@probelabs/visor 0.1.170 → 0.1.171-ee

package/dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
-process.env.VISOR_VERSION = '0.1.170';
-process.env.PROBE_VERSION = '0.6.0-rc286';
-process.env.VISOR_COMMIT_SHA = '3e49bfdee61154013b28eba096637ac60cdd08ac';
-process.env.VISOR_COMMIT_SHORT = '3e49bfdee';
+process.env.VISOR_VERSION = '0.1.171';
+process.env.PROBE_VERSION = '0.6.0-rc290';
+process.env.VISOR_COMMIT_SHA = '12d9273ce614376592cf397b6c874dcbfa220b8b';
+process.env.VISOR_COMMIT_SHORT = '12d9273';
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
@@ -168110,6 +168110,13 @@ class SqliteTaskStore {
                 messageText = textPart?.text ?? '';
             }
             catch { }
+            let source = '-';
+            let metadata = {};
+            try {
+                metadata = JSON.parse(r.request_metadata || '{}');
+                source = metadata.source || '-';
+            }
+            catch { }
             return {
                 id: r.id,
                 context_id: r.context_id,
@@ -168121,6 +168128,8 @@ class SqliteTaskStore {
                 workflow_id: r.workflow_id,
                 run_id: r.run_id,
                 request_message: messageText,
+                source,
+                metadata,
             };
         });
         return { rows, total };
@@ -168139,6 +168148,11 @@ class SqliteTaskStore {
        SET state = ?, updated_at = ?, status_message = ?
        WHERE id = ?`).run(newState, now, statusMessage ? JSON.stringify(statusMessage) : null, taskId);
     }
+    claimTask(taskId, workerId) {
+        const db = this.getDb();
+        const now = nowISO();
+        db.prepare(`UPDATE agent_tasks SET claimed_by = ?, claimed_at = ?, updated_at = ? WHERE id = ?`).run(workerId, now, now, taskId);
+    }
     addArtifact(taskId, artifact) {
         const db = this.getDb();
         const row = db.prepare('SELECT artifacts FROM agent_tasks WHERE id = ?').get(taskId);
@@ -168396,6 +168410,7 @@ exports.handleTasksCommand = handleTasksCommand;
  *   visor tasks help                       - Show usage
  */
 const logger_1 = __nccwpck_require__(86999);
+const instance_id_1 = __nccwpck_require__(89942);
 const task_store_1 = __nccwpck_require__(24711);
 const state_transitions_1 = __nccwpck_require__(68612);
 // ---------------------------------------------------------------------------
@@ -168477,22 +168492,34 @@ function buildFilter(flags) {
 // ---------------------------------------------------------------------------
 // Table formatting
 // ---------------------------------------------------------------------------
+function formatMeta(meta) {
+    const parts = [];
+    if (meta.slack_user)
+        parts.push(`user:${meta.slack_user}`);
+    if (meta.slack_channel)
+        parts.push(`ch:${meta.slack_channel}`);
+    if (meta.trace_id)
+        parts.push(`trace:${String(meta.trace_id).slice(0, 8)}`);
+    if (meta.schedule_id)
+        parts.push(`sched:${meta.schedule_id}`);
+    return parts.join(' ') || '-';
+}
 function formatTable(rows, total) {
     if (rows.length === 0)
         return 'No tasks found.';
-    const header = ['ID', 'State', 'Agent', 'Duration', 'Worker', 'Input'];
+    const header = ['ID', 'Source', 'State', 'Workflow', 'Duration', 'Instance', 'Meta', 'Input'];
     const data = rows.map(r => {
-        const duration = r.state === 'working' && r.claimed_at
-            ? formatDuration(r.claimed_at)
-            : r.state === 'submitted'
-                ? formatDuration(r.created_at)
-                : formatDuration(r.created_at, r.updated_at);
-        const worker = r.claimed_by ? r.claimed_by.slice(0, 8) : '-';
-        const agent = r.workflow_id || '-';
+        const duration = (0, state_transitions_1.isTerminalState)(r.state)
+            ? formatDuration(r.created_at, r.updated_at)
+            : formatDuration(r.claimed_at || r.created_at);
+        const instance = r.claimed_by || '-';
+        const workflow = r.workflow_id || '-';
+        const source = r.source || '-';
+        const meta = formatMeta(r.metadata);
         const input = r.request_message.length > 60
             ? r.request_message.slice(0, 57) + '...'
             : r.request_message || '-';
-        return [r.id.slice(0, 8), r.state, agent, duration, worker, input];
+        return [r.id.slice(0, 8), source, r.state, workflow, duration, instance, meta, input];
     });
     const widths = header.map((h, i) => Math.max(h.length, ...data.map(row => row[i].length)));
     const sep = widths.map(w => '-'.repeat(w)).join('  ');
@@ -168505,19 +168532,19 @@ function formatTable(rows, total) {
 function formatMarkdown(rows, total) {
     if (rows.length === 0)
         return 'No tasks found.';
-    const header = ['ID', 'State', 'Agent', 'Duration', 'Worker', 'Input'];
+    const header = ['ID', 'Source', 'State', 'Workflow', 'Duration', 'Instance', 'Meta', 'Input'];
     const data = rows.map(r => {
-        const duration = r.state === 'working' && r.claimed_at
-            ? formatDuration(r.claimed_at)
-            : r.state === 'submitted'
-                ? formatDuration(r.created_at)
-                : formatDuration(r.created_at, r.updated_at);
-        const worker = r.claimed_by ? r.claimed_by.slice(0, 8) : '-';
-        const agent = r.workflow_id || '-';
+        const duration = (0, state_transitions_1.isTerminalState)(r.state)
+            ? formatDuration(r.created_at, r.updated_at)
+            : formatDuration(r.claimed_at || r.created_at);
+        const instance = r.claimed_by || '-';
+        const workflow = r.workflow_id || '-';
+        const source = r.source || '-';
+        const meta = formatMeta(r.metadata);
         const input = r.request_message.length > 60
             ? r.request_message.slice(0, 57) + '...'
             : r.request_message || '-';
-        return [r.id.slice(0, 8), r.state, agent, duration, worker, input];
+        return [r.id.slice(0, 8), source, r.state, workflow, duration, instance, meta, input];
     });
     const lines = [
         '| ' + header.join(' | ') + ' |',
@@ -168534,16 +168561,19 @@ function formatMarkdown(rows, total) {
 async function handleList(flags) {
     const filter = buildFilter(flags);
     const output = typeof flags.output === 'string' ? flags.output : 'table';
+    const instanceId = (0, instance_id_1.getInstanceId)();
     const render = async () => {
         await withTaskStore(async (store) => {
             const { rows, total } = store.listTasksRaw(filter);
             if (output === 'json') {
-                console.log(JSON.stringify({ tasks: rows, total }, null, 2));
+                console.log(JSON.stringify({ instance_id: instanceId, tasks: rows, total }, null, 2));
             }
             else if (output === 'markdown') {
+                console.log(`Instance: ${instanceId}\n`);
                 console.log(formatMarkdown(rows, total));
             }
             else {
+                console.log(`Instance: ${instanceId}\n`);
                 console.log(formatTable(rows, total));
             }
         });
@@ -168551,7 +168581,7 @@ async function handleList(flags) {
     if (flags.watch) {
         const watchRender = async () => {
             process.stdout.write('\x1Bc'); // clear terminal
-            console.log(`visor tasks list (watching, Ctrl+C to exit)\n`);
+            console.log(`visor tasks list (instance: ${instanceId}, watching, Ctrl+C to exit)\n`);
             try {
                 await render();
             }
@@ -168657,17 +168687,67 @@ async function handleCancel(positional, _flags) {
     });
 }
 // ---------------------------------------------------------------------------
+// Subcommand: show
+// ---------------------------------------------------------------------------
+async function handleShow(positional, flags) {
+    const taskId = positional[0];
+    if (!taskId) {
+        console.error('Usage: visor tasks show <task-id>');
+        process.exitCode = 1;
+        return;
+    }
+    const output = typeof flags.output === 'string' ? flags.output : 'table';
+    await withTaskStore(async (store) => {
+        // Try to find by prefix match
+        const { rows } = store.listTasksRaw({ limit: 200 });
+        const match = rows.find(r => r.id.startsWith(taskId));
+        if (!match) {
+            console.error(`Task not found: ${taskId}`);
+            process.exitCode = 1;
+            return;
+        }
+        if (output === 'json') {
+            console.log(JSON.stringify(match, null, 2));
+            return;
+        }
+        const duration = (0, state_transitions_1.isTerminalState)(match.state)
+            ? formatDuration(match.created_at, match.updated_at)
+            : formatDuration(match.claimed_at || match.created_at);
+        console.log(`Task: ${match.id}`);
+        console.log(`State:     ${match.state}`);
+        console.log(`Source:    ${match.source}`);
+        console.log(`Workflow:  ${match.workflow_id || '-'}`);
+        console.log(`Instance:  ${match.claimed_by || '-'}`);
+        console.log(`Duration:  ${duration}`);
+        console.log(`Created:   ${match.created_at}`);
+        console.log(`Updated:   ${match.updated_at}`);
+        if (match.run_id)
+            console.log(`Run ID:    ${match.run_id}`);
+        console.log(`Input:     ${match.request_message}`);
+        // Show metadata
+        const meta = match.metadata;
+        const metaKeys = Object.keys(meta).filter(k => k !== 'source');
+        if (metaKeys.length > 0) {
+            console.log(`\nMetadata:`);
+            for (const key of metaKeys) {
+                console.log(`  ${key}: ${JSON.stringify(meta[key])}`);
+            }
+        }
+    });
+}
+// ---------------------------------------------------------------------------
 // Help
 // ---------------------------------------------------------------------------
 function printHelp() {
     console.log(`
-Visor Tasks - Monitor and manage A2A agent tasks
+Visor Tasks - Monitor and manage agent tasks
 
 USAGE:
   visor tasks [command] [options]
 
 COMMANDS:
   list                            List tasks (default)
+  show <task-id>                  Show task details (supports prefix match)
   stats                           Queue summary statistics
   cancel <task-id>                Cancel a task
   help                            Show this help
@@ -168681,6 +168761,7 @@ OPTIONS:
 
 EXAMPLES:
   visor tasks                     List all tasks
+  visor tasks show abc123         Show full task details
   visor tasks list --state working   Show only working tasks
   visor tasks list --agent security-review   Show tasks for a specific agent
   visor tasks list --output json  JSON output
@@ -168704,6 +168785,9 @@ async function handleTasksCommand(argv) {
         case 'list':
             await handleList(flags);
             break;
+        case 'show':
+            await handleShow(positional, flags);
+            break;
         case 'stats':
             await handleStats(flags);
             break;
@@ -168730,6 +168814,93 @@ async function handleTasksCommand(argv) {
 }
 
 
+/***/ }),
+
+/***/ 7628:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Shared execution tracking helper.
+ *
+ * Wraps any engine execution call with task lifecycle management:
+ * creates a task in 'submitted' state, transitions to 'working',
+ * runs the executor, then sets terminal state (completed/failed).
+ *
+ * Used by CLI, Slack, TUI, and Scheduler frontends when task_tracking is enabled.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.trackExecution = trackExecution;
+const crypto_1 = __importDefault(__nccwpck_require__(76982));
+const path_1 = __importDefault(__nccwpck_require__(16928));
+const logger_1 = __nccwpck_require__(86999);
+const lazy_otel_1 = __nccwpck_require__(21084);
+const instance_id_1 = __nccwpck_require__(89942);
+/**
+ * Wrap an engine execution call with task lifecycle tracking.
+ *
+ * Creates a task, transitions to 'working', runs the executor,
+ * then sets terminal state. Returns both the task and the original result.
+ * Re-throws any executor error after marking the task as failed.
+ */
+async function trackExecution(opts, executor) {
+    const { taskStore, source, configPath, metadata, messageText } = opts;
+    const configName = configPath ? path_1.default.basename(configPath, path_1.default.extname(configPath)) : undefined;
+    const workflowId = configName && opts.workflowId ? `${configName}#${opts.workflowId}` : opts.workflowId;
+    const requestMessage = {
+        message_id: crypto_1.default.randomUUID(),
+        role: 'user',
+        parts: [{ text: messageText }],
+    };
+    const task = taskStore.createTask({
+        contextId: crypto_1.default.randomUUID(),
+        requestMessage,
+        workflowId,
+        requestMetadata: {
+            source,
+            instance_id: (0, instance_id_1.getInstanceId)(),
+            trace_id: lazy_otel_1.trace.getActiveSpan()?.spanContext().traceId || undefined,
+            ...metadata,
+        },
+    });
+    const instanceId = (0, instance_id_1.getInstanceId)();
+    taskStore.updateTaskState(task.id, 'working');
+    taskStore.claimTask(task.id, instanceId);
+    logger_1.logger.info(`[TaskTracking] Task ${task.id} started (source=${source}, workflow=${workflowId || '-'}, instance=${instanceId})`);
+    try {
+        const result = await executor();
+        const completedMsg = {
+            message_id: crypto_1.default.randomUUID(),
+            role: 'agent',
+            parts: [{ text: 'Execution completed' }],
+        };
+        taskStore.updateTaskState(task.id, 'completed', completedMsg);
+        logger_1.logger.info(`[TaskTracking] Task ${task.id} completed`);
+        return { task, result };
+    }
+    catch (err) {
+        const errorText = err instanceof Error ? err.message : String(err);
+        const failMessage = {
+            message_id: crypto_1.default.randomUUID(),
+            role: 'agent',
+            parts: [{ text: errorText }],
+        };
+        try {
+            taskStore.updateTaskState(task.id, 'failed', failMessage);
+            logger_1.logger.info(`[TaskTracking] Task ${task.id} failed: ${errorText}`);
+        }
+        catch {
+            // ignore double-failure
+        }
+        throw err; // re-throw to preserve original behavior
+    }
+}
+
+
 /***/ }),
 
 /***/ 43137:
@@ -171591,7 +171762,7 @@ async function handleDumpPolicyInput(checkId, argv) {
     let PolicyInputBuilder;
     try {
         // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(71370)));
+        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(17117)));
         PolicyInputBuilder = mod.PolicyInputBuilder;
     }
     catch {
@@ -172627,6 +172798,20 @@ async function main() {
         catch (err) {
             logger_1.logger.debug(`Startup snapshot failed: ${err}`);
         }
+        // ---- Shared Task Store (cross-frontend tracking) ----
+        let sharedTaskStore = null;
+        const taskTrackingEnabled = options.taskTracking || config.task_tracking === true;
+        if (taskTrackingEnabled) {
+            try {
+                const { SqliteTaskStore } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(24711)));
+                sharedTaskStore = new SqliteTaskStore();
+                await sharedTaskStore.initialize();
+                logger_1.logger.info('[TaskTracking] Shared task store initialized');
+            }
+            catch (err) {
+                logger_1.logger.warn(`[TaskTracking] Failed to initialize task store: ${err instanceof Error ? err.message : err}`);
+            }
+        }
         // ---- A2A Agent Protocol Server ----
         let a2aFrontendInstance = null;
         let sharedEngine = null;
@@ -172640,7 +172825,7 @@ async function main() {
                 process.exit(1);
             }
             const engine = new SMEngine();
-            const frontend = new A2AFrontend(agentConfig);
+            const frontend = new A2AFrontend(agentConfig, sharedTaskStore ?? undefined);
             frontend.setEngine(engine);
             frontend.setVisorConfig(config);
             const eventBus = new EventBus();
@@ -172717,6 +172902,8 @@ async function main() {
                 threads,
                 channel_allowlist: allow,
             });
+            if (sharedTaskStore)
+                runner.setTaskStore(sharedTaskStore, options.configPath);
             await runner.start();
             console.log('✅ Slack Socket Mode is running. Press Ctrl+C to exit.');
             // Start config file watcher if --watch is enabled
@@ -172773,6 +172960,12 @@ async function main() {
                     }
                 }
                 await runner.stop();
+                if (sharedTaskStore) {
+                    try {
+                        await sharedTaskStore.shutdown();
+                    }
+                    catch { }
+                }
                 process.exit(0);
             };
             process.on('SIGINT', sig => {
@@ -173144,12 +173337,27 @@ async function main() {
                         conversation: tuiConversation,
                     });
                     // Execute workflow
-                    const rerunResult = await (0, trace_helpers_1.withActiveSpan)('visor.run', {
+                    const tuiExecFn = () => (0, trace_helpers_1.withActiveSpan)('visor.run', {
                         ...(0, trace_helpers_1.getVisorRunAttributes)(),
                         'visor.run.checks_configured': checksToRun.length,
                         'visor.run.source': 'tui-rerun',
                     }, async () => rerunEngine.executeGroupedChecks(prInfo, checksToRun, options.timeout, config, options.output, options.debug || false, options.maxParallelism, options.failFast, tagFilter, async () => { } // No pause gate for TUI re-runs
                     ));
+                    let rerunResult;
+                    if (sharedTaskStore) {
+                        const { trackExecution } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7628)));
+                        const tracked = await trackExecution({
+                            taskStore: sharedTaskStore,
+                            source: 'tui',
+                            workflowId: checksToRun.join(','),
+                            configPath: options.configPath,
+                            messageText: message,
+                        }, tuiExecFn);
+                        rerunResult = tracked.result;
+                    }
+                    else {
+                        rerunResult = await tuiExecFn();
+                    }
                     // Show any errors and the last result in the chat
                     if (rerunResult?.results) {
                         const allRerunResults = Object.values(rerunResult.results).flat();
@@ -173251,7 +173459,21 @@ async function main() {
             process.exit(0);
         }
         else {
-            executionResult = await (0, trace_helpers_1.withActiveSpan)('visor.run', { ...(0, trace_helpers_1.getVisorRunAttributes)(), 'visor.run.checks_configured': checksToRun.length }, async () => engine.executeGroupedChecks(prInfo, checksToRun, options.timeout, config, options.output, options.debug || false, options.maxParallelism, options.failFast, tagFilter, pauseGate));
+            const cliExecFn = () => (0, trace_helpers_1.withActiveSpan)('visor.run', { ...(0, trace_helpers_1.getVisorRunAttributes)(), 'visor.run.checks_configured': checksToRun.length }, async () => engine.executeGroupedChecks(prInfo, checksToRun, options.timeout, config, options.output, options.debug || false, options.maxParallelism, options.failFast, tagFilter, pauseGate));
+            if (sharedTaskStore) {
+                const { trackExecution } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7628)));
+                const tracked = await trackExecution({
+                    taskStore: sharedTaskStore,
+                    source: 'cli',
+                    workflowId: checksToRun.join(','),
+                    configPath: options.configPath,
+                    messageText: options.message || `CLI run: ${checksToRun.join(', ')}`,
+                }, cliExecFn);
+                executionResult = tracked.result;
+            }
+            else {
+                executionResult = await cliExecFn();
+            }
         }
         // Extract results and statistics from the execution result
         const { results: groupedResults, statistics: executionStatistics } = executionResult;
@@ -173443,6 +173665,12 @@ async function main() {
             return;
         }
         // Normal exit path (no debug server)
+        if (sharedTaskStore) {
+            try {
+                await sharedTaskStore.shutdown();
+            }
+            catch { }
+        }
         try {
             await (0, fallback_ndjson_1.flushNdjson)();
         }
@@ -173652,6 +173880,7 @@ class CLI {
             .option('--workspace-name <name>', 'Workspace directory name (overrides VISOR_WORKSPACE_NAME)')
             .option('--workspace-project-name <name>', 'Main project folder name inside workspace (overrides VISOR_WORKSPACE_PROJECT)')
             .option('--watch', 'Watch config file for changes and reload automatically (requires --config)')
+            .option('--task-tracking', 'Enable cross-frontend task tracking (all executions recorded in visor tasks)')
             .option('--github-token <token>', 'GitHub token for API operations (env: GITHUB_TOKEN)')
             .option('--github-app-id <id>', 'GitHub App ID (env: GITHUB_APP_ID)')
             .option('--github-private-key <key>', 'GitHub App private key, PEM content or file path (env: GITHUB_APP_PRIVATE_KEY)')
@@ -173713,6 +173942,7 @@ class CLI {
                 .option('--workspace-name <name>', 'Workspace directory name (overrides VISOR_WORKSPACE_NAME)')
                 .option('--workspace-project-name <name>', 'Main project folder name inside workspace (overrides VISOR_WORKSPACE_PROJECT)')
                 .option('--watch', 'Watch config file for changes and reload automatically (requires --config)')
+                .option('--task-tracking', 'Enable cross-frontend task tracking (all executions recorded in visor tasks)')
                 .option('--github-token <token>', 'GitHub token for API operations (env: GITHUB_TOKEN)')
                 .option('--github-app-id <id>', 'GitHub App ID (env: GITHUB_APP_ID)')
                 .option('--github-private-key <key>', 'GitHub App private key, PEM content or file path (env: GITHUB_APP_PRIVATE_KEY)')
@@ -173787,6 +174017,7 @@ class CLI {
                 workspaceName: options.workspaceName,
                 workspaceProjectName: options.workspaceProjectName,
                 watch: Boolean(options.watch),
+                taskTracking: Boolean(options.taskTracking),
                 githubToken: options.githubToken,
                 githubAppId: options.githubAppId,
                 githubPrivateKey: options.githubPrivateKey,
@@ -177560,6 +177791,1810 @@ class DependencyResolver {
 exports.DependencyResolver = DependencyResolver;
 
 
+/***/ }),
+
+/***/ 50069:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.LicenseValidator = void 0;
+const crypto = __importStar(__nccwpck_require__(76982));
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+class LicenseValidator {
+    /** Ed25519 public key for license verification (PEM format). */
+    static PUBLIC_KEY = '-----BEGIN PUBLIC KEY-----\n' +
+        'MCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n' +
+        '-----END PUBLIC KEY-----\n';
+    cache = null;
+    static CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+    static GRACE_PERIOD = 72 * 3600 * 1000; // 72 hours after expiry
+    /**
+     * Load and validate license from environment or file.
+     *
+     * Resolution order:
+     * 1. VISOR_LICENSE env var (JWT string)
+     * 2. VISOR_LICENSE_FILE env var (path to file)
+     * 3. .visor-license in project root (cwd)
+     * 4. .visor-license in ~/.config/visor/
+     */
+    async loadAndValidate() {
+        // Return cached result if still fresh
+        if (this.cache && Date.now() - this.cache.validatedAt < LicenseValidator.CACHE_TTL) {
+            return this.cache.payload;
+        }
+        const token = this.resolveToken();
+        if (!token)
+            return null;
+        const payload = this.verifyAndDecode(token);
+        if (!payload)
+            return null;
+        this.cache = { payload, validatedAt: Date.now() };
+        return payload;
+    }
+    /** Check if a specific feature is licensed */
+    hasFeature(feature) {
+        if (!this.cache)
+            return false;
+        return this.cache.payload.features.includes(feature);
+    }
+    /** Check if license is valid (with grace period) */
+    isValid() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    /** Check if the license is within its grace period (expired but still valid) */
+    isInGracePeriod() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now >= expiryMs && now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    resolveToken() {
+        // 1. Direct env var
+        if (process.env.VISOR_LICENSE) {
+            return process.env.VISOR_LICENSE.trim();
+        }
+        // 2. File path from env (validate against path traversal)
+        if (process.env.VISOR_LICENSE_FILE) {
+            // path.resolve() produces an absolute path with all '..' segments resolved,
+            // so a separate resolved.includes('..') check is unnecessary.
+            const resolved = path.resolve(process.env.VISOR_LICENSE_FILE);
+            const home = process.env.HOME || process.env.USERPROFILE || '';
+            const allowedPrefixes = [path.normalize(process.cwd())];
+            if (home)
+                allowedPrefixes.push(path.normalize(path.join(home, '.config', 'visor')));
+            // Resolve symlinks so an attacker cannot create a symlink inside an
+            // allowed prefix that points to an arbitrary file outside it.
+            let realPath;
+            try {
+                realPath = fs.realpathSync(resolved);
+            }
+            catch {
+                return null; // File doesn't exist or isn't accessible
+            }
+            const isSafe = allowedPrefixes.some(prefix => realPath === prefix || realPath.startsWith(prefix + path.sep));
+            if (!isSafe)
+                return null;
+            return this.readFile(realPath);
+        }
+        // 3. .visor-license in cwd
+        const cwdPath = path.join(process.cwd(), '.visor-license');
+        const cwdToken = this.readFile(cwdPath);
+        if (cwdToken)
+            return cwdToken;
+        // 4. ~/.config/visor/.visor-license
+        const home = process.env.HOME || process.env.USERPROFILE || '';
+        if (home) {
+            const configPath = path.join(home, '.config', 'visor', '.visor-license');
+            const configToken = this.readFile(configPath);
+            if (configToken)
+                return configToken;
+        }
+        return null;
+    }
+    readFile(filePath) {
+        try {
+            return fs.readFileSync(filePath, 'utf-8').trim();
+        }
+        catch {
+            return null;
+        }
+    }
+    verifyAndDecode(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const [headerB64, payloadB64, signatureB64] = parts;
+            // Decode header to verify algorithm
+            const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
+            if (header.alg !== 'EdDSA')
+                return null;
+            // Verify signature
+            const data = `${headerB64}.${payloadB64}`;
+            const signature = Buffer.from(signatureB64, 'base64url');
+            const publicKey = crypto.createPublicKey(LicenseValidator.PUBLIC_KEY);
+            // Validate that the loaded public key is actually Ed25519 (OID 1.3.101.112).
+            // This prevents algorithm-confusion attacks if the embedded key were ever
+            // swapped to a different type.
+            if (publicKey.asymmetricKeyType !== 'ed25519') {
+                return null;
+            }
+            // Ed25519 verification: algorithm must be null because EdDSA performs its
+            // own internal hashing (SHA-512) — passing a digest algorithm here would
+            // cause Node.js to throw. The key type is validated above.
+            const isValid = crypto.verify(null, Buffer.from(data), publicKey, signature);
+            if (!isValid)
+                return null;
+            // Decode payload
+            const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+            // Validate required fields
+            if (!payload.org ||
+                !Array.isArray(payload.features) ||
+                typeof payload.exp !== 'number' ||
+                typeof payload.iat !== 'number' ||
+                !payload.sub) {
+                return null;
+            }
+            // Check expiry (with grace period)
+            const now = Date.now();
+            const expiryMs = payload.exp * 1000;
+            if (now >= expiryMs + LicenseValidator.GRACE_PERIOD) {
+                return null;
+            }
+            return payload;
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.LicenseValidator = LicenseValidator;
+
+
+/***/ }),
+
+/***/ 87068:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.loadEnterprisePolicyEngine = loadEnterprisePolicyEngine;
+exports.loadEnterpriseStoreBackend = loadEnterpriseStoreBackend;
+const default_engine_1 = __nccwpck_require__(93866);
+/**
+ * Load the enterprise policy engine if licensed, otherwise return the default no-op engine.
+ *
+ * This is the sole import boundary between OSS and enterprise code. Core code
+ * must only import from this module (via dynamic `await import()`), never from
+ * individual enterprise submodules.
+ */
+async function loadEnterprisePolicyEngine(config) {
+    try {
+        const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+        const validator = new LicenseValidator();
+        const license = await validator.loadAndValidate();
+        if (!license || !validator.hasFeature('policy')) {
+            return new default_engine_1.DefaultPolicyEngine();
+        }
+        if (validator.isInGracePeriod()) {
+            // eslint-disable-next-line no-console
+            console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+                'Please renew your license.');
+        }
+        const { OpaPolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(39530)));
+        const engine = new OpaPolicyEngine(config);
+        await engine.initialize(config);
+        return engine;
+    }
+    catch (err) {
+        // Enterprise code not available or initialization failed
+        const msg = err instanceof Error ? err.message : String(err);
+        try {
+            const { logger } = __nccwpck_require__(86999);
+            logger.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
+        }
+        catch {
+            // silent
+        }
+        return new default_engine_1.DefaultPolicyEngine();
+    }
+}
+/**
+ * Load the enterprise schedule store backend if licensed.
+ *
+ * @param driver Database driver ('postgresql', 'mysql', or 'mssql')
+ * @param storageConfig Storage configuration with connection details
+ * @param haConfig Optional HA configuration
+ * @throws Error if enterprise license is not available or missing 'scheduler-sql' feature
+ */
+async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
+    const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+    const validator = new LicenseValidator();
+    const license = await validator.loadAndValidate();
+    if (!license || !validator.hasFeature('scheduler-sql')) {
+        throw new Error(`The ${driver} schedule storage driver requires a Visor Enterprise license ` +
+            `with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`);
+    }
+    if (validator.isInGracePeriod()) {
+        // eslint-disable-next-line no-console
+        console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+            'Please renew your license.');
+    }
+    const { KnexStoreBackend } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(63737)));
+    return new KnexStoreBackend(driver, storageConfig, haConfig);
+}
+
+
+/***/ }),
+
+/***/ 628:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaCompiler = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const os = __importStar(__nccwpck_require__(70857));
+const crypto = __importStar(__nccwpck_require__(76982));
+const child_process_1 = __nccwpck_require__(35317);
+/**
+ * OPA Rego Compiler - compiles .rego policy files to WASM bundles using the `opa` CLI.
+ *
+ * Handles:
+ * - Resolving input paths to WASM bytes (direct .wasm, directory with policy.wasm, or .rego files)
+ * - Compiling .rego files to WASM via `opa build`
+ * - Caching compiled bundles based on content hashes
+ * - Extracting policy.wasm from OPA tar.gz bundles
+ *
+ * Requires:
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaCompiler {
+    static CACHE_DIR = path.join(os.tmpdir(), 'visor-opa-cache');
+    /**
+     * Resolve the input paths to WASM bytes.
+     *
+     * Strategy:
+     * 1. If any path is a .wasm file, read it directly
+     * 2. If a directory contains policy.wasm, read it
+     * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+     */
+    async resolveWasmBytes(paths) {
+        // Collect .rego files and check for existing .wasm
+        const regoFiles = [];
+        for (const p of paths) {
+            const resolved = path.resolve(p);
+            // Reject paths containing '..' after resolution (path traversal)
+            if (path.normalize(resolved).includes('..')) {
+                throw new Error(`Policy path contains traversal sequences: ${p}`);
+            }
+            // Direct .wasm file
+            if (resolved.endsWith('.wasm') && fs.existsSync(resolved)) {
+                return fs.readFileSync(resolved);
+            }
+            if (!fs.existsSync(resolved))
+                continue;
+            const stat = fs.statSync(resolved);
+            if (stat.isDirectory()) {
+                // Check for pre-compiled policy.wasm in directory
+                const wasmCandidate = path.join(resolved, 'policy.wasm');
+                if (fs.existsSync(wasmCandidate)) {
+                    return fs.readFileSync(wasmCandidate);
+                }
+                // Collect all .rego files from directory
+                const files = fs.readdirSync(resolved);
+                for (const f of files) {
+                    if (f.endsWith('.rego')) {
+                        regoFiles.push(path.join(resolved, f));
+                    }
+                }
+            }
+            else if (resolved.endsWith('.rego')) {
+                regoFiles.push(resolved);
+            }
+        }
+        if (regoFiles.length === 0) {
+            throw new Error(`OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(', ')}`);
+        }
+        // Auto-compile .rego -> .wasm
+        return this.compileRego(regoFiles);
+    }
+    /**
+     * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+     *
+     * Caches the compiled bundle based on a content hash of all input .rego files
+     * so subsequent runs skip compilation if policies haven't changed.
+     */
+    compileRego(regoFiles) {
+        // Check that `opa` CLI is available
+        try {
+            (0, child_process_1.execFileSync)('opa', ['version'], { stdio: 'pipe' });
+        }
+        catch {
+            throw new Error('OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\n' +
+                'Or pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz ' +
+                regoFiles.join(' '));
+        }
+        // Compute content hash for cache key
+        const hash = crypto.createHash('sha256');
+        for (const f of regoFiles.sort()) {
+            hash.update(fs.readFileSync(f));
+            hash.update(f); // include filename for disambiguation
+        }
+        const cacheKey = hash.digest('hex').slice(0, 16);
+        const cacheDir = OpaCompiler.CACHE_DIR;
+        const cachedWasm = path.join(cacheDir, `${cacheKey}.wasm`);
+        // Return cached bundle if still valid
+        if (fs.existsSync(cachedWasm)) {
+            return fs.readFileSync(cachedWasm);
+        }
+        // Compile to WASM via opa build
+        fs.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        try {
+            const args = [
+                'build',
+                '-t',
+                'wasm',
+                '-e',
+                'visor', // entrypoint: the visor package tree
+                '-o',
+                bundleTar,
+                ...regoFiles,
+            ];
+            (0, child_process_1.execFileSync)('opa', args, {
+                stdio: 'pipe',
+                timeout: 30000,
+            });
+        }
+        catch (err) {
+            const stderr = err?.stderr?.toString() || '';
+            throw new Error(`Failed to compile .rego files to WASM:\n${stderr}\n` +
+                'Ensure your .rego files are valid and the `opa` CLI is installed.');
+        }
+        // Extract policy.wasm from the tar.gz bundle
+        // OPA bundles are tar.gz with /policy.wasm inside
+        try {
+            (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, '/policy.wasm'], {
+                stdio: 'pipe',
+            });
+            const extractedWasm = path.join(cacheDir, 'policy.wasm');
+            if (fs.existsSync(extractedWasm)) {
+                // Move to cache-key named file
+                fs.renameSync(extractedWasm, cachedWasm);
+            }
+        }
+        catch {
+            // Some tar implementations don't like leading /
+            try {
+                (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, 'policy.wasm'], {
+                    stdio: 'pipe',
+                });
+                const extractedWasm = path.join(cacheDir, 'policy.wasm');
+                if (fs.existsSync(extractedWasm)) {
+                    fs.renameSync(extractedWasm, cachedWasm);
+                }
+            }
+            catch (err2) {
+                throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
+            }
+        }
+        // Clean up tar
+        try {
+            fs.unlinkSync(bundleTar);
+        }
+        catch { }
+        if (!fs.existsSync(cachedWasm)) {
+            throw new Error('OPA build succeeded but policy.wasm was not found in the bundle');
+        }
+        return fs.readFileSync(cachedWasm);
+    }
+}
+exports.OpaCompiler = OpaCompiler;
+
+
+/***/ }),
+
+/***/ 44693:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaHttpEvaluator = void 0;
+/**
+ * OPA HTTP Evaluator - evaluates policies via an external OPA server's REST API.
+ *
+ * Uses the built-in `fetch` API (Node 18+), so no extra dependencies are needed.
+ */
+class OpaHttpEvaluator {
+    baseUrl;
+    timeout;
+    constructor(baseUrl, timeout = 5000) {
+        // Validate URL format and protocol
+        let parsed;
+        try {
+            parsed = new URL(baseUrl);
+        }
+        catch {
+            throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
+        }
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            throw new Error(`OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`);
+        }
+        // Block cloud metadata, loopback, link-local, and private network addresses
+        const hostname = parsed.hostname;
+        if (this.isBlockedHostname(hostname)) {
+            throw new Error(`OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`);
+        }
+        // Normalize: strip trailing slash
+        this.baseUrl = baseUrl.replace(/\/+$/, '');
+        this.timeout = timeout;
+    }
+    /**
+     * Check if a hostname is blocked due to SSRF concerns.
+     *
+     * Blocks:
+     * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+     * - Link-local addresses (169.254.x.x)
+     * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+     * - IPv6 unique local addresses (fd00::/8)
+     * - Cloud metadata services (*.internal)
+     */
+    isBlockedHostname(hostname) {
+        if (!hostname)
+            return true; // block empty hostnames
+        // Normalize hostname: lowercase and remove brackets for IPv6
+        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, '');
+        // Block .internal domains (cloud metadata services)
+        if (normalized === 'metadata.google.internal' || normalized.endsWith('.internal')) {
+            return true;
+        }
+        // Block localhost variants
+        if (normalized === 'localhost' || normalized === 'localhost.localdomain') {
+            return true;
+        }
+        // Block IPv6 loopback
+        if (normalized === '::1' || normalized === '0:0:0:0:0:0:0:1') {
+            return true;
+        }
+        // Check IPv4 patterns
+        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = normalized.match(ipv4Pattern);
+        if (ipv4Match) {
+            const octets = ipv4Match.slice(1, 5).map(Number);
+            // Validate octets are in range [0, 255]
+            if (octets.some(octet => octet > 255)) {
+                return false;
+            }
+            const [a, b] = octets;
+            // Block loopback: 127.0.0.0/8
+            if (a === 127) {
+                return true;
+            }
+            // Block 0.0.0.0/8 (this host)
+            if (a === 0) {
+                return true;
+            }
+            // Block link-local: 169.254.0.0/16
+            if (a === 169 && b === 254) {
+                return true;
+            }
+            // Block private networks
+            // 10.0.0.0/8
+            if (a === 10) {
+                return true;
+            }
+            // 172.16.0.0/12 (172.16.x.x through 172.31.x.x)
+            if (a === 172 && b >= 16 && b <= 31) {
+                return true;
+            }
+            // 192.168.0.0/16
+            if (a === 192 && b === 168) {
+                return true;
+            }
+        }
+        // Check IPv6 patterns
+        // Block unique local addresses: fd00::/8
+        if (normalized.startsWith('fd') || normalized.startsWith('fc')) {
+            return true;
+        }
+        // Block link-local: fe80::/10
+        if (normalized.startsWith('fe80:')) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Evaluate a policy rule against an input document via OPA REST API.
+     *
+     * @param input - The input document to evaluate
+     * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+     * @returns The result object from OPA, or undefined on error
+     */
+    async evaluate(input, rulePath) {
+        // OPA Data API: POST /v1/data/<path>
+        const encodedPath = rulePath
+            .split('/')
+            .map(s => encodeURIComponent(s))
+            .join('/');
+        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ input }),
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
+            }
+            let body;
+            try {
+                body = await response.json();
+            }
+            catch (jsonErr) {
+                throw new Error(`OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`);
+            }
+            // OPA returns { result: { ... } }
+            return body?.result;
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    async shutdown() {
+        // No persistent connections to close
+    }
+}
+exports.OpaHttpEvaluator = OpaHttpEvaluator;
+
+
+/***/ }),
+
+/***/ 39530:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaPolicyEngine = void 0;
+const opa_wasm_evaluator_1 = __nccwpck_require__(8613);
+const opa_http_evaluator_1 = __nccwpck_require__(44693);
+const policy_input_builder_1 = __nccwpck_require__(17117);
+/**
+ * Enterprise OPA Policy Engine.
+ *
+ * Wraps both WASM (local) and HTTP (remote) OPA evaluators behind the
+ * OSS PolicyEngine interface. All OPA input building and role resolution
+ * is handled internally — the OSS call sites pass only plain types.
+ */
+class OpaPolicyEngine {
+    evaluator = null;
+    fallback;
+    timeout;
+    config;
+    inputBuilder = null;
+    logger = null;
+    constructor(config) {
+        this.config = config;
+        this.fallback = config.fallback || 'deny';
+        this.timeout = config.timeout || 5000;
+    }
+    async initialize(config) {
+        // Resolve logger once at initialization
+        try {
+            this.logger = (__nccwpck_require__(86999).logger);
+        }
+        catch {
+            // logger not available in this context
+        }
+        // Build actor/repo context from environment (available at engine init time)
+        const actor = {
+            authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
+            login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
+            isLocalMode: !process.env.GITHUB_ACTIONS,
+        };
+        const repo = {
+            owner: process.env.GITHUB_REPOSITORY_OWNER,
+            name: process.env.GITHUB_REPOSITORY?.split('/')[1],
+            branch: process.env.GITHUB_HEAD_REF,
+            baseBranch: process.env.GITHUB_BASE_REF,
+            event: process.env.GITHUB_EVENT_NAME,
+        };
+        const prNum = process.env.GITHUB_PR_NUMBER
+            ? parseInt(process.env.GITHUB_PR_NUMBER, 10)
+            : undefined;
+        const pullRequest = {
+            number: prNum !== undefined && Number.isFinite(prNum) ? prNum : undefined,
+        };
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(config, actor, repo, pullRequest);
+        if (config.engine === 'local') {
+            if (!config.rules) {
+                throw new Error('OPA local mode requires `policy.rules` path to .wasm or .rego files');
+            }
+            const wasm = new opa_wasm_evaluator_1.OpaWasmEvaluator();
+            await wasm.initialize(config.rules);
+            if (config.data) {
+                wasm.loadData(config.data);
+            }
+            this.evaluator = wasm;
+        }
+        else if (config.engine === 'remote') {
+            if (!config.url) {
+                throw new Error('OPA remote mode requires `policy.url` pointing to OPA server');
+            }
+            this.evaluator = new opa_http_evaluator_1.OpaHttpEvaluator(config.url, this.timeout);
+        }
+        else {
+            this.evaluator = null;
+        }
+    }
+    /**
+     * Update actor/repo/PR context (e.g., after PR info becomes available).
+     * Called by the enterprise loader when engine context is enriched.
+     */
+    setActorContext(actor, repo, pullRequest) {
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(this.config, actor, repo, pullRequest);
+    }
+    async evaluateCheckExecution(checkId, checkConfig) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const cfg = checkConfig && typeof checkConfig === 'object'
+            ? checkConfig
+            : {};
+        const policyOverride = cfg.policy;
+        const input = this.inputBuilder.forCheckExecution({
+            id: checkId,
+            type: cfg.type || 'ai',
+            group: cfg.group,
+            tags: cfg.tags,
+            criticality: cfg.criticality,
+            sandbox: cfg.sandbox,
+            policy: policyOverride,
+        });
+        return this.doEvaluate(input, this.resolveRulePath('check.execute', policyOverride?.rule));
+    }
+    async evaluateToolInvocation(serverName, methodName, transport) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
+        return this.doEvaluate(input, 'visor/tool/invoke');
+    }
+    async evaluateCapabilities(checkId, capabilities) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
+        return this.doEvaluate(input, 'visor/capability/resolve');
+    }
+    async shutdown() {
+        if (this.evaluator && 'shutdown' in this.evaluator) {
+            await this.evaluator.shutdown();
+        }
+        this.evaluator = null;
+        this.inputBuilder = null;
+    }
+    resolveRulePath(defaultScope, override) {
+        if (override) {
+            return override.startsWith('visor/') ? override : `visor/${override}`;
+        }
+        return `visor/${defaultScope.replace(/\./g, '/')}`;
+    }
+    async doEvaluate(input, rulePath) {
+        try {
+            this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
+            let timer;
+            const timeoutPromise = new Promise((_resolve, reject) => {
+                timer = setTimeout(() => reject(new Error('policy evaluation timeout')), this.timeout);
+            });
+            try {
+                const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
+                const decision = this.parseDecision(result);
+                // In warn mode, override denied decisions to allowed but flag as warn
+                if (!decision.allowed && this.fallback === 'warn') {
+                    decision.allowed = true;
+                    decision.warn = true;
+                    decision.reason = `audit: ${decision.reason || 'policy denied'}`;
+                }
+                this.logger?.debug(`[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || 'none'}`);
+                return decision;
+            }
+            finally {
+                if (timer)
+                    clearTimeout(timer);
+            }
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: `policy evaluation failed, fallback=${this.fallback}`,
+            };
+        }
+    }
+    async rawEvaluate(input, rulePath) {
+        if (this.evaluator instanceof opa_wasm_evaluator_1.OpaWasmEvaluator) {
+            const result = await this.evaluator.evaluate(input);
+            // WASM compiled with `-e visor` entrypoint returns the full visor package tree.
+            // Navigate to the specific rule subtree using rulePath segments.
+            // e.g., 'visor/check/execute' → result.check.execute
+            return this.navigateWasmResult(result, rulePath);
+        }
+        return this.evaluator.evaluate(input, rulePath);
+    }
+    /**
+     * Navigate nested OPA WASM result tree to reach the specific rule's output.
+     * The WASM entrypoint `-e visor` means the result root IS the visor package,
+     * so we strip the `visor/` prefix and walk the remaining segments.
+     */
+    navigateWasmResult(result, rulePath) {
+        if (!result || typeof result !== 'object')
+            return result;
+        // Strip the 'visor/' prefix (matches our compilation entrypoint)
+        const segments = rulePath.replace(/^visor\//, '').split('/');
+        let current = result;
+        for (const seg of segments) {
+            if (current && typeof current === 'object' && seg in current) {
+                current = current[seg];
+            }
+            else {
+                return undefined; // path not found in result tree
+            }
+        }
+        return current;
+    }
+    parseDecision(result) {
+        if (result === undefined || result === null) {
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: this.fallback === 'warn' ? 'audit: no policy result' : 'no policy result',
+            };
+        }
+        const allowed = result.allowed !== false;
+        const decision = {
+            allowed,
+            reason: result.reason,
+        };
+        if (result.capabilities) {
+            decision.capabilities = result.capabilities;
+        }
+        return decision;
+    }
+}
+exports.OpaPolicyEngine = OpaPolicyEngine;
+
+
+/***/ }),
+
+/***/ 8613:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaWasmEvaluator = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const opa_compiler_1 = __nccwpck_require__(628);
+/**
+ * OPA WASM Evaluator - loads and evaluates OPA policies locally.
+ *
+ * Supports three input formats:
+ * 1. Pre-compiled `.wasm` bundle — loaded directly (fastest startup)
+ * 2. `.rego` files or directory — auto-compiled to WASM via `opa build` CLI
+ * 3. Directory with `policy.wasm` inside — loaded directly
+ *
+ * Compilation and caching of .rego files is delegated to {@link OpaCompiler}.
+ *
+ * Requires:
+ * - `@open-policy-agent/opa-wasm` npm package (optional dep)
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaWasmEvaluator {
+    policy = null;
+    dataDocument = {};
+    compiler = new opa_compiler_1.OpaCompiler();
+    async initialize(rulesPath) {
+        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
+        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
+        try {
+            // Use createRequire to load the optional dep at runtime without ncc bundling it.
+            // `new Function('id', 'return require(id)')` fails in ncc bundles because
+            // `require` is not in the `new Function` scope. `createRequire` works correctly
+            // because it creates a real Node.js require rooted at the given path.
+            // eslint-disable-next-line @typescript-eslint/no-var-requires
+            const { createRequire } = __nccwpck_require__(73339);
+            const runtimeRequire = createRequire(__filename);
+            const opaWasm = runtimeRequire('@open-policy-agent/opa-wasm');
+            const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
+            if (!loadPolicy) {
+                throw new Error('loadPolicy not found in @open-policy-agent/opa-wasm');
+            }
+            this.policy = await loadPolicy(wasmBytes);
+        }
+        catch (err) {
+            if (err?.code === 'MODULE_NOT_FOUND' || err?.code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('OPA WASM evaluator requires @open-policy-agent/opa-wasm. ' +
+                    'Install it with: npm install @open-policy-agent/opa-wasm');
+            }
+            throw err;
+        }
+    }
+    /**
+     * Load external data from a JSON file to use as the OPA data document.
+     * The loaded data will be passed to `policy.setData()` during evaluation,
+     * making it available in Rego via `data.<key>`.
+     */
+    loadData(dataPath) {
+        const resolved = path.resolve(dataPath);
+        if (path.normalize(resolved).includes('..')) {
+            throw new Error(`Data path contains traversal sequences: ${dataPath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`OPA data file not found: ${resolved}`);
+        }
+        const stat = fs.statSync(resolved);
+        if (stat.size > 10 * 1024 * 1024) {
+            throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
+        }
+        const raw = fs.readFileSync(resolved, 'utf-8');
+        try {
+            const parsed = JSON.parse(raw);
+            if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+                throw new Error('OPA data file must contain a JSON object (not an array or primitive)');
+            }
+            this.dataDocument = parsed;
+        }
+        catch (err) {
+            if (err.message.startsWith('OPA data file must')) {
+                throw err;
+            }
+            throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
+        }
+    }
+    async evaluate(input) {
+        if (!this.policy) {
+            throw new Error('OPA WASM evaluator not initialized');
+        }
+        this.policy.setData(this.dataDocument);
+        const resultSet = this.policy.evaluate(input);
+        if (Array.isArray(resultSet) && resultSet.length > 0) {
+            return resultSet[0].result;
+        }
+        return undefined;
+    }
+    async shutdown() {
+        if (this.policy) {
+            // opa-wasm policy objects may have a close/free method for WASM cleanup
+            if (typeof this.policy.close === 'function') {
+                try {
+                    this.policy.close();
+                }
+                catch { }
+            }
+            else if (typeof this.policy.free === 'function') {
+                try {
+                    this.policy.free();
+                }
+                catch { }
+            }
+        }
+        this.policy = null;
+    }
+}
+exports.OpaWasmEvaluator = OpaWasmEvaluator;
+
+
+/***/ }),
+
+/***/ 17117:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.PolicyInputBuilder = void 0;
+/**
+ * Builds OPA-compatible input documents from engine context.
+ *
+ * Resolves actor roles from the `policy.roles` config section by matching
+ * the actor's authorAssociation and login against role definitions.
+ */
+class PolicyInputBuilder {
+    roles;
+    actor;
+    repository;
+    pullRequest;
+    constructor(policyConfig, actor, repository, pullRequest) {
+        this.roles = policyConfig.roles || {};
+        this.actor = actor;
+        this.repository = repository;
+        this.pullRequest = pullRequest;
+    }
+    /** Resolve which roles apply to the current actor. */
+    resolveRoles() {
+        const matched = [];
+        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
+            let identityMatch = false;
+            if (roleConfig.author_association &&
+                this.actor.authorAssociation &&
+                roleConfig.author_association.includes(this.actor.authorAssociation)) {
+                identityMatch = true;
+            }
+            if (!identityMatch &&
+                roleConfig.users &&
+                this.actor.login &&
+                roleConfig.users.includes(this.actor.login)) {
+                identityMatch = true;
+            }
+            // Slack user ID match
+            if (!identityMatch &&
+                roleConfig.slack_users &&
+                this.actor.slack?.userId &&
+                roleConfig.slack_users.includes(this.actor.slack.userId)) {
+                identityMatch = true;
+            }
+            // Email match (case-insensitive)
+            if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
+                const actorEmail = this.actor.slack.email.toLowerCase();
+                if (roleConfig.emails.some(e => e.toLowerCase() === actorEmail)) {
+                    identityMatch = true;
+                }
+            }
+            // Note: teams-based role resolution requires GitHub API access (read:org scope)
+            // and is not yet implemented. If configured, the role will not match via teams.
+            if (!identityMatch)
+                continue;
+            // slack_channels gate: if set, the role only applies when triggered from one of these channels
+            if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
+                if (!this.actor.slack?.channelId ||
+                    !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
+                    continue;
+                }
+            }
+            matched.push(roleName);
+        }
+        return matched;
+    }
+    buildActor() {
+        return {
+            authorAssociation: this.actor.authorAssociation,
+            login: this.actor.login,
+            roles: this.resolveRoles(),
+            isLocalMode: this.actor.isLocalMode,
+            ...(this.actor.slack && { slack: this.actor.slack }),
+        };
+    }
+    forCheckExecution(check) {
+        return {
+            scope: 'check.execute',
+            check: {
+                id: check.id,
+                type: check.type,
+                group: check.group,
+                tags: check.tags,
+                criticality: check.criticality,
+                sandbox: check.sandbox,
+                policy: check.policy,
+            },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forToolInvocation(serverName, methodName, transport) {
+        return {
+            scope: 'tool.invoke',
+            tool: { serverName, methodName, transport },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forCapabilityResolve(checkId, capabilities) {
+        return {
+            scope: 'capability.resolve',
+            check: { id: checkId, type: 'ai' },
+            capability: capabilities,
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+}
+exports.PolicyInputBuilder = PolicyInputBuilder;
+
+
+/***/ }),
+
+/***/ 63737:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.KnexStoreBackend = void 0;
+/**
+ * Knex-backed schedule store for PostgreSQL, MySQL, and MSSQL (Enterprise)
+ *
+ * Uses Knex query builder for database-agnostic SQL. Same schema as SQLite backend
+ * but with real distributed locking via row-level claims (claimed_by/claimed_at/lock_token).
+ */
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const uuid_1 = __nccwpck_require__(31914);
+const logger_1 = __nccwpck_require__(86999);
+function toNum(val) {
+    if (val === null || val === undefined)
+        return undefined;
+    return typeof val === 'string' ? parseInt(val, 10) : val;
+}
+function safeJsonParse(value) {
+    if (!value)
+        return undefined;
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        return undefined;
+    }
+}
+function fromTriggerRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        description: row.description ?? undefined,
+        channels: safeJsonParse(row.channels),
+        fromUsers: safeJsonParse(row.from_users),
+        fromBots: row.from_bots === true || row.from_bots === 1,
+        contains: safeJsonParse(row.contains),
+        matchPattern: row.match_pattern ?? undefined,
+        threads: row.threads,
+        workflow: row.workflow,
+        inputs: safeJsonParse(row.inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        enabled: row.enabled === true || row.enabled === 1,
+        createdAt: toNum(row.created_at),
+    };
+}
+function toTriggerInsertRow(trigger) {
+    return {
+        id: trigger.id,
+        creator_id: trigger.creatorId,
+        creator_context: trigger.creatorContext ?? null,
+        creator_name: trigger.creatorName ?? null,
+        description: trigger.description ?? null,
+        channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
+        from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
+        from_bots: trigger.fromBots,
+        contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
+        match_pattern: trigger.matchPattern ?? null,
+        threads: trigger.threads,
+        workflow: trigger.workflow,
+        inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
+        output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
+        status: trigger.status,
+        enabled: trigger.enabled,
+        created_at: trigger.createdAt,
+    };
+}
+function fromDbRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        timezone: row.timezone,
+        schedule: row.schedule_expr,
+        runAt: toNum(row.run_at),
+        isRecurring: row.is_recurring === true || row.is_recurring === 1,
+        originalExpression: row.original_expression,
+        workflow: row.workflow ?? undefined,
+        workflowInputs: safeJsonParse(row.workflow_inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        createdAt: toNum(row.created_at),
+        lastRunAt: toNum(row.last_run_at),
+        nextRunAt: toNum(row.next_run_at),
+        runCount: row.run_count,
+        failureCount: row.failure_count,
+        lastError: row.last_error ?? undefined,
+        previousResponse: row.previous_response ?? undefined,
+    };
+}
+function toInsertRow(schedule) {
+    return {
+        id: schedule.id,
+        creator_id: schedule.creatorId,
+        creator_context: schedule.creatorContext ?? null,
+        creator_name: schedule.creatorName ?? null,
+        timezone: schedule.timezone,
+        schedule_expr: schedule.schedule,
+        run_at: schedule.runAt ?? null,
+        is_recurring: schedule.isRecurring,
+        original_expression: schedule.originalExpression,
+        workflow: schedule.workflow ?? null,
+        workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
+        output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
+        status: schedule.status,
+        created_at: schedule.createdAt,
+        last_run_at: schedule.lastRunAt ?? null,
+        next_run_at: schedule.nextRunAt ?? null,
+        run_count: schedule.runCount,
+        failure_count: schedule.failureCount,
+        last_error: schedule.lastError ?? null,
+        previous_response: schedule.previousResponse ?? null,
+    };
+}
+/**
+ * Enterprise Knex-backed store for PostgreSQL, MySQL, and MSSQL
+ */
+class KnexStoreBackend {
+    knex = null;
+    driver;
+    connection;
+    constructor(driver, storageConfig, _haConfig) {
+        this.driver = driver;
+        this.connection = (storageConfig.connection || {});
+    }
+    async initialize() {
+        // Load knex dynamically
+        const { createRequire } = __nccwpck_require__(73339);
+        const runtimeRequire = createRequire(__filename);
+        let knexFactory;
+        try {
+            knexFactory = runtimeRequire('knex');
+        }
+        catch (err) {
+            const code = err?.code;
+            if (code === 'MODULE_NOT_FOUND' || code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('knex is required for PostgreSQL/MySQL/MSSQL schedule storage. ' +
+                    'Install it with: npm install knex');
+            }
+            throw err;
+        }
+        const clientMap = {
+            postgresql: 'pg',
+            mysql: 'mysql2',
+            mssql: 'tedious',
+        };
+        const client = clientMap[this.driver];
+        // Build connection config
+        let connection;
+        if (this.connection.connection_string) {
+            connection = this.connection.connection_string;
+        }
+        else if (this.driver === 'mssql') {
+            connection = this.buildMssqlConnection();
+        }
+        else {
+            connection = this.buildStandardConnection();
+        }
+        this.knex = knexFactory({
+            client,
+            connection,
+            pool: {
+                min: this.connection.pool?.min ?? 0,
+                max: this.connection.pool?.max ?? 10,
+            },
+        });
+        // Run schema migration
+        await this.migrateSchema();
+        logger_1.logger.info(`[KnexStore] Initialized (${this.driver})`);
+    }
+    buildStandardConnection() {
+        return {
+            host: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            ssl: this.resolveSslConfig(),
+        };
+    }
+    buildMssqlConnection() {
+        const ssl = this.connection.ssl;
+        const sslEnabled = ssl === true || (typeof ssl === 'object' && ssl.enabled !== false);
+        return {
+            server: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            options: {
+                encrypt: sslEnabled,
+                trustServerCertificate: typeof ssl === 'object' ? ssl.reject_unauthorized === false : !sslEnabled,
+            },
+        };
+    }
+    resolveSslConfig() {
+        const ssl = this.connection.ssl;
+        if (ssl === false || ssl === undefined)
+            return false;
+        if (ssl === true)
+            return { rejectUnauthorized: true };
+        // Object config
+        if (ssl.enabled === false)
+            return false;
+        const result = {
+            rejectUnauthorized: ssl.reject_unauthorized !== false,
+        };
+        if (ssl.ca) {
+            const caPath = this.validateSslPath(ssl.ca, 'CA certificate');
+            result.ca = fs.readFileSync(caPath, 'utf8');
+        }
+        if (ssl.cert) {
+            const certPath = this.validateSslPath(ssl.cert, 'client certificate');
+            result.cert = fs.readFileSync(certPath, 'utf8');
+        }
+        if (ssl.key) {
+            const keyPath = this.validateSslPath(ssl.key, 'client key');
+            result.key = fs.readFileSync(keyPath, 'utf8');
+        }
+        return result;
+    }
+    validateSslPath(filePath, label) {
+        const resolved = path.resolve(filePath);
+        if (resolved !== path.normalize(resolved)) {
+            throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`SSL ${label} not found: ${filePath}`);
+        }
+        return resolved;
+    }
+    async shutdown() {
+        if (this.knex) {
+            await this.knex.destroy();
+            this.knex = null;
+        }
+    }
+    async migrateSchema() {
+        const knex = this.getKnex();
+        const exists = await knex.schema.hasTable('schedules');
+        if (!exists) {
+            await knex.schema.createTable('schedules', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.string('timezone', 64).notNullable().defaultTo('UTC');
+                table.string('schedule_expr', 255);
+                table.bigInteger('run_at');
+                table.boolean('is_recurring').notNullable();
+                table.text('original_expression');
+                table.string('workflow', 255);
+                table.text('workflow_inputs');
+                table.text('output_context');
+                table.string('status', 20).notNullable().index();
+                table.bigInteger('created_at').notNullable();
+                table.bigInteger('last_run_at');
+                table.bigInteger('next_run_at');
+                table.integer('run_count').notNullable().defaultTo(0);
+                table.integer('failure_count').notNullable().defaultTo(0);
+                table.text('last_error');
+                table.text('previous_response');
+                table.index(['status', 'next_run_at']);
+            });
+        }
+        // Create message_triggers table
+        const triggersExist = await knex.schema.hasTable('message_triggers');
+        if (!triggersExist) {
+            await knex.schema.createTable('message_triggers', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.text('description');
+                table.text('channels'); // JSON array
+                table.text('from_users'); // JSON array
+                table.boolean('from_bots').notNullable().defaultTo(false);
+                table.text('contains'); // JSON array
+                table.text('match_pattern');
+                table.string('threads', 20).notNullable().defaultTo('any');
+                table.string('workflow', 255).notNullable();
+                table.text('inputs'); // JSON
+                table.text('output_context'); // JSON
+                table.string('status', 20).notNullable().defaultTo('active').index();
+                table.boolean('enabled').notNullable().defaultTo(true);
+                table.bigInteger('created_at').notNullable();
+            });
+        }
+        // Create scheduler_locks table for distributed locking
+        const locksExist = await knex.schema.hasTable('scheduler_locks');
+        if (!locksExist) {
+            await knex.schema.createTable('scheduler_locks', table => {
+                table.string('lock_id', 255).primary();
+                table.string('node_id', 255).notNullable();
+                table.string('lock_token', 36).notNullable();
+                table.bigInteger('acquired_at').notNullable();
+                table.bigInteger('expires_at').notNullable();
+            });
+        }
+    }
+    getKnex() {
+        if (!this.knex) {
+            throw new Error('[KnexStore] Not initialized. Call initialize() first.');
+        }
+        return this.knex;
+    }
+    // --- CRUD ---
+    async create(schedule) {
+        const knex = this.getKnex();
+        const newSchedule = {
+            ...schedule,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+            runCount: 0,
+            failureCount: 0,
+            status: 'active',
+        };
+        await knex('schedules').insert(toInsertRow(newSchedule));
+        logger_1.logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
+        return newSchedule;
+    }
+    async importSchedule(schedule) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', schedule.id).first();
+        if (existing)
+            return; // Already imported (idempotent)
+        await knex('schedules').insert(toInsertRow(schedule));
+    }
+    async get(id) {
+        const knex = this.getKnex();
+        const row = await knex('schedules').where('id', id).first();
+        return row ? fromDbRow(row) : undefined;
+    }
+    async update(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromDbRow(existing);
+        const updated = { ...current, ...patch, id: current.id };
+        const row = toInsertRow(updated);
+        // Remove id from update (PK cannot change)
+        delete row.id;
+        await knex('schedules').where('id', id).update(row);
+        return updated;
+    }
+    async delete(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('schedules').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted schedule ${id}`);
+            return true;
+        }
+        return false;
+    }
+    // --- Queries ---
+    async getByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('creator_id', creatorId);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getActiveSchedules() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('status', 'active');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getDueSchedules(now) {
+        const ts = now ?? Date.now();
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans
+        const bFalse = this.driver === 'mssql' ? 0 : false;
+        const bTrue = this.driver === 'mssql' ? 1 : true;
+        const rows = await knex('schedules')
+            .where('status', 'active')
+            .andWhere(function () {
+            this.where(function () {
+                this.where('is_recurring', bFalse)
+                    .whereNotNull('run_at')
+                    .where('run_at', '<=', ts);
+            }).orWhere(function () {
+                this.where('is_recurring', bTrue)
+                    .whereNotNull('next_run_at')
+                    .where('next_run_at', '<=', ts);
+            });
+        });
+        return rows.map((r) => fromDbRow(r));
+    }
+    async findByWorkflow(creatorId, workflowName) {
+        const knex = this.getKnex();
+        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, '\\$&');
+        const pattern = `%${escaped}%`;
+        const rows = await knex('schedules')
+            .where('creator_id', creatorId)
+            .where('status', 'active')
+            .whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getAll() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getStats() {
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans; PostgreSQL/MySQL accept both true/1
+        const boolTrue = this.driver === 'mssql' ? '1' : 'true';
+        const boolFalse = this.driver === 'mssql' ? '0' : 'false';
+        const result = await knex('schedules')
+            .select(knex.raw('COUNT(*) as total'), knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"), knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"), knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"), knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"), knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`), knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`))
+            .first();
+        return {
+            total: Number(result.total) || 0,
+            active: Number(result.active) || 0,
+            paused: Number(result.paused) || 0,
+            completed: Number(result.completed) || 0,
+            failed: Number(result.failed) || 0,
+            recurring: Number(result.recurring) || 0,
+            oneTime: Number(result.one_time) || 0,
+        };
+    }
+    async validateLimits(creatorId, isRecurring, limits) {
+        const knex = this.getKnex();
+        if (limits.maxGlobal) {
+            const result = await knex('schedules').count('* as cnt').first();
+            if (Number(result?.cnt) >= limits.maxGlobal) {
+                throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
+            }
+        }
+        if (limits.maxPerUser) {
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxPerUser) {
+                throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
+            }
+        }
+        if (isRecurring && limits.maxRecurringPerUser) {
+            const bTrue = this.driver === 'mssql' ? 1 : true;
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .where('is_recurring', bTrue)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
+                throw new Error(`You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`);
+            }
+        }
+    }
+    // --- HA Distributed Locking (via scheduler_locks table) ---
+    async tryAcquireLock(lockId, nodeId, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const token = (0, uuid_1.v4)();
+        // Step 1: Try to claim an existing expired lock
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('expires_at', '<', now)
+            .update({
+            node_id: nodeId,
+            lock_token: token,
+            acquired_at: now,
+            expires_at: expiresAt,
+        });
+        if (updated > 0)
+            return token;
+        // Step 2: Try to INSERT a new lock row
+        try {
+            await knex('scheduler_locks').insert({
+                lock_id: lockId,
+                node_id: nodeId,
+                lock_token: token,
+                acquired_at: now,
+                expires_at: expiresAt,
+            });
+            return token;
+        }
+        catch {
+            // Unique constraint violation — another node holds the lock
+            return null;
+        }
+    }
+    async releaseLock(lockId, lockToken) {
+        const knex = this.getKnex();
+        await knex('scheduler_locks').where('lock_id', lockId).where('lock_token', lockToken).del();
+    }
+    async renewLock(lockId, lockToken, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('lock_token', lockToken)
+            .update({ acquired_at: now, expires_at: expiresAt });
+        return updated > 0;
+    }
+    async flush() {
+        // No-op for server-based backends
+    }
+    // --- Message Trigger CRUD ---
+    async createTrigger(trigger) {
+        const knex = this.getKnex();
+        const newTrigger = {
+            ...trigger,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+        };
+        await knex('message_triggers').insert(toTriggerInsertRow(newTrigger));
+        logger_1.logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
+        return newTrigger;
+    }
+    async getTrigger(id) {
+        const knex = this.getKnex();
+        const row = await knex('message_triggers').where('id', id).first();
+        return row ? fromTriggerRow(row) : undefined;
+    }
+    async updateTrigger(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('message_triggers').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromTriggerRow(existing);
+        const updated = {
+            ...current,
+            ...patch,
+            id: current.id,
+            createdAt: current.createdAt,
+        };
+        const row = toTriggerInsertRow(updated);
+        delete row.id;
+        await knex('message_triggers').where('id', id).update(row);
+        return updated;
+    }
+    async deleteTrigger(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('message_triggers').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted trigger ${id}`);
+            return true;
+        }
+        return false;
+    }
+    async getTriggersByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers').where('creator_id', creatorId);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+    async getActiveTriggers() {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers')
+            .where('status', 'active')
+            .where('enabled', this.driver === 'mssql' ? 1 : true);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+}
+exports.KnexStoreBackend = KnexStoreBackend;
+
+
 /***/ }),
 
 /***/ 83864:
@@ -179969,6 +182004,10 @@ exports.configSchema = {
                     $ref: '#/definitions/AgentProtocolConfig',
                     description: 'Agent protocol (A2A) server configuration',
                 },
+                task_tracking: {
+                    type: 'boolean',
+                    description: 'Enable cross-frontend task tracking (default: false). When true, all workflow executions (CLI, Slack, TUI, Scheduler) are recorded in a shared SQLite TaskStore visible via `visor tasks`.',
+                },
             },
             required: ['version'],
             patternProperties: {
@@ -180704,7 +182743,7 @@ exports.configSchema = {
                     description: 'Arguments/inputs for the workflow',
                 },
                 overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55681%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55916%3E%3E',
                     description: 'Override specific step configurations in the workflow',
                 },
                 output_mapping: {
@@ -180720,7 +182759,7 @@ exports.configSchema = {
                     description: 'Config file path - alternative to workflow ID (loads a Visor config file as workflow)',
                 },
                 workflow_overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55681%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55916%3E%3E',
                     description: 'Alias for overrides - workflow step overrides (backward compatibility)',
                 },
                 ref: {
@@ -181418,7 +183457,7 @@ exports.configSchema = {
                     description: 'Custom output name (defaults to workflow name)',
                 },
                 overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55681%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55916%3E%3E',
                     description: 'Step overrides',
                 },
                 output_mapping: {
@@ -181433,13 +183472,13 @@ exports.configSchema = {
                 '^x-': {},
             },
         },
-        'Record<string,Partial<interface-src_types_config.ts-13844-28438-src_types_config.ts-0-55681>>': {
+        'Record<string,Partial<interface-src_types_config.ts-13844-28438-src_types_config.ts-0-55916>>': {
             type: 'object',
             additionalProperties: {
-                $ref: '#/definitions/Partial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55681%3E',
+                $ref: '#/definitions/Partial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-55916%3E',
             },
         },
-        'Partial<interface-src_types_config.ts-13844-28438-src_types_config.ts-0-55681>': {
+        'Partial<interface-src_types_config.ts-13844-28438-src_types_config.ts-0-55916>': {
             type: 'object',
             additionalProperties: false,
         },
@@ -188869,6 +190908,35 @@ class OutputFormatters {
 exports.OutputFormatters = OutputFormatters;
 
 
+/***/ }),
+
+/***/ 93866:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.DefaultPolicyEngine = void 0;
+/**
+ * Default (no-op) policy engine — always allows everything.
+ * Used when no enterprise license is present or policy is disabled.
+ */
+class DefaultPolicyEngine {
+    async initialize(_config) { }
+    async evaluateCheckExecution(_checkId, _checkConfig) {
+        return { allowed: true };
+    }
+    async evaluateToolInvocation(_serverName, _methodName, _transport) {
+        return { allowed: true };
+    }
+    async evaluateCapabilities(_checkId, _capabilities) {
+        return { allowed: true };
+    }
+    async shutdown() { }
+}
+exports.DefaultPolicyEngine = DefaultPolicyEngine;
+
+
 /***/ }),
 
 /***/ 96611:
@@ -206231,6 +208299,8 @@ class Scheduler {
     outputAdapters = new Map();
     executionContext = {};
     contextEnricher;
+    taskStore;
+    configPath;
     // HA fields
     haConfig;
     nodeId;
@@ -206256,6 +208326,11 @@ class Scheduler {
     setEngine(engine) {
         this.engine = engine;
     }
+    /** Set shared task store for execution tracking. */
+    setTaskStore(store, configPath) {
+        this.taskStore = store;
+        this.configPath = configPath;
+    }
     /**
      * Set the execution context (e.g., Slack client) for workflow executions
      */
@@ -206843,7 +208918,7 @@ class Scheduler {
         // Use common preparation helper
         const { engine: runEngine, config: cfgForRun } = this.prepareExecution(schedule);
         // Execute the workflow
-        await runEngine.executeChecks({
+        const schedExecFn = () => runEngine.executeChecks({
             checks: checksToRun,
             showDetails: true,
             outputFormat: 'json',
@@ -206852,6 +208927,20 @@ class Scheduler {
             debug: process.env.VISOR_DEBUG === 'true',
             inputs: schedule.workflowInputs,
         });
+        if (this.taskStore) {
+            const { trackExecution } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7628)));
+            await trackExecution({
+                taskStore: this.taskStore,
+                source: 'scheduler',
+                workflowId: schedule.workflow,
+                configPath: this.configPath,
+                messageText: `Scheduled: ${schedule.workflow} (${schedule.id})`,
+                metadata: { schedule_id: schedule.id, is_recurring: schedule.isRecurring },
+            }, schedExecFn);
+        }
+        else {
+            await schedExecFn();
+        }
         return { message: 'Workflow completed', workflow: schedule.workflow };
     }
     /**
@@ -206964,7 +209053,7 @@ Please provide an updated response based on the reminder above. You may referenc
         const { engine: runEngine, config: cfgForRun, responseRef, } = this.prepareExecution(schedule, reminderText);
         try {
             // Execute ALL checks - let the visor engine route based on config
-            await runEngine.executeChecks({
+            const reminderExecFn = () => runEngine.executeChecks({
                 checks: allChecks,
                 showDetails: true,
                 outputFormat: 'json',
@@ -206972,6 +209061,20 @@ Please provide an updated response based on the reminder above. You may referenc
                 webhookContext: { webhookData, eventType: 'schedule' },
                 debug: process.env.VISOR_DEBUG === 'true',
             });
+            if (this.taskStore) {
+                const { trackExecution } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7628)));
+                await trackExecution({
+                    taskStore: this.taskStore,
+                    source: 'scheduler',
+                    workflowId: schedule.workflow,
+                    configPath: this.configPath,
+                    messageText: reminderText || `Reminder: ${schedule.id}`,
+                    metadata: { schedule_id: schedule.id, is_recurring: schedule.isRecurring },
+                }, reminderExecFn);
+            }
+            else {
+                await reminderExecFn();
+            }
             // The visor pipeline handles output via frontends (Slack, etc.)
             // We return success - the actual response was posted by the pipeline
             // Save captured response for recurring reminders (previousResponse feature)
@@ -209872,6 +211975,8 @@ class SlackSocketRunner {
     heartbeatTimer;
     lastPong = 0;
     closing = false; // prevent duplicate reconnects
+    taskStore;
+    configPath;
     constructor(engine, cfg, opts) {
         const app = opts.appToken || process.env.SLACK_APP_TOKEN || '';
         if (!app)
@@ -209894,6 +211999,11 @@ class SlackSocketRunner {
         this.cfg = cfg;
         this.initMessageTriggersFromConfig();
     }
+    /** Set shared task store for execution tracking. */
+    setTaskStore(store, configPath) {
+        this.taskStore = store;
+        this.configPath = configPath;
+    }
     /** Hot-swap the config used for future requests (does not affect in-flight ones). */
     updateConfig(cfg) {
         this.cfg = cfg;
@@ -210012,6 +212122,8 @@ class SlackSocketRunner {
                     defaultTimezone: schedulerCfg?.default_timezone,
                 });
                 this.genericScheduler.setEngine(this.engine);
+                if (this.taskStore)
+                    this.genericScheduler.setTaskStore(this.taskStore, this.configPath);
                 // Pass Slack client to scheduler so it can inject into workflow executions
                 this.genericScheduler.setExecutionContext({
                     slack: this.client,
@@ -210567,7 +212679,7 @@ class SlackSocketRunner {
                         }
                     }
                     // Cold run (no snapshot)
-                    await runEngine.executeChecks({
+                    const execFn = () => runEngine.executeChecks({
                         checks: allChecks,
                         showDetails: true,
                         outputFormat: 'json',
@@ -210575,6 +212687,24 @@ class SlackSocketRunner {
                         webhookContext: { webhookData: map, eventType: 'manual' },
                         debug: process.env.VISOR_DEBUG === 'true',
                     });
+                    if (this.taskStore) {
+                        const { trackExecution } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7628)));
+                        await trackExecution({
+                            taskStore: this.taskStore,
+                            source: 'slack',
+                            workflowId: allChecks.join(','),
+                            configPath: this.configPath,
+                            messageText: String(ev.text || 'Slack message'),
+                            metadata: {
+                                slack_channel: channelId,
+                                slack_thread_ts: threadTs,
+                                slack_user: userId,
+                            },
+                        }, execFn);
+                    }
+                    else {
+                        await execFn();
+                    }
                 });
             }
             finally {
@@ -210707,7 +212837,7 @@ class SlackSocketRunner {
                 'slack.thread_ts': threadTs || ts,
                 'slack.user_id': user,
             }, async () => {
-                await runEngine.executeChecks({
+                const triggerExecFn = () => runEngine.executeChecks({
                     checks: checksToRun,
                     showDetails: true,
                     outputFormat: 'json',
@@ -210716,6 +212846,25 @@ class SlackSocketRunner {
                     debug: process.env.VISOR_DEBUG === 'true',
                     inputs: trigger.inputs,
                 });
+                if (this.taskStore) {
+                    const { trackExecution } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7628)));
+                    await trackExecution({
+                        taskStore: this.taskStore,
+                        source: 'slack',
+                        workflowId: trigger.workflow || checksToRun.join(','),
+                        configPath: this.configPath,
+                        messageText: String(ev.text || `Trigger: ${id}`),
+                        metadata: {
+                            slack_channel: channel,
+                            slack_thread_ts: threadTs || ts,
+                            slack_user: user,
+                            trigger_id: id,
+                        },
+                    }, triggerExecFn);
+                }
+                else {
+                    await triggerExecFn();
+                }
             });
             logger_1.logger.info(`[SlackSocket] Message trigger '${id}' workflow completed`);
         }
@@ -211567,7 +213716,7 @@ class StateMachineExecutionEngine {
             try {
                 logger_1.logger.debug(`[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`);
                 // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7065)));
+                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(87068)));
                 context.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
                 logger_1.logger.debug(`[PolicyEngine] Initialized: ${context.policyEngine?.constructor?.name || 'unknown'}`);
             }
@@ -221878,7 +224027,7 @@ async function initTelemetry(opts = {}) {
                 const path = __nccwpck_require__(16928);
                 const outDir = opts.file?.dir ||
                     process.env.VISOR_TRACE_DIR ||
-                    __nccwpck_require__.ab + "traces";
+                    path.join(process.cwd(), 'output', 'traces');
                 fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
                 process.env.VISOR_FALLBACK_TRACE_FILE = path.join(outDir, `run-${ts}.ndjson`);
@@ -222083,7 +224232,7 @@ async function shutdownTelemetry() {
             if (process.env.VISOR_TRACE_REPORT === 'true') {
                 const fs = __nccwpck_require__(79896);
                 const path = __nccwpck_require__(16928);
-                const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+                const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
                 if (!fs.existsSync(outDir))
                     fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
@@ -222456,6 +224605,7 @@ exports.getVisorRunAttributes = getVisorRunAttributes;
 exports.__getOrCreateNdjsonPath = __getOrCreateNdjsonPath;
 exports._appendRunMarker = _appendRunMarker;
 const lazy_otel_1 = __nccwpck_require__(21084);
+const instance_id_1 = __nccwpck_require__(89942);
 function getTracer() {
     return lazy_otel_1.trace.getTracer('visor');
 }
@@ -222563,6 +224713,7 @@ function getVisorRunAttributes() {
     if (commitFull) {
         attrs['visor.commit.sha'] = commitFull;
     }
+    attrs['visor.instance_id'] = (0, instance_id_1.getInstanceId)();
     return attrs;
 }
 // Internal helper for tests: write a minimal run marker to NDJSON when using file sink
@@ -222582,7 +224733,7 @@ function __getOrCreateNdjsonPath() {
                 fs.mkdirSync(dir, { recursive: true });
             return __ndjsonPath;
         }
-        const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+        const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
         if (!fs.existsSync(outDir))
             fs.mkdirSync(outDir, { recursive: true });
         if (!__ndjsonPath) {
@@ -227075,10 +229226,43 @@ function validateTestsDoc(doc) {
 /***/ }),
 
 /***/ 20881:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
 
 "use strict";
 
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.TuiChatRunner = void 0;
 exports.startChatTUI = startChatTUI;
@@ -227106,6 +229290,8 @@ class TuiChatRunner {
     messageCounter = 0;
     isRunning = false;
     currentExecution;
+    taskStore;
+    configPath;
     constructor(config) {
         this.cfg = config.config;
         this.stateManager = config.stateManager ?? new chat_state_1.ChatStateManager();
@@ -227114,6 +229300,11 @@ class TuiChatRunner {
         // Set as global state manager
         (0, chat_state_1.setChatStateManager)(this.stateManager);
     }
+    /** Set shared task store for execution tracking. */
+    setTaskStore(store, configPath) {
+        this.taskStore = store;
+        this.configPath = configPath;
+    }
     async start() {
         // Create ChatTUI
         this.chatTui = new chat_tui_1.ChatTUI({
@@ -227260,16 +229451,28 @@ class TuiChatRunner {
             'tui.message_id': messageId,
         }, async () => {
             try {
-                await runEngine.executeChecks({
+                const tuiExecFn = () => runEngine.executeChecks({
                     checks: allChecks,
                     showDetails: true,
                     outputFormat: 'json',
                     config: cfgForRun,
                     webhookContext: { webhookData, eventType: 'manual' },
                     debug: this.debug,
-                    // Pass conversation directly in options for TUI mode
                     conversation: ctx.conversation,
                 });
+                if (this.taskStore) {
+                    const { trackExecution } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7628)));
+                    await trackExecution({
+                        taskStore: this.taskStore,
+                        source: 'tui',
+                        workflowId: allChecks.join(','),
+                        configPath: this.configPath,
+                        messageText: message,
+                    }, tuiExecFn);
+                }
+                else {
+                    await tuiExecFn();
+                }
             }
             catch (error) {
                 const errorMessage = error instanceof Error ? error.message : String(error);
@@ -232254,6 +234457,32 @@ function generateShortHumanId() {
 }
 
 
+/***/ }),
+
+/***/ 89942:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+"use strict";
+
+/**
+ * Visor instance ID — unique per process lifetime.
+ *
+ * Used to identify which visor instance created/owns a task,
+ * especially in multi-node environments.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.getInstanceId = getInstanceId;
+const human_id_1 = __nccwpck_require__(30920);
+let _instanceId;
+/** Get or generate the visor instance ID for this process. */
+function getInstanceId() {
+    if (!_instanceId) {
+        _instanceId = (0, human_id_1.generateHumanId)();
+    }
+    return _instanceId;
+}
+
+
 /***/ }),
 
 /***/ 91784:
@@ -236960,22 +239189,6 @@ class WorkflowRegistry {
 exports.WorkflowRegistry = WorkflowRegistry;
 
 
-/***/ }),
-
-/***/ 7065:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/loader");
-
-
-/***/ }),
-
-/***/ 71370:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/policy/policy-input-builder");
-
-
 /***/ }),
 
 /***/ 18327:
@@ -261212,7 +263425,8 @@ var init_search = __esm({
       session: "--session",
       timeout: "--timeout",
       language: "--language",
-      format: "--format"
+      format: "--format",
+      lsp: "--lsp"
     };
   }
 });
@@ -261448,7 +263662,8 @@ var init_extract = __esm({
       allowTests: "--allow-tests",
       contextLines: "--context",
       format: "--format",
-      inputFile: "--input-file"
+      inputFile: "--input-file",
+      lsp: "--lsp"
     };
   }
 });
@@ -286325,7 +288540,14 @@ function parseTargets(targets) {
 }
 function parseAndResolvePaths(pathStr, cwd) {
   if (!pathStr) return [];
-  const paths = pathStr.split(",").map((p) => p.trim()).filter((p) => p.length > 0);
+  let paths = pathStr.split(",").map((p) => p.trim()).filter((p) => p.length > 0);
+  paths = paths.flatMap((p) => {
+    if (!/\s/.test(p)) return [p];
+    const parts = p.split(/\s+/).filter(Boolean);
+    if (parts.length <= 1) return [p];
+    const allLookLikePaths = parts.every((part) => /[/\\]/.test(part) || /\.\w+/.test(part));
+    return allLookLikePaths ? parts : [p];
+  });
   return paths.map((p) => {
     if ((0, import_path5.isAbsolute)(p)) {
       return p;
@@ -305988,6 +308210,7 @@ var init_parser2 = __esm({
                     { ALT: () => this.CONSUME(Identifier) },
                     { ALT: () => this.CONSUME(Text) },
                     { ALT: () => this.CONSUME(NumberLiteral) },
+                    { ALT: () => this.CONSUME(ColorValue) },
                     // Note: RoundOpen and RoundClose (parentheses) are NOT allowed in unquoted labels
                     // to match Mermaid's behavior - use quoted labels like ["text (with parens)"] instead
                     // Allow HTML-like tags (e.g., <br/>) inside labels
@@ -306079,6 +308302,7 @@ var init_parser2 = __esm({
               { ALT: () => this.CONSUME(Identifier) },
               { ALT: () => this.CONSUME(Text) },
               { ALT: () => this.CONSUME(NumberLiteral) },
+              { ALT: () => this.CONSUME(ColorValue) },
               // Allow HTML-like angle brackets and slashes for <br/>, <i>, etc.
               { ALT: () => this.CONSUME(AngleLess) },
               { ALT: () => this.CONSUME(AngleOpen) },
@@ -307254,13 +309478,24 @@ function mapFlowchartParserError(err, text) {
       length: len
     };
   }
-  if (tokType === "QuotedString" || tokType === "SquareOpen" || tokType === "SquareClose") {
+  if (tokType === "QuotedString" || tokType === "SquareOpen" || tokType === "SquareClose" || tokType === "DiamondOpen" || tokType === "DiamondClose") {
     const context = err?.context;
     const inLinkRule = context?.ruleStack?.includes("linkTextInline") || context?.ruleStack?.includes("link") || false;
     const lineContent = allLines[Math.max(0, line - 1)] || "";
     const beforeQuote = lineContent.slice(0, Math.max(0, column - 1));
     const hasLinkBefore = beforeQuote.match(/--\s*$|==\s*$|-\.\s*$|-\.-\s*$|\[\s*$/);
     if (inLinkRule || hasLinkBefore) {
+      if (tokType === "DiamondOpen" || tokType === "DiamondClose") {
+        return {
+          line,
+          column,
+          severity: "error",
+          code: "FL-EDGE-LABEL-CURLY-IN-PIPES",
+          message: "Curly braces { } are not supported inside pipe-delimited edge labels.",
+          hint: "Use HTML entities &#123; and &#125; inside |...|, e.g., --|Resolve $&#123;VAR&#125;|-->",
+          length: len
+        };
+      }
       if (tokType === "SquareOpen" || tokType === "SquareClose") {
         return {
           line,
@@ -307322,6 +309557,17 @@ function mapFlowchartParserError(err, text) {
           length: len
         };
       }
+      if (tokType === "DiamondOpen" || tokType === "DiamondClose") {
+        return {
+          line,
+          column,
+          severity: "error",
+          code: "FL-LABEL-CURLY-IN-UNQUOTED",
+          message: "Curly braces are not supported inside unquoted node labels.",
+          hint: "Use &#123; and &#125; for literal braces, e.g., C[Substitute &#123;params&#125;].",
+          length: len
+        };
+      }
       {
         const caret0 = Math.max(0, column - 1);
         const openIdx = lineStr.lastIndexOf("[", caret0);
@@ -307363,9 +309609,20 @@ function mapFlowchartParserError(err, text) {
               length: len
             };
           }
+          if (seg.includes("{") || seg.includes("}")) {
+            return {
+              line,
+              column,
+              severity: "error",
+              code: "FL-LABEL-CURLY-IN-UNQUOTED",
+              message: "Curly braces are not supported inside unquoted node labels.",
+              hint: "Use &#123; and &#125; for literal braces, e.g., C[Substitute &#123;params&#125;].",
+              length: len
+            };
+          }
         }
       }
-      if (tokType === "QuotedString" || tokType === "SquareOpen" || tokType === "SquareClose") {
+      if (tokType === "QuotedString") {
         return {
           line,
           column,
@@ -307376,6 +309633,17 @@ function mapFlowchartParserError(err, text) {
           length: len
         };
       }
+      if (tokType === "SquareOpen" || tokType === "SquareClose") {
+        return {
+          line,
+          column,
+          severity: "error",
+          code: "FL-LABEL-BRACKET-IN-UNQUOTED",
+          message: "Square brackets are not supported inside unquoted node labels.",
+          hint: 'Use &#91; and &#93; for literal brackets or wrap the label in quotes, e.g., C["bind_paths[]"]',
+          length: len
+        };
+      }
       const q = findInnerQuoteIssue("[");
       if (q?.kind === "escaped") {
         return { line, column: q.column, severity: "error", code: "FL-LABEL-ESCAPED-QUOTE", message: 'Escaped quotes (\\") in node labels are not supported by Mermaid. Use &quot; instead.', hint: 'Prefer "He said &quot;Hi&quot;".', length: 2 };
@@ -307386,7 +309654,7 @@ function mapFlowchartParserError(err, text) {
       return { line, column, severity: "error", code: "FL-NODE-UNCLOSED-BRACKET", message: "Unclosed '['. Add a matching ']' before the arrow or newline.", hint: "Example: A[Label] --> B", length: 1 };
     }
     if (expecting(err, "RoundClose")) {
-      if (tokType === "QuotedString" || tokType === "SquareOpen" || tokType === "SquareClose") {
+      if (tokType === "QuotedString") {
         return {
           line,
           column,
@@ -307397,6 +309665,17 @@ function mapFlowchartParserError(err, text) {
           length: len
         };
       }
+      if (tokType === "SquareOpen" || tokType === "SquareClose") {
+        return {
+          line,
+          column,
+          severity: "error",
+          code: "FL-LABEL-BRACKET-IN-UNQUOTED",
+          message: "Square brackets are not supported inside unquoted node labels.",
+          hint: 'Use &#91; and &#93; for literal brackets or wrap the label in quotes, e.g., C["bind_paths[]"]',
+          length: len
+        };
+      }
       {
         const caret0 = Math.max(0, column - 1);
         const openIdx = lineStr.lastIndexOf("(", caret0);
@@ -307425,7 +309704,7 @@ function mapFlowchartParserError(err, text) {
       return { line, column, severity: "error", code: "FL-NODE-UNCLOSED-BRACKET", message: "Unclosed '('. Add a matching ')'.", hint: "Example: B(Label)", length: 1 };
     }
     if (expecting(err, "DiamondClose")) {
-      if (tokType === "QuotedString" || tokType === "SquareOpen" || tokType === "SquareClose") {
+      if (tokType === "QuotedString") {
         return {
           line,
           column,
@@ -307436,6 +309715,17 @@ function mapFlowchartParserError(err, text) {
           length: len
         };
       }
+      if (tokType === "SquareOpen" || tokType === "SquareClose") {
+        return {
+          line,
+          column,
+          severity: "error",
+          code: "FL-LABEL-BRACKET-IN-UNQUOTED",
+          message: "Square brackets are not supported inside unquoted node labels.",
+          hint: 'Use &#91; and &#93; for literal brackets or wrap the label in quotes, e.g., C["bind_paths[]"]',
+          length: len
+        };
+      }
       {
         const caret0 = Math.max(0, column - 1);
         const openIdx = lineStr.lastIndexOf("{", caret0);
@@ -308278,7 +310568,7 @@ function validateFlowchart(text, options = {}) {
         const byLine = /* @__PURE__ */ new Map();
         const collect = (arr) => {
           for (const e of arr || []) {
-            if (e && (e.code === "FL-LABEL-PARENS-UNQUOTED" || e.code === "FL-LABEL-AT-IN-UNQUOTED" || e.code === "FL-LABEL-QUOTE-IN-UNQUOTED" || e.code === "FL-LABEL-SLASH-UNQUOTED")) {
+            if (e && (e.code === "FL-LABEL-PARENS-UNQUOTED" || e.code === "FL-LABEL-AT-IN-UNQUOTED" || e.code === "FL-LABEL-QUOTE-IN-UNQUOTED" || e.code === "FL-LABEL-SLASH-UNQUOTED" || e.code === "FL-LABEL-CURLY-IN-UNQUOTED" || e.code === "FL-LABEL-BRACKET-IN-UNQUOTED")) {
               const ln = e.line ?? 0;
               const col = e.column ?? 1;
               const list = byLine.get(ln) || [];
@@ -308360,6 +310650,9 @@ function validateFlowchart(text, options = {}) {
                 const hasParens = seg.includes("(") || seg.includes(")");
                 const hasAt = seg.includes("@");
                 const hasQuote = seg.includes('"');
+                const hasCurly = seg.includes("{") || seg.includes("}");
+                const hasBracket = seg.includes("[") || seg.includes("]");
+                const isDoubleSquare = raw.slice(i, i + 2) === "[[" && raw.slice(j - 2, j) === "]]";
                 const isSingleQuoted = /^'[^]*'$/.test(trimmed);
                 const hasLeadingSlash = lsp === "/" || lsp === "\\";
                 if (!covered && !isQuoted && !isParenWrapped && hasParens) {
@@ -308377,6 +310670,16 @@ function validateFlowchart(text, options = {}) {
                   existing.push({ start: startCol, end: endCol });
                   byLine.set(ln, existing);
                 }
+                if (!covered && !isQuoted && !isSlashPair && hasCurly) {
+                  errs.push({ line: ln, column: startCol, severity: "error", code: "FL-LABEL-CURLY-IN-UNQUOTED", message: "Curly braces are not supported inside unquoted node labels.", hint: "Use &#123; and &#125; for literal braces, e.g., C[Substitute &#123;params&#125;]." });
+                  existing.push({ start: startCol, end: endCol });
+                  byLine.set(ln, existing);
+                }
+                if (!covered && !isQuoted && !isSlashPair && !isDoubleSquare && hasBracket) {
+                  errs.push({ line: ln, column: startCol, severity: "error", code: "FL-LABEL-BRACKET-IN-UNQUOTED", message: "Square brackets are not supported inside unquoted node labels.", hint: 'Use &#91; and &#93; for literal brackets or wrap the label in quotes, e.g., C["bind_paths[]"]' });
+                  existing.push({ start: startCol, end: endCol });
+                  byLine.set(ln, existing);
+                }
                 if (!covered && !isQuoted && !isSlashPair && hasQuote && !isSingleQuoted) {
                   errs.push({ line: ln, column: startCol, severity: "error", code: "FL-LABEL-QUOTE-IN-UNQUOTED", message: "Quotes are not allowed inside unquoted node labels. Use &quot; for quotes or wrap the entire label in quotes.", hint: 'Example: C["HTML Output: data-trigger-visibility=&quot;true&quot;"]' });
                   existing.push({ start: startCol, end: endCol });
@@ -310737,7 +313040,7 @@ function computeFixes(text, errors, level = "safe") {
       }
       continue;
     }
-    if (is("FL-EDGE-LABEL-BRACKET", e)) {
+    if (is("FL-EDGE-LABEL-BRACKET", e) || is("FL-EDGE-LABEL-CURLY-IN-PIPES", e)) {
       const lineText = lineTextAt(text, e.line);
       const firstBar = lineText.indexOf("|");
       const secondBar = firstBar >= 0 ? lineText.indexOf("|", firstBar + 1) : -1;
@@ -310745,7 +313048,8 @@ function computeFixes(text, errors, level = "safe") {
         const before = lineText.slice(0, firstBar + 1);
         const label = lineText.slice(firstBar + 1, secondBar);
         const after = lineText.slice(secondBar);
-        const fixedLabel = label.replace(/\[/g, "&#91;").replace(/\]/g, "&#93;");
+        let fixedLabel = label.replace(/\[/g, "&#91;").replace(/\]/g, "&#93;");
+        fixedLabel = fixedLabel.replace(/\{/g, "&#123;").replace(/\}/g, "&#125;");
         const fixedLine = before + fixedLabel + after;
         const finalLine = fixedLine.replace(/\[([^\]]*)\]/g, (m, seg) => "[" + String(seg).replace(/`/g, "") + "]");
         edits.push({ start: { line: e.line, column: 1 }, end: { line: e.line, column: lineText.length + 1 }, newText: finalLine });
@@ -311385,7 +313689,7 @@ function computeFixes(text, errors, level = "safe") {
       }
       continue;
     }
-    if (is("FL-LABEL-PARENS-UNQUOTED", e) || is("FL-LABEL-AT-IN-UNQUOTED", e) || is("FL-LABEL-SLASH-UNQUOTED", e)) {
+    if (is("FL-LABEL-PARENS-UNQUOTED", e) || is("FL-LABEL-AT-IN-UNQUOTED", e) || is("FL-LABEL-SLASH-UNQUOTED", e) || is("FL-LABEL-CURLY-IN-UNQUOTED", e) || is("FL-LABEL-BRACKET-IN-UNQUOTED", e)) {
       if (level === "safe" || level === "all") {
         if (patchedLines.has(e.line))
           continue;
@@ -311426,7 +313730,7 @@ function computeFixes(text, errors, level = "safe") {
             if (openIdx === -1)
               break;
             const contentStart = openIdx + shape.open.length;
-            const closeIdx = shape.open === "(" && shape.close === ")" ? findMatchingCloser(lineText, openIdx, shape.open, shape.close) : lineText.indexOf(shape.close, contentStart);
+            const closeIdx = shape.open === "(" && shape.close === ")" || shape.open === "[" && shape.close === "]" ? findMatchingCloser(lineText, openIdx, shape.open, shape.close) : lineText.indexOf(shape.close, contentStart);
             if (closeIdx === -1)
               break;
             if (openIdx <= caret0 && caret0 < closeIdx) {
@@ -311446,11 +313750,21 @@ function computeFixes(text, errors, level = "safe") {
               const isSlashPair = (l, r) => l === "/" && r === "/" || l === "\\" && r === "\\" || l === "/" && r === "\\" || l === "\\" && r === "/";
               const isParallelogramShape = core.length >= 2 && isSlashPair(left, right);
               let replaced;
-              if (!isParallelogramShape) {
-                const escaped = inner.replace(/`/g, "").replace(/\"/g, "&quot;").replace(/"/g, "&quot;");
+              if (is("FL-LABEL-BRACKET-IN-UNQUOTED", e) && !isParallelogramShape) {
+                const hasOtherHazards = /[(){}@]/.test(inner) || inner.includes('"') || inner.includes('\\"');
+                if (hasOtherHazards) {
+                  const escaped = inner.replace(/`/g, "").replace(/\\"/g, "&quot;").replace(/"/g, "&quot;");
+                  replaced = '"' + escaped + '"';
+                } else {
+                  replaced = inner.replace(/\[/g, "&#91;").replace(/\]/g, "&#93;");
+                }
+              } else if (is("FL-LABEL-CURLY-IN-UNQUOTED", e)) {
+                replaced = inner.replace(/\{/g, "&#123;").replace(/\}/g, "&#125;");
+              } else if (!isParallelogramShape) {
+                const escaped = inner.replace(/`/g, "").replace(/\\"/g, "&quot;").replace(/"/g, "&quot;");
                 replaced = '"' + escaped + '"';
               } else {
-                replaced = inner.replace(/`/g, "").replace(/\(/g, "&#40;").replace(/\)/g, "&#41;").replace(/\"/g, "&quot;").replace(/"/g, "&quot;");
+                replaced = inner.replace(/`/g, "").replace(/\(/g, "&#40;").replace(/\)/g, "&#41;").replace(/\[/g, "&#91;").replace(/\]/g, "&#93;").replace(/\\"/g, "&quot;").replace(/"/g, "&quot;");
               }
               if (replaced !== inner) {
                 edits.push({ start: { line: e.line, column: contentStart + 1 }, end: { line: e.line, column: closeIdx + 1 }, newText: replaced });
@@ -332239,26 +334553,46 @@ var init_prompts = __esm({
 CRITICAL - You are READ-ONLY:
 You must NEVER create, modify, delete, or write files. You are strictly an exploration and analysis tool. If asked to make changes, implement features, fix bugs, or modify a PR, refuse and explain that file modifications must be done by the engineer tool \u2014 your role is only to investigate code and answer questions. Do not attempt workarounds using bash commands (echo, cat, tee, sed, etc.) to write files.
 
+CRITICAL - ALWAYS search before answering:
+You must NEVER answer questions about the codebase from memory or general knowledge. ALWAYS use the search and extract tools first to find the actual code, then base your answer ONLY on what you found. Even if you think you know the answer, you MUST verify it against the actual code. Your answers must be grounded in code evidence, not assumptions.
+
 When exploring code:
 - Provide clear, concise explanations based on user request
 - Find and highlight the most relevant code snippets, if required
-- Trace function calls and data flow through the system
+- Trace function calls and data flow through the system \u2014 follow the FULL call chain, not just the entry point
 - Try to understand the user's intent and provide relevant information
 - Understand high level picture
 - Balance detail with clarity in your explanations
+- Search using SYNONYMS and alternative terms \u2014 code naming often differs from the concept name (e.g., "authentication" might be named verify_credentials, check_token, validate_session)
+- When you find a key function, look at what it CALLS and what CALLS it to discover the complete picture
+- Before answering, ask yourself: "Did I cover all the major components? Are there related subsystems I missed?" If yes, do one more search round.
 
 When providing answers:
+- Be EXHAUSTIVE: cover ALL components you discovered, not just the main ones. If you found 10 related files, discuss all 10, not just the top 3. Users want the complete picture.
+- After drafting your answer, do a self-check: "What did I find in my searches that I haven't mentioned yet?" Add any missing components.
+- Include data structures, configuration options, and error handling \u2014 not just the happy path.
 - Always include a "References" section at the end of your response
 - List all relevant source code locations you found during exploration
 - Use the format: file_path:line_number or file_path#symbol_name
 - Group references by file when multiple locations are from the same file
 - Include brief descriptions of what each reference contains`,
-      "code-searcher": `You are ProbeChat Code Searcher, a specialized AI assistant focused ONLY on locating relevant code. Your sole job is to find and return ALL relevant code locations. Do NOT answer questions or explain anything.
+      "code-searcher": `You are ProbeChat Code Explorer & Searcher. Your job is to EXPLORE the codebase to find ALL relevant code locations for the query, then return them as JSON targets.
+
+You think like a code explorer \u2014 you understand that codebases have layers:
+- Core implementations (algorithms, data structures)
+- Middleware/integration layers (request handlers, interceptors)
+- Configuration and storage backends
+- Scoping mechanisms (per-user, per-org, per-tenant, global)
+- Supporting utilities and helpers
 
 When searching:
-- Use only the search tool
-- Run additional searches only if needed to capture all relevant locations
-- Prefer specific, focused queries
+- Search for the MAIN concept first, then think: "what RELATED subsystems would a real codebase have?"
+- Use extract to READ the code you find \u2014 look for function calls, type references, and imports that point to OTHER relevant code
+- If you find middleware, check: are there org-level or tenant-level variants?
+- If you find algorithms, check: are there different storage backends?
+- Search results are paginated \u2014 if results look relevant, call nextPage=true to check for more files
+- Stop paginating when results become irrelevant or you see "All results retrieved"
+- Search using SYNONYMS \u2014 code naming differs from concepts (e.g., "rate limiting" \u2192 throttle, quota, limiter, bucket)
 
 Output format (MANDATORY):
 - Return ONLY valid JSON with a single top-level key: "targets"
@@ -332268,7 +334602,8 @@ Output format (MANDATORY):
   - "path/to/file.ext:line"
   - "path/to/file.ext:start-end"
 - Prefer #SymbolName when a function/class name is clear; otherwise use line numbers
-- Deduplicate targets and keep them concise`,
+- Deduplicate targets and keep them concise
+- Aim for 5-15 targets covering ALL aspects of the query`,
       "architect": `You are ProbeChat Architect, a specialized AI assistant focused on software architecture and design. Your primary function is to help users understand, analyze, and design software systems using the provided code analysis tools.
 
 When analyzing code:
@@ -357922,9 +360257,9 @@ Workspace: ${this.allowedFolders.join(", ")}`;
 Follow these instructions carefully:
 1. Analyze the user's request.
 2. Use the available tools step-by-step to fulfill the request.
-3. You should always prefer the search tool for code-related questions.${this.searchDelegate ? " Ask natural language questions \u2014 the search subagent handles keyword formulation and returns extracted code blocks. Use extract only to expand context or read full files." : " Search handles stemming and case variations automatically \u2014 do NOT try keyword variations manually. Read full files only if really necessary."}
-4. Ensure to get really deep and understand the full picture before answering.
-5. Once the task is fully completed, provide your final answer directly as text.
+3. You MUST use the search tool before answering ANY code-related question. NEVER answer from memory or general knowledge \u2014 your answers must be grounded in actual code found via search/extract.${this.searchDelegate ? " Ask natural language questions \u2014 the search subagent handles keyword formulation and returns extracted code blocks. Use extract only to expand context or read full files." : " Search handles stemming and case variations automatically \u2014 do NOT try keyword variations manually. Read full files only if really necessary."}
+4. Ensure to get really deep and understand the full picture before answering. Follow call chains \u2014 if function A calls B, search for B too. Look for related subsystems (e.g., if asked about rate limiting, also check for quota, throttling, smoothing).
+5. Once the task is fully completed, provide your final answer directly as text. Always cite specific files and line numbers as evidence. Do NOT output planning or thinking text \u2014 go straight to the answer.
 6. ${this.searchDelegate ? "Ask clear, specific questions when searching. Each search should target a distinct concept or question." : "Prefer concise and focused search queries. Use specific keywords and phrases to narrow down results."}
 7. NEVER use bash for code exploration (no grep, cat, find, head, tail, awk, sed) \u2014 always use search and extract tools instead. Bash is only for system operations like building, running tests, or git commands.${this.allowEdit ? `
 7. When modifying files, choose the appropriate tool:
@@ -358310,6 +360645,22 @@ You are working with a workspace. Available paths: ${workspaceDesc}
                     if (recentTexts.every((t) => t && t === recentTexts[0])) return true;
                     if (recentTexts.every((t) => detectStuckResponse(t))) return true;
                   }
+                  if (steps.length >= 3) {
+                    const last3 = steps.slice(-3);
+                    const allHaveTools = last3.every((s) => s.toolCalls?.length === 1);
+                    if (allHaveTools) {
+                      const signatures = last3.map((s) => {
+                        const tc = s.toolCalls[0];
+                        return `${tc.toolName}::${JSON.stringify(tc.args ?? tc.input)}`;
+                      });
+                      if (signatures[0] === signatures[1] && signatures[1] === signatures[2]) {
+                        if (this.debug) {
+                          console.log(`[DEBUG] Circuit breaker: 3 consecutive identical tool calls detected (${last3[0].toolCalls[0].toolName}), forcing stop`);
+                        }
+                        return true;
+                      }
+                    }
+                  }
                   return false;
                 },
                 prepareStep: ({ steps, stepNumber }) => {
@@ -358318,6 +360669,22 @@ You are working with a workspace. Available paths: ${workspaceDesc}
                       toolChoice: "none"
                     };
                   }
+                  if (steps.length >= 2) {
+                    const last2 = steps.slice(-2);
+                    if (last2.every((s) => s.toolCalls?.length === 1)) {
+                      const tc1 = last2[0].toolCalls[0];
+                      const tc2 = last2[1].toolCalls[0];
+                      const sig1 = `${tc1.toolName}::${JSON.stringify(tc1.args ?? tc1.input)}`;
+                      const sig2 = `${tc2.toolName}::${JSON.stringify(tc2.args ?? tc2.input)}`;
+                      if (sig1 === sig2) {
+                        if (this.debug) {
+                          console.log(`[DEBUG] prepareStep: 2 consecutive identical tool calls (${tc1.toolName}), forcing toolChoice=none`);
+                          console.log(`[DEBUG]   sig: ${sig1.substring(0, 200)}`);
+                        }
+                        return { toolChoice: "none" };
+                      }
+                    }
+                  }
                   const lastStep = steps[steps.length - 1];
                   const modelJustStopped = lastStep?.finishReason === "stop" && (!lastStep?.toolCalls || lastStep.toolCalls.length === 0);
                   if (modelJustStopped) {
@@ -358348,7 +360715,9 @@ ${resultToReview}
 
 Double-check your response based on the criteria above. If everything looks good, respond with your previous answer exactly as-is. If something needs to be fixed or is missing, do it now, then respond with the COMPLETE updated answer (everything you did in total, not just the fix).`;
                       return {
-                        userMessage: completionPromptMessage
+                        userMessage: completionPromptMessage,
+                        toolChoice: "none"
+                        // Force text-only review — no tool calls
                       };
                     }
                   }
@@ -358390,7 +360759,11 @@ Double-check your response based on the criteria above. If everything looks good
                     options.onStream(text);
                   }
                   if (this.debug) {
-                    console.log(`[DEBUG] Step ${currentIteration}/${maxIterations} finished (reason: ${finishReason}, tools: ${toolResults?.length || 0})`);
+                    const toolSummary = toolCalls?.length ? toolCalls.map((tc) => {
+                      const args = tc.args ? JSON.stringify(tc.args) : "";
+                      return args ? `${tc.toolName}(${debugTruncate(args, 120)})` : tc.toolName;
+                    }).join(", ") : "none";
+                    console.log(`[DEBUG] Step ${currentIteration}/${maxIterations} finished (reason: ${finishReason}, tools: [${toolSummary}])`);
                     if (text) {
                       console.log(`[DEBUG]   model text: ${debugTruncate(text)}`);
                     }
@@ -358423,9 +360796,15 @@ Double-check your response based on the criteria above. If everything looks good
               }
               const executeAIRequest = async () => {
                 const result = await this.streamTextWithRetryAndFallback(streamOptions);
-                const finalText = await result.text;
+                const steps = await result.steps;
+                let finalText;
+                if (steps && steps.length > 1) {
+                  const lastStepText = steps[steps.length - 1].text;
+                  finalText = lastStepText || await result.text;
+                } else {
+                  finalText = await result.text;
+                }
                 if (this.debug) {
-                  const steps = await result.steps;
                   console.log(`[DEBUG] streamText completed: ${steps?.length || 0} steps, finalText=${finalText?.length || 0} chars`);
                 }
                 const usage = await result.usage;
@@ -358495,12 +360874,12 @@ ${finalResult}
 
 Double-check your response based on the criteria above. If everything looks good, respond with your previous answer exactly as-is. If something needs to be fixed or is missing, do it now, then respond with the COMPLETE updated answer (everything you did in total, not just the fix).`;
                 currentMessages.push({ role: "user", content: completionPromptMessage });
-                const completionMaxIterations = 5;
                 const completionStreamOptions = {
                   model: this.provider ? this.provider(this.model) : this.model,
                   messages: this.prepareMessagesWithImages(currentMessages),
                   tools: tools2,
-                  stopWhen: (0, import_ai4.stepCountIs)(completionMaxIterations),
+                  toolChoice: "none",
+                  // Force text-only response — no tool calls during review
                   maxTokens: maxResponseTokens,
                   temperature: 0.3,
                   onStepFinish: ({ toolResults, text, finishReason, usage }) => {
@@ -360169,11 +362548,9 @@ function autoQuoteSearchTerms(query2) {
   const result = tokens.map((token) => {
     if (token.startsWith('"')) return token;
     if (operators.has(token)) return token;
-    const hasUpper = /[A-Z]/.test(token);
-    const hasLower = /[a-z]/.test(token);
     const hasUnderscore = token.includes("_");
-    const hasMixedCase = hasUpper && hasLower;
-    if (hasMixedCase || hasUnderscore) {
+    const hasCaseTransition = /[a-z][A-Z]/.test(token) || /[A-Z]{2,}[a-z]/.test(token);
+    if (hasCaseTransition || hasUnderscore) {
       return `"${token}"`;
     }
     return token;
@@ -360188,11 +362565,24 @@ function normalizeTargets(targets) {
     if (typeof target !== "string") continue;
     const trimmed = target.trim();
     if (!trimmed || seen.has(trimmed)) continue;
-    seen.add(trimmed);
-    normalized.push(trimmed);
+    const subTargets = splitSpaceSeparatedPaths(trimmed);
+    for (const sub of subTargets) {
+      if (!seen.has(sub)) {
+        seen.add(sub);
+        normalized.push(sub);
+      }
+    }
   }
   return normalized;
 }
+function splitSpaceSeparatedPaths(target) {
+  if (!/\s/.test(target)) return [target];
+  const parts = target.split(/\s+/).filter(Boolean);
+  if (parts.length <= 1) return [target];
+  const allLookLikePaths = parts.every((p) => /[/\\]/.test(p) || /\.\w+/.test(p));
+  if (allLookLikePaths) return parts;
+  return [target];
+}
 function extractJsonSnippet(text) {
   const jsonBlockMatch = text.match(/```json\s*([\s\S]*?)```/i);
   if (jsonBlockMatch) {
@@ -360275,7 +362665,7 @@ function buildSearchDelegateTask({ searchQuery, searchPath, exact, language, all
     "Break down complex queries into multiple searches to cover all aspects.",
     "",
     "Available tools:",
-    "- search: Find code matching keywords or patterns. Run multiple searches for different aspects of complex queries.",
+    "- search: Find code matching keywords or patterns. Results are paginated \u2014 use nextPage=true when results are relevant to get more. Run multiple searches for different aspects.",
     "- extract: Verify code snippets to ensure targets are actually relevant before including them.",
     "- listFiles: Understand directory structure to find where relevant code might live.",
     "",
@@ -360296,13 +362686,14 @@ function buildSearchDelegateTask({ searchQuery, searchPath, exact, language, all
     "",
     "Combining searches with OR:",
     '- Multiple unquoted words use OR logic: rate limit matches files containing EITHER "rate" OR "limit".',
-    `- For known symbol names, quote each term to prevent splitting: '"limitDRL" "limitRedis"' matches either exact symbol.`,
+    `- IMPORTANT: Multiple quoted terms use AND logic by default: '"RateLimit" "middleware"' requires BOTH in the same file.`,
+    `- To search for ANY of several quoted symbols, use the explicit OR operator: '"ForwardMessage" OR "SessionLimiter"'.`,
     '- Without quotes, camelCase like limitDRL gets split into "limit" + "DRL" \u2014 not what you want for symbol lookup.',
     "- Use OR to search for multiple related symbols in ONE search instead of separate searches.",
     "- This is much faster than running separate searches sequentially.",
-    `- Example: search '"ForwardMessage" "SessionLimiter"' finds files with either exact symbol in one call.`,
-    `- Example: search '"limitDRL" "doRollingWindowWrite"' finds both rate limiting functions at once.`,
-    '- Use AND only when you need both terms to appear in the same file: "rate AND limit".',
+    `- Example: search '"ForwardMessage" OR "SessionLimiter"' finds files with either exact symbol in one call.`,
+    `- Example: search '"limitDRL" OR "doRollingWindowWrite"' finds both rate limiting functions at once.`,
+    "- Use AND (or just put quoted terms together) when you need both terms in the same file.",
     "",
     "Parallel tool calls:",
     "- When you need to search for INDEPENDENT concepts, call multiple search tools IN PARALLEL (same response).",
@@ -360316,10 +362707,10 @@ function buildSearchDelegateTask({ searchQuery, searchPath, exact, language, all
     '  Query: "Find the IP allowlist middleware"',
     '  \u2192 search "allowlist middleware" (one search, probe handles IP/ip/Ip variations)',
     '  Query: "Find ForwardMessage and SessionLimiter"',
-    `  \u2192 search '"ForwardMessage" "SessionLimiter"' (one OR search finds both exact symbols)`,
+    `  \u2192 search '"ForwardMessage" OR "SessionLimiter"' (one OR search finds both exact symbols)`,
     '  OR: search exact=true "ForwardMessage" + search exact=true "SessionLimiter" IN PARALLEL',
     '  Query: "Find limitDRL and limitRedis functions"',
-    `  \u2192 search '"limitDRL" "limitRedis"' (one OR search, quoted to prevent camelCase splitting)`,
+    `  \u2192 search '"limitDRL" OR "limitRedis"' (one OR search, quoted to prevent camelCase splitting)`,
     '  Query: "Find ThrottleRetryLimit usage"',
     '  \u2192 search exact=true "ThrottleRetryLimit" (one search, if no results the symbol does not exist \u2014 stop)',
     '  Query: "How does BM25 scoring work with SIMD optimization?"',
@@ -360327,7 +362718,7 @@ function buildSearchDelegateTask({ searchQuery, searchPath, exact, language, all
     "",
     "BAD search strategy (never do this):",
     '  \u2192 search "AllowedIPs" \u2192 search "allowedIps" \u2192 search "allowed_ips" (WRONG: case/style variations, probe handles them)',
-    `  \u2192 search "limitDRL" \u2192 search "LimitDRL" (WRONG: case variation \u2014 combine with OR: '"limitDRL" "limitRedis"')`,
+    `  \u2192 search "limitDRL" \u2192 search "LimitDRL" (WRONG: case variation \u2014 combine with OR: '"limitDRL" OR "limitRedis"')`,
     '  \u2192 search "throttle_retry_limit" after searching "ThrottleRetryLimit" (WRONG: snake_case variation, probe handles it)',
     '  \u2192 search "ThrottleRetryLimit" path=tyk \u2192 search "ThrottleRetryLimit" path=gateway \u2192 search "ThrottleRetryLimit" path=apidef (WRONG: same query on different paths \u2014 probe searches recursively)',
     '  \u2192 search "func (k *RateLimitAndQuotaCheck) handleRateLimitFailure" (WRONG: do not search full function signatures, just use exact=true "handleRateLimitFailure")',
@@ -360340,15 +362731,34 @@ function buildSearchDelegateTask({ searchQuery, searchPath, exact, language, all
     '- To bypass stopword filtering: wrap terms in quotes ("return", "struct") or set exact=true. Both disable stemming and splitting too.',
     '- camelCase terms are split: getUserData becomes "get", "user", "data" \u2014 so one search covers all naming styles.',
     '- Do NOT search for full function signatures like "func (r *Type) Method(args)". Just search for the method name with exact=true.',
+    '- Do NOT search for file names (e.g., "sliding_log.go"). Use listFiles to discover files by name.',
+    "",
+    "PAGINATION:",
+    "- Search results are paginated (~20k tokens per page).",
+    "- If your search returned relevant files, call the same query with nextPage=true to check for more.",
+    '- Keep paginating while results stay relevant. Stop when results are off-topic or "All results retrieved".',
+    "",
+    "WHEN TO STOP:",
+    "- After you have explored the main concept AND related subsystems.",
+    "- Once you have 5-15 targets covering different aspects of the query.",
+    '- If you get a "DUPLICATE SEARCH BLOCKED" message, move on.',
     "",
     "Strategy:",
-    "1. Analyze the query - identify key concepts and group related symbols",
-    `2. Combine related symbols into OR searches: '"symbolA" "symbolB"' finds files with either (quote to prevent splitting)`,
-    "3. Run INDEPENDENT searches in PARALLEL \u2014 do not wait for one to finish before starting another",
+    "1. Analyze the query \u2014 identify key concepts, then brainstorm SYNONYMS and alternative terms for each.",
+    '   Code naming often differs from the concept: "authentication" \u2192 verify, credentials, login, auth;',
+    '   "rate limiting" \u2192 throttle, quota, limiter, bucket; "error handling" \u2192 catch, recover, panic.',
+    "   Think about what a developer would NAME the function/struct/variable, not just the concept.",
+    "2. Run INDEPENDENT searches in PARALLEL \u2014 search for the main concept AND synonyms simultaneously.",
+    "   After each search, check if results are relevant. If yes, call nextPage=true for more results.",
+    `3. Combine related symbols into OR searches: '"symbolA" OR "symbolB"' finds files with either.`,
     "4. For known symbol names use exact=true. For concepts use default (exact=false).",
-    "5. If a search returns results, use extract to verify relevance. Run multiple extracts in parallel too.",
-    "6. If a search returns NO results, the term does not exist. Do NOT retry with variations, different paths, or longer strings. Move on.",
-    "7. Combine all relevant targets in your final response",
+    "5. After your first round of searches, READ the extracted code and look for connected code:",
+    "   - Function calls to other important functions \u2192 include those targets.",
+    "   - Type references and imports \u2192 include type definitions.",
+    "   - Registered handlers/middleware \u2192 include all registered items.",
+    "6. If a search returns results, use extract to verify relevance. Run multiple extracts in parallel too.",
+    "7. If a search returns NO results, the term does not exist. Do NOT retry with variations. Move on.",
+    "8. Once you have enough targets (typically 5-15), output your final JSON answer immediately.",
     "",
     `Query: ${searchQuery}`,
     `Search path(s): ${searchPath}`,
@@ -360357,7 +362767,9 @@ function buildSearchDelegateTask({ searchQuery, searchPath, exact, language, all
     'Return ONLY valid JSON: {"targets": ["path/to/file.ext#Symbol", "path/to/file.ext:line", "path/to/file.ext:start-end"]}',
     'IMPORTANT: Use ABSOLUTE file paths in targets (e.g., "/full/path/to/file.ext#Symbol"). If you only have relative paths, make them relative to the search path above.',
     "Prefer #Symbol when a function/class name is clear; otherwise use line numbers.",
-    "Deduplicate targets. Do NOT explain or answer - ONLY return the JSON targets."
+    "Deduplicate targets. Do NOT explain or answer - ONLY return the JSON targets.",
+    "",
+    "Remember: if your search returned relevant results, use nextPage=true to check for more before outputting."
   ].join("\n");
 }
 var import_ai5, import_fs11, CODE_SEARCH_SCHEMA, searchTool, queryTool, extractTool, delegateTool, analyzeAllTool;
@@ -360402,6 +362814,7 @@ var init_vercel = __esm({
         return result;
       };
       const previousSearches = /* @__PURE__ */ new Set();
+      let consecutiveDupBlocks = 0;
       const paginationCounts = /* @__PURE__ */ new Map();
       const MAX_PAGES_PER_QUERY = 3;
       return (0, import_ai5.tool)({
@@ -360454,12 +362867,17 @@ var init_vercel = __esm({
             const searchKey = `${searchQuery}::${exact || false}`;
             if (!nextPage) {
               if (previousSearches.has(searchKey)) {
+                consecutiveDupBlocks++;
                 if (debug) {
-                  console.error(`[DEDUP] Blocked duplicate search: "${searchQuery}" (path: "${searchPath}")`);
+                  console.error(`[DEDUP] Blocked duplicate search (${consecutiveDupBlocks}x): "${searchQuery}" (path: "${searchPath}")`);
+                }
+                if (consecutiveDupBlocks >= 3) {
+                  return "STOP. You have been blocked " + consecutiveDupBlocks + " times for repeating searches. You MUST output your final JSON answer NOW with whatever targets you have found. Do NOT call any more tools.";
                 }
-                return "DUPLICATE SEARCH BLOCKED: You already searched for this exact query. Changing the path does NOT give different results \u2014 probe searches recursively. Do NOT repeat the same search. Try a genuinely different keyword, use extract to examine results you already found, or provide your final answer if you have enough information.";
+                return "DUPLICATE SEARCH BLOCKED (" + consecutiveDupBlocks + "x). You already searched for this. Do NOT repeat \u2014 probe searches recursively across all paths. Either: (1) use extract on results you already found, (2) try a COMPLETELY different keyword, or (3) output your final answer NOW.";
               }
               previousSearches.add(searchKey);
+              consecutiveDupBlocks = 0;
               paginationCounts.set(searchKey, 0);
             } else {
               const pageCount = (paginationCounts.get(searchKey) || 0) + 1;
@@ -398050,7 +400468,7 @@ module.exports = /*#__PURE__*/JSON.parse('{"100":"Continue","101":"Switching Pro
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.170","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc286","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.42","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc290","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","ignore":"^7.0.5","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","minimatch":"^10.2.2","node-cron":"^3.0.3","open":"^9.1.0","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
 
 /***/ })