@probelabs/visor 0.1.150 → 0.1.151-ee

package/dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
-process.env.VISOR_VERSION = '0.1.150';
-process.env.PROBE_VERSION = '0.6.0-rc266';
-process.env.VISOR_COMMIT_SHA = '3b87c12790f72a2050000f18b840f18909bda118';
-process.env.VISOR_COMMIT_SHORT = '3b87c127';
+process.env.VISOR_VERSION = '0.1.151';
+process.env.PROBE_VERSION = '0.6.0-rc268';
+process.env.VISOR_COMMIT_SHA = 'b06d244c0580c243801a29bbeae739a8198bea09';
+process.env.VISOR_COMMIT_SHORT = 'b06d244';
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
@@ -161210,7 +161210,7 @@ async function handleDumpPolicyInput(checkId, argv) {
     let PolicyInputBuilder;
     try {
         // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(71370)));
+        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(17117)));
         PolicyInputBuilder = mod.PolicyInputBuilder;
     }
     catch {
@@ -167053,6 +167053,1810 @@ class DependencyResolver {
 exports.DependencyResolver = DependencyResolver;
 
 
+/***/ }),
+
+/***/ 50069:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.LicenseValidator = void 0;
+const crypto = __importStar(__nccwpck_require__(76982));
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+class LicenseValidator {
+    /** Ed25519 public key for license verification (PEM format). */
+    static PUBLIC_KEY = '-----BEGIN PUBLIC KEY-----\n' +
+        'MCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n' +
+        '-----END PUBLIC KEY-----\n';
+    cache = null;
+    static CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+    static GRACE_PERIOD = 72 * 3600 * 1000; // 72 hours after expiry
+    /**
+     * Load and validate license from environment or file.
+     *
+     * Resolution order:
+     * 1. VISOR_LICENSE env var (JWT string)
+     * 2. VISOR_LICENSE_FILE env var (path to file)
+     * 3. .visor-license in project root (cwd)
+     * 4. .visor-license in ~/.config/visor/
+     */
+    async loadAndValidate() {
+        // Return cached result if still fresh
+        if (this.cache && Date.now() - this.cache.validatedAt < LicenseValidator.CACHE_TTL) {
+            return this.cache.payload;
+        }
+        const token = this.resolveToken();
+        if (!token)
+            return null;
+        const payload = this.verifyAndDecode(token);
+        if (!payload)
+            return null;
+        this.cache = { payload, validatedAt: Date.now() };
+        return payload;
+    }
+    /** Check if a specific feature is licensed */
+    hasFeature(feature) {
+        if (!this.cache)
+            return false;
+        return this.cache.payload.features.includes(feature);
+    }
+    /** Check if license is valid (with grace period) */
+    isValid() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    /** Check if the license is within its grace period (expired but still valid) */
+    isInGracePeriod() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now >= expiryMs && now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    resolveToken() {
+        // 1. Direct env var
+        if (process.env.VISOR_LICENSE) {
+            return process.env.VISOR_LICENSE.trim();
+        }
+        // 2. File path from env (validate against path traversal)
+        if (process.env.VISOR_LICENSE_FILE) {
+            // path.resolve() produces an absolute path with all '..' segments resolved,
+            // so a separate resolved.includes('..') check is unnecessary.
+            const resolved = path.resolve(process.env.VISOR_LICENSE_FILE);
+            const home = process.env.HOME || process.env.USERPROFILE || '';
+            const allowedPrefixes = [path.normalize(process.cwd())];
+            if (home)
+                allowedPrefixes.push(path.normalize(path.join(home, '.config', 'visor')));
+            // Resolve symlinks so an attacker cannot create a symlink inside an
+            // allowed prefix that points to an arbitrary file outside it.
+            let realPath;
+            try {
+                realPath = fs.realpathSync(resolved);
+            }
+            catch {
+                return null; // File doesn't exist or isn't accessible
+            }
+            const isSafe = allowedPrefixes.some(prefix => realPath === prefix || realPath.startsWith(prefix + path.sep));
+            if (!isSafe)
+                return null;
+            return this.readFile(realPath);
+        }
+        // 3. .visor-license in cwd
+        const cwdPath = path.join(process.cwd(), '.visor-license');
+        const cwdToken = this.readFile(cwdPath);
+        if (cwdToken)
+            return cwdToken;
+        // 4. ~/.config/visor/.visor-license
+        const home = process.env.HOME || process.env.USERPROFILE || '';
+        if (home) {
+            const configPath = path.join(home, '.config', 'visor', '.visor-license');
+            const configToken = this.readFile(configPath);
+            if (configToken)
+                return configToken;
+        }
+        return null;
+    }
+    readFile(filePath) {
+        try {
+            return fs.readFileSync(filePath, 'utf-8').trim();
+        }
+        catch {
+            return null;
+        }
+    }
+    verifyAndDecode(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const [headerB64, payloadB64, signatureB64] = parts;
+            // Decode header to verify algorithm
+            const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
+            if (header.alg !== 'EdDSA')
+                return null;
+            // Verify signature
+            const data = `${headerB64}.${payloadB64}`;
+            const signature = Buffer.from(signatureB64, 'base64url');
+            const publicKey = crypto.createPublicKey(LicenseValidator.PUBLIC_KEY);
+            // Validate that the loaded public key is actually Ed25519 (OID 1.3.101.112).
+            // This prevents algorithm-confusion attacks if the embedded key were ever
+            // swapped to a different type.
+            if (publicKey.asymmetricKeyType !== 'ed25519') {
+                return null;
+            }
+            // Ed25519 verification: algorithm must be null because EdDSA performs its
+            // own internal hashing (SHA-512) — passing a digest algorithm here would
+            // cause Node.js to throw. The key type is validated above.
+            const isValid = crypto.verify(null, Buffer.from(data), publicKey, signature);
+            if (!isValid)
+                return null;
+            // Decode payload
+            const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+            // Validate required fields
+            if (!payload.org ||
+                !Array.isArray(payload.features) ||
+                typeof payload.exp !== 'number' ||
+                typeof payload.iat !== 'number' ||
+                !payload.sub) {
+                return null;
+            }
+            // Check expiry (with grace period)
+            const now = Date.now();
+            const expiryMs = payload.exp * 1000;
+            if (now >= expiryMs + LicenseValidator.GRACE_PERIOD) {
+                return null;
+            }
+            return payload;
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.LicenseValidator = LicenseValidator;
+
+
+/***/ }),
+
+/***/ 87068:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.loadEnterprisePolicyEngine = loadEnterprisePolicyEngine;
+exports.loadEnterpriseStoreBackend = loadEnterpriseStoreBackend;
+const default_engine_1 = __nccwpck_require__(93866);
+/**
+ * Load the enterprise policy engine if licensed, otherwise return the default no-op engine.
+ *
+ * This is the sole import boundary between OSS and enterprise code. Core code
+ * must only import from this module (via dynamic `await import()`), never from
+ * individual enterprise submodules.
+ */
+async function loadEnterprisePolicyEngine(config) {
+    try {
+        const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+        const validator = new LicenseValidator();
+        const license = await validator.loadAndValidate();
+        if (!license || !validator.hasFeature('policy')) {
+            return new default_engine_1.DefaultPolicyEngine();
+        }
+        if (validator.isInGracePeriod()) {
+            // eslint-disable-next-line no-console
+            console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+                'Please renew your license.');
+        }
+        const { OpaPolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(39530)));
+        const engine = new OpaPolicyEngine(config);
+        await engine.initialize(config);
+        return engine;
+    }
+    catch (err) {
+        // Enterprise code not available or initialization failed
+        const msg = err instanceof Error ? err.message : String(err);
+        try {
+            const { logger } = __nccwpck_require__(86999);
+            logger.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
+        }
+        catch {
+            // silent
+        }
+        return new default_engine_1.DefaultPolicyEngine();
+    }
+}
+/**
+ * Load the enterprise schedule store backend if licensed.
+ *
+ * @param driver Database driver ('postgresql', 'mysql', or 'mssql')
+ * @param storageConfig Storage configuration with connection details
+ * @param haConfig Optional HA configuration
+ * @throws Error if enterprise license is not available or missing 'scheduler-sql' feature
+ */
+async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
+    const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+    const validator = new LicenseValidator();
+    const license = await validator.loadAndValidate();
+    if (!license || !validator.hasFeature('scheduler-sql')) {
+        throw new Error(`The ${driver} schedule storage driver requires a Visor Enterprise license ` +
+            `with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`);
+    }
+    if (validator.isInGracePeriod()) {
+        // eslint-disable-next-line no-console
+        console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+            'Please renew your license.');
+    }
+    const { KnexStoreBackend } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(63737)));
+    return new KnexStoreBackend(driver, storageConfig, haConfig);
+}
+
+
+/***/ }),
+
+/***/ 628:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaCompiler = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const os = __importStar(__nccwpck_require__(70857));
+const crypto = __importStar(__nccwpck_require__(76982));
+const child_process_1 = __nccwpck_require__(35317);
+/**
+ * OPA Rego Compiler - compiles .rego policy files to WASM bundles using the `opa` CLI.
+ *
+ * Handles:
+ * - Resolving input paths to WASM bytes (direct .wasm, directory with policy.wasm, or .rego files)
+ * - Compiling .rego files to WASM via `opa build`
+ * - Caching compiled bundles based on content hashes
+ * - Extracting policy.wasm from OPA tar.gz bundles
+ *
+ * Requires:
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaCompiler {
+    static CACHE_DIR = path.join(os.tmpdir(), 'visor-opa-cache');
+    /**
+     * Resolve the input paths to WASM bytes.
+     *
+     * Strategy:
+     * 1. If any path is a .wasm file, read it directly
+     * 2. If a directory contains policy.wasm, read it
+     * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+     */
+    async resolveWasmBytes(paths) {
+        // Collect .rego files and check for existing .wasm
+        const regoFiles = [];
+        for (const p of paths) {
+            const resolved = path.resolve(p);
+            // Reject paths containing '..' after resolution (path traversal)
+            if (path.normalize(resolved).includes('..')) {
+                throw new Error(`Policy path contains traversal sequences: ${p}`);
+            }
+            // Direct .wasm file
+            if (resolved.endsWith('.wasm') && fs.existsSync(resolved)) {
+                return fs.readFileSync(resolved);
+            }
+            if (!fs.existsSync(resolved))
+                continue;
+            const stat = fs.statSync(resolved);
+            if (stat.isDirectory()) {
+                // Check for pre-compiled policy.wasm in directory
+                const wasmCandidate = path.join(resolved, 'policy.wasm');
+                if (fs.existsSync(wasmCandidate)) {
+                    return fs.readFileSync(wasmCandidate);
+                }
+                // Collect all .rego files from directory
+                const files = fs.readdirSync(resolved);
+                for (const f of files) {
+                    if (f.endsWith('.rego')) {
+                        regoFiles.push(path.join(resolved, f));
+                    }
+                }
+            }
+            else if (resolved.endsWith('.rego')) {
+                regoFiles.push(resolved);
+            }
+        }
+        if (regoFiles.length === 0) {
+            throw new Error(`OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(', ')}`);
+        }
+        // Auto-compile .rego -> .wasm
+        return this.compileRego(regoFiles);
+    }
+    /**
+     * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+     *
+     * Caches the compiled bundle based on a content hash of all input .rego files
+     * so subsequent runs skip compilation if policies haven't changed.
+     */
+    compileRego(regoFiles) {
+        // Check that `opa` CLI is available
+        try {
+            (0, child_process_1.execFileSync)('opa', ['version'], { stdio: 'pipe' });
+        }
+        catch {
+            throw new Error('OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\n' +
+                'Or pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz ' +
+                regoFiles.join(' '));
+        }
+        // Compute content hash for cache key
+        const hash = crypto.createHash('sha256');
+        for (const f of regoFiles.sort()) {
+            hash.update(fs.readFileSync(f));
+            hash.update(f); // include filename for disambiguation
+        }
+        const cacheKey = hash.digest('hex').slice(0, 16);
+        const cacheDir = OpaCompiler.CACHE_DIR;
+        const cachedWasm = path.join(cacheDir, `${cacheKey}.wasm`);
+        // Return cached bundle if still valid
+        if (fs.existsSync(cachedWasm)) {
+            return fs.readFileSync(cachedWasm);
+        }
+        // Compile to WASM via opa build
+        fs.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        try {
+            const args = [
+                'build',
+                '-t',
+                'wasm',
+                '-e',
+                'visor', // entrypoint: the visor package tree
+                '-o',
+                bundleTar,
+                ...regoFiles,
+            ];
+            (0, child_process_1.execFileSync)('opa', args, {
+                stdio: 'pipe',
+                timeout: 30000,
+            });
+        }
+        catch (err) {
+            const stderr = err?.stderr?.toString() || '';
+            throw new Error(`Failed to compile .rego files to WASM:\n${stderr}\n` +
+                'Ensure your .rego files are valid and the `opa` CLI is installed.');
+        }
+        // Extract policy.wasm from the tar.gz bundle
+        // OPA bundles are tar.gz with /policy.wasm inside
+        try {
+            (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, '/policy.wasm'], {
+                stdio: 'pipe',
+            });
+            const extractedWasm = path.join(cacheDir, 'policy.wasm');
+            if (fs.existsSync(extractedWasm)) {
+                // Move to cache-key named file
+                fs.renameSync(extractedWasm, cachedWasm);
+            }
+        }
+        catch {
+            // Some tar implementations don't like leading /
+            try {
+                (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, 'policy.wasm'], {
+                    stdio: 'pipe',
+                });
+                const extractedWasm = path.join(cacheDir, 'policy.wasm');
+                if (fs.existsSync(extractedWasm)) {
+                    fs.renameSync(extractedWasm, cachedWasm);
+                }
+            }
+            catch (err2) {
+                throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
+            }
+        }
+        // Clean up tar
+        try {
+            fs.unlinkSync(bundleTar);
+        }
+        catch { }
+        if (!fs.existsSync(cachedWasm)) {
+            throw new Error('OPA build succeeded but policy.wasm was not found in the bundle');
+        }
+        return fs.readFileSync(cachedWasm);
+    }
+}
+exports.OpaCompiler = OpaCompiler;
+
+
+/***/ }),
+
+/***/ 44693:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaHttpEvaluator = void 0;
+/**
+ * OPA HTTP Evaluator - evaluates policies via an external OPA server's REST API.
+ *
+ * Uses the built-in `fetch` API (Node 18+), so no extra dependencies are needed.
+ */
+class OpaHttpEvaluator {
+    baseUrl;
+    timeout;
+    constructor(baseUrl, timeout = 5000) {
+        // Validate URL format and protocol
+        let parsed;
+        try {
+            parsed = new URL(baseUrl);
+        }
+        catch {
+            throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
+        }
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            throw new Error(`OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`);
+        }
+        // Block cloud metadata, loopback, link-local, and private network addresses
+        const hostname = parsed.hostname;
+        if (this.isBlockedHostname(hostname)) {
+            throw new Error(`OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`);
+        }
+        // Normalize: strip trailing slash
+        this.baseUrl = baseUrl.replace(/\/+$/, '');
+        this.timeout = timeout;
+    }
+    /**
+     * Check if a hostname is blocked due to SSRF concerns.
+     *
+     * Blocks:
+     * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+     * - Link-local addresses (169.254.x.x)
+     * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+     * - IPv6 unique local addresses (fd00::/8)
+     * - Cloud metadata services (*.internal)
+     */
+    isBlockedHostname(hostname) {
+        if (!hostname)
+            return true; // block empty hostnames
+        // Normalize hostname: lowercase and remove brackets for IPv6
+        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, '');
+        // Block .internal domains (cloud metadata services)
+        if (normalized === 'metadata.google.internal' || normalized.endsWith('.internal')) {
+            return true;
+        }
+        // Block localhost variants
+        if (normalized === 'localhost' || normalized === 'localhost.localdomain') {
+            return true;
+        }
+        // Block IPv6 loopback
+        if (normalized === '::1' || normalized === '0:0:0:0:0:0:0:1') {
+            return true;
+        }
+        // Check IPv4 patterns
+        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = normalized.match(ipv4Pattern);
+        if (ipv4Match) {
+            const octets = ipv4Match.slice(1, 5).map(Number);
+            // Validate octets are in range [0, 255]
+            if (octets.some(octet => octet > 255)) {
+                return false;
+            }
+            const [a, b] = octets;
+            // Block loopback: 127.0.0.0/8
+            if (a === 127) {
+                return true;
+            }
+            // Block 0.0.0.0/8 (this host)
+            if (a === 0) {
+                return true;
+            }
+            // Block link-local: 169.254.0.0/16
+            if (a === 169 && b === 254) {
+                return true;
+            }
+            // Block private networks
+            // 10.0.0.0/8
+            if (a === 10) {
+                return true;
+            }
+            // 172.16.0.0/12 (172.16.x.x through 172.31.x.x)
+            if (a === 172 && b >= 16 && b <= 31) {
+                return true;
+            }
+            // 192.168.0.0/16
+            if (a === 192 && b === 168) {
+                return true;
+            }
+        }
+        // Check IPv6 patterns
+        // Block unique local addresses: fd00::/8
+        if (normalized.startsWith('fd') || normalized.startsWith('fc')) {
+            return true;
+        }
+        // Block link-local: fe80::/10
+        if (normalized.startsWith('fe80:')) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Evaluate a policy rule against an input document via OPA REST API.
+     *
+     * @param input - The input document to evaluate
+     * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+     * @returns The result object from OPA, or undefined on error
+     */
+    async evaluate(input, rulePath) {
+        // OPA Data API: POST /v1/data/<path>
+        const encodedPath = rulePath
+            .split('/')
+            .map(s => encodeURIComponent(s))
+            .join('/');
+        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ input }),
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
+            }
+            let body;
+            try {
+                body = await response.json();
+            }
+            catch (jsonErr) {
+                throw new Error(`OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`);
+            }
+            // OPA returns { result: { ... } }
+            return body?.result;
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    async shutdown() {
+        // No persistent connections to close
+    }
+}
+exports.OpaHttpEvaluator = OpaHttpEvaluator;
+
+
+/***/ }),
+
+/***/ 39530:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaPolicyEngine = void 0;
+const opa_wasm_evaluator_1 = __nccwpck_require__(8613);
+const opa_http_evaluator_1 = __nccwpck_require__(44693);
+const policy_input_builder_1 = __nccwpck_require__(17117);
+/**
+ * Enterprise OPA Policy Engine.
+ *
+ * Wraps both WASM (local) and HTTP (remote) OPA evaluators behind the
+ * OSS PolicyEngine interface. All OPA input building and role resolution
+ * is handled internally — the OSS call sites pass only plain types.
+ */
+class OpaPolicyEngine {
+    evaluator = null;
+    fallback;
+    timeout;
+    config;
+    inputBuilder = null;
+    logger = null;
+    constructor(config) {
+        this.config = config;
+        this.fallback = config.fallback || 'deny';
+        this.timeout = config.timeout || 5000;
+    }
+    async initialize(config) {
+        // Resolve logger once at initialization
+        try {
+            this.logger = (__nccwpck_require__(86999).logger);
+        }
+        catch {
+            // logger not available in this context
+        }
+        // Build actor/repo context from environment (available at engine init time)
+        const actor = {
+            authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
+            login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
+            isLocalMode: !process.env.GITHUB_ACTIONS,
+        };
+        const repo = {
+            owner: process.env.GITHUB_REPOSITORY_OWNER,
+            name: process.env.GITHUB_REPOSITORY?.split('/')[1],
+            branch: process.env.GITHUB_HEAD_REF,
+            baseBranch: process.env.GITHUB_BASE_REF,
+            event: process.env.GITHUB_EVENT_NAME,
+        };
+        const prNum = process.env.GITHUB_PR_NUMBER
+            ? parseInt(process.env.GITHUB_PR_NUMBER, 10)
+            : undefined;
+        const pullRequest = {
+            number: prNum !== undefined && Number.isFinite(prNum) ? prNum : undefined,
+        };
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(config, actor, repo, pullRequest);
+        if (config.engine === 'local') {
+            if (!config.rules) {
+                throw new Error('OPA local mode requires `policy.rules` path to .wasm or .rego files');
+            }
+            const wasm = new opa_wasm_evaluator_1.OpaWasmEvaluator();
+            await wasm.initialize(config.rules);
+            if (config.data) {
+                wasm.loadData(config.data);
+            }
+            this.evaluator = wasm;
+        }
+        else if (config.engine === 'remote') {
+            if (!config.url) {
+                throw new Error('OPA remote mode requires `policy.url` pointing to OPA server');
+            }
+            this.evaluator = new opa_http_evaluator_1.OpaHttpEvaluator(config.url, this.timeout);
+        }
+        else {
+            this.evaluator = null;
+        }
+    }
+    /**
+     * Update actor/repo/PR context (e.g., after PR info becomes available).
+     * Called by the enterprise loader when engine context is enriched.
+     */
+    setActorContext(actor, repo, pullRequest) {
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(this.config, actor, repo, pullRequest);
+    }
+    async evaluateCheckExecution(checkId, checkConfig) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const cfg = checkConfig && typeof checkConfig === 'object'
+            ? checkConfig
+            : {};
+        const policyOverride = cfg.policy;
+        const input = this.inputBuilder.forCheckExecution({
+            id: checkId,
+            type: cfg.type || 'ai',
+            group: cfg.group,
+            tags: cfg.tags,
+            criticality: cfg.criticality,
+            sandbox: cfg.sandbox,
+            policy: policyOverride,
+        });
+        return this.doEvaluate(input, this.resolveRulePath('check.execute', policyOverride?.rule));
+    }
+    async evaluateToolInvocation(serverName, methodName, transport) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
+        return this.doEvaluate(input, 'visor/tool/invoke');
+    }
+    async evaluateCapabilities(checkId, capabilities) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
+        return this.doEvaluate(input, 'visor/capability/resolve');
+    }
+    async shutdown() {
+        if (this.evaluator && 'shutdown' in this.evaluator) {
+            await this.evaluator.shutdown();
+        }
+        this.evaluator = null;
+        this.inputBuilder = null;
+    }
+    resolveRulePath(defaultScope, override) {
+        if (override) {
+            return override.startsWith('visor/') ? override : `visor/${override}`;
+        }
+        return `visor/${defaultScope.replace(/\./g, '/')}`;
+    }
+    async doEvaluate(input, rulePath) {
+        try {
+            this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
+            let timer;
+            const timeoutPromise = new Promise((_resolve, reject) => {
+                timer = setTimeout(() => reject(new Error('policy evaluation timeout')), this.timeout);
+            });
+            try {
+                const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
+                const decision = this.parseDecision(result);
+                // In warn mode, override denied decisions to allowed but flag as warn
+                if (!decision.allowed && this.fallback === 'warn') {
+                    decision.allowed = true;
+                    decision.warn = true;
+                    decision.reason = `audit: ${decision.reason || 'policy denied'}`;
+                }
+                this.logger?.debug(`[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || 'none'}`);
+                return decision;
+            }
+            finally {
+                if (timer)
+                    clearTimeout(timer);
+            }
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: `policy evaluation failed, fallback=${this.fallback}`,
+            };
+        }
+    }
+    async rawEvaluate(input, rulePath) {
+        if (this.evaluator instanceof opa_wasm_evaluator_1.OpaWasmEvaluator) {
+            const result = await this.evaluator.evaluate(input);
+            // WASM compiled with `-e visor` entrypoint returns the full visor package tree.
+            // Navigate to the specific rule subtree using rulePath segments.
+            // e.g., 'visor/check/execute' → result.check.execute
+            return this.navigateWasmResult(result, rulePath);
+        }
+        return this.evaluator.evaluate(input, rulePath);
+    }
+    /**
+     * Navigate nested OPA WASM result tree to reach the specific rule's output.
+     * The WASM entrypoint `-e visor` means the result root IS the visor package,
+     * so we strip the `visor/` prefix and walk the remaining segments.
+     */
+    navigateWasmResult(result, rulePath) {
+        if (!result || typeof result !== 'object')
+            return result;
+        // Strip the 'visor/' prefix (matches our compilation entrypoint)
+        const segments = rulePath.replace(/^visor\//, '').split('/');
+        let current = result;
+        for (const seg of segments) {
+            if (current && typeof current === 'object' && seg in current) {
+                current = current[seg];
+            }
+            else {
+                return undefined; // path not found in result tree
+            }
+        }
+        return current;
+    }
+    parseDecision(result) {
+        if (result === undefined || result === null) {
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: this.fallback === 'warn' ? 'audit: no policy result' : 'no policy result',
+            };
+        }
+        const allowed = result.allowed !== false;
+        const decision = {
+            allowed,
+            reason: result.reason,
+        };
+        if (result.capabilities) {
+            decision.capabilities = result.capabilities;
+        }
+        return decision;
+    }
+}
+exports.OpaPolicyEngine = OpaPolicyEngine;
+
+
+/***/ }),
+
+/***/ 8613:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaWasmEvaluator = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const opa_compiler_1 = __nccwpck_require__(628);
+/**
+ * OPA WASM Evaluator - loads and evaluates OPA policies locally.
+ *
+ * Supports three input formats:
+ * 1. Pre-compiled `.wasm` bundle — loaded directly (fastest startup)
+ * 2. `.rego` files or directory — auto-compiled to WASM via `opa build` CLI
+ * 3. Directory with `policy.wasm` inside — loaded directly
+ *
+ * Compilation and caching of .rego files is delegated to {@link OpaCompiler}.
+ *
+ * Requires:
+ * - `@open-policy-agent/opa-wasm` npm package (optional dep)
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaWasmEvaluator {
+    policy = null;
+    dataDocument = {};
+    compiler = new opa_compiler_1.OpaCompiler();
+    async initialize(rulesPath) {
+        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
+        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
+        try {
+            // Use createRequire to load the optional dep at runtime without ncc bundling it.
+            // `new Function('id', 'return require(id)')` fails in ncc bundles because
+            // `require` is not in the `new Function` scope. `createRequire` works correctly
+            // because it creates a real Node.js require rooted at the given path.
+            // eslint-disable-next-line @typescript-eslint/no-var-requires
+            const { createRequire } = __nccwpck_require__(73339);
+            const runtimeRequire = createRequire(__filename);
+            const opaWasm = runtimeRequire('@open-policy-agent/opa-wasm');
+            const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
+            if (!loadPolicy) {
+                throw new Error('loadPolicy not found in @open-policy-agent/opa-wasm');
+            }
+            this.policy = await loadPolicy(wasmBytes);
+        }
+        catch (err) {
+            if (err?.code === 'MODULE_NOT_FOUND' || err?.code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('OPA WASM evaluator requires @open-policy-agent/opa-wasm. ' +
+                    'Install it with: npm install @open-policy-agent/opa-wasm');
+            }
+            throw err;
+        }
+    }
+    /**
+     * Load external data from a JSON file to use as the OPA data document.
+     * The loaded data will be passed to `policy.setData()` during evaluation,
+     * making it available in Rego via `data.<key>`.
+     */
+    loadData(dataPath) {
+        const resolved = path.resolve(dataPath);
+        if (path.normalize(resolved).includes('..')) {
+            throw new Error(`Data path contains traversal sequences: ${dataPath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`OPA data file not found: ${resolved}`);
+        }
+        const stat = fs.statSync(resolved);
+        if (stat.size > 10 * 1024 * 1024) {
+            throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
+        }
+        const raw = fs.readFileSync(resolved, 'utf-8');
+        try {
+            const parsed = JSON.parse(raw);
+            if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+                throw new Error('OPA data file must contain a JSON object (not an array or primitive)');
+            }
+            this.dataDocument = parsed;
+        }
+        catch (err) {
+            if (err.message.startsWith('OPA data file must')) {
+                throw err;
+            }
+            throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
+        }
+    }
+    async evaluate(input) {
+        if (!this.policy) {
+            throw new Error('OPA WASM evaluator not initialized');
+        }
+        this.policy.setData(this.dataDocument);
+        const resultSet = this.policy.evaluate(input);
+        if (Array.isArray(resultSet) && resultSet.length > 0) {
+            return resultSet[0].result;
+        }
+        return undefined;
+    }
+    async shutdown() {
+        if (this.policy) {
+            // opa-wasm policy objects may have a close/free method for WASM cleanup
+            if (typeof this.policy.close === 'function') {
+                try {
+                    this.policy.close();
+                }
+                catch { }
+            }
+            else if (typeof this.policy.free === 'function') {
+                try {
+                    this.policy.free();
+                }
+                catch { }
+            }
+        }
+        this.policy = null;
+    }
+}
+exports.OpaWasmEvaluator = OpaWasmEvaluator;
+
+
+/***/ }),
+
+/***/ 17117:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.PolicyInputBuilder = void 0;
+/**
+ * Builds OPA-compatible input documents from engine context.
+ *
+ * Resolves actor roles from the `policy.roles` config section by matching
+ * the actor's authorAssociation and login against role definitions.
+ */
+class PolicyInputBuilder {
+    roles;
+    actor;
+    repository;
+    pullRequest;
+    constructor(policyConfig, actor, repository, pullRequest) {
+        this.roles = policyConfig.roles || {};
+        this.actor = actor;
+        this.repository = repository;
+        this.pullRequest = pullRequest;
+    }
+    /** Resolve which roles apply to the current actor. */
+    resolveRoles() {
+        const matched = [];
+        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
+            let identityMatch = false;
+            if (roleConfig.author_association &&
+                this.actor.authorAssociation &&
+                roleConfig.author_association.includes(this.actor.authorAssociation)) {
+                identityMatch = true;
+            }
+            if (!identityMatch &&
+                roleConfig.users &&
+                this.actor.login &&
+                roleConfig.users.includes(this.actor.login)) {
+                identityMatch = true;
+            }
+            // Slack user ID match
+            if (!identityMatch &&
+                roleConfig.slack_users &&
+                this.actor.slack?.userId &&
+                roleConfig.slack_users.includes(this.actor.slack.userId)) {
+                identityMatch = true;
+            }
+            // Email match (case-insensitive)
+            if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
+                const actorEmail = this.actor.slack.email.toLowerCase();
+                if (roleConfig.emails.some(e => e.toLowerCase() === actorEmail)) {
+                    identityMatch = true;
+                }
+            }
+            // Note: teams-based role resolution requires GitHub API access (read:org scope)
+            // and is not yet implemented. If configured, the role will not match via teams.
+            if (!identityMatch)
+                continue;
+            // slack_channels gate: if set, the role only applies when triggered from one of these channels
+            if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
+                if (!this.actor.slack?.channelId ||
+                    !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
+                    continue;
+                }
+            }
+            matched.push(roleName);
+        }
+        return matched;
+    }
+    buildActor() {
+        return {
+            authorAssociation: this.actor.authorAssociation,
+            login: this.actor.login,
+            roles: this.resolveRoles(),
+            isLocalMode: this.actor.isLocalMode,
+            ...(this.actor.slack && { slack: this.actor.slack }),
+        };
+    }
+    forCheckExecution(check) {
+        return {
+            scope: 'check.execute',
+            check: {
+                id: check.id,
+                type: check.type,
+                group: check.group,
+                tags: check.tags,
+                criticality: check.criticality,
+                sandbox: check.sandbox,
+                policy: check.policy,
+            },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forToolInvocation(serverName, methodName, transport) {
+        return {
+            scope: 'tool.invoke',
+            tool: { serverName, methodName, transport },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forCapabilityResolve(checkId, capabilities) {
+        return {
+            scope: 'capability.resolve',
+            check: { id: checkId, type: 'ai' },
+            capability: capabilities,
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+}
+exports.PolicyInputBuilder = PolicyInputBuilder;
+
+
+/***/ }),
+
+/***/ 63737:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.KnexStoreBackend = void 0;
+/**
+ * Knex-backed schedule store for PostgreSQL, MySQL, and MSSQL (Enterprise)
+ *
+ * Uses Knex query builder for database-agnostic SQL. Same schema as SQLite backend
+ * but with real distributed locking via row-level claims (claimed_by/claimed_at/lock_token).
+ */
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const uuid_1 = __nccwpck_require__(31914);
+const logger_1 = __nccwpck_require__(86999);
+function toNum(val) {
+    if (val === null || val === undefined)
+        return undefined;
+    return typeof val === 'string' ? parseInt(val, 10) : val;
+}
+function safeJsonParse(value) {
+    if (!value)
+        return undefined;
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        return undefined;
+    }
+}
+function fromTriggerRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        description: row.description ?? undefined,
+        channels: safeJsonParse(row.channels),
+        fromUsers: safeJsonParse(row.from_users),
+        fromBots: row.from_bots === true || row.from_bots === 1,
+        contains: safeJsonParse(row.contains),
+        matchPattern: row.match_pattern ?? undefined,
+        threads: row.threads,
+        workflow: row.workflow,
+        inputs: safeJsonParse(row.inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        enabled: row.enabled === true || row.enabled === 1,
+        createdAt: toNum(row.created_at),
+    };
+}
+function toTriggerInsertRow(trigger) {
+    return {
+        id: trigger.id,
+        creator_id: trigger.creatorId,
+        creator_context: trigger.creatorContext ?? null,
+        creator_name: trigger.creatorName ?? null,
+        description: trigger.description ?? null,
+        channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
+        from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
+        from_bots: trigger.fromBots,
+        contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
+        match_pattern: trigger.matchPattern ?? null,
+        threads: trigger.threads,
+        workflow: trigger.workflow,
+        inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
+        output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
+        status: trigger.status,
+        enabled: trigger.enabled,
+        created_at: trigger.createdAt,
+    };
+}
+function fromDbRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        timezone: row.timezone,
+        schedule: row.schedule_expr,
+        runAt: toNum(row.run_at),
+        isRecurring: row.is_recurring === true || row.is_recurring === 1,
+        originalExpression: row.original_expression,
+        workflow: row.workflow ?? undefined,
+        workflowInputs: safeJsonParse(row.workflow_inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        createdAt: toNum(row.created_at),
+        lastRunAt: toNum(row.last_run_at),
+        nextRunAt: toNum(row.next_run_at),
+        runCount: row.run_count,
+        failureCount: row.failure_count,
+        lastError: row.last_error ?? undefined,
+        previousResponse: row.previous_response ?? undefined,
+    };
+}
+function toInsertRow(schedule) {
+    return {
+        id: schedule.id,
+        creator_id: schedule.creatorId,
+        creator_context: schedule.creatorContext ?? null,
+        creator_name: schedule.creatorName ?? null,
+        timezone: schedule.timezone,
+        schedule_expr: schedule.schedule,
+        run_at: schedule.runAt ?? null,
+        is_recurring: schedule.isRecurring,
+        original_expression: schedule.originalExpression,
+        workflow: schedule.workflow ?? null,
+        workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
+        output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
+        status: schedule.status,
+        created_at: schedule.createdAt,
+        last_run_at: schedule.lastRunAt ?? null,
+        next_run_at: schedule.nextRunAt ?? null,
+        run_count: schedule.runCount,
+        failure_count: schedule.failureCount,
+        last_error: schedule.lastError ?? null,
+        previous_response: schedule.previousResponse ?? null,
+    };
+}
+/**
+ * Enterprise Knex-backed store for PostgreSQL, MySQL, and MSSQL
+ */
+class KnexStoreBackend {
+    knex = null;
+    driver;
+    connection;
+    constructor(driver, storageConfig, _haConfig) {
+        this.driver = driver;
+        this.connection = (storageConfig.connection || {});
+    }
+    async initialize() {
+        // Load knex dynamically
+        const { createRequire } = __nccwpck_require__(73339);
+        const runtimeRequire = createRequire(__filename);
+        let knexFactory;
+        try {
+            knexFactory = runtimeRequire('knex');
+        }
+        catch (err) {
+            const code = err?.code;
+            if (code === 'MODULE_NOT_FOUND' || code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('knex is required for PostgreSQL/MySQL/MSSQL schedule storage. ' +
+                    'Install it with: npm install knex');
+            }
+            throw err;
+        }
+        const clientMap = {
+            postgresql: 'pg',
+            mysql: 'mysql2',
+            mssql: 'tedious',
+        };
+        const client = clientMap[this.driver];
+        // Build connection config
+        let connection;
+        if (this.connection.connection_string) {
+            connection = this.connection.connection_string;
+        }
+        else if (this.driver === 'mssql') {
+            connection = this.buildMssqlConnection();
+        }
+        else {
+            connection = this.buildStandardConnection();
+        }
+        this.knex = knexFactory({
+            client,
+            connection,
+            pool: {
+                min: this.connection.pool?.min ?? 0,
+                max: this.connection.pool?.max ?? 10,
+            },
+        });
+        // Run schema migration
+        await this.migrateSchema();
+        logger_1.logger.info(`[KnexStore] Initialized (${this.driver})`);
+    }
+    buildStandardConnection() {
+        return {
+            host: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            ssl: this.resolveSslConfig(),
+        };
+    }
+    buildMssqlConnection() {
+        const ssl = this.connection.ssl;
+        const sslEnabled = ssl === true || (typeof ssl === 'object' && ssl.enabled !== false);
+        return {
+            server: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            options: {
+                encrypt: sslEnabled,
+                trustServerCertificate: typeof ssl === 'object' ? ssl.reject_unauthorized === false : !sslEnabled,
+            },
+        };
+    }
+    resolveSslConfig() {
+        const ssl = this.connection.ssl;
+        if (ssl === false || ssl === undefined)
+            return false;
+        if (ssl === true)
+            return { rejectUnauthorized: true };
+        // Object config
+        if (ssl.enabled === false)
+            return false;
+        const result = {
+            rejectUnauthorized: ssl.reject_unauthorized !== false,
+        };
+        if (ssl.ca) {
+            const caPath = this.validateSslPath(ssl.ca, 'CA certificate');
+            result.ca = fs.readFileSync(caPath, 'utf8');
+        }
+        if (ssl.cert) {
+            const certPath = this.validateSslPath(ssl.cert, 'client certificate');
+            result.cert = fs.readFileSync(certPath, 'utf8');
+        }
+        if (ssl.key) {
+            const keyPath = this.validateSslPath(ssl.key, 'client key');
+            result.key = fs.readFileSync(keyPath, 'utf8');
+        }
+        return result;
+    }
+    validateSslPath(filePath, label) {
+        const resolved = path.resolve(filePath);
+        if (resolved !== path.normalize(resolved)) {
+            throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`SSL ${label} not found: ${filePath}`);
+        }
+        return resolved;
+    }
+    async shutdown() {
+        if (this.knex) {
+            await this.knex.destroy();
+            this.knex = null;
+        }
+    }
+    async migrateSchema() {
+        const knex = this.getKnex();
+        const exists = await knex.schema.hasTable('schedules');
+        if (!exists) {
+            await knex.schema.createTable('schedules', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.string('timezone', 64).notNullable().defaultTo('UTC');
+                table.string('schedule_expr', 255);
+                table.bigInteger('run_at');
+                table.boolean('is_recurring').notNullable();
+                table.text('original_expression');
+                table.string('workflow', 255);
+                table.text('workflow_inputs');
+                table.text('output_context');
+                table.string('status', 20).notNullable().index();
+                table.bigInteger('created_at').notNullable();
+                table.bigInteger('last_run_at');
+                table.bigInteger('next_run_at');
+                table.integer('run_count').notNullable().defaultTo(0);
+                table.integer('failure_count').notNullable().defaultTo(0);
+                table.text('last_error');
+                table.text('previous_response');
+                table.index(['status', 'next_run_at']);
+            });
+        }
+        // Create message_triggers table
+        const triggersExist = await knex.schema.hasTable('message_triggers');
+        if (!triggersExist) {
+            await knex.schema.createTable('message_triggers', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.text('description');
+                table.text('channels'); // JSON array
+                table.text('from_users'); // JSON array
+                table.boolean('from_bots').notNullable().defaultTo(false);
+                table.text('contains'); // JSON array
+                table.text('match_pattern');
+                table.string('threads', 20).notNullable().defaultTo('any');
+                table.string('workflow', 255).notNullable();
+                table.text('inputs'); // JSON
+                table.text('output_context'); // JSON
+                table.string('status', 20).notNullable().defaultTo('active').index();
+                table.boolean('enabled').notNullable().defaultTo(true);
+                table.bigInteger('created_at').notNullable();
+            });
+        }
+        // Create scheduler_locks table for distributed locking
+        const locksExist = await knex.schema.hasTable('scheduler_locks');
+        if (!locksExist) {
+            await knex.schema.createTable('scheduler_locks', table => {
+                table.string('lock_id', 255).primary();
+                table.string('node_id', 255).notNullable();
+                table.string('lock_token', 36).notNullable();
+                table.bigInteger('acquired_at').notNullable();
+                table.bigInteger('expires_at').notNullable();
+            });
+        }
+    }
+    getKnex() {
+        if (!this.knex) {
+            throw new Error('[KnexStore] Not initialized. Call initialize() first.');
+        }
+        return this.knex;
+    }
+    // --- CRUD ---
+    async create(schedule) {
+        const knex = this.getKnex();
+        const newSchedule = {
+            ...schedule,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+            runCount: 0,
+            failureCount: 0,
+            status: 'active',
+        };
+        await knex('schedules').insert(toInsertRow(newSchedule));
+        logger_1.logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
+        return newSchedule;
+    }
+    async importSchedule(schedule) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', schedule.id).first();
+        if (existing)
+            return; // Already imported (idempotent)
+        await knex('schedules').insert(toInsertRow(schedule));
+    }
+    async get(id) {
+        const knex = this.getKnex();
+        const row = await knex('schedules').where('id', id).first();
+        return row ? fromDbRow(row) : undefined;
+    }
+    async update(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromDbRow(existing);
+        const updated = { ...current, ...patch, id: current.id };
+        const row = toInsertRow(updated);
+        // Remove id from update (PK cannot change)
+        delete row.id;
+        await knex('schedules').where('id', id).update(row);
+        return updated;
+    }
+    async delete(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('schedules').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted schedule ${id}`);
+            return true;
+        }
+        return false;
+    }
+    // --- Queries ---
+    async getByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('creator_id', creatorId);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getActiveSchedules() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('status', 'active');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getDueSchedules(now) {
+        const ts = now ?? Date.now();
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans
+        const bFalse = this.driver === 'mssql' ? 0 : false;
+        const bTrue = this.driver === 'mssql' ? 1 : true;
+        const rows = await knex('schedules')
+            .where('status', 'active')
+            .andWhere(function () {
+            this.where(function () {
+                this.where('is_recurring', bFalse)
+                    .whereNotNull('run_at')
+                    .where('run_at', '<=', ts);
+            }).orWhere(function () {
+                this.where('is_recurring', bTrue)
+                    .whereNotNull('next_run_at')
+                    .where('next_run_at', '<=', ts);
+            });
+        });
+        return rows.map((r) => fromDbRow(r));
+    }
+    async findByWorkflow(creatorId, workflowName) {
+        const knex = this.getKnex();
+        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, '\\$&');
+        const pattern = `%${escaped}%`;
+        const rows = await knex('schedules')
+            .where('creator_id', creatorId)
+            .where('status', 'active')
+            .whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getAll() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getStats() {
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans; PostgreSQL/MySQL accept both true/1
+        const boolTrue = this.driver === 'mssql' ? '1' : 'true';
+        const boolFalse = this.driver === 'mssql' ? '0' : 'false';
+        const result = await knex('schedules')
+            .select(knex.raw('COUNT(*) as total'), knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"), knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"), knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"), knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"), knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`), knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`))
+            .first();
+        return {
+            total: Number(result.total) || 0,
+            active: Number(result.active) || 0,
+            paused: Number(result.paused) || 0,
+            completed: Number(result.completed) || 0,
+            failed: Number(result.failed) || 0,
+            recurring: Number(result.recurring) || 0,
+            oneTime: Number(result.one_time) || 0,
+        };
+    }
+    async validateLimits(creatorId, isRecurring, limits) {
+        const knex = this.getKnex();
+        if (limits.maxGlobal) {
+            const result = await knex('schedules').count('* as cnt').first();
+            if (Number(result?.cnt) >= limits.maxGlobal) {
+                throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
+            }
+        }
+        if (limits.maxPerUser) {
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxPerUser) {
+                throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
+            }
+        }
+        if (isRecurring && limits.maxRecurringPerUser) {
+            const bTrue = this.driver === 'mssql' ? 1 : true;
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .where('is_recurring', bTrue)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
+                throw new Error(`You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`);
+            }
+        }
+    }
+    // --- HA Distributed Locking (via scheduler_locks table) ---
+    async tryAcquireLock(lockId, nodeId, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const token = (0, uuid_1.v4)();
+        // Step 1: Try to claim an existing expired lock
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('expires_at', '<', now)
+            .update({
+            node_id: nodeId,
+            lock_token: token,
+            acquired_at: now,
+            expires_at: expiresAt,
+        });
+        if (updated > 0)
+            return token;
+        // Step 2: Try to INSERT a new lock row
+        try {
+            await knex('scheduler_locks').insert({
+                lock_id: lockId,
+                node_id: nodeId,
+                lock_token: token,
+                acquired_at: now,
+                expires_at: expiresAt,
+            });
+            return token;
+        }
+        catch {
+            // Unique constraint violation — another node holds the lock
+            return null;
+        }
+    }
+    async releaseLock(lockId, lockToken) {
+        const knex = this.getKnex();
+        await knex('scheduler_locks').where('lock_id', lockId).where('lock_token', lockToken).del();
+    }
+    async renewLock(lockId, lockToken, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('lock_token', lockToken)
+            .update({ acquired_at: now, expires_at: expiresAt });
+        return updated > 0;
+    }
+    async flush() {
+        // No-op for server-based backends
+    }
+    // --- Message Trigger CRUD ---
+    async createTrigger(trigger) {
+        const knex = this.getKnex();
+        const newTrigger = {
+            ...trigger,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+        };
+        await knex('message_triggers').insert(toTriggerInsertRow(newTrigger));
+        logger_1.logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
+        return newTrigger;
+    }
+    async getTrigger(id) {
+        const knex = this.getKnex();
+        const row = await knex('message_triggers').where('id', id).first();
+        return row ? fromTriggerRow(row) : undefined;
+    }
+    async updateTrigger(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('message_triggers').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromTriggerRow(existing);
+        const updated = {
+            ...current,
+            ...patch,
+            id: current.id,
+            createdAt: current.createdAt,
+        };
+        const row = toTriggerInsertRow(updated);
+        delete row.id;
+        await knex('message_triggers').where('id', id).update(row);
+        return updated;
+    }
+    async deleteTrigger(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('message_triggers').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted trigger ${id}`);
+            return true;
+        }
+        return false;
+    }
+    async getTriggersByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers').where('creator_id', creatorId);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+    async getActiveTriggers() {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers')
+            .where('status', 'active')
+            .where('enabled', this.driver === 'mssql' ? 1 : true);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+}
+exports.KnexStoreBackend = KnexStoreBackend;
+
+
 /***/ }),
 
 /***/ 83864:
@@ -178026,6 +179830,35 @@ class OutputFormatters {
 exports.OutputFormatters = OutputFormatters;
 
 
+/***/ }),
+
+/***/ 93866:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.DefaultPolicyEngine = void 0;
+/**
+ * Default (no-op) policy engine — always allows everything.
+ * Used when no enterprise license is present or policy is disabled.
+ */
+class DefaultPolicyEngine {
+    async initialize(_config) { }
+    async evaluateCheckExecution(_checkId, _checkConfig) {
+        return { allowed: true };
+    }
+    async evaluateToolInvocation(_serverName, _methodName, _transport) {
+        return { allowed: true };
+    }
+    async evaluateCapabilities(_checkId, _capabilities) {
+        return { allowed: true };
+    }
+    async shutdown() { }
+}
+exports.DefaultPolicyEngine = DefaultPolicyEngine;
+
+
 /***/ }),
 
 /***/ 96611:
@@ -199642,7 +201475,7 @@ class StateMachineExecutionEngine {
             try {
                 logger_1.logger.debug(`[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`);
                 // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7065)));
+                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(87068)));
                 context.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
                 logger_1.logger.debug(`[PolicyEngine] Initialized: ${context.policyEngine?.constructor?.name || 'unknown'}`);
             }
@@ -209913,7 +211746,7 @@ async function initTelemetry(opts = {}) {
                 const path = __nccwpck_require__(16928);
                 const outDir = opts.file?.dir ||
                     process.env.VISOR_TRACE_DIR ||
-                    __nccwpck_require__.ab + "traces";
+                    path.join(process.cwd(), 'output', 'traces');
                 fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
                 process.env.VISOR_FALLBACK_TRACE_FILE = path.join(outDir, `run-${ts}.ndjson`);
@@ -210118,7 +211951,7 @@ async function shutdownTelemetry() {
             if (process.env.VISOR_TRACE_REPORT === 'true') {
                 const fs = __nccwpck_require__(79896);
                 const path = __nccwpck_require__(16928);
-                const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+                const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
                 if (!fs.existsSync(outDir))
                     fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
@@ -210617,7 +212450,7 @@ function __getOrCreateNdjsonPath() {
                 fs.mkdirSync(dir, { recursive: true });
             return __ndjsonPath;
         }
-        const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+        const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
         if (!fs.existsSync(outDir))
             fs.mkdirSync(outDir, { recursive: true });
         if (!__ndjsonPath) {
@@ -224571,22 +226404,6 @@ class WorkflowRegistry {
 exports.WorkflowRegistry = WorkflowRegistry;
 
 
-/***/ }),
-
-/***/ 7065:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/loader");
-
-
-/***/ }),
-
-/***/ 71370:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/policy/policy-input-builder");
-
-
 /***/ }),
 
 /***/ 18327:
@@ -260861,7 +262678,7 @@ var require_fxp = __commonJS({
       }, o: (t6, e6) => Object.prototype.hasOwnProperty.call(t6, e6), r: (t6) => {
         "undefined" != typeof Symbol && Symbol.toStringTag && Object.defineProperty(t6, Symbol.toStringTag, { value: "Module" }), Object.defineProperty(t6, "__esModule", { value: true });
       } }, e5 = {};
-      t5.r(e5), t5.d(e5, { XMLBuilder: () => dt, XMLParser: () => it, XMLValidator: () => gt });
+      t5.r(e5), t5.d(e5, { XMLBuilder: () => gt, XMLParser: () => it, XMLValidator: () => xt });
       const n5 = ":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD", i5 = new RegExp("^[" + n5 + "][" + n5 + "\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");
       function s5(t6, e6) {
         const n6 = [];
@@ -260883,90 +262700,90 @@ var require_fxp = __commonJS({
         const n6 = [];
         let i6 = false, s6 = false;
         "\uFEFF" === t6[0] && (t6 = t6.substr(1));
-        for (let o6 = 0; o6 < t6.length; o6++) if ("<" === t6[o6] && "?" === t6[o6 + 1]) {
-          if (o6 += 2, o6 = u5(t6, o6), o6.err) return o6;
+        for (let r6 = 0; r6 < t6.length; r6++) if ("<" === t6[r6] && "?" === t6[r6 + 1]) {
+          if (r6 += 2, r6 = u5(t6, r6), r6.err) return r6;
         } else {
-          if ("<" !== t6[o6]) {
-            if (l5(t6[o6])) continue;
-            return m5("InvalidChar", "char '" + t6[o6] + "' is not expected.", b5(t6, o6));
+          if ("<" !== t6[r6]) {
+            if (l5(t6[r6])) continue;
+            return m5("InvalidChar", "char '" + t6[r6] + "' is not expected.", N(t6, r6));
           }
           {
-            let a6 = o6;
-            if (o6++, "!" === t6[o6]) {
-              o6 = h5(t6, o6);
+            let o6 = r6;
+            if (r6++, "!" === t6[r6]) {
+              r6 = d5(t6, r6);
               continue;
             }
             {
-              let d6 = false;
-              "/" === t6[o6] && (d6 = true, o6++);
-              let p6 = "";
-              for (; o6 < t6.length && ">" !== t6[o6] && " " !== t6[o6] && "	" !== t6[o6] && "\n" !== t6[o6] && "\r" !== t6[o6]; o6++) p6 += t6[o6];
-              if (p6 = p6.trim(), "/" === p6[p6.length - 1] && (p6 = p6.substring(0, p6.length - 1), o6--), !r5(p6)) {
+              let a6 = false;
+              "/" === t6[r6] && (a6 = true, r6++);
+              let h6 = "";
+              for (; r6 < t6.length && ">" !== t6[r6] && " " !== t6[r6] && "	" !== t6[r6] && "\n" !== t6[r6] && "\r" !== t6[r6]; r6++) h6 += t6[r6];
+              if (h6 = h6.trim(), "/" === h6[h6.length - 1] && (h6 = h6.substring(0, h6.length - 1), r6--), !b5(h6)) {
                 let e7;
-                return e7 = 0 === p6.trim().length ? "Invalid space after '<'." : "Tag '" + p6 + "' is an invalid name.", m5("InvalidTag", e7, b5(t6, o6));
+                return e7 = 0 === h6.trim().length ? "Invalid space after '<'." : "Tag '" + h6 + "' is an invalid name.", m5("InvalidTag", e7, N(t6, r6));
               }
-              const c6 = f5(t6, o6);
-              if (false === c6) return m5("InvalidAttr", "Attributes for '" + p6 + "' have open quote.", b5(t6, o6));
-              let E3 = c6.value;
-              if (o6 = c6.index, "/" === E3[E3.length - 1]) {
-                const n7 = o6 - E3.length;
-                E3 = E3.substring(0, E3.length - 1);
-                const s7 = g5(E3, e6);
-                if (true !== s7) return m5(s7.err.code, s7.err.msg, b5(t6, n7 + s7.err.line));
+              const p6 = c5(t6, r6);
+              if (false === p6) return m5("InvalidAttr", "Attributes for '" + h6 + "' have open quote.", N(t6, r6));
+              let f6 = p6.value;
+              if (r6 = p6.index, "/" === f6[f6.length - 1]) {
+                const n7 = r6 - f6.length;
+                f6 = f6.substring(0, f6.length - 1);
+                const s7 = g5(f6, e6);
+                if (true !== s7) return m5(s7.err.code, s7.err.msg, N(t6, n7 + s7.err.line));
                 i6 = true;
-              } else if (d6) {
-                if (!c6.tagClosed) return m5("InvalidTag", "Closing tag '" + p6 + "' doesn't have proper closing.", b5(t6, o6));
-                if (E3.trim().length > 0) return m5("InvalidTag", "Closing tag '" + p6 + "' can't have attributes or invalid starting.", b5(t6, a6));
-                if (0 === n6.length) return m5("InvalidTag", "Closing tag '" + p6 + "' has not been opened.", b5(t6, a6));
+              } else if (a6) {
+                if (!p6.tagClosed) return m5("InvalidTag", "Closing tag '" + h6 + "' doesn't have proper closing.", N(t6, r6));
+                if (f6.trim().length > 0) return m5("InvalidTag", "Closing tag '" + h6 + "' can't have attributes or invalid starting.", N(t6, o6));
+                if (0 === n6.length) return m5("InvalidTag", "Closing tag '" + h6 + "' has not been opened.", N(t6, o6));
                 {
                   const e7 = n6.pop();
-                  if (p6 !== e7.tagName) {
-                    let n7 = b5(t6, e7.tagStartPos);
-                    return m5("InvalidTag", "Expected closing tag '" + e7.tagName + "' (opened in line " + n7.line + ", col " + n7.col + ") instead of closing tag '" + p6 + "'.", b5(t6, a6));
+                  if (h6 !== e7.tagName) {
+                    let n7 = N(t6, e7.tagStartPos);
+                    return m5("InvalidTag", "Expected closing tag '" + e7.tagName + "' (opened in line " + n7.line + ", col " + n7.col + ") instead of closing tag '" + h6 + "'.", N(t6, o6));
                   }
                   0 == n6.length && (s6 = true);
                 }
               } else {
-                const r6 = g5(E3, e6);
-                if (true !== r6) return m5(r6.err.code, r6.err.msg, b5(t6, o6 - E3.length + r6.err.line));
-                if (true === s6) return m5("InvalidXml", "Multiple possible root nodes found.", b5(t6, o6));
-                -1 !== e6.unpairedTags.indexOf(p6) || n6.push({ tagName: p6, tagStartPos: a6 }), i6 = true;
+                const a7 = g5(f6, e6);
+                if (true !== a7) return m5(a7.err.code, a7.err.msg, N(t6, r6 - f6.length + a7.err.line));
+                if (true === s6) return m5("InvalidXml", "Multiple possible root nodes found.", N(t6, r6));
+                -1 !== e6.unpairedTags.indexOf(h6) || n6.push({ tagName: h6, tagStartPos: o6 }), i6 = true;
               }
-              for (o6++; o6 < t6.length; o6++) if ("<" === t6[o6]) {
-                if ("!" === t6[o6 + 1]) {
-                  o6++, o6 = h5(t6, o6);
+              for (r6++; r6 < t6.length; r6++) if ("<" === t6[r6]) {
+                if ("!" === t6[r6 + 1]) {
+                  r6++, r6 = d5(t6, r6);
                   continue;
                 }
-                if ("?" !== t6[o6 + 1]) break;
-                if (o6 = u5(t6, ++o6), o6.err) return o6;
-              } else if ("&" === t6[o6]) {
-                const e7 = x5(t6, o6);
-                if (-1 == e7) return m5("InvalidChar", "char '&' is not expected.", b5(t6, o6));
-                o6 = e7;
-              } else if (true === s6 && !l5(t6[o6])) return m5("InvalidXml", "Extra text at the end", b5(t6, o6));
-              "<" === t6[o6] && o6--;
+                if ("?" !== t6[r6 + 1]) break;
+                if (r6 = u5(t6, ++r6), r6.err) return r6;
+              } else if ("&" === t6[r6]) {
+                const e7 = x5(t6, r6);
+                if (-1 == e7) return m5("InvalidChar", "char '&' is not expected.", N(t6, r6));
+                r6 = e7;
+              } else if (true === s6 && !l5(t6[r6])) return m5("InvalidXml", "Extra text at the end", N(t6, r6));
+              "<" === t6[r6] && r6--;
             }
           }
         }
-        return i6 ? 1 == n6.length ? m5("InvalidTag", "Unclosed tag '" + n6[0].tagName + "'.", b5(t6, n6[0].tagStartPos)) : !(n6.length > 0) || m5("InvalidXml", "Invalid '" + JSON.stringify(n6.map(((t7) => t7.tagName)), null, 4).replace(/\r?\n/g, "") + "' found.", { line: 1, col: 1 }) : m5("InvalidXml", "Start tag expected.", 1);
+        return i6 ? 1 == n6.length ? m5("InvalidTag", "Unclosed tag '" + n6[0].tagName + "'.", N(t6, n6[0].tagStartPos)) : !(n6.length > 0) || m5("InvalidXml", "Invalid '" + JSON.stringify(n6.map((t7) => t7.tagName), null, 4).replace(/\r?\n/g, "") + "' found.", { line: 1, col: 1 }) : m5("InvalidXml", "Start tag expected.", 1);
       }
       function l5(t6) {
         return " " === t6 || "	" === t6 || "\n" === t6 || "\r" === t6;
       }
       function u5(t6, e6) {
         const n6 = e6;
-        for (; e6 < t6.length; e6++) if ("?" != t6[e6] && " " != t6[e6]) ;
-        else {
+        for (; e6 < t6.length; e6++) if ("?" == t6[e6] || " " == t6[e6]) {
           const i6 = t6.substr(n6, e6 - n6);
-          if (e6 > 5 && "xml" === i6) return m5("InvalidXml", "XML declaration allowed only at the start of the document.", b5(t6, e6));
+          if (e6 > 5 && "xml" === i6) return m5("InvalidXml", "XML declaration allowed only at the start of the document.", N(t6, e6));
           if ("?" == t6[e6] && ">" == t6[e6 + 1]) {
             e6++;
             break;
           }
+          continue;
         }
         return e6;
       }
-      function h5(t6, e6) {
+      function d5(t6, e6) {
         if (t6.length > e6 + 5 && "-" === t6[e6 + 1] && "-" === t6[e6 + 2]) {
           for (e6 += 3; e6 < t6.length; e6++) if ("-" === t6[e6] && "-" === t6[e6 + 1] && ">" === t6[e6 + 2]) {
             e6 += 2;
@@ -260984,11 +262801,11 @@ var require_fxp = __commonJS({
         }
         return e6;
       }
-      const d5 = '"', p5 = "'";
-      function f5(t6, e6) {
+      const h5 = '"', p5 = "'";
+      function c5(t6, e6) {
         let n6 = "", i6 = "", s6 = false;
         for (; e6 < t6.length; e6++) {
-          if (t6[e6] === d5 || t6[e6] === p5) "" === i6 ? i6 = t6[e6] : i6 !== t6[e6] || (i6 = "");
+          if (t6[e6] === h5 || t6[e6] === p5) "" === i6 ? i6 = t6[e6] : i6 !== t6[e6] || (i6 = "");
           else if (">" === t6[e6] && "" === i6) {
             s6 = true;
             break;
@@ -260997,16 +262814,16 @@ var require_fxp = __commonJS({
         }
         return "" === i6 && { value: n6, index: e6, tagClosed: s6 };
       }
-      const c5 = new RegExp(`(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['"])(([\\s\\S])*?)\\5)?`, "g");
+      const f5 = new RegExp(`(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['"])(([\\s\\S])*?)\\5)?`, "g");
       function g5(t6, e6) {
-        const n6 = s5(t6, c5), i6 = {};
+        const n6 = s5(t6, f5), i6 = {};
         for (let t7 = 0; t7 < n6.length; t7++) {
-          if (0 === n6[t7][1].length) return m5("InvalidAttr", "Attribute '" + n6[t7][2] + "' has no space in starting.", N(n6[t7]));
-          if (void 0 !== n6[t7][3] && void 0 === n6[t7][4]) return m5("InvalidAttr", "Attribute '" + n6[t7][2] + "' is without value.", N(n6[t7]));
-          if (void 0 === n6[t7][3] && !e6.allowBooleanAttributes) return m5("InvalidAttr", "boolean attribute '" + n6[t7][2] + "' is not allowed.", N(n6[t7]));
+          if (0 === n6[t7][1].length) return m5("InvalidAttr", "Attribute '" + n6[t7][2] + "' has no space in starting.", y2(n6[t7]));
+          if (void 0 !== n6[t7][3] && void 0 === n6[t7][4]) return m5("InvalidAttr", "Attribute '" + n6[t7][2] + "' is without value.", y2(n6[t7]));
+          if (void 0 === n6[t7][3] && !e6.allowBooleanAttributes) return m5("InvalidAttr", "boolean attribute '" + n6[t7][2] + "' is not allowed.", y2(n6[t7]));
           const s6 = n6[t7][2];
-          if (!E2(s6)) return m5("InvalidAttr", "Attribute '" + s6 + "' is an invalid name.", N(n6[t7]));
-          if (i6.hasOwnProperty(s6)) return m5("InvalidAttr", "Attribute '" + s6 + "' is repeated.", N(n6[t7]));
+          if (!E2(s6)) return m5("InvalidAttr", "Attribute '" + s6 + "' is an invalid name.", y2(n6[t7]));
+          if (Object.prototype.hasOwnProperty.call(i6, s6)) return m5("InvalidAttr", "Attribute '" + s6 + "' is repeated.", y2(n6[t7]));
           i6[s6] = 1;
         }
         return true;
@@ -261034,49 +262851,52 @@ var require_fxp = __commonJS({
       function E2(t6) {
         return r5(t6);
       }
-      function b5(t6, e6) {
+      function b5(t6) {
+        return r5(t6);
+      }
+      function N(t6, e6) {
         const n6 = t6.substring(0, e6).split(/\r?\n/);
         return { line: n6.length, col: n6[n6.length - 1].length + 1 };
       }
-      function N(t6) {
+      function y2(t6) {
         return t6.startIndex + t6[1].length;
       }
-      const y2 = { preserveOrder: false, attributeNamePrefix: "@_", attributesGroupName: false, textNodeName: "#text", ignoreAttributes: true, removeNSPrefix: false, allowBooleanAttributes: false, parseTagValue: true, parseAttributeValue: false, trimValues: true, cdataPropName: false, numberParseOptions: { hex: true, leadingZeros: true, eNotation: true }, tagValueProcessor: function(t6, e6) {
+      const T = { preserveOrder: false, attributeNamePrefix: "@_", attributesGroupName: false, textNodeName: "#text", ignoreAttributes: true, removeNSPrefix: false, allowBooleanAttributes: false, parseTagValue: true, parseAttributeValue: false, trimValues: true, cdataPropName: false, numberParseOptions: { hex: true, leadingZeros: true, eNotation: true }, tagValueProcessor: function(t6, e6) {
         return e6;
       }, attributeValueProcessor: function(t6, e6) {
         return e6;
       }, stopNodes: [], alwaysCreateTextNode: false, isArray: () => false, commentPropName: false, unpairedTags: [], processEntities: true, htmlEntities: false, ignoreDeclaration: false, ignorePiTags: false, transformTagName: false, transformAttributeName: false, updateTag: function(t6, e6, n6) {
         return t6;
-      }, captureMetaData: false };
-      function T(t6) {
-        return "boolean" == typeof t6 ? { enabled: t6, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, allowedTags: null, tagFilter: null } : "object" == typeof t6 && null !== t6 ? { enabled: false !== t6.enabled, maxEntitySize: t6.maxEntitySize ?? 1e4, maxExpansionDepth: t6.maxExpansionDepth ?? 10, maxTotalExpansions: t6.maxTotalExpansions ?? 1e3, maxExpandedLength: t6.maxExpandedLength ?? 1e5, allowedTags: t6.allowedTags ?? null, tagFilter: t6.tagFilter ?? null } : T(true);
+      }, captureMetaData: false, maxNestedTags: 100, strictReservedNames: true };
+      function w5(t6) {
+        return "boolean" == typeof t6 ? { enabled: t6, maxEntitySize: 1e4, maxExpansionDepth: 10, maxTotalExpansions: 1e3, maxExpandedLength: 1e5, allowedTags: null, tagFilter: null } : "object" == typeof t6 && null !== t6 ? { enabled: false !== t6.enabled, maxEntitySize: t6.maxEntitySize ?? 1e4, maxExpansionDepth: t6.maxExpansionDepth ?? 10, maxTotalExpansions: t6.maxTotalExpansions ?? 1e3, maxExpandedLength: t6.maxExpandedLength ?? 1e5, allowedTags: t6.allowedTags ?? null, tagFilter: t6.tagFilter ?? null } : w5(true);
       }
-      const w5 = function(t6) {
-        const e6 = Object.assign({}, y2, t6);
-        return e6.processEntities = T(e6.processEntities), e6;
+      const v5 = function(t6) {
+        const e6 = Object.assign({}, T, t6);
+        return e6.processEntities = w5(e6.processEntities), e6;
       };
-      let v5;
-      v5 = "function" != typeof Symbol ? "@@xmlMetadata" : Symbol("XML Node Metadata");
+      let O;
+      O = "function" != typeof Symbol ? "@@xmlMetadata" : Symbol("XML Node Metadata");
       class I2 {
         constructor(t6) {
-          this.tagname = t6, this.child = [], this[":@"] = {};
+          this.tagname = t6, this.child = [], this[":@"] = /* @__PURE__ */ Object.create(null);
         }
         add(t6, e6) {
           "__proto__" === t6 && (t6 = "#__proto__"), this.child.push({ [t6]: e6 });
         }
         addChild(t6, e6) {
-          "__proto__" === t6.tagname && (t6.tagname = "#__proto__"), t6[":@"] && Object.keys(t6[":@"]).length > 0 ? this.child.push({ [t6.tagname]: t6.child, ":@": t6[":@"] }) : this.child.push({ [t6.tagname]: t6.child }), void 0 !== e6 && (this.child[this.child.length - 1][v5] = { startIndex: e6 });
+          "__proto__" === t6.tagname && (t6.tagname = "#__proto__"), t6[":@"] && Object.keys(t6[":@"]).length > 0 ? this.child.push({ [t6.tagname]: t6.child, ":@": t6[":@"] }) : this.child.push({ [t6.tagname]: t6.child }), void 0 !== e6 && (this.child[this.child.length - 1][O] = { startIndex: e6 });
         }
         static getMetaDataSymbol() {
-          return v5;
+          return O;
         }
       }
-      class O {
+      class P {
         constructor(t6) {
           this.suppressValidationErr = !t6, this.options = t6;
         }
         readDocType(t6, e6) {
-          const n6 = {};
+          const n6 = /* @__PURE__ */ Object.create(null);
           if ("O" !== t6[e6 + 3] || "C" !== t6[e6 + 4] || "T" !== t6[e6 + 5] || "Y" !== t6[e6 + 6] || "P" !== t6[e6 + 7] || "E" !== t6[e6 + 8]) throw new Error("Invalid Tag instead of DOCTYPE");
           {
             e6 += 9;
@@ -261085,23 +262905,23 @@ var require_fxp = __commonJS({
               if (r6 ? "-" === t6[e6 - 1] && "-" === t6[e6 - 2] && (r6 = false, i6--) : i6--, 0 === i6) break;
             } else "[" === t6[e6] ? s6 = true : o6 += t6[e6];
             else {
-              if (s6 && A2(t6, "!ENTITY", e6)) {
+              if (s6 && S(t6, "!ENTITY", e6)) {
                 let i7, s7;
                 if (e6 += 7, [i7, s7, e6] = this.readEntityExp(t6, e6 + 1, this.suppressValidationErr), -1 === s7.indexOf("&")) {
                   const t7 = i7.replace(/[.\-+*:]/g, "\\.");
                   n6[i7] = { regx: RegExp(`&${t7};`, "g"), val: s7 };
                 }
-              } else if (s6 && A2(t6, "!ELEMENT", e6)) {
+              } else if (s6 && S(t6, "!ELEMENT", e6)) {
                 e6 += 8;
                 const { index: n7 } = this.readElementExp(t6, e6 + 1);
                 e6 = n7;
-              } else if (s6 && A2(t6, "!ATTLIST", e6)) e6 += 8;
-              else if (s6 && A2(t6, "!NOTATION", e6)) {
+              } else if (s6 && S(t6, "!ATTLIST", e6)) e6 += 8;
+              else if (s6 && S(t6, "!NOTATION", e6)) {
                 e6 += 9;
                 const { index: n7 } = this.readNotationExp(t6, e6 + 1, this.suppressValidationErr);
                 e6 = n7;
               } else {
-                if (!A2(t6, "!--", e6)) throw new Error("Invalid DOCTYPE");
+                if (!S(t6, "!--", e6)) throw new Error("Invalid DOCTYPE");
                 r6 = true;
               }
               i6++, o6 = "";
@@ -261111,10 +262931,10 @@ var require_fxp = __commonJS({
           return { entities: n6, i: e6 };
         }
         readEntityExp(t6, e6) {
-          e6 = P(t6, e6);
+          e6 = A2(t6, e6);
           let n6 = "";
           for (; e6 < t6.length && !/\s/.test(t6[e6]) && '"' !== t6[e6] && "'" !== t6[e6]; ) n6 += t6[e6], e6++;
-          if (S(n6), e6 = P(t6, e6), !this.suppressValidationErr) {
+          if (C2(n6), e6 = A2(t6, e6), !this.suppressValidationErr) {
             if ("SYSTEM" === t6.substring(e6, e6 + 6).toUpperCase()) throw new Error("External entities are not supported");
             if ("%" === t6[e6]) throw new Error("Parameter entities are not supported");
           }
@@ -261123,15 +262943,15 @@ var require_fxp = __commonJS({
           return [n6, i6, --e6];
         }
         readNotationExp(t6, e6) {
-          e6 = P(t6, e6);
+          e6 = A2(t6, e6);
           let n6 = "";
           for (; e6 < t6.length && !/\s/.test(t6[e6]); ) n6 += t6[e6], e6++;
-          !this.suppressValidationErr && S(n6), e6 = P(t6, e6);
+          !this.suppressValidationErr && C2(n6), e6 = A2(t6, e6);
           const i6 = t6.substring(e6, e6 + 6).toUpperCase();
           if (!this.suppressValidationErr && "SYSTEM" !== i6 && "PUBLIC" !== i6) throw new Error(`Expected SYSTEM or PUBLIC, found "${i6}"`);
-          e6 += i6.length, e6 = P(t6, e6);
+          e6 += i6.length, e6 = A2(t6, e6);
           let s6 = null, r6 = null;
-          if ("PUBLIC" === i6) [e6, s6] = this.readIdentifierVal(t6, e6, "publicIdentifier"), '"' !== t6[e6 = P(t6, e6)] && "'" !== t6[e6] || ([e6, r6] = this.readIdentifierVal(t6, e6, "systemIdentifier"));
+          if ("PUBLIC" === i6) [e6, s6] = this.readIdentifierVal(t6, e6, "publicIdentifier"), '"' !== t6[e6 = A2(t6, e6)] && "'" !== t6[e6] || ([e6, r6] = this.readIdentifierVal(t6, e6, "systemIdentifier"));
           else if ("SYSTEM" === i6 && ([e6, r6] = this.readIdentifierVal(t6, e6, "systemIdentifier"), !this.suppressValidationErr && !r6)) throw new Error("Missing mandatory system identifier for SYSTEM notation");
           return { notationName: n6, publicIdentifier: s6, systemIdentifier: r6, index: --e6 };
         }
@@ -261144,13 +262964,13 @@ var require_fxp = __commonJS({
           return [++e6, i6];
         }
         readElementExp(t6, e6) {
-          e6 = P(t6, e6);
+          e6 = A2(t6, e6);
           let n6 = "";
           for (; e6 < t6.length && !/\s/.test(t6[e6]); ) n6 += t6[e6], e6++;
           if (!this.suppressValidationErr && !r5(n6)) throw new Error(`Invalid element name: "${n6}"`);
           let i6 = "";
-          if ("E" === t6[e6 = P(t6, e6)] && A2(t6, "MPTY", e6)) e6 += 4;
-          else if ("A" === t6[e6] && A2(t6, "NY", e6)) e6 += 2;
+          if ("E" === t6[e6 = A2(t6, e6)] && S(t6, "MPTY", e6)) e6 += 4;
+          else if ("A" === t6[e6] && S(t6, "NY", e6)) e6 += 2;
           else if ("(" === t6[e6]) {
             for (e6++; e6 < t6.length && ")" !== t6[e6]; ) i6 += t6[e6], e6++;
             if (")" !== t6[e6]) throw new Error("Unterminated content model");
@@ -261158,24 +262978,24 @@ var require_fxp = __commonJS({
           return { elementName: n6, contentModel: i6.trim(), index: e6 };
         }
         readAttlistExp(t6, e6) {
-          e6 = P(t6, e6);
+          e6 = A2(t6, e6);
           let n6 = "";
           for (; e6 < t6.length && !/\s/.test(t6[e6]); ) n6 += t6[e6], e6++;
-          S(n6), e6 = P(t6, e6);
+          C2(n6), e6 = A2(t6, e6);
           let i6 = "";
           for (; e6 < t6.length && !/\s/.test(t6[e6]); ) i6 += t6[e6], e6++;
-          if (!S(i6)) throw new Error(`Invalid attribute name: "${i6}"`);
-          e6 = P(t6, e6);
+          if (!C2(i6)) throw new Error(`Invalid attribute name: "${i6}"`);
+          e6 = A2(t6, e6);
           let s6 = "";
           if ("NOTATION" === t6.substring(e6, e6 + 8).toUpperCase()) {
-            if (s6 = "NOTATION", "(" !== t6[e6 = P(t6, e6 += 8)]) throw new Error(`Expected '(', found "${t6[e6]}"`);
+            if (s6 = "NOTATION", "(" !== t6[e6 = A2(t6, e6 += 8)]) throw new Error(`Expected '(', found "${t6[e6]}"`);
             e6++;
             let n7 = [];
             for (; e6 < t6.length && ")" !== t6[e6]; ) {
               let i7 = "";
               for (; e6 < t6.length && "|" !== t6[e6] && ")" !== t6[e6]; ) i7 += t6[e6], e6++;
-              if (i7 = i7.trim(), !S(i7)) throw new Error(`Invalid notation name: "${i7}"`);
-              n7.push(i7), "|" === t6[e6] && (e6++, e6 = P(t6, e6));
+              if (i7 = i7.trim(), !C2(i7)) throw new Error(`Invalid notation name: "${i7}"`);
+              n7.push(i7), "|" === t6[e6] && (e6++, e6 = A2(t6, e6));
             }
             if (")" !== t6[e6]) throw new Error("Unterminated list of notations");
             e6++, s6 += " (" + n7.join("|") + ")";
@@ -261184,45 +263004,43 @@ var require_fxp = __commonJS({
             const n7 = ["CDATA", "ID", "IDREF", "IDREFS", "ENTITY", "ENTITIES", "NMTOKEN", "NMTOKENS"];
             if (!this.suppressValidationErr && !n7.includes(s6.toUpperCase())) throw new Error(`Invalid attribute type: "${s6}"`);
           }
-          e6 = P(t6, e6);
+          e6 = A2(t6, e6);
           let r6 = "";
           return "#REQUIRED" === t6.substring(e6, e6 + 8).toUpperCase() ? (r6 = "#REQUIRED", e6 += 8) : "#IMPLIED" === t6.substring(e6, e6 + 7).toUpperCase() ? (r6 = "#IMPLIED", e6 += 7) : [e6, r6] = this.readIdentifierVal(t6, e6, "ATTLIST"), { elementName: n6, attributeName: i6, attributeType: s6, defaultValue: r6, index: e6 };
         }
       }
-      const P = (t6, e6) => {
+      const A2 = (t6, e6) => {
         for (; e6 < t6.length && /\s/.test(t6[e6]); ) e6++;
         return e6;
       };
-      function A2(t6, e6, n6) {
+      function S(t6, e6, n6) {
         for (let i6 = 0; i6 < e6.length; i6++) if (e6[i6] !== t6[n6 + i6 + 1]) return false;
         return true;
       }
-      function S(t6) {
+      function C2(t6) {
         if (r5(t6)) return t6;
         throw new Error(`Invalid entity name ${t6}`);
       }
-      const C2 = /^[-+]?0x[a-fA-F0-9]+$/, $ = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, V = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true };
-      const D2 = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
-      function L(t6) {
-        return "function" == typeof t6 ? t6 : Array.isArray(t6) ? (e6) => {
-          for (const n6 of t6) {
-            if ("string" == typeof n6 && e6 === n6) return true;
-            if (n6 instanceof RegExp && n6.test(e6)) return true;
-          }
-        } : () => false;
-      }
-      class F2 {
+      const $ = /^[-+]?0x[a-fA-F0-9]+$/, V = /^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/, D2 = { hex: true, leadingZeros: true, decimalPoint: ".", eNotation: true };
+      const j5 = /^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;
+      class L {
         constructor(t6) {
-          if (this.options = t6, this.currentNode = null, this.tagsNodeStack = [], this.docTypeEntities = {}, this.lastEntities = { apos: { regex: /&(apos|#39|#x27);/g, val: "'" }, gt: { regex: /&(gt|#62|#x3E);/g, val: ">" }, lt: { regex: /&(lt|#60|#x3C);/g, val: "<" }, quot: { regex: /&(quot|#34|#x22);/g, val: '"' } }, this.ampEntity = { regex: /&(amp|#38|#x26);/g, val: "&" }, this.htmlEntities = { space: { regex: /&(nbsp|#160);/g, val: " " }, cent: { regex: /&(cent|#162);/g, val: "\xA2" }, pound: { regex: /&(pound|#163);/g, val: "\xA3" }, yen: { regex: /&(yen|#165);/g, val: "\xA5" }, euro: { regex: /&(euro|#8364);/g, val: "\u20AC" }, copyright: { regex: /&(copy|#169);/g, val: "\xA9" }, reg: { regex: /&(reg|#174);/g, val: "\xAE" }, inr: { regex: /&(inr|#8377);/g, val: "\u20B9" }, num_dec: { regex: /&#([0-9]{1,7});/g, val: (t7, e6) => K(e6, 10, "&#") }, num_hex: { regex: /&#x([0-9a-fA-F]{1,6});/g, val: (t7, e6) => K(e6, 16, "&#x") } }, this.addExternalEntities = j5, this.parseXml = B2, this.parseTextData = M, this.resolveNameSpace = _, this.buildAttributesMap = U, this.isItStopNode = X, this.replaceEntitiesValue = Y, this.readStopNodeData = q5, this.saveTextToParentTag = G2, this.addChild = R, this.ignoreAttributesFn = L(this.options.ignoreAttributes), this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.options.stopNodes && this.options.stopNodes.length > 0) {
+          var e6;
+          if (this.options = t6, this.currentNode = null, this.tagsNodeStack = [], this.docTypeEntities = {}, this.lastEntities = { apos: { regex: /&(apos|#39|#x27);/g, val: "'" }, gt: { regex: /&(gt|#62|#x3E);/g, val: ">" }, lt: { regex: /&(lt|#60|#x3C);/g, val: "<" }, quot: { regex: /&(quot|#34|#x22);/g, val: '"' } }, this.ampEntity = { regex: /&(amp|#38|#x26);/g, val: "&" }, this.htmlEntities = { space: { regex: /&(nbsp|#160);/g, val: " " }, cent: { regex: /&(cent|#162);/g, val: "\xA2" }, pound: { regex: /&(pound|#163);/g, val: "\xA3" }, yen: { regex: /&(yen|#165);/g, val: "\xA5" }, euro: { regex: /&(euro|#8364);/g, val: "\u20AC" }, copyright: { regex: /&(copy|#169);/g, val: "\xA9" }, reg: { regex: /&(reg|#174);/g, val: "\xAE" }, inr: { regex: /&(inr|#8377);/g, val: "\u20B9" }, num_dec: { regex: /&#([0-9]{1,7});/g, val: (t7, e7) => K(e7, 10, "&#") }, num_hex: { regex: /&#x([0-9a-fA-F]{1,6});/g, val: (t7, e7) => K(e7, 16, "&#x") } }, this.addExternalEntities = F2, this.parseXml = R, this.parseTextData = M, this.resolveNameSpace = k5, this.buildAttributesMap = U, this.isItStopNode = X, this.replaceEntitiesValue = Y, this.readStopNodeData = q5, this.saveTextToParentTag = G2, this.addChild = B2, this.ignoreAttributesFn = "function" == typeof (e6 = this.options.ignoreAttributes) ? e6 : Array.isArray(e6) ? (t7) => {
+            for (const n6 of e6) {
+              if ("string" == typeof n6 && t7 === n6) return true;
+              if (n6 instanceof RegExp && n6.test(t7)) return true;
+            }
+          } : () => false, this.entityExpansionCount = 0, this.currentExpandedLength = 0, this.options.stopNodes && this.options.stopNodes.length > 0) {
             this.stopNodesExact = /* @__PURE__ */ new Set(), this.stopNodesWildcard = /* @__PURE__ */ new Set();
             for (let t7 = 0; t7 < this.options.stopNodes.length; t7++) {
-              const e6 = this.options.stopNodes[t7];
-              "string" == typeof e6 && (e6.startsWith("*.") ? this.stopNodesWildcard.add(e6.substring(2)) : this.stopNodesExact.add(e6));
+              const e7 = this.options.stopNodes[t7];
+              "string" == typeof e7 && (e7.startsWith("*.") ? this.stopNodesWildcard.add(e7.substring(2)) : this.stopNodesExact.add(e7));
             }
           }
         }
       }
-      function j5(t6) {
+      function F2(t6) {
         const e6 = Object.keys(t6);
         for (let n6 = 0; n6 < e6.length; n6++) {
           const i6 = e6[n6], s6 = i6.replace(/[.\-+*:]/g, "\\.");
@@ -261236,7 +263054,7 @@ var require_fxp = __commonJS({
           return null == i7 ? t6 : typeof i7 != typeof t6 || i7 !== t6 ? i7 : this.options.trimValues || t6.trim() === t6 ? Z(t6, this.options.parseTagValue, this.options.numberParseOptions) : t6;
         }
       }
-      function _(t6) {
+      function k5(t6) {
         if (this.options.removeNSPrefix) {
           const e6 = t6.split(":"), n6 = "/" === t6.charAt(0) ? "/" : "";
           if ("xmlns" === e6[0]) return "";
@@ -261244,10 +263062,10 @@ var require_fxp = __commonJS({
         }
         return t6;
       }
-      const k5 = new RegExp(`([^\\s=]+)\\s*(=\\s*(['"])([\\s\\S]*?)\\3)?`, "gm");
+      const _ = new RegExp(`([^\\s=]+)\\s*(=\\s*(['"])([\\s\\S]*?)\\3)?`, "gm");
       function U(t6, e6, n6) {
         if (true !== this.options.ignoreAttributes && "string" == typeof t6) {
-          const i6 = s5(t6, k5), r6 = i6.length, o6 = {};
+          const i6 = s5(t6, _), r6 = i6.length, o6 = {};
           for (let t7 = 0; t7 < r6; t7++) {
             const s6 = this.resolveNameSpace(i6[t7][1]);
             if (this.ignoreAttributesFn(s6, e6)) continue;
@@ -261266,12 +263084,12 @@ var require_fxp = __commonJS({
           return o6;
         }
       }
-      const B2 = function(t6) {
+      const R = function(t6) {
         t6 = t6.replace(/\r\n?/g, "\n");
         const e6 = new I2("!xml");
         let n6 = e6, i6 = "", s6 = "";
         this.entityExpansionCount = 0, this.currentExpandedLength = 0;
-        const r6 = new O(this.options.processEntities);
+        const r6 = new P(this.options.processEntities);
         for (let o6 = 0; o6 < t6.length; o6++) if ("<" === t6[o6]) if ("/" === t6[o6 + 1]) {
           const e7 = z2(t6, ">", o6, "Closing Tag is not closed.");
           let r7 = t6.substring(o6 + 2, e7).trim();
@@ -261311,26 +263129,27 @@ var require_fxp = __commonJS({
         } else {
           let r7 = W(t6, o6, this.options.removeNSPrefix), a6 = r7.tagName;
           const l6 = r7.rawTagName;
-          let u6 = r7.tagExp, h6 = r7.attrExpPresent, d6 = r7.closeIndex;
+          let u6 = r7.tagExp, d6 = r7.attrExpPresent, h6 = r7.closeIndex;
           if (this.options.transformTagName) {
             const t7 = this.options.transformTagName(a6);
             u6 === a6 && (u6 = t7), a6 = t7;
           }
+          if (this.options.strictReservedNames && (a6 === this.options.commentPropName || a6 === this.options.cdataPropName)) throw new Error(`Invalid tag name: ${a6}`);
           n6 && i6 && "!xml" !== n6.tagname && (i6 = this.saveTextToParentTag(i6, n6, s6, false));
           const p6 = n6;
           p6 && -1 !== this.options.unpairedTags.indexOf(p6.tagname) && (n6 = this.tagsNodeStack.pop(), s6 = s6.substring(0, s6.lastIndexOf("."))), a6 !== e6.tagname && (s6 += s6 ? "." + a6 : a6);
-          const f6 = o6;
+          const c6 = o6;
           if (this.isItStopNode(this.stopNodesExact, this.stopNodesWildcard, s6, a6)) {
             let e7 = "";
             if (u6.length > 0 && u6.lastIndexOf("/") === u6.length - 1) "/" === a6[a6.length - 1] ? (a6 = a6.substr(0, a6.length - 1), s6 = s6.substr(0, s6.length - 1), u6 = a6) : u6 = u6.substr(0, u6.length - 1), o6 = r7.closeIndex;
             else if (-1 !== this.options.unpairedTags.indexOf(a6)) o6 = r7.closeIndex;
             else {
-              const n7 = this.readStopNodeData(t6, l6, d6 + 1);
+              const n7 = this.readStopNodeData(t6, l6, h6 + 1);
               if (!n7) throw new Error(`Unexpected end of ${l6}`);
               o6 = n7.i, e7 = n7.tagContent;
             }
             const i7 = new I2(a6);
-            a6 !== u6 && h6 && (i7[":@"] = this.buildAttributesMap(u6, s6, a6)), e7 && (e7 = this.parseTextData(e7, a6, s6, true, h6, true, true)), s6 = s6.substr(0, s6.lastIndexOf(".")), i7.add(this.options.textNodeName, e7), this.addChild(n6, i7, s6, f6);
+            a6 !== u6 && d6 && (i7[":@"] = this.buildAttributesMap(u6, s6, a6)), e7 && (e7 = this.parseTextData(e7, a6, s6, true, d6, true, true)), s6 = s6.substr(0, s6.lastIndexOf(".")), i7.add(this.options.textNodeName, e7), this.addChild(n6, i7, s6, c6);
           } else {
             if (u6.length > 0 && u6.lastIndexOf("/") === u6.length - 1) {
               if ("/" === a6[a6.length - 1] ? (a6 = a6.substr(0, a6.length - 1), s6 = s6.substr(0, s6.length - 1), u6 = a6) : u6 = u6.substr(0, u6.length - 1), this.options.transformTagName) {
@@ -261338,18 +263157,26 @@ var require_fxp = __commonJS({
                 u6 === a6 && (u6 = t8), a6 = t8;
               }
               const t7 = new I2(a6);
-              a6 !== u6 && h6 && (t7[":@"] = this.buildAttributesMap(u6, s6, a6)), this.addChild(n6, t7, s6, f6), s6 = s6.substr(0, s6.lastIndexOf("."));
+              a6 !== u6 && d6 && (t7[":@"] = this.buildAttributesMap(u6, s6, a6)), this.addChild(n6, t7, s6, c6), s6 = s6.substr(0, s6.lastIndexOf("."));
             } else {
-              const t7 = new I2(a6);
-              this.tagsNodeStack.push(n6), a6 !== u6 && h6 && (t7[":@"] = this.buildAttributesMap(u6, s6, a6)), this.addChild(n6, t7, s6, f6), n6 = t7;
+              if (-1 !== this.options.unpairedTags.indexOf(a6)) {
+                const t7 = new I2(a6);
+                a6 !== u6 && d6 && (t7[":@"] = this.buildAttributesMap(u6, s6)), this.addChild(n6, t7, s6, c6), s6 = s6.substr(0, s6.lastIndexOf(".")), o6 = r7.closeIndex;
+                continue;
+              }
+              {
+                const t7 = new I2(a6);
+                if (this.tagsNodeStack.length > this.options.maxNestedTags) throw new Error("Maximum nested tags exceeded");
+                this.tagsNodeStack.push(n6), a6 !== u6 && d6 && (t7[":@"] = this.buildAttributesMap(u6, s6, a6)), this.addChild(n6, t7, s6, c6), n6 = t7;
+              }
             }
-            i6 = "", o6 = d6;
+            i6 = "", o6 = h6;
           }
         }
         else i6 += t6[o6];
         return e6.child;
       };
-      function R(t6, e6, n6, i6) {
+      function B2(t6, e6, n6, i6) {
         this.options.captureMetaData || (i6 = void 0);
         const s6 = this.options.updateTag(e6.tagname, n6, e6[":@"]);
         false === s6 || ("string" == typeof s6 ? (e6.tagname = s6, t6.addChild(e6, i6)) : t6.addChild(e6, i6));
@@ -261410,12 +263237,12 @@ var require_fxp = __commonJS({
         const o6 = s6.index, a6 = r6.search(/\s/);
         let l6 = r6, u6 = true;
         -1 !== a6 && (l6 = r6.substring(0, a6), r6 = r6.substring(a6 + 1).trimStart());
-        const h6 = l6;
+        const d6 = l6;
         if (n6) {
           const t7 = l6.indexOf(":");
           -1 !== t7 && (l6 = l6.substr(t7 + 1), u6 = l6 !== s6.data.substr(t7 + 1));
         }
-        return { tagName: l6, tagExp: r6, closeIndex: o6, attrExpPresent: u6, rawTagName: h6 };
+        return { tagName: l6, tagExp: r6, closeIndex: o6, attrExpPresent: u6, rawTagName: d6 };
       }
       function q5(t6, e6, n6) {
         const i6 = n6;
@@ -261436,19 +263263,19 @@ var require_fxp = __commonJS({
         if (e6 && "string" == typeof t6) {
           const e7 = t6.trim();
           return "true" === e7 || "false" !== e7 && (function(t7, e8 = {}) {
-            if (e8 = Object.assign({}, V, e8), !t7 || "string" != typeof t7) return t7;
+            if (e8 = Object.assign({}, D2, e8), !t7 || "string" != typeof t7) return t7;
             let n7 = t7.trim();
             if (void 0 !== e8.skipLike && e8.skipLike.test(n7)) return t7;
             if ("0" === t7) return 0;
-            if (e8.hex && C2.test(n7)) return (function(t8) {
+            if (e8.hex && $.test(n7)) return (function(t8) {
               if (parseInt) return parseInt(t8, 16);
               if (Number.parseInt) return Number.parseInt(t8, 16);
               if (window && window.parseInt) return window.parseInt(t8, 16);
               throw new Error("parseInt, Number.parseInt, window.parseInt are not supported");
             })(n7);
-            if (-1 !== n7.search(/.+[eE].+/)) return (function(t8, e9, n8) {
+            if (n7.includes("e") || n7.includes("E")) return (function(t8, e9, n8) {
               if (!n8.eNotation) return t8;
-              const i7 = e9.match(D2);
+              const i7 = e9.match(j5);
               if (i7) {
                 let s6 = i7[1] || "";
                 const r6 = -1 === i7[3].indexOf("e") ? "E" : "e", o6 = i7[2], a6 = s6 ? t8[o6.length + 1] === r6 : t8[o6.length] === r6;
@@ -261457,7 +263284,7 @@ var require_fxp = __commonJS({
               return t8;
             })(t7, n7, e8);
             {
-              const s6 = $.exec(n7);
+              const s6 = V.exec(n7);
               if (s6) {
                 const r6 = s6[1] || "", o6 = s6[2];
                 let a6 = (i6 = s6[3]) && -1 !== i6.indexOf(".") ? ("." === (i6 = i6.replace(/0+$/, "")) ? i6 = "0" : "." === i6[0] ? i6 = "0" + i6 : "." === i6[i6.length - 1] && (i6 = i6.substring(0, i6.length - 1)), i6) : i6;
@@ -261465,7 +263292,7 @@ var require_fxp = __commonJS({
                 if (!e8.leadingZeros && (o6.length > 1 || 1 === o6.length && !l6)) return t7;
                 {
                   const i7 = Number(n7), s7 = String(i7);
-                  if (0 === i7 || -0 === i7) return i7;
+                  if (0 === i7) return i7;
                   if (-1 !== s7.search(/[eE]/)) return e8.eNotation ? i7 : t7;
                   if (-1 !== n7.indexOf(".")) return "0" === s7 || s7 === a6 || s7 === `${r6}${a6}` ? i7 : t7;
                   let l7 = o6 ? a6 : n7;
@@ -261499,7 +263326,7 @@ var require_fxp = __commonJS({
             if (o6[a6]) {
               let t7 = H2(o6[a6], e6, l6);
               const n7 = nt(t7, e6);
-              void 0 !== o6[Q] && (t7[Q] = o6[Q]), o6[":@"] ? et(t7, o6[":@"], l6, e6) : 1 !== Object.keys(t7).length || void 0 === t7[e6.textNodeName] || e6.alwaysCreateTextNode ? 0 === Object.keys(t7).length && (e6.alwaysCreateTextNode ? t7[e6.textNodeName] = "" : t7 = "") : t7 = t7[e6.textNodeName], void 0 !== s6[a6] && s6.hasOwnProperty(a6) ? (Array.isArray(s6[a6]) || (s6[a6] = [s6[a6]]), s6[a6].push(t7)) : e6.isArray(a6, l6, n7) ? s6[a6] = [t7] : s6[a6] = t7;
+              o6[":@"] ? et(t7, o6[":@"], l6, e6) : 1 !== Object.keys(t7).length || void 0 === t7[e6.textNodeName] || e6.alwaysCreateTextNode ? 0 === Object.keys(t7).length && (e6.alwaysCreateTextNode ? t7[e6.textNodeName] = "" : t7 = "") : t7 = t7[e6.textNodeName], void 0 !== o6[Q] && "object" == typeof t7 && null !== t7 && (t7[Q] = o6[Q]), void 0 !== s6[a6] && Object.prototype.hasOwnProperty.call(s6, a6) ? (Array.isArray(s6[a6]) || (s6[a6] = [s6[a6]]), s6[a6].push(t7)) : e6.isArray(a6, l6, n7) ? s6[a6] = [t7] : s6[a6] = t7;
             }
           }
         }
@@ -261527,7 +263354,7 @@ var require_fxp = __commonJS({
       }
       class it {
         constructor(t6) {
-          this.externalEntities = {}, this.options = w5(t6);
+          this.externalEntities = {}, this.options = v5(t6);
         }
         parse(t6, e6) {
           if ("string" != typeof t6 && t6.toString) t6 = t6.toString();
@@ -261537,7 +263364,7 @@ var require_fxp = __commonJS({
             const n7 = a5(t6, e6);
             if (true !== n7) throw Error(`${n7.err.msg}:${n7.err.line}:${n7.err.col}`);
           }
-          const n6 = new F2(this.options);
+          const n6 = new L(this.options);
           n6.addExternalEntities(this.externalEntities);
           const i6 = n6.parseXml(t6);
           return this.options.preserveOrder || void 0 === i6 ? i6 : J2(i6, this.options);
@@ -261558,6 +263385,13 @@ var require_fxp = __commonJS({
       }
       function rt(t6, e6, n6, i6) {
         let s6 = "", r6 = false;
+        if (!Array.isArray(t6)) {
+          if (null != t6) {
+            let n7 = t6.toString();
+            return n7 = ut(n7, e6), n7;
+          }
+          return "";
+        }
         for (let o6 = 0; o6 < t6.length; o6++) {
           const a6 = t6[o6], l6 = ot(a6);
           if (void 0 === l6) continue;
@@ -261581,10 +263415,10 @@ var require_fxp = __commonJS({
             o7 = 0 !== o7.length ? " " + o7 : "", s6 += n7 + `<${l6}${o7}${t7}?>`, r6 = true;
             continue;
           }
-          let h6 = i6;
-          "" !== h6 && (h6 += e6.indentBy);
-          const d6 = i6 + `<${l6}${at3(a6[":@"], e6)}`, p6 = rt(a6[l6], e6, u6, h6);
-          -1 !== e6.unpairedTags.indexOf(l6) ? e6.suppressUnpairedNode ? s6 += d6 + ">" : s6 += d6 + "/>" : p6 && 0 !== p6.length || !e6.suppressEmptyNode ? p6 && p6.endsWith(">") ? s6 += d6 + `>${p6}${i6}</${l6}>` : (s6 += d6 + ">", p6 && "" !== i6 && (p6.includes("/>") || p6.includes("</")) ? s6 += i6 + e6.indentBy + p6 + i6 : s6 += p6, s6 += `</${l6}>`) : s6 += d6 + "/>", r6 = true;
+          let d6 = i6;
+          "" !== d6 && (d6 += e6.indentBy);
+          const h6 = i6 + `<${l6}${at3(a6[":@"], e6)}`, p6 = rt(a6[l6], e6, u6, d6);
+          -1 !== e6.unpairedTags.indexOf(l6) ? e6.suppressUnpairedNode ? s6 += h6 + ">" : s6 += h6 + "/>" : p6 && 0 !== p6.length || !e6.suppressEmptyNode ? p6 && p6.endsWith(">") ? s6 += h6 + `>${p6}${i6}</${l6}>` : (s6 += h6 + ">", p6 && "" !== i6 && (p6.includes("/>") || p6.includes("</")) ? s6 += i6 + e6.indentBy + p6 + i6 : s6 += p6, s6 += `</${l6}>`) : s6 += h6 + "/>", r6 = true;
         }
         return s6;
       }
@@ -261592,13 +263426,13 @@ var require_fxp = __commonJS({
         const e6 = Object.keys(t6);
         for (let n6 = 0; n6 < e6.length; n6++) {
           const i6 = e6[n6];
-          if (t6.hasOwnProperty(i6) && ":@" !== i6) return i6;
+          if (Object.prototype.hasOwnProperty.call(t6, i6) && ":@" !== i6) return i6;
         }
       }
       function at3(t6, e6) {
         let n6 = "";
         if (t6 && !e6.ignoreAttributes) for (let i6 in t6) {
-          if (!t6.hasOwnProperty(i6)) continue;
+          if (!Object.prototype.hasOwnProperty.call(t6, i6)) continue;
           let s6 = e6.attributeValueProcessor(i6, t6[i6]);
           s6 = ut(s6, e6), true === s6 && e6.suppressBooleanAttributes ? n6 += ` ${i6.substr(e6.attributeNamePrefix.length)}` : n6 += ` ${i6.substr(e6.attributeNamePrefix.length)}="${s6}"`;
         }
@@ -261616,15 +263450,21 @@ var require_fxp = __commonJS({
         }
         return t6;
       }
-      const ht = { attributeNamePrefix: "@_", attributesGroupName: false, textNodeName: "#text", ignoreAttributes: true, cdataPropName: false, format: false, indentBy: "  ", suppressEmptyNode: false, suppressUnpairedNode: true, suppressBooleanAttributes: true, tagValueProcessor: function(t6, e6) {
+      const dt = { attributeNamePrefix: "@_", attributesGroupName: false, textNodeName: "#text", ignoreAttributes: true, cdataPropName: false, format: false, indentBy: "  ", suppressEmptyNode: false, suppressUnpairedNode: true, suppressBooleanAttributes: true, tagValueProcessor: function(t6, e6) {
         return e6;
       }, attributeValueProcessor: function(t6, e6) {
         return e6;
       }, preserveOrder: false, commentPropName: false, unpairedTags: [], entities: [{ regex: new RegExp("&", "g"), val: "&amp;" }, { regex: new RegExp(">", "g"), val: "&gt;" }, { regex: new RegExp("<", "g"), val: "&lt;" }, { regex: new RegExp("'", "g"), val: "&apos;" }, { regex: new RegExp('"', "g"), val: "&quot;" }], processEntities: true, stopNodes: [], oneListGroup: false };
-      function dt(t6) {
-        this.options = Object.assign({}, ht, t6), true === this.options.ignoreAttributes || this.options.attributesGroupName ? this.isAttribute = function() {
+      function ht(t6) {
+        var e6;
+        this.options = Object.assign({}, dt, t6), true === this.options.ignoreAttributes || this.options.attributesGroupName ? this.isAttribute = function() {
           return false;
-        } : (this.ignoreAttributesFn = L(this.options.ignoreAttributes), this.attrPrefixLen = this.options.attributeNamePrefix.length, this.isAttribute = ct), this.processTextOrObjNode = pt, this.options.format ? (this.indentate = ft, this.tagEndChar = ">\n", this.newLine = "\n") : (this.indentate = function() {
+        } : (this.ignoreAttributesFn = "function" == typeof (e6 = this.options.ignoreAttributes) ? e6 : Array.isArray(e6) ? (t7) => {
+          for (const n6 of e6) {
+            if ("string" == typeof n6 && t7 === n6) return true;
+            if (n6 instanceof RegExp && n6.test(t7)) return true;
+          }
+        } : () => false, this.attrPrefixLen = this.options.attributeNamePrefix.length, this.isAttribute = ft), this.processTextOrObjNode = pt, this.options.format ? (this.indentate = ct, this.tagEndChar = ">\n", this.newLine = "\n") : (this.indentate = function() {
           return "";
         }, this.tagEndChar = ">", this.newLine = "");
       }
@@ -261632,15 +263472,15 @@ var require_fxp = __commonJS({
         const s6 = this.j2x(t6, n6 + 1, i6.concat(e6));
         return void 0 !== t6[this.options.textNodeName] && 1 === Object.keys(t6).length ? this.buildTextValNode(t6[this.options.textNodeName], e6, s6.attrStr, n6) : this.buildObjectNode(s6.val, e6, s6.attrStr, n6);
       }
-      function ft(t6) {
+      function ct(t6) {
         return this.options.indentBy.repeat(t6);
       }
-      function ct(t6) {
+      function ft(t6) {
         return !(!t6.startsWith(this.options.attributeNamePrefix) || t6 === this.options.textNodeName) && t6.substr(this.attrPrefixLen);
       }
-      dt.prototype.build = function(t6) {
+      ht.prototype.build = function(t6) {
         return this.options.preserveOrder ? st(t6, this.options) : (Array.isArray(t6) && this.options.arrayNodeName && this.options.arrayNodeName.length > 1 && (t6 = { [this.options.arrayNodeName]: t6 }), this.j2x(t6, 0, []).val);
-      }, dt.prototype.j2x = function(t6, e6, n6) {
+      }, ht.prototype.j2x = function(t6, e6, n6) {
         let i6 = "", s6 = "";
         const r6 = n6.join(".");
         for (let o6 in t6) if (Object.prototype.hasOwnProperty.call(t6, o6)) if (void 0 === t6[o6]) this.isAttribute(o6) && (s6 += "");
@@ -261675,18 +263515,18 @@ var require_fxp = __commonJS({
           for (let s7 = 0; s7 < n7; s7++) i6 += this.buildAttrPairStr(e7[s7], "" + t6[o6][e7[s7]]);
         } else s6 += this.processTextOrObjNode(t6[o6], o6, e6, n6);
         return { attrStr: i6, val: s6 };
-      }, dt.prototype.buildAttrPairStr = function(t6, e6) {
+      }, ht.prototype.buildAttrPairStr = function(t6, e6) {
         return e6 = this.options.attributeValueProcessor(t6, "" + e6), e6 = this.replaceEntitiesValue(e6), this.options.suppressBooleanAttributes && "true" === e6 ? " " + t6 : " " + t6 + '="' + e6 + '"';
-      }, dt.prototype.buildObjectNode = function(t6, e6, n6, i6) {
+      }, ht.prototype.buildObjectNode = function(t6, e6, n6, i6) {
         if ("" === t6) return "?" === e6[0] ? this.indentate(i6) + "<" + e6 + n6 + "?" + this.tagEndChar : this.indentate(i6) + "<" + e6 + n6 + this.closeTag(e6) + this.tagEndChar;
         {
           let s6 = "</" + e6 + this.tagEndChar, r6 = "";
           return "?" === e6[0] && (r6 = "?", s6 = ""), !n6 && "" !== n6 || -1 !== t6.indexOf("<") ? false !== this.options.commentPropName && e6 === this.options.commentPropName && 0 === r6.length ? this.indentate(i6) + `<!--${t6}-->` + this.newLine : this.indentate(i6) + "<" + e6 + n6 + r6 + this.tagEndChar + t6 + this.indentate(i6) + s6 : this.indentate(i6) + "<" + e6 + n6 + r6 + ">" + t6 + s6;
         }
-      }, dt.prototype.closeTag = function(t6) {
+      }, ht.prototype.closeTag = function(t6) {
         let e6 = "";
         return -1 !== this.options.unpairedTags.indexOf(t6) ? this.options.suppressUnpairedNode || (e6 = "/") : e6 = this.options.suppressEmptyNode ? "/" : `></${t6}`, e6;
-      }, dt.prototype.buildTextValNode = function(t6, e6, n6, i6) {
+      }, ht.prototype.buildTextValNode = function(t6, e6, n6, i6) {
         if (false !== this.options.cdataPropName && e6 === this.options.cdataPropName) return this.indentate(i6) + `<![CDATA[${t6}]]>` + this.newLine;
         if (false !== this.options.commentPropName && e6 === this.options.commentPropName) return this.indentate(i6) + `<!--${t6}-->` + this.newLine;
         if ("?" === e6[0]) return this.indentate(i6) + "<" + e6 + n6 + "?" + this.tagEndChar;
@@ -261694,14 +263534,14 @@ var require_fxp = __commonJS({
           let s6 = this.options.tagValueProcessor(e6, t6);
           return s6 = this.replaceEntitiesValue(s6), "" === s6 ? this.indentate(i6) + "<" + e6 + n6 + this.closeTag(e6) + this.tagEndChar : this.indentate(i6) + "<" + e6 + n6 + ">" + s6 + "</" + e6 + this.tagEndChar;
         }
-      }, dt.prototype.replaceEntitiesValue = function(t6) {
+      }, ht.prototype.replaceEntitiesValue = function(t6) {
         if (t6 && t6.length > 0 && this.options.processEntities) for (let e6 = 0; e6 < this.options.entities.length; e6++) {
           const n6 = this.options.entities[e6];
           t6 = t6.replace(n6.regex, n6.val);
         }
         return t6;
       };
-      const gt = { validate: a5 };
+      const gt = ht, xt = { validate: a5 };
       module2.exports = e5;
     })();
   }
@@ -261721,7 +263561,8 @@ var require_xml_parser = __commonJS({
       ignoreDeclaration: true,
       parseTagValue: false,
       trimValues: false,
-      tagValueProcessor: (_, val) => val.trim() === "" && val.includes("\n") ? "" : void 0
+      tagValueProcessor: (_, val) => val.trim() === "" && val.includes("\n") ? "" : void 0,
+      maxNestedTags: 1024
     });
     parser.addEntity("#xD", "\r");
     parser.addEntity("#10", "\n");
@@ -266274,7 +268115,7 @@ var require_package2 = __commonJS({
     module2.exports = {
       name: "@aws-sdk/client-bedrock-runtime",
       description: "AWS SDK for JavaScript Bedrock Runtime Client for Node.js, Browser and React Native",
-      version: "3.1000.0",
+      version: "3.1001.0",
       scripts: {
         build: "concurrently 'yarn:build:types' 'yarn:build:es' && yarn build:cjs",
         "build:cjs": "node ../../scripts/compilation/inline client-bedrock-runtime",
@@ -266298,54 +268139,54 @@ var require_package2 = __commonJS({
       dependencies: {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
+        "@aws-sdk/core": "^3.973.16",
+        "@aws-sdk/credential-provider-node": "^3.972.15",
         "@aws-sdk/eventstream-handler-node": "^3.972.9",
         "@aws-sdk/middleware-eventstream": "^3.972.6",
         "@aws-sdk/middleware-host-header": "^3.972.6",
         "@aws-sdk/middleware-logger": "^3.972.6",
         "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/middleware-websocket": "^3.972.10",
+        "@aws-sdk/middleware-user-agent": "^3.972.16",
+        "@aws-sdk/middleware-websocket": "^3.972.11",
         "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/token-providers": "3.1000.0",
+        "@aws-sdk/token-providers": "3.1001.0",
         "@aws-sdk/types": "^3.973.4",
         "@aws-sdk/util-endpoints": "^3.996.3",
         "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
+        "@aws-sdk/util-user-agent-node": "^3.973.1",
         "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
+        "@smithy/core": "^3.23.7",
         "@smithy/eventstream-serde-browser": "^4.2.10",
         "@smithy/eventstream-serde-config-resolver": "^4.3.10",
         "@smithy/eventstream-serde-node": "^4.2.10",
-        "@smithy/fetch-http-handler": "^5.3.11",
+        "@smithy/fetch-http-handler": "^5.3.12",
         "@smithy/hash-node": "^4.2.10",
         "@smithy/invalid-dependency": "^4.2.10",
         "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
+        "@smithy/middleware-endpoint": "^4.4.21",
+        "@smithy/middleware-retry": "^4.4.38",
         "@smithy/middleware-serde": "^4.2.11",
         "@smithy/middleware-stack": "^4.2.10",
         "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
+        "@smithy/node-http-handler": "^4.4.13",
         "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
+        "@smithy/smithy-client": "^4.12.1",
         "@smithy/types": "^4.13.0",
         "@smithy/url-parser": "^4.2.10",
         "@smithy/util-base64": "^4.3.1",
         "@smithy/util-body-length-browser": "^4.2.1",
         "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
+        "@smithy/util-defaults-mode-browser": "^4.3.37",
+        "@smithy/util-defaults-mode-node": "^4.2.40",
         "@smithy/util-endpoints": "^3.3.1",
         "@smithy/util-middleware": "^4.2.10",
         "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-stream": "^4.5.15",
+        "@smithy/util-stream": "^4.5.16",
         "@smithy/util-utf8": "^4.2.1",
         tslib: "^2.6.2"
       },
       devDependencies: {
-        "@smithy/snapshot-testing": "^1.0.7",
+        "@smithy/snapshot-testing": "^1.0.8",
         "@tsconfig/node20": "20.1.8",
         "@types/node": "^20.14.8",
         concurrently: "7.0.0",
@@ -267061,7 +268902,7 @@ var init_package = __esm({
   "node_modules/@aws-sdk/nested-clients/package.json"() {
     package_default = {
       name: "@aws-sdk/nested-clients",
-      version: "3.996.3",
+      version: "3.996.4",
       description: "Nested clients for AWS SDK packages.",
       main: "./dist-cjs/index.js",
       module: "./dist-es/index.js",
@@ -267090,37 +268931,37 @@ var init_package = __esm({
       dependencies: {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
+        "@aws-sdk/core": "^3.973.16",
         "@aws-sdk/middleware-host-header": "^3.972.6",
         "@aws-sdk/middleware-logger": "^3.972.6",
         "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
+        "@aws-sdk/middleware-user-agent": "^3.972.16",
         "@aws-sdk/region-config-resolver": "^3.972.6",
         "@aws-sdk/types": "^3.973.4",
         "@aws-sdk/util-endpoints": "^3.996.3",
         "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
+        "@aws-sdk/util-user-agent-node": "^3.973.1",
         "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
+        "@smithy/core": "^3.23.7",
+        "@smithy/fetch-http-handler": "^5.3.12",
         "@smithy/hash-node": "^4.2.10",
         "@smithy/invalid-dependency": "^4.2.10",
         "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
+        "@smithy/middleware-endpoint": "^4.4.21",
+        "@smithy/middleware-retry": "^4.4.38",
         "@smithy/middleware-serde": "^4.2.11",
         "@smithy/middleware-stack": "^4.2.10",
         "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
+        "@smithy/node-http-handler": "^4.4.13",
         "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
+        "@smithy/smithy-client": "^4.12.1",
         "@smithy/types": "^4.13.0",
         "@smithy/url-parser": "^4.2.10",
         "@smithy/util-base64": "^4.3.1",
         "@smithy/util-body-length-browser": "^4.2.1",
         "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
+        "@smithy/util-defaults-mode-browser": "^4.3.37",
+        "@smithy/util-defaults-mode-node": "^4.2.40",
         "@smithy/util-endpoints": "^3.3.1",
         "@smithy/util-middleware": "^4.2.10",
         "@smithy/util-retry": "^4.2.10",
@@ -267225,17 +269066,30 @@ var require_dist_cjs51 = __commonJS({
       }
       return ["md/nodejs", node_process.versions.node];
     };
-    var getTypeScriptPackageJsonPath = (dirname6 = "") => {
-      let nodeModulesPath;
+    var SEMVER_REGEX = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*)?$/;
+    var getSanitizedTypeScriptVersion = (version2 = "") => {
+      const match2 = version2.match(SEMVER_REGEX);
+      if (!match2) {
+        return void 0;
+      }
+      const [major, minor, patch, prerelease] = [match2[1], match2[2], match2[3], match2[4]];
+      return prerelease ? `${major}.${minor}.${patch}-${prerelease}` : `${major}.${minor}.${patch}`;
+    };
+    var typescriptPackageJsonPath = node_path.join("node_modules", "typescript", "package.json");
+    var getTypeScriptPackageJsonPaths = (dirname6) => {
+      const cwdPath = node_path.join(process.cwd(), typescriptPackageJsonPath);
+      if (!dirname6) {
+        return [cwdPath];
+      }
       const normalizedPath = node_path.normalize(dirname6);
       const parts = normalizedPath.split(node_path.sep);
       const nodeModulesIndex = parts.indexOf("node_modules");
-      if (nodeModulesIndex !== -1) {
-        nodeModulesPath = parts.slice(0, nodeModulesIndex).join(node_path.sep);
-      } else {
-        nodeModulesPath = dirname6;
+      const parentDir = nodeModulesIndex !== -1 ? parts.slice(0, nodeModulesIndex).join(node_path.sep) : dirname6;
+      const parentDirPath = node_path.join(parentDir, typescriptPackageJsonPath);
+      if (cwdPath === parentDirPath) {
+        return [cwdPath];
       }
-      return node_path.join(nodeModulesPath, "node_modules", "typescript", "package.json");
+      return [parentDirPath, cwdPath];
     };
     var tscVersion;
     var getTypeScriptUserAgentPair = async () => {
@@ -267244,18 +269098,22 @@ var require_dist_cjs51 = __commonJS({
       } else if (typeof tscVersion === "string") {
         return ["md/tsc", tscVersion];
       }
-      try {
-        const packageJson = await promises.readFile(getTypeScriptPackageJsonPath(__dirname), "utf-8");
-        const { version: version2 } = JSON.parse(packageJson);
-        if (typeof version2 !== "string") {
-          tscVersion = null;
-          return void 0;
+      const dirname6 = typeof __dirname !== "undefined" ? __dirname : void 0;
+      for (const typescriptPackageJsonPath2 of getTypeScriptPackageJsonPaths(dirname6)) {
+        try {
+          const packageJson = await promises.readFile(typescriptPackageJsonPath2, "utf-8");
+          const { version: version2 } = JSON.parse(packageJson);
+          const sanitizedVersion = getSanitizedTypeScriptVersion(version2);
+          if (typeof sanitizedVersion !== "string") {
+            continue;
+          }
+          tscVersion = sanitizedVersion;
+          return ["md/tsc", tscVersion];
+        } catch {
         }
-        tscVersion = version2;
-        return ["md/tsc", tscVersion];
-      } catch {
-        tscVersion = null;
       }
+      tscVersion = null;
+      return void 0;
     };
     var crtAvailability = {
       isCrtAvailable: false
@@ -268354,9 +270212,9 @@ var init_sso_oidc = __esm({
   }
 });
 
-// node_modules/@aws-sdk/credential-provider-sso/node_modules/@aws-sdk/token-providers/dist-cjs/index.js
+// node_modules/@aws-sdk/token-providers/dist-cjs/index.js
 var require_dist_cjs56 = __commonJS({
-  "node_modules/@aws-sdk/credential-provider-sso/node_modules/@aws-sdk/token-providers/dist-cjs/index.js"(exports2) {
+  "node_modules/@aws-sdk/token-providers/dist-cjs/index.js"(exports2) {
     "use strict";
     var client = (init_client(), __toCommonJS(client_exports));
     var httpAuthSchemes = (init_httpAuthSchemes2(), __toCommonJS(httpAuthSchemes_exports));
@@ -272189,155 +274047,8 @@ var require_dist_cjs63 = __commonJS({
   }
 });
 
-// node_modules/@aws-sdk/token-providers/dist-cjs/index.js
-var require_dist_cjs64 = __commonJS({
-  "node_modules/@aws-sdk/token-providers/dist-cjs/index.js"(exports2) {
-    "use strict";
-    var client = (init_client(), __toCommonJS(client_exports));
-    var httpAuthSchemes = (init_httpAuthSchemes2(), __toCommonJS(httpAuthSchemes_exports));
-    var propertyProvider = require_dist_cjs24();
-    var sharedIniFileLoader = require_dist_cjs42();
-    var node_fs = __nccwpck_require__(73024);
-    var fromEnvSigningName = ({ logger: logger2, signingName } = {}) => async () => {
-      logger2?.debug?.("@aws-sdk/token-providers - fromEnvSigningName");
-      if (!signingName) {
-        throw new propertyProvider.TokenProviderError("Please pass 'signingName' to compute environment variable key", { logger: logger2 });
-      }
-      const bearerTokenKey = httpAuthSchemes.getBearerTokenEnvKey(signingName);
-      if (!(bearerTokenKey in process.env)) {
-        throw new propertyProvider.TokenProviderError(`Token not present in '${bearerTokenKey}' environment variable`, { logger: logger2 });
-      }
-      const token = { token: process.env[bearerTokenKey] };
-      client.setTokenFeature(token, "BEARER_SERVICE_ENV_VARS", "3");
-      return token;
-    };
-    var EXPIRE_WINDOW_MS = 5 * 60 * 1e3;
-    var REFRESH_MESSAGE = `To refresh this SSO session run 'aws sso login' with the corresponding profile.`;
-    var getSsoOidcClient = async (ssoRegion, init = {}, callerClientConfig) => {
-      const { SSOOIDCClient: SSOOIDCClient2 } = await Promise.resolve().then(() => (init_sso_oidc(), sso_oidc_exports));
-      const coalesce = (prop) => init.clientConfig?.[prop] ?? init.parentClientConfig?.[prop] ?? callerClientConfig?.[prop];
-      const ssoOidcClient = new SSOOIDCClient2(Object.assign({}, init.clientConfig ?? {}, {
-        region: ssoRegion ?? init.clientConfig?.region,
-        logger: coalesce("logger"),
-        userAgentAppId: coalesce("userAgentAppId")
-      }));
-      return ssoOidcClient;
-    };
-    var getNewSsoOidcToken = async (ssoToken, ssoRegion, init = {}, callerClientConfig) => {
-      const { CreateTokenCommand: CreateTokenCommand2 } = await Promise.resolve().then(() => (init_sso_oidc(), sso_oidc_exports));
-      const ssoOidcClient = await getSsoOidcClient(ssoRegion, init, callerClientConfig);
-      return ssoOidcClient.send(new CreateTokenCommand2({
-        clientId: ssoToken.clientId,
-        clientSecret: ssoToken.clientSecret,
-        refreshToken: ssoToken.refreshToken,
-        grantType: "refresh_token"
-      }));
-    };
-    var validateTokenExpiry = (token) => {
-      if (token.expiration && token.expiration.getTime() < Date.now()) {
-        throw new propertyProvider.TokenProviderError(`Token is expired. ${REFRESH_MESSAGE}`, false);
-      }
-    };
-    var validateTokenKey = (key, value, forRefresh = false) => {
-      if (typeof value === "undefined") {
-        throw new propertyProvider.TokenProviderError(`Value not present for '${key}' in SSO Token${forRefresh ? ". Cannot refresh" : ""}. ${REFRESH_MESSAGE}`, false);
-      }
-    };
-    var { writeFile: writeFile2 } = node_fs.promises;
-    var writeSSOTokenToFile = (id, ssoToken) => {
-      const tokenFilepath = sharedIniFileLoader.getSSOTokenFilepath(id);
-      const tokenString = JSON.stringify(ssoToken, null, 2);
-      return writeFile2(tokenFilepath, tokenString);
-    };
-    var lastRefreshAttemptTime = /* @__PURE__ */ new Date(0);
-    var fromSso = (init = {}) => async ({ callerClientConfig } = {}) => {
-      init.logger?.debug("@aws-sdk/token-providers - fromSso");
-      const profiles = await sharedIniFileLoader.parseKnownFiles(init);
-      const profileName = sharedIniFileLoader.getProfileName({
-        profile: init.profile ?? callerClientConfig?.profile
-      });
-      const profile = profiles[profileName];
-      if (!profile) {
-        throw new propertyProvider.TokenProviderError(`Profile '${profileName}' could not be found in shared credentials file.`, false);
-      } else if (!profile["sso_session"]) {
-        throw new propertyProvider.TokenProviderError(`Profile '${profileName}' is missing required property 'sso_session'.`);
-      }
-      const ssoSessionName = profile["sso_session"];
-      const ssoSessions = await sharedIniFileLoader.loadSsoSessionData(init);
-      const ssoSession = ssoSessions[ssoSessionName];
-      if (!ssoSession) {
-        throw new propertyProvider.TokenProviderError(`Sso session '${ssoSessionName}' could not be found in shared credentials file.`, false);
-      }
-      for (const ssoSessionRequiredKey of ["sso_start_url", "sso_region"]) {
-        if (!ssoSession[ssoSessionRequiredKey]) {
-          throw new propertyProvider.TokenProviderError(`Sso session '${ssoSessionName}' is missing required property '${ssoSessionRequiredKey}'.`, false);
-        }
-      }
-      ssoSession["sso_start_url"];
-      const ssoRegion = ssoSession["sso_region"];
-      let ssoToken;
-      try {
-        ssoToken = await sharedIniFileLoader.getSSOTokenFromFile(ssoSessionName);
-      } catch (e5) {
-        throw new propertyProvider.TokenProviderError(`The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`, false);
-      }
-      validateTokenKey("accessToken", ssoToken.accessToken);
-      validateTokenKey("expiresAt", ssoToken.expiresAt);
-      const { accessToken, expiresAt } = ssoToken;
-      const existingToken = { token: accessToken, expiration: new Date(expiresAt) };
-      if (existingToken.expiration.getTime() - Date.now() > EXPIRE_WINDOW_MS) {
-        return existingToken;
-      }
-      if (Date.now() - lastRefreshAttemptTime.getTime() < 30 * 1e3) {
-        validateTokenExpiry(existingToken);
-        return existingToken;
-      }
-      validateTokenKey("clientId", ssoToken.clientId, true);
-      validateTokenKey("clientSecret", ssoToken.clientSecret, true);
-      validateTokenKey("refreshToken", ssoToken.refreshToken, true);
-      try {
-        lastRefreshAttemptTime.setTime(Date.now());
-        const newSsoOidcToken = await getNewSsoOidcToken(ssoToken, ssoRegion, init, callerClientConfig);
-        validateTokenKey("accessToken", newSsoOidcToken.accessToken);
-        validateTokenKey("expiresIn", newSsoOidcToken.expiresIn);
-        const newTokenExpiration = new Date(Date.now() + newSsoOidcToken.expiresIn * 1e3);
-        try {
-          await writeSSOTokenToFile(ssoSessionName, {
-            ...ssoToken,
-            accessToken: newSsoOidcToken.accessToken,
-            expiresAt: newTokenExpiration.toISOString(),
-            refreshToken: newSsoOidcToken.refreshToken
-          });
-        } catch (error2) {
-        }
-        return {
-          token: newSsoOidcToken.accessToken,
-          expiration: newTokenExpiration
-        };
-      } catch (error2) {
-        validateTokenExpiry(existingToken);
-        return existingToken;
-      }
-    };
-    var fromStatic = ({ token, logger: logger2 }) => async () => {
-      logger2?.debug("@aws-sdk/token-providers - fromStatic");
-      if (!token || !token.token) {
-        throw new propertyProvider.TokenProviderError(`Please pass a valid token to fromStatic`, false);
-      }
-      return token;
-    };
-    var nodeProvider = (init = {}) => propertyProvider.memoize(propertyProvider.chain(fromSso(init), async () => {
-      throw new propertyProvider.TokenProviderError("Could not load token from any providers", false);
-    }), (token) => token.expiration !== void 0 && token.expiration.getTime() - Date.now() < 3e5, (token) => token.expiration !== void 0);
-    exports2.fromEnvSigningName = fromEnvSigningName;
-    exports2.fromSso = fromSso;
-    exports2.fromStatic = fromStatic;
-    exports2.nodeProvider = nodeProvider;
-  }
-});
-
 // node_modules/@smithy/eventstream-serde-node/dist-cjs/index.js
-var require_dist_cjs65 = __commonJS({
+var require_dist_cjs64 = __commonJS({
   "node_modules/@smithy/eventstream-serde-node/dist-cjs/index.js"(exports2) {
     "use strict";
     var eventstreamSerdeUniversal = require_dist_cjs35();
@@ -275019,11 +276730,11 @@ var require_runtimeConfig = __commonJS({
     var core_1 = (init_dist_es2(), __toCommonJS(dist_es_exports2));
     var credential_provider_node_1 = require_dist_cjs62();
     var eventstream_handler_node_1 = require_dist_cjs63();
-    var token_providers_1 = require_dist_cjs64();
+    var token_providers_1 = require_dist_cjs56();
     var util_user_agent_node_1 = require_dist_cjs51();
     var config_resolver_1 = require_dist_cjs39();
     var core_2 = (init_dist_es(), __toCommonJS(dist_es_exports));
-    var eventstream_serde_node_1 = require_dist_cjs65();
+    var eventstream_serde_node_1 = require_dist_cjs64();
     var hash_node_1 = require_dist_cjs52();
     var middleware_retry_1 = require_dist_cjs47();
     var node_config_provider_1 = require_dist_cjs43();
@@ -275095,7 +276806,7 @@ var require_runtimeConfig = __commonJS({
 });
 
 // node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js
-var require_dist_cjs66 = __commonJS({
+var require_dist_cjs65 = __commonJS({
   "node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js"(exports2) {
     "use strict";
     var middlewareEventstream = require_dist_cjs3();
@@ -275940,13 +277651,13 @@ var import_client_bedrock_runtime, import_client_bedrock_runtime2, import_client
 var init_dist3 = __esm({
   "node_modules/@ai-sdk/amazon-bedrock/dist/index.mjs"() {
     init_dist2();
-    import_client_bedrock_runtime = __toESM(require_dist_cjs66(), 1);
+    import_client_bedrock_runtime = __toESM(require_dist_cjs65(), 1);
     init_dist();
-    import_client_bedrock_runtime2 = __toESM(require_dist_cjs66(), 1);
+    import_client_bedrock_runtime2 = __toESM(require_dist_cjs65(), 1);
     init_dist();
     init_dist();
     init_dist2();
-    import_client_bedrock_runtime3 = __toESM(require_dist_cjs66(), 1);
+    import_client_bedrock_runtime3 = __toESM(require_dist_cjs65(), 1);
     generateFileId = createIdGenerator({ prefix: "file", size: 16 });
     BedrockChatLanguageModel = class {
       constructor(modelId, settings, config) {
@@ -283637,6 +285348,8 @@ var init_fileTracker = __esm({
         this.debug = options.debug || false;
         this._seenFiles = /* @__PURE__ */ new Set();
         this._contentRecords = /* @__PURE__ */ new Map();
+        this._textEditCounts = /* @__PURE__ */ new Map();
+        this.maxConsecutiveTextEdits = 3;
       }
       /**
        * Mark a file as "seen" — the LLM has read its content.
@@ -283644,6 +285357,7 @@ var init_fileTracker = __esm({
        */
       markFileSeen(resolvedPath2) {
         this._seenFiles.add(resolvedPath2);
+        this._textEditCounts.set(resolvedPath2, 0);
         if (this.debug) {
           console.error(`[FileTracker] Marked as seen: ${resolvedPath2}`);
         }
@@ -283789,9 +285503,37 @@ var init_fileTracker = __esm({
        * @param {string} resolvedPath - Absolute path to the file
        */
       async trackFileAfterWrite(resolvedPath2) {
-        this.markFileSeen(resolvedPath2);
+        this._seenFiles.add(resolvedPath2);
         this.invalidateFileRecords(resolvedPath2);
       }
+      /**
+       * Record a text-mode edit (old_string/new_string) to a file.
+       * Increments the consecutive edit counter.
+       * @param {string} resolvedPath - Absolute path to the file
+       */
+      recordTextEdit(resolvedPath2) {
+        const count = (this._textEditCounts.get(resolvedPath2) || 0) + 1;
+        this._textEditCounts.set(resolvedPath2, count);
+        if (this.debug) {
+          console.error(`[FileTracker] Text edit #${count} for ${resolvedPath2}`);
+        }
+      }
+      /**
+       * Check if a file has had too many consecutive text edits without a re-read.
+       * @param {string} resolvedPath - Absolute path to the file
+       * @returns {{ok: boolean, editCount?: number, message?: string}}
+       */
+      checkTextEditStaleness(resolvedPath2) {
+        const count = this._textEditCounts.get(resolvedPath2) || 0;
+        if (count >= this.maxConsecutiveTextEdits) {
+          return {
+            ok: false,
+            editCount: count,
+            message: `This file has been edited ${count} times without being re-read. Use 'extract' to re-read the current file content before making more edits, to ensure you are working with the actual state of the file.`
+          };
+        }
+        return { ok: true, editCount: count };
+      }
       /**
        * Update the stored hash for a symbol after a successful write.
        * Enables chained edits to the same symbol.
@@ -283835,6 +285577,7 @@ var init_fileTracker = __esm({
       clear() {
         this._seenFiles.clear();
         this._contentRecords.clear();
+        this._textEditCounts.clear();
       }
     };
   }
@@ -329635,6 +331378,9 @@ var init_prompts = __esm({
     predefinedPrompts = {
       "code-explorer": `You are ProbeChat Code Explorer, a specialized AI assistant focused on helping developers, product managers, and QAs understand and navigate codebases. Your primary function is to answer questions based on code, explain how systems work, and provide insights into code functionality using the provided code analysis tools.
 
+CRITICAL - You are READ-ONLY:
+You must NEVER create, modify, delete, or write files. You are strictly an exploration and analysis tool. If asked to make changes, implement features, fix bugs, or modify a PR, refuse and explain that file modifications must be done by the engineer tool \u2014 your role is only to investigate code and answer questions. Do not attempt workarounds using bash commands (echo, cat, tee, sed, etc.) to write files.
+
 When exploring code:
 - Provide clear, concise explanations based on user request
 - Find and highlight the most relevant code snippets, if required
@@ -354367,7 +356113,9 @@ var init_ProbeAgent = __esm({
           return nativeTools;
         }
         for (const [toolName, toolImpl] of Object.entries(this.toolImplementations)) {
-          const { schema, description } = this._getToolSchemaAndDescription(toolName);
+          const toolInfo = this._getToolSchemaAndDescription(toolName);
+          if (!toolInfo) continue;
+          const { schema, description } = toolInfo;
           if (schema && description) {
             nativeTools[toolName] = wrapTool(toolName, schema, description, toolImpl.execute);
           }
@@ -355270,11 +357018,11 @@ Follow these instructions carefully:
 6. Prefer concise and focused search queries. Use specific keywords and phrases to narrow down results.${this.allowEdit ? `
 7. When modifying files, choose the appropriate tool:
     - Use 'edit' for all code modifications:
-      * For small changes (a line or a few lines), use old_string + new_string \u2014 copy old_string verbatim from the file.
-      * For rewriting entire functions/classes/methods, use the symbol parameter instead (no exact text matching needed).
-      * For editing specific lines from search/extract output, use start_line (and optionally end_line) with the line numbers shown in the output.${this.hashLines ? ' Line references include content hashes (e.g. "42:ab") for integrity verification.' : ""}
+      * PREFERRED: Use start_line (and optionally end_line) for line-targeted editing \u2014 this is the safest and most precise approach.${this.hashLines ? ' Use the line:hash references from extract/search output (e.g. "42:ab") for integrity verification.' : ""} Always use extract first to see line numbers${this.hashLines ? " and hashes" : ""}, then edit by line reference.
       * For editing inside large functions: first use extract with the symbol target (e.g. "file.js#myFunction") to see the function with line numbers${this.hashLines ? " and hashes" : ""}, then use start_line/end_line to surgically edit specific lines within it.
-      * IMPORTANT: Keep old_string as small as possible \u2014 include only the lines you need to change plus minimal context for uniqueness. For replacing large blocks (10+ lines), prefer line-targeted editing with start_line/end_line to constrain scope.
+      * For rewriting entire functions/classes/methods, use the symbol parameter instead (no exact text matching needed).
+      * FALLBACK ONLY: Use old_string + new_string for simple single-line changes where the text is unique. Copy old_string verbatim from the file. Keep old_string as small as possible.
+      * IMPORTANT: After multiple edits to the same file, re-read the changed areas before continuing \u2014 use extract with a targeted symbol (e.g. "file.js#myFunction") or a line range (e.g. "file.js:50-80") instead of re-reading the full file.
     - Use 'create' for new files or complete file rewrites.
     - If an edit fails, read the error message \u2014 it tells you exactly how to fix the call and retry.
     - The system tracks which files you've seen via search/extract. If you try to edit a file you haven't read, or one that changed since you last read it, the edit will fail with instructions to re-read first. Always use extract before editing to ensure you have current file content.` : ""}
@@ -358516,6 +360264,15 @@ Example: <extract><targets>${displayPath}</targets></extract>`;
             if (typeof old_string !== "string") {
               return `Error editing file: Invalid old_string - must be a string. Provide the exact text to find in the file, or use the symbol parameter instead for AST-aware editing by name.`;
             }
+            if (options.fileTracker) {
+              const staleCheck = options.fileTracker.checkTextEditStaleness(resolvedPath2);
+              if (!staleCheck.ok) {
+                const displayPath = toRelativePath(resolvedPath2, workspaceRoot);
+                return `Error editing ${displayPath}: ${staleCheck.message}
+
+Example: <extract><targets>${displayPath}</targets></extract>`;
+              }
+            }
             const content = await import_fs11.promises.readFile(resolvedPath2, "utf-8");
             let matchTarget = old_string;
             let matchStrategy = "exact";
@@ -358549,7 +360306,10 @@ Example: <extract><targets>${displayPath}</targets></extract>`;
               return `Error editing file: No changes made - the replacement result is identical to the original. Verify that old_string and new_string are actually different. If fuzzy matching was used, the matched text may already equal new_string.`;
             }
             await import_fs11.promises.writeFile(resolvedPath2, newContent, "utf-8");
-            if (options.fileTracker) await options.fileTracker.trackFileAfterWrite(resolvedPath2);
+            if (options.fileTracker) {
+              await options.fileTracker.trackFileAfterWrite(resolvedPath2);
+              options.fileTracker.recordTextEdit(resolvedPath2);
+            }
             const replacedCount = replace_all ? occurrences : 1;
             if (debug) {
               console.error(`[Edit] Successfully edited ${resolvedPath2}, replaced ${replacedCount} occurrence(s)`);
@@ -395174,7 +396934,7 @@ module.exports = /*#__PURE__*/JSON.parse('{"100":"Continue","101":"Switching Pro
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.150","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc266","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.42","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc268","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
 
 /***/ })