@probelabs/visor 0.1.177-ee → 0.1.178

package/dist/sdk/sdk.js

@@ -704,7 +704,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@probelabs/visor",
-      version: "0.1.42",
+      version: "0.1.178",
       main: "dist/index.js",
       bin: {
         visor: "./dist/index.js"
@@ -823,7 +823,7 @@ var require_package = __commonJS({
         "@opentelemetry/sdk-node": "^0.203.0",
         "@opentelemetry/sdk-trace-base": "^1.30.1",
         "@opentelemetry/semantic-conventions": "^1.30.1",
-        "@probelabs/probe": "^0.6.0-rc292",
+        "@probelabs/probe": "^0.6.0-rc293",
         "@types/commander": "^2.12.0",
         "@types/uuid": "^10.0.0",
         acorn: "^8.16.0",
@@ -1152,11 +1152,11 @@ function getTracer() {
 }
 async function withActiveSpan(name, attrs, fn) {
   const tracer = getTracer();
-  return await new Promise((resolve19, reject) => {
+  return await new Promise((resolve15, reject) => {
     const callback = async (span) => {
       try {
         const res = await fn(span);
-        resolve19(res);
+        resolve15(res);
       } catch (err) {
         try {
           if (err instanceof Error) span.recordException(err);
@@ -1281,19 +1281,19 @@ function __getOrCreateNdjsonPath() {
   try {
     if (process.env.VISOR_TELEMETRY_SINK && process.env.VISOR_TELEMETRY_SINK !== "file")
       return null;
-    const path33 = require("path");
-    const fs29 = require("fs");
+    const path29 = require("path");
+    const fs25 = require("fs");
     if (process.env.VISOR_FALLBACK_TRACE_FILE) {
       __ndjsonPath = process.env.VISOR_FALLBACK_TRACE_FILE;
-      const dir = path33.dirname(__ndjsonPath);
-      if (!fs29.existsSync(dir)) fs29.mkdirSync(dir, { recursive: true });
+      const dir = path29.dirname(__ndjsonPath);
+      if (!fs25.existsSync(dir)) fs25.mkdirSync(dir, { recursive: true });
       return __ndjsonPath;
     }
-    const outDir = process.env.VISOR_TRACE_DIR || path33.join(process.cwd(), "output", "traces");
-    if (!fs29.existsSync(outDir)) fs29.mkdirSync(outDir, { recursive: true });
+    const outDir = process.env.VISOR_TRACE_DIR || path29.join(process.cwd(), "output", "traces");
+    if (!fs25.existsSync(outDir)) fs25.mkdirSync(outDir, { recursive: true });
     if (!__ndjsonPath) {
       const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      __ndjsonPath = path33.join(outDir, `${ts}.ndjson`);
+      __ndjsonPath = path29.join(outDir, `${ts}.ndjson`);
     }
     return __ndjsonPath;
   } catch {
@@ -1302,11 +1302,11 @@ function __getOrCreateNdjsonPath() {
 }
 function _appendRunMarker() {
   try {
-    const fs29 = require("fs");
+    const fs25 = require("fs");
     const p = __getOrCreateNdjsonPath();
     if (!p) return;
     const line = { name: "visor.run", attributes: { started: true } };
-    fs29.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
+    fs25.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
   } catch {
   }
 }
@@ -3393,7 +3393,7 @@ var init_failure_condition_evaluator = __esm({
        */
       evaluateExpression(condition, context2) {
         try {
-          const normalize8 = (expr) => {
+          const normalize4 = (expr) => {
             const trimmed = expr.trim();
             if (!/[\n;]/.test(trimmed)) return trimmed;
             const parts = trimmed.split(/[\n;]+/).map((s) => s.trim()).filter((s) => s.length > 0 && !s.startsWith("//"));
@@ -3551,7 +3551,7 @@ var init_failure_condition_evaluator = __esm({
           try {
             exec2 = this.sandbox.compile(`return (${raw});`);
           } catch {
-            const normalizedExpr = normalize8(condition);
+            const normalizedExpr = normalize4(condition);
             exec2 = this.sandbox.compile(`return (${normalizedExpr});`);
           }
           const result = exec2(scope).run();
@@ -3934,9 +3934,9 @@ function configureLiquidWithExtensions(liquid) {
   });
   liquid.registerFilter("get", (obj, pathExpr) => {
     if (obj == null) return void 0;
-    const path33 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
-    if (!path33) return obj;
-    const parts = path33.split(".");
+    const path29 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
+    if (!path29) return obj;
+    const parts = path29.split(".");
     let cur = obj;
     for (const p of parts) {
       if (cur == null) return void 0;
@@ -4055,9 +4055,9 @@ function configureLiquidWithExtensions(liquid) {
           }
         }
         const defaultRole = typeof rolesCfg.default === "string" && rolesCfg.default.trim() ? rolesCfg.default.trim() : void 0;
-        const getNested = (obj, path33) => {
-          if (!obj || !path33) return void 0;
-          const parts = path33.split(".");
+        const getNested = (obj, path29) => {
+          if (!obj || !path29) return void 0;
+          const parts = path29.split(".");
           let cur = obj;
           for (const p of parts) {
             if (cur == null) return void 0;
@@ -6609,8 +6609,8 @@ var init_dependency_gating = __esm({
 async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs29 = await import("fs/promises");
-    const path33 = await import("path");
+    const fs25 = await import("fs/promises");
+    const path29 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" ? schemaRaw : "code-review";
     let templateContent;
@@ -6618,24 +6618,24 @@ async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
       templateContent = String(checkConfig.template.content);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path33.resolve(process.cwd(), file);
-      templateContent = await fs29.readFile(resolved, "utf-8");
+      const resolved = path29.resolve(process.cwd(), file);
+      templateContent = await fs25.readFile(resolved, "utf-8");
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path33.join(__dirname, "output", sanitized, "template.liquid"),
+          path29.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path33.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source: output/
-          path33.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path33.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs29.readFile(p, "utf-8");
+            templateContent = await fs25.readFile(p, "utf-8");
             if (templateContent) break;
           } catch {
           }
@@ -7040,7 +7040,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs29 = require("fs");
+    const fs25 = require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path6.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -7051,7 +7051,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs29.existsSync(candidatePath)) {
+      if (fs25.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -7158,7 +7158,7 @@ async function renderMermaidToPng(mermaidCode) {
     if (chromiumPath) {
       env.PUPPETEER_EXECUTABLE_PATH = chromiumPath;
     }
-    const result = await new Promise((resolve19) => {
+    const result = await new Promise((resolve15) => {
       const proc = (0, import_child_process.spawn)(
         "npx",
         [
@@ -7188,13 +7188,13 @@ async function renderMermaidToPng(mermaidCode) {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve19({ success: true });
+          resolve15({ success: true });
         } else {
-          resolve19({ success: false, error: stderr || `Exit code ${code}` });
+          resolve15({ success: false, error: stderr || `Exit code ${code}` });
         }
       });
       proc.on("error", (err) => {
-        resolve19({ success: false, error: err.message });
+        resolve15({ success: false, error: err.message });
       });
     });
     if (!result.success) {
@@ -8392,8 +8392,8 @@ ${schemaString}`);
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs29 = require("fs");
-              const path33 = require("path");
+              const fs25 = require("fs");
+              const path29 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const provider = this.config.provider || "auto";
               const model = this.config.model || "default";
@@ -8507,20 +8507,20 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
-              if (!fs29.existsSync(debugArtifactsDir)) {
-                fs29.mkdirSync(debugArtifactsDir, { recursive: true });
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              if (!fs25.existsSync(debugArtifactsDir)) {
+                fs25.mkdirSync(debugArtifactsDir, { recursive: true });
               }
-              const debugFile = path33.join(
+              const debugFile = path29.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.json`
               );
-              fs29.writeFileSync(debugFile, debugJson, "utf-8");
-              const readableFile = path33.join(
+              fs25.writeFileSync(debugFile, debugJson, "utf-8");
+              const readableFile = path29.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.txt`
               );
-              fs29.writeFileSync(readableFile, readableVersion, "utf-8");
+              fs25.writeFileSync(readableFile, readableVersion, "utf-8");
               log(`
 \u{1F4BE} Full debug info saved to:`);
               log(`   JSON: ${debugFile}`);
@@ -8558,8 +8558,8 @@ ${"=".repeat(60)}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs29 = require("fs");
-              const path33 = require("path");
+              const fs25 = require("fs");
+              const path29 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny2 = agent;
               let fullHistory = [];
@@ -8570,8 +8570,8 @@ ${"=".repeat(60)}
               } else if (agentAny2._messages) {
                 fullHistory = agentAny2._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path33.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path29.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8583,7 +8583,7 @@ ${"=".repeat(60)}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs29.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8610,7 +8610,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs29.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8619,11 +8619,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs29 = require("fs");
-              const path33 = require("path");
+              const fs25 = require("fs");
+              const path29 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
-              const responseFile = path33.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              const responseFile = path29.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8656,7 +8656,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs29.writeFileSync(responseFile, responseContent, "utf-8");
+              fs25.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8672,9 +8672,9 @@ ${"=".repeat(60)}
                 await agentAny._telemetryConfig.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs29 = require("fs");
-                  if (fs29.existsSync(agentAny._traceFilePath)) {
-                    const stats = fs29.statSync(agentAny._traceFilePath);
+                  const fs25 = require("fs");
+                  if (fs25.existsSync(agentAny._traceFilePath)) {
+                    const stats = fs25.statSync(agentAny._traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                     );
@@ -8887,9 +8887,9 @@ ${schemaString}`);
           const model = this.config.model || "default";
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs29 = require("fs");
-              const path33 = require("path");
-              const os3 = require("os");
+              const fs25 = require("fs");
+              const path29 = require("path");
+              const os2 = require("os");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const debugData = {
                 timestamp,
@@ -8961,19 +8961,19 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const tempDir = os3.tmpdir();
-              const promptFile = path33.join(tempDir, `visor-prompt-${timestamp}.txt`);
-              fs29.writeFileSync(promptFile, prompt, "utf-8");
+              const tempDir = os2.tmpdir();
+              const promptFile = path29.join(tempDir, `visor-prompt-${timestamp}.txt`);
+              fs25.writeFileSync(promptFile, prompt, "utf-8");
               log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
               try {
-                const base = path33.join(
+                const base = path29.join(
                   debugArtifactsDir,
                   `prompt-${_checkName || "unknown"}-${timestamp}`
                 );
-                fs29.writeFileSync(base + ".json", debugJson, "utf-8");
-                fs29.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
+                fs25.writeFileSync(base + ".json", debugJson, "utf-8");
+                fs25.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
                 log(`
 \u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
               } catch {
@@ -9023,8 +9023,8 @@ $ ${cliCommand}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs29 = require("fs");
-              const path33 = require("path");
+              const fs25 = require("fs");
+              const path29 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny = agent;
               let fullHistory = [];
@@ -9035,8 +9035,8 @@ $ ${cliCommand}
               } else if (agentAny._messages) {
                 fullHistory = agentAny._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path33.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path29.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -9048,7 +9048,7 @@ $ ${cliCommand}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs29.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -9075,7 +9075,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs29.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -9084,11 +9084,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs29 = require("fs");
-              const path33 = require("path");
+              const fs25 = require("fs");
+              const path29 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
-              const responseFile = path33.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              const responseFile = path29.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -9121,7 +9121,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs29.writeFileSync(responseFile, responseContent, "utf-8");
+              fs25.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -9139,9 +9139,9 @@ ${"=".repeat(60)}
                 await telemetry.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs29 = require("fs");
-                  if (fs29.existsSync(traceFilePath)) {
-                    const stats = fs29.statSync(traceFilePath);
+                  const fs25 = require("fs");
+                  if (fs25.existsSync(traceFilePath)) {
+                    const stats = fs25.statSync(traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                     );
@@ -9179,8 +9179,8 @@ ${"=".repeat(60)}
        * Load schema content from schema files or inline definitions
        */
       async loadSchemaContent(schema) {
-        const fs29 = require("fs").promises;
-        const path33 = require("path");
+        const fs25 = require("fs").promises;
+        const path29 = require("path");
         if (typeof schema === "object" && schema !== null) {
           log("\u{1F4CB} Using inline schema object from configuration");
           return JSON.stringify(schema);
@@ -9193,14 +9193,14 @@ ${"=".repeat(60)}
           }
         } catch {
         }
-        if ((schema.startsWith("./") || schema.includes(".json")) && !path33.isAbsolute(schema)) {
+        if ((schema.startsWith("./") || schema.includes(".json")) && !path29.isAbsolute(schema)) {
           if (schema.includes("..") || schema.includes("\0")) {
             throw new Error("Invalid schema path: path traversal not allowed");
           }
           try {
-            const schemaPath = path33.resolve(process.cwd(), schema);
+            const schemaPath = path29.resolve(process.cwd(), schema);
             log(`\u{1F4CB} Loading custom schema from file: ${schemaPath}`);
-            const schemaContent = await fs29.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch (error) {
             throw new Error(
@@ -9214,22 +9214,22 @@ ${"=".repeat(60)}
         }
         const candidatePaths = [
           // GitHub Action bundle location
-          path33.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
+          path29.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
           // Historical fallback when src/output was inadvertently bundled as output1/
-          path33.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
+          path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
           // Local dev (repo root)
-          path33.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
+          path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
         ];
         for (const schemaPath of candidatePaths) {
           try {
-            const schemaContent = await fs29.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch {
           }
         }
-        const distPath = path33.join(__dirname, "output", sanitizedSchemaName, "schema.json");
-        const distAltPath = path33.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
-        const cwdPath = path33.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const distPath = path29.join(__dirname, "output", sanitizedSchemaName, "schema.json");
+        const distAltPath = path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
+        const cwdPath = path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         throw new Error(
           `Failed to load schema '${sanitizedSchemaName}'. Tried: ${distPath}, ${distAltPath}, and ${cwdPath}. Ensure build copies 'output/' into dist (build:cli), or provide a custom schema file/path.`
         );
@@ -9471,7 +9471,7 @@ ${"=".repeat(60)}
        * Generate mock response for testing
        */
       async generateMockResponse(_prompt, _checkName, _schema) {
-        await new Promise((resolve19) => setTimeout(resolve19, 500));
+        await new Promise((resolve15) => setTimeout(resolve15, 500));
         const name = (_checkName || "").toLowerCase();
         if (name.includes("extract-facts")) {
           const arr = Array.from({ length: 6 }, (_, i) => ({
@@ -9832,7 +9832,7 @@ var init_command_executor = __esm({
        * Execute command with stdin input
        */
       executeWithStdin(command, options) {
-        return new Promise((resolve19, reject) => {
+        return new Promise((resolve15, reject) => {
           const childProcess = (0, import_child_process2.exec)(
             command,
             {
@@ -9844,7 +9844,7 @@ var init_command_executor = __esm({
               if (error && error.killed && (error.code === "ETIMEDOUT" || error.signal === "SIGTERM")) {
                 reject(new Error(`Command timed out after ${options.timeout || 3e4}ms`));
               } else {
-                resolve19({
+                resolve15({
                   stdout: stdout || "",
                   stderr: stderr || "",
                   exitCode: error ? error.code || 1 : 0
@@ -9912,6 +9912,162 @@ var init_command_executor = __esm({
   }
 });
 
+// src/utils/rate-limiter.ts
+function windowToMs(per) {
+  switch (per) {
+    case "second":
+      return 1e3;
+    case "minute":
+      return 6e4;
+    case "hour":
+      return 36e5;
+  }
+}
+function resolveRateLimitKey(config, fallbackUrl) {
+  if (config.key) {
+    return config.key;
+  }
+  if (fallbackUrl) {
+    try {
+      const url = new URL(fallbackUrl);
+      return url.origin;
+    } catch {
+      return fallbackUrl;
+    }
+  }
+  return "__default__";
+}
+async function rateLimitedFetch(url, options, rateLimitConfig) {
+  if (!rateLimitConfig) {
+    return fetch(url, options);
+  }
+  const key = resolveRateLimitKey(rateLimitConfig, url);
+  const registry = RateLimiterRegistry.getInstance();
+  const bucket = registry.getOrCreate(key, rateLimitConfig);
+  const maxRetries = rateLimitConfig.max_retries ?? 3;
+  const backoff = rateLimitConfig.backoff ?? "exponential";
+  const initialDelay = rateLimitConfig.initial_delay_ms ?? 1e3;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    await bucket.acquire();
+    const response = await fetch(url, options);
+    if (response.status !== 429) {
+      return response;
+    }
+    if (attempt === maxRetries) {
+      logger.warn(`[rate-limiter] Exhausted ${maxRetries} retries for ${url} (bucket: ${key})`);
+      return response;
+    }
+    let delayMs;
+    const retryAfter = response.headers.get("retry-after");
+    if (retryAfter) {
+      const parsed = Number(retryAfter);
+      if (!isNaN(parsed)) {
+        delayMs = parsed * 1e3;
+      } else {
+        const date = new Date(retryAfter).getTime();
+        delayMs = Math.max(0, date - Date.now());
+      }
+    } else {
+      delayMs = backoff === "exponential" ? initialDelay * Math.pow(2, attempt) : initialDelay;
+    }
+    logger.verbose(
+      `[rate-limiter] 429 on ${url} (bucket: ${key}), retry ${attempt + 1}/${maxRetries} in ${delayMs}ms`
+    );
+    await new Promise((resolve15) => setTimeout(resolve15, delayMs));
+  }
+  return fetch(url, options);
+}
+var TokenBucket, REGISTRY_KEY, RateLimiterRegistry;
+var init_rate_limiter = __esm({
+  "src/utils/rate-limiter.ts"() {
+    "use strict";
+    init_logger();
+    TokenBucket = class {
+      tokens;
+      capacity;
+      refillRate;
+      // tokens per ms
+      lastRefill;
+      waitQueue = [];
+      constructor(capacity, windowMs) {
+        this.capacity = capacity;
+        this.tokens = capacity;
+        this.refillRate = capacity / windowMs;
+        this.lastRefill = Date.now();
+      }
+      refill() {
+        const now = Date.now();
+        const elapsed = now - this.lastRefill;
+        const newTokens = elapsed * this.refillRate;
+        this.tokens = Math.min(this.capacity, this.tokens + newTokens);
+        this.lastRefill = now;
+      }
+      /**
+       * Non-blocking: try to consume one token.
+       */
+      tryConsume() {
+        this.refill();
+        if (this.tokens >= 1) {
+          this.tokens -= 1;
+          return true;
+        }
+        return false;
+      }
+      /**
+       * Blocking: wait until a token is available, then consume it.
+       * Requests are served FIFO.
+       */
+      async acquire() {
+        if (this.tryConsume()) {
+          return;
+        }
+        const waitMs = Math.ceil((1 - this.tokens) / this.refillRate);
+        return new Promise((resolve15) => {
+          const entry = { resolve: resolve15 };
+          this.waitQueue.push(entry);
+          setTimeout(() => {
+            const idx = this.waitQueue.indexOf(entry);
+            if (idx >= 0) {
+              this.waitQueue.splice(idx, 1);
+            }
+            this.refill();
+            if (this.tokens >= 1) {
+              this.tokens -= 1;
+            }
+            resolve15();
+          }, waitMs);
+        });
+      }
+    };
+    REGISTRY_KEY = Symbol.for("visor.rateLimiterRegistry");
+    RateLimiterRegistry = class _RateLimiterRegistry {
+      buckets = /* @__PURE__ */ new Map();
+      static getInstance() {
+        const g = globalThis;
+        if (!g[REGISTRY_KEY]) {
+          g[REGISTRY_KEY] = new _RateLimiterRegistry();
+        }
+        return g[REGISTRY_KEY];
+      }
+      getOrCreate(key, config) {
+        let bucket = this.buckets.get(key);
+        if (!bucket) {
+          const windowMs = windowToMs(config.per);
+          bucket = new TokenBucket(config.requests, windowMs);
+          this.buckets.set(key, bucket);
+          logger.verbose(
+            `[rate-limiter] Created bucket "${key}": ${config.requests} req/${config.per}`
+          );
+        }
+        return bucket;
+      }
+      cleanup() {
+        this.buckets.clear();
+      }
+    };
+  }
+});
+
 // src/providers/api-tool-executor.ts
 function isHttpUrl(value) {
   return value.startsWith("http://") || value.startsWith("https://");
@@ -10140,7 +10296,8 @@ function getApiToolConfig(tool) {
     apiKey: tool.apiKey ?? tool.api_key,
     securitySchemeName: tool.securitySchemeName ?? tool.security_scheme_name,
     securityCredentials: tool.securityCredentials || tool.security_credentials || {},
-    requestTimeoutMs: tool.requestTimeoutMs ?? tool.request_timeout_ms ?? tool.timeout ?? 3e4
+    requestTimeoutMs: tool.requestTimeoutMs ?? tool.request_timeout_ms ?? tool.timeout ?? 3e4,
+    rateLimitConfig: tool.rate_limit
   };
 }
 function buildOutputSchema(operation) {
@@ -10572,12 +10729,16 @@ async function executeMappedApiTool(mappedTool, args) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), apiToolConfig.requestTimeoutMs);
   try {
-    const response = await fetch(endpoint.toString(), {
-      method,
-      headers,
-      body: requestBodyValue === void 0 ? void 0 : headers["Content-Type"]?.includes("application/json") ? JSON.stringify(requestBodyValue) : String(requestBodyValue),
-      signal: controller.signal
-    });
+    const response = await rateLimitedFetch(
+      endpoint.toString(),
+      {
+        method,
+        headers,
+        body: requestBodyValue === void 0 ? void 0 : headers["Content-Type"]?.includes("application/json") ? JSON.stringify(requestBodyValue) : String(requestBodyValue),
+        signal: controller.signal
+      },
+      apiToolConfig.rateLimitConfig
+    );
     const raw = await response.text();
     let body = raw;
     const contentType = response.headers.get("content-type") || "";
@@ -10621,6 +10782,7 @@ var init_api_tool_executor = __esm({
     import_jsonpath_plus = require("jsonpath-plus");
     import_minimatch = require("minimatch");
     init_logger();
+    init_rate_limiter();
     HTTP_METHODS = /* @__PURE__ */ new Set(["get", "put", "post", "delete", "options", "head", "patch", "trace"]);
     ApiToolRegistry = class {
       bundleCache = /* @__PURE__ */ new Map();
@@ -12978,6 +13140,10 @@ var init_config_schema = __esm({
                 "^x-": {}
               }
             },
+            rate_limit: {
+              $ref: "#/definitions/RateLimitConfig",
+              description: "Rate limiting configuration for HTTP/API tools"
+            },
             workflow: {
               type: "string",
               description: "Workflow ID (registry lookup) or file path (for type: 'workflow')"
@@ -13014,6 +13180,43 @@ var init_config_schema = __esm({
             type: "string"
           }
         },
+        RateLimitConfig: {
+          type: "object",
+          properties: {
+            key: {
+              type: "string",
+              description: "Shared bucket name; defaults to URL origin"
+            },
+            requests: {
+              type: "number",
+              description: "Max requests per window"
+            },
+            per: {
+              type: "string",
+              enum: ["second", "minute", "hour"],
+              description: "Time window unit"
+            },
+            max_retries: {
+              type: "number",
+              description: "Max retries on 429 (default: 3)"
+            },
+            backoff: {
+              type: "string",
+              enum: ["fixed", "exponential"],
+              description: "Backoff strategy (default: exponential)"
+            },
+            initial_delay_ms: {
+              type: "number",
+              description: "Base delay for backoff in ms (default: 1000)"
+            }
+          },
+          required: ["requests", "per"],
+          additionalProperties: false,
+          description: "Rate limit configuration for HTTP/API requests.",
+          patternProperties: {
+            "^x-": {}
+          }
+        },
         WorkflowInput: {
           type: "object",
           properties: {
@@ -13116,6 +13319,10 @@ var init_config_schema = __esm({
               $ref: "#/definitions/Record%3Cstring%2Cstring%3E",
               description: "HTTP headers"
             },
+            rate_limit: {
+              $ref: "#/definitions/RateLimitConfig",
+              description: "Rate limiting configuration for http_client checks"
+            },
             endpoint: {
               type: "string",
               description: "HTTP endpoint path - required for http_input checks"
@@ -13517,7 +13724,7 @@ var init_config_schema = __esm({
               description: "Arguments/inputs for the workflow"
             },
             overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E%3E",
               description: "Override specific step configurations in the workflow"
             },
             output_mapping: {
@@ -13533,7 +13740,7 @@ var init_config_schema = __esm({
               description: "Config file path - alternative to workflow ID (loads a Visor config file as workflow)"
             },
             workflow_overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E%3E",
               description: "Alias for overrides - workflow step overrides (backward compatibility)"
             },
             ref: {
@@ -14235,7 +14442,7 @@ var init_config_schema = __esm({
               description: "Custom output name (defaults to workflow name)"
             },
             overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E%3E",
               description: "Step overrides"
             },
             output_mapping: {
@@ -14250,13 +14457,13 @@ var init_config_schema = __esm({
             "^x-": {}
           }
         },
-        "Record<string,Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090>>": {
+        "Record<string,Partial<interface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785>>": {
           type: "object",
           additionalProperties: {
-            $ref: "#/definitions/Partial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E"
+            $ref: "#/definitions/Partial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E"
           }
         },
-        "Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090>": {
+        "Partial<interface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785>": {
           type: "object",
           additionalProperties: false
         },
@@ -18316,6 +18523,14 @@ var init_workflow_check_provider = __esm({
           inputs,
           config.checkName || workflow.id
         );
+        const parentTimeout = config.timeout || config.ai?.timeout;
+        if (parentTimeout && workflowConfig.checks) {
+          for (const stepCfg of Object.values(workflowConfig.checks)) {
+            if (!stepCfg.timeout && !stepCfg.ai?.timeout) {
+              stepCfg.timeout = parentTimeout;
+            }
+          }
+        }
         const parentMemoryCfg = parentContext?.memory && parentContext.memory.getConfig && parentContext.memory.getConfig() || parentContext?.config?.memory;
         const childJournal = new ExecutionJournal2();
         const childMemory = MemoryStore2.createIsolated(parentMemoryCfg);
@@ -18636,17 +18851,17 @@ var init_workflow_check_provider = __esm({
        * so it can be executed by the state machine as a nested workflow.
        */
       async loadWorkflowFromConfigPath(sourcePath, baseDir) {
-        const path33 = require("path");
-        const fs29 = require("fs");
+        const path29 = require("path");
+        const fs25 = require("fs");
         const yaml5 = require("js-yaml");
-        const resolved = path33.isAbsolute(sourcePath) ? sourcePath : path33.resolve(baseDir, sourcePath);
-        if (!fs29.existsSync(resolved)) {
+        const resolved = path29.isAbsolute(sourcePath) ? sourcePath : path29.resolve(baseDir, sourcePath);
+        if (!fs25.existsSync(resolved)) {
           throw new Error(`Workflow config not found at: ${resolved}`);
         }
-        const rawContent = fs29.readFileSync(resolved, "utf8");
+        const rawContent = fs25.readFileSync(resolved, "utf8");
         const rawData = yaml5.load(rawContent);
         if (rawData.imports && Array.isArray(rawData.imports)) {
-          const configDir = path33.dirname(resolved);
+          const configDir = path29.dirname(resolved);
           for (const source of rawData.imports) {
             const results = await this.registry.import(source, {
               basePath: configDir,
@@ -18676,8 +18891,8 @@ ${errors}`);
         if (!steps || Object.keys(steps).length === 0) {
           throw new Error(`Config '${resolved}' does not contain any steps to execute as a workflow`);
         }
-        const id = path33.basename(resolved).replace(/\.(ya?ml)$/i, "");
-        const name = loaded.name || `Workflow from ${path33.basename(resolved)}`;
+        const id = path29.basename(resolved).replace(/\.(ya?ml)$/i, "");
+        const name = loaded.name || `Workflow from ${path29.basename(resolved)}`;
         const workflowDef = {
           id,
           name,
@@ -19486,8 +19701,8 @@ async function createStoreBackend(storageConfig, haConfig) {
     case "mssql": {
       try {
         const loaderPath = "../../enterprise/loader";
-        const { loadEnterpriseStoreBackend: loadEnterpriseStoreBackend2 } = await import(loaderPath);
-        return await loadEnterpriseStoreBackend2(driver, storageConfig, haConfig);
+        const { loadEnterpriseStoreBackend } = await import(loaderPath);
+        return await loadEnterpriseStoreBackend(driver, storageConfig, haConfig);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         logger.error(`[StoreFactory] Failed to load enterprise ${driver} backend: ${msg}`);
@@ -22121,6 +22336,7 @@ var init_mcp_custom_sse_server = __esm({
     init_schedule_tool();
     init_schedule_tool_handler();
     init_env_resolver();
+    init_rate_limiter();
     CustomToolsSSEServer = class _CustomToolsSSEServer {
       server = null;
       port = 0;
@@ -22181,7 +22397,7 @@ var init_mcp_custom_sse_server = __esm({
        * Returns the actual bound port number
        */
       async start() {
-        return new Promise((resolve19, reject) => {
+        return new Promise((resolve15, reject) => {
           try {
             this.server = import_http.default.createServer((req, res) => {
               this.handleRequest(req, res).catch((error) => {
@@ -22215,7 +22431,7 @@ var init_mcp_custom_sse_server = __esm({
                 );
               }
               this.startKeepalive();
-              resolve19(this.port);
+              resolve15(this.port);
             });
           } catch (error) {
             reject(error);
@@ -22278,7 +22494,7 @@ var init_mcp_custom_sse_server = __esm({
             logger.debug(
               `[CustomToolsSSEServer:${this.sessionId}] Grace period before stop: ${waitMs}ms (activeToolCalls=${this.activeToolCalls})`
             );
-            await new Promise((resolve19) => setTimeout(resolve19, waitMs));
+            await new Promise((resolve15) => setTimeout(resolve15, waitMs));
           }
         }
         if (this.activeToolCalls > 0) {
@@ -22287,7 +22503,7 @@ var init_mcp_custom_sse_server = __esm({
             `[CustomToolsSSEServer:${this.sessionId}] Waiting for ${this.activeToolCalls} active tool call(s) before stop`
           );
           while (this.activeToolCalls > 0 && Date.now() - startedAt < effectiveDrainTimeoutMs) {
-            await new Promise((resolve19) => setTimeout(resolve19, 250));
+            await new Promise((resolve15) => setTimeout(resolve15, 250));
           }
           if (this.activeToolCalls > 0) {
             logger.warn(
@@ -22312,21 +22528,21 @@ var init_mcp_custom_sse_server = __esm({
         }
         this.connections.clear();
         if (this.server) {
-          await new Promise((resolve19, reject) => {
+          await new Promise((resolve15, reject) => {
             const timeout = setTimeout(() => {
               if (this.debug) {
                 logger.debug(
                   `[CustomToolsSSEServer:${this.sessionId}] Force closing server after timeout`
                 );
               }
-              this.server?.close(() => resolve19());
+              this.server?.close(() => resolve15());
             }, 5e3);
             this.server.close((error) => {
               clearTimeout(timeout);
               if (error) {
                 reject(error);
               } else {
-                resolve19();
+                resolve15();
               }
             });
           });
@@ -22783,7 +22999,7 @@ var init_mcp_custom_sse_server = __esm({
               logger.warn(
                 `[CustomToolsSSEServer:${this.sessionId}] Tool ${toolName} failed (attempt ${attempt + 1}/${retryCount + 1}): ${errorMsg}. Retrying in ${delay}ms`
               );
-              await new Promise((resolve19) => setTimeout(resolve19, delay));
+              await new Promise((resolve15) => setTimeout(resolve15, delay));
               attempt++;
             }
           }
@@ -22877,7 +23093,8 @@ var init_mcp_custom_sse_server = __esm({
               resolvedHeaders["Content-Type"] = "application/json";
             }
           }
-          const response = await fetch(url, requestOptions);
+          const rateLimitConfig = tool.rate_limit;
+          const response = await rateLimitedFetch(url, requestOptions, rateLimitConfig);
           clearTimeout(timeoutId);
           if (!response.ok) {
             let errorBody = "";
@@ -23255,9 +23472,9 @@ var init_ai_check_provider = __esm({
           } else {
             resolvedPath = import_path8.default.resolve(process.cwd(), str);
           }
-          const fs29 = require("fs").promises;
+          const fs25 = require("fs").promises;
           try {
-            const stat2 = await fs29.stat(resolvedPath);
+            const stat2 = await fs25.stat(resolvedPath);
             return stat2.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -25520,6 +25737,7 @@ var init_http_client_provider = __esm({
     init_template_context();
     init_oauth2_token_cache();
     init_logger();
+    init_rate_limiter();
     fs15 = __toESM(require("fs"));
     path19 = __toESM(require("path"));
     HttpClientProvider = class extends CheckProvider {
@@ -25676,6 +25894,7 @@ var init_http_client_provider = __esm({
               `[http_client] Body: ${requestBody.substring(0, 500)}${requestBody.length > 500 ? "..." : ""}`
             );
           }
+          const rateLimitConfig = config.rate_limit;
           if (resolvedOutputFile) {
             const fileResult = await this.downloadToFile(
               renderedUrl,
@@ -25683,11 +25902,19 @@ var init_http_client_provider = __esm({
               resolvedHeaders,
               requestBody,
               timeout,
-              resolvedOutputFile
+              resolvedOutputFile,
+              rateLimitConfig
             );
             return fileResult;
           }
-          const data = await this.fetchData(renderedUrl, method, resolvedHeaders, requestBody, timeout);
+          const data = await this.fetchData(
+            renderedUrl,
+            method,
+            resolvedHeaders,
+            requestBody,
+            timeout,
+            rateLimitConfig
+          );
           let processedData = data;
           if (transform) {
             try {
@@ -25770,7 +25997,7 @@ var init_http_client_provider = __esm({
           };
         }
       }
-      async fetchData(url, method, headers, body, timeout = 3e4) {
+      async fetchData(url, method, headers, body, timeout = 3e4, rateLimitConfig) {
         if (typeof fetch === "undefined") {
           throw new Error("HTTP client provider requires Node.js 18+ or node-fetch package");
         }
@@ -25793,7 +26020,7 @@ var init_http_client_provider = __esm({
               };
             }
           }
-          const response = await fetch(url, requestOptions);
+          const response = await rateLimitedFetch(url, requestOptions, rateLimitConfig);
           clearTimeout(timeoutId);
           logger.verbose(`[http_client] Response: ${response.status} ${response.statusText}`);
           if (!response.ok) {
@@ -25825,7 +26052,7 @@ var init_http_client_provider = __esm({
           throw error;
         }
       }
-      async downloadToFile(url, method, headers, body, timeout, outputFile) {
+      async downloadToFile(url, method, headers, body, timeout, outputFile, rateLimitConfig) {
         if (typeof fetch === "undefined") {
           throw new Error("HTTP client provider requires Node.js 18+ or node-fetch package");
         }
@@ -25846,7 +26073,7 @@ var init_http_client_provider = __esm({
               };
             }
           }
-          const response = await fetch(url, requestOptions);
+          const response = await rateLimitedFetch(url, requestOptions, rateLimitConfig);
           clearTimeout(timeoutId);
           if (!response.ok) {
             return {
@@ -29408,14 +29635,14 @@ var require_util = __commonJS({
         }
         const port = url.port != null ? url.port : url.protocol === "https:" ? 443 : 80;
         let origin = url.origin != null ? url.origin : `${url.protocol}//${url.hostname}:${port}`;
-        let path33 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
+        let path29 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
         if (origin.endsWith("/")) {
           origin = origin.substring(0, origin.length - 1);
         }
-        if (path33 && !path33.startsWith("/")) {
-          path33 = `/${path33}`;
+        if (path29 && !path29.startsWith("/")) {
+          path29 = `/${path29}`;
         }
-        url = new URL(origin + path33);
+        url = new URL(origin + path29);
       }
       return url;
     }
@@ -31029,20 +31256,20 @@ var require_parseParams = __commonJS({
 var require_basename = __commonJS({
   "node_modules/@fastify/busboy/lib/utils/basename.js"(exports2, module2) {
     "use strict";
-    module2.exports = function basename4(path33) {
-      if (typeof path33 !== "string") {
+    module2.exports = function basename4(path29) {
+      if (typeof path29 !== "string") {
         return "";
       }
-      for (var i = path33.length - 1; i >= 0; --i) {
-        switch (path33.charCodeAt(i)) {
+      for (var i = path29.length - 1; i >= 0; --i) {
+        switch (path29.charCodeAt(i)) {
           case 47:
           // '/'
           case 92:
-            path33 = path33.slice(i + 1);
-            return path33 === ".." || path33 === "." ? "" : path33;
+            path29 = path29.slice(i + 1);
+            return path29 === ".." || path29 === "." ? "" : path29;
         }
       }
-      return path33 === ".." || path33 === "." ? "" : path33;
+      return path29 === ".." || path29 === "." ? "" : path29;
     };
   }
 });
@@ -32046,11 +32273,11 @@ var require_util2 = __commonJS({
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
     var supportedHashes = [];
-    var crypto9;
+    var crypto7;
     try {
-      crypto9 = require("crypto");
+      crypto7 = require("crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto9.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
+      supportedHashes = crypto7.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
     } catch {
     }
     function responseURL(response) {
@@ -32327,7 +32554,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto9 === void 0) {
+      if (crypto7 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -32342,7 +32569,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto9.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto7.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -32435,8 +32662,8 @@ var require_util2 = __commonJS({
     function createDeferredPromise() {
       let res;
       let rej;
-      const promise = new Promise((resolve19, reject) => {
-        res = resolve19;
+      const promise = new Promise((resolve15, reject) => {
+        res = resolve15;
         rej = reject;
       });
       return { promise, resolve: res, reject: rej };
@@ -33689,8 +33916,8 @@ var require_body = __commonJS({
     var { parseMIMEType, serializeAMimeType } = require_dataURL();
     var random;
     try {
-      const crypto9 = require("crypto");
-      random = (max) => crypto9.randomInt(0, max);
+      const crypto7 = require("crypto");
+      random = (max) => crypto7.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -33941,8 +34168,8 @@ Content-Type: ${value.type || "application/octet-stream"}\r
                 });
               }
             });
-            const busboyResolve = new Promise((resolve19, reject) => {
-              busboy.on("finish", resolve19);
+            const busboyResolve = new Promise((resolve15, reject) => {
+              busboy.on("finish", resolve15);
               busboy.on("error", (err) => reject(new TypeError(err)));
             });
             if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk);
@@ -34073,7 +34300,7 @@ var require_request = __commonJS({
     }
     var Request2 = class _Request {
       constructor(origin, {
-        path: path33,
+        path: path29,
         method,
         body,
         headers,
@@ -34087,11 +34314,11 @@ var require_request = __commonJS({
         throwOnError,
         expectContinue
       }, handler) {
-        if (typeof path33 !== "string") {
+        if (typeof path29 !== "string") {
           throw new InvalidArgumentError("path must be a string");
-        } else if (path33[0] !== "/" && !(path33.startsWith("http://") || path33.startsWith("https://")) && method !== "CONNECT") {
+        } else if (path29[0] !== "/" && !(path29.startsWith("http://") || path29.startsWith("https://")) && method !== "CONNECT") {
           throw new InvalidArgumentError("path must be an absolute URL or start with a slash");
-        } else if (invalidPathRegex.exec(path33) !== null) {
+        } else if (invalidPathRegex.exec(path29) !== null) {
           throw new InvalidArgumentError("invalid request path");
         }
         if (typeof method !== "string") {
@@ -34154,7 +34381,7 @@ var require_request = __commonJS({
         this.completed = false;
         this.aborted = false;
         this.upgrade = upgrade || null;
-        this.path = query ? util.buildURL(path33, query) : path33;
+        this.path = query ? util.buildURL(path29, query) : path29;
         this.origin = origin;
         this.idempotent = idempotent == null ? method === "HEAD" || method === "GET" : idempotent;
         this.blocking = blocking == null ? false : blocking;
@@ -34476,9 +34703,9 @@ var require_dispatcher_base = __commonJS({
       }
       close(callback) {
         if (callback === void 0) {
-          return new Promise((resolve19, reject) => {
+          return new Promise((resolve15, reject) => {
             this.close((err, data) => {
-              return err ? reject(err) : resolve19(data);
+              return err ? reject(err) : resolve15(data);
             });
           });
         }
@@ -34516,12 +34743,12 @@ var require_dispatcher_base = __commonJS({
           err = null;
         }
         if (callback === void 0) {
-          return new Promise((resolve19, reject) => {
+          return new Promise((resolve15, reject) => {
             this.destroy(err, (err2, data) => {
               return err2 ? (
                 /* istanbul ignore next: should never error */
                 reject(err2)
-              ) : resolve19(data);
+              ) : resolve15(data);
             });
           });
         }
@@ -35162,9 +35389,9 @@ var require_RedirectHandler = __commonJS({
           return this.handler.onHeaders(statusCode, headers, resume, statusText);
         }
         const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)));
-        const path33 = search ? `${pathname}${search}` : pathname;
+        const path29 = search ? `${pathname}${search}` : pathname;
         this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin);
-        this.opts.path = path33;
+        this.opts.path = path29;
         this.opts.origin = origin;
         this.opts.maxRedirections = 0;
         this.opts.query = null;
@@ -35583,16 +35810,16 @@ var require_client = __commonJS({
         return this[kNeedDrain] < 2;
       }
       async [kClose]() {
-        return new Promise((resolve19) => {
+        return new Promise((resolve15) => {
           if (!this[kSize]) {
-            resolve19(null);
+            resolve15(null);
           } else {
-            this[kClosedResolve] = resolve19;
+            this[kClosedResolve] = resolve15;
           }
         });
       }
       async [kDestroy](err) {
-        return new Promise((resolve19) => {
+        return new Promise((resolve15) => {
           const requests = this[kQueue].splice(this[kPendingIdx]);
           for (let i = 0; i < requests.length; i++) {
             const request = requests[i];
@@ -35603,7 +35830,7 @@ var require_client = __commonJS({
               this[kClosedResolve]();
               this[kClosedResolve] = null;
             }
-            resolve19();
+            resolve15();
           };
           if (this[kHTTP2Session] != null) {
             util.destroy(this[kHTTP2Session], err);
@@ -36183,7 +36410,7 @@ var require_client = __commonJS({
         });
       }
       try {
-        const socket = await new Promise((resolve19, reject) => {
+        const socket = await new Promise((resolve15, reject) => {
           client[kConnector]({
             host,
             hostname,
@@ -36195,7 +36422,7 @@ var require_client = __commonJS({
             if (err) {
               reject(err);
             } else {
-              resolve19(socket2);
+              resolve15(socket2);
             }
           });
         });
@@ -36406,7 +36633,7 @@ var require_client = __commonJS({
         writeH2(client, client[kHTTP2Session], request);
         return;
       }
-      const { body, method, path: path33, host, upgrade, headers, blocking, reset } = request;
+      const { body, method, path: path29, host, upgrade, headers, blocking, reset } = request;
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
         body.read(0);
@@ -36456,7 +36683,7 @@ var require_client = __commonJS({
       if (blocking) {
         socket[kBlocking] = true;
       }
-      let header = `${method} ${path33} HTTP/1.1\r
+      let header = `${method} ${path29} HTTP/1.1\r
 `;
       if (typeof host === "string") {
         header += `host: ${host}\r
@@ -36519,7 +36746,7 @@ upgrade: ${upgrade}\r
       return true;
     }
     function writeH2(client, session, request) {
-      const { body, method, path: path33, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
+      const { body, method, path: path29, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
       let headers;
       if (typeof reqHeaders === "string") headers = Request2[kHTTP2CopyHeaders](reqHeaders.trim());
       else headers = reqHeaders;
@@ -36562,7 +36789,7 @@ upgrade: ${upgrade}\r
         });
         return true;
       }
-      headers[HTTP2_HEADER_PATH] = path33;
+      headers[HTTP2_HEADER_PATH] = path29;
       headers[HTTP2_HEADER_SCHEME] = "https";
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
@@ -36819,12 +37046,12 @@ upgrade: ${upgrade}\r
           cb();
         }
       }
-      const waitForDrain = () => new Promise((resolve19, reject) => {
+      const waitForDrain = () => new Promise((resolve15, reject) => {
         assert(callback === null);
         if (socket[kError]) {
           reject(socket[kError]);
         } else {
-          callback = resolve19;
+          callback = resolve15;
         }
       });
       if (client[kHTTPConnVersion] === "h2") {
@@ -37170,8 +37397,8 @@ var require_pool_base = __commonJS({
         if (this[kQueue].isEmpty()) {
           return Promise.all(this[kClients].map((c) => c.close()));
         } else {
-          return new Promise((resolve19) => {
-            this[kClosedResolve] = resolve19;
+          return new Promise((resolve15) => {
+            this[kClosedResolve] = resolve15;
           });
         }
       }
@@ -37749,7 +37976,7 @@ var require_readable = __commonJS({
         if (this.closed) {
           return Promise.resolve(null);
         }
-        return new Promise((resolve19, reject) => {
+        return new Promise((resolve15, reject) => {
           const signalListenerCleanup = signal ? util.addAbortListener(signal, () => {
             this.destroy();
           }) : noop;
@@ -37758,7 +37985,7 @@ var require_readable = __commonJS({
             if (signal && signal.aborted) {
               reject(signal.reason || Object.assign(new Error("The operation was aborted"), { name: "AbortError" }));
             } else {
-              resolve19(null);
+              resolve15(null);
             }
           }).on("error", noop).on("data", function(chunk) {
             limit -= chunk.length;
@@ -37780,11 +38007,11 @@ var require_readable = __commonJS({
         throw new TypeError("unusable");
       }
       assert(!stream[kConsume]);
-      return new Promise((resolve19, reject) => {
+      return new Promise((resolve15, reject) => {
         stream[kConsume] = {
           type,
           stream,
-          resolve: resolve19,
+          resolve: resolve15,
           reject,
           length: 0,
           body: []
@@ -37819,12 +38046,12 @@ var require_readable = __commonJS({
       }
     }
     function consumeEnd(consume2) {
-      const { type, body, resolve: resolve19, stream, length } = consume2;
+      const { type, body, resolve: resolve15, stream, length } = consume2;
       try {
         if (type === "text") {
-          resolve19(toUSVString(Buffer.concat(body)));
+          resolve15(toUSVString(Buffer.concat(body)));
         } else if (type === "json") {
-          resolve19(JSON.parse(Buffer.concat(body)));
+          resolve15(JSON.parse(Buffer.concat(body)));
         } else if (type === "arrayBuffer") {
           const dst = new Uint8Array(length);
           let pos = 0;
@@ -37832,12 +38059,12 @@ var require_readable = __commonJS({
             dst.set(buf, pos);
             pos += buf.byteLength;
           }
-          resolve19(dst.buffer);
+          resolve15(dst.buffer);
         } else if (type === "blob") {
           if (!Blob2) {
             Blob2 = require("buffer").Blob;
           }
-          resolve19(new Blob2(body, { type: stream[kContentType] }));
+          resolve15(new Blob2(body, { type: stream[kContentType] }));
         }
         consumeFinish(consume2);
       } catch (err) {
@@ -38094,9 +38321,9 @@ var require_api_request = __commonJS({
     };
     function request(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve19, reject) => {
+        return new Promise((resolve15, reject) => {
           request.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve19(data);
+            return err ? reject(err) : resolve15(data);
           });
         });
       }
@@ -38269,9 +38496,9 @@ var require_api_stream = __commonJS({
     };
     function stream(opts, factory, callback) {
       if (callback === void 0) {
-        return new Promise((resolve19, reject) => {
+        return new Promise((resolve15, reject) => {
           stream.call(this, opts, factory, (err, data) => {
-            return err ? reject(err) : resolve19(data);
+            return err ? reject(err) : resolve15(data);
           });
         });
       }
@@ -38552,9 +38779,9 @@ var require_api_upgrade = __commonJS({
     };
     function upgrade(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve19, reject) => {
+        return new Promise((resolve15, reject) => {
           upgrade.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve19(data);
+            return err ? reject(err) : resolve15(data);
           });
         });
       }
@@ -38643,9 +38870,9 @@ var require_api_connect = __commonJS({
     };
     function connect(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve19, reject) => {
+        return new Promise((resolve15, reject) => {
           connect.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve19(data);
+            return err ? reject(err) : resolve15(data);
           });
         });
       }
@@ -38805,20 +39032,20 @@ var require_mock_utils = __commonJS({
       }
       return true;
     }
-    function safeUrl(path33) {
-      if (typeof path33 !== "string") {
-        return path33;
+    function safeUrl(path29) {
+      if (typeof path29 !== "string") {
+        return path29;
       }
-      const pathSegments = path33.split("?");
+      const pathSegments = path29.split("?");
       if (pathSegments.length !== 2) {
-        return path33;
+        return path29;
       }
       const qp = new URLSearchParams(pathSegments.pop());
       qp.sort();
       return [...pathSegments, qp.toString()].join("?");
     }
-    function matchKey(mockDispatch2, { path: path33, method, body, headers }) {
-      const pathMatch = matchValue(mockDispatch2.path, path33);
+    function matchKey(mockDispatch2, { path: path29, method, body, headers }) {
+      const pathMatch = matchValue(mockDispatch2.path, path29);
       const methodMatch = matchValue(mockDispatch2.method, method);
       const bodyMatch = typeof mockDispatch2.body !== "undefined" ? matchValue(mockDispatch2.body, body) : true;
       const headersMatch = matchHeaders(mockDispatch2, headers);
@@ -38836,7 +39063,7 @@ var require_mock_utils = __commonJS({
     function getMockDispatch(mockDispatches, key) {
       const basePath = key.query ? buildURL(key.path, key.query) : key.path;
       const resolvedPath = typeof basePath === "string" ? safeUrl(basePath) : basePath;
-      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path33 }) => matchValue(safeUrl(path33), resolvedPath));
+      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path29 }) => matchValue(safeUrl(path29), resolvedPath));
       if (matchedMockDispatches.length === 0) {
         throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`);
       }
@@ -38873,9 +39100,9 @@ var require_mock_utils = __commonJS({
       }
     }
     function buildKey(opts) {
-      const { path: path33, method, body, headers, query } = opts;
+      const { path: path29, method, body, headers, query } = opts;
       return {
-        path: path33,
+        path: path29,
         method,
         body,
         headers,
@@ -39324,10 +39551,10 @@ var require_pending_interceptors_formatter = __commonJS({
       }
       format(pendingInterceptors) {
         const withPrettyHeaders = pendingInterceptors.map(
-          ({ method, path: path33, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
+          ({ method, path: path29, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
             Method: method,
             Origin: origin,
-            Path: path33,
+            Path: path29,
             "Status code": statusCode,
             Persistent: persist ? "\u2705" : "\u274C",
             Invocations: timesInvoked,
@@ -42268,7 +42495,7 @@ var require_fetch = __commonJS({
       async function dispatch({ body }) {
         const url = requestCurrentURL(request);
         const agent = fetchParams.controller.dispatcher;
-        return new Promise((resolve19, reject) => agent.dispatch(
+        return new Promise((resolve15, reject) => agent.dispatch(
           {
             path: url.pathname + url.search,
             origin: url.origin,
@@ -42344,7 +42571,7 @@ var require_fetch = __commonJS({
                   }
                 }
               }
-              resolve19({
+              resolve15({
                 status,
                 statusText,
                 headersList: headers[kHeadersList],
@@ -42387,7 +42614,7 @@ var require_fetch = __commonJS({
                 const val = headersList[n + 1].toString("latin1");
                 headers[kHeadersList].append(key, val);
               }
-              resolve19({
+              resolve15({
                 status,
                 statusText: STATUS_CODES[status],
                 headersList: headers[kHeadersList],
@@ -43948,8 +44175,8 @@ var require_util6 = __commonJS({
         }
       }
     }
-    function validateCookiePath(path33) {
-      for (const char of path33) {
+    function validateCookiePath(path29) {
+      for (const char of path29) {
         const code = char.charCodeAt(0);
         if (code < 33 || char === ";") {
           throw new Error("Invalid cookie path");
@@ -44746,9 +44973,9 @@ var require_connection = __commonJS({
     channels.open = diagnosticsChannel.channel("undici:websocket:open");
     channels.close = diagnosticsChannel.channel("undici:websocket:close");
     channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error");
-    var crypto9;
+    var crypto7;
     try {
-      crypto9 = require("crypto");
+      crypto7 = require("crypto");
     } catch {
     }
     function establishWebSocketConnection(url, protocols, ws, onEstablish, options) {
@@ -44767,7 +44994,7 @@ var require_connection = __commonJS({
         const headersList = new Headers(options.headers)[kHeadersList];
         request.headersList = headersList;
       }
-      const keyValue = crypto9.randomBytes(16).toString("base64");
+      const keyValue = crypto7.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue);
       request.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -44796,7 +45023,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto9.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto7.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -44876,9 +45103,9 @@ var require_frame = __commonJS({
   "node_modules/undici/lib/websocket/frame.js"(exports2, module2) {
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
-    var crypto9;
+    var crypto7;
     try {
-      crypto9 = require("crypto");
+      crypto7 = require("crypto");
     } catch {
     }
     var WebsocketFrameSend = class {
@@ -44887,7 +45114,7 @@ var require_frame = __commonJS({
        */
       constructor(data) {
         this.frameData = data;
-        this.maskKey = crypto9.randomBytes(4);
+        this.maskKey = crypto7.randomBytes(4);
       }
       createFrame(opcode) {
         const bodyLength = this.frameData?.byteLength ?? 0;
@@ -45629,11 +45856,11 @@ var require_undici = __commonJS({
           if (typeof opts.path !== "string") {
             throw new InvalidArgumentError("invalid opts.path");
           }
-          let path33 = opts.path;
+          let path29 = opts.path;
           if (!opts.path.startsWith("/")) {
-            path33 = `/${path33}`;
+            path29 = `/${path29}`;
           }
-          url = new URL(util.parseOrigin(url).origin + path33);
+          url = new URL(util.parseOrigin(url).origin + path29);
         } else {
           if (!opts) {
             opts = typeof url === "object" ? url : {};
@@ -46202,7 +46429,7 @@ var init_mcp_check_provider = __esm({
             logger.warn(
               `MCP ${transportName} failed (attempt ${attempt + 1}/${maxRetries + 1}), retrying in ${delay}ms: ${error instanceof Error ? error.message : String(error)}`
             );
-            await new Promise((resolve19) => setTimeout(resolve19, delay));
+            await new Promise((resolve15) => setTimeout(resolve15, delay));
             attempt += 1;
           } finally {
             try {
@@ -46495,7 +46722,7 @@ async function acquirePromptLock() {
     );
   }, 1e4);
   try {
-    await new Promise((resolve19) => waiters.push(resolve19));
+    await new Promise((resolve15) => waiters.push(resolve15));
   } finally {
     clearInterval(reminder);
     const waitedMs = Date.now() - queuedAt;
@@ -46514,7 +46741,7 @@ function releasePromptLock() {
 }
 async function interactivePrompt(options) {
   await acquirePromptLock();
-  return new Promise((resolve19, reject) => {
+  return new Promise((resolve15, reject) => {
     const dbg = process.env.VISOR_DEBUG === "true";
     try {
       if (dbg) {
@@ -46601,12 +46828,12 @@ async function interactivePrompt(options) {
     };
     const finish = (value) => {
       cleanup();
-      resolve19(value);
+      resolve15(value);
     };
     if (options.timeout && options.timeout > 0) {
       timeoutId = setTimeout(() => {
         cleanup();
-        if (defaultValue !== void 0) return resolve19(defaultValue);
+        if (defaultValue !== void 0) return resolve15(defaultValue);
         return reject(new Error("Input timeout"));
       }, options.timeout);
     }
@@ -46738,7 +46965,7 @@ async function interactivePrompt(options) {
   });
 }
 async function simplePrompt(prompt) {
-  return new Promise((resolve19) => {
+  return new Promise((resolve15) => {
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
@@ -46754,7 +46981,7 @@ async function simplePrompt(prompt) {
     rl.question(`${prompt}
 > `, (answer) => {
       rl.close();
-      resolve19(answer.trim());
+      resolve15(answer.trim());
     });
   });
 }
@@ -46922,7 +47149,7 @@ function isStdinAvailable() {
   return !process.stdin.isTTY;
 }
 async function readStdin(timeout, maxSize = 1024 * 1024) {
-  return new Promise((resolve19, reject) => {
+  return new Promise((resolve15, reject) => {
     let data = "";
     let timeoutId;
     if (timeout) {
@@ -46949,7 +47176,7 @@ async function readStdin(timeout, maxSize = 1024 * 1024) {
     };
     const onEnd = () => {
       cleanup();
-      resolve19(data.trim());
+      resolve15(data.trim());
     };
     const onError = (err) => {
       cleanup();
@@ -51668,23 +51895,23 @@ __export(renderer_schema_exports, {
 });
 async function loadRendererSchema(name) {
   try {
-    const fs29 = await import("fs/promises");
-    const path33 = await import("path");
+    const fs25 = await import("fs/promises");
+    const path29 = await import("path");
     const sanitized = String(name).replace(/[^a-zA-Z0-9-]/g, "");
     if (!sanitized) return void 0;
     const candidates = [
       // When bundled with ncc, __dirname is dist/ and output/ is at dist/output/
-      path33.join(__dirname, "output", sanitized, "schema.json"),
+      path29.join(__dirname, "output", sanitized, "schema.json"),
       // When running from source, __dirname is src/state-machine/dispatch/ and output/ is at output/
-      path33.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
+      path29.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
       // When running from a checkout with output/ folder copied to CWD
-      path33.join(process.cwd(), "output", sanitized, "schema.json"),
+      path29.join(process.cwd(), "output", sanitized, "schema.json"),
       // Fallback: cwd/dist/output/
-      path33.join(process.cwd(), "dist", "output", sanitized, "schema.json")
+      path29.join(process.cwd(), "dist", "output", sanitized, "schema.json")
     ];
     for (const p of candidates) {
       try {
-        const raw = await fs29.readFile(p, "utf-8");
+        const raw = await fs25.readFile(p, "utf-8");
         return JSON.parse(raw);
       } catch {
       }
@@ -52371,11 +52598,12 @@ async function executeCheckWithForEachItems2(checkId, forEachParent, forEachItem
       };
       {
         const assumeExpr = checkConfig?.assume;
-        if (assumeExpr) {
+        if (assumeExpr !== void 0 && assumeExpr !== null) {
           let ok = true;
           try {
             const evaluator = new FailureConditionEvaluator();
-            const exprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+            const rawExprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+            const exprs = rawExprs.map((e) => typeof e === "string" ? e : String(e));
             const conversation = context2.executionContext?.conversation || providerConfig?.eventContext?.conversation;
             for (const ex of exprs) {
               const res = await evaluator.evaluateIfCondition(checkId, ex, {
@@ -53443,11 +53671,12 @@ async function executeSingleCheck2(checkId, context2, state, emitEvent, transiti
     };
     {
       const assumeExpr = checkConfig2?.assume;
-      if (assumeExpr) {
+      if (assumeExpr !== void 0 && assumeExpr !== null) {
         let ok = true;
         try {
           const evaluator = new FailureConditionEvaluator();
-          const exprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+          const rawExprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+          const exprs = rawExprs.map((e) => typeof e === "string" ? e : String(e));
           const conversation = context2.executionContext?.conversation || providerConfig?.eventContext?.conversation;
           for (const ex of exprs) {
             const res = await evaluator.evaluateIfCondition(checkId, ex, {
@@ -54134,8 +54363,8 @@ function updateStats2(results, state, isForEachIteration = false) {
 async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs29 = await import("fs/promises");
-    const path33 = await import("path");
+    const fs25 = await import("fs/promises");
+    const path29 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" && !schemaRaw.includes("{{") && !schemaRaw.includes("{%") ? schemaRaw : typeof schemaRaw === "object" ? "code-review" : "plain";
     let templateContent;
@@ -54144,27 +54373,27 @@ async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
       logger.debug(`[LevelDispatch] Using inline template for ${checkId}`);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path33.resolve(process.cwd(), file);
-      templateContent = await fs29.readFile(resolved, "utf-8");
+      const resolved = path29.resolve(process.cwd(), file);
+      templateContent = await fs25.readFile(resolved, "utf-8");
       logger.debug(`[LevelDispatch] Using template file for ${checkId}: ${resolved}`);
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path33.join(__dirname, "output", sanitized, "template.liquid"),
+          path29.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path33.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source (from state-machine/states)
-          path33.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
+          path29.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
           // source (alternate)
-          path33.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path33.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs29.readFile(p, "utf-8");
+            templateContent = await fs25.readFile(p, "utf-8");
             if (templateContent) {
               logger.debug(`[LevelDispatch] Using schema template for ${checkId}: ${p}`);
               break;
@@ -56304,8 +56533,8 @@ var init_workspace_manager = __esm({
         );
         if (this.cleanupRequested && this.activeOperations === 0) {
           logger.debug(`[Workspace] All references released, proceeding with deferred cleanup`);
-          for (const resolve19 of this.cleanupResolvers) {
-            resolve19();
+          for (const resolve15 of this.cleanupResolvers) {
+            resolve15();
           }
           this.cleanupResolvers = [];
         }
@@ -56484,19 +56713,19 @@ var init_workspace_manager = __esm({
           );
           this.cleanupRequested = true;
           await Promise.race([
-            new Promise((resolve19) => {
+            new Promise((resolve15) => {
               if (this.activeOperations === 0) {
-                resolve19();
+                resolve15();
               } else {
-                this.cleanupResolvers.push(resolve19);
+                this.cleanupResolvers.push(resolve15);
               }
             }),
-            new Promise((resolve19) => {
+            new Promise((resolve15) => {
               setTimeout(() => {
                 logger.warn(
                   `[Workspace] Cleanup timeout after ${timeout}ms, proceeding anyway (${this.activeOperations} operations still active)`
                 );
-                resolve19();
+                resolve15();
               }, timeout);
             })
           ]);
@@ -56911,8 +57140,8 @@ var init_fair_concurrency_limiter = __esm({
         );
         const queuedAt = Date.now();
         const effectiveTimeout = queueTimeout ?? 12e4;
-        return new Promise((resolve19, reject) => {
-          const entry = { resolve: resolve19, reject, queuedAt };
+        return new Promise((resolve15, reject) => {
+          const entry = { resolve: resolve15, reject, queuedAt };
           entry.reminder = setInterval(() => {
             const waited = Math.round((Date.now() - queuedAt) / 1e3);
             const curQueued = this._totalQueued();
@@ -57126,7 +57355,8 @@ function buildEngineContextForRun(workingDirectory, config, prInfo, debug, maxPa
     sharedConcurrencyLimiter = {
       async acquire(parentSessionId, _dbg, queueTimeout) {
         const sid = parentSessionId || sessionId;
-        return fairLimiter.acquire(sid, _dbg, queueTimeout);
+        const effectiveQueueTimeout = queueTimeout ?? 0;
+        return fairLimiter.acquire(sid, _dbg, effectiveQueueTimeout);
       },
       release(parentSessionId, _dbg) {
         const sid = parentSessionId || sessionId;
@@ -57219,1380 +57449,6 @@ var init_build_engine_context = __esm({
   }
 });
 
-// src/policy/default-engine.ts
-var DefaultPolicyEngine;
-var init_default_engine = __esm({
-  "src/policy/default-engine.ts"() {
-    "use strict";
-    DefaultPolicyEngine = class {
-      async initialize(_config) {
-      }
-      async evaluateCheckExecution(_checkId, _checkConfig) {
-        return { allowed: true };
-      }
-      async evaluateToolInvocation(_serverName, _methodName, _transport) {
-        return { allowed: true };
-      }
-      async evaluateCapabilities(_checkId, _capabilities) {
-        return { allowed: true };
-      }
-      async shutdown() {
-      }
-    };
-  }
-});
-
-// src/enterprise/license/validator.ts
-var validator_exports = {};
-__export(validator_exports, {
-  LicenseValidator: () => LicenseValidator
-});
-var crypto3, fs21, path26, LicenseValidator;
-var init_validator = __esm({
-  "src/enterprise/license/validator.ts"() {
-    "use strict";
-    crypto3 = __toESM(require("crypto"));
-    fs21 = __toESM(require("fs"));
-    path26 = __toESM(require("path"));
-    LicenseValidator = class _LicenseValidator {
-      /** Ed25519 public key for license verification (PEM format). */
-      static PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n-----END PUBLIC KEY-----\n";
-      cache = null;
-      static CACHE_TTL = 5 * 60 * 1e3;
-      // 5 minutes
-      static GRACE_PERIOD = 72 * 3600 * 1e3;
-      // 72 hours after expiry
-      /**
-       * Load and validate license from environment or file.
-       *
-       * Resolution order:
-       * 1. VISOR_LICENSE env var (JWT string)
-       * 2. VISOR_LICENSE_FILE env var (path to file)
-       * 3. .visor-license in project root (cwd)
-       * 4. .visor-license in ~/.config/visor/
-       */
-      async loadAndValidate() {
-        if (this.cache && Date.now() - this.cache.validatedAt < _LicenseValidator.CACHE_TTL) {
-          return this.cache.payload;
-        }
-        const token = this.resolveToken();
-        if (!token) return null;
-        const payload = this.verifyAndDecode(token);
-        if (!payload) return null;
-        this.cache = { payload, validatedAt: Date.now() };
-        return payload;
-      }
-      /** Check if a specific feature is licensed */
-      hasFeature(feature) {
-        if (!this.cache) return false;
-        return this.cache.payload.features.includes(feature);
-      }
-      /** Check if license is valid (with grace period) */
-      isValid() {
-        if (!this.cache) return false;
-        const now = Date.now();
-        const expiryMs = this.cache.payload.exp * 1e3;
-        return now < expiryMs + _LicenseValidator.GRACE_PERIOD;
-      }
-      /** Check if the license is within its grace period (expired but still valid) */
-      isInGracePeriod() {
-        if (!this.cache) return false;
-        const now = Date.now();
-        const expiryMs = this.cache.payload.exp * 1e3;
-        return now >= expiryMs && now < expiryMs + _LicenseValidator.GRACE_PERIOD;
-      }
-      resolveToken() {
-        if (process.env.VISOR_LICENSE) {
-          return process.env.VISOR_LICENSE.trim();
-        }
-        if (process.env.VISOR_LICENSE_FILE) {
-          const resolved = path26.resolve(process.env.VISOR_LICENSE_FILE);
-          const home2 = process.env.HOME || process.env.USERPROFILE || "";
-          const allowedPrefixes = [path26.normalize(process.cwd())];
-          if (home2) allowedPrefixes.push(path26.normalize(path26.join(home2, ".config", "visor")));
-          let realPath;
-          try {
-            realPath = fs21.realpathSync(resolved);
-          } catch {
-            return null;
-          }
-          const isSafe = allowedPrefixes.some(
-            (prefix) => realPath === prefix || realPath.startsWith(prefix + path26.sep)
-          );
-          if (!isSafe) return null;
-          return this.readFile(realPath);
-        }
-        const cwdPath = path26.join(process.cwd(), ".visor-license");
-        const cwdToken = this.readFile(cwdPath);
-        if (cwdToken) return cwdToken;
-        const home = process.env.HOME || process.env.USERPROFILE || "";
-        if (home) {
-          const configPath = path26.join(home, ".config", "visor", ".visor-license");
-          const configToken = this.readFile(configPath);
-          if (configToken) return configToken;
-        }
-        return null;
-      }
-      readFile(filePath) {
-        try {
-          return fs21.readFileSync(filePath, "utf-8").trim();
-        } catch {
-          return null;
-        }
-      }
-      verifyAndDecode(token) {
-        try {
-          const parts = token.split(".");
-          if (parts.length !== 3) return null;
-          const [headerB64, payloadB64, signatureB64] = parts;
-          const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
-          if (header.alg !== "EdDSA") return null;
-          const data = `${headerB64}.${payloadB64}`;
-          const signature = Buffer.from(signatureB64, "base64url");
-          const publicKey = crypto3.createPublicKey(_LicenseValidator.PUBLIC_KEY);
-          if (publicKey.asymmetricKeyType !== "ed25519") {
-            return null;
-          }
-          const isValid = crypto3.verify(null, Buffer.from(data), publicKey, signature);
-          if (!isValid) return null;
-          const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
-          if (!payload.org || !Array.isArray(payload.features) || typeof payload.exp !== "number" || typeof payload.iat !== "number" || !payload.sub) {
-            return null;
-          }
-          const now = Date.now();
-          const expiryMs = payload.exp * 1e3;
-          if (now >= expiryMs + _LicenseValidator.GRACE_PERIOD) {
-            return null;
-          }
-          return payload;
-        } catch {
-          return null;
-        }
-      }
-    };
-  }
-});
-
-// src/enterprise/policy/opa-compiler.ts
-var fs22, path27, os2, crypto4, import_child_process8, OpaCompiler;
-var init_opa_compiler = __esm({
-  "src/enterprise/policy/opa-compiler.ts"() {
-    "use strict";
-    fs22 = __toESM(require("fs"));
-    path27 = __toESM(require("path"));
-    os2 = __toESM(require("os"));
-    crypto4 = __toESM(require("crypto"));
-    import_child_process8 = require("child_process");
-    OpaCompiler = class _OpaCompiler {
-      static CACHE_DIR = path27.join(os2.tmpdir(), "visor-opa-cache");
-      /**
-       * Resolve the input paths to WASM bytes.
-       *
-       * Strategy:
-       * 1. If any path is a .wasm file, read it directly
-       * 2. If a directory contains policy.wasm, read it
-       * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
-       */
-      async resolveWasmBytes(paths) {
-        const regoFiles = [];
-        for (const p of paths) {
-          const resolved = path27.resolve(p);
-          if (path27.normalize(resolved).includes("..")) {
-            throw new Error(`Policy path contains traversal sequences: ${p}`);
-          }
-          if (resolved.endsWith(".wasm") && fs22.existsSync(resolved)) {
-            return fs22.readFileSync(resolved);
-          }
-          if (!fs22.existsSync(resolved)) continue;
-          const stat2 = fs22.statSync(resolved);
-          if (stat2.isDirectory()) {
-            const wasmCandidate = path27.join(resolved, "policy.wasm");
-            if (fs22.existsSync(wasmCandidate)) {
-              return fs22.readFileSync(wasmCandidate);
-            }
-            const files = fs22.readdirSync(resolved);
-            for (const f of files) {
-              if (f.endsWith(".rego")) {
-                regoFiles.push(path27.join(resolved, f));
-              }
-            }
-          } else if (resolved.endsWith(".rego")) {
-            regoFiles.push(resolved);
-          }
-        }
-        if (regoFiles.length === 0) {
-          throw new Error(
-            `OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(", ")}`
-          );
-        }
-        return this.compileRego(regoFiles);
-      }
-      /**
-       * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
-       *
-       * Caches the compiled bundle based on a content hash of all input .rego files
-       * so subsequent runs skip compilation if policies haven't changed.
-       */
-      compileRego(regoFiles) {
-        try {
-          (0, import_child_process8.execFileSync)("opa", ["version"], { stdio: "pipe" });
-        } catch {
-          throw new Error(
-            "OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\nOr pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz " + regoFiles.join(" ")
-          );
-        }
-        const hash = crypto4.createHash("sha256");
-        for (const f of regoFiles.sort()) {
-          hash.update(fs22.readFileSync(f));
-          hash.update(f);
-        }
-        const cacheKey = hash.digest("hex").slice(0, 16);
-        const cacheDir = _OpaCompiler.CACHE_DIR;
-        const cachedWasm = path27.join(cacheDir, `${cacheKey}.wasm`);
-        if (fs22.existsSync(cachedWasm)) {
-          return fs22.readFileSync(cachedWasm);
-        }
-        fs22.mkdirSync(cacheDir, { recursive: true });
-        const bundleTar = path27.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
-        try {
-          const args = [
-            "build",
-            "-t",
-            "wasm",
-            "-e",
-            "visor",
-            // entrypoint: the visor package tree
-            "-o",
-            bundleTar,
-            ...regoFiles
-          ];
-          (0, import_child_process8.execFileSync)("opa", args, {
-            stdio: "pipe",
-            timeout: 3e4
-          });
-        } catch (err) {
-          const stderr = err?.stderr?.toString() || "";
-          throw new Error(
-            `Failed to compile .rego files to WASM:
-${stderr}
-Ensure your .rego files are valid and the \`opa\` CLI is installed.`
-          );
-        }
-        try {
-          (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "/policy.wasm"], {
-            stdio: "pipe"
-          });
-          const extractedWasm = path27.join(cacheDir, "policy.wasm");
-          if (fs22.existsSync(extractedWasm)) {
-            fs22.renameSync(extractedWasm, cachedWasm);
-          }
-        } catch {
-          try {
-            (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "policy.wasm"], {
-              stdio: "pipe"
-            });
-            const extractedWasm = path27.join(cacheDir, "policy.wasm");
-            if (fs22.existsSync(extractedWasm)) {
-              fs22.renameSync(extractedWasm, cachedWasm);
-            }
-          } catch (err2) {
-            throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
-          }
-        }
-        try {
-          fs22.unlinkSync(bundleTar);
-        } catch {
-        }
-        if (!fs22.existsSync(cachedWasm)) {
-          throw new Error("OPA build succeeded but policy.wasm was not found in the bundle");
-        }
-        return fs22.readFileSync(cachedWasm);
-      }
-    };
-  }
-});
-
-// src/enterprise/policy/opa-wasm-evaluator.ts
-var fs23, path28, OpaWasmEvaluator;
-var init_opa_wasm_evaluator = __esm({
-  "src/enterprise/policy/opa-wasm-evaluator.ts"() {
-    "use strict";
-    fs23 = __toESM(require("fs"));
-    path28 = __toESM(require("path"));
-    init_opa_compiler();
-    OpaWasmEvaluator = class {
-      policy = null;
-      dataDocument = {};
-      compiler = new OpaCompiler();
-      async initialize(rulesPath) {
-        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
-        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
-        try {
-          const { createRequire } = require("module");
-          const runtimeRequire = createRequire(__filename);
-          const opaWasm = runtimeRequire("@open-policy-agent/opa-wasm");
-          const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
-          if (!loadPolicy) {
-            throw new Error("loadPolicy not found in @open-policy-agent/opa-wasm");
-          }
-          this.policy = await loadPolicy(wasmBytes);
-        } catch (err) {
-          if (err?.code === "MODULE_NOT_FOUND" || err?.code === "ERR_MODULE_NOT_FOUND") {
-            throw new Error(
-              "OPA WASM evaluator requires @open-policy-agent/opa-wasm. Install it with: npm install @open-policy-agent/opa-wasm"
-            );
-          }
-          throw err;
-        }
-      }
-      /**
-       * Load external data from a JSON file to use as the OPA data document.
-       * The loaded data will be passed to `policy.setData()` during evaluation,
-       * making it available in Rego via `data.<key>`.
-       */
-      loadData(dataPath) {
-        const resolved = path28.resolve(dataPath);
-        if (path28.normalize(resolved).includes("..")) {
-          throw new Error(`Data path contains traversal sequences: ${dataPath}`);
-        }
-        if (!fs23.existsSync(resolved)) {
-          throw new Error(`OPA data file not found: ${resolved}`);
-        }
-        const stat2 = fs23.statSync(resolved);
-        if (stat2.size > 10 * 1024 * 1024) {
-          throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat2.size} bytes)`);
-        }
-        const raw = fs23.readFileSync(resolved, "utf-8");
-        try {
-          const parsed = JSON.parse(raw);
-          if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
-            throw new Error("OPA data file must contain a JSON object (not an array or primitive)");
-          }
-          this.dataDocument = parsed;
-        } catch (err) {
-          if (err.message.startsWith("OPA data file must")) {
-            throw err;
-          }
-          throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
-        }
-      }
-      async evaluate(input) {
-        if (!this.policy) {
-          throw new Error("OPA WASM evaluator not initialized");
-        }
-        this.policy.setData(this.dataDocument);
-        const resultSet = this.policy.evaluate(input);
-        if (Array.isArray(resultSet) && resultSet.length > 0) {
-          return resultSet[0].result;
-        }
-        return void 0;
-      }
-      async shutdown() {
-        if (this.policy) {
-          if (typeof this.policy.close === "function") {
-            try {
-              this.policy.close();
-            } catch {
-            }
-          } else if (typeof this.policy.free === "function") {
-            try {
-              this.policy.free();
-            } catch {
-            }
-          }
-        }
-        this.policy = null;
-      }
-    };
-  }
-});
-
-// src/enterprise/policy/opa-http-evaluator.ts
-var OpaHttpEvaluator;
-var init_opa_http_evaluator = __esm({
-  "src/enterprise/policy/opa-http-evaluator.ts"() {
-    "use strict";
-    OpaHttpEvaluator = class {
-      baseUrl;
-      timeout;
-      constructor(baseUrl, timeout = 5e3) {
-        let parsed;
-        try {
-          parsed = new URL(baseUrl);
-        } catch {
-          throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
-        }
-        if (!["http:", "https:"].includes(parsed.protocol)) {
-          throw new Error(
-            `OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`
-          );
-        }
-        const hostname = parsed.hostname;
-        if (this.isBlockedHostname(hostname)) {
-          throw new Error(
-            `OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`
-          );
-        }
-        this.baseUrl = baseUrl.replace(/\/+$/, "");
-        this.timeout = timeout;
-      }
-      /**
-       * Check if a hostname is blocked due to SSRF concerns.
-       *
-       * Blocks:
-       * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
-       * - Link-local addresses (169.254.x.x)
-       * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
-       * - IPv6 unique local addresses (fd00::/8)
-       * - Cloud metadata services (*.internal)
-       */
-      isBlockedHostname(hostname) {
-        if (!hostname) return true;
-        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "");
-        if (normalized === "metadata.google.internal" || normalized.endsWith(".internal")) {
-          return true;
-        }
-        if (normalized === "localhost" || normalized === "localhost.localdomain") {
-          return true;
-        }
-        if (normalized === "::1" || normalized === "0:0:0:0:0:0:0:1") {
-          return true;
-        }
-        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
-        const ipv4Match = normalized.match(ipv4Pattern);
-        if (ipv4Match) {
-          const octets = ipv4Match.slice(1, 5).map(Number);
-          if (octets.some((octet) => octet > 255)) {
-            return false;
-          }
-          const [a, b] = octets;
-          if (a === 127) {
-            return true;
-          }
-          if (a === 0) {
-            return true;
-          }
-          if (a === 169 && b === 254) {
-            return true;
-          }
-          if (a === 10) {
-            return true;
-          }
-          if (a === 172 && b >= 16 && b <= 31) {
-            return true;
-          }
-          if (a === 192 && b === 168) {
-            return true;
-          }
-        }
-        if (normalized.startsWith("fd") || normalized.startsWith("fc")) {
-          return true;
-        }
-        if (normalized.startsWith("fe80:")) {
-          return true;
-        }
-        return false;
-      }
-      /**
-       * Evaluate a policy rule against an input document via OPA REST API.
-       *
-       * @param input - The input document to evaluate
-       * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
-       * @returns The result object from OPA, or undefined on error
-       */
-      async evaluate(input, rulePath) {
-        const encodedPath = rulePath.split("/").map((s) => encodeURIComponent(s)).join("/");
-        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), this.timeout);
-        try {
-          const response = await fetch(url, {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify({ input }),
-            signal: controller.signal
-          });
-          if (!response.ok) {
-            throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
-          }
-          let body;
-          try {
-            body = await response.json();
-          } catch (jsonErr) {
-            throw new Error(
-              `OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`
-            );
-          }
-          return body?.result;
-        } finally {
-          clearTimeout(timer);
-        }
-      }
-      async shutdown() {
-      }
-    };
-  }
-});
-
-// src/enterprise/policy/policy-input-builder.ts
-var PolicyInputBuilder;
-var init_policy_input_builder = __esm({
-  "src/enterprise/policy/policy-input-builder.ts"() {
-    "use strict";
-    PolicyInputBuilder = class {
-      roles;
-      actor;
-      repository;
-      pullRequest;
-      constructor(policyConfig, actor, repository, pullRequest) {
-        this.roles = policyConfig.roles || {};
-        this.actor = actor;
-        this.repository = repository;
-        this.pullRequest = pullRequest;
-      }
-      /** Resolve which roles apply to the current actor. */
-      resolveRoles() {
-        const matched = [];
-        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
-          let identityMatch = false;
-          if (roleConfig.author_association && this.actor.authorAssociation && roleConfig.author_association.includes(this.actor.authorAssociation)) {
-            identityMatch = true;
-          }
-          if (!identityMatch && roleConfig.users && this.actor.login && roleConfig.users.includes(this.actor.login)) {
-            identityMatch = true;
-          }
-          if (!identityMatch && roleConfig.slack_users && this.actor.slack?.userId && roleConfig.slack_users.includes(this.actor.slack.userId)) {
-            identityMatch = true;
-          }
-          if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
-            const actorEmail = this.actor.slack.email.toLowerCase();
-            if (roleConfig.emails.some((e) => e.toLowerCase() === actorEmail)) {
-              identityMatch = true;
-            }
-          }
-          if (!identityMatch) continue;
-          if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
-            if (!this.actor.slack?.channelId || !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
-              continue;
-            }
-          }
-          matched.push(roleName);
-        }
-        return matched;
-      }
-      buildActor() {
-        return {
-          authorAssociation: this.actor.authorAssociation,
-          login: this.actor.login,
-          roles: this.resolveRoles(),
-          isLocalMode: this.actor.isLocalMode,
-          ...this.actor.slack && { slack: this.actor.slack }
-        };
-      }
-      forCheckExecution(check) {
-        return {
-          scope: "check.execute",
-          check: {
-            id: check.id,
-            type: check.type,
-            group: check.group,
-            tags: check.tags,
-            criticality: check.criticality,
-            sandbox: check.sandbox,
-            policy: check.policy
-          },
-          actor: this.buildActor(),
-          repository: this.repository,
-          pullRequest: this.pullRequest
-        };
-      }
-      forToolInvocation(serverName, methodName, transport) {
-        return {
-          scope: "tool.invoke",
-          tool: { serverName, methodName, transport },
-          actor: this.buildActor(),
-          repository: this.repository,
-          pullRequest: this.pullRequest
-        };
-      }
-      forCapabilityResolve(checkId, capabilities) {
-        return {
-          scope: "capability.resolve",
-          check: { id: checkId, type: "ai" },
-          capability: capabilities,
-          actor: this.buildActor(),
-          repository: this.repository,
-          pullRequest: this.pullRequest
-        };
-      }
-    };
-  }
-});
-
-// src/enterprise/policy/opa-policy-engine.ts
-var opa_policy_engine_exports = {};
-__export(opa_policy_engine_exports, {
-  OpaPolicyEngine: () => OpaPolicyEngine
-});
-var OpaPolicyEngine;
-var init_opa_policy_engine = __esm({
-  "src/enterprise/policy/opa-policy-engine.ts"() {
-    "use strict";
-    init_opa_wasm_evaluator();
-    init_opa_http_evaluator();
-    init_policy_input_builder();
-    OpaPolicyEngine = class {
-      evaluator = null;
-      fallback;
-      timeout;
-      config;
-      inputBuilder = null;
-      logger = null;
-      constructor(config) {
-        this.config = config;
-        this.fallback = config.fallback || "deny";
-        this.timeout = config.timeout || 5e3;
-      }
-      async initialize(config) {
-        try {
-          this.logger = (init_logger(), __toCommonJS(logger_exports)).logger;
-        } catch {
-        }
-        const actor = {
-          authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
-          login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
-          isLocalMode: !process.env.GITHUB_ACTIONS
-        };
-        const repo = {
-          owner: process.env.GITHUB_REPOSITORY_OWNER,
-          name: process.env.GITHUB_REPOSITORY?.split("/")[1],
-          branch: process.env.GITHUB_HEAD_REF,
-          baseBranch: process.env.GITHUB_BASE_REF,
-          event: process.env.GITHUB_EVENT_NAME
-        };
-        const prNum = process.env.GITHUB_PR_NUMBER ? parseInt(process.env.GITHUB_PR_NUMBER, 10) : void 0;
-        const pullRequest = {
-          number: prNum !== void 0 && Number.isFinite(prNum) ? prNum : void 0
-        };
-        this.inputBuilder = new PolicyInputBuilder(config, actor, repo, pullRequest);
-        if (config.engine === "local") {
-          if (!config.rules) {
-            throw new Error("OPA local mode requires `policy.rules` path to .wasm or .rego files");
-          }
-          const wasm = new OpaWasmEvaluator();
-          await wasm.initialize(config.rules);
-          if (config.data) {
-            wasm.loadData(config.data);
-          }
-          this.evaluator = wasm;
-        } else if (config.engine === "remote") {
-          if (!config.url) {
-            throw new Error("OPA remote mode requires `policy.url` pointing to OPA server");
-          }
-          this.evaluator = new OpaHttpEvaluator(config.url, this.timeout);
-        } else {
-          this.evaluator = null;
-        }
-      }
-      /**
-       * Update actor/repo/PR context (e.g., after PR info becomes available).
-       * Called by the enterprise loader when engine context is enriched.
-       */
-      setActorContext(actor, repo, pullRequest) {
-        this.inputBuilder = new PolicyInputBuilder(this.config, actor, repo, pullRequest);
-      }
-      async evaluateCheckExecution(checkId, checkConfig) {
-        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
-        const cfg = checkConfig && typeof checkConfig === "object" ? checkConfig : {};
-        const policyOverride = cfg.policy;
-        const input = this.inputBuilder.forCheckExecution({
-          id: checkId,
-          type: cfg.type || "ai",
-          group: cfg.group,
-          tags: cfg.tags,
-          criticality: cfg.criticality,
-          sandbox: cfg.sandbox,
-          policy: policyOverride
-        });
-        return this.doEvaluate(input, this.resolveRulePath("check.execute", policyOverride?.rule));
-      }
-      async evaluateToolInvocation(serverName, methodName, transport) {
-        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
-        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
-        return this.doEvaluate(input, "visor/tool/invoke");
-      }
-      async evaluateCapabilities(checkId, capabilities) {
-        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
-        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
-        return this.doEvaluate(input, "visor/capability/resolve");
-      }
-      async shutdown() {
-        if (this.evaluator && "shutdown" in this.evaluator) {
-          await this.evaluator.shutdown();
-        }
-        this.evaluator = null;
-        this.inputBuilder = null;
-      }
-      resolveRulePath(defaultScope, override) {
-        if (override) {
-          return override.startsWith("visor/") ? override : `visor/${override}`;
-        }
-        return `visor/${defaultScope.replace(/\./g, "/")}`;
-      }
-      async doEvaluate(input, rulePath) {
-        try {
-          this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
-          let timer;
-          const timeoutPromise = new Promise((_resolve, reject) => {
-            timer = setTimeout(() => reject(new Error("policy evaluation timeout")), this.timeout);
-          });
-          try {
-            const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
-            const decision = this.parseDecision(result);
-            if (!decision.allowed && this.fallback === "warn") {
-              decision.allowed = true;
-              decision.warn = true;
-              decision.reason = `audit: ${decision.reason || "policy denied"}`;
-            }
-            this.logger?.debug(
-              `[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || "none"}`
-            );
-            return decision;
-          } finally {
-            if (timer) clearTimeout(timer);
-          }
-        } catch (err) {
-          const msg = err instanceof Error ? err.message : String(err);
-          this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
-          return {
-            allowed: this.fallback === "allow" || this.fallback === "warn",
-            warn: this.fallback === "warn" ? true : void 0,
-            reason: `policy evaluation failed, fallback=${this.fallback}`
-          };
-        }
-      }
-      async rawEvaluate(input, rulePath) {
-        if (this.evaluator instanceof OpaWasmEvaluator) {
-          const result = await this.evaluator.evaluate(input);
-          return this.navigateWasmResult(result, rulePath);
-        }
-        return this.evaluator.evaluate(input, rulePath);
-      }
-      /**
-       * Navigate nested OPA WASM result tree to reach the specific rule's output.
-       * The WASM entrypoint `-e visor` means the result root IS the visor package,
-       * so we strip the `visor/` prefix and walk the remaining segments.
-       */
-      navigateWasmResult(result, rulePath) {
-        if (!result || typeof result !== "object") return result;
-        const segments = rulePath.replace(/^visor\//, "").split("/");
-        let current = result;
-        for (const seg of segments) {
-          if (current && typeof current === "object" && seg in current) {
-            current = current[seg];
-          } else {
-            return void 0;
-          }
-        }
-        return current;
-      }
-      parseDecision(result) {
-        if (result === void 0 || result === null) {
-          return {
-            allowed: this.fallback === "allow" || this.fallback === "warn",
-            warn: this.fallback === "warn" ? true : void 0,
-            reason: this.fallback === "warn" ? "audit: no policy result" : "no policy result"
-          };
-        }
-        const allowed = result.allowed !== false;
-        const decision = {
-          allowed,
-          reason: result.reason
-        };
-        if (result.capabilities) {
-          decision.capabilities = result.capabilities;
-        }
-        return decision;
-      }
-    };
-  }
-});
-
-// src/enterprise/scheduler/knex-store.ts
-var knex_store_exports = {};
-__export(knex_store_exports, {
-  KnexStoreBackend: () => KnexStoreBackend
-});
-function toNum(val) {
-  if (val === null || val === void 0) return void 0;
-  return typeof val === "string" ? parseInt(val, 10) : val;
-}
-function safeJsonParse2(value) {
-  if (!value) return void 0;
-  try {
-    return JSON.parse(value);
-  } catch {
-    return void 0;
-  }
-}
-function fromTriggerRow2(row) {
-  return {
-    id: row.id,
-    creatorId: row.creator_id,
-    creatorContext: row.creator_context ?? void 0,
-    creatorName: row.creator_name ?? void 0,
-    description: row.description ?? void 0,
-    channels: safeJsonParse2(row.channels),
-    fromUsers: safeJsonParse2(row.from_users),
-    fromBots: row.from_bots === true || row.from_bots === 1,
-    contains: safeJsonParse2(row.contains),
-    matchPattern: row.match_pattern ?? void 0,
-    threads: row.threads,
-    workflow: row.workflow,
-    inputs: safeJsonParse2(row.inputs),
-    outputContext: safeJsonParse2(row.output_context),
-    status: row.status,
-    enabled: row.enabled === true || row.enabled === 1,
-    createdAt: toNum(row.created_at)
-  };
-}
-function toTriggerInsertRow(trigger) {
-  return {
-    id: trigger.id,
-    creator_id: trigger.creatorId,
-    creator_context: trigger.creatorContext ?? null,
-    creator_name: trigger.creatorName ?? null,
-    description: trigger.description ?? null,
-    channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
-    from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
-    from_bots: trigger.fromBots,
-    contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
-    match_pattern: trigger.matchPattern ?? null,
-    threads: trigger.threads,
-    workflow: trigger.workflow,
-    inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
-    output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
-    status: trigger.status,
-    enabled: trigger.enabled,
-    created_at: trigger.createdAt
-  };
-}
-function fromDbRow2(row) {
-  return {
-    id: row.id,
-    creatorId: row.creator_id,
-    creatorContext: row.creator_context ?? void 0,
-    creatorName: row.creator_name ?? void 0,
-    timezone: row.timezone,
-    schedule: row.schedule_expr,
-    runAt: toNum(row.run_at),
-    isRecurring: row.is_recurring === true || row.is_recurring === 1,
-    originalExpression: row.original_expression,
-    workflow: row.workflow ?? void 0,
-    workflowInputs: safeJsonParse2(row.workflow_inputs),
-    outputContext: safeJsonParse2(row.output_context),
-    status: row.status,
-    createdAt: toNum(row.created_at),
-    lastRunAt: toNum(row.last_run_at),
-    nextRunAt: toNum(row.next_run_at),
-    runCount: row.run_count,
-    failureCount: row.failure_count,
-    lastError: row.last_error ?? void 0,
-    previousResponse: row.previous_response ?? void 0
-  };
-}
-function toInsertRow(schedule) {
-  return {
-    id: schedule.id,
-    creator_id: schedule.creatorId,
-    creator_context: schedule.creatorContext ?? null,
-    creator_name: schedule.creatorName ?? null,
-    timezone: schedule.timezone,
-    schedule_expr: schedule.schedule,
-    run_at: schedule.runAt ?? null,
-    is_recurring: schedule.isRecurring,
-    original_expression: schedule.originalExpression,
-    workflow: schedule.workflow ?? null,
-    workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
-    output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
-    status: schedule.status,
-    created_at: schedule.createdAt,
-    last_run_at: schedule.lastRunAt ?? null,
-    next_run_at: schedule.nextRunAt ?? null,
-    run_count: schedule.runCount,
-    failure_count: schedule.failureCount,
-    last_error: schedule.lastError ?? null,
-    previous_response: schedule.previousResponse ?? null
-  };
-}
-var fs24, path29, import_uuid2, KnexStoreBackend;
-var init_knex_store = __esm({
-  "src/enterprise/scheduler/knex-store.ts"() {
-    "use strict";
-    fs24 = __toESM(require("fs"));
-    path29 = __toESM(require("path"));
-    import_uuid2 = require("uuid");
-    init_logger();
-    KnexStoreBackend = class {
-      knex = null;
-      driver;
-      connection;
-      constructor(driver, storageConfig, _haConfig) {
-        this.driver = driver;
-        this.connection = storageConfig.connection || {};
-      }
-      async initialize() {
-        const { createRequire } = require("module");
-        const runtimeRequire = createRequire(__filename);
-        let knexFactory;
-        try {
-          knexFactory = runtimeRequire("knex");
-        } catch (err) {
-          const code = err?.code;
-          if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
-            throw new Error(
-              "knex is required for PostgreSQL/MySQL/MSSQL schedule storage. Install it with: npm install knex"
-            );
-          }
-          throw err;
-        }
-        const clientMap = {
-          postgresql: "pg",
-          mysql: "mysql2",
-          mssql: "tedious"
-        };
-        const client = clientMap[this.driver];
-        let connection;
-        if (this.connection.connection_string) {
-          connection = this.connection.connection_string;
-        } else if (this.driver === "mssql") {
-          connection = this.buildMssqlConnection();
-        } else {
-          connection = this.buildStandardConnection();
-        }
-        this.knex = knexFactory({
-          client,
-          connection,
-          pool: {
-            min: this.connection.pool?.min ?? 0,
-            max: this.connection.pool?.max ?? 10
-          }
-        });
-        await this.migrateSchema();
-        logger.info(`[KnexStore] Initialized (${this.driver})`);
-      }
-      buildStandardConnection() {
-        return {
-          host: this.connection.host || "localhost",
-          port: this.connection.port,
-          database: this.connection.database || "visor",
-          user: this.connection.user,
-          password: this.connection.password,
-          ssl: this.resolveSslConfig()
-        };
-      }
-      buildMssqlConnection() {
-        const ssl = this.connection.ssl;
-        const sslEnabled = ssl === true || typeof ssl === "object" && ssl.enabled !== false;
-        return {
-          server: this.connection.host || "localhost",
-          port: this.connection.port,
-          database: this.connection.database || "visor",
-          user: this.connection.user,
-          password: this.connection.password,
-          options: {
-            encrypt: sslEnabled,
-            trustServerCertificate: typeof ssl === "object" ? ssl.reject_unauthorized === false : !sslEnabled
-          }
-        };
-      }
-      resolveSslConfig() {
-        const ssl = this.connection.ssl;
-        if (ssl === false || ssl === void 0) return false;
-        if (ssl === true) return { rejectUnauthorized: true };
-        if (ssl.enabled === false) return false;
-        const result = {
-          rejectUnauthorized: ssl.reject_unauthorized !== false
-        };
-        if (ssl.ca) {
-          const caPath = this.validateSslPath(ssl.ca, "CA certificate");
-          result.ca = fs24.readFileSync(caPath, "utf8");
-        }
-        if (ssl.cert) {
-          const certPath = this.validateSslPath(ssl.cert, "client certificate");
-          result.cert = fs24.readFileSync(certPath, "utf8");
-        }
-        if (ssl.key) {
-          const keyPath = this.validateSslPath(ssl.key, "client key");
-          result.key = fs24.readFileSync(keyPath, "utf8");
-        }
-        return result;
-      }
-      validateSslPath(filePath, label) {
-        const resolved = path29.resolve(filePath);
-        if (resolved !== path29.normalize(resolved)) {
-          throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
-        }
-        if (!fs24.existsSync(resolved)) {
-          throw new Error(`SSL ${label} not found: ${filePath}`);
-        }
-        return resolved;
-      }
-      async shutdown() {
-        if (this.knex) {
-          await this.knex.destroy();
-          this.knex = null;
-        }
-      }
-      async migrateSchema() {
-        const knex = this.getKnex();
-        const exists = await knex.schema.hasTable("schedules");
-        if (!exists) {
-          await knex.schema.createTable("schedules", (table) => {
-            table.string("id", 36).primary();
-            table.string("creator_id", 255).notNullable().index();
-            table.string("creator_context", 255);
-            table.string("creator_name", 255);
-            table.string("timezone", 64).notNullable().defaultTo("UTC");
-            table.string("schedule_expr", 255);
-            table.bigInteger("run_at");
-            table.boolean("is_recurring").notNullable();
-            table.text("original_expression");
-            table.string("workflow", 255);
-            table.text("workflow_inputs");
-            table.text("output_context");
-            table.string("status", 20).notNullable().index();
-            table.bigInteger("created_at").notNullable();
-            table.bigInteger("last_run_at");
-            table.bigInteger("next_run_at");
-            table.integer("run_count").notNullable().defaultTo(0);
-            table.integer("failure_count").notNullable().defaultTo(0);
-            table.text("last_error");
-            table.text("previous_response");
-            table.index(["status", "next_run_at"]);
-          });
-        }
-        const triggersExist = await knex.schema.hasTable("message_triggers");
-        if (!triggersExist) {
-          await knex.schema.createTable("message_triggers", (table) => {
-            table.string("id", 36).primary();
-            table.string("creator_id", 255).notNullable().index();
-            table.string("creator_context", 255);
-            table.string("creator_name", 255);
-            table.text("description");
-            table.text("channels");
-            table.text("from_users");
-            table.boolean("from_bots").notNullable().defaultTo(false);
-            table.text("contains");
-            table.text("match_pattern");
-            table.string("threads", 20).notNullable().defaultTo("any");
-            table.string("workflow", 255).notNullable();
-            table.text("inputs");
-            table.text("output_context");
-            table.string("status", 20).notNullable().defaultTo("active").index();
-            table.boolean("enabled").notNullable().defaultTo(true);
-            table.bigInteger("created_at").notNullable();
-          });
-        }
-        const locksExist = await knex.schema.hasTable("scheduler_locks");
-        if (!locksExist) {
-          await knex.schema.createTable("scheduler_locks", (table) => {
-            table.string("lock_id", 255).primary();
-            table.string("node_id", 255).notNullable();
-            table.string("lock_token", 36).notNullable();
-            table.bigInteger("acquired_at").notNullable();
-            table.bigInteger("expires_at").notNullable();
-          });
-        }
-      }
-      getKnex() {
-        if (!this.knex) {
-          throw new Error("[KnexStore] Not initialized. Call initialize() first.");
-        }
-        return this.knex;
-      }
-      // --- CRUD ---
-      async create(schedule) {
-        const knex = this.getKnex();
-        const newSchedule = {
-          ...schedule,
-          id: (0, import_uuid2.v4)(),
-          createdAt: Date.now(),
-          runCount: 0,
-          failureCount: 0,
-          status: "active"
-        };
-        await knex("schedules").insert(toInsertRow(newSchedule));
-        logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
-        return newSchedule;
-      }
-      async importSchedule(schedule) {
-        const knex = this.getKnex();
-        const existing = await knex("schedules").where("id", schedule.id).first();
-        if (existing) return;
-        await knex("schedules").insert(toInsertRow(schedule));
-      }
-      async get(id) {
-        const knex = this.getKnex();
-        const row = await knex("schedules").where("id", id).first();
-        return row ? fromDbRow2(row) : void 0;
-      }
-      async update(id, patch) {
-        const knex = this.getKnex();
-        const existing = await knex("schedules").where("id", id).first();
-        if (!existing) return void 0;
-        const current = fromDbRow2(existing);
-        const updated = { ...current, ...patch, id: current.id };
-        const row = toInsertRow(updated);
-        delete row.id;
-        await knex("schedules").where("id", id).update(row);
-        return updated;
-      }
-      async delete(id) {
-        const knex = this.getKnex();
-        const deleted = await knex("schedules").where("id", id).del();
-        if (deleted > 0) {
-          logger.info(`[KnexStore] Deleted schedule ${id}`);
-          return true;
-        }
-        return false;
-      }
-      // --- Queries ---
-      async getByCreator(creatorId) {
-        const knex = this.getKnex();
-        const rows = await knex("schedules").where("creator_id", creatorId);
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getActiveSchedules() {
-        const knex = this.getKnex();
-        const rows = await knex("schedules").where("status", "active");
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getDueSchedules(now) {
-        const ts = now ?? Date.now();
-        const knex = this.getKnex();
-        const bFalse = this.driver === "mssql" ? 0 : false;
-        const bTrue = this.driver === "mssql" ? 1 : true;
-        const rows = await knex("schedules").where("status", "active").andWhere(function() {
-          this.where(function() {
-            this.where("is_recurring", bFalse).whereNotNull("run_at").where("run_at", "<=", ts);
-          }).orWhere(function() {
-            this.where("is_recurring", bTrue).whereNotNull("next_run_at").where("next_run_at", "<=", ts);
-          });
-        });
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async findByWorkflow(creatorId, workflowName) {
-        const knex = this.getKnex();
-        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, "\\$&");
-        const pattern = `%${escaped}%`;
-        const rows = await knex("schedules").where("creator_id", creatorId).where("status", "active").whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getAll() {
-        const knex = this.getKnex();
-        const rows = await knex("schedules");
-        return rows.map((r) => fromDbRow2(r));
-      }
-      async getStats() {
-        const knex = this.getKnex();
-        const boolTrue = this.driver === "mssql" ? "1" : "true";
-        const boolFalse = this.driver === "mssql" ? "0" : "false";
-        const result = await knex("schedules").select(
-          knex.raw("COUNT(*) as total"),
-          knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"),
-          knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"),
-          knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"),
-          knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"),
-          knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`),
-          knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`)
-        ).first();
-        return {
-          total: Number(result.total) || 0,
-          active: Number(result.active) || 0,
-          paused: Number(result.paused) || 0,
-          completed: Number(result.completed) || 0,
-          failed: Number(result.failed) || 0,
-          recurring: Number(result.recurring) || 0,
-          oneTime: Number(result.one_time) || 0
-        };
-      }
-      async validateLimits(creatorId, isRecurring, limits) {
-        const knex = this.getKnex();
-        if (limits.maxGlobal) {
-          const result = await knex("schedules").count("* as cnt").first();
-          if (Number(result?.cnt) >= limits.maxGlobal) {
-            throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
-          }
-        }
-        if (limits.maxPerUser) {
-          const result = await knex("schedules").where("creator_id", creatorId).count("* as cnt").first();
-          if (Number(result?.cnt) >= limits.maxPerUser) {
-            throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
-          }
-        }
-        if (isRecurring && limits.maxRecurringPerUser) {
-          const bTrue = this.driver === "mssql" ? 1 : true;
-          const result = await knex("schedules").where("creator_id", creatorId).where("is_recurring", bTrue).count("* as cnt").first();
-          if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
-            throw new Error(
-              `You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`
-            );
-          }
-        }
-      }
-      // --- HA Distributed Locking (via scheduler_locks table) ---
-      async tryAcquireLock(lockId, nodeId, ttlSeconds) {
-        const knex = this.getKnex();
-        const now = Date.now();
-        const expiresAt = now + ttlSeconds * 1e3;
-        const token = (0, import_uuid2.v4)();
-        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("expires_at", "<", now).update({
-          node_id: nodeId,
-          lock_token: token,
-          acquired_at: now,
-          expires_at: expiresAt
-        });
-        if (updated > 0) return token;
-        try {
-          await knex("scheduler_locks").insert({
-            lock_id: lockId,
-            node_id: nodeId,
-            lock_token: token,
-            acquired_at: now,
-            expires_at: expiresAt
-          });
-          return token;
-        } catch {
-          return null;
-        }
-      }
-      async releaseLock(lockId, lockToken) {
-        const knex = this.getKnex();
-        await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).del();
-      }
-      async renewLock(lockId, lockToken, ttlSeconds) {
-        const knex = this.getKnex();
-        const now = Date.now();
-        const expiresAt = now + ttlSeconds * 1e3;
-        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).update({ acquired_at: now, expires_at: expiresAt });
-        return updated > 0;
-      }
-      async flush() {
-      }
-      // --- Message Trigger CRUD ---
-      async createTrigger(trigger) {
-        const knex = this.getKnex();
-        const newTrigger = {
-          ...trigger,
-          id: (0, import_uuid2.v4)(),
-          createdAt: Date.now()
-        };
-        await knex("message_triggers").insert(toTriggerInsertRow(newTrigger));
-        logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
-        return newTrigger;
-      }
-      async getTrigger(id) {
-        const knex = this.getKnex();
-        const row = await knex("message_triggers").where("id", id).first();
-        return row ? fromTriggerRow2(row) : void 0;
-      }
-      async updateTrigger(id, patch) {
-        const knex = this.getKnex();
-        const existing = await knex("message_triggers").where("id", id).first();
-        if (!existing) return void 0;
-        const current = fromTriggerRow2(existing);
-        const updated = {
-          ...current,
-          ...patch,
-          id: current.id,
-          createdAt: current.createdAt
-        };
-        const row = toTriggerInsertRow(updated);
-        delete row.id;
-        await knex("message_triggers").where("id", id).update(row);
-        return updated;
-      }
-      async deleteTrigger(id) {
-        const knex = this.getKnex();
-        const deleted = await knex("message_triggers").where("id", id).del();
-        if (deleted > 0) {
-          logger.info(`[KnexStore] Deleted trigger ${id}`);
-          return true;
-        }
-        return false;
-      }
-      async getTriggersByCreator(creatorId) {
-        const knex = this.getKnex();
-        const rows = await knex("message_triggers").where("creator_id", creatorId);
-        return rows.map((r) => fromTriggerRow2(r));
-      }
-      async getActiveTriggers() {
-        const knex = this.getKnex();
-        const rows = await knex("message_triggers").where("status", "active").where("enabled", this.driver === "mssql" ? 1 : true);
-        return rows.map((r) => fromTriggerRow2(r));
-      }
-    };
-  }
-});
-
-// src/enterprise/loader.ts
-var loader_exports = {};
-__export(loader_exports, {
-  loadEnterprisePolicyEngine: () => loadEnterprisePolicyEngine,
-  loadEnterpriseStoreBackend: () => loadEnterpriseStoreBackend
-});
-async function loadEnterprisePolicyEngine(config) {
-  try {
-    const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
-    const validator = new LicenseValidator2();
-    const license = await validator.loadAndValidate();
-    if (!license || !validator.hasFeature("policy")) {
-      return new DefaultPolicyEngine();
-    }
-    if (validator.isInGracePeriod()) {
-      console.warn(
-        "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
-      );
-    }
-    const { OpaPolicyEngine: OpaPolicyEngine2 } = await Promise.resolve().then(() => (init_opa_policy_engine(), opa_policy_engine_exports));
-    const engine = new OpaPolicyEngine2(config);
-    await engine.initialize(config);
-    return engine;
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    try {
-      const { logger: logger2 } = (init_logger(), __toCommonJS(logger_exports));
-      logger2.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
-    } catch {
-    }
-    return new DefaultPolicyEngine();
-  }
-}
-async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
-  const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
-  const validator = new LicenseValidator2();
-  const license = await validator.loadAndValidate();
-  if (!license || !validator.hasFeature("scheduler-sql")) {
-    throw new Error(
-      `The ${driver} schedule storage driver requires a Visor Enterprise license with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`
-    );
-  }
-  if (validator.isInGracePeriod()) {
-    console.warn(
-      "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
-    );
-  }
-  const { KnexStoreBackend: KnexStoreBackend2 } = await Promise.resolve().then(() => (init_knex_store(), knex_store_exports));
-  return new KnexStoreBackend2(driver, storageConfig, haConfig);
-}
-var init_loader = __esm({
-  "src/enterprise/loader.ts"() {
-    "use strict";
-    init_default_engine();
-  }
-});
-
 // src/event-bus/event-bus.ts
 var event_bus_exports = {};
 __export(event_bus_exports, {
@@ -59250,6 +58106,9 @@ var init_github_comments = __esm({
     CommentManager = class {
       octokit;
       retryConfig;
+      // Serial write queue: chains all updateOrCreateComment calls so only one
+      // GitHub comment write is in-flight at a time within a job.
+      _writeQueue = Promise.resolve();
       constructor(octokit, retryConfig) {
         this.octokit = octokit;
         this.retryConfig = {
@@ -59292,6 +58151,11 @@ var init_github_comments = __esm({
        * Update existing comment or create new one with collision detection
        */
       async updateOrCreateComment(owner, repo, prNumber, content, options = {}) {
+        return new Promise((resolve15, reject) => {
+          this._writeQueue = this._writeQueue.then(() => this._doUpdateOrCreate(owner, repo, prNumber, content, options)).then(resolve15, reject);
+        });
+      }
+      async _doUpdateOrCreate(owner, repo, prNumber, content, options = {}) {
         const {
           commentId = this.generateCommentId(),
           triggeredBy = "unknown",
@@ -59499,8 +58363,8 @@ ${content}
        * Sleep utility
        */
       sleep(ms) {
-        return new Promise((resolve19) => {
-          const t = setTimeout(resolve19, ms);
+        return new Promise((resolve15) => {
+          const t = setTimeout(resolve15, ms);
           if (typeof t.unref === "function") {
             try {
               t.unref();
@@ -59785,8 +58649,8 @@ ${end}`);
       async updateGroupedComment(ctx, comments, group, changedIds) {
         const existingLock = this.updateLocks.get(group);
         let resolveLock;
-        const ourLock = new Promise((resolve19) => {
-          resolveLock = resolve19;
+        const ourLock = new Promise((resolve15) => {
+          resolveLock = resolve15;
         });
         this.updateLocks.set(group, ourLock);
         try {
@@ -60117,7 +58981,7 @@ ${blocks}
        * Sleep utility for enforcing delays
        */
       sleep(ms) {
-        return new Promise((resolve19) => setTimeout(resolve19, ms));
+        return new Promise((resolve15) => setTimeout(resolve15, ms));
       }
     };
   }
@@ -61979,11 +60843,11 @@ var require_request3 = __commonJS({
     "use strict";
     var __awaiter = exports2 && exports2.__awaiter || function(thisArg, _arguments, P, generator) {
       function adopt(value) {
-        return value instanceof P ? value : new P(function(resolve19) {
-          resolve19(value);
+        return value instanceof P ? value : new P(function(resolve15) {
+          resolve15(value);
         });
       }
-      return new (P || (P = Promise))(function(resolve19, reject) {
+      return new (P || (P = Promise))(function(resolve15, reject) {
         function fulfilled(value) {
           try {
             step(generator.next(value));
@@ -61999,7 +60863,7 @@ var require_request3 = __commonJS({
           }
         }
         function step(result) {
-          result.done ? resolve19(result.value) : adopt(result.value).then(fulfilled, rejected);
+          result.done ? resolve15(result.value) : adopt(result.value).then(fulfilled, rejected);
         }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
       });
@@ -62023,9 +60887,9 @@ var require_request3 = __commonJS({
       HttpMethod2["PATCH"] = "PATCH";
     })(HttpMethod = exports2.HttpMethod || (exports2.HttpMethod = {}));
     var SvixRequest = class {
-      constructor(method, path33) {
+      constructor(method, path29) {
         this.method = method;
-        this.path = path33;
+        this.path = path29;
         this.queryParams = {};
         this.headerParams = {};
       }
@@ -62128,7 +60992,7 @@ var require_request3 = __commonJS({
     }
     function sendWithRetry(url, init, retryScheduleInMs, nextInterval = 50, triesLeft = 2, fetchImpl = fetch, retryCount = 1) {
       return __awaiter(this, void 0, void 0, function* () {
-        const sleep = (interval) => new Promise((resolve19) => setTimeout(resolve19, interval));
+        const sleep = (interval) => new Promise((resolve15) => setTimeout(resolve15, interval));
         try {
           const response = yield fetchImpl(url, init);
           if (triesLeft <= 0 || response.status < 500) {
@@ -71202,7 +70066,7 @@ ${message}`;
 });
 
 // src/agent-protocol/task-store.ts
-function safeJsonParse3(value) {
+function safeJsonParse2(value) {
   if (!value) return void 0;
   try {
     return JSON.parse(value);
@@ -71219,12 +70083,12 @@ function taskRowToAgentTask(row) {
     context_id: row.context_id,
     status: {
       state: row.state,
-      message: safeJsonParse3(row.status_message),
+      message: safeJsonParse2(row.status_message),
       timestamp: row.updated_at
     },
-    artifacts: safeJsonParse3(row.artifacts) ?? [],
-    history: safeJsonParse3(row.history) ?? [],
-    metadata: safeJsonParse3(row.request_metadata),
+    artifacts: safeJsonParse2(row.artifacts) ?? [],
+    history: safeJsonParse2(row.history) ?? [],
+    metadata: safeJsonParse2(row.request_metadata),
     workflow_id: row.workflow_id ?? void 0
   };
 }
@@ -71461,7 +70325,7 @@ var init_task_store = __esm({
         const db = this.getDb();
         const row = db.prepare("SELECT artifacts FROM agent_tasks WHERE id = ?").get(taskId);
         if (!row) throw new TaskNotFoundError(taskId);
-        const artifacts = safeJsonParse3(row.artifacts) ?? [];
+        const artifacts = safeJsonParse2(row.artifacts) ?? [];
         artifacts.push(artifact);
         db.prepare("UPDATE agent_tasks SET artifacts = ?, updated_at = ? WHERE id = ?").run(
           JSON.stringify(artifacts),
@@ -71473,7 +70337,7 @@ var init_task_store = __esm({
         const db = this.getDb();
         const row = db.prepare("SELECT history FROM agent_tasks WHERE id = ?").get(taskId);
         if (!row) throw new TaskNotFoundError(taskId);
-        const history = safeJsonParse3(row.history) ?? [];
+        const history = safeJsonParse2(row.history) ?? [];
         history.push(message);
         db.prepare("UPDATE agent_tasks SET history = ?, updated_at = ? WHERE id = ?").run(
           JSON.stringify(history),
@@ -71985,13 +70849,13 @@ __export(a2a_frontend_exports, {
   resultToArtifacts: () => resultToArtifacts
 });
 function readJsonBody(req) {
-  return new Promise((resolve19, reject) => {
+  return new Promise((resolve15, reject) => {
     const chunks = [];
     req.on("data", (chunk) => chunks.push(chunk));
     req.on("end", () => {
       try {
         const body = Buffer.concat(chunks).toString("utf8");
-        resolve19(body ? JSON.parse(body) : {});
+        resolve15(body ? JSON.parse(body) : {});
       } catch {
         reject(new ParseError("Malformed JSON body"));
       }
@@ -72234,12 +71098,12 @@ var init_a2a_frontend = __esm({
         }
         const port = this.config.port ?? 9e3;
         const host = this.config.host ?? "0.0.0.0";
-        await new Promise((resolve19) => {
+        await new Promise((resolve15) => {
           this.server.listen(port, host, () => {
             const addr = this.server.address();
             this._boundPort = typeof addr === "object" && addr ? addr.port : port;
             logger.info(`A2A server listening on ${host}:${this._boundPort}`);
-            resolve19();
+            resolve15();
           });
         });
         if (this.agentCard) {
@@ -72263,8 +71127,8 @@ var init_a2a_frontend = __esm({
         }
         this.streamManager.shutdown();
         if (this.server) {
-          await new Promise((resolve19, reject) => {
-            this.server.close((err) => err ? reject(err) : resolve19());
+          await new Promise((resolve15, reject) => {
+            this.server.close((err) => err ? reject(err) : resolve15());
           });
           this.server = null;
         }
@@ -72981,15 +71845,15 @@ function serializeRunState(state) {
     ])
   };
 }
-var path32, fs28, StateMachineExecutionEngine;
+var path28, fs24, StateMachineExecutionEngine;
 var init_state_machine_execution_engine = __esm({
   "src/state-machine-execution-engine.ts"() {
     "use strict";
     init_runner();
     init_logger();
     init_sandbox_manager();
-    path32 = __toESM(require("path"));
-    fs28 = __toESM(require("fs"));
+    path28 = __toESM(require("path"));
+    fs24 = __toESM(require("fs"));
     StateMachineExecutionEngine = class _StateMachineExecutionEngine {
       workingDirectory;
       executionContext;
@@ -73221,8 +72085,8 @@ var init_state_machine_execution_engine = __esm({
             logger.debug(
               `[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`
             );
-            const { loadEnterprisePolicyEngine: loadEnterprisePolicyEngine2 } = await Promise.resolve().then(() => (init_loader(), loader_exports));
-            context2.policyEngine = await loadEnterprisePolicyEngine2(configWithTagFilter.policy);
+            const { loadEnterprisePolicyEngine } = await import("./enterprise/loader");
+            context2.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
             logger.debug(
               `[PolicyEngine] Initialized: ${context2.policyEngine?.constructor?.name || "unknown"}`
             );
@@ -73376,9 +72240,9 @@ var init_state_machine_execution_engine = __esm({
                   }
                   const checkId = String(ev?.checkId || "unknown");
                   const threadKey = ev?.threadKey || (channel && threadTs ? `${channel}:${threadTs}` : "session");
-                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path32.resolve(process.cwd(), ".visor", "snapshots");
-                  fs28.mkdirSync(baseDir, { recursive: true });
-                  const filePath = path32.join(baseDir, `${threadKey}-${checkId}.json`);
+                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path28.resolve(process.cwd(), ".visor", "snapshots");
+                  fs24.mkdirSync(baseDir, { recursive: true });
+                  const filePath = path28.join(baseDir, `${threadKey}-${checkId}.json`);
                   await this.saveSnapshotToFile(filePath);
                   logger.info(`[Snapshot] Saved run snapshot: ${filePath}`);
                   try {
@@ -73519,7 +72383,7 @@ var init_state_machine_execution_engine = __esm({
        * Does not include secrets. Intended for debugging and future resume support.
        */
       async saveSnapshotToFile(filePath) {
-        const fs29 = await import("fs/promises");
+        const fs25 = await import("fs/promises");
         const ctx = this._lastContext;
         const runner = this._lastRunner;
         if (!ctx || !runner) {
@@ -73539,14 +72403,14 @@ var init_state_machine_execution_engine = __esm({
           journal: entries,
           requestedChecks: ctx.requestedChecks || []
         };
-        await fs29.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
+        await fs25.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
       }
       /**
        * Load a snapshot JSON from file and return it. Resume support can build on this.
        */
       async loadSnapshotFromFile(filePath) {
-        const fs29 = await import("fs/promises");
-        const raw = await fs29.readFile(filePath, "utf8");
+        const fs25 = await import("fs/promises");
+        const raw = await fs25.readFile(filePath, "utf8");
         return JSON.parse(raw);
       }
       /**