@probelabs/visor 0.1.165 → 0.1.166-ee

package/dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
-process.env.VISOR_VERSION = '0.1.165';
-process.env.PROBE_VERSION = '0.6.0-rc278';
-process.env.VISOR_COMMIT_SHA = '0431072b1fb3764b178496aa042aaa2a90adfd84';
-process.env.VISOR_COMMIT_SHORT = '0431072b';
+process.env.VISOR_VERSION = '0.1.166';
+process.env.PROBE_VERSION = '0.6.0-rc280';
+process.env.VISOR_COMMIT_SHA = 'eff5ed2df07d89e22e1c88d7d96b97572b0fd908';
+process.env.VISOR_COMMIT_SHORT = 'eff5ed2';
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
@@ -161217,7 +161217,7 @@ async function handleDumpPolicyInput(checkId, argv) {
     let PolicyInputBuilder;
     try {
         // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(71370)));
+        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(17117)));
         PolicyInputBuilder = mod.PolicyInputBuilder;
     }
     catch {
@@ -167104,6 +167104,1810 @@ class DependencyResolver {
 exports.DependencyResolver = DependencyResolver;
 
 
+/***/ }),
+
+/***/ 50069:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.LicenseValidator = void 0;
+const crypto = __importStar(__nccwpck_require__(76982));
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+class LicenseValidator {
+    /** Ed25519 public key for license verification (PEM format). */
+    static PUBLIC_KEY = '-----BEGIN PUBLIC KEY-----\n' +
+        'MCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n' +
+        '-----END PUBLIC KEY-----\n';
+    cache = null;
+    static CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+    static GRACE_PERIOD = 72 * 3600 * 1000; // 72 hours after expiry
+    /**
+     * Load and validate license from environment or file.
+     *
+     * Resolution order:
+     * 1. VISOR_LICENSE env var (JWT string)
+     * 2. VISOR_LICENSE_FILE env var (path to file)
+     * 3. .visor-license in project root (cwd)
+     * 4. .visor-license in ~/.config/visor/
+     */
+    async loadAndValidate() {
+        // Return cached result if still fresh
+        if (this.cache && Date.now() - this.cache.validatedAt < LicenseValidator.CACHE_TTL) {
+            return this.cache.payload;
+        }
+        const token = this.resolveToken();
+        if (!token)
+            return null;
+        const payload = this.verifyAndDecode(token);
+        if (!payload)
+            return null;
+        this.cache = { payload, validatedAt: Date.now() };
+        return payload;
+    }
+    /** Check if a specific feature is licensed */
+    hasFeature(feature) {
+        if (!this.cache)
+            return false;
+        return this.cache.payload.features.includes(feature);
+    }
+    /** Check if license is valid (with grace period) */
+    isValid() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    /** Check if the license is within its grace period (expired but still valid) */
+    isInGracePeriod() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now >= expiryMs && now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    resolveToken() {
+        // 1. Direct env var
+        if (process.env.VISOR_LICENSE) {
+            return process.env.VISOR_LICENSE.trim();
+        }
+        // 2. File path from env (validate against path traversal)
+        if (process.env.VISOR_LICENSE_FILE) {
+            // path.resolve() produces an absolute path with all '..' segments resolved,
+            // so a separate resolved.includes('..') check is unnecessary.
+            const resolved = path.resolve(process.env.VISOR_LICENSE_FILE);
+            const home = process.env.HOME || process.env.USERPROFILE || '';
+            const allowedPrefixes = [path.normalize(process.cwd())];
+            if (home)
+                allowedPrefixes.push(path.normalize(path.join(home, '.config', 'visor')));
+            // Resolve symlinks so an attacker cannot create a symlink inside an
+            // allowed prefix that points to an arbitrary file outside it.
+            let realPath;
+            try {
+                realPath = fs.realpathSync(resolved);
+            }
+            catch {
+                return null; // File doesn't exist or isn't accessible
+            }
+            const isSafe = allowedPrefixes.some(prefix => realPath === prefix || realPath.startsWith(prefix + path.sep));
+            if (!isSafe)
+                return null;
+            return this.readFile(realPath);
+        }
+        // 3. .visor-license in cwd
+        const cwdPath = path.join(process.cwd(), '.visor-license');
+        const cwdToken = this.readFile(cwdPath);
+        if (cwdToken)
+            return cwdToken;
+        // 4. ~/.config/visor/.visor-license
+        const home = process.env.HOME || process.env.USERPROFILE || '';
+        if (home) {
+            const configPath = path.join(home, '.config', 'visor', '.visor-license');
+            const configToken = this.readFile(configPath);
+            if (configToken)
+                return configToken;
+        }
+        return null;
+    }
+    readFile(filePath) {
+        try {
+            return fs.readFileSync(filePath, 'utf-8').trim();
+        }
+        catch {
+            return null;
+        }
+    }
+    verifyAndDecode(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const [headerB64, payloadB64, signatureB64] = parts;
+            // Decode header to verify algorithm
+            const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
+            if (header.alg !== 'EdDSA')
+                return null;
+            // Verify signature
+            const data = `${headerB64}.${payloadB64}`;
+            const signature = Buffer.from(signatureB64, 'base64url');
+            const publicKey = crypto.createPublicKey(LicenseValidator.PUBLIC_KEY);
+            // Validate that the loaded public key is actually Ed25519 (OID 1.3.101.112).
+            // This prevents algorithm-confusion attacks if the embedded key were ever
+            // swapped to a different type.
+            if (publicKey.asymmetricKeyType !== 'ed25519') {
+                return null;
+            }
+            // Ed25519 verification: algorithm must be null because EdDSA performs its
+            // own internal hashing (SHA-512) — passing a digest algorithm here would
+            // cause Node.js to throw. The key type is validated above.
+            const isValid = crypto.verify(null, Buffer.from(data), publicKey, signature);
+            if (!isValid)
+                return null;
+            // Decode payload
+            const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+            // Validate required fields
+            if (!payload.org ||
+                !Array.isArray(payload.features) ||
+                typeof payload.exp !== 'number' ||
+                typeof payload.iat !== 'number' ||
+                !payload.sub) {
+                return null;
+            }
+            // Check expiry (with grace period)
+            const now = Date.now();
+            const expiryMs = payload.exp * 1000;
+            if (now >= expiryMs + LicenseValidator.GRACE_PERIOD) {
+                return null;
+            }
+            return payload;
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.LicenseValidator = LicenseValidator;
+
+
+/***/ }),
+
+/***/ 87068:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.loadEnterprisePolicyEngine = loadEnterprisePolicyEngine;
+exports.loadEnterpriseStoreBackend = loadEnterpriseStoreBackend;
+const default_engine_1 = __nccwpck_require__(93866);
+/**
+ * Load the enterprise policy engine if licensed, otherwise return the default no-op engine.
+ *
+ * This is the sole import boundary between OSS and enterprise code. Core code
+ * must only import from this module (via dynamic `await import()`), never from
+ * individual enterprise submodules.
+ */
+async function loadEnterprisePolicyEngine(config) {
+    try {
+        const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+        const validator = new LicenseValidator();
+        const license = await validator.loadAndValidate();
+        if (!license || !validator.hasFeature('policy')) {
+            return new default_engine_1.DefaultPolicyEngine();
+        }
+        if (validator.isInGracePeriod()) {
+            // eslint-disable-next-line no-console
+            console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+                'Please renew your license.');
+        }
+        const { OpaPolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(39530)));
+        const engine = new OpaPolicyEngine(config);
+        await engine.initialize(config);
+        return engine;
+    }
+    catch (err) {
+        // Enterprise code not available or initialization failed
+        const msg = err instanceof Error ? err.message : String(err);
+        try {
+            const { logger } = __nccwpck_require__(86999);
+            logger.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
+        }
+        catch {
+            // silent
+        }
+        return new default_engine_1.DefaultPolicyEngine();
+    }
+}
+/**
+ * Load the enterprise schedule store backend if licensed.
+ *
+ * @param driver Database driver ('postgresql', 'mysql', or 'mssql')
+ * @param storageConfig Storage configuration with connection details
+ * @param haConfig Optional HA configuration
+ * @throws Error if enterprise license is not available or missing 'scheduler-sql' feature
+ */
+async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
+    const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+    const validator = new LicenseValidator();
+    const license = await validator.loadAndValidate();
+    if (!license || !validator.hasFeature('scheduler-sql')) {
+        throw new Error(`The ${driver} schedule storage driver requires a Visor Enterprise license ` +
+            `with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`);
+    }
+    if (validator.isInGracePeriod()) {
+        // eslint-disable-next-line no-console
+        console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+            'Please renew your license.');
+    }
+    const { KnexStoreBackend } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(63737)));
+    return new KnexStoreBackend(driver, storageConfig, haConfig);
+}
+
+
+/***/ }),
+
+/***/ 628:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaCompiler = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const os = __importStar(__nccwpck_require__(70857));
+const crypto = __importStar(__nccwpck_require__(76982));
+const child_process_1 = __nccwpck_require__(35317);
+/**
+ * OPA Rego Compiler - compiles .rego policy files to WASM bundles using the `opa` CLI.
+ *
+ * Handles:
+ * - Resolving input paths to WASM bytes (direct .wasm, directory with policy.wasm, or .rego files)
+ * - Compiling .rego files to WASM via `opa build`
+ * - Caching compiled bundles based on content hashes
+ * - Extracting policy.wasm from OPA tar.gz bundles
+ *
+ * Requires:
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaCompiler {
+    static CACHE_DIR = path.join(os.tmpdir(), 'visor-opa-cache');
+    /**
+     * Resolve the input paths to WASM bytes.
+     *
+     * Strategy:
+     * 1. If any path is a .wasm file, read it directly
+     * 2. If a directory contains policy.wasm, read it
+     * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+     */
+    async resolveWasmBytes(paths) {
+        // Collect .rego files and check for existing .wasm
+        const regoFiles = [];
+        for (const p of paths) {
+            const resolved = path.resolve(p);
+            // Reject paths containing '..' after resolution (path traversal)
+            if (path.normalize(resolved).includes('..')) {
+                throw new Error(`Policy path contains traversal sequences: ${p}`);
+            }
+            // Direct .wasm file
+            if (resolved.endsWith('.wasm') && fs.existsSync(resolved)) {
+                return fs.readFileSync(resolved);
+            }
+            if (!fs.existsSync(resolved))
+                continue;
+            const stat = fs.statSync(resolved);
+            if (stat.isDirectory()) {
+                // Check for pre-compiled policy.wasm in directory
+                const wasmCandidate = path.join(resolved, 'policy.wasm');
+                if (fs.existsSync(wasmCandidate)) {
+                    return fs.readFileSync(wasmCandidate);
+                }
+                // Collect all .rego files from directory
+                const files = fs.readdirSync(resolved);
+                for (const f of files) {
+                    if (f.endsWith('.rego')) {
+                        regoFiles.push(path.join(resolved, f));
+                    }
+                }
+            }
+            else if (resolved.endsWith('.rego')) {
+                regoFiles.push(resolved);
+            }
+        }
+        if (regoFiles.length === 0) {
+            throw new Error(`OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(', ')}`);
+        }
+        // Auto-compile .rego -> .wasm
+        return this.compileRego(regoFiles);
+    }
+    /**
+     * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+     *
+     * Caches the compiled bundle based on a content hash of all input .rego files
+     * so subsequent runs skip compilation if policies haven't changed.
+     */
+    compileRego(regoFiles) {
+        // Check that `opa` CLI is available
+        try {
+            (0, child_process_1.execFileSync)('opa', ['version'], { stdio: 'pipe' });
+        }
+        catch {
+            throw new Error('OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\n' +
+                'Or pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz ' +
+                regoFiles.join(' '));
+        }
+        // Compute content hash for cache key
+        const hash = crypto.createHash('sha256');
+        for (const f of regoFiles.sort()) {
+            hash.update(fs.readFileSync(f));
+            hash.update(f); // include filename for disambiguation
+        }
+        const cacheKey = hash.digest('hex').slice(0, 16);
+        const cacheDir = OpaCompiler.CACHE_DIR;
+        const cachedWasm = path.join(cacheDir, `${cacheKey}.wasm`);
+        // Return cached bundle if still valid
+        if (fs.existsSync(cachedWasm)) {
+            return fs.readFileSync(cachedWasm);
+        }
+        // Compile to WASM via opa build
+        fs.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        try {
+            const args = [
+                'build',
+                '-t',
+                'wasm',
+                '-e',
+                'visor', // entrypoint: the visor package tree
+                '-o',
+                bundleTar,
+                ...regoFiles,
+            ];
+            (0, child_process_1.execFileSync)('opa', args, {
+                stdio: 'pipe',
+                timeout: 30000,
+            });
+        }
+        catch (err) {
+            const stderr = err?.stderr?.toString() || '';
+            throw new Error(`Failed to compile .rego files to WASM:\n${stderr}\n` +
+                'Ensure your .rego files are valid and the `opa` CLI is installed.');
+        }
+        // Extract policy.wasm from the tar.gz bundle
+        // OPA bundles are tar.gz with /policy.wasm inside
+        try {
+            (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, '/policy.wasm'], {
+                stdio: 'pipe',
+            });
+            const extractedWasm = path.join(cacheDir, 'policy.wasm');
+            if (fs.existsSync(extractedWasm)) {
+                // Move to cache-key named file
+                fs.renameSync(extractedWasm, cachedWasm);
+            }
+        }
+        catch {
+            // Some tar implementations don't like leading /
+            try {
+                (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, 'policy.wasm'], {
+                    stdio: 'pipe',
+                });
+                const extractedWasm = path.join(cacheDir, 'policy.wasm');
+                if (fs.existsSync(extractedWasm)) {
+                    fs.renameSync(extractedWasm, cachedWasm);
+                }
+            }
+            catch (err2) {
+                throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
+            }
+        }
+        // Clean up tar
+        try {
+            fs.unlinkSync(bundleTar);
+        }
+        catch { }
+        if (!fs.existsSync(cachedWasm)) {
+            throw new Error('OPA build succeeded but policy.wasm was not found in the bundle');
+        }
+        return fs.readFileSync(cachedWasm);
+    }
+}
+exports.OpaCompiler = OpaCompiler;
+
+
+/***/ }),
+
+/***/ 44693:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaHttpEvaluator = void 0;
+/**
+ * OPA HTTP Evaluator - evaluates policies via an external OPA server's REST API.
+ *
+ * Uses the built-in `fetch` API (Node 18+), so no extra dependencies are needed.
+ */
+class OpaHttpEvaluator {
+    baseUrl;
+    timeout;
+    constructor(baseUrl, timeout = 5000) {
+        // Validate URL format and protocol
+        let parsed;
+        try {
+            parsed = new URL(baseUrl);
+        }
+        catch {
+            throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
+        }
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            throw new Error(`OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`);
+        }
+        // Block cloud metadata, loopback, link-local, and private network addresses
+        const hostname = parsed.hostname;
+        if (this.isBlockedHostname(hostname)) {
+            throw new Error(`OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`);
+        }
+        // Normalize: strip trailing slash
+        this.baseUrl = baseUrl.replace(/\/+$/, '');
+        this.timeout = timeout;
+    }
+    /**
+     * Check if a hostname is blocked due to SSRF concerns.
+     *
+     * Blocks:
+     * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+     * - Link-local addresses (169.254.x.x)
+     * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+     * - IPv6 unique local addresses (fd00::/8)
+     * - Cloud metadata services (*.internal)
+     */
+    isBlockedHostname(hostname) {
+        if (!hostname)
+            return true; // block empty hostnames
+        // Normalize hostname: lowercase and remove brackets for IPv6
+        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, '');
+        // Block .internal domains (cloud metadata services)
+        if (normalized === 'metadata.google.internal' || normalized.endsWith('.internal')) {
+            return true;
+        }
+        // Block localhost variants
+        if (normalized === 'localhost' || normalized === 'localhost.localdomain') {
+            return true;
+        }
+        // Block IPv6 loopback
+        if (normalized === '::1' || normalized === '0:0:0:0:0:0:0:1') {
+            return true;
+        }
+        // Check IPv4 patterns
+        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = normalized.match(ipv4Pattern);
+        if (ipv4Match) {
+            const octets = ipv4Match.slice(1, 5).map(Number);
+            // Validate octets are in range [0, 255]
+            if (octets.some(octet => octet > 255)) {
+                return false;
+            }
+            const [a, b] = octets;
+            // Block loopback: 127.0.0.0/8
+            if (a === 127) {
+                return true;
+            }
+            // Block 0.0.0.0/8 (this host)
+            if (a === 0) {
+                return true;
+            }
+            // Block link-local: 169.254.0.0/16
+            if (a === 169 && b === 254) {
+                return true;
+            }
+            // Block private networks
+            // 10.0.0.0/8
+            if (a === 10) {
+                return true;
+            }
+            // 172.16.0.0/12 (172.16.x.x through 172.31.x.x)
+            if (a === 172 && b >= 16 && b <= 31) {
+                return true;
+            }
+            // 192.168.0.0/16
+            if (a === 192 && b === 168) {
+                return true;
+            }
+        }
+        // Check IPv6 patterns
+        // Block unique local addresses: fd00::/8
+        if (normalized.startsWith('fd') || normalized.startsWith('fc')) {
+            return true;
+        }
+        // Block link-local: fe80::/10
+        if (normalized.startsWith('fe80:')) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Evaluate a policy rule against an input document via OPA REST API.
+     *
+     * @param input - The input document to evaluate
+     * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+     * @returns The result object from OPA, or undefined on error
+     */
+    async evaluate(input, rulePath) {
+        // OPA Data API: POST /v1/data/<path>
+        const encodedPath = rulePath
+            .split('/')
+            .map(s => encodeURIComponent(s))
+            .join('/');
+        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ input }),
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
+            }
+            let body;
+            try {
+                body = await response.json();
+            }
+            catch (jsonErr) {
+                throw new Error(`OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`);
+            }
+            // OPA returns { result: { ... } }
+            return body?.result;
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    async shutdown() {
+        // No persistent connections to close
+    }
+}
+exports.OpaHttpEvaluator = OpaHttpEvaluator;
+
+
+/***/ }),
+
+/***/ 39530:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaPolicyEngine = void 0;
+const opa_wasm_evaluator_1 = __nccwpck_require__(8613);
+const opa_http_evaluator_1 = __nccwpck_require__(44693);
+const policy_input_builder_1 = __nccwpck_require__(17117);
+/**
+ * Enterprise OPA Policy Engine.
+ *
+ * Wraps both WASM (local) and HTTP (remote) OPA evaluators behind the
+ * OSS PolicyEngine interface. All OPA input building and role resolution
+ * is handled internally — the OSS call sites pass only plain types.
+ */
+class OpaPolicyEngine {
+    evaluator = null;
+    fallback;
+    timeout;
+    config;
+    inputBuilder = null;
+    logger = null;
+    constructor(config) {
+        this.config = config;
+        this.fallback = config.fallback || 'deny';
+        this.timeout = config.timeout || 5000;
+    }
+    async initialize(config) {
+        // Resolve logger once at initialization
+        try {
+            this.logger = (__nccwpck_require__(86999).logger);
+        }
+        catch {
+            // logger not available in this context
+        }
+        // Build actor/repo context from environment (available at engine init time)
+        const actor = {
+            authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
+            login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
+            isLocalMode: !process.env.GITHUB_ACTIONS,
+        };
+        const repo = {
+            owner: process.env.GITHUB_REPOSITORY_OWNER,
+            name: process.env.GITHUB_REPOSITORY?.split('/')[1],
+            branch: process.env.GITHUB_HEAD_REF,
+            baseBranch: process.env.GITHUB_BASE_REF,
+            event: process.env.GITHUB_EVENT_NAME,
+        };
+        const prNum = process.env.GITHUB_PR_NUMBER
+            ? parseInt(process.env.GITHUB_PR_NUMBER, 10)
+            : undefined;
+        const pullRequest = {
+            number: prNum !== undefined && Number.isFinite(prNum) ? prNum : undefined,
+        };
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(config, actor, repo, pullRequest);
+        if (config.engine === 'local') {
+            if (!config.rules) {
+                throw new Error('OPA local mode requires `policy.rules` path to .wasm or .rego files');
+            }
+            const wasm = new opa_wasm_evaluator_1.OpaWasmEvaluator();
+            await wasm.initialize(config.rules);
+            if (config.data) {
+                wasm.loadData(config.data);
+            }
+            this.evaluator = wasm;
+        }
+        else if (config.engine === 'remote') {
+            if (!config.url) {
+                throw new Error('OPA remote mode requires `policy.url` pointing to OPA server');
+            }
+            this.evaluator = new opa_http_evaluator_1.OpaHttpEvaluator(config.url, this.timeout);
+        }
+        else {
+            this.evaluator = null;
+        }
+    }
+    /**
+     * Update actor/repo/PR context (e.g., after PR info becomes available).
+     * Called by the enterprise loader when engine context is enriched.
+     */
+    setActorContext(actor, repo, pullRequest) {
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(this.config, actor, repo, pullRequest);
+    }
+    async evaluateCheckExecution(checkId, checkConfig) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const cfg = checkConfig && typeof checkConfig === 'object'
+            ? checkConfig
+            : {};
+        const policyOverride = cfg.policy;
+        const input = this.inputBuilder.forCheckExecution({
+            id: checkId,
+            type: cfg.type || 'ai',
+            group: cfg.group,
+            tags: cfg.tags,
+            criticality: cfg.criticality,
+            sandbox: cfg.sandbox,
+            policy: policyOverride,
+        });
+        return this.doEvaluate(input, this.resolveRulePath('check.execute', policyOverride?.rule));
+    }
+    async evaluateToolInvocation(serverName, methodName, transport) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
+        return this.doEvaluate(input, 'visor/tool/invoke');
+    }
+    async evaluateCapabilities(checkId, capabilities) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
+        return this.doEvaluate(input, 'visor/capability/resolve');
+    }
+    async shutdown() {
+        if (this.evaluator && 'shutdown' in this.evaluator) {
+            await this.evaluator.shutdown();
+        }
+        this.evaluator = null;
+        this.inputBuilder = null;
+    }
+    resolveRulePath(defaultScope, override) {
+        if (override) {
+            return override.startsWith('visor/') ? override : `visor/${override}`;
+        }
+        return `visor/${defaultScope.replace(/\./g, '/')}`;
+    }
+    async doEvaluate(input, rulePath) {
+        try {
+            this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
+            let timer;
+            const timeoutPromise = new Promise((_resolve, reject) => {
+                timer = setTimeout(() => reject(new Error('policy evaluation timeout')), this.timeout);
+            });
+            try {
+                const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
+                const decision = this.parseDecision(result);
+                // In warn mode, override denied decisions to allowed but flag as warn
+                if (!decision.allowed && this.fallback === 'warn') {
+                    decision.allowed = true;
+                    decision.warn = true;
+                    decision.reason = `audit: ${decision.reason || 'policy denied'}`;
+                }
+                this.logger?.debug(`[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || 'none'}`);
+                return decision;
+            }
+            finally {
+                if (timer)
+                    clearTimeout(timer);
+            }
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: `policy evaluation failed, fallback=${this.fallback}`,
+            };
+        }
+    }
+    async rawEvaluate(input, rulePath) {
+        if (this.evaluator instanceof opa_wasm_evaluator_1.OpaWasmEvaluator) {
+            const result = await this.evaluator.evaluate(input);
+            // WASM compiled with `-e visor` entrypoint returns the full visor package tree.
+            // Navigate to the specific rule subtree using rulePath segments.
+            // e.g., 'visor/check/execute' → result.check.execute
+            return this.navigateWasmResult(result, rulePath);
+        }
+        return this.evaluator.evaluate(input, rulePath);
+    }
+    /**
+     * Navigate nested OPA WASM result tree to reach the specific rule's output.
+     * The WASM entrypoint `-e visor` means the result root IS the visor package,
+     * so we strip the `visor/` prefix and walk the remaining segments.
+     */
+    navigateWasmResult(result, rulePath) {
+        if (!result || typeof result !== 'object')
+            return result;
+        // Strip the 'visor/' prefix (matches our compilation entrypoint)
+        const segments = rulePath.replace(/^visor\//, '').split('/');
+        let current = result;
+        for (const seg of segments) {
+            if (current && typeof current === 'object' && seg in current) {
+                current = current[seg];
+            }
+            else {
+                return undefined; // path not found in result tree
+            }
+        }
+        return current;
+    }
+    parseDecision(result) {
+        if (result === undefined || result === null) {
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: this.fallback === 'warn' ? 'audit: no policy result' : 'no policy result',
+            };
+        }
+        const allowed = result.allowed !== false;
+        const decision = {
+            allowed,
+            reason: result.reason,
+        };
+        if (result.capabilities) {
+            decision.capabilities = result.capabilities;
+        }
+        return decision;
+    }
+}
+exports.OpaPolicyEngine = OpaPolicyEngine;
+
+
+/***/ }),
+
+/***/ 8613:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaWasmEvaluator = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const opa_compiler_1 = __nccwpck_require__(628);
+/**
+ * OPA WASM Evaluator - loads and evaluates OPA policies locally.
+ *
+ * Supports three input formats:
+ * 1. Pre-compiled `.wasm` bundle — loaded directly (fastest startup)
+ * 2. `.rego` files or directory — auto-compiled to WASM via `opa build` CLI
+ * 3. Directory with `policy.wasm` inside — loaded directly
+ *
+ * Compilation and caching of .rego files is delegated to {@link OpaCompiler}.
+ *
+ * Requires:
+ * - `@open-policy-agent/opa-wasm` npm package (optional dep)
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaWasmEvaluator {
+    policy = null;
+    dataDocument = {};
+    compiler = new opa_compiler_1.OpaCompiler();
+    async initialize(rulesPath) {
+        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
+        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
+        try {
+            // Use createRequire to load the optional dep at runtime without ncc bundling it.
+            // `new Function('id', 'return require(id)')` fails in ncc bundles because
+            // `require` is not in the `new Function` scope. `createRequire` works correctly
+            // because it creates a real Node.js require rooted at the given path.
+            // eslint-disable-next-line @typescript-eslint/no-var-requires
+            const { createRequire } = __nccwpck_require__(73339);
+            const runtimeRequire = createRequire(__filename);
+            const opaWasm = runtimeRequire('@open-policy-agent/opa-wasm');
+            const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
+            if (!loadPolicy) {
+                throw new Error('loadPolicy not found in @open-policy-agent/opa-wasm');
+            }
+            this.policy = await loadPolicy(wasmBytes);
+        }
+        catch (err) {
+            if (err?.code === 'MODULE_NOT_FOUND' || err?.code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('OPA WASM evaluator requires @open-policy-agent/opa-wasm. ' +
+                    'Install it with: npm install @open-policy-agent/opa-wasm');
+            }
+            throw err;
+        }
+    }
+    /**
+     * Load external data from a JSON file to use as the OPA data document.
+     * The loaded data will be passed to `policy.setData()` during evaluation,
+     * making it available in Rego via `data.<key>`.
+     */
+    loadData(dataPath) {
+        const resolved = path.resolve(dataPath);
+        if (path.normalize(resolved).includes('..')) {
+            throw new Error(`Data path contains traversal sequences: ${dataPath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`OPA data file not found: ${resolved}`);
+        }
+        const stat = fs.statSync(resolved);
+        if (stat.size > 10 * 1024 * 1024) {
+            throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
+        }
+        const raw = fs.readFileSync(resolved, 'utf-8');
+        try {
+            const parsed = JSON.parse(raw);
+            if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+                throw new Error('OPA data file must contain a JSON object (not an array or primitive)');
+            }
+            this.dataDocument = parsed;
+        }
+        catch (err) {
+            if (err.message.startsWith('OPA data file must')) {
+                throw err;
+            }
+            throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
+        }
+    }
+    async evaluate(input) {
+        if (!this.policy) {
+            throw new Error('OPA WASM evaluator not initialized');
+        }
+        this.policy.setData(this.dataDocument);
+        const resultSet = this.policy.evaluate(input);
+        if (Array.isArray(resultSet) && resultSet.length > 0) {
+            return resultSet[0].result;
+        }
+        return undefined;
+    }
+    async shutdown() {
+        if (this.policy) {
+            // opa-wasm policy objects may have a close/free method for WASM cleanup
+            if (typeof this.policy.close === 'function') {
+                try {
+                    this.policy.close();
+                }
+                catch { }
+            }
+            else if (typeof this.policy.free === 'function') {
+                try {
+                    this.policy.free();
+                }
+                catch { }
+            }
+        }
+        this.policy = null;
+    }
+}
+exports.OpaWasmEvaluator = OpaWasmEvaluator;
+
+
+/***/ }),
+
+/***/ 17117:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.PolicyInputBuilder = void 0;
+/**
+ * Builds OPA-compatible input documents from engine context.
+ *
+ * Resolves actor roles from the `policy.roles` config section by matching
+ * the actor's authorAssociation and login against role definitions.
+ */
+class PolicyInputBuilder {
+    roles;
+    actor;
+    repository;
+    pullRequest;
+    constructor(policyConfig, actor, repository, pullRequest) {
+        this.roles = policyConfig.roles || {};
+        this.actor = actor;
+        this.repository = repository;
+        this.pullRequest = pullRequest;
+    }
+    /** Resolve which roles apply to the current actor. */
+    resolveRoles() {
+        const matched = [];
+        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
+            let identityMatch = false;
+            if (roleConfig.author_association &&
+                this.actor.authorAssociation &&
+                roleConfig.author_association.includes(this.actor.authorAssociation)) {
+                identityMatch = true;
+            }
+            if (!identityMatch &&
+                roleConfig.users &&
+                this.actor.login &&
+                roleConfig.users.includes(this.actor.login)) {
+                identityMatch = true;
+            }
+            // Slack user ID match
+            if (!identityMatch &&
+                roleConfig.slack_users &&
+                this.actor.slack?.userId &&
+                roleConfig.slack_users.includes(this.actor.slack.userId)) {
+                identityMatch = true;
+            }
+            // Email match (case-insensitive)
+            if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
+                const actorEmail = this.actor.slack.email.toLowerCase();
+                if (roleConfig.emails.some(e => e.toLowerCase() === actorEmail)) {
+                    identityMatch = true;
+                }
+            }
+            // Note: teams-based role resolution requires GitHub API access (read:org scope)
+            // and is not yet implemented. If configured, the role will not match via teams.
+            if (!identityMatch)
+                continue;
+            // slack_channels gate: if set, the role only applies when triggered from one of these channels
+            if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
+                if (!this.actor.slack?.channelId ||
+                    !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
+                    continue;
+                }
+            }
+            matched.push(roleName);
+        }
+        return matched;
+    }
+    buildActor() {
+        return {
+            authorAssociation: this.actor.authorAssociation,
+            login: this.actor.login,
+            roles: this.resolveRoles(),
+            isLocalMode: this.actor.isLocalMode,
+            ...(this.actor.slack && { slack: this.actor.slack }),
+        };
+    }
+    forCheckExecution(check) {
+        return {
+            scope: 'check.execute',
+            check: {
+                id: check.id,
+                type: check.type,
+                group: check.group,
+                tags: check.tags,
+                criticality: check.criticality,
+                sandbox: check.sandbox,
+                policy: check.policy,
+            },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forToolInvocation(serverName, methodName, transport) {
+        return {
+            scope: 'tool.invoke',
+            tool: { serverName, methodName, transport },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forCapabilityResolve(checkId, capabilities) {
+        return {
+            scope: 'capability.resolve',
+            check: { id: checkId, type: 'ai' },
+            capability: capabilities,
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+}
+exports.PolicyInputBuilder = PolicyInputBuilder;
+
+
+/***/ }),
+
+/***/ 63737:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.KnexStoreBackend = void 0;
+/**
+ * Knex-backed schedule store for PostgreSQL, MySQL, and MSSQL (Enterprise)
+ *
+ * Uses Knex query builder for database-agnostic SQL. Same schema as SQLite backend
+ * but with real distributed locking via row-level claims (claimed_by/claimed_at/lock_token).
+ */
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const uuid_1 = __nccwpck_require__(31914);
+const logger_1 = __nccwpck_require__(86999);
+function toNum(val) {
+    if (val === null || val === undefined)
+        return undefined;
+    return typeof val === 'string' ? parseInt(val, 10) : val;
+}
+function safeJsonParse(value) {
+    if (!value)
+        return undefined;
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        return undefined;
+    }
+}
+function fromTriggerRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        description: row.description ?? undefined,
+        channels: safeJsonParse(row.channels),
+        fromUsers: safeJsonParse(row.from_users),
+        fromBots: row.from_bots === true || row.from_bots === 1,
+        contains: safeJsonParse(row.contains),
+        matchPattern: row.match_pattern ?? undefined,
+        threads: row.threads,
+        workflow: row.workflow,
+        inputs: safeJsonParse(row.inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        enabled: row.enabled === true || row.enabled === 1,
+        createdAt: toNum(row.created_at),
+    };
+}
+function toTriggerInsertRow(trigger) {
+    return {
+        id: trigger.id,
+        creator_id: trigger.creatorId,
+        creator_context: trigger.creatorContext ?? null,
+        creator_name: trigger.creatorName ?? null,
+        description: trigger.description ?? null,
+        channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
+        from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
+        from_bots: trigger.fromBots,
+        contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
+        match_pattern: trigger.matchPattern ?? null,
+        threads: trigger.threads,
+        workflow: trigger.workflow,
+        inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
+        output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
+        status: trigger.status,
+        enabled: trigger.enabled,
+        created_at: trigger.createdAt,
+    };
+}
+function fromDbRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        timezone: row.timezone,
+        schedule: row.schedule_expr,
+        runAt: toNum(row.run_at),
+        isRecurring: row.is_recurring === true || row.is_recurring === 1,
+        originalExpression: row.original_expression,
+        workflow: row.workflow ?? undefined,
+        workflowInputs: safeJsonParse(row.workflow_inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        createdAt: toNum(row.created_at),
+        lastRunAt: toNum(row.last_run_at),
+        nextRunAt: toNum(row.next_run_at),
+        runCount: row.run_count,
+        failureCount: row.failure_count,
+        lastError: row.last_error ?? undefined,
+        previousResponse: row.previous_response ?? undefined,
+    };
+}
+function toInsertRow(schedule) {
+    return {
+        id: schedule.id,
+        creator_id: schedule.creatorId,
+        creator_context: schedule.creatorContext ?? null,
+        creator_name: schedule.creatorName ?? null,
+        timezone: schedule.timezone,
+        schedule_expr: schedule.schedule,
+        run_at: schedule.runAt ?? null,
+        is_recurring: schedule.isRecurring,
+        original_expression: schedule.originalExpression,
+        workflow: schedule.workflow ?? null,
+        workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
+        output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
+        status: schedule.status,
+        created_at: schedule.createdAt,
+        last_run_at: schedule.lastRunAt ?? null,
+        next_run_at: schedule.nextRunAt ?? null,
+        run_count: schedule.runCount,
+        failure_count: schedule.failureCount,
+        last_error: schedule.lastError ?? null,
+        previous_response: schedule.previousResponse ?? null,
+    };
+}
+/**
+ * Enterprise Knex-backed store for PostgreSQL, MySQL, and MSSQL
+ */
+class KnexStoreBackend {
+    knex = null;
+    driver;
+    connection;
+    constructor(driver, storageConfig, _haConfig) {
+        this.driver = driver;
+        this.connection = (storageConfig.connection || {});
+    }
+    async initialize() {
+        // Load knex dynamically
+        const { createRequire } = __nccwpck_require__(73339);
+        const runtimeRequire = createRequire(__filename);
+        let knexFactory;
+        try {
+            knexFactory = runtimeRequire('knex');
+        }
+        catch (err) {
+            const code = err?.code;
+            if (code === 'MODULE_NOT_FOUND' || code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('knex is required for PostgreSQL/MySQL/MSSQL schedule storage. ' +
+                    'Install it with: npm install knex');
+            }
+            throw err;
+        }
+        const clientMap = {
+            postgresql: 'pg',
+            mysql: 'mysql2',
+            mssql: 'tedious',
+        };
+        const client = clientMap[this.driver];
+        // Build connection config
+        let connection;
+        if (this.connection.connection_string) {
+            connection = this.connection.connection_string;
+        }
+        else if (this.driver === 'mssql') {
+            connection = this.buildMssqlConnection();
+        }
+        else {
+            connection = this.buildStandardConnection();
+        }
+        this.knex = knexFactory({
+            client,
+            connection,
+            pool: {
+                min: this.connection.pool?.min ?? 0,
+                max: this.connection.pool?.max ?? 10,
+            },
+        });
+        // Run schema migration
+        await this.migrateSchema();
+        logger_1.logger.info(`[KnexStore] Initialized (${this.driver})`);
+    }
+    buildStandardConnection() {
+        return {
+            host: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            ssl: this.resolveSslConfig(),
+        };
+    }
+    buildMssqlConnection() {
+        const ssl = this.connection.ssl;
+        const sslEnabled = ssl === true || (typeof ssl === 'object' && ssl.enabled !== false);
+        return {
+            server: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            options: {
+                encrypt: sslEnabled,
+                trustServerCertificate: typeof ssl === 'object' ? ssl.reject_unauthorized === false : !sslEnabled,
+            },
+        };
+    }
+    resolveSslConfig() {
+        const ssl = this.connection.ssl;
+        if (ssl === false || ssl === undefined)
+            return false;
+        if (ssl === true)
+            return { rejectUnauthorized: true };
+        // Object config
+        if (ssl.enabled === false)
+            return false;
+        const result = {
+            rejectUnauthorized: ssl.reject_unauthorized !== false,
+        };
+        if (ssl.ca) {
+            const caPath = this.validateSslPath(ssl.ca, 'CA certificate');
+            result.ca = fs.readFileSync(caPath, 'utf8');
+        }
+        if (ssl.cert) {
+            const certPath = this.validateSslPath(ssl.cert, 'client certificate');
+            result.cert = fs.readFileSync(certPath, 'utf8');
+        }
+        if (ssl.key) {
+            const keyPath = this.validateSslPath(ssl.key, 'client key');
+            result.key = fs.readFileSync(keyPath, 'utf8');
+        }
+        return result;
+    }
+    validateSslPath(filePath, label) {
+        const resolved = path.resolve(filePath);
+        if (resolved !== path.normalize(resolved)) {
+            throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`SSL ${label} not found: ${filePath}`);
+        }
+        return resolved;
+    }
+    async shutdown() {
+        if (this.knex) {
+            await this.knex.destroy();
+            this.knex = null;
+        }
+    }
+    async migrateSchema() {
+        const knex = this.getKnex();
+        const exists = await knex.schema.hasTable('schedules');
+        if (!exists) {
+            await knex.schema.createTable('schedules', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.string('timezone', 64).notNullable().defaultTo('UTC');
+                table.string('schedule_expr', 255);
+                table.bigInteger('run_at');
+                table.boolean('is_recurring').notNullable();
+                table.text('original_expression');
+                table.string('workflow', 255);
+                table.text('workflow_inputs');
+                table.text('output_context');
+                table.string('status', 20).notNullable().index();
+                table.bigInteger('created_at').notNullable();
+                table.bigInteger('last_run_at');
+                table.bigInteger('next_run_at');
+                table.integer('run_count').notNullable().defaultTo(0);
+                table.integer('failure_count').notNullable().defaultTo(0);
+                table.text('last_error');
+                table.text('previous_response');
+                table.index(['status', 'next_run_at']);
+            });
+        }
+        // Create message_triggers table
+        const triggersExist = await knex.schema.hasTable('message_triggers');
+        if (!triggersExist) {
+            await knex.schema.createTable('message_triggers', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.text('description');
+                table.text('channels'); // JSON array
+                table.text('from_users'); // JSON array
+                table.boolean('from_bots').notNullable().defaultTo(false);
+                table.text('contains'); // JSON array
+                table.text('match_pattern');
+                table.string('threads', 20).notNullable().defaultTo('any');
+                table.string('workflow', 255).notNullable();
+                table.text('inputs'); // JSON
+                table.text('output_context'); // JSON
+                table.string('status', 20).notNullable().defaultTo('active').index();
+                table.boolean('enabled').notNullable().defaultTo(true);
+                table.bigInteger('created_at').notNullable();
+            });
+        }
+        // Create scheduler_locks table for distributed locking
+        const locksExist = await knex.schema.hasTable('scheduler_locks');
+        if (!locksExist) {
+            await knex.schema.createTable('scheduler_locks', table => {
+                table.string('lock_id', 255).primary();
+                table.string('node_id', 255).notNullable();
+                table.string('lock_token', 36).notNullable();
+                table.bigInteger('acquired_at').notNullable();
+                table.bigInteger('expires_at').notNullable();
+            });
+        }
+    }
+    getKnex() {
+        if (!this.knex) {
+            throw new Error('[KnexStore] Not initialized. Call initialize() first.');
+        }
+        return this.knex;
+    }
+    // --- CRUD ---
+    async create(schedule) {
+        const knex = this.getKnex();
+        const newSchedule = {
+            ...schedule,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+            runCount: 0,
+            failureCount: 0,
+            status: 'active',
+        };
+        await knex('schedules').insert(toInsertRow(newSchedule));
+        logger_1.logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
+        return newSchedule;
+    }
+    async importSchedule(schedule) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', schedule.id).first();
+        if (existing)
+            return; // Already imported (idempotent)
+        await knex('schedules').insert(toInsertRow(schedule));
+    }
+    async get(id) {
+        const knex = this.getKnex();
+        const row = await knex('schedules').where('id', id).first();
+        return row ? fromDbRow(row) : undefined;
+    }
+    async update(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromDbRow(existing);
+        const updated = { ...current, ...patch, id: current.id };
+        const row = toInsertRow(updated);
+        // Remove id from update (PK cannot change)
+        delete row.id;
+        await knex('schedules').where('id', id).update(row);
+        return updated;
+    }
+    async delete(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('schedules').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted schedule ${id}`);
+            return true;
+        }
+        return false;
+    }
+    // --- Queries ---
+    async getByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('creator_id', creatorId);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getActiveSchedules() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('status', 'active');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getDueSchedules(now) {
+        const ts = now ?? Date.now();
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans
+        const bFalse = this.driver === 'mssql' ? 0 : false;
+        const bTrue = this.driver === 'mssql' ? 1 : true;
+        const rows = await knex('schedules')
+            .where('status', 'active')
+            .andWhere(function () {
+            this.where(function () {
+                this.where('is_recurring', bFalse)
+                    .whereNotNull('run_at')
+                    .where('run_at', '<=', ts);
+            }).orWhere(function () {
+                this.where('is_recurring', bTrue)
+                    .whereNotNull('next_run_at')
+                    .where('next_run_at', '<=', ts);
+            });
+        });
+        return rows.map((r) => fromDbRow(r));
+    }
+    async findByWorkflow(creatorId, workflowName) {
+        const knex = this.getKnex();
+        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, '\\$&');
+        const pattern = `%${escaped}%`;
+        const rows = await knex('schedules')
+            .where('creator_id', creatorId)
+            .where('status', 'active')
+            .whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getAll() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getStats() {
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans; PostgreSQL/MySQL accept both true/1
+        const boolTrue = this.driver === 'mssql' ? '1' : 'true';
+        const boolFalse = this.driver === 'mssql' ? '0' : 'false';
+        const result = await knex('schedules')
+            .select(knex.raw('COUNT(*) as total'), knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"), knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"), knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"), knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"), knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`), knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`))
+            .first();
+        return {
+            total: Number(result.total) || 0,
+            active: Number(result.active) || 0,
+            paused: Number(result.paused) || 0,
+            completed: Number(result.completed) || 0,
+            failed: Number(result.failed) || 0,
+            recurring: Number(result.recurring) || 0,
+            oneTime: Number(result.one_time) || 0,
+        };
+    }
+    async validateLimits(creatorId, isRecurring, limits) {
+        const knex = this.getKnex();
+        if (limits.maxGlobal) {
+            const result = await knex('schedules').count('* as cnt').first();
+            if (Number(result?.cnt) >= limits.maxGlobal) {
+                throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
+            }
+        }
+        if (limits.maxPerUser) {
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxPerUser) {
+                throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
+            }
+        }
+        if (isRecurring && limits.maxRecurringPerUser) {
+            const bTrue = this.driver === 'mssql' ? 1 : true;
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .where('is_recurring', bTrue)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
+                throw new Error(`You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`);
+            }
+        }
+    }
+    // --- HA Distributed Locking (via scheduler_locks table) ---
+    async tryAcquireLock(lockId, nodeId, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const token = (0, uuid_1.v4)();
+        // Step 1: Try to claim an existing expired lock
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('expires_at', '<', now)
+            .update({
+            node_id: nodeId,
+            lock_token: token,
+            acquired_at: now,
+            expires_at: expiresAt,
+        });
+        if (updated > 0)
+            return token;
+        // Step 2: Try to INSERT a new lock row
+        try {
+            await knex('scheduler_locks').insert({
+                lock_id: lockId,
+                node_id: nodeId,
+                lock_token: token,
+                acquired_at: now,
+                expires_at: expiresAt,
+            });
+            return token;
+        }
+        catch {
+            // Unique constraint violation — another node holds the lock
+            return null;
+        }
+    }
+    async releaseLock(lockId, lockToken) {
+        const knex = this.getKnex();
+        await knex('scheduler_locks').where('lock_id', lockId).where('lock_token', lockToken).del();
+    }
+    async renewLock(lockId, lockToken, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('lock_token', lockToken)
+            .update({ acquired_at: now, expires_at: expiresAt });
+        return updated > 0;
+    }
+    async flush() {
+        // No-op for server-based backends
+    }
+    // --- Message Trigger CRUD ---
+    async createTrigger(trigger) {
+        const knex = this.getKnex();
+        const newTrigger = {
+            ...trigger,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+        };
+        await knex('message_triggers').insert(toTriggerInsertRow(newTrigger));
+        logger_1.logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
+        return newTrigger;
+    }
+    async getTrigger(id) {
+        const knex = this.getKnex();
+        const row = await knex('message_triggers').where('id', id).first();
+        return row ? fromTriggerRow(row) : undefined;
+    }
+    async updateTrigger(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('message_triggers').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromTriggerRow(existing);
+        const updated = {
+            ...current,
+            ...patch,
+            id: current.id,
+            createdAt: current.createdAt,
+        };
+        const row = toTriggerInsertRow(updated);
+        delete row.id;
+        await knex('message_triggers').where('id', id).update(row);
+        return updated;
+    }
+    async deleteTrigger(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('message_triggers').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted trigger ${id}`);
+            return true;
+        }
+        return false;
+    }
+    async getTriggersByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers').where('creator_id', creatorId);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+    async getActiveTriggers() {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers')
+            .where('status', 'active')
+            .where('enabled', this.driver === 'mssql' ? 1 : true);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+}
+exports.KnexStoreBackend = KnexStoreBackend;
+
+
 /***/ }),
 
 /***/ 83864:
@@ -178117,6 +179921,35 @@ class OutputFormatters {
 exports.OutputFormatters = OutputFormatters;
 
 
+/***/ }),
+
+/***/ 93866:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.DefaultPolicyEngine = void 0;
+/**
+ * Default (no-op) policy engine — always allows everything.
+ * Used when no enterprise license is present or policy is disabled.
+ */
+class DefaultPolicyEngine {
+    async initialize(_config) { }
+    async evaluateCheckExecution(_checkId, _checkConfig) {
+        return { allowed: true };
+    }
+    async evaluateToolInvocation(_serverName, _methodName, _transport) {
+        return { allowed: true };
+    }
+    async evaluateCapabilities(_checkId, _capabilities) {
+        return { allowed: true };
+    }
+    async shutdown() { }
+}
+exports.DefaultPolicyEngine = DefaultPolicyEngine;
+
+
 /***/ }),
 
 /***/ 96611:
@@ -178585,10 +180418,12 @@ const file_exclusion_1 = __nccwpck_require__(69342);
 class PRAnalyzer {
     octokit;
     maxRetries;
+    baseDelay;
     fileExclusionHelper;
-    constructor(octokit, maxRetries = 3, workingDirectory = path.resolve(process.cwd())) {
+    constructor(octokit, maxRetries = 3, workingDirectory = path.resolve(process.cwd()), baseDelay = 1000) {
         this.octokit = octokit;
         this.maxRetries = maxRetries;
+        this.baseDelay = baseDelay;
         this.fileExclusionHelper = new file_exclusion_1.FileExclusionHelper(workingDirectory);
     }
     /**
@@ -178780,7 +180615,7 @@ class PRAnalyzer {
                 }
                 // Check if this is a retryable error
                 if (this.isRetryableError(error)) {
-                    const delay = Math.min(1000 * Math.pow(2, attempt), 5000); // Exponential backoff, max 5s
+                    const delay = Math.min(this.baseDelay * Math.pow(2, attempt), this.baseDelay * 5); // Exponential backoff
                     await new Promise(resolve => setTimeout(resolve, delay));
                 }
                 else {
@@ -185511,6 +187346,7 @@ const liquid_extensions_1 = __nccwpck_require__(33042);
 const env_resolver_1 = __nccwpck_require__(58749);
 const sandbox_1 = __nccwpck_require__(12630);
 const template_context_1 = __nccwpck_require__(1581);
+const oauth2_token_cache_1 = __nccwpck_require__(34713);
 const logger_1 = __nccwpck_require__(86999);
 const fs = __importStar(__nccwpck_require__(79896));
 const path = __importStar(__nccwpck_require__(16928));
@@ -185542,13 +187378,15 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
         if (cfg.type !== 'http_client') {
             return false;
         }
-        // Must have URL specified
-        if (typeof cfg.url !== 'string' || !cfg.url) {
+        // Must have either `url` or `base_url` specified
+        const hasUrl = typeof cfg.url === 'string' && cfg.url;
+        const hasBaseUrl = typeof cfg.base_url === 'string' && cfg.base_url;
+        if (!hasUrl && !hasBaseUrl) {
             return false;
         }
-        // Validate URL format
+        // Validate URL format (check whichever is provided)
         try {
-            new URL(cfg.url);
+            new URL((hasUrl ? cfg.url : cfg.base_url));
             return true;
         }
         catch {
@@ -185556,13 +187394,34 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
         }
     }
     async execute(prInfo, config, dependencyResults, context) {
-        const url = config.url;
+        const baseUrl = config.base_url;
+        const rawPath = config.path;
+        const pathParams = config.params || {};
+        const queryParams = config.query || {};
+        const authConfig = config.auth;
+        // Build URL: either direct `url` or `base_url` + `path` with param substitution
+        let url;
+        if (baseUrl && rawPath) {
+            // Substitute {param} placeholders in path
+            let resolvedPath = rawPath;
+            for (const [key, value] of Object.entries(pathParams)) {
+                resolvedPath = resolvedPath.replace(`{${key}}`, encodeURIComponent(value));
+            }
+            url = `${baseUrl.replace(/\/+$/, '')}/${resolvedPath.replace(/^\/+/, '')}`;
+            // Append query parameters
+            if (Object.keys(queryParams).length > 0) {
+                const qs = new URLSearchParams(queryParams).toString();
+                url += `${url.includes('?') ? '&' : '?'}${qs}`;
+            }
+        }
+        else {
+            url = config.url;
+        }
         const method = config.method || 'GET';
         const headers = config.headers || {};
         const timeout = config.timeout || 30000;
         const transform = config.transform;
         const transformJs = config.transform_js;
-        const bodyTemplate = config.body;
         const outputFileTemplate = config.output_file;
         const skipIfExists = config.skip_if_exists !== false; // Default true for caching
         // Track resolved URL for error messages
@@ -185583,9 +187442,14 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
                 renderedUrl = await this.liquid.parseAndRender(renderedUrl, templateContext);
                 resolvedUrlForErrors = renderedUrl; // Update after Liquid rendering
             }
-            // Prepare request body if provided
+            // Prepare request body — supports both Liquid template strings and JSON objects
             let requestBody;
-            if (bodyTemplate) {
+            const rawBody = config.body;
+            const bodyTemplate = typeof rawBody === 'string' ? rawBody : undefined;
+            if (rawBody && typeof rawBody === 'object') {
+                requestBody = JSON.stringify(rawBody);
+            }
+            else if (bodyTemplate) {
                 // First resolve shell-style environment variables
                 let resolvedBody = String(env_resolver_1.EnvironmentResolver.resolveValue(bodyTemplate));
                 // Then render Liquid templates if present
@@ -185611,6 +187475,12 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
                     logger_1.logger.verbose(`[http_client] ${key}: ${maskedValue}`);
                 }
             }
+            // Inject OAuth2 Bearer token if auth config is provided
+            if (authConfig?.type === 'oauth2_client_credentials') {
+                const tokenCache = oauth2_token_cache_1.OAuth2TokenCache.getInstance();
+                const token = await tokenCache.getToken(authConfig);
+                resolvedHeaders['Authorization'] = `Bearer ${token}`;
+            }
             // Resolve output_file path if specified
             let resolvedOutputFile;
             if (outputFileTemplate) {
@@ -185908,6 +187778,11 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
         return [
             'type',
             'url',
+            'base_url',
+            'path',
+            'params',
+            'query',
+            'auth',
             'method',
             'headers',
             'body',
@@ -198589,6 +200464,9 @@ class SlackSocketRunner {
     genericScheduler;
     messageTriggerEvaluator;
     activeThreads = new Set();
+    heartbeatTimer;
+    lastPong = 0;
+    closing = false; // prevent duplicate reconnects
     constructor(engine, cfg, opts) {
         const app = opts.appToken || process.env.SLACK_APP_TOKEN || '';
         if (!app)
@@ -198779,21 +200657,93 @@ class SlackSocketRunner {
         return json.url;
     }
     async connect(url) {
-        this.ws = new ws_1.default(url);
-        this.ws.on('open', () => {
+        // Close previous WebSocket to prevent ghost event handlers
+        this.closeWebSocket();
+        const ws = new ws_1.default(url);
+        this.ws = ws;
+        this.closing = false;
+        ws.on('open', () => {
             this.retryCount = 0; // Reset on successful connection
+            this.lastPong = Date.now();
             logger_1.logger.info('[SlackSocket] WebSocket connected');
+            this.startHeartbeat();
         });
-        this.ws.on('close', (code, reason) => {
+        ws.on('close', (code, reason) => {
             logger_1.logger.warn(`[SlackSocket] WebSocket closed: ${code} ${reason}`);
-            setTimeout(() => this.restart().catch(() => { }), 1000);
+            this.stopHeartbeat();
+            // Only reconnect if this is still the active WebSocket
+            if (this.ws === ws && !this.closing) {
+                this.closing = true;
+                setTimeout(() => this.restart(), 1000);
+            }
         });
-        this.ws.on('error', err => {
+        ws.on('error', err => {
             logger_1.logger.error(`[SlackSocket] WebSocket error: ${err}`);
         });
-        this.ws.on('message', data => this.handleMessage(data.toString()).catch(() => { }));
+        ws.on('pong', () => {
+            this.lastPong = Date.now();
+        });
+        ws.on('message', data => this.handleMessage(data.toString()).catch(() => { }));
+    }
+    /**
+     * Close the current WebSocket connection and stop heartbeat.
+     * Safe to call multiple times.
+     */
+    closeWebSocket() {
+        this.stopHeartbeat();
+        if (this.ws) {
+            const old = this.ws;
+            this.ws = undefined;
+            try {
+                // Remove listeners to prevent ghost close/message handlers
+                old.removeAllListeners();
+                old.close();
+            }
+            catch {
+                // best effort
+            }
+        }
+    }
+    /**
+     * Start periodic WebSocket ping to detect dead connections.
+     * If no pong is received within 60s, force a reconnect.
+     */
+    startHeartbeat() {
+        this.stopHeartbeat();
+        const PING_INTERVAL_MS = 30_000; // ping every 30s
+        const PONG_TIMEOUT_MS = 60_000; // dead if no pong for 60s
+        this.heartbeatTimer = setInterval(() => {
+            if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+                return;
+            // Check if last pong is stale
+            const sincePong = Date.now() - this.lastPong;
+            if (this.lastPong > 0 && sincePong > PONG_TIMEOUT_MS) {
+                logger_1.logger.warn(`[SlackSocket] No pong received for ${Math.round(sincePong / 1000)}s, forcing reconnect`);
+                this.closeWebSocket();
+                this.closing = true;
+                this.restart();
+                return;
+            }
+            try {
+                this.ws.ping();
+            }
+            catch {
+                // ping failed — connection is likely dead
+                logger_1.logger.warn('[SlackSocket] Ping failed, forcing reconnect');
+                this.closeWebSocket();
+                this.closing = true;
+                this.restart();
+            }
+        }, PING_INTERVAL_MS);
+    }
+    stopHeartbeat() {
+        if (this.heartbeatTimer) {
+            clearInterval(this.heartbeatTimer);
+            this.heartbeatTimer = undefined;
+        }
     }
     async restart() {
+        this.closing = false;
         try {
             const url = await this.openConnection();
             await this.connect(url);
@@ -198803,7 +200753,7 @@ class SlackSocketRunner {
             // Exponential backoff: 2s, 4s, 8s, 16s, 32s, capped at 60s
             const delay = Math.min(2000 * Math.pow(2, this.retryCount - 1), 60000);
             logger_1.logger.error(`[SlackSocket] Restart failed (attempt ${this.retryCount}), retrying in ${Math.round(delay / 1000)}s: ${e instanceof Error ? e.message : e}`);
-            setTimeout(() => this.restart().catch(() => { }), delay);
+            setTimeout(() => this.restart(), delay);
         }
     }
     send(obj) {
@@ -198881,6 +200831,16 @@ class SlackSocketRunner {
             return;
         if (env.envelope_id)
             this.send({ envelope_id: env.envelope_id }); // ack ASAP
+        // Handle Slack disconnect events — proactively reconnect before the connection dies
+        if (env.type === 'disconnect') {
+            const reason = env.reason || 'unknown';
+            logger_1.logger.info(`[SlackSocket] Received disconnect event (reason: ${reason}), reconnecting`);
+            // Slack will close the connection shortly; proactively reconnect now
+            this.closeWebSocket();
+            this.closing = true;
+            this.restart();
+            return;
+        }
         if (env.type !== 'events_api' || !env.payload) {
             if (process.env.VISOR_DEBUG === 'true') {
                 logger_1.logger.debug(`[SlackSocket] Dropping non-events payload: type=${String(env.type || '-')}`);
@@ -199584,17 +201544,10 @@ class SlackSocketRunner {
                 logger_1.logger.warn(`[SlackSocket] Error stopping generic scheduler: ${e instanceof Error ? e.message : e}`);
             }
         }
-        // Close WebSocket connection
-        if (this.ws) {
-            try {
-                this.ws.close();
-                this.ws = undefined;
-                logger_1.logger.info('[SlackSocket] WebSocket closed');
-            }
-            catch {
-                // Best effort
-            }
-        }
+        // Close WebSocket connection and stop heartbeat
+        this.closing = true; // prevent reconnect on close
+        this.closeWebSocket();
+        logger_1.logger.info('[SlackSocket] WebSocket closed');
     }
     /**
      * Get the scheduler instance
@@ -200209,7 +202162,7 @@ class StateMachineExecutionEngine {
             try {
                 logger_1.logger.debug(`[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`);
                 // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7065)));
+                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(87068)));
                 context.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
                 logger_1.logger.debug(`[PolicyEngine] Initialized: ${context.policyEngine?.constructor?.name || 'unknown'}`);
             }
@@ -210483,7 +212436,7 @@ async function initTelemetry(opts = {}) {
                 const path = __nccwpck_require__(16928);
                 const outDir = opts.file?.dir ||
                     process.env.VISOR_TRACE_DIR ||
-                    __nccwpck_require__.ab + "traces";
+                    path.join(process.cwd(), 'output', 'traces');
                 fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
                 process.env.VISOR_FALLBACK_TRACE_FILE = path.join(outDir, `run-${ts}.ndjson`);
@@ -210688,7 +212641,7 @@ async function shutdownTelemetry() {
             if (process.env.VISOR_TRACE_REPORT === 'true') {
                 const fs = __nccwpck_require__(79896);
                 const path = __nccwpck_require__(16928);
-                const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+                const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
                 if (!fs.existsSync(outDir))
                     fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
@@ -211187,7 +213140,7 @@ function __getOrCreateNdjsonPath() {
                 fs.mkdirSync(dir, { recursive: true });
             return __ndjsonPath;
         }
-        const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+        const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
         if (!fs.existsSync(outDir))
             fs.mkdirSync(outDir, { recursive: true });
         if (!__ndjsonPath) {
@@ -221188,6 +223141,130 @@ function emitMermaidFromMarkdown(checkName, markdown, origin) {
 }
 
 
+/***/ }),
+
+/***/ 34713:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OAuth2TokenCache = void 0;
+const logger_1 = __nccwpck_require__(86999);
+const env_resolver_1 = __nccwpck_require__(58749);
+/**
+ * Singleton cache for OAuth2 tokens.
+ *
+ * - Keyed by hash(token_url + client_id) to support multiple providers
+ * - Lazy refresh: only fetches when expired or near-expiry
+ * - Deduplicates concurrent requests: if two calls hit with an expired token,
+ *   both await the same fetch promise
+ */
+class OAuth2TokenCache {
+    static instance;
+    cache = new Map();
+    static getInstance() {
+        if (!OAuth2TokenCache.instance) {
+            OAuth2TokenCache.instance = new OAuth2TokenCache();
+        }
+        return OAuth2TokenCache.instance;
+    }
+    /** Visible for testing */
+    static resetInstance() {
+        OAuth2TokenCache.instance = undefined;
+    }
+    /**
+     * Get a valid Bearer token for the given config.
+     * Returns a cached token if still valid, otherwise fetches a new one.
+     */
+    async getToken(config) {
+        const clientId = String(env_resolver_1.EnvironmentResolver.resolveValue(config.client_id));
+        const clientSecret = String(env_resolver_1.EnvironmentResolver.resolveValue(config.client_secret));
+        const tokenUrl = String(env_resolver_1.EnvironmentResolver.resolveValue(config.token_url));
+        const bufferMs = (config.token_ttl_buffer ?? 300) * 1000;
+        const cacheKey = `${tokenUrl}|${clientId}`;
+        const cached = this.cache.get(cacheKey);
+        // Return cached token if still valid (with buffer)
+        if (cached && cached.expires_at - bufferMs > Date.now()) {
+            logger_1.logger.verbose('[oauth2] Using cached token');
+            return cached.access_token;
+        }
+        // If another request is already refreshing, await it
+        if (cached?.refreshPromise) {
+            logger_1.logger.verbose('[oauth2] Awaiting in-flight token refresh');
+            return cached.refreshPromise;
+        }
+        // Fetch a new token
+        const refreshPromise = this.fetchToken(tokenUrl, clientId, clientSecret, config.scopes);
+        // Store the promise so concurrent callers share it
+        if (cached) {
+            cached.refreshPromise = refreshPromise;
+        }
+        else {
+            this.cache.set(cacheKey, {
+                access_token: '',
+                expires_at: 0,
+                refreshPromise,
+            });
+        }
+        try {
+            const token = await refreshPromise;
+            return token;
+        }
+        finally {
+            // Clear the in-flight promise regardless of outcome
+            const entry = this.cache.get(cacheKey);
+            if (entry) {
+                entry.refreshPromise = undefined;
+            }
+        }
+    }
+    async fetchToken(tokenUrl, clientId, clientSecret, scopes) {
+        logger_1.logger.verbose(`[oauth2] Fetching token from ${tokenUrl}`);
+        const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+        const bodyParams = new URLSearchParams({ grant_type: 'client_credentials' });
+        if (scopes?.length) {
+            bodyParams.set('scope', scopes.join(' '));
+        }
+        const response = await fetch(tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Authorization: `Basic ${credentials}`,
+            },
+            body: bodyParams.toString(),
+        });
+        if (!response.ok) {
+            let errorDetail = '';
+            try {
+                errorDetail = await response.text();
+            }
+            catch { }
+            throw new Error(`OAuth2 token request failed: HTTP ${response.status} ${response.statusText}${errorDetail ? ` - ${errorDetail.substring(0, 200)}` : ''}`);
+        }
+        const data = (await response.json());
+        if (!data.access_token) {
+            throw new Error('OAuth2 token response missing access_token');
+        }
+        // Default to 1 hour if expires_in not provided
+        const expiresIn = data.expires_in ?? 3600;
+        const expiresAt = Date.now() + expiresIn * 1000;
+        const cacheKey = `${tokenUrl}|${clientId}`;
+        this.cache.set(cacheKey, {
+            access_token: data.access_token,
+            expires_at: expiresAt,
+        });
+        logger_1.logger.verbose(`[oauth2] Token acquired, expires in ${expiresIn}s`);
+        return data.access_token;
+    }
+    /** Clear all cached tokens (for testing or credential rotation) */
+    clear() {
+        this.cache.clear();
+    }
+}
+exports.OAuth2TokenCache = OAuth2TokenCache;
+
+
 /***/ }),
 
 /***/ 12630:
@@ -225148,22 +227225,6 @@ class WorkflowRegistry {
 exports.WorkflowRegistry = WorkflowRegistry;
 
 
-/***/ }),
-
-/***/ 7065:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/loader");
-
-
-/***/ }),
-
-/***/ 71370:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/policy/policy-input-builder");
-
-
 /***/ }),
 
 /***/ 18327:
@@ -248108,9 +250169,7 @@ async function acquireFileLock(lockPath, version2) {
   };
   try {
     await import_fs_extra2.default.writeFile(lockPath, JSON.stringify(lockData), { flag: "wx" });
-    if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-      console.log(`Acquired file lock: ${lockPath}`);
-    }
+    console.log(`Acquired file lock: ${lockPath}`);
     return true;
   } catch (error2) {
     if (error2.code === "EEXIST") {
@@ -248118,15 +250177,11 @@ async function acquireFileLock(lockPath, version2) {
         const existingLock = JSON.parse(await import_fs_extra2.default.readFile(lockPath, "utf-8"));
         const lockAge = Date.now() - existingLock.timestamp;
         if (lockAge > LOCK_TIMEOUT_MS) {
-          if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-            console.log(`Removing stale lock file (age: ${Math.round(lockAge / 1e3)}s, pid: ${existingLock.pid})`);
-          }
+          console.log(`Removing stale lock file (age: ${Math.round(lockAge / 1e3)}s, pid: ${existingLock.pid})`);
           await import_fs_extra2.default.remove(lockPath);
           return false;
         }
-        if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-          console.log(`Download in progress by process ${existingLock.pid}, waiting...`);
-        }
+        console.log(`Download in progress by process ${existingLock.pid}, waiting...`);
         return false;
       } catch (readError) {
         if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
@@ -248167,36 +250222,36 @@ async function releaseFileLock(lockPath) {
 }
 async function waitForFileLock(lockPath, binaryPath) {
   const startTime = Date.now();
+  let lastStatusTime = startTime;
+  console.log(`Waiting for file lock to clear: ${lockPath}`);
   while (Date.now() - startTime < MAX_LOCK_WAIT_MS) {
     if (await import_fs_extra2.default.pathExists(binaryPath)) {
-      if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-        console.log(`Binary now available at ${binaryPath}, download completed by another process`);
-      }
+      const waitedSeconds = Math.round((Date.now() - startTime) / 1e3);
+      console.log(`Binary now available at ${binaryPath}, download completed by another process (waited ${waitedSeconds}s)`);
       return true;
     }
     const lockExists = await import_fs_extra2.default.pathExists(lockPath);
     if (!lockExists) {
-      if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-        console.log(`Lock file removed but binary not found - download may have failed`);
-      }
+      console.log(`Lock file removed but binary not found - download may have failed`);
       return false;
     }
     try {
       const lockData = JSON.parse(await import_fs_extra2.default.readFile(lockPath, "utf-8"));
       const lockAge = Date.now() - lockData.timestamp;
       if (lockAge > LOCK_TIMEOUT_MS) {
-        if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-          console.log(`Lock expired (age: ${Math.round(lockAge / 1e3)}s), will retry download`);
-        }
+        console.log(`Lock expired (age: ${Math.round(lockAge / 1e3)}s), will retry download`);
         return false;
       }
     } catch {
     }
+    if (Date.now() - lastStatusTime >= 15e3) {
+      const elapsedSeconds = Math.round((Date.now() - startTime) / 1e3);
+      console.log(`Still waiting for file lock (${elapsedSeconds}s/${MAX_LOCK_WAIT_MS / 1e3}s max)`);
+      lastStatusTime = Date.now();
+    }
     await new Promise((resolve8) => setTimeout(resolve8, LOCK_POLL_INTERVAL_MS));
   }
-  if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-    console.log(`Timeout waiting for file lock`);
-  }
+  console.log(`Timeout waiting for file lock after ${MAX_LOCK_WAIT_MS / 1e3}s`);
   return false;
 }
 async function withDownloadLock(version2, downloadFn) {
@@ -248210,9 +250265,7 @@ async function withDownloadLock(version2, downloadFn) {
       }
       downloadLocks.delete(lockKey);
     } else {
-      if (process.env.DEBUG === "1" || process.env.VERBOSE === "1") {
-        console.log(`Download already in progress in this process for version ${lockKey}, waiting...`);
-      }
+      console.log(`Download already in progress in this process for version ${lockKey}, waiting...`);
       try {
         return await lock.promise;
       } catch (error2) {
@@ -248222,10 +250275,16 @@ async function withDownloadLock(version2, downloadFn) {
       }
     }
   }
+  let timeoutId = null;
   const downloadPromise = Promise.race([
     downloadFn(),
     new Promise(
-      (_, reject2) => setTimeout(() => reject2(new Error(`Download timeout after ${LOCK_TIMEOUT_MS / 1e3}s`)), LOCK_TIMEOUT_MS)
+      (_, reject2) => {
+        timeoutId = setTimeout(() => reject2(new Error(`Download timeout after ${LOCK_TIMEOUT_MS / 1e3}s`)), LOCK_TIMEOUT_MS);
+        if (timeoutId.unref) {
+          timeoutId.unref();
+        }
+      }
     )
   ]);
   downloadLocks.set(lockKey, {
@@ -248236,6 +250295,9 @@ async function withDownloadLock(version2, downloadFn) {
     const result = await downloadPromise;
     return result;
   } finally {
+    if (timeoutId) {
+      clearTimeout(timeoutId);
+    }
     downloadLocks.delete(lockKey);
   }
 }
@@ -283766,14 +285828,14 @@ function resolveTargetPath(target, cwd) {
   }
   return filePart + suffix;
 }
-var import_path5, searchSchema, searchAllSchema, querySchema, extractSchema, delegateSchema, listSkillsSchema, useSkillSchema, listFilesSchema, searchFilesSchema, readImageSchema, bashSchema, analyzeAllSchema, executePlanSchema, cleanupExecutePlanSchema, attemptCompletionSchema, searchDescription, queryDescription, extractDescription, delegateDescription, bashDescription, analyzeAllDescription;
+var import_path5, searchSchema, searchAllSchema, querySchema, extractSchema, delegateSchema, listSkillsSchema, useSkillSchema, listFilesSchema, searchFilesSchema, readImageSchema, bashSchema, analyzeAllSchema, executePlanSchema, cleanupExecutePlanSchema, attemptCompletionSchema, searchDescription, searchDelegateDescription, queryDescription, extractDescription, delegateDescription, bashDescription, analyzeAllDescription;
 var init_common2 = __esm({
   "src/tools/common.js"() {
     "use strict";
     init_zod();
     import_path5 = __nccwpck_require__(16928);
     searchSchema = external_exports.object({
-      query: external_exports.string().describe("Search query with Elasticsearch syntax. Use quotes for exact matches, AND/OR for boolean logic, - for negation."),
+      query: external_exports.string().describe("Search query \u2014 natural language questions or Elasticsearch-style keywords both work. For keywords: use quotes for exact phrases, AND/OR for boolean logic, - for negation. Probe handles stemming and camelCase/snake_case splitting automatically, so do NOT try case or style variations of the same keyword."),
       path: external_exports.string().optional().default(".").describe('Path to search in. For dependencies use "go:github.com/owner/repo", "js:package_name", or "rust:cargo_name" etc.'),
       exact: external_exports.boolean().optional().default(false).describe('Default (false) enables stemming and keyword splitting for exploratory search - "getUserData" matches "get", "user", "data", etc. Set true for precise symbol lookup where "getUserData" matches only "getUserData". Use true when you know the exact symbol name.'),
       maxTokens: external_exports.number().nullable().optional().describe("Maximum tokens to return. Default is 20000. Set to null for unlimited results."),
@@ -283781,7 +285843,7 @@ var init_common2 = __esm({
       nextPage: external_exports.boolean().optional().default(false).describe("Set to true when requesting the next page of results. Requires passing the same session ID from the previous search output.")
     });
     searchAllSchema = external_exports.object({
-      query: external_exports.string().describe("Search query with Elasticsearch syntax. Use quotes for exact matches, AND/OR for boolean logic, - for negation."),
+      query: external_exports.string().describe("Search query \u2014 natural language questions or Elasticsearch-style keywords both work. For keywords: use quotes for exact phrases, AND/OR for boolean logic, - for negation. Probe handles stemming and camelCase/snake_case splitting automatically, so do NOT try case or style variations of the same keyword."),
       path: external_exports.string().optional().default(".").describe("Path to search in."),
       exact: external_exports.boolean().optional().default(false).describe("Use exact matching instead of stemming."),
       maxTokensPerPage: external_exports.number().optional().default(2e4).describe("Tokens per page when paginating. Default 20000."),
@@ -283888,7 +285950,8 @@ var init_common2 = __esm({
         };
       }
     };
-    searchDescription = "Search code in the repository. Free-form questions are accepted, but Elasticsearch-style keyword queries work best. Use this tool first for any code-related questions.";
+    searchDescription = 'Search code in the repository. Free-form questions are accepted, but Elasticsearch-style keyword queries work best. Use this tool first for any code-related questions. NOTE: By default, search handles stemming, case-insensitive matching, and camelCase/snake_case splitting automatically \u2014 do NOT manually try keyword variations like "getAllUsers" then "get_all_users" then "GetAllUsers". One search covers all variations.';
+    searchDelegateDescription = 'Search code in the repository by asking a question. Accepts natural language questions (e.g., "How does authentication work?", "Where is the user validation logic?"). A specialized subagent breaks down your question into targeted keyword searches and returns extracted code blocks. Do NOT formulate keyword queries yourself \u2014 just ask the question naturally.';
     queryDescription = "Search code using ast-grep structural pattern matching. Use this tool to find specific code structures like functions, classes, or methods.";
     extractDescription = "Extract code blocks from files based on file paths and optional line numbers. Use this tool to see complete context after finding relevant files. Line numbers from output can be used with edit start_line/end_line for precise editing.";
     delegateDescription = "Automatically delegate big distinct tasks to specialized probe subagents within the agentic loop. Used by AI agents to break down complex requests into focused, parallel tasks.";
@@ -349208,6 +351271,7 @@ function generateSandboxGlobals(options) {
       executing.add(p5);
       results.push(p5);
       if (executing.size >= mapConcurrency) {
+        console.error(`[map] Concurrency limit reached (${executing.size}/${mapConcurrency}), waiting for a slot...`);
         await Promise.race(executing);
       }
     }
@@ -353437,8 +355501,23 @@ __export(ProbeAgent_exports, {
   ENGINE_ACTIVITY_TIMEOUT_DEFAULT: () => ENGINE_ACTIVITY_TIMEOUT_DEFAULT,
   ENGINE_ACTIVITY_TIMEOUT_MAX: () => ENGINE_ACTIVITY_TIMEOUT_MAX,
   ENGINE_ACTIVITY_TIMEOUT_MIN: () => ENGINE_ACTIVITY_TIMEOUT_MIN,
-  ProbeAgent: () => ProbeAgent
+  ProbeAgent: () => ProbeAgent,
+  debugLogToolResults: () => debugLogToolResults,
+  debugTruncate: () => debugTruncate
 });
+function debugTruncate(s5, limit = 200) {
+  if (s5.length <= limit) return s5;
+  const half = Math.floor(limit / 2);
+  return s5.substring(0, half) + ` ... [${s5.length} chars] ... ` + s5.substring(s5.length - half);
+}
+function debugLogToolResults(toolResults) {
+  if (!toolResults || toolResults.length === 0) return;
+  for (const tr of toolResults) {
+    const argsStr = JSON.stringify(tr.args || {});
+    const resultStr = typeof tr.result === "string" ? tr.result : JSON.stringify(tr.result || "");
+    console.log(`[DEBUG]   tool: ${tr.toolName} | args: ${debugTruncate(argsStr)} | result: ${debugTruncate(resultStr)}`);
+  }
+}
 var import_dotenv, import_anthropic2, import_openai2, import_google2, import_ai4, import_crypto8, import_events4, import_fs10, import_promises6, import_path15, ENGINE_ACTIVITY_TIMEOUT_DEFAULT, ENGINE_ACTIVITY_TIMEOUT_MIN, ENGINE_ACTIVITY_TIMEOUT_MAX, MAX_TOOL_ITERATIONS, MAX_HISTORY_MESSAGES, MAX_IMAGE_FILE_SIZE, ProbeAgent;
 var init_ProbeAgent = __esm({
   "src/agent/ProbeAgent.js"() {
@@ -353558,6 +355637,7 @@ var init_ProbeAgent = __esm({
         this.enableExecutePlan = !!options.enableExecutePlan;
         this.debug = options.debug || process.env.DEBUG === "1";
         this.cancelled = false;
+        this._abortController = new AbortController();
         this.tracer = options.tracer || null;
         this.outline = !!options.outline;
         this.searchDelegate = options.searchDelegate !== void 0 ? !!options.searchDelegate : true;
@@ -353586,6 +355666,7 @@ var init_ProbeAgent = __esm({
         this.completionPrompt = options.completionPrompt || null;
         this.thinkingEffort = options.thinkingEffort || null;
         const effectiveAllowedTools = options.disableTools ? [] : options.allowedTools;
+        this._rawAllowedTools = options.allowedTools;
         this.allowedTools = this._parseAllowedTools(effectiveAllowedTools);
         this.storageAdapter = options.storageAdapter || new InMemoryStorageAdapter();
         this.hooks = new HookManager();
@@ -353728,6 +355809,16 @@ var init_ProbeAgent = __esm({
       _filterMcpTools(mcpToolNames) {
         return mcpToolNames.filter((toolName) => this._isMcpToolAllowed(toolName));
       }
+      /**
+       * Check if query tool was explicitly listed in allowedTools (not via wildcard).
+       * Query (ast-grep) is excluded by default because models struggle with AST pattern syntax.
+       * @returns {boolean}
+       * @private
+       */
+      _isQueryExplicitlyAllowed() {
+        if (!this._rawAllowedTools) return false;
+        return Array.isArray(this._rawAllowedTools) && this._rawAllowedTools.includes("query");
+      }
       /**
        * Check if tracer is AppTracer (expects sessionId as first param) vs SimpleAppTracer
        * @returns {boolean} - True if tracer is AppTracer style (requires sessionId)
@@ -354003,6 +356094,8 @@ var init_ProbeAgent = __esm({
           searchDelegateModel: this.searchDelegateModel,
           delegationManager: this.delegationManager,
           // Per-instance delegation limits
+          parentAbortSignal: this._abortController.signal,
+          // Propagate cancellation to delegations
           outputBuffer: this._outputBuffer,
           concurrencyLimiter: this.concurrencyLimiter,
           // Global AI concurrency limiter
@@ -354019,7 +356112,7 @@ var init_ProbeAgent = __esm({
         if (wrappedTools.searchToolInstance && isToolAllowed("search")) {
           this.toolImplementations.search = wrappedTools.searchToolInstance;
         }
-        if (wrappedTools.queryToolInstance && isToolAllowed("query")) {
+        if (wrappedTools.queryToolInstance && isToolAllowed("query") && this._isQueryExplicitlyAllowed()) {
           this.toolImplementations.query = wrappedTools.queryToolInstance;
         }
         if (wrappedTools.extractToolInstance && isToolAllowed("extract")) {
@@ -354450,6 +356543,15 @@ var init_ProbeAgent = __esm({
         }
         const controller = new AbortController();
         const timeoutState = { timeoutId: null };
+        if (this._abortController.signal.aborted) {
+          controller.abort();
+        } else {
+          const onAgentAbort = () => controller.abort();
+          this._abortController.signal.addEventListener("abort", onAgentAbort, { once: true });
+          controller.signal.addEventListener("abort", () => {
+            this._abortController.signal.removeEventListener("abort", onAgentAbort);
+          }, { once: true });
+        }
         if (this.maxOperationTimeout && this.maxOperationTimeout > 0) {
           timeoutState.timeoutId = setTimeout(() => {
             controller.abort();
@@ -354753,7 +356855,8 @@ var init_ProbeAgent = __esm({
                     allowEdit: this.allowEdit,
                     allowedTools: allowedToolsForDelegate,
                     debug: this.debug,
-                    tracer: this.tracer
+                    tracer: this.tracer,
+                    parentAbortSignal: this._abortController.signal
                   };
                   if (this.debug) {
                     console.log(`[DEBUG] Executing delegate tool`);
@@ -354948,12 +357051,13 @@ var init_ProbeAgent = __esm({
         const toolMap = {
           search: {
             schema: searchSchema,
-            description: "Search code in the repository using keyword queries with Elasticsearch syntax."
-          },
-          query: {
-            schema: querySchema,
-            description: "Search code using ast-grep structural pattern matching."
+            description: this.searchDelegate ? "Search code in the repository by asking a question. Accepts natural language questions \u2014 a subagent breaks them into targeted keyword searches and returns extracted code blocks. Do NOT formulate keyword queries yourself." : "Search code in the repository using keyword queries with Elasticsearch syntax. Handles stemming, case-insensitive matching, and camelCase/snake_case splitting automatically \u2014 do NOT try keyword variations manually."
           },
+          // query tool (ast-grep) removed from AI-facing tools — models struggle with pattern syntax
+          // query: {
+          //   schema: querySchema,
+          //   description: 'Search code using ast-grep structural pattern matching.'
+          // },
           extract: {
             schema: extractSchema,
             description: "Extract code blocks from files based on file paths and optional line numbers."
@@ -355621,25 +357725,27 @@ ${this.architectureContext.content}
         } else {
           systemPrompt += predefinedPrompts["code-explorer"] + "\n\n";
         }
+        const searchToolDesc1 = this.searchDelegate ? '- search: Ask natural language questions to find code (e.g., "How does authentication work?"). A subagent handles keyword searches and returns extracted code blocks. Do NOT formulate keyword queries \u2014 just ask questions.' : "- search: Find code patterns using keyword queries with Elasticsearch syntax. Handles stemming and case variations automatically \u2014 do NOT try manual keyword variations.";
         systemPrompt += `You have access to powerful code search and analysis tools through MCP:
-- search: Find code patterns using semantic search
+${searchToolDesc1}
 - extract: Extract specific code sections with context
-- query: Use AST patterns for structural code matching
 - listFiles: Browse directory contents
 - searchFiles: Find files by name patterns`;
         if (this.enableBash) {
           systemPrompt += `
 - bash: Execute bash commands for system operations`;
         }
-        const searchGuidance = this.searchDelegate ? "1. Start with search to retrieve extracted code blocks" : "1. Start with search to find relevant code patterns";
-        const extractGuidance = this.searchDelegate ? "2. Use extract only if you need more context or a full file" : "2. Use extract to get detailed context when needed";
+        const searchGuidance1 = this.searchDelegate ? "1. Start with search \u2014 ask a question about what you want to understand. It returns extracted code blocks directly." : "1. Start with search to find relevant code patterns. One search per concept is usually enough \u2014 probe handles stemming and case variations.";
+        const extractGuidance1 = this.searchDelegate ? "2. Use extract only if you need more context or a full file" : "2. Use extract to get detailed context when needed";
         systemPrompt += `
 
 When exploring code:
-${searchGuidance}
-${extractGuidance}
+${searchGuidance1}
+${extractGuidance1}
 3. Prefer focused, specific searches over broad queries
-4. Combine multiple tools to build complete understanding`;
+4. Do NOT repeat the same search or try trivial keyword variations \u2014 probe handles stemming and case variations automatically
+5. If 2-3 consecutive searches return no results for a concept, stop searching for it \u2014 the term likely does not exist in that codebase
+6. Combine multiple tools to build complete understanding`;
         if (this.allowedFolders && this.allowedFolders.length > 0) {
           systemPrompt += `
 
@@ -355674,25 +357780,27 @@ Workspace: ${this.allowedFolders.join(", ")}`;
         } else {
           systemPrompt += predefinedPrompts["code-explorer"] + "\n\n";
         }
+        const searchToolDesc2 = this.searchDelegate ? '- search: Ask natural language questions to find code (e.g., "How does authentication work?"). A subagent handles keyword searches and returns extracted code blocks. Do NOT formulate keyword queries \u2014 just ask questions.' : "- search: Find code patterns using keyword queries with Elasticsearch syntax. Handles stemming and case variations automatically \u2014 do NOT try manual keyword variations.";
         systemPrompt += `You have access to powerful code search and analysis tools through MCP:
-- search: Find code patterns using semantic search
+${searchToolDesc2}
 - extract: Extract specific code sections with context
-- query: Use AST patterns for structural code matching
 - listFiles: Browse directory contents
 - searchFiles: Find files by name patterns`;
         if (this.enableBash) {
           systemPrompt += `
 - bash: Execute bash commands for system operations`;
         }
-        const searchGuidance = this.searchDelegate ? "1. Start with search to retrieve extracted code blocks" : "1. Start with search to find relevant code patterns";
-        const extractGuidance = this.searchDelegate ? "2. Use extract only if you need more context or a full file" : "2. Use extract to get detailed context when needed";
+        const searchGuidance2 = this.searchDelegate ? "1. Start with search \u2014 ask a question about what you want to understand. It returns extracted code blocks directly." : "1. Start with search to find relevant code patterns. One search per concept is usually enough \u2014 probe handles stemming and case variations.";
+        const extractGuidance2 = this.searchDelegate ? "2. Use extract only if you need more context or a full file" : "2. Use extract to get detailed context when needed";
         systemPrompt += `
 
 When exploring code:
-${searchGuidance}
-${extractGuidance}
+${searchGuidance2}
+${extractGuidance2}
 3. Prefer focused, specific searches over broad queries
-4. Combine multiple tools to build complete understanding`;
+4. Do NOT repeat the same search or try trivial keyword variations \u2014 probe handles stemming and case variations automatically
+5. If 2-3 consecutive searches return no results for a concept, stop searching for it \u2014 the term likely does not exist in that codebase
+6. Combine multiple tools to build complete understanding`;
         if (this.allowedFolders && this.allowedFolders.length > 0) {
           systemPrompt += `
 
@@ -355743,10 +357851,10 @@ Workspace: ${this.allowedFolders.join(", ")}`;
 Follow these instructions carefully:
 1. Analyze the user's request.
 2. Use the available tools step-by-step to fulfill the request.
-3. You should always prefer the search tool for code-related questions.${this.searchDelegate ? " It already returns extracted code blocks; use extract only to expand context or read full files." : " Read full files only if really necessary."}
+3. You should always prefer the search tool for code-related questions.${this.searchDelegate ? " Ask natural language questions \u2014 the search subagent handles keyword formulation and returns extracted code blocks. Use extract only to expand context or read full files." : " Search handles stemming and case variations automatically \u2014 do NOT try keyword variations manually. Read full files only if really necessary."}
 4. Ensure to get really deep and understand the full picture before answering.
 5. Once the task is fully completed, use the attempt_completion tool to provide the final result.
-6. Prefer concise and focused search queries. Use specific keywords and phrases to narrow down results.${this.allowEdit ? `
+6. ${this.searchDelegate ? "Ask clear, specific questions when searching. Each search should target a distinct concept or question." : "Prefer concise and focused search queries. Use specific keywords and phrases to narrow down results."}${this.allowEdit ? `
 7. When modifying files, choose the appropriate tool:
     - Use 'edit' for all code modifications:
       * PREFERRED: Use start_line (and optionally end_line) for line-targeted editing \u2014 this is the safest and most precise approach.${this.hashLines ? ' Use the line:hash references from extract/search output (e.g. "42:ab") for integrity verification.' : ""} Always use extract first to see line numbers${this.hashLines ? " and hashes" : ""}, then edit by line reference.
@@ -356070,6 +358178,10 @@ You are working with a workspace. Available paths: ${workspaceDesc}
             completionResult = result;
             completionAttempted = true;
           }, toolContext);
+          if (this.debug) {
+            const toolNames = Object.keys(tools2);
+            console.log(`[DEBUG] Agent tools registered (${toolNames.length}): ${toolNames.join(", ")}`);
+          }
           let maxResponseTokens = this.maxResponseTokens;
           if (!maxResponseTokens) {
             maxResponseTokens = 4e3;
@@ -356109,6 +358221,7 @@ You are working with a workspace. Available paths: ${workspaceDesc}
                   }
                   if (this.debug) {
                     console.log(`[DEBUG] Step ${currentIteration}/${maxIterations} finished (reason: ${finishReason}, tools: ${toolResults?.length || 0})`);
+                    debugLogToolResults(toolResults);
                   }
                 }
               };
@@ -356265,6 +358378,7 @@ Double-check your response based on the criteria above. If everything looks good
                   }
                   if (this.debug) {
                     console.log(`[DEBUG] Completion prompt step finished (reason: ${finishReason}, tools: ${toolResults?.length || 0})`);
+                    debugLogToolResults(toolResults);
                   }
                 }
               };
@@ -356975,6 +359089,9 @@ Convert your previous response content into actual JSON data that follows this s
        * Clean up resources (including MCP connections)
        */
       async cleanup() {
+        if (!this._abortController.signal.aborted) {
+          this._abortController.abort();
+        }
         if (this.mcpBridge) {
           try {
             await this.mcpBridge.cleanup();
@@ -356998,14 +359115,25 @@ Convert your previous response content into actual JSON data that follows this s
         this.clearHistory();
       }
       /**
-       * Cancel the current request
+       * Cancel the current request and all in-flight delegations.
+       * Aborts the internal AbortController so streamText, subagents,
+       * and any code checking the signal will stop.
        */
       cancel() {
         this.cancelled = true;
+        this._abortController.abort();
         if (this.debug) {
           console.log(`[DEBUG] Agent cancelled for session ${this.sessionId}`);
         }
       }
+      /**
+       * Get the abort signal for this agent.
+       * Delegations and subagents should check this signal.
+       * @returns {AbortSignal}
+       */
+      get abortSignal() {
+        return this._abortController.signal;
+      }
     };
   }
 });
@@ -357038,12 +359166,17 @@ async function delegate({
   mcpConfigPath = null,
   delegationManager = null,
   // Optional per-instance manager, falls back to default singleton
-  concurrencyLimiter = null
+  concurrencyLimiter = null,
   // Optional global AI concurrency limiter
+  parentAbortSignal = null
+  // Optional AbortSignal from parent to cancel this delegation
 }) {
   if (!task || typeof task !== "string") {
     throw new Error("Task parameter is required and must be a string");
   }
+  if (parentAbortSignal?.aborted) {
+    throw new Error("Delegation cancelled: parent operation was aborted");
+  }
   const hasExplicitTimeout = Object.prototype.hasOwnProperty.call(arguments?.[0] ?? {}, "timeout");
   if (!hasExplicitTimeout) {
     const envTimeoutMs = parseInt(process.env.DELEGATION_TIMEOUT_MS || "", 10);
@@ -357128,12 +359261,37 @@ async function delegate({
     }
     const timeoutPromise = new Promise((_, reject2) => {
       timeoutId = setTimeout(() => {
+        subagent.cancel();
         reject2(new Error(`Delegation timed out after ${timeout} seconds`));
       }, timeout * 1e3);
     });
+    let parentAbortHandler;
+    const parentAbortPromise = new Promise((_, reject2) => {
+      if (parentAbortSignal) {
+        if (parentAbortSignal.aborted) {
+          subagent.cancel();
+          reject2(new Error("Delegation cancelled: parent operation was aborted"));
+          return;
+        }
+        parentAbortHandler = () => {
+          subagent.cancel();
+          reject2(new Error("Delegation cancelled: parent operation was aborted"));
+        };
+        parentAbortSignal.addEventListener("abort", parentAbortHandler, { once: true });
+      }
+    });
     const answerOptions = schema ? { schema } : void 0;
     const answerPromise = answerOptions ? subagent.answer(task, [], answerOptions) : subagent.answer(task);
-    const response = await Promise.race([answerPromise, timeoutPromise]);
+    const racers = [answerPromise, timeoutPromise];
+    if (parentAbortSignal) racers.push(parentAbortPromise);
+    let response;
+    try {
+      response = await Promise.race(racers);
+    } finally {
+      if (parentAbortHandler && parentAbortSignal) {
+        parentAbortSignal.removeEventListener("abort", parentAbortHandler);
+      }
+    }
     if (timeoutId !== null) {
       clearTimeout(timeoutId);
       timeoutId = null;
@@ -357289,10 +359447,9 @@ var init_delegate = __esm({
         if (this.tryAcquire(parentSessionId)) {
           return true;
         }
-        if (debug) {
-          console.error(`[DelegationManager] Slot unavailable (${this.globalActive}/${this.maxConcurrent}), queuing... (queue size: ${this.waitQueue.length}, timeout: ${effectiveTimeout}ms)`);
-        }
+        console.error(`[DelegationManager] Slot unavailable (${this.globalActive}/${this.maxConcurrent}), queuing... (queue size: ${this.waitQueue.length + 1}, timeout: ${effectiveTimeout}ms)`);
         return new Promise((resolve8, reject2) => {
+          const queuedAt = Date.now();
           const entry = {
             resolve: null,
             // Will be wrapped below
@@ -357300,20 +359457,23 @@ var init_delegate = __esm({
             // Will be wrapped below
             parentSessionId,
             debug,
-            queuedAt: Date.now(),
-            timeoutId: null
+            queuedAt,
+            timeoutId: null,
+            reminderId: null
           };
           let settled = false;
           entry.resolve = (value) => {
             if (settled) return;
             settled = true;
             if (entry.timeoutId) clearTimeout(entry.timeoutId);
+            if (entry.reminderId) clearInterval(entry.reminderId);
             resolve8(value);
           };
           entry.reject = (error2) => {
             if (settled) return;
             settled = true;
             if (entry.timeoutId) clearTimeout(entry.timeoutId);
+            if (entry.reminderId) clearInterval(entry.reminderId);
             reject2(error2);
           };
           if (effectiveTimeout > 0) {
@@ -357325,6 +359485,13 @@ var init_delegate = __esm({
               entry.reject(new Error(`Delegation queue timeout: waited ${effectiveTimeout}ms for an available slot`));
             }, effectiveTimeout);
           }
+          entry.reminderId = setInterval(() => {
+            const waitedSeconds = Math.round((Date.now() - queuedAt) / 1e3);
+            console.error(`[DelegationManager] Still waiting for slot (${waitedSeconds}s). ${this.globalActive}/${this.maxConcurrent} active, ${this.waitQueue.length} queued.`);
+          }, 15e3);
+          if (entry.reminderId.unref) {
+            entry.reminderId.unref();
+          }
           this.waitQueue.push(entry);
         });
       }
@@ -357363,18 +359530,14 @@ var init_delegate = __esm({
             const sessionData = this.sessionDelegations.get(parentSessionId);
             const sessionCount = sessionData?.count || 0;
             if (sessionCount >= this.maxPerSession) {
-              if (debug) {
-                console.error(`[DelegationManager] Session limit (${this.maxPerSession}) reached for queued item, rejecting`);
-              }
+              console.error(`[DelegationManager] Session limit (${this.maxPerSession}) reached for queued item, rejecting`);
               toReject.push({ reject: reject2, error: new Error(`Maximum delegations per session (${this.maxPerSession}) reached for session ${parentSessionId}`) });
               continue;
             }
           }
           this._incrementCounters(parentSessionId);
-          if (debug) {
-            const waitTime = Date.now() - queuedAt;
-            console.error(`[DelegationManager] Granted slot from queue (waited ${waitTime}ms). Active: ${this.globalActive}/${this.maxConcurrent}`);
-          }
+          const waitTime = Date.now() - queuedAt;
+          console.error(`[DelegationManager] Granted slot from queue (waited ${waitTime}ms). Active: ${this.globalActive}/${this.maxConcurrent}`);
           toResolve.push(resolve8);
         }
         if (toResolve.length > 0 || toReject.length > 0) {
@@ -357424,6 +359587,9 @@ var init_delegate = __esm({
           if (entry.timeoutId) {
             clearTimeout(entry.timeoutId);
           }
+          if (entry.reminderId) {
+            clearInterval(entry.reminderId);
+          }
           if (entry.reject) {
             entry.reject(new Error("DelegationManager was cleaned up"));
           }
@@ -357546,8 +359712,9 @@ Instructions:
       promptType: "code-researcher",
       allowedTools: ["extract"],
       maxIterations: 5,
-      delegationManager: options.delegationManager
+      delegationManager: options.delegationManager,
       // Per-instance delegation limits
+      parentAbortSignal: options.parentAbortSignal || null
       // timeout removed - inherit default from delegate (300s)
     });
     return { chunk, result };
@@ -357567,16 +359734,12 @@ async function processChunksParallel(chunks, extractionPrompt, maxWorkers, optio
         return result;
       });
       active.add(promise);
-      if (options.debug) {
-        console.error(`[analyze_all] Started processing chunk ${chunk.id}/${chunk.total}`);
-      }
+      console.error(`[analyze_all] Started processing chunk ${chunk.id}/${chunk.total}`);
     }
     if (active.size > 0) {
       const result = await Promise.race(active);
       results.push(result);
-      if (options.debug) {
-        console.error(`[analyze_all] Completed chunk ${result.chunk.id}/${result.chunk.total}`);
-      }
+      console.error(`[analyze_all] Completed chunk ${result.chunk.id}/${result.chunk.total}`);
     }
   }
   results.sort((a5, b5) => a5.chunk.id - b5.chunk.id);
@@ -357646,8 +359809,9 @@ Organize all findings into clear categories with items listed under each.${compl
       promptType: "code-researcher",
       allowedTools: [],
       maxIterations: 5,
-      delegationManager: options.delegationManager
+      delegationManager: options.delegationManager,
       // Per-instance delegation limits
+      parentAbortSignal: options.parentAbortSignal || null
       // timeout removed - inherit default from delegate (300s)
     });
     return result;
@@ -357711,8 +359875,9 @@ CRITICAL: Do NOT guess keywords. Actually run searches and see what returns resu
       promptType: "code-researcher",
       // Full tool access for exploration and experimentation
       maxIterations: 15,
-      delegationManager: options.delegationManager
+      delegationManager: options.delegationManager,
       // Per-instance delegation limits
+      parentAbortSignal: options.parentAbortSignal || null
       // timeout removed - inherit default from delegate (300s)
     });
     const plan = parsePlanningResult(stripResultTags(result));
@@ -357769,8 +359934,9 @@ When done, use the attempt_completion tool with your answer as the result.`;
       promptType: "code-researcher",
       allowedTools: [],
       maxIterations: 5,
-      delegationManager: options.delegationManager
+      delegationManager: options.delegationManager,
       // Per-instance delegation limits
+      parentAbortSignal: options.parentAbortSignal || null
       // timeout removed - inherit default from delegate (300s)
     });
     return stripResultTags(result);
@@ -358083,11 +360249,41 @@ function buildSearchDelegateTask({ searchQuery, searchPath, exact, language, all
     "- extract: Verify code snippets to ensure targets are actually relevant before including them.",
     "- listFiles: Understand directory structure to find where relevant code might live.",
     "",
-    "Strategy for complex queries:",
+    "CRITICAL - How probe search works (do NOT ignore):",
+    "- By default (exact=false), probe ALREADY handles stemming, case-insensitive matching, and camelCase/snake_case splitting.",
+    '- Searching "allowed_ips" ALREADY matches "AllowedIPs", "allowedIps", "allowed_ips", etc. Do NOT manually try case/style variations.',
+    '- Searching "getUserData" ALREADY matches "get", "user", "data" and their variations.',
+    "- NEVER repeat the same search query \u2014 you will get the same results.",
+    "- NEVER search trivial variations of the same keyword (e.g., AllowedIPs then allowedIps then allowed_ips). This is wasteful \u2014 probe handles it.",
+    "- If a search returns no results, the term likely does not exist in that path. Try a genuinely DIFFERENT keyword or concept, not a variation.",
+    "- If 2-3 consecutive searches return no results for a concept, STOP searching for it and move on.",
+    "",
+    "GOOD search strategy (do this):",
+    '  Query: "How does authentication work and how are sessions managed?"',
+    '  \u2192 search "authentication" \u2192 search "session management" (two different concepts)',
+    '  Query: "Find the IP allowlist middleware"',
+    '  \u2192 search "allowlist middleware" (one search, probe handles IP/ip/Ip variations)',
+    '  Query: "How does BM25 scoring work with SIMD optimization?"',
+    '  \u2192 search "BM25 scoring" \u2192 search "SIMD optimization" (two different concepts)',
+    "",
+    "BAD search strategy (never do this):",
+    '  \u2192 search "AllowedIPs" \u2192 search "allowedIps" \u2192 search "allowed_ips" (WRONG: these are trivial case variations, probe handles them)',
+    '  \u2192 search "CIDR" \u2192 search "cidr" \u2192 search "Cidr" \u2192 search "*cidr*" (WRONG: same keyword repeated with variations)',
+    '  \u2192 search "error handling" \u2192 search "error handling" \u2192 search "error handling" (WRONG: repeating exact same query)',
+    "",
+    "Keyword tips:",
+    "- Common programming keywords are filtered as stopwords when unquoted: function, class, return, new, struct, impl, var, let, const, etc.",
+    '- Avoid searching for these alone \u2014 combine with a specific term (e.g., "middleware function" is fine, "function" alone is too generic).',
+    '- To bypass stopword filtering: wrap terms in quotes ("return", "struct") or set exact=true. Both disable stemming and splitting too.',
+    "- Multiple words without operators use OR logic: foo bar = foo OR bar. Use AND explicitly if you need both: foo AND bar.",
+    '- camelCase terms are split: getUserData becomes "get", "user", "data" \u2014 so one search covers all naming styles.',
+    "",
+    "Strategy:",
     "1. Analyze the query - identify key concepts, entities, and relationships",
-    '2. Run focused searches for each independent concept (e.g., for "how do payments work and how are emails sent", search "payments" and "emails" separately since they are unrelated)',
-    "3. Use extract to verify relevance of promising results",
-    "4. Combine all relevant targets in your final response",
+    "2. Run ONE focused search per concept with the most natural keyword. Trust probe to handle variations.",
+    "3. If a search returns results, use extract to verify relevance",
+    "4. Only try a different keyword if the first one returned irrelevant results (not if it returned no results \u2014 that means the concept is absent)",
+    "5. Combine all relevant targets in your final response",
     "",
     `Query: ${searchQuery}`,
     `Search path(s): ${searchPath}`,
@@ -358140,9 +360336,12 @@ var init_vercel = __esm({
         }
         return result;
       };
+      const previousSearches = /* @__PURE__ */ new Set();
+      const paginationCounts = /* @__PURE__ */ new Map();
+      const MAX_PAGES_PER_QUERY = 3;
       return (0, import_ai5.tool)({
         name: "search",
-        description: searchDelegate ? `${searchDescription} (delegates code search to a subagent and returns extracted code blocks)` : searchDescription,
+        description: searchDelegate ? searchDelegateDescription : searchDescription,
         inputSchema: searchSchema,
         execute: async ({ query: searchQuery, path: path9, allow_tests, exact, maxTokens: paramMaxTokens, language, session, nextPage }) => {
           const effectiveMaxTokens = paramMaxTokens || maxTokens;
@@ -358180,6 +360379,26 @@ var init_vercel = __esm({
             return await search(searchOptions);
           };
           if (!searchDelegate) {
+            const searchKey = `${searchQuery}::${searchPath}::${exact || false}`;
+            if (!nextPage) {
+              if (previousSearches.has(searchKey)) {
+                if (debug) {
+                  console.error(`[DEDUP] Blocked duplicate search: "${searchQuery}" in "${searchPath}"`);
+                }
+                return "DUPLICATE SEARCH BLOCKED: You already searched for this exact query in this path. Do NOT repeat the same search. If you need more results, set nextPage=true with the session ID from the previous search. Otherwise, try a genuinely different keyword, use extract to examine results you already found, or use attempt_completion if you have enough information.";
+              }
+              previousSearches.add(searchKey);
+              paginationCounts.set(searchKey, 0);
+            } else {
+              const pageCount = (paginationCounts.get(searchKey) || 0) + 1;
+              paginationCounts.set(searchKey, pageCount);
+              if (pageCount > MAX_PAGES_PER_QUERY) {
+                if (debug) {
+                  console.error(`[DEDUP] Blocked excessive pagination (page ${pageCount}/${MAX_PAGES_PER_QUERY}): "${searchQuery}" in "${searchPath}"`);
+                }
+                return `PAGINATION LIMIT REACHED: You have already retrieved ${MAX_PAGES_PER_QUERY} pages of results for this query. You have enough results \u2014 use extract to examine specific files, or use attempt_completion to return your findings.`;
+              }
+            }
             try {
               const result = maybeAnnotate(await runRawSearch());
               if (options.fileTracker && typeof result === "string") {
@@ -358218,7 +360437,8 @@ var init_vercel = __esm({
               promptType: "code-searcher",
               allowedTools: ["search", "extract", "listFiles", "attempt_completion"],
               searchDelegate: false,
-              schema: CODE_SEARCH_SCHEMA
+              schema: CODE_SEARCH_SCHEMA,
+              parentAbortSignal: options.parentAbortSignal || null
             });
             const delegateResult = options.tracer?.withSpan ? await options.tracer.withSpan("search.delegate", runDelegation, {
               "search.query": searchQuery,
@@ -358432,7 +360652,7 @@ var init_vercel = __esm({
         name: "delegate",
         description: delegateDescription,
         inputSchema: delegateSchema,
-        execute: async ({ task, currentIteration, maxIterations, parentSessionId, path: path9, provider, model, tracer, searchDelegate }) => {
+        execute: async ({ task, currentIteration, maxIterations, parentSessionId, path: path9, provider, model, tracer, searchDelegate, parentAbortSignal }) => {
           if (!task || typeof task !== "string") {
             throw new Error("Task parameter is required and must be a non-empty string");
           }
@@ -358490,8 +360710,9 @@ var init_vercel = __esm({
             enableMcp,
             mcpConfig,
             mcpConfigPath,
-            delegationManager
+            delegationManager,
             // Per-instance delegation limits
+            parentAbortSignal
           });
           return result;
         }
@@ -358529,8 +360750,9 @@ var init_vercel = __esm({
               provider: options.provider,
               model: options.model,
               tracer: options.tracer,
-              delegationManager
+              delegationManager,
               // Per-instance delegation limits
+              parentAbortSignal: options.parentAbortSignal || null
             });
             return result;
           } catch (error2) {
@@ -395746,7 +397968,7 @@ module.exports = /*#__PURE__*/JSON.parse('{"100":"Continue","101":"Switching Pro
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.165","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc278","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.42","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc280","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
 
 /***/ })