex.raw('COUNT(*) as total'), knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"), knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"), knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"), knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"), knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`), knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`))
168559
+ .first();
168560
+ return {
168561
+ total: Number(result.total) || 0,
168562
+ active: Number(result.active) || 0,
168563
+ paused: Number(result.paused) || 0,
168564
+ completed: Number(result.completed) || 0,
168565
+ failed: Number(result.failed) || 0,
168566
+ recurring: Number(result.recurring) || 0,
168567
+ oneTime: Number(result.one_time) || 0,
168568
+ };
168569
+ }
168570
+ async validateLimits(creatorId, isRecurring, limits) {
168571
+ const knex = this.getKnex();
168572
+ if (limits.maxGlobal) {
168573
+ const result = await knex('schedules').count('* as cnt').first();
168574
+ if (Number(result?.cnt) >= limits.maxGlobal) {
168575
+ throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
168576
+ }
168577
+ }
168578
+ if (limits.maxPerUser) {
168579
+ const result = await knex('schedules')
168580
+ .where('creator_id', creatorId)
168581
+ .count('* as cnt')
168582
+ .first();
168583
+ if (Number(result?.cnt) >= limits.maxPerUser) {
168584
+ throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
168585
+ }
168586
+ }
168587
+ if (isRecurring && limits.maxRecurringPerUser) {
168588
+ const bTrue = this.driver === 'mssql' ? 1 : true;
168589
+ const result = await knex('schedules')
168590
+ .where('creator_id', creatorId)
168591
+ .where('is_recurring', bTrue)
168592
+ .count('* as cnt')
168593
+ .first();
168594
+ if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
168595
+ throw new Error(`You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`);
168596
+ }
168597
+ }
168598
+ }
168599
+ // --- HA Distributed Locking (via scheduler_locks table) ---
168600
+ async tryAcquireLock(lockId, nodeId, ttlSeconds) {
168601
+ const knex = this.getKnex();
168602
+ const now = Date.now();
168603
+ const expiresAt = now + ttlSeconds * 1000;
168604
+ const token = (0, uuid_1.v4)();
168605
+ // Step 1: Try to claim an existing expired lock
168606
+ const updated = await knex('scheduler_locks')
168607
+ .where('lock_id', lockId)
168608
+ .where('expires_at', '<', now)
168609
+ .update({
168610
+ node_id: nodeId,
168611
+ lock_token: token,
168612
+ acquired_at: now,
168613
+ expires_at: expiresAt,
168614
+ });
168615
+ if (updated > 0)
168616
+ return token;
168617
+ // Step 2: Try to INSERT a new lock row
168618
+ try {
168619
+ await knex('scheduler_locks').insert({
168620
+ lock_id: lockId,
168621
+ node_id: nodeId,
168622
+ lock_token: token,
168623
+ acquired_at: now,
168624
+ expires_at: expiresAt,
168625
+ });
168626
+ return token;
168627
+ }
168628
+ catch {
168629
+ // Unique constraint violation — another node holds the lock
168630
+ return null;
168631
+ }
168632
+ }
168633
+ async releaseLock(lockId, lockToken) {
168634
+ const knex = this.getKnex();
168635
+ await knex('scheduler_locks').where('lock_id', lockId).where('lock_token', lockToken).del();
168636
+ }
168637
+ async renewLock(lockId, lockToken, ttlSeconds) {
168638
+ const knex = this.getKnex();
168639
+ const now = Date.now();
168640
+ const expiresAt = now + ttlSeconds * 1000;
168641
+ const updated = await knex('scheduler_locks')
168642
+ .where('lock_id', lockId)
168643
+ .where('lock_token', lockToken)
168644
+ .update({ acquired_at: now, expires_at: expiresAt });
168645
+ return updated > 0;
168646
+ }
168647
+ async flush() {
168648
+ // No-op for server-based backends
168649
+ }
168650
+ }
168651
+ exports.KnexStoreBackend = KnexStoreBackend;
168652
+
168653
+
166970
168654
  /***/ }),
166971
168655
 
166972
168656
  /***/ 83864:
@@ -177643,6 +179327,35 @@ class OutputFormatters {
177643
179327
  exports.OutputFormatters = OutputFormatters;
177644
179328
 
177645
179329
 
179330
+ /***/ }),
179331
+
179332
+ /***/ 93866:
179333
+ /***/ ((__unused_webpack_module, exports) => {
179334
+
179335
+ "use strict";
179336
+
179337
+ Object.defineProperty(exports, "__esModule", ({ value: true }));
179338
+ exports.DefaultPolicyEngine = void 0;
179339
+ /**
179340
+ * Default (no-op) policy engine — always allows everything.
179341
+ * Used when no enterprise license is present or policy is disabled.
179342
+ */
179343
+ class DefaultPolicyEngine {
179344
+ async initialize(_config) { }
179345
+ async evaluateCheckExecution(_checkId, _checkConfig) {
179346
+ return { allowed: true };
179347
+ }
179348
+ async evaluateToolInvocation(_serverName, _methodName, _transport) {
179349
+ return { allowed: true };
179350
+ }
179351
+ async evaluateCapabilities(_checkId, _capabilities) {
179352
+ return { allowed: true };
179353
+ }
179354
+ async shutdown() { }
179355
+ }
179356
+ exports.DefaultPolicyEngine = DefaultPolicyEngine;
179357
+
179358
+
177646
179359
  /***/ }),
177647
179360
 
177648
179361
  /***/ 96611:
@@ -180877,6 +182590,13 @@ async function executeMappedApiTool(mappedTool, args) {
180877
182590
  }
180878
182591
  const queryParams = new URLSearchParams(endpoint.search);
180879
182592
  const headers = { ...apiToolConfig.customHeaders };
182593
+ for (const key of Object.keys(headers)) {
182594
+ if (typeof headers[key] === 'string') {
182595
+ headers[key] = headers[key].replace(/\${([^}]+)}/g, (_, name) => process.env[name] || '');
182596
+ }
182597
+ }
182598
+ const finalUrl = endpoint.toString() + '?' + queryParams.toString();
182599
+ console.error(`[ApiToolExecutor] Calling URL: ${method} ${finalUrl} | args: ${JSON.stringify(args)}`);
180880
182600
  let requestBodyValue;
180881
182601
  for (const param of parameters) {
180882
182602
  const name = String(param.name || '');
@@ -186595,6 +188315,19 @@ class McpCheckProvider extends check_provider_interface_1.CheckProvider {
186595
188315
  };
186596
188316
  }
186597
188317
  }
188318
+ else if (methodArgs && typeof methodArgs === 'object') {
188319
+ // Shallow render string values in methodArgs
188320
+ const renderedArgs = {};
188321
+ for (const [key, value] of Object.entries(methodArgs)) {
188322
+ if (typeof value === 'string' && (value.includes('{{') || value.includes('{%'))) {
188323
+ renderedArgs[key] = await this.liquid.parseAndRender(value, templateContext);
188324
+ }
188325
+ else {
188326
+ renderedArgs[key] = value;
188327
+ }
188328
+ }
188329
+ methodArgs = renderedArgs;
188330
+ }
186598
188331
  // Create MCP client and execute method
186599
188332
  const result = await this.executeMcpMethod(cfg, methodArgs, prInfo, dependencyResults, sessionInfo);
186600
188333
  // Apply transforms if specified
@@ -197877,7 +199610,7 @@ class StateMachineExecutionEngine {
197877
199610
  try {
197878
199611
  logger_1.logger.debug(`[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`);
197879
199612
  // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
197880
- const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7065)));
199613
+ const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(87068)));
197881
199614
  context.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
197882
199615
  logger_1.logger.debug(`[PolicyEngine] Initialized: ${context.policyEngine?.constructor?.name || 'unknown'}`);
197883
199616
  }
@@ -199819,10 +201552,13 @@ async function executeSingleCheck(checkId, context, state, emitEvent, transition
199819
201552
  let outputWithTimestamp = undefined;
199820
201553
  if (result.output !== undefined) {
199821
201554
  const output = result.output;
199822
- if (output !== null && typeof output === 'object' && !Array.isArray(output))
199823
- outputWithTimestamp = { ...output, ts: Date.now() };
199824
- else
201555
+ if (output !== null && typeof output === 'object' && !Array.isArray(output)) {
201556
+ // Only inject 'ts' if the output doesn't already have one (avoids overwriting Slack API timestamps)
201557
+ outputWithTimestamp = 'ts' in output ? { ...output, _engine_ts: Date.now() } : { ...output, ts: Date.now() };
201558
+ }
201559
+ else {
199825
201560
  outputWithTimestamp = output;
201561
+ }
199826
201562
  }
199827
201563
  const enrichedResultWithContent = renderedContent
199828
201564
  ? { ...enrichedResult, content: renderedContent }
@@ -204222,8 +205958,8 @@ async function executeSingleCheck(checkId, context, state, emitEvent, transition
204222
205958
  if (result.output !== undefined) {
204223
205959
  const output = result.output;
204224
205960
  if (output !== null && typeof output === 'object' && !Array.isArray(output)) {
204225
- // Only add timestamp to plain objects
204226
- outputWithTimestamp = { ...output, ts: Date.now() };
205961
+ // Only add timestamp to plain objects if they don't already have one
205962
+ outputWithTimestamp = 'ts' in output ? { ...output, _engine_ts: Date.now() } : { ...output, ts: Date.now() };
204227
205963
  }
204228
205964
  else {
204229
205965
  // Preserve primitives, arrays, and null as-is
@@ -208136,7 +209872,7 @@ async function initTelemetry(opts = {}) {
208136
209872
  const path = __nccwpck_require__(16928);
208137
209873
  const outDir = opts.file?.dir ||
208138
209874
  process.env.VISOR_TRACE_DIR ||
208139
- __nccwpck_require__.ab + "traces";
209875
+ path.join(process.cwd(), 'output', 'traces');
208140
209876
  fs.mkdirSync(outDir, { recursive: true });
208141
209877
  const ts = new Date().toISOString().replace(/[:.]/g, '-');
208142
209878
  process.env.VISOR_FALLBACK_TRACE_FILE = path.join(outDir, `run-${ts}.ndjson`);
@@ -208339,7 +210075,7 @@ async function shutdownTelemetry() {
208339
210075
  if (process.env.VISOR_TRACE_REPORT === 'true') {
208340
210076
  const fs = __nccwpck_require__(79896);
208341
210077
  const path = __nccwpck_require__(16928);
208342
- const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
210078
+ const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
208343
210079
  if (!fs.existsSync(outDir))
208344
210080
  fs.mkdirSync(outDir, { recursive: true });
208345
210081
  const ts = new Date().toISOString().replace(/[:.]/g, '-');
@@ -208838,7 +210574,7 @@ function __getOrCreateNdjsonPath() {
208838
210574
  fs.mkdirSync(dir, { recursive: true });
208839
210575
  return __ndjsonPath;
208840
210576
  }
208841
- const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
210577
+ const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
208842
210578
  if (!fs.existsSync(outDir))
208843
210579
  fs.mkdirSync(outDir, { recursive: true });
208844
210580
  if (!__ndjsonPath) {
@@ -222165,22 +223901,6 @@ class WorkflowRegistry {
222165
223901
  exports.WorkflowRegistry = WorkflowRegistry;
222166
223902
 
222167
223903
 
222168
- /***/ }),
222169
-
222170
- /***/ 7065:
222171
- /***/ ((module) => {
222172
-
222173
- module.exports = eval("require")("./enterprise/loader");
222174
-
222175
-
222176
- /***/ }),
222177
-
222178
- /***/ 71370:
222179
- /***/ ((module) => {
222180
-
222181
- module.exports = eval("require")("./enterprise/policy/policy-input-builder");
222182
-
222183
-
222184
223904
  /***/ }),
222185
223905
 
222186
223906
  /***/ 18327:
@@ -396134,7 +397854,7 @@ module.exports = /*#__PURE__*/JSON.parse('{"100":"Continue","101":"Switching Pro
396134
397854
  /***/ ((module) => {
396135
397855
 
396136
397856
  "use strict";
396137
- module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.140","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@probelabs/probe":"^0.6.0-rc257","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
397857
+ module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.42","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@probelabs/probe":"^0.6.0-rc257","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
396138
397858
 
396139
397859
  /***/ })
396140
397860