@probelabs/visor 0.1.174-ee → 0.1.175

package/dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
-process.env.VISOR_VERSION = '0.1.174';
+process.env.VISOR_VERSION = '0.1.175';
 process.env.PROBE_VERSION = '0.6.0-rc291';
-process.env.VISOR_COMMIT_SHA = 'e8809d0dd7ef9584a6c687826df911bbc12d7fbd';
-process.env.VISOR_COMMIT_SHORT = 'e8809d0';
+process.env.VISOR_COMMIT_SHA = '5b303b06870720f90057ff3f58f0e72f34bf80cb';
+process.env.VISOR_COMMIT_SHORT = '5b303b06';
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
@@ -302951,7 +302951,7 @@ async function handleDumpPolicyInput(checkId, argv) {
     let PolicyInputBuilder;
     try {
         // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(17117)));
+        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(71370)));
         PolicyInputBuilder = mod.PolicyInputBuilder;
     }
     catch {
@@ -303441,6 +303441,7 @@ async function handleTestCommand(argv) {
         const flagsWithValues = new Set([
             '--config',
             '--only',
+            '--case',
             '--json',
             '--report',
             '--summary',
@@ -303470,7 +303471,7 @@ async function handleTestCommand(argv) {
             break;
         }
     }
-    const only = getArg('--only');
+    const only = getArg('--only') || getArg('--case');
     const bail = hasFlag('--bail');
     const noMocks = hasFlag('--no-mocks');
     const noMocksForRaw = getArg('--no-mocks-for');
@@ -311018,1810 +311019,6 @@ class EmailPollingRunner {
 exports.EmailPollingRunner = EmailPollingRunner;
 
 
-/***/ }),
-
-/***/ 50069:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.LicenseValidator = void 0;
-const crypto = __importStar(__nccwpck_require__(76982));
-const fs = __importStar(__nccwpck_require__(79896));
-const path = __importStar(__nccwpck_require__(16928));
-class LicenseValidator {
-    /** Ed25519 public key for license verification (PEM format). */
-    static PUBLIC_KEY = '-----BEGIN PUBLIC KEY-----\n' +
-        'MCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n' +
-        '-----END PUBLIC KEY-----\n';
-    cache = null;
-    static CACHE_TTL = 5 * 60 * 1000; // 5 minutes
-    static GRACE_PERIOD = 72 * 3600 * 1000; // 72 hours after expiry
-    /**
-     * Load and validate license from environment or file.
-     *
-     * Resolution order:
-     * 1. VISOR_LICENSE env var (JWT string)
-     * 2. VISOR_LICENSE_FILE env var (path to file)
-     * 3. .visor-license in project root (cwd)
-     * 4. .visor-license in ~/.config/visor/
-     */
-    async loadAndValidate() {
-        // Return cached result if still fresh
-        if (this.cache && Date.now() - this.cache.validatedAt < LicenseValidator.CACHE_TTL) {
-            return this.cache.payload;
-        }
-        const token = this.resolveToken();
-        if (!token)
-            return null;
-        const payload = this.verifyAndDecode(token);
-        if (!payload)
-            return null;
-        this.cache = { payload, validatedAt: Date.now() };
-        return payload;
-    }
-    /** Check if a specific feature is licensed */
-    hasFeature(feature) {
-        if (!this.cache)
-            return false;
-        return this.cache.payload.features.includes(feature);
-    }
-    /** Check if license is valid (with grace period) */
-    isValid() {
-        if (!this.cache)
-            return false;
-        const now = Date.now();
-        const expiryMs = this.cache.payload.exp * 1000;
-        return now < expiryMs + LicenseValidator.GRACE_PERIOD;
-    }
-    /** Check if the license is within its grace period (expired but still valid) */
-    isInGracePeriod() {
-        if (!this.cache)
-            return false;
-        const now = Date.now();
-        const expiryMs = this.cache.payload.exp * 1000;
-        return now >= expiryMs && now < expiryMs + LicenseValidator.GRACE_PERIOD;
-    }
-    resolveToken() {
-        // 1. Direct env var
-        if (process.env.VISOR_LICENSE) {
-            return process.env.VISOR_LICENSE.trim();
-        }
-        // 2. File path from env (validate against path traversal)
-        if (process.env.VISOR_LICENSE_FILE) {
-            // path.resolve() produces an absolute path with all '..' segments resolved,
-            // so a separate resolved.includes('..') check is unnecessary.
-            const resolved = path.resolve(process.env.VISOR_LICENSE_FILE);
-            const home = process.env.HOME || process.env.USERPROFILE || '';
-            const allowedPrefixes = [path.normalize(process.cwd())];
-            if (home)
-                allowedPrefixes.push(path.normalize(path.join(home, '.config', 'visor')));
-            // Resolve symlinks so an attacker cannot create a symlink inside an
-            // allowed prefix that points to an arbitrary file outside it.
-            let realPath;
-            try {
-                realPath = fs.realpathSync(resolved);
-            }
-            catch {
-                return null; // File doesn't exist or isn't accessible
-            }
-            const isSafe = allowedPrefixes.some(prefix => realPath === prefix || realPath.startsWith(prefix + path.sep));
-            if (!isSafe)
-                return null;
-            return this.readFile(realPath);
-        }
-        // 3. .visor-license in cwd
-        const cwdPath = path.join(process.cwd(), '.visor-license');
-        const cwdToken = this.readFile(cwdPath);
-        if (cwdToken)
-            return cwdToken;
-        // 4. ~/.config/visor/.visor-license
-        const home = process.env.HOME || process.env.USERPROFILE || '';
-        if (home) {
-            const configPath = path.join(home, '.config', 'visor', '.visor-license');
-            const configToken = this.readFile(configPath);
-            if (configToken)
-                return configToken;
-        }
-        return null;
-    }
-    readFile(filePath) {
-        try {
-            return fs.readFileSync(filePath, 'utf-8').trim();
-        }
-        catch {
-            return null;
-        }
-    }
-    verifyAndDecode(token) {
-        try {
-            const parts = token.split('.');
-            if (parts.length !== 3)
-                return null;
-            const [headerB64, payloadB64, signatureB64] = parts;
-            // Decode header to verify algorithm
-            const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
-            if (header.alg !== 'EdDSA')
-                return null;
-            // Verify signature
-            const data = `${headerB64}.${payloadB64}`;
-            const signature = Buffer.from(signatureB64, 'base64url');
-            const publicKey = crypto.createPublicKey(LicenseValidator.PUBLIC_KEY);
-            // Validate that the loaded public key is actually Ed25519 (OID 1.3.101.112).
-            // This prevents algorithm-confusion attacks if the embedded key were ever
-            // swapped to a different type.
-            if (publicKey.asymmetricKeyType !== 'ed25519') {
-                return null;
-            }
-            // Ed25519 verification: algorithm must be null because EdDSA performs its
-            // own internal hashing (SHA-512) — passing a digest algorithm here would
-            // cause Node.js to throw. The key type is validated above.
-            const isValid = crypto.verify(null, Buffer.from(data), publicKey, signature);
-            if (!isValid)
-                return null;
-            // Decode payload
-            const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
-            // Validate required fields
-            if (!payload.org ||
-                !Array.isArray(payload.features) ||
-                typeof payload.exp !== 'number' ||
-                typeof payload.iat !== 'number' ||
-                !payload.sub) {
-                return null;
-            }
-            // Check expiry (with grace period)
-            const now = Date.now();
-            const expiryMs = payload.exp * 1000;
-            if (now >= expiryMs + LicenseValidator.GRACE_PERIOD) {
-                return null;
-            }
-            return payload;
-        }
-        catch {
-            return null;
-        }
-    }
-}
-exports.LicenseValidator = LicenseValidator;
-
-
-/***/ }),
-
-/***/ 87068:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.loadEnterprisePolicyEngine = loadEnterprisePolicyEngine;
-exports.loadEnterpriseStoreBackend = loadEnterpriseStoreBackend;
-const default_engine_1 = __nccwpck_require__(93866);
-/**
- * Load the enterprise policy engine if licensed, otherwise return the default no-op engine.
- *
- * This is the sole import boundary between OSS and enterprise code. Core code
- * must only import from this module (via dynamic `await import()`), never from
- * individual enterprise submodules.
- */
-async function loadEnterprisePolicyEngine(config) {
-    try {
-        const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
-        const validator = new LicenseValidator();
-        const license = await validator.loadAndValidate();
-        if (!license || !validator.hasFeature('policy')) {
-            return new default_engine_1.DefaultPolicyEngine();
-        }
-        if (validator.isInGracePeriod()) {
-            // eslint-disable-next-line no-console
-            console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
-                'Please renew your license.');
-        }
-        const { OpaPolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(39530)));
-        const engine = new OpaPolicyEngine(config);
-        await engine.initialize(config);
-        return engine;
-    }
-    catch (err) {
-        // Enterprise code not available or initialization failed
-        const msg = err instanceof Error ? err.message : String(err);
-        try {
-            const { logger } = __nccwpck_require__(86999);
-            logger.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
-        }
-        catch {
-            // silent
-        }
-        return new default_engine_1.DefaultPolicyEngine();
-    }
-}
-/**
- * Load the enterprise schedule store backend if licensed.
- *
- * @param driver Database driver ('postgresql', 'mysql', or 'mssql')
- * @param storageConfig Storage configuration with connection details
- * @param haConfig Optional HA configuration
- * @throws Error if enterprise license is not available or missing 'scheduler-sql' feature
- */
-async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
-    const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
-    const validator = new LicenseValidator();
-    const license = await validator.loadAndValidate();
-    if (!license || !validator.hasFeature('scheduler-sql')) {
-        throw new Error(`The ${driver} schedule storage driver requires a Visor Enterprise license ` +
-            `with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`);
-    }
-    if (validator.isInGracePeriod()) {
-        // eslint-disable-next-line no-console
-        console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
-            'Please renew your license.');
-    }
-    const { KnexStoreBackend } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(63737)));
-    return new KnexStoreBackend(driver, storageConfig, haConfig);
-}
-
-
-/***/ }),
-
-/***/ 628:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.OpaCompiler = void 0;
-const fs = __importStar(__nccwpck_require__(79896));
-const path = __importStar(__nccwpck_require__(16928));
-const os = __importStar(__nccwpck_require__(70857));
-const crypto = __importStar(__nccwpck_require__(76982));
-const child_process_1 = __nccwpck_require__(35317);
-/**
- * OPA Rego Compiler - compiles .rego policy files to WASM bundles using the `opa` CLI.
- *
- * Handles:
- * - Resolving input paths to WASM bytes (direct .wasm, directory with policy.wasm, or .rego files)
- * - Compiling .rego files to WASM via `opa build`
- * - Caching compiled bundles based on content hashes
- * - Extracting policy.wasm from OPA tar.gz bundles
- *
- * Requires:
- * - `opa` CLI on PATH (only when auto-compiling .rego files)
- */
-class OpaCompiler {
-    static CACHE_DIR = path.join(os.tmpdir(), 'visor-opa-cache');
-    /**
-     * Resolve the input paths to WASM bytes.
-     *
-     * Strategy:
-     * 1. If any path is a .wasm file, read it directly
-     * 2. If a directory contains policy.wasm, read it
-     * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
-     */
-    async resolveWasmBytes(paths) {
-        // Collect .rego files and check for existing .wasm
-        const regoFiles = [];
-        for (const p of paths) {
-            const resolved = path.resolve(p);
-            // Reject paths containing '..' after resolution (path traversal)
-            if (path.normalize(resolved).includes('..')) {
-                throw new Error(`Policy path contains traversal sequences: ${p}`);
-            }
-            // Direct .wasm file
-            if (resolved.endsWith('.wasm') && fs.existsSync(resolved)) {
-                return fs.readFileSync(resolved);
-            }
-            if (!fs.existsSync(resolved))
-                continue;
-            const stat = fs.statSync(resolved);
-            if (stat.isDirectory()) {
-                // Check for pre-compiled policy.wasm in directory
-                const wasmCandidate = path.join(resolved, 'policy.wasm');
-                if (fs.existsSync(wasmCandidate)) {
-                    return fs.readFileSync(wasmCandidate);
-                }
-                // Collect all .rego files from directory
-                const files = fs.readdirSync(resolved);
-                for (const f of files) {
-                    if (f.endsWith('.rego')) {
-                        regoFiles.push(path.join(resolved, f));
-                    }
-                }
-            }
-            else if (resolved.endsWith('.rego')) {
-                regoFiles.push(resolved);
-            }
-        }
-        if (regoFiles.length === 0) {
-            throw new Error(`OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(', ')}`);
-        }
-        // Auto-compile .rego -> .wasm
-        return this.compileRego(regoFiles);
-    }
-    /**
-     * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
-     *
-     * Caches the compiled bundle based on a content hash of all input .rego files
-     * so subsequent runs skip compilation if policies haven't changed.
-     */
-    compileRego(regoFiles) {
-        // Check that `opa` CLI is available
-        try {
-            (0, child_process_1.execFileSync)('opa', ['version'], { stdio: 'pipe' });
-        }
-        catch {
-            throw new Error('OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\n' +
-                'Or pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz ' +
-                regoFiles.join(' '));
-        }
-        // Compute content hash for cache key
-        const hash = crypto.createHash('sha256');
-        for (const f of regoFiles.sort()) {
-            hash.update(fs.readFileSync(f));
-            hash.update(f); // include filename for disambiguation
-        }
-        const cacheKey = hash.digest('hex').slice(0, 16);
-        const cacheDir = OpaCompiler.CACHE_DIR;
-        const cachedWasm = path.join(cacheDir, `${cacheKey}.wasm`);
-        // Return cached bundle if still valid
-        if (fs.existsSync(cachedWasm)) {
-            return fs.readFileSync(cachedWasm);
-        }
-        // Compile to WASM via opa build
-        fs.mkdirSync(cacheDir, { recursive: true });
-        const bundleTar = path.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
-        try {
-            const args = [
-                'build',
-                '-t',
-                'wasm',
-                '-e',
-                'visor', // entrypoint: the visor package tree
-                '-o',
-                bundleTar,
-                ...regoFiles,
-            ];
-            (0, child_process_1.execFileSync)('opa', args, {
-                stdio: 'pipe',
-                timeout: 30000,
-            });
-        }
-        catch (err) {
-            const stderr = err?.stderr?.toString() || '';
-            throw new Error(`Failed to compile .rego files to WASM:\n${stderr}\n` +
-                'Ensure your .rego files are valid and the `opa` CLI is installed.');
-        }
-        // Extract policy.wasm from the tar.gz bundle
-        // OPA bundles are tar.gz with /policy.wasm inside
-        try {
-            (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, '/policy.wasm'], {
-                stdio: 'pipe',
-            });
-            const extractedWasm = path.join(cacheDir, 'policy.wasm');
-            if (fs.existsSync(extractedWasm)) {
-                // Move to cache-key named file
-                fs.renameSync(extractedWasm, cachedWasm);
-            }
-        }
-        catch {
-            // Some tar implementations don't like leading /
-            try {
-                (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, 'policy.wasm'], {
-                    stdio: 'pipe',
-                });
-                const extractedWasm = path.join(cacheDir, 'policy.wasm');
-                if (fs.existsSync(extractedWasm)) {
-                    fs.renameSync(extractedWasm, cachedWasm);
-                }
-            }
-            catch (err2) {
-                throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
-            }
-        }
-        // Clean up tar
-        try {
-            fs.unlinkSync(bundleTar);
-        }
-        catch { }
-        if (!fs.existsSync(cachedWasm)) {
-            throw new Error('OPA build succeeded but policy.wasm was not found in the bundle');
-        }
-        return fs.readFileSync(cachedWasm);
-    }
-}
-exports.OpaCompiler = OpaCompiler;
-
-
-/***/ }),
-
-/***/ 44693:
-/***/ ((__unused_webpack_module, exports) => {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.OpaHttpEvaluator = void 0;
-/**
- * OPA HTTP Evaluator - evaluates policies via an external OPA server's REST API.
- *
- * Uses the built-in `fetch` API (Node 18+), so no extra dependencies are needed.
- */
-class OpaHttpEvaluator {
-    baseUrl;
-    timeout;
-    constructor(baseUrl, timeout = 5000) {
-        // Validate URL format and protocol
-        let parsed;
-        try {
-            parsed = new URL(baseUrl);
-        }
-        catch {
-            throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
-        }
-        if (!['http:', 'https:'].includes(parsed.protocol)) {
-            throw new Error(`OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`);
-        }
-        // Block cloud metadata, loopback, link-local, and private network addresses
-        const hostname = parsed.hostname;
-        if (this.isBlockedHostname(hostname)) {
-            throw new Error(`OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`);
-        }
-        // Normalize: strip trailing slash
-        this.baseUrl = baseUrl.replace(/\/+$/, '');
-        this.timeout = timeout;
-    }
-    /**
-     * Check if a hostname is blocked due to SSRF concerns.
-     *
-     * Blocks:
-     * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
-     * - Link-local addresses (169.254.x.x)
-     * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
-     * - IPv6 unique local addresses (fd00::/8)
-     * - Cloud metadata services (*.internal)
-     */
-    isBlockedHostname(hostname) {
-        if (!hostname)
-            return true; // block empty hostnames
-        // Normalize hostname: lowercase and remove brackets for IPv6
-        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, '');
-        // Block .internal domains (cloud metadata services)
-        if (normalized === 'metadata.google.internal' || normalized.endsWith('.internal')) {
-            return true;
-        }
-        // Block localhost variants
-        if (normalized === 'localhost' || normalized === 'localhost.localdomain') {
-            return true;
-        }
-        // Block IPv6 loopback
-        if (normalized === '::1' || normalized === '0:0:0:0:0:0:0:1') {
-            return true;
-        }
-        // Check IPv4 patterns
-        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
-        const ipv4Match = normalized.match(ipv4Pattern);
-        if (ipv4Match) {
-            const octets = ipv4Match.slice(1, 5).map(Number);
-            // Validate octets are in range [0, 255]
-            if (octets.some(octet => octet > 255)) {
-                return false;
-            }
-            const [a, b] = octets;
-            // Block loopback: 127.0.0.0/8
-            if (a === 127) {
-                return true;
-            }
-            // Block 0.0.0.0/8 (this host)
-            if (a === 0) {
-                return true;
-            }
-            // Block link-local: 169.254.0.0/16
-            if (a === 169 && b === 254) {
-                return true;
-            }
-            // Block private networks
-            // 10.0.0.0/8
-            if (a === 10) {
-                return true;
-            }
-            // 172.16.0.0/12 (172.16.x.x through 172.31.x.x)
-            if (a === 172 && b >= 16 && b <= 31) {
-                return true;
-            }
-            // 192.168.0.0/16
-            if (a === 192 && b === 168) {
-                return true;
-            }
-        }
-        // Check IPv6 patterns
-        // Block unique local addresses: fd00::/8
-        if (normalized.startsWith('fd') || normalized.startsWith('fc')) {
-            return true;
-        }
-        // Block link-local: fe80::/10
-        if (normalized.startsWith('fe80:')) {
-            return true;
-        }
-        return false;
-    }
-    /**
-     * Evaluate a policy rule against an input document via OPA REST API.
-     *
-     * @param input - The input document to evaluate
-     * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
-     * @returns The result object from OPA, or undefined on error
-     */
-    async evaluate(input, rulePath) {
-        // OPA Data API: POST /v1/data/<path>
-        const encodedPath = rulePath
-            .split('/')
-            .map(s => encodeURIComponent(s))
-            .join('/');
-        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), this.timeout);
-        try {
-            const response = await fetch(url, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ input }),
-                signal: controller.signal,
-            });
-            if (!response.ok) {
-                throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
-            }
-            let body;
-            try {
-                body = await response.json();
-            }
-            catch (jsonErr) {
-                throw new Error(`OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`);
-            }
-            // OPA returns { result: { ... } }
-            return body?.result;
-        }
-        finally {
-            clearTimeout(timer);
-        }
-    }
-    async shutdown() {
-        // No persistent connections to close
-    }
-}
-exports.OpaHttpEvaluator = OpaHttpEvaluator;
-
-
-/***/ }),
-
-/***/ 39530:
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.OpaPolicyEngine = void 0;
-const opa_wasm_evaluator_1 = __nccwpck_require__(8613);
-const opa_http_evaluator_1 = __nccwpck_require__(44693);
-const policy_input_builder_1 = __nccwpck_require__(17117);
-/**
- * Enterprise OPA Policy Engine.
- *
- * Wraps both WASM (local) and HTTP (remote) OPA evaluators behind the
- * OSS PolicyEngine interface. All OPA input building and role resolution
- * is handled internally — the OSS call sites pass only plain types.
- */
-class OpaPolicyEngine {
-    evaluator = null;
-    fallback;
-    timeout;
-    config;
-    inputBuilder = null;
-    logger = null;
-    constructor(config) {
-        this.config = config;
-        this.fallback = config.fallback || 'deny';
-        this.timeout = config.timeout || 5000;
-    }
-    async initialize(config) {
-        // Resolve logger once at initialization
-        try {
-            this.logger = (__nccwpck_require__(86999).logger);
-        }
-        catch {
-            // logger not available in this context
-        }
-        // Build actor/repo context from environment (available at engine init time)
-        const actor = {
-            authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
-            login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
-            isLocalMode: !process.env.GITHUB_ACTIONS,
-        };
-        const repo = {
-            owner: process.env.GITHUB_REPOSITORY_OWNER,
-            name: process.env.GITHUB_REPOSITORY?.split('/')[1],
-            branch: process.env.GITHUB_HEAD_REF,
-            baseBranch: process.env.GITHUB_BASE_REF,
-            event: process.env.GITHUB_EVENT_NAME,
-        };
-        const prNum = process.env.GITHUB_PR_NUMBER
-            ? parseInt(process.env.GITHUB_PR_NUMBER, 10)
-            : undefined;
-        const pullRequest = {
-            number: prNum !== undefined && Number.isFinite(prNum) ? prNum : undefined,
-        };
-        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(config, actor, repo, pullRequest);
-        if (config.engine === 'local') {
-            if (!config.rules) {
-                throw new Error('OPA local mode requires `policy.rules` path to .wasm or .rego files');
-            }
-            const wasm = new opa_wasm_evaluator_1.OpaWasmEvaluator();
-            await wasm.initialize(config.rules);
-            if (config.data) {
-                wasm.loadData(config.data);
-            }
-            this.evaluator = wasm;
-        }
-        else if (config.engine === 'remote') {
-            if (!config.url) {
-                throw new Error('OPA remote mode requires `policy.url` pointing to OPA server');
-            }
-            this.evaluator = new opa_http_evaluator_1.OpaHttpEvaluator(config.url, this.timeout);
-        }
-        else {
-            this.evaluator = null;
-        }
-    }
-    /**
-     * Update actor/repo/PR context (e.g., after PR info becomes available).
-     * Called by the enterprise loader when engine context is enriched.
-     */
-    setActorContext(actor, repo, pullRequest) {
-        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(this.config, actor, repo, pullRequest);
-    }
-    async evaluateCheckExecution(checkId, checkConfig) {
-        if (!this.evaluator || !this.inputBuilder)
-            return { allowed: true };
-        const cfg = checkConfig && typeof checkConfig === 'object'
-            ? checkConfig
-            : {};
-        const policyOverride = cfg.policy;
-        const input = this.inputBuilder.forCheckExecution({
-            id: checkId,
-            type: cfg.type || 'ai',
-            group: cfg.group,
-            tags: cfg.tags,
-            criticality: cfg.criticality,
-            sandbox: cfg.sandbox,
-            policy: policyOverride,
-        });
-        return this.doEvaluate(input, this.resolveRulePath('check.execute', policyOverride?.rule));
-    }
-    async evaluateToolInvocation(serverName, methodName, transport) {
-        if (!this.evaluator || !this.inputBuilder)
-            return { allowed: true };
-        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
-        return this.doEvaluate(input, 'visor/tool/invoke');
-    }
-    async evaluateCapabilities(checkId, capabilities) {
-        if (!this.evaluator || !this.inputBuilder)
-            return { allowed: true };
-        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
-        return this.doEvaluate(input, 'visor/capability/resolve');
-    }
-    async shutdown() {
-        if (this.evaluator && 'shutdown' in this.evaluator) {
-            await this.evaluator.shutdown();
-        }
-        this.evaluator = null;
-        this.inputBuilder = null;
-    }
-    resolveRulePath(defaultScope, override) {
-        if (override) {
-            return override.startsWith('visor/') ? override : `visor/${override}`;
-        }
-        return `visor/${defaultScope.replace(/\./g, '/')}`;
-    }
-    async doEvaluate(input, rulePath) {
-        try {
-            this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
-            let timer;
-            const timeoutPromise = new Promise((_resolve, reject) => {
-                timer = setTimeout(() => reject(new Error('policy evaluation timeout')), this.timeout);
-            });
-            try {
-                const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
-                const decision = this.parseDecision(result);
-                // In warn mode, override denied decisions to allowed but flag as warn
-                if (!decision.allowed && this.fallback === 'warn') {
-                    decision.allowed = true;
-                    decision.warn = true;
-                    decision.reason = `audit: ${decision.reason || 'policy denied'}`;
-                }
-                this.logger?.debug(`[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || 'none'}`);
-                return decision;
-            }
-            finally {
-                if (timer)
-                    clearTimeout(timer);
-            }
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : String(err);
-            this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
-            return {
-                allowed: this.fallback === 'allow' || this.fallback === 'warn',
-                warn: this.fallback === 'warn' ? true : undefined,
-                reason: `policy evaluation failed, fallback=${this.fallback}`,
-            };
-        }
-    }
-    async rawEvaluate(input, rulePath) {
-        if (this.evaluator instanceof opa_wasm_evaluator_1.OpaWasmEvaluator) {
-            const result = await this.evaluator.evaluate(input);
-            // WASM compiled with `-e visor` entrypoint returns the full visor package tree.
-            // Navigate to the specific rule subtree using rulePath segments.
-            // e.g., 'visor/check/execute' → result.check.execute
-            return this.navigateWasmResult(result, rulePath);
-        }
-        return this.evaluator.evaluate(input, rulePath);
-    }
-    /**
-     * Navigate nested OPA WASM result tree to reach the specific rule's output.
-     * The WASM entrypoint `-e visor` means the result root IS the visor package,
-     * so we strip the `visor/` prefix and walk the remaining segments.
-     */
-    navigateWasmResult(result, rulePath) {
-        if (!result || typeof result !== 'object')
-            return result;
-        // Strip the 'visor/' prefix (matches our compilation entrypoint)
-        const segments = rulePath.replace(/^visor\//, '').split('/');
-        let current = result;
-        for (const seg of segments) {
-            if (current && typeof current === 'object' && seg in current) {
-                current = current[seg];
-            }
-            else {
-                return undefined; // path not found in result tree
-            }
-        }
-        return current;
-    }
-    parseDecision(result) {
-        if (result === undefined || result === null) {
-            return {
-                allowed: this.fallback === 'allow' || this.fallback === 'warn',
-                warn: this.fallback === 'warn' ? true : undefined,
-                reason: this.fallback === 'warn' ? 'audit: no policy result' : 'no policy result',
-            };
-        }
-        const allowed = result.allowed !== false;
-        const decision = {
-            allowed,
-            reason: result.reason,
-        };
-        if (result.capabilities) {
-            decision.capabilities = result.capabilities;
-        }
-        return decision;
-    }
-}
-exports.OpaPolicyEngine = OpaPolicyEngine;
-
-
-/***/ }),
-
-/***/ 8613:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.OpaWasmEvaluator = void 0;
-const fs = __importStar(__nccwpck_require__(79896));
-const path = __importStar(__nccwpck_require__(16928));
-const opa_compiler_1 = __nccwpck_require__(628);
-/**
- * OPA WASM Evaluator - loads and evaluates OPA policies locally.
- *
- * Supports three input formats:
- * 1. Pre-compiled `.wasm` bundle — loaded directly (fastest startup)
- * 2. `.rego` files or directory — auto-compiled to WASM via `opa build` CLI
- * 3. Directory with `policy.wasm` inside — loaded directly
- *
- * Compilation and caching of .rego files is delegated to {@link OpaCompiler}.
- *
- * Requires:
- * - `@open-policy-agent/opa-wasm` npm package (optional dep)
- * - `opa` CLI on PATH (only when auto-compiling .rego files)
- */
-class OpaWasmEvaluator {
-    policy = null;
-    dataDocument = {};
-    compiler = new opa_compiler_1.OpaCompiler();
-    async initialize(rulesPath) {
-        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
-        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
-        try {
-            // Use createRequire to load the optional dep at runtime without ncc bundling it.
-            // `new Function('id', 'return require(id)')` fails in ncc bundles because
-            // `require` is not in the `new Function` scope. `createRequire` works correctly
-            // because it creates a real Node.js require rooted at the given path.
-            // eslint-disable-next-line @typescript-eslint/no-var-requires
-            const { createRequire } = __nccwpck_require__(73339);
-            const runtimeRequire = createRequire(__filename);
-            const opaWasm = runtimeRequire('@open-policy-agent/opa-wasm');
-            const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
-            if (!loadPolicy) {
-                throw new Error('loadPolicy not found in @open-policy-agent/opa-wasm');
-            }
-            this.policy = await loadPolicy(wasmBytes);
-        }
-        catch (err) {
-            if (err?.code === 'MODULE_NOT_FOUND' || err?.code === 'ERR_MODULE_NOT_FOUND') {
-                throw new Error('OPA WASM evaluator requires @open-policy-agent/opa-wasm. ' +
-                    'Install it with: npm install @open-policy-agent/opa-wasm');
-            }
-            throw err;
-        }
-    }
-    /**
-     * Load external data from a JSON file to use as the OPA data document.
-     * The loaded data will be passed to `policy.setData()` during evaluation,
-     * making it available in Rego via `data.<key>`.
-     */
-    loadData(dataPath) {
-        const resolved = path.resolve(dataPath);
-        if (path.normalize(resolved).includes('..')) {
-            throw new Error(`Data path contains traversal sequences: ${dataPath}`);
-        }
-        if (!fs.existsSync(resolved)) {
-            throw new Error(`OPA data file not found: ${resolved}`);
-        }
-        const stat = fs.statSync(resolved);
-        if (stat.size > 10 * 1024 * 1024) {
-            throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
-        }
-        const raw = fs.readFileSync(resolved, 'utf-8');
-        try {
-            const parsed = JSON.parse(raw);
-            if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
-                throw new Error('OPA data file must contain a JSON object (not an array or primitive)');
-            }
-            this.dataDocument = parsed;
-        }
-        catch (err) {
-            if (err.message.startsWith('OPA data file must')) {
-                throw err;
-            }
-            throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
-        }
-    }
-    async evaluate(input) {
-        if (!this.policy) {
-            throw new Error('OPA WASM evaluator not initialized');
-        }
-        this.policy.setData(this.dataDocument);
-        const resultSet = this.policy.evaluate(input);
-        if (Array.isArray(resultSet) && resultSet.length > 0) {
-            return resultSet[0].result;
-        }
-        return undefined;
-    }
-    async shutdown() {
-        if (this.policy) {
-            // opa-wasm policy objects may have a close/free method for WASM cleanup
-            if (typeof this.policy.close === 'function') {
-                try {
-                    this.policy.close();
-                }
-                catch { }
-            }
-            else if (typeof this.policy.free === 'function') {
-                try {
-                    this.policy.free();
-                }
-                catch { }
-            }
-        }
-        this.policy = null;
-    }
-}
-exports.OpaWasmEvaluator = OpaWasmEvaluator;
-
-
-/***/ }),
-
-/***/ 17117:
-/***/ ((__unused_webpack_module, exports) => {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.PolicyInputBuilder = void 0;
-/**
- * Builds OPA-compatible input documents from engine context.
- *
- * Resolves actor roles from the `policy.roles` config section by matching
- * the actor's authorAssociation and login against role definitions.
- */
-class PolicyInputBuilder {
-    roles;
-    actor;
-    repository;
-    pullRequest;
-    constructor(policyConfig, actor, repository, pullRequest) {
-        this.roles = policyConfig.roles || {};
-        this.actor = actor;
-        this.repository = repository;
-        this.pullRequest = pullRequest;
-    }
-    /** Resolve which roles apply to the current actor. */
-    resolveRoles() {
-        const matched = [];
-        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
-            let identityMatch = false;
-            if (roleConfig.author_association &&
-                this.actor.authorAssociation &&
-                roleConfig.author_association.includes(this.actor.authorAssociation)) {
-                identityMatch = true;
-            }
-            if (!identityMatch &&
-                roleConfig.users &&
-                this.actor.login &&
-                roleConfig.users.includes(this.actor.login)) {
-                identityMatch = true;
-            }
-            // Slack user ID match
-            if (!identityMatch &&
-                roleConfig.slack_users &&
-                this.actor.slack?.userId &&
-                roleConfig.slack_users.includes(this.actor.slack.userId)) {
-                identityMatch = true;
-            }
-            // Email match (case-insensitive)
-            if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
-                const actorEmail = this.actor.slack.email.toLowerCase();
-                if (roleConfig.emails.some(e => e.toLowerCase() === actorEmail)) {
-                    identityMatch = true;
-                }
-            }
-            // Note: teams-based role resolution requires GitHub API access (read:org scope)
-            // and is not yet implemented. If configured, the role will not match via teams.
-            if (!identityMatch)
-                continue;
-            // slack_channels gate: if set, the role only applies when triggered from one of these channels
-            if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
-                if (!this.actor.slack?.channelId ||
-                    !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
-                    continue;
-                }
-            }
-            matched.push(roleName);
-        }
-        return matched;
-    }
-    buildActor() {
-        return {
-            authorAssociation: this.actor.authorAssociation,
-            login: this.actor.login,
-            roles: this.resolveRoles(),
-            isLocalMode: this.actor.isLocalMode,
-            ...(this.actor.slack && { slack: this.actor.slack }),
-        };
-    }
-    forCheckExecution(check) {
-        return {
-            scope: 'check.execute',
-            check: {
-                id: check.id,
-                type: check.type,
-                group: check.group,
-                tags: check.tags,
-                criticality: check.criticality,
-                sandbox: check.sandbox,
-                policy: check.policy,
-            },
-            actor: this.buildActor(),
-            repository: this.repository,
-            pullRequest: this.pullRequest,
-        };
-    }
-    forToolInvocation(serverName, methodName, transport) {
-        return {
-            scope: 'tool.invoke',
-            tool: { serverName, methodName, transport },
-            actor: this.buildActor(),
-            repository: this.repository,
-            pullRequest: this.pullRequest,
-        };
-    }
-    forCapabilityResolve(checkId, capabilities) {
-        return {
-            scope: 'capability.resolve',
-            check: { id: checkId, type: 'ai' },
-            capability: capabilities,
-            actor: this.buildActor(),
-            repository: this.repository,
-            pullRequest: this.pullRequest,
-        };
-    }
-}
-exports.PolicyInputBuilder = PolicyInputBuilder;
-
-
-/***/ }),
-
-/***/ 63737:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-/**
- * Copyright (c) ProbeLabs. All rights reserved.
- * Licensed under the Elastic License 2.0; you may not use this file except
- * in compliance with the Elastic License 2.0.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.KnexStoreBackend = void 0;
-/**
- * Knex-backed schedule store for PostgreSQL, MySQL, and MSSQL (Enterprise)
- *
- * Uses Knex query builder for database-agnostic SQL. Same schema as SQLite backend
- * but with real distributed locking via row-level claims (claimed_by/claimed_at/lock_token).
- */
-const fs = __importStar(__nccwpck_require__(79896));
-const path = __importStar(__nccwpck_require__(16928));
-const uuid_1 = __nccwpck_require__(31914);
-const logger_1 = __nccwpck_require__(86999);
-function toNum(val) {
-    if (val === null || val === undefined)
-        return undefined;
-    return typeof val === 'string' ? parseInt(val, 10) : val;
-}
-function safeJsonParse(value) {
-    if (!value)
-        return undefined;
-    try {
-        return JSON.parse(value);
-    }
-    catch {
-        return undefined;
-    }
-}
-function fromTriggerRow(row) {
-    return {
-        id: row.id,
-        creatorId: row.creator_id,
-        creatorContext: row.creator_context ?? undefined,
-        creatorName: row.creator_name ?? undefined,
-        description: row.description ?? undefined,
-        channels: safeJsonParse(row.channels),
-        fromUsers: safeJsonParse(row.from_users),
-        fromBots: row.from_bots === true || row.from_bots === 1,
-        contains: safeJsonParse(row.contains),
-        matchPattern: row.match_pattern ?? undefined,
-        threads: row.threads,
-        workflow: row.workflow,
-        inputs: safeJsonParse(row.inputs),
-        outputContext: safeJsonParse(row.output_context),
-        status: row.status,
-        enabled: row.enabled === true || row.enabled === 1,
-        createdAt: toNum(row.created_at),
-    };
-}
-function toTriggerInsertRow(trigger) {
-    return {
-        id: trigger.id,
-        creator_id: trigger.creatorId,
-        creator_context: trigger.creatorContext ?? null,
-        creator_name: trigger.creatorName ?? null,
-        description: trigger.description ?? null,
-        channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
-        from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
-        from_bots: trigger.fromBots,
-        contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
-        match_pattern: trigger.matchPattern ?? null,
-        threads: trigger.threads,
-        workflow: trigger.workflow,
-        inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
-        output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
-        status: trigger.status,
-        enabled: trigger.enabled,
-        created_at: trigger.createdAt,
-    };
-}
-function fromDbRow(row) {
-    return {
-        id: row.id,
-        creatorId: row.creator_id,
-        creatorContext: row.creator_context ?? undefined,
-        creatorName: row.creator_name ?? undefined,
-        timezone: row.timezone,
-        schedule: row.schedule_expr,
-        runAt: toNum(row.run_at),
-        isRecurring: row.is_recurring === true || row.is_recurring === 1,
-        originalExpression: row.original_expression,
-        workflow: row.workflow ?? undefined,
-        workflowInputs: safeJsonParse(row.workflow_inputs),
-        outputContext: safeJsonParse(row.output_context),
-        status: row.status,
-        createdAt: toNum(row.created_at),
-        lastRunAt: toNum(row.last_run_at),
-        nextRunAt: toNum(row.next_run_at),
-        runCount: row.run_count,
-        failureCount: row.failure_count,
-        lastError: row.last_error ?? undefined,
-        previousResponse: row.previous_response ?? undefined,
-    };
-}
-function toInsertRow(schedule) {
-    return {
-        id: schedule.id,
-        creator_id: schedule.creatorId,
-        creator_context: schedule.creatorContext ?? null,
-        creator_name: schedule.creatorName ?? null,
-        timezone: schedule.timezone,
-        schedule_expr: schedule.schedule,
-        run_at: schedule.runAt ?? null,
-        is_recurring: schedule.isRecurring,
-        original_expression: schedule.originalExpression,
-        workflow: schedule.workflow ?? null,
-        workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
-        output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
-        status: schedule.status,
-        created_at: schedule.createdAt,
-        last_run_at: schedule.lastRunAt ?? null,
-        next_run_at: schedule.nextRunAt ?? null,
-        run_count: schedule.runCount,
-        failure_count: schedule.failureCount,
-        last_error: schedule.lastError ?? null,
-        previous_response: schedule.previousResponse ?? null,
-    };
-}
-/**
- * Enterprise Knex-backed store for PostgreSQL, MySQL, and MSSQL
- */
-class KnexStoreBackend {
-    knex = null;
-    driver;
-    connection;
-    constructor(driver, storageConfig, _haConfig) {
-        this.driver = driver;
-        this.connection = (storageConfig.connection || {});
-    }
-    async initialize() {
-        // Load knex dynamically
-        const { createRequire } = __nccwpck_require__(73339);
-        const runtimeRequire = createRequire(__filename);
-        let knexFactory;
-        try {
-            knexFactory = runtimeRequire('knex');
-        }
-        catch (err) {
-            const code = err?.code;
-            if (code === 'MODULE_NOT_FOUND' || code === 'ERR_MODULE_NOT_FOUND') {
-                throw new Error('knex is required for PostgreSQL/MySQL/MSSQL schedule storage. ' +
-                    'Install it with: npm install knex');
-            }
-            throw err;
-        }
-        const clientMap = {
-            postgresql: 'pg',
-            mysql: 'mysql2',
-            mssql: 'tedious',
-        };
-        const client = clientMap[this.driver];
-        // Build connection config
-        let connection;
-        if (this.connection.connection_string) {
-            connection = this.connection.connection_string;
-        }
-        else if (this.driver === 'mssql') {
-            connection = this.buildMssqlConnection();
-        }
-        else {
-            connection = this.buildStandardConnection();
-        }
-        this.knex = knexFactory({
-            client,
-            connection,
-            pool: {
-                min: this.connection.pool?.min ?? 0,
-                max: this.connection.pool?.max ?? 10,
-            },
-        });
-        // Run schema migration
-        await this.migrateSchema();
-        logger_1.logger.info(`[KnexStore] Initialized (${this.driver})`);
-    }
-    buildStandardConnection() {
-        return {
-            host: this.connection.host || 'localhost',
-            port: this.connection.port,
-            database: this.connection.database || 'visor',
-            user: this.connection.user,
-            password: this.connection.password,
-            ssl: this.resolveSslConfig(),
-        };
-    }
-    buildMssqlConnection() {
-        const ssl = this.connection.ssl;
-        const sslEnabled = ssl === true || (typeof ssl === 'object' && ssl.enabled !== false);
-        return {
-            server: this.connection.host || 'localhost',
-            port: this.connection.port,
-            database: this.connection.database || 'visor',
-            user: this.connection.user,
-            password: this.connection.password,
-            options: {
-                encrypt: sslEnabled,
-                trustServerCertificate: typeof ssl === 'object' ? ssl.reject_unauthorized === false : !sslEnabled,
-            },
-        };
-    }
-    resolveSslConfig() {
-        const ssl = this.connection.ssl;
-        if (ssl === false || ssl === undefined)
-            return false;
-        if (ssl === true)
-            return { rejectUnauthorized: true };
-        // Object config
-        if (ssl.enabled === false)
-            return false;
-        const result = {
-            rejectUnauthorized: ssl.reject_unauthorized !== false,
-        };
-        if (ssl.ca) {
-            const caPath = this.validateSslPath(ssl.ca, 'CA certificate');
-            result.ca = fs.readFileSync(caPath, 'utf8');
-        }
-        if (ssl.cert) {
-            const certPath = this.validateSslPath(ssl.cert, 'client certificate');
-            result.cert = fs.readFileSync(certPath, 'utf8');
-        }
-        if (ssl.key) {
-            const keyPath = this.validateSslPath(ssl.key, 'client key');
-            result.key = fs.readFileSync(keyPath, 'utf8');
-        }
-        return result;
-    }
-    validateSslPath(filePath, label) {
-        const resolved = path.resolve(filePath);
-        if (resolved !== path.normalize(resolved)) {
-            throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
-        }
-        if (!fs.existsSync(resolved)) {
-            throw new Error(`SSL ${label} not found: ${filePath}`);
-        }
-        return resolved;
-    }
-    async shutdown() {
-        if (this.knex) {
-            await this.knex.destroy();
-            this.knex = null;
-        }
-    }
-    async migrateSchema() {
-        const knex = this.getKnex();
-        const exists = await knex.schema.hasTable('schedules');
-        if (!exists) {
-            await knex.schema.createTable('schedules', table => {
-                table.string('id', 36).primary();
-                table.string('creator_id', 255).notNullable().index();
-                table.string('creator_context', 255);
-                table.string('creator_name', 255);
-                table.string('timezone', 64).notNullable().defaultTo('UTC');
-                table.string('schedule_expr', 255);
-                table.bigInteger('run_at');
-                table.boolean('is_recurring').notNullable();
-                table.text('original_expression');
-                table.string('workflow', 255);
-                table.text('workflow_inputs');
-                table.text('output_context');
-                table.string('status', 20).notNullable().index();
-                table.bigInteger('created_at').notNullable();
-                table.bigInteger('last_run_at');
-                table.bigInteger('next_run_at');
-                table.integer('run_count').notNullable().defaultTo(0);
-                table.integer('failure_count').notNullable().defaultTo(0);
-                table.text('last_error');
-                table.text('previous_response');
-                table.index(['status', 'next_run_at']);
-            });
-        }
-        // Create message_triggers table
-        const triggersExist = await knex.schema.hasTable('message_triggers');
-        if (!triggersExist) {
-            await knex.schema.createTable('message_triggers', table => {
-                table.string('id', 36).primary();
-                table.string('creator_id', 255).notNullable().index();
-                table.string('creator_context', 255);
-                table.string('creator_name', 255);
-                table.text('description');
-                table.text('channels'); // JSON array
-                table.text('from_users'); // JSON array
-                table.boolean('from_bots').notNullable().defaultTo(false);
-                table.text('contains'); // JSON array
-                table.text('match_pattern');
-                table.string('threads', 20).notNullable().defaultTo('any');
-                table.string('workflow', 255).notNullable();
-                table.text('inputs'); // JSON
-                table.text('output_context'); // JSON
-                table.string('status', 20).notNullable().defaultTo('active').index();
-                table.boolean('enabled').notNullable().defaultTo(true);
-                table.bigInteger('created_at').notNullable();
-            });
-        }
-        // Create scheduler_locks table for distributed locking
-        const locksExist = await knex.schema.hasTable('scheduler_locks');
-        if (!locksExist) {
-            await knex.schema.createTable('scheduler_locks', table => {
-                table.string('lock_id', 255).primary();
-                table.string('node_id', 255).notNullable();
-                table.string('lock_token', 36).notNullable();
-                table.bigInteger('acquired_at').notNullable();
-                table.bigInteger('expires_at').notNullable();
-            });
-        }
-    }
-    getKnex() {
-        if (!this.knex) {
-            throw new Error('[KnexStore] Not initialized. Call initialize() first.');
-        }
-        return this.knex;
-    }
-    // --- CRUD ---
-    async create(schedule) {
-        const knex = this.getKnex();
-        const newSchedule = {
-            ...schedule,
-            id: (0, uuid_1.v4)(),
-            createdAt: Date.now(),
-            runCount: 0,
-            failureCount: 0,
-            status: 'active',
-        };
-        await knex('schedules').insert(toInsertRow(newSchedule));
-        logger_1.logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
-        return newSchedule;
-    }
-    async importSchedule(schedule) {
-        const knex = this.getKnex();
-        const existing = await knex('schedules').where('id', schedule.id).first();
-        if (existing)
-            return; // Already imported (idempotent)
-        await knex('schedules').insert(toInsertRow(schedule));
-    }
-    async get(id) {
-        const knex = this.getKnex();
-        const row = await knex('schedules').where('id', id).first();
-        return row ? fromDbRow(row) : undefined;
-    }
-    async update(id, patch) {
-        const knex = this.getKnex();
-        const existing = await knex('schedules').where('id', id).first();
-        if (!existing)
-            return undefined;
-        const current = fromDbRow(existing);
-        const updated = { ...current, ...patch, id: current.id };
-        const row = toInsertRow(updated);
-        // Remove id from update (PK cannot change)
-        delete row.id;
-        await knex('schedules').where('id', id).update(row);
-        return updated;
-    }
-    async delete(id) {
-        const knex = this.getKnex();
-        const deleted = await knex('schedules').where('id', id).del();
-        if (deleted > 0) {
-            logger_1.logger.info(`[KnexStore] Deleted schedule ${id}`);
-            return true;
-        }
-        return false;
-    }
-    // --- Queries ---
-    async getByCreator(creatorId) {
-        const knex = this.getKnex();
-        const rows = await knex('schedules').where('creator_id', creatorId);
-        return rows.map((r) => fromDbRow(r));
-    }
-    async getActiveSchedules() {
-        const knex = this.getKnex();
-        const rows = await knex('schedules').where('status', 'active');
-        return rows.map((r) => fromDbRow(r));
-    }
-    async getDueSchedules(now) {
-        const ts = now ?? Date.now();
-        const knex = this.getKnex();
-        // MSSQL uses 1/0 for booleans
-        const bFalse = this.driver === 'mssql' ? 0 : false;
-        const bTrue = this.driver === 'mssql' ? 1 : true;
-        const rows = await knex('schedules')
-            .where('status', 'active')
-            .andWhere(function () {
-            this.where(function () {
-                this.where('is_recurring', bFalse)
-                    .whereNotNull('run_at')
-                    .where('run_at', '<=', ts);
-            }).orWhere(function () {
-                this.where('is_recurring', bTrue)
-                    .whereNotNull('next_run_at')
-                    .where('next_run_at', '<=', ts);
-            });
-        });
-        return rows.map((r) => fromDbRow(r));
-    }
-    async findByWorkflow(creatorId, workflowName) {
-        const knex = this.getKnex();
-        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, '\\$&');
-        const pattern = `%${escaped}%`;
-        const rows = await knex('schedules')
-            .where('creator_id', creatorId)
-            .where('status', 'active')
-            .whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
-        return rows.map((r) => fromDbRow(r));
-    }
-    async getAll() {
-        const knex = this.getKnex();
-        const rows = await knex('schedules');
-        return rows.map((r) => fromDbRow(r));
-    }
-    async getStats() {
-        const knex = this.getKnex();
-        // MSSQL uses 1/0 for booleans; PostgreSQL/MySQL accept both true/1
-        const boolTrue = this.driver === 'mssql' ? '1' : 'true';
-        const boolFalse = this.driver === 'mssql' ? '0' : 'false';
-        const result = await knex('schedules')
-            .select(knex.raw('COUNT(*) as total'), knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"), knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"), knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"), knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"), knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`), knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`))
-            .first();
-        return {
-            total: Number(result.total) || 0,
-            active: Number(result.active) || 0,
-            paused: Number(result.paused) || 0,
-            completed: Number(result.completed) || 0,
-            failed: Number(result.failed) || 0,
-            recurring: Number(result.recurring) || 0,
-            oneTime: Number(result.one_time) || 0,
-        };
-    }
-    async validateLimits(creatorId, isRecurring, limits) {
-        const knex = this.getKnex();
-        if (limits.maxGlobal) {
-            const result = await knex('schedules').count('* as cnt').first();
-            if (Number(result?.cnt) >= limits.maxGlobal) {
-                throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
-            }
-        }
-        if (limits.maxPerUser) {
-            const result = await knex('schedules')
-                .where('creator_id', creatorId)
-                .count('* as cnt')
-                .first();
-            if (Number(result?.cnt) >= limits.maxPerUser) {
-                throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
-            }
-        }
-        if (isRecurring && limits.maxRecurringPerUser) {
-            const bTrue = this.driver === 'mssql' ? 1 : true;
-            const result = await knex('schedules')
-                .where('creator_id', creatorId)
-                .where('is_recurring', bTrue)
-                .count('* as cnt')
-                .first();
-            if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
-                throw new Error(`You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`);
-            }
-        }
-    }
-    // --- HA Distributed Locking (via scheduler_locks table) ---
-    async tryAcquireLock(lockId, nodeId, ttlSeconds) {
-        const knex = this.getKnex();
-        const now = Date.now();
-        const expiresAt = now + ttlSeconds * 1000;
-        const token = (0, uuid_1.v4)();
-        // Step 1: Try to claim an existing expired lock
-        const updated = await knex('scheduler_locks')
-            .where('lock_id', lockId)
-            .where('expires_at', '<', now)
-            .update({
-            node_id: nodeId,
-            lock_token: token,
-            acquired_at: now,
-            expires_at: expiresAt,
-        });
-        if (updated > 0)
-            return token;
-        // Step 2: Try to INSERT a new lock row
-        try {
-            await knex('scheduler_locks').insert({
-                lock_id: lockId,
-                node_id: nodeId,
-                lock_token: token,
-                acquired_at: now,
-                expires_at: expiresAt,
-            });
-            return token;
-        }
-        catch {
-            // Unique constraint violation — another node holds the lock
-            return null;
-        }
-    }
-    async releaseLock(lockId, lockToken) {
-        const knex = this.getKnex();
-        await knex('scheduler_locks').where('lock_id', lockId).where('lock_token', lockToken).del();
-    }
-    async renewLock(lockId, lockToken, ttlSeconds) {
-        const knex = this.getKnex();
-        const now = Date.now();
-        const expiresAt = now + ttlSeconds * 1000;
-        const updated = await knex('scheduler_locks')
-            .where('lock_id', lockId)
-            .where('lock_token', lockToken)
-            .update({ acquired_at: now, expires_at: expiresAt });
-        return updated > 0;
-    }
-    async flush() {
-        // No-op for server-based backends
-    }
-    // --- Message Trigger CRUD ---
-    async createTrigger(trigger) {
-        const knex = this.getKnex();
-        const newTrigger = {
-            ...trigger,
-            id: (0, uuid_1.v4)(),
-            createdAt: Date.now(),
-        };
-        await knex('message_triggers').insert(toTriggerInsertRow(newTrigger));
-        logger_1.logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
-        return newTrigger;
-    }
-    async getTrigger(id) {
-        const knex = this.getKnex();
-        const row = await knex('message_triggers').where('id', id).first();
-        return row ? fromTriggerRow(row) : undefined;
-    }
-    async updateTrigger(id, patch) {
-        const knex = this.getKnex();
-        const existing = await knex('message_triggers').where('id', id).first();
-        if (!existing)
-            return undefined;
-        const current = fromTriggerRow(existing);
-        const updated = {
-            ...current,
-            ...patch,
-            id: current.id,
-            createdAt: current.createdAt,
-        };
-        const row = toTriggerInsertRow(updated);
-        delete row.id;
-        await knex('message_triggers').where('id', id).update(row);
-        return updated;
-    }
-    async deleteTrigger(id) {
-        const knex = this.getKnex();
-        const deleted = await knex('message_triggers').where('id', id).del();
-        if (deleted > 0) {
-            logger_1.logger.info(`[KnexStore] Deleted trigger ${id}`);
-            return true;
-        }
-        return false;
-    }
-    async getTriggersByCreator(creatorId) {
-        const knex = this.getKnex();
-        const rows = await knex('message_triggers').where('creator_id', creatorId);
-        return rows.map((r) => fromTriggerRow(r));
-    }
-    async getActiveTriggers() {
-        const knex = this.getKnex();
-        const rows = await knex('message_triggers')
-            .where('status', 'active')
-            .where('enabled', this.driver === 'mssql' ? 1 : true);
-        return rows.map((r) => fromTriggerRow(r));
-    }
-}
-exports.KnexStoreBackend = KnexStoreBackend;
-
-
 /***/ }),
 
 /***/ 83864:
@@ -316131,7 +314328,7 @@ exports.configSchema = {
             properties: {
                 type: {
                     type: 'string',
-                    enum: ['command', 'api', 'workflow'],
+                    enum: ['command', 'api', 'workflow', 'http_client'],
                     description: "Tool implementation type (defaults to 'command')",
                 },
                 name: {
@@ -316328,6 +314525,27 @@ exports.configSchema = {
                     type: 'number',
                     description: 'Alias for requestTimeoutMs (snake_case)',
                 },
+                base_url: {
+                    type: 'string',
+                    description: 'Base URL for HTTP client tools',
+                },
+                auth: {
+                    type: 'object',
+                    properties: {
+                        type: {
+                            type: 'string',
+                        },
+                        token: {
+                            type: 'string',
+                        },
+                    },
+                    required: ['type'],
+                    additionalProperties: {},
+                    description: 'Authentication config for HTTP client tools',
+                    patternProperties: {
+                        '^x-': {},
+                    },
+                },
                 workflow: {
                     type: 'string',
                     description: "Workflow ID (registry lookup) or file path (for type: 'workflow')",
@@ -316867,7 +315085,7 @@ exports.configSchema = {
                     description: 'Arguments/inputs for the workflow',
                 },
                 overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E',
                     description: 'Override specific step configurations in the workflow',
                 },
                 output_mapping: {
@@ -316883,7 +315101,7 @@ exports.configSchema = {
                     description: 'Config file path - alternative to workflow ID (loads a Visor config file as workflow)',
                 },
                 workflow_overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E',
                     description: 'Alias for overrides - workflow step overrides (backward compatibility)',
                 },
                 ref: {
@@ -317585,7 +315803,7 @@ exports.configSchema = {
                     description: 'Custom output name (defaults to workflow name)',
                 },
                 overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E',
                     description: 'Step overrides',
                 },
                 output_mapping: {
@@ -317600,13 +315818,13 @@ exports.configSchema = {
                 '^x-': {},
             },
         },
-        'Record<string,Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833>>': {
+        'Record<string,Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090>>': {
             type: 'object',
             additionalProperties: {
-                $ref: '#/definitions/Partial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E',
+                $ref: '#/definitions/Partial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E',
             },
         },
-        'Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833>': {
+        'Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090>': {
             type: 'object',
             additionalProperties: false,
         },
@@ -325335,35 +323553,6 @@ class OutputFormatters {
 exports.OutputFormatters = OutputFormatters;
 
 
-/***/ }),
-
-/***/ 93866:
-/***/ ((__unused_webpack_module, exports) => {
-
-"use strict";
-
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.DefaultPolicyEngine = void 0;
-/**
- * Default (no-op) policy engine — always allows everything.
- * Used when no enterprise license is present or policy is disabled.
- */
-class DefaultPolicyEngine {
-    async initialize(_config) { }
-    async evaluateCheckExecution(_checkId, _checkConfig) {
-        return { allowed: true };
-    }
-    async evaluateToolInvocation(_serverName, _methodName, _transport) {
-        return { allowed: true };
-    }
-    async evaluateCapabilities(_checkId, _capabilities) {
-        return { allowed: true };
-    }
-    async shutdown() { }
-}
-exports.DefaultPolicyEngine = DefaultPolicyEngine;
-
-
 /***/ }),
 
 /***/ 96611:
@@ -327614,12 +325803,14 @@ class AICheckProvider extends check_provider_interface_1.CheckProvider {
                 break; // Only support one custom tools server per check
             }
         }
-        // Option 4: Extract workflow and tool entries from ai_mcp_servers/ai_mcp_servers_js
+        // Option 4: Extract workflow, tool, and http_client entries from ai_mcp_servers/ai_mcp_servers_js
         // Unified format:
         //   { workflow: 'name', inputs: {...} } → workflow tool
         //   { tool: 'name' } → custom tool from tools: section or built-in (e.g., 'schedule')
+        //   { type: 'http_client', base_url: '...', ... } → HTTP client tool (REST API proxy)
         const workflowEntriesFromMcp = [];
         const toolEntriesFromMcp = [];
+        const httpClientEntriesFromMcp = [];
         const mcpEntriesToRemove = [];
         for (const [serverName, serverConfig] of Object.entries(mcpServers)) {
             const cfg = serverConfig;
@@ -327634,6 +325825,12 @@ class AICheckProvider extends check_provider_interface_1.CheckProvider {
                 mcpEntriesToRemove.push(serverName);
                 logger_1.logger.debug(`[AICheckProvider] Extracted workflow tool '${serverName}' (workflow=${cfg.workflow}) from ai_mcp_servers`);
             }
+            else if (cfg.type === 'http_client' && (cfg.base_url || cfg.url)) {
+                // HTTP client tool entry — REST API proxy exposed as an MCP tool
+                httpClientEntriesFromMcp.push({ name: serverName, config: cfg });
+                mcpEntriesToRemove.push(serverName);
+                logger_1.logger.debug(`[AICheckProvider] Extracted http_client tool '${serverName}' (base_url=${cfg.base_url || cfg.url}) from ai_mcp_servers`);
+            }
             else if (cfg.tool && typeof cfg.tool === 'string') {
                 // Custom tool or built-in tool entry
                 toolEntriesFromMcp.push(cfg.tool);
@@ -327692,8 +325889,10 @@ class AICheckProvider extends check_provider_interface_1.CheckProvider {
         }
         // Legacy support: enable_scheduler: true also enables the schedule tool
         const scheduleToolEnabled = scheduleToolRequested || (config.ai?.enable_scheduler === true && !config.ai?.disableTools);
-        if ((customToolsToLoad.length > 0 || scheduleToolEnabled) &&
-            (customToolsServerName || scheduleToolEnabled) &&
+        if ((customToolsToLoad.length > 0 ||
+            scheduleToolEnabled ||
+            httpClientEntriesFromMcp.length > 0) &&
+            (customToolsServerName || scheduleToolEnabled || httpClientEntriesFromMcp.length > 0) &&
             !config.ai?.disableTools) {
             if (!customToolsServerName) {
                 customToolsServerName = '__tools__';
@@ -327729,6 +325928,49 @@ class AICheckProvider extends check_provider_interface_1.CheckProvider {
                     customTools.set(scheduleTool.name, scheduleTool);
                     logger_1.logger.debug(`[AICheckProvider] Added built-in schedule tool`);
                 }
+                // Add http_client tools extracted from ai_mcp_servers
+                for (const entry of httpClientEntriesFromMcp) {
+                    const httpTool = {
+                        name: entry.name,
+                        type: 'http_client',
+                        description: entry.config.description ||
+                            `Call ${entry.name} HTTP API (base: ${entry.config.base_url || entry.config.url})`,
+                        base_url: (entry.config.base_url || entry.config.url),
+                        auth: entry.config.auth,
+                        headers: entry.config.headers,
+                        timeout: entry.config.timeout || 30000,
+                        inputSchema: {
+                            type: 'object',
+                            properties: {
+                                path: {
+                                    type: 'string',
+                                    description: 'API path (e.g. /jobs, /candidates/{id})',
+                                },
+                                method: {
+                                    type: 'string',
+                                    description: 'HTTP method (default: GET)',
+                                    enum: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
+                                },
+                                query: {
+                                    type: 'object',
+                                    description: 'Query string parameters',
+                                    additionalProperties: { type: 'string' },
+                                },
+                                body: {
+                                    type: 'object',
+                                    description: 'Request body for POST/PUT/PATCH',
+                                },
+                            },
+                            required: ['path'],
+                        },
+                    };
+                    customTools.set(entry.name, httpTool);
+                    logger_1.logger.debug(`[AICheckProvider] Added http_client tool '${entry.name}' (base_url=${httpTool.base_url})`);
+                }
+                // Ensure SSE server is created when http_client tools are present
+                if (httpClientEntriesFromMcp.length > 0 && !customToolsServerName) {
+                    customToolsServerName = '__tools__';
+                }
                 if (customTools.size > 0) {
                     const sessionId = config.checkName || `ai-check-${Date.now()}`;
                     const debug = aiConfig.debug || process.env.VISOR_DEBUG === 'true';
@@ -335570,6 +333812,13 @@ const workflow_registry_1 = __nccwpck_require__(82824);
 const schedule_tool_1 = __nccwpck_require__(13395);
 // Legacy Slack-specific imports for backwards compatibility
 const schedule_tool_handler_1 = __nccwpck_require__(28883);
+const env_resolver_1 = __nccwpck_require__(58749);
+/**
+ * Check if a tool definition is an http_client tool
+ */
+function isHttpClientTool(tool) {
+    return Boolean(tool && tool.type === 'http_client' && (tool.base_url || tool.url));
+}
 /**
  * SSE-based MCP server that exposes custom tools from YAML configuration
  * Implements the Model Context Protocol over Server-Sent Events
@@ -335608,14 +333857,16 @@ class CustomToolsSSEServer {
                 }
             }
         }
-        // Second pass: separate workflow tools from regular tools
+        // Second pass: separate workflow and http_client tools from regular tools
         for (const [name, tool] of this.tools.entries()) {
-            // Skip workflow tools - they're handled separately
-            if (!(0, workflow_tool_executor_1.isWorkflowTool)(tool)) {
-                toolsRecord[name] = tool;
+            // Skip workflow and http_client tools - they're handled separately
+            if ((0, workflow_tool_executor_1.isWorkflowTool)(tool) || isHttpClientTool(tool)) {
+                if ((0, workflow_tool_executor_1.isWorkflowTool)(tool)) {
+                    workflowToolNames.push(name);
+                }
             }
             else {
-                workflowToolNames.push(name);
+                toolsRecord[name] = tool;
             }
         }
         // Warn if workflow tools are present but no context is provided
@@ -336089,7 +334340,14 @@ class CustomToolsSSEServer {
             description: tool.description || `Execute ${tool.name}`,
             inputSchema: normalizeInputSchema(tool.inputSchema),
         }));
-        const allTools = [...regularTools, ...workflowTools];
+        const httpClientTools = Array.from(this.tools.values())
+            .filter(isHttpClientTool)
+            .map(tool => ({
+            name: tool.name,
+            description: tool.description || `Call ${tool.name} HTTP API`,
+            inputSchema: normalizeInputSchema(tool.inputSchema),
+        }));
+        const allTools = [...regularTools, ...workflowTools, ...httpClientTools];
         if (this.debug) {
             logger_1.logger.debug(`[CustomToolsSSEServer:${this.sessionId}] Listing ${allTools.length} tools: ${allTools.map(t => t.name).join(', ')}`);
         }
@@ -336211,6 +334469,10 @@ class CustomToolsSSEServer {
                         const workflowTool = tool;
                         result = await (0, workflow_tool_executor_1.executeWorkflowAsTool)(workflowTool.__workflowId, args, this.workflowContext, workflowTool.__argsOverrides);
                     }
+                    else if (tool && isHttpClientTool(tool)) {
+                        // Execute HTTP client tool — proxy REST API calls
+                        result = await this.executeHttpClientTool(tool, args);
+                    }
                     else {
                         // Execute regular custom tool
                         result = await this.toolExecutor.execute(toolName, args);
@@ -336275,6 +334537,88 @@ class CustomToolsSSEServer {
             }
         }
     }
+    /**
+     * Execute an http_client tool — proxy REST API calls through the configured base URL.
+     */
+    async executeHttpClientTool(tool, args) {
+        const baseUrl = (tool.base_url || tool.url).replace(/\/+$/, '');
+        const apiPath = args.path || '';
+        const method = (args.method || 'GET').toUpperCase();
+        const queryParams = args.query || {};
+        const body = args.body;
+        const toolHeaders = tool.headers || {};
+        const timeout = tool.timeout || 30000;
+        // Build full URL
+        let url = apiPath.startsWith('http') ? apiPath : `${baseUrl}/${apiPath.replace(/^\/+/, '')}`;
+        // Append query parameters
+        if (Object.keys(queryParams).length > 0) {
+            const qs = new URLSearchParams(queryParams).toString();
+            url += `${url.includes('?') ? '&' : '?'}${qs}`;
+        }
+        // Resolve environment variables in headers
+        const resolvedHeaders = {};
+        for (const [key, value] of Object.entries(toolHeaders)) {
+            resolvedHeaders[key] = String(env_resolver_1.EnvironmentResolver.resolveValue(value));
+        }
+        // Handle auth
+        if (tool.auth) {
+            const authType = tool.auth.type;
+            if (authType === 'bearer' && tool.auth.token) {
+                const token = String(env_resolver_1.EnvironmentResolver.resolveValue(tool.auth.token));
+                resolvedHeaders['Authorization'] = `Bearer ${token}`;
+            }
+        }
+        if (this.debug) {
+            logger_1.logger.debug(`[CustomToolsSSEServer:${this.sessionId}] HTTP client: ${method} ${url}`);
+        }
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeout);
+        try {
+            const requestOptions = {
+                method,
+                headers: resolvedHeaders,
+                signal: controller.signal,
+            };
+            if (method !== 'GET' && body) {
+                requestOptions.body = typeof body === 'string' ? body : JSON.stringify(body);
+                if (!resolvedHeaders['Content-Type'] && !resolvedHeaders['content-type']) {
+                    resolvedHeaders['Content-Type'] = 'application/json';
+                }
+            }
+            const response = await fetch(url, requestOptions);
+            clearTimeout(timeoutId);
+            if (!response.ok) {
+                let errorBody = '';
+                try {
+                    errorBody = await response.text();
+                }
+                catch { }
+                throw new Error(`HTTP ${response.status}: ${response.statusText}${errorBody ? ` - ${errorBody.substring(0, 500)}` : ''}`);
+            }
+            // Parse response
+            const contentType = response.headers.get('content-type');
+            if (contentType && contentType.includes('application/json')) {
+                return await response.json();
+            }
+            const text = await response.text();
+            if (text.trim().startsWith('{') || text.trim().startsWith('[')) {
+                try {
+                    return JSON.parse(text);
+                }
+                catch {
+                    return text;
+                }
+            }
+            return text;
+        }
+        catch (error) {
+            clearTimeout(timeoutId);
+            if (error instanceof Error && error.name === 'AbortError') {
+                throw new Error(`HTTP client request timed out after ${timeout}ms`);
+            }
+            throw error;
+        }
+    }
     /**
      * Convert a type: 'workflow' tool definition into a WorkflowToolDefinition marker.
      *
@@ -348355,7 +346699,7 @@ class StateMachineExecutionEngine {
             try {
                 logger_1.logger.debug(`[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`);
                 // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(87068)));
+                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7065)));
                 context.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
                 logger_1.logger.debug(`[PolicyEngine] Initialized: ${context.policyEngine?.constructor?.name || 'unknown'}`);
             }
@@ -360094,7 +358438,7 @@ async function initTelemetry(opts = {}) {
                 const path = __nccwpck_require__(16928);
                 const outDir = opts.file?.dir ||
                     process.env.VISOR_TRACE_DIR ||
-                    path.join(process.cwd(), 'output', 'traces');
+                    __nccwpck_require__.ab + "traces";
                 fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
                 process.env.VISOR_FALLBACK_TRACE_FILE = path.join(outDir, `run-${ts}.ndjson`);
@@ -360344,7 +358688,7 @@ async function shutdownTelemetry() {
             if (process.env.VISOR_TRACE_REPORT === 'true') {
                 const fs = __nccwpck_require__(79896);
                 const path = __nccwpck_require__(16928);
-                const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
+                const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
                 if (!fs.existsSync(outDir))
                     fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
@@ -360895,7 +359239,7 @@ function __getOrCreateNdjsonPath() {
                 fs.mkdirSync(dir, { recursive: true });
             return __ndjsonPath;
         }
-        const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
+        const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
         if (!fs.existsSync(outDir))
             fs.mkdirSync(outDir, { recursive: true });
         if (!__ndjsonPath) {
@@ -361384,9 +359728,11 @@ function expandConversationToFlow(testCase) {
         flow.push(stage);
         // After this stage, add user message + assumed assistant response to history
         messageHistory.push({ role: 'user', text: turn.text });
-        // Look for mock response text to add as assistant message for next turn
+        // Look for mock response text to add as assistant message for next turn.
+        // Record the index so the runner can replace it with the real response in --no-mocks mode.
         const assistantText = extractMockResponseText(turn.mocks);
         if (assistantText) {
+            stage._mockAssistantMsgIndex = messageHistory.length; // index of the assistant msg about to be pushed
             messageHistory.push({ role: 'assistant', text: assistantText });
         }
     }
@@ -363514,6 +361860,31 @@ class VisorTestRunner {
         const pad = Math.max(1, width - title.length - 2);
         return `${char.repeat(2)} ${title} ${char.repeat(pad)}`;
     }
+    /**
+     * Execute a lifecycle hook (shell command). Returns true on success, false on failure.
+     */
+    async runHook(hook, label, cwd) {
+        if (!hook)
+            return { ok: true };
+        const timeoutMs = hook.timeout || 30_000;
+        console.log(this.gray(`  ⚙ ${label}: ${hook.exec}`));
+        try {
+            const { execSync } = __nccwpck_require__(35317);
+            execSync(hook.exec, {
+                cwd,
+                stdio: ['ignore', 'pipe', 'pipe'],
+                timeout: timeoutMs,
+                env: { ...process.env },
+            });
+            return { ok: true };
+        }
+        catch (err) {
+            const stderr = err.stderr ? err.stderr.toString().trim() : '';
+            const msg = stderr || err.message || String(err);
+            console.log(this.color(`  ✖ ${label} failed: ${msg}`, '31'));
+            return { ok: false, error: `${label} failed: ${msg}` };
+        }
+    }
     // Extracted helper: prepare engine/recorder, prompts/mocks, env, and checksToRun for a single-event case
     setupTestCase(_case, cfg, defaultStrict, defaultPromptCap, ghRec, defaultIncludeTags, defaultExcludeTags, noMocks, noMocksFor) {
         const name = _case.name || '(unnamed)';
@@ -363915,6 +362286,7 @@ class VisorTestRunner {
             extends: doc.extends,
             tests: {
                 defaults: tests.defaults || {},
+                hooks: tests.hooks || undefined,
                 fixtures: tests.fixtures || [],
                 cases: tests.cases,
             },
@@ -364104,6 +362476,18 @@ class VisorTestRunner {
             }
         }
         catch { }
+        // Lifecycle hooks
+        const suiteHooks = suite.tests.hooks || {};
+        const suiteCwd = path_1.default.dirname(testsPath);
+        const beforeAllResult = await this.runHook(suiteHooks.before_all, 'before_all', suiteCwd);
+        if (!beforeAllResult.ok) {
+            // Skip all cases when before_all fails
+            for (const c of selected) {
+                caseResults.push({ name: c.name, passed: false, errors: [beforeAllResult.error] });
+            }
+            clearInterval(__keepAlive);
+            return { failures: selected.length, results: caseResults };
+        }
         const runOne = async (_caseOrig) => {
             // Expand conversation sugar to flow stages before any processing
             const { expandConversationToFlow } = __nccwpck_require__(15921);
@@ -364123,11 +362507,32 @@ class VisorTestRunner {
                 caseResults.push({ name: _case.name, passed: true, errors: [] });
                 return { name: _case.name, failed: 0 };
             }
+            // Run before_each (suite-level) and before (case-level) hooks
+            const caseHooks = _case.hooks || {};
+            const beforeEachRes = await this.runHook(suiteHooks.before_each, 'before_each', suiteCwd);
+            if (!beforeEachRes.ok) {
+                caseResults.push({ name: _case.name, passed: false, errors: [beforeEachRes.error] });
+                return { name: _case.name, failed: 1 };
+            }
+            const beforeRes = await this.runHook(caseHooks.before, `before (${_case.name})`, suiteCwd);
+            if (!beforeRes.ok) {
+                // after_each still runs even if before fails
+                await this.runHook(suiteHooks.after_each, 'after_each', suiteCwd);
+                caseResults.push({ name: _case.name, passed: false, errors: [beforeRes.error] });
+                return { name: _case.name, failed: 1 };
+            }
             if (Array.isArray(_case.flow) && _case.flow.length > 0) {
-                const flowRes = await this.runFlowCase(_case, cfg, defaultStrict, options.bail || false, defaultPromptCap, stageFilter, noMocksMode);
-                const failed = flowRes.failures;
-                caseResults.push({ name: _case.name, passed: failed === 0, stages: flowRes.stages });
-                return { name: _case.name, failed };
+                try {
+                    const flowRes = await this.runFlowCase(_case, cfg, defaultStrict, options.bail || false, defaultPromptCap, stageFilter, noMocksMode);
+                    const failed = flowRes.failures;
+                    caseResults.push({ name: _case.name, passed: failed === 0, stages: flowRes.stages });
+                    return { name: _case.name, failed };
+                }
+                finally {
+                    // after (case-level) and after_each (suite-level) always run
+                    await this.runHook(caseHooks.after, `after (${_case.name})`, suiteCwd);
+                    await this.runHook(suiteHooks.after_each, 'after_each', suiteCwd);
+                }
             }
             // Per-case AI override: include code context when requested
             const suiteDefaults = this.suiteDefaults || {};
@@ -364356,6 +362761,9 @@ class VisorTestRunner {
                 return { name: _case.name, failed: 1 };
             }
             finally {
+                // after (case-level) and after_each (suite-level) always run
+                await this.runHook(caseHooks.after, `after (${_case.name})`, suiteCwd);
+                await this.runHook(suiteHooks.after_each, 'after_each', suiteCwd);
                 try {
                     // Restore env for this case using original setup
                     setup.restoreEnv();
@@ -364386,6 +362794,8 @@ class VisorTestRunner {
             };
             await Promise.all(Array.from({ length: workers }, runWorker));
         }
+        // after_all always runs (like finally), even if tests failed
+        await this.runHook(suiteHooks.after_all, 'after_all', suiteCwd);
         // Summary (suppressible for embedded runs)
         const failedCases = caseResults.filter(r => !r.passed);
         const passedCases = caseResults.filter(r => r.passed);
@@ -364594,6 +363004,24 @@ class VisorTestRunner {
                 const defaultExcludeTags = parseTags(suiteDefaults?.exclude_tags);
                 const stageRunner = new flow_stage_1.FlowStage(flowName, engine, recorder, cfg, prompts, promptCap, this.mapEventFromFixtureName.bind(this), this.computeChecksToRun.bind(this), this.printStageHeader.bind(this), this.printSelectedChecks.bind(this), this.warnUnmockedProviders.bind(this), defaultIncludeTags, defaultExcludeTags, (suiteDefaults.frontends || undefined), noMocks, suiteDefaults.llm_judge || undefined, cumulativeOutputHistory);
                 const outcome = await stageRunner.run(stage, flowCase, strict);
+                // In conversation sugar + --no-mocks: replace mock assistant text in
+                // subsequent stages' message history with the real AI response.
+                if (noMocks &&
+                    flowCase._conversationSugar &&
+                    typeof stage._mockAssistantMsgIndex === 'number') {
+                    const realText = this.extractLastResponseText(cumulativeOutputHistory);
+                    if (realText) {
+                        for (let j = i + 1; j < flowCase.flow.length; j++) {
+                            const nextMsgs = flowCase.flow[j]?.execution_context?.conversation?.messages;
+                            if (Array.isArray(nextMsgs) && nextMsgs[stage._mockAssistantMsgIndex]) {
+                                nextMsgs[stage._mockAssistantMsgIndex] = {
+                                    ...nextMsgs[stage._mockAssistantMsgIndex],
+                                    text: realText,
+                                };
+                            }
+                        }
+                    }
+                }
                 const expect = stage.expect || {};
                 if (outcome.stats)
                     this.printCoverage(outcome.name, outcome.stats, expect);
@@ -364638,6 +363066,21 @@ class VisorTestRunner {
             console.log(`${this.tagFail ? this.tagFail() : '❌ FAIL'} ${flowName} (${failures} stage error${failures > 1 ? 's' : ''})`);
         return { failures, stages: stagesSummary };
     }
+    /**
+     * Extract the last response text from cumulative output history (for conversation sugar).
+     * Looks for 'chat' step outputs with a 'text' field.
+     */
+    extractLastResponseText(history) {
+        // The assistant workflow emits output on the 'chat' step with a 'text' field
+        const chatOutputs = history['chat'];
+        if (!Array.isArray(chatOutputs) || chatOutputs.length === 0)
+            return undefined;
+        const last = chatOutputs[chatOutputs.length - 1];
+        if (last && typeof last === 'object' && typeof last.text === 'string') {
+            return last.text;
+        }
+        return undefined;
+    }
     mapEventFromFixtureName(name) {
         if (!name)
             return 'manual';
@@ -365495,6 +363938,7 @@ const schema = {
                         },
                     },
                 },
+                hooks: { $ref: '#/$defs/suiteHooks' },
                 fixtures: { type: 'array' },
                 cases: {
                     type: 'array',
@@ -365506,6 +363950,33 @@ const schema = {
     },
     required: ['tests'],
     $defs: {
+        hookDef: {
+            type: 'object',
+            additionalProperties: false,
+            properties: {
+                exec: { type: 'string' },
+                timeout: { type: 'number' },
+            },
+            required: ['exec'],
+        },
+        suiteHooks: {
+            type: 'object',
+            additionalProperties: false,
+            properties: {
+                before_all: { $ref: '#/$defs/hookDef' },
+                after_all: { $ref: '#/$defs/hookDef' },
+                before_each: { $ref: '#/$defs/hookDef' },
+                after_each: { $ref: '#/$defs/hookDef' },
+            },
+        },
+        caseHooks: {
+            type: 'object',
+            additionalProperties: false,
+            properties: {
+                before: { $ref: '#/$defs/hookDef' },
+                after: { $ref: '#/$defs/hookDef' },
+            },
+        },
         fixtureRef: {
             oneOf: [
                 { type: 'string' },
@@ -365584,6 +364055,7 @@ const schema = {
                 },
                 // Workflow testing: input values to pass to the workflow
                 workflow_input: { type: 'object' },
+                hooks: { $ref: '#/$defs/caseHooks' },
                 expect: { $ref: '#/$defs/expectBlock' },
                 // Flow cases
                 flow: {
@@ -376821,6 +375293,22 @@ class WorkflowRegistry {
 exports.WorkflowRegistry = WorkflowRegistry;
 
 
+/***/ }),
+
+/***/ 7065:
+/***/ ((module) => {
+
+module.exports = eval("require")("./enterprise/loader");
+
+
+/***/ }),
+
+/***/ 71370:
+/***/ ((module) => {
+
+module.exports = eval("require")("./enterprise/policy/policy-input-builder");
+
+
 /***/ }),
 
 /***/ 18327:
@@ -610187,7 +608675,7 @@ module.exports = /*#__PURE__*/JSON.parse('["aaa","aarp","abb","abbott","abbvie",
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.42","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@grammyjs/runner":"^2.0.3","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#23c4bb611f7d05f3cb8c523917b5f57103e48108","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/api-logs":"^0.203.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-logs-otlp-http":"^0.203.0","@opentelemetry/exporter-metrics-otlp-http":"^0.203.0","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-logs":"^0.203.0","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc291","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","botbuilder":"^4.23.3","botframework-connector":"^4.23.3","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","grammy":"^1.41.1","ignore":"^7.0.5","imapflow":"^1.2.12","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","mailparser":"^3.9.3","minimatch":"^10.2.2","node-cron":"^3.0.3","nodemailer":"^8.0.1","open":"^9.1.0","resend":"^6.9.3","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/mailparser":"^3.4.6","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/nodemailer":"^7.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.175","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@grammyjs/runner":"^2.0.3","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#23c4bb611f7d05f3cb8c523917b5f57103e48108","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/api-logs":"^0.203.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-logs-otlp-http":"^0.203.0","@opentelemetry/exporter-metrics-otlp-http":"^0.203.0","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-logs":"^0.203.0","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc291","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","botbuilder":"^4.23.3","botframework-connector":"^4.23.3","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","grammy":"^1.41.1","ignore":"^7.0.5","imapflow":"^1.2.12","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","mailparser":"^3.9.3","minimatch":"^10.2.2","node-cron":"^3.0.3","nodemailer":"^8.0.1","open":"^9.1.0","resend":"^6.9.3","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/mailparser":"^3.4.6","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/nodemailer":"^7.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
 
 /***/ })