@probelabs/visor 0.1.165 → 0.1.166-ee

package/dist/sdk/sdk.js

@@ -646,7 +646,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@probelabs/visor",
-      version: "0.1.165",
+      version: "0.1.42",
       main: "dist/index.js",
       bin: {
         visor: "./dist/index.js"
@@ -760,7 +760,7 @@ var require_package = __commonJS({
         "@opentelemetry/sdk-node": "^0.203.0",
         "@opentelemetry/sdk-trace-base": "^1.30.1",
         "@opentelemetry/semantic-conventions": "^1.30.1",
-        "@probelabs/probe": "^0.6.0-rc278",
+        "@probelabs/probe": "^0.6.0-rc280",
         "@types/commander": "^2.12.0",
         "@types/uuid": "^10.0.0",
         acorn: "^8.16.0",
@@ -864,11 +864,11 @@ function getTracer() {
 }
 async function withActiveSpan(name, attrs, fn) {
   const tracer = getTracer();
-  return await new Promise((resolve15, reject) => {
+  return await new Promise((resolve19, reject) => {
     const callback = async (span) => {
       try {
         const res = await fn(span);
-        resolve15(res);
+        resolve19(res);
       } catch (err) {
         try {
           if (err instanceof Error) span.recordException(err);
@@ -945,19 +945,19 @@ function __getOrCreateNdjsonPath() {
   try {
     if (process.env.VISOR_TELEMETRY_SINK && process.env.VISOR_TELEMETRY_SINK !== "file")
       return null;
-    const path27 = require("path");
-    const fs23 = require("fs");
+    const path31 = require("path");
+    const fs27 = require("fs");
     if (process.env.VISOR_FALLBACK_TRACE_FILE) {
       __ndjsonPath = process.env.VISOR_FALLBACK_TRACE_FILE;
-      const dir = path27.dirname(__ndjsonPath);
-      if (!fs23.existsSync(dir)) fs23.mkdirSync(dir, { recursive: true });
+      const dir = path31.dirname(__ndjsonPath);
+      if (!fs27.existsSync(dir)) fs27.mkdirSync(dir, { recursive: true });
       return __ndjsonPath;
     }
-    const outDir = process.env.VISOR_TRACE_DIR || path27.join(process.cwd(), "output", "traces");
-    if (!fs23.existsSync(outDir)) fs23.mkdirSync(outDir, { recursive: true });
+    const outDir = process.env.VISOR_TRACE_DIR || path31.join(process.cwd(), "output", "traces");
+    if (!fs27.existsSync(outDir)) fs27.mkdirSync(outDir, { recursive: true });
     if (!__ndjsonPath) {
       const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      __ndjsonPath = path27.join(outDir, `${ts}.ndjson`);
+      __ndjsonPath = path31.join(outDir, `${ts}.ndjson`);
     }
     return __ndjsonPath;
   } catch {
@@ -966,11 +966,11 @@ function __getOrCreateNdjsonPath() {
 }
 function _appendRunMarker() {
   try {
-    const fs23 = require("fs");
+    const fs27 = require("fs");
     const p = __getOrCreateNdjsonPath();
     if (!p) return;
     const line = { name: "visor.run", attributes: { started: true } };
-    fs23.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
+    fs27.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
   } catch {
   }
 }
@@ -3193,7 +3193,7 @@ var init_failure_condition_evaluator = __esm({
        */
       evaluateExpression(condition, context2) {
         try {
-          const normalize4 = (expr) => {
+          const normalize8 = (expr) => {
             const trimmed = expr.trim();
             if (!/[\n;]/.test(trimmed)) return trimmed;
             const parts = trimmed.split(/[\n;]+/).map((s) => s.trim()).filter((s) => s.length > 0 && !s.startsWith("//"));
@@ -3351,7 +3351,7 @@ var init_failure_condition_evaluator = __esm({
           try {
             exec2 = this.sandbox.compile(`return (${raw});`);
           } catch {
-            const normalizedExpr = normalize4(condition);
+            const normalizedExpr = normalize8(condition);
             exec2 = this.sandbox.compile(`return (${normalizedExpr});`);
           }
           const result = exec2(scope).run();
@@ -3734,9 +3734,9 @@ function configureLiquidWithExtensions(liquid) {
   });
   liquid.registerFilter("get", (obj, pathExpr) => {
     if (obj == null) return void 0;
-    const path27 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
-    if (!path27) return obj;
-    const parts = path27.split(".");
+    const path31 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
+    if (!path31) return obj;
+    const parts = path31.split(".");
     let cur = obj;
     for (const p of parts) {
       if (cur == null) return void 0;
@@ -3855,9 +3855,9 @@ function configureLiquidWithExtensions(liquid) {
           }
         }
         const defaultRole = typeof rolesCfg.default === "string" && rolesCfg.default.trim() ? rolesCfg.default.trim() : void 0;
-        const getNested = (obj, path27) => {
-          if (!obj || !path27) return void 0;
-          const parts = path27.split(".");
+        const getNested = (obj, path31) => {
+          if (!obj || !path31) return void 0;
+          const parts = path31.split(".");
           let cur = obj;
           for (const p of parts) {
             if (cur == null) return void 0;
@@ -6409,8 +6409,8 @@ var init_dependency_gating = __esm({
 async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs23 = await import("fs/promises");
-    const path27 = await import("path");
+    const fs27 = await import("fs/promises");
+    const path31 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" ? schemaRaw : "code-review";
     let templateContent;
@@ -6418,24 +6418,24 @@ async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
       templateContent = String(checkConfig.template.content);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path27.resolve(process.cwd(), file);
-      templateContent = await fs23.readFile(resolved, "utf-8");
+      const resolved = path31.resolve(process.cwd(), file);
+      templateContent = await fs27.readFile(resolved, "utf-8");
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path27.join(__dirname, "output", sanitized, "template.liquid"),
+          path31.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path27.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path31.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source: output/
-          path27.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path31.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path27.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path31.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs23.readFile(p, "utf-8");
+            templateContent = await fs27.readFile(p, "utf-8");
             if (templateContent) break;
           } catch {
           }
@@ -6840,7 +6840,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs23 = require("fs");
+    const fs27 = require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path6.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -6851,7 +6851,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs23.existsSync(candidatePath)) {
+      if (fs27.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -6958,7 +6958,7 @@ async function renderMermaidToPng(mermaidCode) {
     if (chromiumPath) {
       env.PUPPETEER_EXECUTABLE_PATH = chromiumPath;
     }
-    const result = await new Promise((resolve15) => {
+    const result = await new Promise((resolve19) => {
       const proc = (0, import_child_process.spawn)(
         "npx",
         [
@@ -6988,13 +6988,13 @@ async function renderMermaidToPng(mermaidCode) {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve15({ success: true });
+          resolve19({ success: true });
         } else {
-          resolve15({ success: false, error: stderr || `Exit code ${code}` });
+          resolve19({ success: false, error: stderr || `Exit code ${code}` });
         }
       });
       proc.on("error", (err) => {
-        resolve15({ success: false, error: err.message });
+        resolve19({ success: false, error: err.message });
       });
     });
     if (!result.success) {
@@ -8156,8 +8156,8 @@ ${schemaString}`);
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs23 = require("fs");
-              const path27 = require("path");
+              const fs27 = require("fs");
+              const path31 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const provider = this.config.provider || "auto";
               const model = this.config.model || "default";
@@ -8271,20 +8271,20 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path27.join(process.cwd(), "debug-artifacts");
-              if (!fs23.existsSync(debugArtifactsDir)) {
-                fs23.mkdirSync(debugArtifactsDir, { recursive: true });
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path31.join(process.cwd(), "debug-artifacts");
+              if (!fs27.existsSync(debugArtifactsDir)) {
+                fs27.mkdirSync(debugArtifactsDir, { recursive: true });
               }
-              const debugFile = path27.join(
+              const debugFile = path31.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.json`
               );
-              fs23.writeFileSync(debugFile, debugJson, "utf-8");
-              const readableFile = path27.join(
+              fs27.writeFileSync(debugFile, debugJson, "utf-8");
+              const readableFile = path31.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.txt`
               );
-              fs23.writeFileSync(readableFile, readableVersion, "utf-8");
+              fs27.writeFileSync(readableFile, readableVersion, "utf-8");
               log(`
 \u{1F4BE} Full debug info saved to:`);
               log(`   JSON: ${debugFile}`);
@@ -8317,8 +8317,8 @@ ${"=".repeat(60)}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs23 = require("fs");
-              const path27 = require("path");
+              const fs27 = require("fs");
+              const path31 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny2 = agent;
               let fullHistory = [];
@@ -8329,8 +8329,8 @@ ${"=".repeat(60)}
               } else if (agentAny2._messages) {
                 fullHistory = agentAny2._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path27.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path27.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path31.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path31.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8342,7 +8342,7 @@ ${"=".repeat(60)}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs23.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs27.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8369,7 +8369,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs23.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs27.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8378,11 +8378,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs23 = require("fs");
-              const path27 = require("path");
+              const fs27 = require("fs");
+              const path31 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path27.join(process.cwd(), "debug-artifacts");
-              const responseFile = path27.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path31.join(process.cwd(), "debug-artifacts");
+              const responseFile = path31.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8415,7 +8415,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs23.writeFileSync(responseFile, responseContent, "utf-8");
+              fs27.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8431,9 +8431,9 @@ ${"=".repeat(60)}
                 await agentAny._telemetryConfig.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs23 = require("fs");
-                  if (fs23.existsSync(agentAny._traceFilePath)) {
-                    const stats = fs23.statSync(agentAny._traceFilePath);
+                  const fs27 = require("fs");
+                  if (fs27.existsSync(agentAny._traceFilePath)) {
+                    const stats = fs27.statSync(agentAny._traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                     );
@@ -8646,9 +8646,9 @@ ${schemaString}`);
           const model = this.config.model || "default";
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs23 = require("fs");
-              const path27 = require("path");
-              const os2 = require("os");
+              const fs27 = require("fs");
+              const path31 = require("path");
+              const os3 = require("os");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const debugData = {
                 timestamp,
@@ -8720,19 +8720,19 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const tempDir = os2.tmpdir();
-              const promptFile = path27.join(tempDir, `visor-prompt-${timestamp}.txt`);
-              fs23.writeFileSync(promptFile, prompt, "utf-8");
+              const tempDir = os3.tmpdir();
+              const promptFile = path31.join(tempDir, `visor-prompt-${timestamp}.txt`);
+              fs27.writeFileSync(promptFile, prompt, "utf-8");
               log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path27.join(process.cwd(), "debug-artifacts");
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path31.join(process.cwd(), "debug-artifacts");
               try {
-                const base = path27.join(
+                const base = path31.join(
                   debugArtifactsDir,
                   `prompt-${_checkName || "unknown"}-${timestamp}`
                 );
-                fs23.writeFileSync(base + ".json", debugJson, "utf-8");
-                fs23.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
+                fs27.writeFileSync(base + ".json", debugJson, "utf-8");
+                fs27.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
                 log(`
 \u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
               } catch {
@@ -8777,8 +8777,8 @@ $ ${cliCommand}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs23 = require("fs");
-              const path27 = require("path");
+              const fs27 = require("fs");
+              const path31 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny = agent;
               let fullHistory = [];
@@ -8789,8 +8789,8 @@ $ ${cliCommand}
               } else if (agentAny._messages) {
                 fullHistory = agentAny._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path27.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path27.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path31.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path31.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8802,7 +8802,7 @@ $ ${cliCommand}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs23.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs27.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8829,7 +8829,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs23.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs27.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8838,11 +8838,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs23 = require("fs");
-              const path27 = require("path");
+              const fs27 = require("fs");
+              const path31 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path27.join(process.cwd(), "debug-artifacts");
-              const responseFile = path27.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path31.join(process.cwd(), "debug-artifacts");
+              const responseFile = path31.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8875,7 +8875,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs23.writeFileSync(responseFile, responseContent, "utf-8");
+              fs27.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8893,9 +8893,9 @@ ${"=".repeat(60)}
                 await telemetry.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs23 = require("fs");
-                  if (fs23.existsSync(traceFilePath)) {
-                    const stats = fs23.statSync(traceFilePath);
+                  const fs27 = require("fs");
+                  if (fs27.existsSync(traceFilePath)) {
+                    const stats = fs27.statSync(traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                     );
@@ -8933,8 +8933,8 @@ ${"=".repeat(60)}
        * Load schema content from schema files or inline definitions
        */
       async loadSchemaContent(schema) {
-        const fs23 = require("fs").promises;
-        const path27 = require("path");
+        const fs27 = require("fs").promises;
+        const path31 = require("path");
         if (typeof schema === "object" && schema !== null) {
           log("\u{1F4CB} Using inline schema object from configuration");
           return JSON.stringify(schema);
@@ -8947,14 +8947,14 @@ ${"=".repeat(60)}
           }
         } catch {
         }
-        if ((schema.startsWith("./") || schema.includes(".json")) && !path27.isAbsolute(schema)) {
+        if ((schema.startsWith("./") || schema.includes(".json")) && !path31.isAbsolute(schema)) {
           if (schema.includes("..") || schema.includes("\0")) {
             throw new Error("Invalid schema path: path traversal not allowed");
           }
           try {
-            const schemaPath = path27.resolve(process.cwd(), schema);
+            const schemaPath = path31.resolve(process.cwd(), schema);
             log(`\u{1F4CB} Loading custom schema from file: ${schemaPath}`);
-            const schemaContent = await fs23.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs27.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch (error) {
             throw new Error(
@@ -8968,22 +8968,22 @@ ${"=".repeat(60)}
         }
         const candidatePaths = [
           // GitHub Action bundle location
-          path27.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
+          path31.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
           // Historical fallback when src/output was inadvertently bundled as output1/
-          path27.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
+          path31.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
           // Local dev (repo root)
-          path27.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
+          path31.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
         ];
         for (const schemaPath of candidatePaths) {
           try {
-            const schemaContent = await fs23.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs27.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch {
           }
         }
-        const distPath = path27.join(__dirname, "output", sanitizedSchemaName, "schema.json");
-        const distAltPath = path27.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
-        const cwdPath = path27.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const distPath = path31.join(__dirname, "output", sanitizedSchemaName, "schema.json");
+        const distAltPath = path31.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
+        const cwdPath = path31.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         throw new Error(
           `Failed to load schema '${sanitizedSchemaName}'. Tried: ${distPath}, ${distAltPath}, and ${cwdPath}. Ensure build copies 'output/' into dist (build:cli), or provide a custom schema file/path.`
         );
@@ -9228,7 +9228,7 @@ ${"=".repeat(60)}
        * Generate mock response for testing
        */
       async generateMockResponse(_prompt, _checkName, _schema) {
-        await new Promise((resolve15) => setTimeout(resolve15, 500));
+        await new Promise((resolve19) => setTimeout(resolve19, 500));
         const name = (_checkName || "").toLowerCase();
         if (name.includes("extract-facts")) {
           const arr = Array.from({ length: 6 }, (_, i) => ({
@@ -9589,7 +9589,7 @@ var init_command_executor = __esm({
        * Execute command with stdin input
        */
       executeWithStdin(command, options) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           const childProcess = (0, import_child_process2.exec)(
             command,
             {
@@ -9601,7 +9601,7 @@ var init_command_executor = __esm({
               if (error && error.killed && (error.code === "ETIMEDOUT" || error.signal === "SIGTERM")) {
                 reject(new Error(`Command timed out after ${options.timeout || 3e4}ms`));
               } else {
-                resolve15({
+                resolve19({
                   stdout: stdout || "",
                   stderr: stderr || "",
                   exitCode: error ? error.code || 1 : 0
@@ -17704,17 +17704,17 @@ var init_workflow_check_provider = __esm({
        * so it can be executed by the state machine as a nested workflow.
        */
       async loadWorkflowFromConfigPath(sourcePath, baseDir) {
-        const path27 = require("path");
-        const fs23 = require("fs");
+        const path31 = require("path");
+        const fs27 = require("fs");
         const yaml5 = require("js-yaml");
-        const resolved = path27.isAbsolute(sourcePath) ? sourcePath : path27.resolve(baseDir, sourcePath);
-        if (!fs23.existsSync(resolved)) {
+        const resolved = path31.isAbsolute(sourcePath) ? sourcePath : path31.resolve(baseDir, sourcePath);
+        if (!fs27.existsSync(resolved)) {
           throw new Error(`Workflow config not found at: ${resolved}`);
         }
-        const rawContent = fs23.readFileSync(resolved, "utf8");
+        const rawContent = fs27.readFileSync(resolved, "utf8");
         const rawData = yaml5.load(rawContent);
         if (rawData.imports && Array.isArray(rawData.imports)) {
-          const configDir = path27.dirname(resolved);
+          const configDir = path31.dirname(resolved);
           for (const source of rawData.imports) {
             const results = await this.registry.import(source, {
               basePath: configDir,
@@ -17744,8 +17744,8 @@ ${errors}`);
         if (!steps || Object.keys(steps).length === 0) {
           throw new Error(`Config '${resolved}' does not contain any steps to execute as a workflow`);
         }
-        const id = path27.basename(resolved).replace(/\.(ya?ml)$/i, "");
-        const name = loaded.name || `Workflow from ${path27.basename(resolved)}`;
+        const id = path31.basename(resolved).replace(/\.(ya?ml)$/i, "");
+        const name = loaded.name || `Workflow from ${path31.basename(resolved)}`;
         const workflowDef = {
           id,
           name,
@@ -18551,8 +18551,8 @@ async function createStoreBackend(storageConfig, haConfig) {
     case "mssql": {
       try {
         const loaderPath = "../../enterprise/loader";
-        const { loadEnterpriseStoreBackend } = await import(loaderPath);
-        return await loadEnterpriseStoreBackend(driver, storageConfig, haConfig);
+        const { loadEnterpriseStoreBackend: loadEnterpriseStoreBackend2 } = await import(loaderPath);
+        return await loadEnterpriseStoreBackend2(driver, storageConfig, haConfig);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         logger.error(`[StoreFactory] Failed to load enterprise ${driver} backend: ${msg}`);
@@ -21123,7 +21123,7 @@ var init_mcp_custom_sse_server = __esm({
        * Returns the actual bound port number
        */
       async start() {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           try {
             this.server = import_http.default.createServer((req, res) => {
               this.handleRequest(req, res).catch((error) => {
@@ -21157,7 +21157,7 @@ var init_mcp_custom_sse_server = __esm({
                 );
               }
               this.startKeepalive();
-              resolve15(this.port);
+              resolve19(this.port);
             });
           } catch (error) {
             reject(error);
@@ -21220,7 +21220,7 @@ var init_mcp_custom_sse_server = __esm({
             logger.debug(
               `[CustomToolsSSEServer:${this.sessionId}] Grace period before stop: ${waitMs}ms (activeToolCalls=${this.activeToolCalls})`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, waitMs));
+            await new Promise((resolve19) => setTimeout(resolve19, waitMs));
           }
         }
         if (this.activeToolCalls > 0) {
@@ -21229,7 +21229,7 @@ var init_mcp_custom_sse_server = __esm({
             `[CustomToolsSSEServer:${this.sessionId}] Waiting for ${this.activeToolCalls} active tool call(s) before stop`
           );
           while (this.activeToolCalls > 0 && Date.now() - startedAt < effectiveDrainTimeoutMs) {
-            await new Promise((resolve15) => setTimeout(resolve15, 250));
+            await new Promise((resolve19) => setTimeout(resolve19, 250));
           }
           if (this.activeToolCalls > 0) {
             logger.warn(
@@ -21254,21 +21254,21 @@ var init_mcp_custom_sse_server = __esm({
         }
         this.connections.clear();
         if (this.server) {
-          await new Promise((resolve15, reject) => {
+          await new Promise((resolve19, reject) => {
             const timeout = setTimeout(() => {
               if (this.debug) {
                 logger.debug(
                   `[CustomToolsSSEServer:${this.sessionId}] Force closing server after timeout`
                 );
               }
-              this.server?.close(() => resolve15());
+              this.server?.close(() => resolve19());
             }, 5e3);
             this.server.close((error) => {
               clearTimeout(timeout);
               if (error) {
                 reject(error);
               } else {
-                resolve15();
+                resolve19();
               }
             });
           });
@@ -21703,7 +21703,7 @@ var init_mcp_custom_sse_server = __esm({
               logger.warn(
                 `[CustomToolsSSEServer:${this.sessionId}] Tool ${toolName} failed (attempt ${attempt + 1}/${retryCount + 1}): ${errorMsg}. Retrying in ${delay}ms`
               );
-              await new Promise((resolve15) => setTimeout(resolve15, delay));
+              await new Promise((resolve19) => setTimeout(resolve19, delay));
               attempt++;
             }
           }
@@ -22016,9 +22016,9 @@ var init_ai_check_provider = __esm({
           } else {
             resolvedPath = import_path7.default.resolve(process.cwd(), str);
           }
-          const fs23 = require("fs").promises;
+          const fs27 = require("fs").promises;
           try {
-            const stat2 = await fs23.stat(resolvedPath);
+            const stat2 = await fs27.stat(resolvedPath);
             return stat2.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -24114,6 +24114,112 @@ var init_template_context = __esm({
   }
 });
 
+// src/utils/oauth2-token-cache.ts
+var OAuth2TokenCache;
+var init_oauth2_token_cache = __esm({
+  "src/utils/oauth2-token-cache.ts"() {
+    "use strict";
+    init_logger();
+    init_env_resolver();
+    OAuth2TokenCache = class _OAuth2TokenCache {
+      static instance;
+      cache = /* @__PURE__ */ new Map();
+      static getInstance() {
+        if (!_OAuth2TokenCache.instance) {
+          _OAuth2TokenCache.instance = new _OAuth2TokenCache();
+        }
+        return _OAuth2TokenCache.instance;
+      }
+      /** Visible for testing */
+      static resetInstance() {
+        _OAuth2TokenCache.instance = void 0;
+      }
+      /**
+       * Get a valid Bearer token for the given config.
+       * Returns a cached token if still valid, otherwise fetches a new one.
+       */
+      async getToken(config) {
+        const clientId = String(EnvironmentResolver.resolveValue(config.client_id));
+        const clientSecret = String(EnvironmentResolver.resolveValue(config.client_secret));
+        const tokenUrl = String(EnvironmentResolver.resolveValue(config.token_url));
+        const bufferMs = (config.token_ttl_buffer ?? 300) * 1e3;
+        const cacheKey = `${tokenUrl}|${clientId}`;
+        const cached = this.cache.get(cacheKey);
+        if (cached && cached.expires_at - bufferMs > Date.now()) {
+          logger.verbose("[oauth2] Using cached token");
+          return cached.access_token;
+        }
+        if (cached?.refreshPromise) {
+          logger.verbose("[oauth2] Awaiting in-flight token refresh");
+          return cached.refreshPromise;
+        }
+        const refreshPromise = this.fetchToken(tokenUrl, clientId, clientSecret, config.scopes);
+        if (cached) {
+          cached.refreshPromise = refreshPromise;
+        } else {
+          this.cache.set(cacheKey, {
+            access_token: "",
+            expires_at: 0,
+            refreshPromise
+          });
+        }
+        try {
+          const token = await refreshPromise;
+          return token;
+        } finally {
+          const entry = this.cache.get(cacheKey);
+          if (entry) {
+            entry.refreshPromise = void 0;
+          }
+        }
+      }
+      async fetchToken(tokenUrl, clientId, clientSecret, scopes) {
+        logger.verbose(`[oauth2] Fetching token from ${tokenUrl}`);
+        const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+        const bodyParams = new URLSearchParams({ grant_type: "client_credentials" });
+        if (scopes?.length) {
+          bodyParams.set("scope", scopes.join(" "));
+        }
+        const response = await fetch(tokenUrl, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Authorization: `Basic ${credentials}`
+          },
+          body: bodyParams.toString()
+        });
+        if (!response.ok) {
+          let errorDetail = "";
+          try {
+            errorDetail = await response.text();
+          } catch {
+          }
+          throw new Error(
+            `OAuth2 token request failed: HTTP ${response.status} ${response.statusText}${errorDetail ? ` - ${errorDetail.substring(0, 200)}` : ""}`
+          );
+        }
+        const data = await response.json();
+        if (!data.access_token) {
+          throw new Error("OAuth2 token response missing access_token");
+        }
+        const expiresIn = data.expires_in ?? 3600;
+        const expiresAt = Date.now() + expiresIn * 1e3;
+        const cacheKey = `${tokenUrl}|${clientId}`;
+        this.cache.set(cacheKey, {
+          access_token: data.access_token,
+          expires_at: expiresAt
+        });
+        logger.verbose(`[oauth2] Token acquired, expires in ${expiresIn}s`);
+        return data.access_token;
+      }
+      /** Clear all cached tokens (for testing or credential rotation) */
+      clear() {
+        this.cache.clear();
+      }
+    };
+  }
+});
+
 // src/providers/http-client-provider.ts
 var fs15, path18, HttpClientProvider;
 var init_http_client_provider = __esm({
@@ -24124,6 +24230,7 @@ var init_http_client_provider = __esm({
     init_env_resolver();
     init_sandbox();
     init_template_context();
+    init_oauth2_token_cache();
     init_logger();
     fs15 = __toESM(require("fs"));
     path18 = __toESM(require("path"));
@@ -24151,24 +24258,43 @@ var init_http_client_provider = __esm({
         if (cfg.type !== "http_client") {
           return false;
         }
-        if (typeof cfg.url !== "string" || !cfg.url) {
+        const hasUrl = typeof cfg.url === "string" && cfg.url;
+        const hasBaseUrl = typeof cfg.base_url === "string" && cfg.base_url;
+        if (!hasUrl && !hasBaseUrl) {
           return false;
         }
         try {
-          new URL(cfg.url);
+          new URL(hasUrl ? cfg.url : cfg.base_url);
           return true;
         } catch {
           return false;
         }
       }
       async execute(prInfo, config, dependencyResults, context2) {
-        const url = config.url;
+        const baseUrl = config.base_url;
+        const rawPath = config.path;
+        const pathParams = config.params || {};
+        const queryParams = config.query || {};
+        const authConfig = config.auth;
+        let url;
+        if (baseUrl && rawPath) {
+          let resolvedPath = rawPath;
+          for (const [key, value] of Object.entries(pathParams)) {
+            resolvedPath = resolvedPath.replace(`{${key}}`, encodeURIComponent(value));
+          }
+          url = `${baseUrl.replace(/\/+$/, "")}/${resolvedPath.replace(/^\/+/, "")}`;
+          if (Object.keys(queryParams).length > 0) {
+            const qs = new URLSearchParams(queryParams).toString();
+            url += `${url.includes("?") ? "&" : "?"}${qs}`;
+          }
+        } else {
+          url = config.url;
+        }
         const method = config.method || "GET";
         const headers = config.headers || {};
         const timeout = config.timeout || 3e4;
         const transform = config.transform;
         const transformJs = config.transform_js;
-        const bodyTemplate = config.body;
         const outputFileTemplate = config.output_file;
         const skipIfExists = config.skip_if_exists !== false;
         let resolvedUrlForErrors = url;
@@ -24192,7 +24318,11 @@ var init_http_client_provider = __esm({
             resolvedUrlForErrors = renderedUrl;
           }
           let requestBody;
-          if (bodyTemplate) {
+          const rawBody = config.body;
+          const bodyTemplate = typeof rawBody === "string" ? rawBody : void 0;
+          if (rawBody && typeof rawBody === "object") {
+            requestBody = JSON.stringify(rawBody);
+          } else if (bodyTemplate) {
             let resolvedBody = String(EnvironmentResolver.resolveValue(bodyTemplate));
             if (resolvedBody.includes("{{") || resolvedBody.includes("{%")) {
               resolvedBody = await this.liquid.parseAndRender(resolvedBody, templateContext);
@@ -24211,6 +24341,11 @@ var init_http_client_provider = __esm({
               logger.verbose(`[http_client] ${key}: ${maskedValue}`);
             }
           }
+          if (authConfig?.type === "oauth2_client_credentials") {
+            const tokenCache = OAuth2TokenCache.getInstance();
+            const token = await tokenCache.getToken(authConfig);
+            resolvedHeaders["Authorization"] = `Bearer ${token}`;
+          }
           let resolvedOutputFile;
           if (outputFileTemplate) {
             let outputPath = String(EnvironmentResolver.resolveValue(outputFileTemplate));
@@ -24489,6 +24624,11 @@ var init_http_client_provider = __esm({
         return [
           "type",
           "url",
+          "base_url",
+          "path",
+          "params",
+          "query",
+          "auth",
           "method",
           "headers",
           "body",
@@ -27980,14 +28120,14 @@ var require_util = __commonJS({
         }
         const port = url.port != null ? url.port : url.protocol === "https:" ? 443 : 80;
         let origin = url.origin != null ? url.origin : `${url.protocol}//${url.hostname}:${port}`;
-        let path27 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
+        let path31 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
         if (origin.endsWith("/")) {
           origin = origin.substring(0, origin.length - 1);
         }
-        if (path27 && !path27.startsWith("/")) {
-          path27 = `/${path27}`;
+        if (path31 && !path31.startsWith("/")) {
+          path31 = `/${path31}`;
         }
-        url = new URL(origin + path27);
+        url = new URL(origin + path31);
       }
       return url;
     }
@@ -29601,20 +29741,20 @@ var require_parseParams = __commonJS({
 var require_basename = __commonJS({
   "node_modules/@fastify/busboy/lib/utils/basename.js"(exports2, module2) {
     "use strict";
-    module2.exports = function basename4(path27) {
-      if (typeof path27 !== "string") {
+    module2.exports = function basename4(path31) {
+      if (typeof path31 !== "string") {
         return "";
       }
-      for (var i = path27.length - 1; i >= 0; --i) {
-        switch (path27.charCodeAt(i)) {
+      for (var i = path31.length - 1; i >= 0; --i) {
+        switch (path31.charCodeAt(i)) {
           case 47:
           // '/'
           case 92:
-            path27 = path27.slice(i + 1);
-            return path27 === ".." || path27 === "." ? "" : path27;
+            path31 = path31.slice(i + 1);
+            return path31 === ".." || path31 === "." ? "" : path31;
         }
       }
-      return path27 === ".." || path27 === "." ? "" : path27;
+      return path31 === ".." || path31 === "." ? "" : path31;
     };
   }
 });
@@ -30618,11 +30758,11 @@ var require_util2 = __commonJS({
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
     var supportedHashes = [];
-    var crypto2;
+    var crypto4;
     try {
-      crypto2 = require("crypto");
+      crypto4 = require("crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
+      supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
     } catch {
     }
     function responseURL(response) {
@@ -30899,7 +31039,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto2 === void 0) {
+      if (crypto4 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -30914,7 +31054,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -31007,8 +31147,8 @@ var require_util2 = __commonJS({
     function createDeferredPromise() {
       let res;
       let rej;
-      const promise = new Promise((resolve15, reject) => {
-        res = resolve15;
+      const promise = new Promise((resolve19, reject) => {
+        res = resolve19;
         rej = reject;
       });
       return { promise, resolve: res, reject: rej };
@@ -32261,8 +32401,8 @@ var require_body = __commonJS({
     var { parseMIMEType, serializeAMimeType } = require_dataURL();
     var random;
     try {
-      const crypto2 = require("crypto");
-      random = (max) => crypto2.randomInt(0, max);
+      const crypto4 = require("crypto");
+      random = (max) => crypto4.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -32513,8 +32653,8 @@ Content-Type: ${value.type || "application/octet-stream"}\r
                 });
               }
             });
-            const busboyResolve = new Promise((resolve15, reject) => {
-              busboy.on("finish", resolve15);
+            const busboyResolve = new Promise((resolve19, reject) => {
+              busboy.on("finish", resolve19);
               busboy.on("error", (err) => reject(new TypeError(err)));
             });
             if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk);
@@ -32645,7 +32785,7 @@ var require_request = __commonJS({
     }
     var Request = class _Request {
       constructor(origin, {
-        path: path27,
+        path: path31,
         method,
         body,
         headers,
@@ -32659,11 +32799,11 @@ var require_request = __commonJS({
         throwOnError,
         expectContinue
       }, handler) {
-        if (typeof path27 !== "string") {
+        if (typeof path31 !== "string") {
           throw new InvalidArgumentError("path must be a string");
-        } else if (path27[0] !== "/" && !(path27.startsWith("http://") || path27.startsWith("https://")) && method !== "CONNECT") {
+        } else if (path31[0] !== "/" && !(path31.startsWith("http://") || path31.startsWith("https://")) && method !== "CONNECT") {
           throw new InvalidArgumentError("path must be an absolute URL or start with a slash");
-        } else if (invalidPathRegex.exec(path27) !== null) {
+        } else if (invalidPathRegex.exec(path31) !== null) {
           throw new InvalidArgumentError("invalid request path");
         }
         if (typeof method !== "string") {
@@ -32726,7 +32866,7 @@ var require_request = __commonJS({
         this.completed = false;
         this.aborted = false;
         this.upgrade = upgrade || null;
-        this.path = query ? util.buildURL(path27, query) : path27;
+        this.path = query ? util.buildURL(path31, query) : path31;
         this.origin = origin;
         this.idempotent = idempotent == null ? method === "HEAD" || method === "GET" : idempotent;
         this.blocking = blocking == null ? false : blocking;
@@ -33048,9 +33188,9 @@ var require_dispatcher_base = __commonJS({
       }
       close(callback) {
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve19, reject) => {
             this.close((err, data) => {
-              return err ? reject(err) : resolve15(data);
+              return err ? reject(err) : resolve19(data);
             });
           });
         }
@@ -33088,12 +33228,12 @@ var require_dispatcher_base = __commonJS({
           err = null;
         }
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve19, reject) => {
             this.destroy(err, (err2, data) => {
               return err2 ? (
                 /* istanbul ignore next: should never error */
                 reject(err2)
-              ) : resolve15(data);
+              ) : resolve19(data);
             });
           });
         }
@@ -33734,9 +33874,9 @@ var require_RedirectHandler = __commonJS({
           return this.handler.onHeaders(statusCode, headers, resume, statusText);
         }
         const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)));
-        const path27 = search ? `${pathname}${search}` : pathname;
+        const path31 = search ? `${pathname}${search}` : pathname;
         this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin);
-        this.opts.path = path27;
+        this.opts.path = path31;
         this.opts.origin = origin;
         this.opts.maxRedirections = 0;
         this.opts.query = null;
@@ -34155,16 +34295,16 @@ var require_client = __commonJS({
         return this[kNeedDrain] < 2;
       }
       async [kClose]() {
-        return new Promise((resolve15) => {
+        return new Promise((resolve19) => {
           if (!this[kSize]) {
-            resolve15(null);
+            resolve19(null);
           } else {
-            this[kClosedResolve] = resolve15;
+            this[kClosedResolve] = resolve19;
           }
         });
       }
       async [kDestroy](err) {
-        return new Promise((resolve15) => {
+        return new Promise((resolve19) => {
           const requests = this[kQueue].splice(this[kPendingIdx]);
           for (let i = 0; i < requests.length; i++) {
             const request = requests[i];
@@ -34175,7 +34315,7 @@ var require_client = __commonJS({
               this[kClosedResolve]();
               this[kClosedResolve] = null;
             }
-            resolve15();
+            resolve19();
           };
           if (this[kHTTP2Session] != null) {
             util.destroy(this[kHTTP2Session], err);
@@ -34755,7 +34895,7 @@ var require_client = __commonJS({
         });
       }
       try {
-        const socket = await new Promise((resolve15, reject) => {
+        const socket = await new Promise((resolve19, reject) => {
           client[kConnector]({
             host,
             hostname,
@@ -34767,7 +34907,7 @@ var require_client = __commonJS({
             if (err) {
               reject(err);
             } else {
-              resolve15(socket2);
+              resolve19(socket2);
             }
           });
         });
@@ -34978,7 +35118,7 @@ var require_client = __commonJS({
         writeH2(client, client[kHTTP2Session], request);
         return;
       }
-      const { body, method, path: path27, host, upgrade, headers, blocking, reset } = request;
+      const { body, method, path: path31, host, upgrade, headers, blocking, reset } = request;
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
         body.read(0);
@@ -35028,7 +35168,7 @@ var require_client = __commonJS({
       if (blocking) {
         socket[kBlocking] = true;
       }
-      let header = `${method} ${path27} HTTP/1.1\r
+      let header = `${method} ${path31} HTTP/1.1\r
 `;
       if (typeof host === "string") {
         header += `host: ${host}\r
@@ -35091,7 +35231,7 @@ upgrade: ${upgrade}\r
       return true;
     }
     function writeH2(client, session, request) {
-      const { body, method, path: path27, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
+      const { body, method, path: path31, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
       let headers;
       if (typeof reqHeaders === "string") headers = Request[kHTTP2CopyHeaders](reqHeaders.trim());
       else headers = reqHeaders;
@@ -35134,7 +35274,7 @@ upgrade: ${upgrade}\r
         });
         return true;
       }
-      headers[HTTP2_HEADER_PATH] = path27;
+      headers[HTTP2_HEADER_PATH] = path31;
       headers[HTTP2_HEADER_SCHEME] = "https";
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
@@ -35391,12 +35531,12 @@ upgrade: ${upgrade}\r
           cb();
         }
       }
-      const waitForDrain = () => new Promise((resolve15, reject) => {
+      const waitForDrain = () => new Promise((resolve19, reject) => {
         assert(callback === null);
         if (socket[kError]) {
           reject(socket[kError]);
         } else {
-          callback = resolve15;
+          callback = resolve19;
         }
       });
       if (client[kHTTPConnVersion] === "h2") {
@@ -35742,8 +35882,8 @@ var require_pool_base = __commonJS({
         if (this[kQueue].isEmpty()) {
           return Promise.all(this[kClients].map((c) => c.close()));
         } else {
-          return new Promise((resolve15) => {
-            this[kClosedResolve] = resolve15;
+          return new Promise((resolve19) => {
+            this[kClosedResolve] = resolve19;
           });
         }
       }
@@ -36321,7 +36461,7 @@ var require_readable = __commonJS({
         if (this.closed) {
           return Promise.resolve(null);
         }
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           const signalListenerCleanup = signal ? util.addAbortListener(signal, () => {
             this.destroy();
           }) : noop;
@@ -36330,7 +36470,7 @@ var require_readable = __commonJS({
             if (signal && signal.aborted) {
               reject(signal.reason || Object.assign(new Error("The operation was aborted"), { name: "AbortError" }));
             } else {
-              resolve15(null);
+              resolve19(null);
             }
           }).on("error", noop).on("data", function(chunk) {
             limit -= chunk.length;
@@ -36352,11 +36492,11 @@ var require_readable = __commonJS({
         throw new TypeError("unusable");
       }
       assert(!stream[kConsume]);
-      return new Promise((resolve15, reject) => {
+      return new Promise((resolve19, reject) => {
         stream[kConsume] = {
           type,
           stream,
-          resolve: resolve15,
+          resolve: resolve19,
           reject,
           length: 0,
           body: []
@@ -36391,12 +36531,12 @@ var require_readable = __commonJS({
       }
     }
     function consumeEnd(consume2) {
-      const { type, body, resolve: resolve15, stream, length } = consume2;
+      const { type, body, resolve: resolve19, stream, length } = consume2;
       try {
         if (type === "text") {
-          resolve15(toUSVString(Buffer.concat(body)));
+          resolve19(toUSVString(Buffer.concat(body)));
         } else if (type === "json") {
-          resolve15(JSON.parse(Buffer.concat(body)));
+          resolve19(JSON.parse(Buffer.concat(body)));
         } else if (type === "arrayBuffer") {
           const dst = new Uint8Array(length);
           let pos = 0;
@@ -36404,12 +36544,12 @@ var require_readable = __commonJS({
             dst.set(buf, pos);
             pos += buf.byteLength;
           }
-          resolve15(dst.buffer);
+          resolve19(dst.buffer);
         } else if (type === "blob") {
           if (!Blob2) {
             Blob2 = require("buffer").Blob;
           }
-          resolve15(new Blob2(body, { type: stream[kContentType] }));
+          resolve19(new Blob2(body, { type: stream[kContentType] }));
         }
         consumeFinish(consume2);
       } catch (err) {
@@ -36666,9 +36806,9 @@ var require_api_request = __commonJS({
     };
     function request(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           request.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -36841,9 +36981,9 @@ var require_api_stream = __commonJS({
     };
     function stream(opts, factory, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           stream.call(this, opts, factory, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -37124,9 +37264,9 @@ var require_api_upgrade = __commonJS({
     };
     function upgrade(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           upgrade.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -37215,9 +37355,9 @@ var require_api_connect = __commonJS({
     };
     function connect(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           connect.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -37377,20 +37517,20 @@ var require_mock_utils = __commonJS({
       }
       return true;
     }
-    function safeUrl(path27) {
-      if (typeof path27 !== "string") {
-        return path27;
+    function safeUrl(path31) {
+      if (typeof path31 !== "string") {
+        return path31;
       }
-      const pathSegments = path27.split("?");
+      const pathSegments = path31.split("?");
       if (pathSegments.length !== 2) {
-        return path27;
+        return path31;
       }
       const qp = new URLSearchParams(pathSegments.pop());
       qp.sort();
       return [...pathSegments, qp.toString()].join("?");
     }
-    function matchKey(mockDispatch2, { path: path27, method, body, headers }) {
-      const pathMatch = matchValue(mockDispatch2.path, path27);
+    function matchKey(mockDispatch2, { path: path31, method, body, headers }) {
+      const pathMatch = matchValue(mockDispatch2.path, path31);
       const methodMatch = matchValue(mockDispatch2.method, method);
       const bodyMatch = typeof mockDispatch2.body !== "undefined" ? matchValue(mockDispatch2.body, body) : true;
       const headersMatch = matchHeaders(mockDispatch2, headers);
@@ -37408,7 +37548,7 @@ var require_mock_utils = __commonJS({
     function getMockDispatch(mockDispatches, key) {
       const basePath = key.query ? buildURL(key.path, key.query) : key.path;
       const resolvedPath = typeof basePath === "string" ? safeUrl(basePath) : basePath;
-      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path27 }) => matchValue(safeUrl(path27), resolvedPath));
+      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path31 }) => matchValue(safeUrl(path31), resolvedPath));
       if (matchedMockDispatches.length === 0) {
         throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`);
       }
@@ -37445,9 +37585,9 @@ var require_mock_utils = __commonJS({
       }
     }
     function buildKey(opts) {
-      const { path: path27, method, body, headers, query } = opts;
+      const { path: path31, method, body, headers, query } = opts;
       return {
-        path: path27,
+        path: path31,
         method,
         body,
         headers,
@@ -37896,10 +38036,10 @@ var require_pending_interceptors_formatter = __commonJS({
       }
       format(pendingInterceptors) {
         const withPrettyHeaders = pendingInterceptors.map(
-          ({ method, path: path27, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
+          ({ method, path: path31, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
             Method: method,
             Origin: origin,
-            Path: path27,
+            Path: path31,
             "Status code": statusCode,
             Persistent: persist ? "\u2705" : "\u274C",
             Invocations: timesInvoked,
@@ -40840,7 +40980,7 @@ var require_fetch = __commonJS({
       async function dispatch({ body }) {
         const url = requestCurrentURL(request);
         const agent = fetchParams.controller.dispatcher;
-        return new Promise((resolve15, reject) => agent.dispatch(
+        return new Promise((resolve19, reject) => agent.dispatch(
           {
             path: url.pathname + url.search,
             origin: url.origin,
@@ -40916,7 +41056,7 @@ var require_fetch = __commonJS({
                   }
                 }
               }
-              resolve15({
+              resolve19({
                 status,
                 statusText,
                 headersList: headers[kHeadersList],
@@ -40959,7 +41099,7 @@ var require_fetch = __commonJS({
                 const val = headersList[n + 1].toString("latin1");
                 headers[kHeadersList].append(key, val);
               }
-              resolve15({
+              resolve19({
                 status,
                 statusText: STATUS_CODES[status],
                 headersList: headers[kHeadersList],
@@ -42520,8 +42660,8 @@ var require_util6 = __commonJS({
         }
       }
     }
-    function validateCookiePath(path27) {
-      for (const char of path27) {
+    function validateCookiePath(path31) {
+      for (const char of path31) {
         const code = char.charCodeAt(0);
         if (code < 33 || char === ";") {
           throw new Error("Invalid cookie path");
@@ -43318,9 +43458,9 @@ var require_connection = __commonJS({
     channels.open = diagnosticsChannel.channel("undici:websocket:open");
     channels.close = diagnosticsChannel.channel("undici:websocket:close");
     channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error");
-    var crypto2;
+    var crypto4;
     try {
-      crypto2 = require("crypto");
+      crypto4 = require("crypto");
     } catch {
     }
     function establishWebSocketConnection(url, protocols, ws, onEstablish, options) {
@@ -43339,7 +43479,7 @@ var require_connection = __commonJS({
         const headersList = new Headers(options.headers)[kHeadersList];
         request.headersList = headersList;
       }
-      const keyValue = crypto2.randomBytes(16).toString("base64");
+      const keyValue = crypto4.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue);
       request.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -43368,7 +43508,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto4.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -43448,9 +43588,9 @@ var require_frame = __commonJS({
   "node_modules/undici/lib/websocket/frame.js"(exports2, module2) {
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
-    var crypto2;
+    var crypto4;
     try {
-      crypto2 = require("crypto");
+      crypto4 = require("crypto");
     } catch {
     }
     var WebsocketFrameSend = class {
@@ -43459,7 +43599,7 @@ var require_frame = __commonJS({
        */
       constructor(data) {
         this.frameData = data;
-        this.maskKey = crypto2.randomBytes(4);
+        this.maskKey = crypto4.randomBytes(4);
       }
       createFrame(opcode) {
         const bodyLength = this.frameData?.byteLength ?? 0;
@@ -44201,11 +44341,11 @@ var require_undici = __commonJS({
           if (typeof opts.path !== "string") {
             throw new InvalidArgumentError("invalid opts.path");
           }
-          let path27 = opts.path;
+          let path31 = opts.path;
           if (!opts.path.startsWith("/")) {
-            path27 = `/${path27}`;
+            path31 = `/${path31}`;
           }
-          url = new URL(util.parseOrigin(url).origin + path27);
+          url = new URL(util.parseOrigin(url).origin + path31);
         } else {
           if (!opts) {
             opts = typeof url === "object" ? url : {};
@@ -44754,7 +44894,7 @@ var init_mcp_check_provider = __esm({
             logger.warn(
               `MCP ${transportName} failed (attempt ${attempt + 1}/${maxRetries + 1}), retrying in ${delay}ms: ${error instanceof Error ? error.message : String(error)}`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, delay));
+            await new Promise((resolve19) => setTimeout(resolve19, delay));
             attempt += 1;
           } finally {
             try {
@@ -45036,7 +45176,7 @@ async function acquirePromptLock() {
     activePrompt = true;
     return;
   }
-  await new Promise((resolve15) => waiters.push(resolve15));
+  await new Promise((resolve19) => waiters.push(resolve19));
   activePrompt = true;
 }
 function releasePromptLock() {
@@ -45046,7 +45186,7 @@ function releasePromptLock() {
 }
 async function interactivePrompt(options) {
   await acquirePromptLock();
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve19, reject) => {
     const dbg = process.env.VISOR_DEBUG === "true";
     try {
       if (dbg) {
@@ -45133,12 +45273,12 @@ async function interactivePrompt(options) {
     };
     const finish = (value) => {
       cleanup();
-      resolve15(value);
+      resolve19(value);
     };
     if (options.timeout && options.timeout > 0) {
       timeoutId = setTimeout(() => {
         cleanup();
-        if (defaultValue !== void 0) return resolve15(defaultValue);
+        if (defaultValue !== void 0) return resolve19(defaultValue);
         return reject(new Error("Input timeout"));
       }, options.timeout);
     }
@@ -45270,7 +45410,7 @@ async function interactivePrompt(options) {
   });
 }
 async function simplePrompt(prompt) {
-  return new Promise((resolve15) => {
+  return new Promise((resolve19) => {
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
@@ -45286,7 +45426,7 @@ async function simplePrompt(prompt) {
     rl.question(`${prompt}
 > `, (answer) => {
       rl.close();
-      resolve15(answer.trim());
+      resolve19(answer.trim());
     });
   });
 }
@@ -45454,7 +45594,7 @@ function isStdinAvailable() {
   return !process.stdin.isTTY;
 }
 async function readStdin(timeout, maxSize = 1024 * 1024) {
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve19, reject) => {
     let data = "";
     let timeoutId;
     if (timeout) {
@@ -45481,7 +45621,7 @@ async function readStdin(timeout, maxSize = 1024 * 1024) {
     };
     const onEnd = () => {
       cleanup();
-      resolve15(data.trim());
+      resolve19(data.trim());
     };
     const onError = (err) => {
       cleanup();
@@ -49607,23 +49747,23 @@ __export(renderer_schema_exports, {
 });
 async function loadRendererSchema(name) {
   try {
-    const fs23 = await import("fs/promises");
-    const path27 = await import("path");
+    const fs27 = await import("fs/promises");
+    const path31 = await import("path");
     const sanitized = String(name).replace(/[^a-zA-Z0-9-]/g, "");
     if (!sanitized) return void 0;
     const candidates = [
       // When bundled with ncc, __dirname is dist/ and output/ is at dist/output/
-      path27.join(__dirname, "output", sanitized, "schema.json"),
+      path31.join(__dirname, "output", sanitized, "schema.json"),
       // When running from source, __dirname is src/state-machine/dispatch/ and output/ is at output/
-      path27.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
+      path31.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
       // When running from a checkout with output/ folder copied to CWD
-      path27.join(process.cwd(), "output", sanitized, "schema.json"),
+      path31.join(process.cwd(), "output", sanitized, "schema.json"),
       // Fallback: cwd/dist/output/
-      path27.join(process.cwd(), "dist", "output", sanitized, "schema.json")
+      path31.join(process.cwd(), "dist", "output", sanitized, "schema.json")
     ];
     for (const p of candidates) {
       try {
-        const raw = await fs23.readFile(p, "utf-8");
+        const raw = await fs27.readFile(p, "utf-8");
         return JSON.parse(raw);
       } catch {
       }
@@ -52042,8 +52182,8 @@ function updateStats2(results, state, isForEachIteration = false) {
 async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs23 = await import("fs/promises");
-    const path27 = await import("path");
+    const fs27 = await import("fs/promises");
+    const path31 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" && !schemaRaw.includes("{{") && !schemaRaw.includes("{%") ? schemaRaw : typeof schemaRaw === "object" ? "code-review" : "plain";
     let templateContent;
@@ -52052,27 +52192,27 @@ async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
       logger.debug(`[LevelDispatch] Using inline template for ${checkId}`);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path27.resolve(process.cwd(), file);
-      templateContent = await fs23.readFile(resolved, "utf-8");
+      const resolved = path31.resolve(process.cwd(), file);
+      templateContent = await fs27.readFile(resolved, "utf-8");
       logger.debug(`[LevelDispatch] Using template file for ${checkId}: ${resolved}`);
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path27.join(__dirname, "output", sanitized, "template.liquid"),
+          path31.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path27.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path31.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source (from state-machine/states)
-          path27.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
+          path31.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
           // source (alternate)
-          path27.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path31.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path27.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path31.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs23.readFile(p, "utf-8");
+            templateContent = await fs27.readFile(p, "utf-8");
             if (templateContent) {
               logger.debug(`[LevelDispatch] Using schema template for ${checkId}: ${p}`);
               break;
@@ -54212,8 +54352,8 @@ var init_workspace_manager = __esm({
         );
         if (this.cleanupRequested && this.activeOperations === 0) {
           logger.debug(`[Workspace] All references released, proceeding with deferred cleanup`);
-          for (const resolve15 of this.cleanupResolvers) {
-            resolve15();
+          for (const resolve19 of this.cleanupResolvers) {
+            resolve19();
           }
           this.cleanupResolvers = [];
         }
@@ -54370,19 +54510,19 @@ var init_workspace_manager = __esm({
           );
           this.cleanupRequested = true;
           await Promise.race([
-            new Promise((resolve15) => {
+            new Promise((resolve19) => {
               if (this.activeOperations === 0) {
-                resolve15();
+                resolve19();
               } else {
-                this.cleanupResolvers.push(resolve15);
+                this.cleanupResolvers.push(resolve19);
               }
             }),
-            new Promise((resolve15) => {
+            new Promise((resolve19) => {
               setTimeout(() => {
                 logger.warn(
                   `[Workspace] Cleanup timeout after ${timeout}ms, proceeding anyway (${this.activeOperations} operations still active)`
                 );
-                resolve15();
+                resolve19();
               }, timeout);
             })
           ]);
@@ -54860,6 +55000,1380 @@ var init_build_engine_context = __esm({
   }
 });
 
+// src/policy/default-engine.ts
+var DefaultPolicyEngine;
+var init_default_engine = __esm({
+  "src/policy/default-engine.ts"() {
+    "use strict";
+    DefaultPolicyEngine = class {
+      async initialize(_config) {
+      }
+      async evaluateCheckExecution(_checkId, _checkConfig) {
+        return { allowed: true };
+      }
+      async evaluateToolInvocation(_serverName, _methodName, _transport) {
+        return { allowed: true };
+      }
+      async evaluateCapabilities(_checkId, _capabilities) {
+        return { allowed: true };
+      }
+      async shutdown() {
+      }
+    };
+  }
+});
+
+// src/enterprise/license/validator.ts
+var validator_exports = {};
+__export(validator_exports, {
+  LicenseValidator: () => LicenseValidator
+});
+var crypto2, fs21, path25, LicenseValidator;
+var init_validator = __esm({
+  "src/enterprise/license/validator.ts"() {
+    "use strict";
+    crypto2 = __toESM(require("crypto"));
+    fs21 = __toESM(require("fs"));
+    path25 = __toESM(require("path"));
+    LicenseValidator = class _LicenseValidator {
+      /** Ed25519 public key for license verification (PEM format). */
+      static PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n-----END PUBLIC KEY-----\n";
+      cache = null;
+      static CACHE_TTL = 5 * 60 * 1e3;
+      // 5 minutes
+      static GRACE_PERIOD = 72 * 3600 * 1e3;
+      // 72 hours after expiry
+      /**
+       * Load and validate license from environment or file.
+       *
+       * Resolution order:
+       * 1. VISOR_LICENSE env var (JWT string)
+       * 2. VISOR_LICENSE_FILE env var (path to file)
+       * 3. .visor-license in project root (cwd)
+       * 4. .visor-license in ~/.config/visor/
+       */
+      async loadAndValidate() {
+        if (this.cache && Date.now() - this.cache.validatedAt < _LicenseValidator.CACHE_TTL) {
+          return this.cache.payload;
+        }
+        const token = this.resolveToken();
+        if (!token) return null;
+        const payload = this.verifyAndDecode(token);
+        if (!payload) return null;
+        this.cache = { payload, validatedAt: Date.now() };
+        return payload;
+      }
+      /** Check if a specific feature is licensed */
+      hasFeature(feature) {
+        if (!this.cache) return false;
+        return this.cache.payload.features.includes(feature);
+      }
+      /** Check if license is valid (with grace period) */
+      isValid() {
+        if (!this.cache) return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1e3;
+        return now < expiryMs + _LicenseValidator.GRACE_PERIOD;
+      }
+      /** Check if the license is within its grace period (expired but still valid) */
+      isInGracePeriod() {
+        if (!this.cache) return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1e3;
+        return now >= expiryMs && now < expiryMs + _LicenseValidator.GRACE_PERIOD;
+      }
+      resolveToken() {
+        if (process.env.VISOR_LICENSE) {
+          return process.env.VISOR_LICENSE.trim();
+        }
+        if (process.env.VISOR_LICENSE_FILE) {
+          const resolved = path25.resolve(process.env.VISOR_LICENSE_FILE);
+          const home2 = process.env.HOME || process.env.USERPROFILE || "";
+          const allowedPrefixes = [path25.normalize(process.cwd())];
+          if (home2) allowedPrefixes.push(path25.normalize(path25.join(home2, ".config", "visor")));
+          let realPath;
+          try {
+            realPath = fs21.realpathSync(resolved);
+          } catch {
+            return null;
+          }
+          const isSafe = allowedPrefixes.some(
+            (prefix) => realPath === prefix || realPath.startsWith(prefix + path25.sep)
+          );
+          if (!isSafe) return null;
+          return this.readFile(realPath);
+        }
+        const cwdPath = path25.join(process.cwd(), ".visor-license");
+        const cwdToken = this.readFile(cwdPath);
+        if (cwdToken) return cwdToken;
+        const home = process.env.HOME || process.env.USERPROFILE || "";
+        if (home) {
+          const configPath = path25.join(home, ".config", "visor", ".visor-license");
+          const configToken = this.readFile(configPath);
+          if (configToken) return configToken;
+        }
+        return null;
+      }
+      readFile(filePath) {
+        try {
+          return fs21.readFileSync(filePath, "utf-8").trim();
+        } catch {
+          return null;
+        }
+      }
+      verifyAndDecode(token) {
+        try {
+          const parts = token.split(".");
+          if (parts.length !== 3) return null;
+          const [headerB64, payloadB64, signatureB64] = parts;
+          const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
+          if (header.alg !== "EdDSA") return null;
+          const data = `${headerB64}.${payloadB64}`;
+          const signature = Buffer.from(signatureB64, "base64url");
+          const publicKey = crypto2.createPublicKey(_LicenseValidator.PUBLIC_KEY);
+          if (publicKey.asymmetricKeyType !== "ed25519") {
+            return null;
+          }
+          const isValid = crypto2.verify(null, Buffer.from(data), publicKey, signature);
+          if (!isValid) return null;
+          const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+          if (!payload.org || !Array.isArray(payload.features) || typeof payload.exp !== "number" || typeof payload.iat !== "number" || !payload.sub) {
+            return null;
+          }
+          const now = Date.now();
+          const expiryMs = payload.exp * 1e3;
+          if (now >= expiryMs + _LicenseValidator.GRACE_PERIOD) {
+            return null;
+          }
+          return payload;
+        } catch {
+          return null;
+        }
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-compiler.ts
+var fs22, path26, os2, crypto3, import_child_process8, OpaCompiler;
+var init_opa_compiler = __esm({
+  "src/enterprise/policy/opa-compiler.ts"() {
+    "use strict";
+    fs22 = __toESM(require("fs"));
+    path26 = __toESM(require("path"));
+    os2 = __toESM(require("os"));
+    crypto3 = __toESM(require("crypto"));
+    import_child_process8 = require("child_process");
+    OpaCompiler = class _OpaCompiler {
+      static CACHE_DIR = path26.join(os2.tmpdir(), "visor-opa-cache");
+      /**
+       * Resolve the input paths to WASM bytes.
+       *
+       * Strategy:
+       * 1. If any path is a .wasm file, read it directly
+       * 2. If a directory contains policy.wasm, read it
+       * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+       */
+      async resolveWasmBytes(paths) {
+        const regoFiles = [];
+        for (const p of paths) {
+          const resolved = path26.resolve(p);
+          if (path26.normalize(resolved).includes("..")) {
+            throw new Error(`Policy path contains traversal sequences: ${p}`);
+          }
+          if (resolved.endsWith(".wasm") && fs22.existsSync(resolved)) {
+            return fs22.readFileSync(resolved);
+          }
+          if (!fs22.existsSync(resolved)) continue;
+          const stat2 = fs22.statSync(resolved);
+          if (stat2.isDirectory()) {
+            const wasmCandidate = path26.join(resolved, "policy.wasm");
+            if (fs22.existsSync(wasmCandidate)) {
+              return fs22.readFileSync(wasmCandidate);
+            }
+            const files = fs22.readdirSync(resolved);
+            for (const f of files) {
+              if (f.endsWith(".rego")) {
+                regoFiles.push(path26.join(resolved, f));
+              }
+            }
+          } else if (resolved.endsWith(".rego")) {
+            regoFiles.push(resolved);
+          }
+        }
+        if (regoFiles.length === 0) {
+          throw new Error(
+            `OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(", ")}`
+          );
+        }
+        return this.compileRego(regoFiles);
+      }
+      /**
+       * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+       *
+       * Caches the compiled bundle based on a content hash of all input .rego files
+       * so subsequent runs skip compilation if policies haven't changed.
+       */
+      compileRego(regoFiles) {
+        try {
+          (0, import_child_process8.execFileSync)("opa", ["version"], { stdio: "pipe" });
+        } catch {
+          throw new Error(
+            "OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\nOr pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz " + regoFiles.join(" ")
+          );
+        }
+        const hash = crypto3.createHash("sha256");
+        for (const f of regoFiles.sort()) {
+          hash.update(fs22.readFileSync(f));
+          hash.update(f);
+        }
+        const cacheKey = hash.digest("hex").slice(0, 16);
+        const cacheDir = _OpaCompiler.CACHE_DIR;
+        const cachedWasm = path26.join(cacheDir, `${cacheKey}.wasm`);
+        if (fs22.existsSync(cachedWasm)) {
+          return fs22.readFileSync(cachedWasm);
+        }
+        fs22.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path26.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        try {
+          const args = [
+            "build",
+            "-t",
+            "wasm",
+            "-e",
+            "visor",
+            // entrypoint: the visor package tree
+            "-o",
+            bundleTar,
+            ...regoFiles
+          ];
+          (0, import_child_process8.execFileSync)("opa", args, {
+            stdio: "pipe",
+            timeout: 3e4
+          });
+        } catch (err) {
+          const stderr = err?.stderr?.toString() || "";
+          throw new Error(
+            `Failed to compile .rego files to WASM:
+${stderr}
+Ensure your .rego files are valid and the \`opa\` CLI is installed.`
+          );
+        }
+        try {
+          (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "/policy.wasm"], {
+            stdio: "pipe"
+          });
+          const extractedWasm = path26.join(cacheDir, "policy.wasm");
+          if (fs22.existsSync(extractedWasm)) {
+            fs22.renameSync(extractedWasm, cachedWasm);
+          }
+        } catch {
+          try {
+            (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "policy.wasm"], {
+              stdio: "pipe"
+            });
+            const extractedWasm = path26.join(cacheDir, "policy.wasm");
+            if (fs22.existsSync(extractedWasm)) {
+              fs22.renameSync(extractedWasm, cachedWasm);
+            }
+          } catch (err2) {
+            throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
+          }
+        }
+        try {
+          fs22.unlinkSync(bundleTar);
+        } catch {
+        }
+        if (!fs22.existsSync(cachedWasm)) {
+          throw new Error("OPA build succeeded but policy.wasm was not found in the bundle");
+        }
+        return fs22.readFileSync(cachedWasm);
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-wasm-evaluator.ts
+var fs23, path27, OpaWasmEvaluator;
+var init_opa_wasm_evaluator = __esm({
+  "src/enterprise/policy/opa-wasm-evaluator.ts"() {
+    "use strict";
+    fs23 = __toESM(require("fs"));
+    path27 = __toESM(require("path"));
+    init_opa_compiler();
+    OpaWasmEvaluator = class {
+      policy = null;
+      dataDocument = {};
+      compiler = new OpaCompiler();
+      async initialize(rulesPath) {
+        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
+        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
+        try {
+          const { createRequire } = require("module");
+          const runtimeRequire = createRequire(__filename);
+          const opaWasm = runtimeRequire("@open-policy-agent/opa-wasm");
+          const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
+          if (!loadPolicy) {
+            throw new Error("loadPolicy not found in @open-policy-agent/opa-wasm");
+          }
+          this.policy = await loadPolicy(wasmBytes);
+        } catch (err) {
+          if (err?.code === "MODULE_NOT_FOUND" || err?.code === "ERR_MODULE_NOT_FOUND") {
+            throw new Error(
+              "OPA WASM evaluator requires @open-policy-agent/opa-wasm. Install it with: npm install @open-policy-agent/opa-wasm"
+            );
+          }
+          throw err;
+        }
+      }
+      /**
+       * Load external data from a JSON file to use as the OPA data document.
+       * The loaded data will be passed to `policy.setData()` during evaluation,
+       * making it available in Rego via `data.<key>`.
+       */
+      loadData(dataPath) {
+        const resolved = path27.resolve(dataPath);
+        if (path27.normalize(resolved).includes("..")) {
+          throw new Error(`Data path contains traversal sequences: ${dataPath}`);
+        }
+        if (!fs23.existsSync(resolved)) {
+          throw new Error(`OPA data file not found: ${resolved}`);
+        }
+        const stat2 = fs23.statSync(resolved);
+        if (stat2.size > 10 * 1024 * 1024) {
+          throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat2.size} bytes)`);
+        }
+        const raw = fs23.readFileSync(resolved, "utf-8");
+        try {
+          const parsed = JSON.parse(raw);
+          if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+            throw new Error("OPA data file must contain a JSON object (not an array or primitive)");
+          }
+          this.dataDocument = parsed;
+        } catch (err) {
+          if (err.message.startsWith("OPA data file must")) {
+            throw err;
+          }
+          throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
+        }
+      }
+      async evaluate(input) {
+        if (!this.policy) {
+          throw new Error("OPA WASM evaluator not initialized");
+        }
+        this.policy.setData(this.dataDocument);
+        const resultSet = this.policy.evaluate(input);
+        if (Array.isArray(resultSet) && resultSet.length > 0) {
+          return resultSet[0].result;
+        }
+        return void 0;
+      }
+      async shutdown() {
+        if (this.policy) {
+          if (typeof this.policy.close === "function") {
+            try {
+              this.policy.close();
+            } catch {
+            }
+          } else if (typeof this.policy.free === "function") {
+            try {
+              this.policy.free();
+            } catch {
+            }
+          }
+        }
+        this.policy = null;
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-http-evaluator.ts
+var OpaHttpEvaluator;
+var init_opa_http_evaluator = __esm({
+  "src/enterprise/policy/opa-http-evaluator.ts"() {
+    "use strict";
+    OpaHttpEvaluator = class {
+      baseUrl;
+      timeout;
+      constructor(baseUrl, timeout = 5e3) {
+        let parsed;
+        try {
+          parsed = new URL(baseUrl);
+        } catch {
+          throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
+        }
+        if (!["http:", "https:"].includes(parsed.protocol)) {
+          throw new Error(
+            `OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`
+          );
+        }
+        const hostname = parsed.hostname;
+        if (this.isBlockedHostname(hostname)) {
+          throw new Error(
+            `OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`
+          );
+        }
+        this.baseUrl = baseUrl.replace(/\/+$/, "");
+        this.timeout = timeout;
+      }
+      /**
+       * Check if a hostname is blocked due to SSRF concerns.
+       *
+       * Blocks:
+       * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+       * - Link-local addresses (169.254.x.x)
+       * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+       * - IPv6 unique local addresses (fd00::/8)
+       * - Cloud metadata services (*.internal)
+       */
+      isBlockedHostname(hostname) {
+        if (!hostname) return true;
+        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+        if (normalized === "metadata.google.internal" || normalized.endsWith(".internal")) {
+          return true;
+        }
+        if (normalized === "localhost" || normalized === "localhost.localdomain") {
+          return true;
+        }
+        if (normalized === "::1" || normalized === "0:0:0:0:0:0:0:1") {
+          return true;
+        }
+        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = normalized.match(ipv4Pattern);
+        if (ipv4Match) {
+          const octets = ipv4Match.slice(1, 5).map(Number);
+          if (octets.some((octet) => octet > 255)) {
+            return false;
+          }
+          const [a, b] = octets;
+          if (a === 127) {
+            return true;
+          }
+          if (a === 0) {
+            return true;
+          }
+          if (a === 169 && b === 254) {
+            return true;
+          }
+          if (a === 10) {
+            return true;
+          }
+          if (a === 172 && b >= 16 && b <= 31) {
+            return true;
+          }
+          if (a === 192 && b === 168) {
+            return true;
+          }
+        }
+        if (normalized.startsWith("fd") || normalized.startsWith("fc")) {
+          return true;
+        }
+        if (normalized.startsWith("fe80:")) {
+          return true;
+        }
+        return false;
+      }
+      /**
+       * Evaluate a policy rule against an input document via OPA REST API.
+       *
+       * @param input - The input document to evaluate
+       * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+       * @returns The result object from OPA, or undefined on error
+       */
+      async evaluate(input, rulePath) {
+        const encodedPath = rulePath.split("/").map((s) => encodeURIComponent(s)).join("/");
+        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+          const response = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ input }),
+            signal: controller.signal
+          });
+          if (!response.ok) {
+            throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
+          }
+          let body;
+          try {
+            body = await response.json();
+          } catch (jsonErr) {
+            throw new Error(
+              `OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`
+            );
+          }
+          return body?.result;
+        } finally {
+          clearTimeout(timer);
+        }
+      }
+      async shutdown() {
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/policy-input-builder.ts
+var PolicyInputBuilder;
+var init_policy_input_builder = __esm({
+  "src/enterprise/policy/policy-input-builder.ts"() {
+    "use strict";
+    PolicyInputBuilder = class {
+      roles;
+      actor;
+      repository;
+      pullRequest;
+      constructor(policyConfig, actor, repository, pullRequest) {
+        this.roles = policyConfig.roles || {};
+        this.actor = actor;
+        this.repository = repository;
+        this.pullRequest = pullRequest;
+      }
+      /** Resolve which roles apply to the current actor. */
+      resolveRoles() {
+        const matched = [];
+        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
+          let identityMatch = false;
+          if (roleConfig.author_association && this.actor.authorAssociation && roleConfig.author_association.includes(this.actor.authorAssociation)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.users && this.actor.login && roleConfig.users.includes(this.actor.login)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.slack_users && this.actor.slack?.userId && roleConfig.slack_users.includes(this.actor.slack.userId)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
+            const actorEmail = this.actor.slack.email.toLowerCase();
+            if (roleConfig.emails.some((e) => e.toLowerCase() === actorEmail)) {
+              identityMatch = true;
+            }
+          }
+          if (!identityMatch) continue;
+          if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
+            if (!this.actor.slack?.channelId || !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
+              continue;
+            }
+          }
+          matched.push(roleName);
+        }
+        return matched;
+      }
+      buildActor() {
+        return {
+          authorAssociation: this.actor.authorAssociation,
+          login: this.actor.login,
+          roles: this.resolveRoles(),
+          isLocalMode: this.actor.isLocalMode,
+          ...this.actor.slack && { slack: this.actor.slack }
+        };
+      }
+      forCheckExecution(check) {
+        return {
+          scope: "check.execute",
+          check: {
+            id: check.id,
+            type: check.type,
+            group: check.group,
+            tags: check.tags,
+            criticality: check.criticality,
+            sandbox: check.sandbox,
+            policy: check.policy
+          },
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+      forToolInvocation(serverName, methodName, transport) {
+        return {
+          scope: "tool.invoke",
+          tool: { serverName, methodName, transport },
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+      forCapabilityResolve(checkId, capabilities) {
+        return {
+          scope: "capability.resolve",
+          check: { id: checkId, type: "ai" },
+          capability: capabilities,
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-policy-engine.ts
+var opa_policy_engine_exports = {};
+__export(opa_policy_engine_exports, {
+  OpaPolicyEngine: () => OpaPolicyEngine
+});
+var OpaPolicyEngine;
+var init_opa_policy_engine = __esm({
+  "src/enterprise/policy/opa-policy-engine.ts"() {
+    "use strict";
+    init_opa_wasm_evaluator();
+    init_opa_http_evaluator();
+    init_policy_input_builder();
+    OpaPolicyEngine = class {
+      evaluator = null;
+      fallback;
+      timeout;
+      config;
+      inputBuilder = null;
+      logger = null;
+      constructor(config) {
+        this.config = config;
+        this.fallback = config.fallback || "deny";
+        this.timeout = config.timeout || 5e3;
+      }
+      async initialize(config) {
+        try {
+          this.logger = (init_logger(), __toCommonJS(logger_exports)).logger;
+        } catch {
+        }
+        const actor = {
+          authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
+          login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
+          isLocalMode: !process.env.GITHUB_ACTIONS
+        };
+        const repo = {
+          owner: process.env.GITHUB_REPOSITORY_OWNER,
+          name: process.env.GITHUB_REPOSITORY?.split("/")[1],
+          branch: process.env.GITHUB_HEAD_REF,
+          baseBranch: process.env.GITHUB_BASE_REF,
+          event: process.env.GITHUB_EVENT_NAME
+        };
+        const prNum = process.env.GITHUB_PR_NUMBER ? parseInt(process.env.GITHUB_PR_NUMBER, 10) : void 0;
+        const pullRequest = {
+          number: prNum !== void 0 && Number.isFinite(prNum) ? prNum : void 0
+        };
+        this.inputBuilder = new PolicyInputBuilder(config, actor, repo, pullRequest);
+        if (config.engine === "local") {
+          if (!config.rules) {
+            throw new Error("OPA local mode requires `policy.rules` path to .wasm or .rego files");
+          }
+          const wasm = new OpaWasmEvaluator();
+          await wasm.initialize(config.rules);
+          if (config.data) {
+            wasm.loadData(config.data);
+          }
+          this.evaluator = wasm;
+        } else if (config.engine === "remote") {
+          if (!config.url) {
+            throw new Error("OPA remote mode requires `policy.url` pointing to OPA server");
+          }
+          this.evaluator = new OpaHttpEvaluator(config.url, this.timeout);
+        } else {
+          this.evaluator = null;
+        }
+      }
+      /**
+       * Update actor/repo/PR context (e.g., after PR info becomes available).
+       * Called by the enterprise loader when engine context is enriched.
+       */
+      setActorContext(actor, repo, pullRequest) {
+        this.inputBuilder = new PolicyInputBuilder(this.config, actor, repo, pullRequest);
+      }
+      async evaluateCheckExecution(checkId, checkConfig) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const cfg = checkConfig && typeof checkConfig === "object" ? checkConfig : {};
+        const policyOverride = cfg.policy;
+        const input = this.inputBuilder.forCheckExecution({
+          id: checkId,
+          type: cfg.type || "ai",
+          group: cfg.group,
+          tags: cfg.tags,
+          criticality: cfg.criticality,
+          sandbox: cfg.sandbox,
+          policy: policyOverride
+        });
+        return this.doEvaluate(input, this.resolveRulePath("check.execute", policyOverride?.rule));
+      }
+      async evaluateToolInvocation(serverName, methodName, transport) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
+        return this.doEvaluate(input, "visor/tool/invoke");
+      }
+      async evaluateCapabilities(checkId, capabilities) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
+        return this.doEvaluate(input, "visor/capability/resolve");
+      }
+      async shutdown() {
+        if (this.evaluator && "shutdown" in this.evaluator) {
+          await this.evaluator.shutdown();
+        }
+        this.evaluator = null;
+        this.inputBuilder = null;
+      }
+      resolveRulePath(defaultScope, override) {
+        if (override) {
+          return override.startsWith("visor/") ? override : `visor/${override}`;
+        }
+        return `visor/${defaultScope.replace(/\./g, "/")}`;
+      }
+      async doEvaluate(input, rulePath) {
+        try {
+          this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
+          let timer;
+          const timeoutPromise = new Promise((_resolve, reject) => {
+            timer = setTimeout(() => reject(new Error("policy evaluation timeout")), this.timeout);
+          });
+          try {
+            const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
+            const decision = this.parseDecision(result);
+            if (!decision.allowed && this.fallback === "warn") {
+              decision.allowed = true;
+              decision.warn = true;
+              decision.reason = `audit: ${decision.reason || "policy denied"}`;
+            }
+            this.logger?.debug(
+              `[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || "none"}`
+            );
+            return decision;
+          } finally {
+            if (timer) clearTimeout(timer);
+          }
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
+          return {
+            allowed: this.fallback === "allow" || this.fallback === "warn",
+            warn: this.fallback === "warn" ? true : void 0,
+            reason: `policy evaluation failed, fallback=${this.fallback}`
+          };
+        }
+      }
+      async rawEvaluate(input, rulePath) {
+        if (this.evaluator instanceof OpaWasmEvaluator) {
+          const result = await this.evaluator.evaluate(input);
+          return this.navigateWasmResult(result, rulePath);
+        }
+        return this.evaluator.evaluate(input, rulePath);
+      }
+      /**
+       * Navigate nested OPA WASM result tree to reach the specific rule's output.
+       * The WASM entrypoint `-e visor` means the result root IS the visor package,
+       * so we strip the `visor/` prefix and walk the remaining segments.
+       */
+      navigateWasmResult(result, rulePath) {
+        if (!result || typeof result !== "object") return result;
+        const segments = rulePath.replace(/^visor\//, "").split("/");
+        let current = result;
+        for (const seg of segments) {
+          if (current && typeof current === "object" && seg in current) {
+            current = current[seg];
+          } else {
+            return void 0;
+          }
+        }
+        return current;
+      }
+      parseDecision(result) {
+        if (result === void 0 || result === null) {
+          return {
+            allowed: this.fallback === "allow" || this.fallback === "warn",
+            warn: this.fallback === "warn" ? true : void 0,
+            reason: this.fallback === "warn" ? "audit: no policy result" : "no policy result"
+          };
+        }
+        const allowed = result.allowed !== false;
+        const decision = {
+          allowed,
+          reason: result.reason
+        };
+        if (result.capabilities) {
+          decision.capabilities = result.capabilities;
+        }
+        return decision;
+      }
+    };
+  }
+});
+
+// src/enterprise/scheduler/knex-store.ts
+var knex_store_exports = {};
+__export(knex_store_exports, {
+  KnexStoreBackend: () => KnexStoreBackend
+});
+function toNum(val) {
+  if (val === null || val === void 0) return void 0;
+  return typeof val === "string" ? parseInt(val, 10) : val;
+}
+function safeJsonParse2(value) {
+  if (!value) return void 0;
+  try {
+    return JSON.parse(value);
+  } catch {
+    return void 0;
+  }
+}
+function fromTriggerRow2(row) {
+  return {
+    id: row.id,
+    creatorId: row.creator_id,
+    creatorContext: row.creator_context ?? void 0,
+    creatorName: row.creator_name ?? void 0,
+    description: row.description ?? void 0,
+    channels: safeJsonParse2(row.channels),
+    fromUsers: safeJsonParse2(row.from_users),
+    fromBots: row.from_bots === true || row.from_bots === 1,
+    contains: safeJsonParse2(row.contains),
+    matchPattern: row.match_pattern ?? void 0,
+    threads: row.threads,
+    workflow: row.workflow,
+    inputs: safeJsonParse2(row.inputs),
+    outputContext: safeJsonParse2(row.output_context),
+    status: row.status,
+    enabled: row.enabled === true || row.enabled === 1,
+    createdAt: toNum(row.created_at)
+  };
+}
+function toTriggerInsertRow(trigger) {
+  return {
+    id: trigger.id,
+    creator_id: trigger.creatorId,
+    creator_context: trigger.creatorContext ?? null,
+    creator_name: trigger.creatorName ?? null,
+    description: trigger.description ?? null,
+    channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
+    from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
+    from_bots: trigger.fromBots,
+    contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
+    match_pattern: trigger.matchPattern ?? null,
+    threads: trigger.threads,
+    workflow: trigger.workflow,
+    inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
+    output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
+    status: trigger.status,
+    enabled: trigger.enabled,
+    created_at: trigger.createdAt
+  };
+}
+function fromDbRow2(row) {
+  return {
+    id: row.id,
+    creatorId: row.creator_id,
+    creatorContext: row.creator_context ?? void 0,
+    creatorName: row.creator_name ?? void 0,
+    timezone: row.timezone,
+    schedule: row.schedule_expr,
+    runAt: toNum(row.run_at),
+    isRecurring: row.is_recurring === true || row.is_recurring === 1,
+    originalExpression: row.original_expression,
+    workflow: row.workflow ?? void 0,
+    workflowInputs: safeJsonParse2(row.workflow_inputs),
+    outputContext: safeJsonParse2(row.output_context),
+    status: row.status,
+    createdAt: toNum(row.created_at),
+    lastRunAt: toNum(row.last_run_at),
+    nextRunAt: toNum(row.next_run_at),
+    runCount: row.run_count,
+    failureCount: row.failure_count,
+    lastError: row.last_error ?? void 0,
+    previousResponse: row.previous_response ?? void 0
+  };
+}
+function toInsertRow(schedule) {
+  return {
+    id: schedule.id,
+    creator_id: schedule.creatorId,
+    creator_context: schedule.creatorContext ?? null,
+    creator_name: schedule.creatorName ?? null,
+    timezone: schedule.timezone,
+    schedule_expr: schedule.schedule,
+    run_at: schedule.runAt ?? null,
+    is_recurring: schedule.isRecurring,
+    original_expression: schedule.originalExpression,
+    workflow: schedule.workflow ?? null,
+    workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
+    output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
+    status: schedule.status,
+    created_at: schedule.createdAt,
+    last_run_at: schedule.lastRunAt ?? null,
+    next_run_at: schedule.nextRunAt ?? null,
+    run_count: schedule.runCount,
+    failure_count: schedule.failureCount,
+    last_error: schedule.lastError ?? null,
+    previous_response: schedule.previousResponse ?? null
+  };
+}
+var fs24, path28, import_uuid2, KnexStoreBackend;
+var init_knex_store = __esm({
+  "src/enterprise/scheduler/knex-store.ts"() {
+    "use strict";
+    fs24 = __toESM(require("fs"));
+    path28 = __toESM(require("path"));
+    import_uuid2 = require("uuid");
+    init_logger();
+    KnexStoreBackend = class {
+      knex = null;
+      driver;
+      connection;
+      constructor(driver, storageConfig, _haConfig) {
+        this.driver = driver;
+        this.connection = storageConfig.connection || {};
+      }
+      async initialize() {
+        const { createRequire } = require("module");
+        const runtimeRequire = createRequire(__filename);
+        let knexFactory;
+        try {
+          knexFactory = runtimeRequire("knex");
+        } catch (err) {
+          const code = err?.code;
+          if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
+            throw new Error(
+              "knex is required for PostgreSQL/MySQL/MSSQL schedule storage. Install it with: npm install knex"
+            );
+          }
+          throw err;
+        }
+        const clientMap = {
+          postgresql: "pg",
+          mysql: "mysql2",
+          mssql: "tedious"
+        };
+        const client = clientMap[this.driver];
+        let connection;
+        if (this.connection.connection_string) {
+          connection = this.connection.connection_string;
+        } else if (this.driver === "mssql") {
+          connection = this.buildMssqlConnection();
+        } else {
+          connection = this.buildStandardConnection();
+        }
+        this.knex = knexFactory({
+          client,
+          connection,
+          pool: {
+            min: this.connection.pool?.min ?? 0,
+            max: this.connection.pool?.max ?? 10
+          }
+        });
+        await this.migrateSchema();
+        logger.info(`[KnexStore] Initialized (${this.driver})`);
+      }
+      buildStandardConnection() {
+        return {
+          host: this.connection.host || "localhost",
+          port: this.connection.port,
+          database: this.connection.database || "visor",
+          user: this.connection.user,
+          password: this.connection.password,
+          ssl: this.resolveSslConfig()
+        };
+      }
+      buildMssqlConnection() {
+        const ssl = this.connection.ssl;
+        const sslEnabled = ssl === true || typeof ssl === "object" && ssl.enabled !== false;
+        return {
+          server: this.connection.host || "localhost",
+          port: this.connection.port,
+          database: this.connection.database || "visor",
+          user: this.connection.user,
+          password: this.connection.password,
+          options: {
+            encrypt: sslEnabled,
+            trustServerCertificate: typeof ssl === "object" ? ssl.reject_unauthorized === false : !sslEnabled
+          }
+        };
+      }
+      resolveSslConfig() {
+        const ssl = this.connection.ssl;
+        if (ssl === false || ssl === void 0) return false;
+        if (ssl === true) return { rejectUnauthorized: true };
+        if (ssl.enabled === false) return false;
+        const result = {
+          rejectUnauthorized: ssl.reject_unauthorized !== false
+        };
+        if (ssl.ca) {
+          const caPath = this.validateSslPath(ssl.ca, "CA certificate");
+          result.ca = fs24.readFileSync(caPath, "utf8");
+        }
+        if (ssl.cert) {
+          const certPath = this.validateSslPath(ssl.cert, "client certificate");
+          result.cert = fs24.readFileSync(certPath, "utf8");
+        }
+        if (ssl.key) {
+          const keyPath = this.validateSslPath(ssl.key, "client key");
+          result.key = fs24.readFileSync(keyPath, "utf8");
+        }
+        return result;
+      }
+      validateSslPath(filePath, label) {
+        const resolved = path28.resolve(filePath);
+        if (resolved !== path28.normalize(resolved)) {
+          throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
+        }
+        if (!fs24.existsSync(resolved)) {
+          throw new Error(`SSL ${label} not found: ${filePath}`);
+        }
+        return resolved;
+      }
+      async shutdown() {
+        if (this.knex) {
+          await this.knex.destroy();
+          this.knex = null;
+        }
+      }
+      async migrateSchema() {
+        const knex = this.getKnex();
+        const exists = await knex.schema.hasTable("schedules");
+        if (!exists) {
+          await knex.schema.createTable("schedules", (table) => {
+            table.string("id", 36).primary();
+            table.string("creator_id", 255).notNullable().index();
+            table.string("creator_context", 255);
+            table.string("creator_name", 255);
+            table.string("timezone", 64).notNullable().defaultTo("UTC");
+            table.string("schedule_expr", 255);
+            table.bigInteger("run_at");
+            table.boolean("is_recurring").notNullable();
+            table.text("original_expression");
+            table.string("workflow", 255);
+            table.text("workflow_inputs");
+            table.text("output_context");
+            table.string("status", 20).notNullable().index();
+            table.bigInteger("created_at").notNullable();
+            table.bigInteger("last_run_at");
+            table.bigInteger("next_run_at");
+            table.integer("run_count").notNullable().defaultTo(0);
+            table.integer("failure_count").notNullable().defaultTo(0);
+            table.text("last_error");
+            table.text("previous_response");
+            table.index(["status", "next_run_at"]);
+          });
+        }
+        const triggersExist = await knex.schema.hasTable("message_triggers");
+        if (!triggersExist) {
+          await knex.schema.createTable("message_triggers", (table) => {
+            table.string("id", 36).primary();
+            table.string("creator_id", 255).notNullable().index();
+            table.string("creator_context", 255);
+            table.string("creator_name", 255);
+            table.text("description");
+            table.text("channels");
+            table.text("from_users");
+            table.boolean("from_bots").notNullable().defaultTo(false);
+            table.text("contains");
+            table.text("match_pattern");
+            table.string("threads", 20).notNullable().defaultTo("any");
+            table.string("workflow", 255).notNullable();
+            table.text("inputs");
+            table.text("output_context");
+            table.string("status", 20).notNullable().defaultTo("active").index();
+            table.boolean("enabled").notNullable().defaultTo(true);
+            table.bigInteger("created_at").notNullable();
+          });
+        }
+        const locksExist = await knex.schema.hasTable("scheduler_locks");
+        if (!locksExist) {
+          await knex.schema.createTable("scheduler_locks", (table) => {
+            table.string("lock_id", 255).primary();
+            table.string("node_id", 255).notNullable();
+            table.string("lock_token", 36).notNullable();
+            table.bigInteger("acquired_at").notNullable();
+            table.bigInteger("expires_at").notNullable();
+          });
+        }
+      }
+      getKnex() {
+        if (!this.knex) {
+          throw new Error("[KnexStore] Not initialized. Call initialize() first.");
+        }
+        return this.knex;
+      }
+      // --- CRUD ---
+      async create(schedule) {
+        const knex = this.getKnex();
+        const newSchedule = {
+          ...schedule,
+          id: (0, import_uuid2.v4)(),
+          createdAt: Date.now(),
+          runCount: 0,
+          failureCount: 0,
+          status: "active"
+        };
+        await knex("schedules").insert(toInsertRow(newSchedule));
+        logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
+        return newSchedule;
+      }
+      async importSchedule(schedule) {
+        const knex = this.getKnex();
+        const existing = await knex("schedules").where("id", schedule.id).first();
+        if (existing) return;
+        await knex("schedules").insert(toInsertRow(schedule));
+      }
+      async get(id) {
+        const knex = this.getKnex();
+        const row = await knex("schedules").where("id", id).first();
+        return row ? fromDbRow2(row) : void 0;
+      }
+      async update(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex("schedules").where("id", id).first();
+        if (!existing) return void 0;
+        const current = fromDbRow2(existing);
+        const updated = { ...current, ...patch, id: current.id };
+        const row = toInsertRow(updated);
+        delete row.id;
+        await knex("schedules").where("id", id).update(row);
+        return updated;
+      }
+      async delete(id) {
+        const knex = this.getKnex();
+        const deleted = await knex("schedules").where("id", id).del();
+        if (deleted > 0) {
+          logger.info(`[KnexStore] Deleted schedule ${id}`);
+          return true;
+        }
+        return false;
+      }
+      // --- Queries ---
+      async getByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex("schedules").where("creator_id", creatorId);
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getActiveSchedules() {
+        const knex = this.getKnex();
+        const rows = await knex("schedules").where("status", "active");
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getDueSchedules(now) {
+        const ts = now ?? Date.now();
+        const knex = this.getKnex();
+        const bFalse = this.driver === "mssql" ? 0 : false;
+        const bTrue = this.driver === "mssql" ? 1 : true;
+        const rows = await knex("schedules").where("status", "active").andWhere(function() {
+          this.where(function() {
+            this.where("is_recurring", bFalse).whereNotNull("run_at").where("run_at", "<=", ts);
+          }).orWhere(function() {
+            this.where("is_recurring", bTrue).whereNotNull("next_run_at").where("next_run_at", "<=", ts);
+          });
+        });
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async findByWorkflow(creatorId, workflowName) {
+        const knex = this.getKnex();
+        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, "\\$&");
+        const pattern = `%${escaped}%`;
+        const rows = await knex("schedules").where("creator_id", creatorId).where("status", "active").whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getAll() {
+        const knex = this.getKnex();
+        const rows = await knex("schedules");
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getStats() {
+        const knex = this.getKnex();
+        const boolTrue = this.driver === "mssql" ? "1" : "true";
+        const boolFalse = this.driver === "mssql" ? "0" : "false";
+        const result = await knex("schedules").select(
+          knex.raw("COUNT(*) as total"),
+          knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"),
+          knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"),
+          knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"),
+          knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"),
+          knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`),
+          knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`)
+        ).first();
+        return {
+          total: Number(result.total) || 0,
+          active: Number(result.active) || 0,
+          paused: Number(result.paused) || 0,
+          completed: Number(result.completed) || 0,
+          failed: Number(result.failed) || 0,
+          recurring: Number(result.recurring) || 0,
+          oneTime: Number(result.one_time) || 0
+        };
+      }
+      async validateLimits(creatorId, isRecurring, limits) {
+        const knex = this.getKnex();
+        if (limits.maxGlobal) {
+          const result = await knex("schedules").count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxGlobal) {
+            throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
+          }
+        }
+        if (limits.maxPerUser) {
+          const result = await knex("schedules").where("creator_id", creatorId).count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxPerUser) {
+            throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
+          }
+        }
+        if (isRecurring && limits.maxRecurringPerUser) {
+          const bTrue = this.driver === "mssql" ? 1 : true;
+          const result = await knex("schedules").where("creator_id", creatorId).where("is_recurring", bTrue).count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
+            throw new Error(
+              `You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`
+            );
+          }
+        }
+      }
+      // --- HA Distributed Locking (via scheduler_locks table) ---
+      async tryAcquireLock(lockId, nodeId, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1e3;
+        const token = (0, import_uuid2.v4)();
+        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("expires_at", "<", now).update({
+          node_id: nodeId,
+          lock_token: token,
+          acquired_at: now,
+          expires_at: expiresAt
+        });
+        if (updated > 0) return token;
+        try {
+          await knex("scheduler_locks").insert({
+            lock_id: lockId,
+            node_id: nodeId,
+            lock_token: token,
+            acquired_at: now,
+            expires_at: expiresAt
+          });
+          return token;
+        } catch {
+          return null;
+        }
+      }
+      async releaseLock(lockId, lockToken) {
+        const knex = this.getKnex();
+        await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).del();
+      }
+      async renewLock(lockId, lockToken, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1e3;
+        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).update({ acquired_at: now, expires_at: expiresAt });
+        return updated > 0;
+      }
+      async flush() {
+      }
+      // --- Message Trigger CRUD ---
+      async createTrigger(trigger) {
+        const knex = this.getKnex();
+        const newTrigger = {
+          ...trigger,
+          id: (0, import_uuid2.v4)(),
+          createdAt: Date.now()
+        };
+        await knex("message_triggers").insert(toTriggerInsertRow(newTrigger));
+        logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
+        return newTrigger;
+      }
+      async getTrigger(id) {
+        const knex = this.getKnex();
+        const row = await knex("message_triggers").where("id", id).first();
+        return row ? fromTriggerRow2(row) : void 0;
+      }
+      async updateTrigger(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex("message_triggers").where("id", id).first();
+        if (!existing) return void 0;
+        const current = fromTriggerRow2(existing);
+        const updated = {
+          ...current,
+          ...patch,
+          id: current.id,
+          createdAt: current.createdAt
+        };
+        const row = toTriggerInsertRow(updated);
+        delete row.id;
+        await knex("message_triggers").where("id", id).update(row);
+        return updated;
+      }
+      async deleteTrigger(id) {
+        const knex = this.getKnex();
+        const deleted = await knex("message_triggers").where("id", id).del();
+        if (deleted > 0) {
+          logger.info(`[KnexStore] Deleted trigger ${id}`);
+          return true;
+        }
+        return false;
+      }
+      async getTriggersByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex("message_triggers").where("creator_id", creatorId);
+        return rows.map((r) => fromTriggerRow2(r));
+      }
+      async getActiveTriggers() {
+        const knex = this.getKnex();
+        const rows = await knex("message_triggers").where("status", "active").where("enabled", this.driver === "mssql" ? 1 : true);
+        return rows.map((r) => fromTriggerRow2(r));
+      }
+    };
+  }
+});
+
+// src/enterprise/loader.ts
+var loader_exports = {};
+__export(loader_exports, {
+  loadEnterprisePolicyEngine: () => loadEnterprisePolicyEngine,
+  loadEnterpriseStoreBackend: () => loadEnterpriseStoreBackend
+});
+async function loadEnterprisePolicyEngine(config) {
+  try {
+    const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
+    const validator = new LicenseValidator2();
+    const license = await validator.loadAndValidate();
+    if (!license || !validator.hasFeature("policy")) {
+      return new DefaultPolicyEngine();
+    }
+    if (validator.isInGracePeriod()) {
+      console.warn(
+        "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
+      );
+    }
+    const { OpaPolicyEngine: OpaPolicyEngine2 } = await Promise.resolve().then(() => (init_opa_policy_engine(), opa_policy_engine_exports));
+    const engine = new OpaPolicyEngine2(config);
+    await engine.initialize(config);
+    return engine;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    try {
+      const { logger: logger2 } = (init_logger(), __toCommonJS(logger_exports));
+      logger2.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
+    } catch {
+    }
+    return new DefaultPolicyEngine();
+  }
+}
+async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
+  const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
+  const validator = new LicenseValidator2();
+  const license = await validator.loadAndValidate();
+  if (!license || !validator.hasFeature("scheduler-sql")) {
+    throw new Error(
+      `The ${driver} schedule storage driver requires a Visor Enterprise license with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`
+    );
+  }
+  if (validator.isInGracePeriod()) {
+    console.warn(
+      "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
+    );
+  }
+  const { KnexStoreBackend: KnexStoreBackend2 } = await Promise.resolve().then(() => (init_knex_store(), knex_store_exports));
+  return new KnexStoreBackend2(driver, storageConfig, haConfig);
+}
+var init_loader = __esm({
+  "src/enterprise/loader.ts"() {
+    "use strict";
+    init_default_engine();
+  }
+});
+
 // src/event-bus/event-bus.ts
 var event_bus_exports = {};
 __export(event_bus_exports, {
@@ -55766,8 +57280,8 @@ ${content}
        * Sleep utility
        */
       sleep(ms) {
-        return new Promise((resolve15) => {
-          const t = setTimeout(resolve15, ms);
+        return new Promise((resolve19) => {
+          const t = setTimeout(resolve19, ms);
           if (typeof t.unref === "function") {
             try {
               t.unref();
@@ -56052,8 +57566,8 @@ ${end}`);
       async updateGroupedComment(ctx, comments, group, changedIds) {
         const existingLock = this.updateLocks.get(group);
         let resolveLock;
-        const ourLock = new Promise((resolve15) => {
-          resolveLock = resolve15;
+        const ourLock = new Promise((resolve19) => {
+          resolveLock = resolve19;
         });
         this.updateLocks.set(group, ourLock);
         try {
@@ -56366,7 +57880,7 @@ ${blocks}
        * Sleep utility for enforcing delays
        */
       sleep(ms) {
-        return new Promise((resolve15) => setTimeout(resolve15, ms));
+        return new Promise((resolve19) => setTimeout(resolve19, ms));
       }
     };
   }
@@ -57658,15 +59172,15 @@ function serializeRunState(state) {
     ])
   };
 }
-var path26, fs22, StateMachineExecutionEngine;
+var path30, fs26, StateMachineExecutionEngine;
 var init_state_machine_execution_engine = __esm({
   "src/state-machine-execution-engine.ts"() {
     "use strict";
     init_runner();
     init_logger();
     init_sandbox_manager();
-    path26 = __toESM(require("path"));
-    fs22 = __toESM(require("fs"));
+    path30 = __toESM(require("path"));
+    fs26 = __toESM(require("fs"));
     StateMachineExecutionEngine = class _StateMachineExecutionEngine {
       workingDirectory;
       executionContext;
@@ -57898,8 +59412,8 @@ var init_state_machine_execution_engine = __esm({
             logger.debug(
               `[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`
             );
-            const { loadEnterprisePolicyEngine } = await import("./enterprise/loader");
-            context2.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
+            const { loadEnterprisePolicyEngine: loadEnterprisePolicyEngine2 } = await Promise.resolve().then(() => (init_loader(), loader_exports));
+            context2.policyEngine = await loadEnterprisePolicyEngine2(configWithTagFilter.policy);
             logger.debug(
               `[PolicyEngine] Initialized: ${context2.policyEngine?.constructor?.name || "unknown"}`
             );
@@ -58051,9 +59565,9 @@ var init_state_machine_execution_engine = __esm({
                   }
                   const checkId = String(ev?.checkId || "unknown");
                   const threadKey = ev?.threadKey || (channel && threadTs ? `${channel}:${threadTs}` : "session");
-                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path26.resolve(process.cwd(), ".visor", "snapshots");
-                  fs22.mkdirSync(baseDir, { recursive: true });
-                  const filePath = path26.join(baseDir, `${threadKey}-${checkId}.json`);
+                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path30.resolve(process.cwd(), ".visor", "snapshots");
+                  fs26.mkdirSync(baseDir, { recursive: true });
+                  const filePath = path30.join(baseDir, `${threadKey}-${checkId}.json`);
                   await this.saveSnapshotToFile(filePath);
                   logger.info(`[Snapshot] Saved run snapshot: ${filePath}`);
                   try {
@@ -58194,7 +59708,7 @@ var init_state_machine_execution_engine = __esm({
        * Does not include secrets. Intended for debugging and future resume support.
        */
       async saveSnapshotToFile(filePath) {
-        const fs23 = await import("fs/promises");
+        const fs27 = await import("fs/promises");
         const ctx = this._lastContext;
         const runner = this._lastRunner;
         if (!ctx || !runner) {
@@ -58214,14 +59728,14 @@ var init_state_machine_execution_engine = __esm({
           journal: entries,
           requestedChecks: ctx.requestedChecks || []
         };
-        await fs23.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
+        await fs27.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
       }
       /**
        * Load a snapshot JSON from file and return it. Resume support can build on this.
        */
       async loadSnapshotFromFile(filePath) {
-        const fs23 = await import("fs/promises");
-        const raw = await fs23.readFile(filePath, "utf8");
+        const fs27 = await import("fs/promises");
+        const raw = await fs27.readFile(filePath, "utf8");
         return JSON.parse(raw);
       }
       /**