@probelabs/visor 0.1.177 → 0.1.178-ee

package/dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
-process.env.VISOR_VERSION = '0.1.177';
-process.env.PROBE_VERSION = '0.6.0-rc292';
-process.env.VISOR_COMMIT_SHA = '5ceed041c645b4c6f1ed2b2cf327a7f376437656';
-process.env.VISOR_COMMIT_SHORT = '5ceed041';
+process.env.VISOR_VERSION = '0.1.178';
+process.env.PROBE_VERSION = '0.6.0-rc293';
+process.env.VISOR_COMMIT_SHA = '79fcc6344e1ab954501ff6a7f9614a0372019b2b';
+process.env.VISOR_COMMIT_SHORT = '79fcc63';
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
@@ -302997,7 +302997,7 @@ async function handleDumpPolicyInput(checkId, argv) {
     let PolicyInputBuilder;
     try {
         // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(71370)));
+        const mod = await Promise.resolve().then(() => __importStar(__nccwpck_require__(17117)));
         PolicyInputBuilder = mod.PolicyInputBuilder;
     }
     catch {
@@ -303229,7 +303229,7 @@ steps:
         You are a senior software engineer. Use the provided tools to explore
         the codebase. Always verify your assumptions by reading actual code.
         Be concise and cite file paths in your response.
-      max_iterations: 20
+      max_iterations: 50
     ai_custom_tools: [search-code, list-files, read-file]
     enable_bash: true       # also allow direct shell commands
     tags: [agent]
@@ -311069,6 +311069,1810 @@ class EmailPollingRunner {
 exports.EmailPollingRunner = EmailPollingRunner;
 
 
+/***/ }),
+
+/***/ 50069:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.LicenseValidator = void 0;
+const crypto = __importStar(__nccwpck_require__(76982));
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+class LicenseValidator {
+    /** Ed25519 public key for license verification (PEM format). */
+    static PUBLIC_KEY = '-----BEGIN PUBLIC KEY-----\n' +
+        'MCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n' +
+        '-----END PUBLIC KEY-----\n';
+    cache = null;
+    static CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+    static GRACE_PERIOD = 72 * 3600 * 1000; // 72 hours after expiry
+    /**
+     * Load and validate license from environment or file.
+     *
+     * Resolution order:
+     * 1. VISOR_LICENSE env var (JWT string)
+     * 2. VISOR_LICENSE_FILE env var (path to file)
+     * 3. .visor-license in project root (cwd)
+     * 4. .visor-license in ~/.config/visor/
+     */
+    async loadAndValidate() {
+        // Return cached result if still fresh
+        if (this.cache && Date.now() - this.cache.validatedAt < LicenseValidator.CACHE_TTL) {
+            return this.cache.payload;
+        }
+        const token = this.resolveToken();
+        if (!token)
+            return null;
+        const payload = this.verifyAndDecode(token);
+        if (!payload)
+            return null;
+        this.cache = { payload, validatedAt: Date.now() };
+        return payload;
+    }
+    /** Check if a specific feature is licensed */
+    hasFeature(feature) {
+        if (!this.cache)
+            return false;
+        return this.cache.payload.features.includes(feature);
+    }
+    /** Check if license is valid (with grace period) */
+    isValid() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    /** Check if the license is within its grace period (expired but still valid) */
+    isInGracePeriod() {
+        if (!this.cache)
+            return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1000;
+        return now >= expiryMs && now < expiryMs + LicenseValidator.GRACE_PERIOD;
+    }
+    resolveToken() {
+        // 1. Direct env var
+        if (process.env.VISOR_LICENSE) {
+            return process.env.VISOR_LICENSE.trim();
+        }
+        // 2. File path from env (validate against path traversal)
+        if (process.env.VISOR_LICENSE_FILE) {
+            // path.resolve() produces an absolute path with all '..' segments resolved,
+            // so a separate resolved.includes('..') check is unnecessary.
+            const resolved = path.resolve(process.env.VISOR_LICENSE_FILE);
+            const home = process.env.HOME || process.env.USERPROFILE || '';
+            const allowedPrefixes = [path.normalize(process.cwd())];
+            if (home)
+                allowedPrefixes.push(path.normalize(path.join(home, '.config', 'visor')));
+            // Resolve symlinks so an attacker cannot create a symlink inside an
+            // allowed prefix that points to an arbitrary file outside it.
+            let realPath;
+            try {
+                realPath = fs.realpathSync(resolved);
+            }
+            catch {
+                return null; // File doesn't exist or isn't accessible
+            }
+            const isSafe = allowedPrefixes.some(prefix => realPath === prefix || realPath.startsWith(prefix + path.sep));
+            if (!isSafe)
+                return null;
+            return this.readFile(realPath);
+        }
+        // 3. .visor-license in cwd
+        const cwdPath = path.join(process.cwd(), '.visor-license');
+        const cwdToken = this.readFile(cwdPath);
+        if (cwdToken)
+            return cwdToken;
+        // 4. ~/.config/visor/.visor-license
+        const home = process.env.HOME || process.env.USERPROFILE || '';
+        if (home) {
+            const configPath = path.join(home, '.config', 'visor', '.visor-license');
+            const configToken = this.readFile(configPath);
+            if (configToken)
+                return configToken;
+        }
+        return null;
+    }
+    readFile(filePath) {
+        try {
+            return fs.readFileSync(filePath, 'utf-8').trim();
+        }
+        catch {
+            return null;
+        }
+    }
+    verifyAndDecode(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const [headerB64, payloadB64, signatureB64] = parts;
+            // Decode header to verify algorithm
+            const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
+            if (header.alg !== 'EdDSA')
+                return null;
+            // Verify signature
+            const data = `${headerB64}.${payloadB64}`;
+            const signature = Buffer.from(signatureB64, 'base64url');
+            const publicKey = crypto.createPublicKey(LicenseValidator.PUBLIC_KEY);
+            // Validate that the loaded public key is actually Ed25519 (OID 1.3.101.112).
+            // This prevents algorithm-confusion attacks if the embedded key were ever
+            // swapped to a different type.
+            if (publicKey.asymmetricKeyType !== 'ed25519') {
+                return null;
+            }
+            // Ed25519 verification: algorithm must be null because EdDSA performs its
+            // own internal hashing (SHA-512) — passing a digest algorithm here would
+            // cause Node.js to throw. The key type is validated above.
+            const isValid = crypto.verify(null, Buffer.from(data), publicKey, signature);
+            if (!isValid)
+                return null;
+            // Decode payload
+            const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+            // Validate required fields
+            if (!payload.org ||
+                !Array.isArray(payload.features) ||
+                typeof payload.exp !== 'number' ||
+                typeof payload.iat !== 'number' ||
+                !payload.sub) {
+                return null;
+            }
+            // Check expiry (with grace period)
+            const now = Date.now();
+            const expiryMs = payload.exp * 1000;
+            if (now >= expiryMs + LicenseValidator.GRACE_PERIOD) {
+                return null;
+            }
+            return payload;
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.LicenseValidator = LicenseValidator;
+
+
+/***/ }),
+
+/***/ 87068:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.loadEnterprisePolicyEngine = loadEnterprisePolicyEngine;
+exports.loadEnterpriseStoreBackend = loadEnterpriseStoreBackend;
+const default_engine_1 = __nccwpck_require__(93866);
+/**
+ * Load the enterprise policy engine if licensed, otherwise return the default no-op engine.
+ *
+ * This is the sole import boundary between OSS and enterprise code. Core code
+ * must only import from this module (via dynamic `await import()`), never from
+ * individual enterprise submodules.
+ */
+async function loadEnterprisePolicyEngine(config) {
+    try {
+        const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+        const validator = new LicenseValidator();
+        const license = await validator.loadAndValidate();
+        if (!license || !validator.hasFeature('policy')) {
+            return new default_engine_1.DefaultPolicyEngine();
+        }
+        if (validator.isInGracePeriod()) {
+            // eslint-disable-next-line no-console
+            console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+                'Please renew your license.');
+        }
+        const { OpaPolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(39530)));
+        const engine = new OpaPolicyEngine(config);
+        await engine.initialize(config);
+        return engine;
+    }
+    catch (err) {
+        // Enterprise code not available or initialization failed
+        const msg = err instanceof Error ? err.message : String(err);
+        try {
+            const { logger } = __nccwpck_require__(86999);
+            logger.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
+        }
+        catch {
+            // silent
+        }
+        return new default_engine_1.DefaultPolicyEngine();
+    }
+}
+/**
+ * Load the enterprise schedule store backend if licensed.
+ *
+ * @param driver Database driver ('postgresql', 'mysql', or 'mssql')
+ * @param storageConfig Storage configuration with connection details
+ * @param haConfig Optional HA configuration
+ * @throws Error if enterprise license is not available or missing 'scheduler-sql' feature
+ */
+async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
+    const { LicenseValidator } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(50069)));
+    const validator = new LicenseValidator();
+    const license = await validator.loadAndValidate();
+    if (!license || !validator.hasFeature('scheduler-sql')) {
+        throw new Error(`The ${driver} schedule storage driver requires a Visor Enterprise license ` +
+            `with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`);
+    }
+    if (validator.isInGracePeriod()) {
+        // eslint-disable-next-line no-console
+        console.warn('[visor:enterprise] License has expired but is within the 72-hour grace period. ' +
+            'Please renew your license.');
+    }
+    const { KnexStoreBackend } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(63737)));
+    return new KnexStoreBackend(driver, storageConfig, haConfig);
+}
+
+
+/***/ }),
+
+/***/ 628:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaCompiler = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const os = __importStar(__nccwpck_require__(70857));
+const crypto = __importStar(__nccwpck_require__(76982));
+const child_process_1 = __nccwpck_require__(35317);
+/**
+ * OPA Rego Compiler - compiles .rego policy files to WASM bundles using the `opa` CLI.
+ *
+ * Handles:
+ * - Resolving input paths to WASM bytes (direct .wasm, directory with policy.wasm, or .rego files)
+ * - Compiling .rego files to WASM via `opa build`
+ * - Caching compiled bundles based on content hashes
+ * - Extracting policy.wasm from OPA tar.gz bundles
+ *
+ * Requires:
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaCompiler {
+    static CACHE_DIR = path.join(os.tmpdir(), 'visor-opa-cache');
+    /**
+     * Resolve the input paths to WASM bytes.
+     *
+     * Strategy:
+     * 1. If any path is a .wasm file, read it directly
+     * 2. If a directory contains policy.wasm, read it
+     * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+     */
+    async resolveWasmBytes(paths) {
+        // Collect .rego files and check for existing .wasm
+        const regoFiles = [];
+        for (const p of paths) {
+            const resolved = path.resolve(p);
+            // Reject paths containing '..' after resolution (path traversal)
+            if (path.normalize(resolved).includes('..')) {
+                throw new Error(`Policy path contains traversal sequences: ${p}`);
+            }
+            // Direct .wasm file
+            if (resolved.endsWith('.wasm') && fs.existsSync(resolved)) {
+                return fs.readFileSync(resolved);
+            }
+            if (!fs.existsSync(resolved))
+                continue;
+            const stat = fs.statSync(resolved);
+            if (stat.isDirectory()) {
+                // Check for pre-compiled policy.wasm in directory
+                const wasmCandidate = path.join(resolved, 'policy.wasm');
+                if (fs.existsSync(wasmCandidate)) {
+                    return fs.readFileSync(wasmCandidate);
+                }
+                // Collect all .rego files from directory
+                const files = fs.readdirSync(resolved);
+                for (const f of files) {
+                    if (f.endsWith('.rego')) {
+                        regoFiles.push(path.join(resolved, f));
+                    }
+                }
+            }
+            else if (resolved.endsWith('.rego')) {
+                regoFiles.push(resolved);
+            }
+        }
+        if (regoFiles.length === 0) {
+            throw new Error(`OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(', ')}`);
+        }
+        // Auto-compile .rego -> .wasm
+        return this.compileRego(regoFiles);
+    }
+    /**
+     * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+     *
+     * Caches the compiled bundle based on a content hash of all input .rego files
+     * so subsequent runs skip compilation if policies haven't changed.
+     */
+    compileRego(regoFiles) {
+        // Check that `opa` CLI is available
+        try {
+            (0, child_process_1.execFileSync)('opa', ['version'], { stdio: 'pipe' });
+        }
+        catch {
+            throw new Error('OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\n' +
+                'Or pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz ' +
+                regoFiles.join(' '));
+        }
+        // Compute content hash for cache key
+        const hash = crypto.createHash('sha256');
+        for (const f of regoFiles.sort()) {
+            hash.update(fs.readFileSync(f));
+            hash.update(f); // include filename for disambiguation
+        }
+        const cacheKey = hash.digest('hex').slice(0, 16);
+        const cacheDir = OpaCompiler.CACHE_DIR;
+        const cachedWasm = path.join(cacheDir, `${cacheKey}.wasm`);
+        // Return cached bundle if still valid
+        if (fs.existsSync(cachedWasm)) {
+            return fs.readFileSync(cachedWasm);
+        }
+        // Compile to WASM via opa build
+        fs.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        try {
+            const args = [
+                'build',
+                '-t',
+                'wasm',
+                '-e',
+                'visor', // entrypoint: the visor package tree
+                '-o',
+                bundleTar,
+                ...regoFiles,
+            ];
+            (0, child_process_1.execFileSync)('opa', args, {
+                stdio: 'pipe',
+                timeout: 30000,
+            });
+        }
+        catch (err) {
+            const stderr = err?.stderr?.toString() || '';
+            throw new Error(`Failed to compile .rego files to WASM:\n${stderr}\n` +
+                'Ensure your .rego files are valid and the `opa` CLI is installed.');
+        }
+        // Extract policy.wasm from the tar.gz bundle
+        // OPA bundles are tar.gz with /policy.wasm inside
+        try {
+            (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, '/policy.wasm'], {
+                stdio: 'pipe',
+            });
+            const extractedWasm = path.join(cacheDir, 'policy.wasm');
+            if (fs.existsSync(extractedWasm)) {
+                // Move to cache-key named file
+                fs.renameSync(extractedWasm, cachedWasm);
+            }
+        }
+        catch {
+            // Some tar implementations don't like leading /
+            try {
+                (0, child_process_1.execFileSync)('tar', ['-xzf', bundleTar, '-C', cacheDir, 'policy.wasm'], {
+                    stdio: 'pipe',
+                });
+                const extractedWasm = path.join(cacheDir, 'policy.wasm');
+                if (fs.existsSync(extractedWasm)) {
+                    fs.renameSync(extractedWasm, cachedWasm);
+                }
+            }
+            catch (err2) {
+                throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
+            }
+        }
+        // Clean up tar
+        try {
+            fs.unlinkSync(bundleTar);
+        }
+        catch { }
+        if (!fs.existsSync(cachedWasm)) {
+            throw new Error('OPA build succeeded but policy.wasm was not found in the bundle');
+        }
+        return fs.readFileSync(cachedWasm);
+    }
+}
+exports.OpaCompiler = OpaCompiler;
+
+
+/***/ }),
+
+/***/ 44693:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaHttpEvaluator = void 0;
+/**
+ * OPA HTTP Evaluator - evaluates policies via an external OPA server's REST API.
+ *
+ * Uses the built-in `fetch` API (Node 18+), so no extra dependencies are needed.
+ */
+class OpaHttpEvaluator {
+    baseUrl;
+    timeout;
+    constructor(baseUrl, timeout = 5000) {
+        // Validate URL format and protocol
+        let parsed;
+        try {
+            parsed = new URL(baseUrl);
+        }
+        catch {
+            throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
+        }
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            throw new Error(`OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`);
+        }
+        // Block cloud metadata, loopback, link-local, and private network addresses
+        const hostname = parsed.hostname;
+        if (this.isBlockedHostname(hostname)) {
+            throw new Error(`OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`);
+        }
+        // Normalize: strip trailing slash
+        this.baseUrl = baseUrl.replace(/\/+$/, '');
+        this.timeout = timeout;
+    }
+    /**
+     * Check if a hostname is blocked due to SSRF concerns.
+     *
+     * Blocks:
+     * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+     * - Link-local addresses (169.254.x.x)
+     * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+     * - IPv6 unique local addresses (fd00::/8)
+     * - Cloud metadata services (*.internal)
+     */
+    isBlockedHostname(hostname) {
+        if (!hostname)
+            return true; // block empty hostnames
+        // Normalize hostname: lowercase and remove brackets for IPv6
+        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, '');
+        // Block .internal domains (cloud metadata services)
+        if (normalized === 'metadata.google.internal' || normalized.endsWith('.internal')) {
+            return true;
+        }
+        // Block localhost variants
+        if (normalized === 'localhost' || normalized === 'localhost.localdomain') {
+            return true;
+        }
+        // Block IPv6 loopback
+        if (normalized === '::1' || normalized === '0:0:0:0:0:0:0:1') {
+            return true;
+        }
+        // Check IPv4 patterns
+        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = normalized.match(ipv4Pattern);
+        if (ipv4Match) {
+            const octets = ipv4Match.slice(1, 5).map(Number);
+            // Validate octets are in range [0, 255]
+            if (octets.some(octet => octet > 255)) {
+                return false;
+            }
+            const [a, b] = octets;
+            // Block loopback: 127.0.0.0/8
+            if (a === 127) {
+                return true;
+            }
+            // Block 0.0.0.0/8 (this host)
+            if (a === 0) {
+                return true;
+            }
+            // Block link-local: 169.254.0.0/16
+            if (a === 169 && b === 254) {
+                return true;
+            }
+            // Block private networks
+            // 10.0.0.0/8
+            if (a === 10) {
+                return true;
+            }
+            // 172.16.0.0/12 (172.16.x.x through 172.31.x.x)
+            if (a === 172 && b >= 16 && b <= 31) {
+                return true;
+            }
+            // 192.168.0.0/16
+            if (a === 192 && b === 168) {
+                return true;
+            }
+        }
+        // Check IPv6 patterns
+        // Block unique local addresses: fd00::/8
+        if (normalized.startsWith('fd') || normalized.startsWith('fc')) {
+            return true;
+        }
+        // Block link-local: fe80::/10
+        if (normalized.startsWith('fe80:')) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Evaluate a policy rule against an input document via OPA REST API.
+     *
+     * @param input - The input document to evaluate
+     * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+     * @returns The result object from OPA, or undefined on error
+     */
+    async evaluate(input, rulePath) {
+        // OPA Data API: POST /v1/data/<path>
+        const encodedPath = rulePath
+            .split('/')
+            .map(s => encodeURIComponent(s))
+            .join('/');
+        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ input }),
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
+            }
+            let body;
+            try {
+                body = await response.json();
+            }
+            catch (jsonErr) {
+                throw new Error(`OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`);
+            }
+            // OPA returns { result: { ... } }
+            return body?.result;
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    async shutdown() {
+        // No persistent connections to close
+    }
+}
+exports.OpaHttpEvaluator = OpaHttpEvaluator;
+
+
+/***/ }),
+
+/***/ 39530:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaPolicyEngine = void 0;
+const opa_wasm_evaluator_1 = __nccwpck_require__(8613);
+const opa_http_evaluator_1 = __nccwpck_require__(44693);
+const policy_input_builder_1 = __nccwpck_require__(17117);
+/**
+ * Enterprise OPA Policy Engine.
+ *
+ * Wraps both WASM (local) and HTTP (remote) OPA evaluators behind the
+ * OSS PolicyEngine interface. All OPA input building and role resolution
+ * is handled internally — the OSS call sites pass only plain types.
+ */
+class OpaPolicyEngine {
+    evaluator = null;
+    fallback;
+    timeout;
+    config;
+    inputBuilder = null;
+    logger = null;
+    constructor(config) {
+        this.config = config;
+        this.fallback = config.fallback || 'deny';
+        this.timeout = config.timeout || 5000;
+    }
+    async initialize(config) {
+        // Resolve logger once at initialization
+        try {
+            this.logger = (__nccwpck_require__(86999).logger);
+        }
+        catch {
+            // logger not available in this context
+        }
+        // Build actor/repo context from environment (available at engine init time)
+        const actor = {
+            authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
+            login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
+            isLocalMode: !process.env.GITHUB_ACTIONS,
+        };
+        const repo = {
+            owner: process.env.GITHUB_REPOSITORY_OWNER,
+            name: process.env.GITHUB_REPOSITORY?.split('/')[1],
+            branch: process.env.GITHUB_HEAD_REF,
+            baseBranch: process.env.GITHUB_BASE_REF,
+            event: process.env.GITHUB_EVENT_NAME,
+        };
+        const prNum = process.env.GITHUB_PR_NUMBER
+            ? parseInt(process.env.GITHUB_PR_NUMBER, 10)
+            : undefined;
+        const pullRequest = {
+            number: prNum !== undefined && Number.isFinite(prNum) ? prNum : undefined,
+        };
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(config, actor, repo, pullRequest);
+        if (config.engine === 'local') {
+            if (!config.rules) {
+                throw new Error('OPA local mode requires `policy.rules` path to .wasm or .rego files');
+            }
+            const wasm = new opa_wasm_evaluator_1.OpaWasmEvaluator();
+            await wasm.initialize(config.rules);
+            if (config.data) {
+                wasm.loadData(config.data);
+            }
+            this.evaluator = wasm;
+        }
+        else if (config.engine === 'remote') {
+            if (!config.url) {
+                throw new Error('OPA remote mode requires `policy.url` pointing to OPA server');
+            }
+            this.evaluator = new opa_http_evaluator_1.OpaHttpEvaluator(config.url, this.timeout);
+        }
+        else {
+            this.evaluator = null;
+        }
+    }
+    /**
+     * Update actor/repo/PR context (e.g., after PR info becomes available).
+     * Called by the enterprise loader when engine context is enriched.
+     */
+    setActorContext(actor, repo, pullRequest) {
+        this.inputBuilder = new policy_input_builder_1.PolicyInputBuilder(this.config, actor, repo, pullRequest);
+    }
+    async evaluateCheckExecution(checkId, checkConfig) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const cfg = checkConfig && typeof checkConfig === 'object'
+            ? checkConfig
+            : {};
+        const policyOverride = cfg.policy;
+        const input = this.inputBuilder.forCheckExecution({
+            id: checkId,
+            type: cfg.type || 'ai',
+            group: cfg.group,
+            tags: cfg.tags,
+            criticality: cfg.criticality,
+            sandbox: cfg.sandbox,
+            policy: policyOverride,
+        });
+        return this.doEvaluate(input, this.resolveRulePath('check.execute', policyOverride?.rule));
+    }
+    async evaluateToolInvocation(serverName, methodName, transport) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
+        return this.doEvaluate(input, 'visor/tool/invoke');
+    }
+    async evaluateCapabilities(checkId, capabilities) {
+        if (!this.evaluator || !this.inputBuilder)
+            return { allowed: true };
+        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
+        return this.doEvaluate(input, 'visor/capability/resolve');
+    }
+    async shutdown() {
+        if (this.evaluator && 'shutdown' in this.evaluator) {
+            await this.evaluator.shutdown();
+        }
+        this.evaluator = null;
+        this.inputBuilder = null;
+    }
+    resolveRulePath(defaultScope, override) {
+        if (override) {
+            return override.startsWith('visor/') ? override : `visor/${override}`;
+        }
+        return `visor/${defaultScope.replace(/\./g, '/')}`;
+    }
+    async doEvaluate(input, rulePath) {
+        try {
+            this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
+            let timer;
+            const timeoutPromise = new Promise((_resolve, reject) => {
+                timer = setTimeout(() => reject(new Error('policy evaluation timeout')), this.timeout);
+            });
+            try {
+                const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
+                const decision = this.parseDecision(result);
+                // In warn mode, override denied decisions to allowed but flag as warn
+                if (!decision.allowed && this.fallback === 'warn') {
+                    decision.allowed = true;
+                    decision.warn = true;
+                    decision.reason = `audit: ${decision.reason || 'policy denied'}`;
+                }
+                this.logger?.debug(`[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || 'none'}`);
+                return decision;
+            }
+            finally {
+                if (timer)
+                    clearTimeout(timer);
+            }
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: `policy evaluation failed, fallback=${this.fallback}`,
+            };
+        }
+    }
+    async rawEvaluate(input, rulePath) {
+        if (this.evaluator instanceof opa_wasm_evaluator_1.OpaWasmEvaluator) {
+            const result = await this.evaluator.evaluate(input);
+            // WASM compiled with `-e visor` entrypoint returns the full visor package tree.
+            // Navigate to the specific rule subtree using rulePath segments.
+            // e.g., 'visor/check/execute' → result.check.execute
+            return this.navigateWasmResult(result, rulePath);
+        }
+        return this.evaluator.evaluate(input, rulePath);
+    }
+    /**
+     * Navigate nested OPA WASM result tree to reach the specific rule's output.
+     * The WASM entrypoint `-e visor` means the result root IS the visor package,
+     * so we strip the `visor/` prefix and walk the remaining segments.
+     */
+    navigateWasmResult(result, rulePath) {
+        if (!result || typeof result !== 'object')
+            return result;
+        // Strip the 'visor/' prefix (matches our compilation entrypoint)
+        const segments = rulePath.replace(/^visor\//, '').split('/');
+        let current = result;
+        for (const seg of segments) {
+            if (current && typeof current === 'object' && seg in current) {
+                current = current[seg];
+            }
+            else {
+                return undefined; // path not found in result tree
+            }
+        }
+        return current;
+    }
+    parseDecision(result) {
+        if (result === undefined || result === null) {
+            return {
+                allowed: this.fallback === 'allow' || this.fallback === 'warn',
+                warn: this.fallback === 'warn' ? true : undefined,
+                reason: this.fallback === 'warn' ? 'audit: no policy result' : 'no policy result',
+            };
+        }
+        const allowed = result.allowed !== false;
+        const decision = {
+            allowed,
+            reason: result.reason,
+        };
+        if (result.capabilities) {
+            decision.capabilities = result.capabilities;
+        }
+        return decision;
+    }
+}
+exports.OpaPolicyEngine = OpaPolicyEngine;
+
+
+/***/ }),
+
+/***/ 8613:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.OpaWasmEvaluator = void 0;
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const opa_compiler_1 = __nccwpck_require__(628);
+/**
+ * OPA WASM Evaluator - loads and evaluates OPA policies locally.
+ *
+ * Supports three input formats:
+ * 1. Pre-compiled `.wasm` bundle — loaded directly (fastest startup)
+ * 2. `.rego` files or directory — auto-compiled to WASM via `opa build` CLI
+ * 3. Directory with `policy.wasm` inside — loaded directly
+ *
+ * Compilation and caching of .rego files is delegated to {@link OpaCompiler}.
+ *
+ * Requires:
+ * - `@open-policy-agent/opa-wasm` npm package (optional dep)
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+class OpaWasmEvaluator {
+    policy = null;
+    dataDocument = {};
+    compiler = new opa_compiler_1.OpaCompiler();
+    async initialize(rulesPath) {
+        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
+        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
+        try {
+            // Use createRequire to load the optional dep at runtime without ncc bundling it.
+            // `new Function('id', 'return require(id)')` fails in ncc bundles because
+            // `require` is not in the `new Function` scope. `createRequire` works correctly
+            // because it creates a real Node.js require rooted at the given path.
+            // eslint-disable-next-line @typescript-eslint/no-var-requires
+            const { createRequire } = __nccwpck_require__(73339);
+            const runtimeRequire = createRequire(__filename);
+            const opaWasm = runtimeRequire('@open-policy-agent/opa-wasm');
+            const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
+            if (!loadPolicy) {
+                throw new Error('loadPolicy not found in @open-policy-agent/opa-wasm');
+            }
+            this.policy = await loadPolicy(wasmBytes);
+        }
+        catch (err) {
+            if (err?.code === 'MODULE_NOT_FOUND' || err?.code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('OPA WASM evaluator requires @open-policy-agent/opa-wasm. ' +
+                    'Install it with: npm install @open-policy-agent/opa-wasm');
+            }
+            throw err;
+        }
+    }
+    /**
+     * Load external data from a JSON file to use as the OPA data document.
+     * The loaded data will be passed to `policy.setData()` during evaluation,
+     * making it available in Rego via `data.<key>`.
+     */
+    loadData(dataPath) {
+        const resolved = path.resolve(dataPath);
+        if (path.normalize(resolved).includes('..')) {
+            throw new Error(`Data path contains traversal sequences: ${dataPath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`OPA data file not found: ${resolved}`);
+        }
+        const stat = fs.statSync(resolved);
+        if (stat.size > 10 * 1024 * 1024) {
+            throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat.size} bytes)`);
+        }
+        const raw = fs.readFileSync(resolved, 'utf-8');
+        try {
+            const parsed = JSON.parse(raw);
+            if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+                throw new Error('OPA data file must contain a JSON object (not an array or primitive)');
+            }
+            this.dataDocument = parsed;
+        }
+        catch (err) {
+            if (err.message.startsWith('OPA data file must')) {
+                throw err;
+            }
+            throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
+        }
+    }
+    async evaluate(input) {
+        if (!this.policy) {
+            throw new Error('OPA WASM evaluator not initialized');
+        }
+        this.policy.setData(this.dataDocument);
+        const resultSet = this.policy.evaluate(input);
+        if (Array.isArray(resultSet) && resultSet.length > 0) {
+            return resultSet[0].result;
+        }
+        return undefined;
+    }
+    async shutdown() {
+        if (this.policy) {
+            // opa-wasm policy objects may have a close/free method for WASM cleanup
+            if (typeof this.policy.close === 'function') {
+                try {
+                    this.policy.close();
+                }
+                catch { }
+            }
+            else if (typeof this.policy.free === 'function') {
+                try {
+                    this.policy.free();
+                }
+                catch { }
+            }
+        }
+        this.policy = null;
+    }
+}
+exports.OpaWasmEvaluator = OpaWasmEvaluator;
+
+
+/***/ }),
+
+/***/ 17117:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.PolicyInputBuilder = void 0;
+/**
+ * Builds OPA-compatible input documents from engine context.
+ *
+ * Resolves actor roles from the `policy.roles` config section by matching
+ * the actor's authorAssociation and login against role definitions.
+ */
+class PolicyInputBuilder {
+    roles;
+    actor;
+    repository;
+    pullRequest;
+    constructor(policyConfig, actor, repository, pullRequest) {
+        this.roles = policyConfig.roles || {};
+        this.actor = actor;
+        this.repository = repository;
+        this.pullRequest = pullRequest;
+    }
+    /** Resolve which roles apply to the current actor. */
+    resolveRoles() {
+        const matched = [];
+        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
+            let identityMatch = false;
+            if (roleConfig.author_association &&
+                this.actor.authorAssociation &&
+                roleConfig.author_association.includes(this.actor.authorAssociation)) {
+                identityMatch = true;
+            }
+            if (!identityMatch &&
+                roleConfig.users &&
+                this.actor.login &&
+                roleConfig.users.includes(this.actor.login)) {
+                identityMatch = true;
+            }
+            // Slack user ID match
+            if (!identityMatch &&
+                roleConfig.slack_users &&
+                this.actor.slack?.userId &&
+                roleConfig.slack_users.includes(this.actor.slack.userId)) {
+                identityMatch = true;
+            }
+            // Email match (case-insensitive)
+            if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
+                const actorEmail = this.actor.slack.email.toLowerCase();
+                if (roleConfig.emails.some(e => e.toLowerCase() === actorEmail)) {
+                    identityMatch = true;
+                }
+            }
+            // Note: teams-based role resolution requires GitHub API access (read:org scope)
+            // and is not yet implemented. If configured, the role will not match via teams.
+            if (!identityMatch)
+                continue;
+            // slack_channels gate: if set, the role only applies when triggered from one of these channels
+            if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
+                if (!this.actor.slack?.channelId ||
+                    !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
+                    continue;
+                }
+            }
+            matched.push(roleName);
+        }
+        return matched;
+    }
+    buildActor() {
+        return {
+            authorAssociation: this.actor.authorAssociation,
+            login: this.actor.login,
+            roles: this.resolveRoles(),
+            isLocalMode: this.actor.isLocalMode,
+            ...(this.actor.slack && { slack: this.actor.slack }),
+        };
+    }
+    forCheckExecution(check) {
+        return {
+            scope: 'check.execute',
+            check: {
+                id: check.id,
+                type: check.type,
+                group: check.group,
+                tags: check.tags,
+                criticality: check.criticality,
+                sandbox: check.sandbox,
+                policy: check.policy,
+            },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forToolInvocation(serverName, methodName, transport) {
+        return {
+            scope: 'tool.invoke',
+            tool: { serverName, methodName, transport },
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+    forCapabilityResolve(checkId, capabilities) {
+        return {
+            scope: 'capability.resolve',
+            check: { id: checkId, type: 'ai' },
+            capability: capabilities,
+            actor: this.buildActor(),
+            repository: this.repository,
+            pullRequest: this.pullRequest,
+        };
+    }
+}
+exports.PolicyInputBuilder = PolicyInputBuilder;
+
+
+/***/ }),
+
+/***/ 63737:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.KnexStoreBackend = void 0;
+/**
+ * Knex-backed schedule store for PostgreSQL, MySQL, and MSSQL (Enterprise)
+ *
+ * Uses Knex query builder for database-agnostic SQL. Same schema as SQLite backend
+ * but with real distributed locking via row-level claims (claimed_by/claimed_at/lock_token).
+ */
+const fs = __importStar(__nccwpck_require__(79896));
+const path = __importStar(__nccwpck_require__(16928));
+const uuid_1 = __nccwpck_require__(31914);
+const logger_1 = __nccwpck_require__(86999);
+function toNum(val) {
+    if (val === null || val === undefined)
+        return undefined;
+    return typeof val === 'string' ? parseInt(val, 10) : val;
+}
+function safeJsonParse(value) {
+    if (!value)
+        return undefined;
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        return undefined;
+    }
+}
+function fromTriggerRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        description: row.description ?? undefined,
+        channels: safeJsonParse(row.channels),
+        fromUsers: safeJsonParse(row.from_users),
+        fromBots: row.from_bots === true || row.from_bots === 1,
+        contains: safeJsonParse(row.contains),
+        matchPattern: row.match_pattern ?? undefined,
+        threads: row.threads,
+        workflow: row.workflow,
+        inputs: safeJsonParse(row.inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        enabled: row.enabled === true || row.enabled === 1,
+        createdAt: toNum(row.created_at),
+    };
+}
+function toTriggerInsertRow(trigger) {
+    return {
+        id: trigger.id,
+        creator_id: trigger.creatorId,
+        creator_context: trigger.creatorContext ?? null,
+        creator_name: trigger.creatorName ?? null,
+        description: trigger.description ?? null,
+        channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
+        from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
+        from_bots: trigger.fromBots,
+        contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
+        match_pattern: trigger.matchPattern ?? null,
+        threads: trigger.threads,
+        workflow: trigger.workflow,
+        inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
+        output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
+        status: trigger.status,
+        enabled: trigger.enabled,
+        created_at: trigger.createdAt,
+    };
+}
+function fromDbRow(row) {
+    return {
+        id: row.id,
+        creatorId: row.creator_id,
+        creatorContext: row.creator_context ?? undefined,
+        creatorName: row.creator_name ?? undefined,
+        timezone: row.timezone,
+        schedule: row.schedule_expr,
+        runAt: toNum(row.run_at),
+        isRecurring: row.is_recurring === true || row.is_recurring === 1,
+        originalExpression: row.original_expression,
+        workflow: row.workflow ?? undefined,
+        workflowInputs: safeJsonParse(row.workflow_inputs),
+        outputContext: safeJsonParse(row.output_context),
+        status: row.status,
+        createdAt: toNum(row.created_at),
+        lastRunAt: toNum(row.last_run_at),
+        nextRunAt: toNum(row.next_run_at),
+        runCount: row.run_count,
+        failureCount: row.failure_count,
+        lastError: row.last_error ?? undefined,
+        previousResponse: row.previous_response ?? undefined,
+    };
+}
+function toInsertRow(schedule) {
+    return {
+        id: schedule.id,
+        creator_id: schedule.creatorId,
+        creator_context: schedule.creatorContext ?? null,
+        creator_name: schedule.creatorName ?? null,
+        timezone: schedule.timezone,
+        schedule_expr: schedule.schedule,
+        run_at: schedule.runAt ?? null,
+        is_recurring: schedule.isRecurring,
+        original_expression: schedule.originalExpression,
+        workflow: schedule.workflow ?? null,
+        workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
+        output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
+        status: schedule.status,
+        created_at: schedule.createdAt,
+        last_run_at: schedule.lastRunAt ?? null,
+        next_run_at: schedule.nextRunAt ?? null,
+        run_count: schedule.runCount,
+        failure_count: schedule.failureCount,
+        last_error: schedule.lastError ?? null,
+        previous_response: schedule.previousResponse ?? null,
+    };
+}
+/**
+ * Enterprise Knex-backed store for PostgreSQL, MySQL, and MSSQL
+ */
+class KnexStoreBackend {
+    knex = null;
+    driver;
+    connection;
+    constructor(driver, storageConfig, _haConfig) {
+        this.driver = driver;
+        this.connection = (storageConfig.connection || {});
+    }
+    async initialize() {
+        // Load knex dynamically
+        const { createRequire } = __nccwpck_require__(73339);
+        const runtimeRequire = createRequire(__filename);
+        let knexFactory;
+        try {
+            knexFactory = runtimeRequire('knex');
+        }
+        catch (err) {
+            const code = err?.code;
+            if (code === 'MODULE_NOT_FOUND' || code === 'ERR_MODULE_NOT_FOUND') {
+                throw new Error('knex is required for PostgreSQL/MySQL/MSSQL schedule storage. ' +
+                    'Install it with: npm install knex');
+            }
+            throw err;
+        }
+        const clientMap = {
+            postgresql: 'pg',
+            mysql: 'mysql2',
+            mssql: 'tedious',
+        };
+        const client = clientMap[this.driver];
+        // Build connection config
+        let connection;
+        if (this.connection.connection_string) {
+            connection = this.connection.connection_string;
+        }
+        else if (this.driver === 'mssql') {
+            connection = this.buildMssqlConnection();
+        }
+        else {
+            connection = this.buildStandardConnection();
+        }
+        this.knex = knexFactory({
+            client,
+            connection,
+            pool: {
+                min: this.connection.pool?.min ?? 0,
+                max: this.connection.pool?.max ?? 10,
+            },
+        });
+        // Run schema migration
+        await this.migrateSchema();
+        logger_1.logger.info(`[KnexStore] Initialized (${this.driver})`);
+    }
+    buildStandardConnection() {
+        return {
+            host: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            ssl: this.resolveSslConfig(),
+        };
+    }
+    buildMssqlConnection() {
+        const ssl = this.connection.ssl;
+        const sslEnabled = ssl === true || (typeof ssl === 'object' && ssl.enabled !== false);
+        return {
+            server: this.connection.host || 'localhost',
+            port: this.connection.port,
+            database: this.connection.database || 'visor',
+            user: this.connection.user,
+            password: this.connection.password,
+            options: {
+                encrypt: sslEnabled,
+                trustServerCertificate: typeof ssl === 'object' ? ssl.reject_unauthorized === false : !sslEnabled,
+            },
+        };
+    }
+    resolveSslConfig() {
+        const ssl = this.connection.ssl;
+        if (ssl === false || ssl === undefined)
+            return false;
+        if (ssl === true)
+            return { rejectUnauthorized: true };
+        // Object config
+        if (ssl.enabled === false)
+            return false;
+        const result = {
+            rejectUnauthorized: ssl.reject_unauthorized !== false,
+        };
+        if (ssl.ca) {
+            const caPath = this.validateSslPath(ssl.ca, 'CA certificate');
+            result.ca = fs.readFileSync(caPath, 'utf8');
+        }
+        if (ssl.cert) {
+            const certPath = this.validateSslPath(ssl.cert, 'client certificate');
+            result.cert = fs.readFileSync(certPath, 'utf8');
+        }
+        if (ssl.key) {
+            const keyPath = this.validateSslPath(ssl.key, 'client key');
+            result.key = fs.readFileSync(keyPath, 'utf8');
+        }
+        return result;
+    }
+    validateSslPath(filePath, label) {
+        const resolved = path.resolve(filePath);
+        if (resolved !== path.normalize(resolved)) {
+            throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
+        }
+        if (!fs.existsSync(resolved)) {
+            throw new Error(`SSL ${label} not found: ${filePath}`);
+        }
+        return resolved;
+    }
+    async shutdown() {
+        if (this.knex) {
+            await this.knex.destroy();
+            this.knex = null;
+        }
+    }
+    async migrateSchema() {
+        const knex = this.getKnex();
+        const exists = await knex.schema.hasTable('schedules');
+        if (!exists) {
+            await knex.schema.createTable('schedules', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.string('timezone', 64).notNullable().defaultTo('UTC');
+                table.string('schedule_expr', 255);
+                table.bigInteger('run_at');
+                table.boolean('is_recurring').notNullable();
+                table.text('original_expression');
+                table.string('workflow', 255);
+                table.text('workflow_inputs');
+                table.text('output_context');
+                table.string('status', 20).notNullable().index();
+                table.bigInteger('created_at').notNullable();
+                table.bigInteger('last_run_at');
+                table.bigInteger('next_run_at');
+                table.integer('run_count').notNullable().defaultTo(0);
+                table.integer('failure_count').notNullable().defaultTo(0);
+                table.text('last_error');
+                table.text('previous_response');
+                table.index(['status', 'next_run_at']);
+            });
+        }
+        // Create message_triggers table
+        const triggersExist = await knex.schema.hasTable('message_triggers');
+        if (!triggersExist) {
+            await knex.schema.createTable('message_triggers', table => {
+                table.string('id', 36).primary();
+                table.string('creator_id', 255).notNullable().index();
+                table.string('creator_context', 255);
+                table.string('creator_name', 255);
+                table.text('description');
+                table.text('channels'); // JSON array
+                table.text('from_users'); // JSON array
+                table.boolean('from_bots').notNullable().defaultTo(false);
+                table.text('contains'); // JSON array
+                table.text('match_pattern');
+                table.string('threads', 20).notNullable().defaultTo('any');
+                table.string('workflow', 255).notNullable();
+                table.text('inputs'); // JSON
+                table.text('output_context'); // JSON
+                table.string('status', 20).notNullable().defaultTo('active').index();
+                table.boolean('enabled').notNullable().defaultTo(true);
+                table.bigInteger('created_at').notNullable();
+            });
+        }
+        // Create scheduler_locks table for distributed locking
+        const locksExist = await knex.schema.hasTable('scheduler_locks');
+        if (!locksExist) {
+            await knex.schema.createTable('scheduler_locks', table => {
+                table.string('lock_id', 255).primary();
+                table.string('node_id', 255).notNullable();
+                table.string('lock_token', 36).notNullable();
+                table.bigInteger('acquired_at').notNullable();
+                table.bigInteger('expires_at').notNullable();
+            });
+        }
+    }
+    getKnex() {
+        if (!this.knex) {
+            throw new Error('[KnexStore] Not initialized. Call initialize() first.');
+        }
+        return this.knex;
+    }
+    // --- CRUD ---
+    async create(schedule) {
+        const knex = this.getKnex();
+        const newSchedule = {
+            ...schedule,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+            runCount: 0,
+            failureCount: 0,
+            status: 'active',
+        };
+        await knex('schedules').insert(toInsertRow(newSchedule));
+        logger_1.logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
+        return newSchedule;
+    }
+    async importSchedule(schedule) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', schedule.id).first();
+        if (existing)
+            return; // Already imported (idempotent)
+        await knex('schedules').insert(toInsertRow(schedule));
+    }
+    async get(id) {
+        const knex = this.getKnex();
+        const row = await knex('schedules').where('id', id).first();
+        return row ? fromDbRow(row) : undefined;
+    }
+    async update(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('schedules').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromDbRow(existing);
+        const updated = { ...current, ...patch, id: current.id };
+        const row = toInsertRow(updated);
+        // Remove id from update (PK cannot change)
+        delete row.id;
+        await knex('schedules').where('id', id).update(row);
+        return updated;
+    }
+    async delete(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('schedules').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted schedule ${id}`);
+            return true;
+        }
+        return false;
+    }
+    // --- Queries ---
+    async getByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('creator_id', creatorId);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getActiveSchedules() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules').where('status', 'active');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getDueSchedules(now) {
+        const ts = now ?? Date.now();
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans
+        const bFalse = this.driver === 'mssql' ? 0 : false;
+        const bTrue = this.driver === 'mssql' ? 1 : true;
+        const rows = await knex('schedules')
+            .where('status', 'active')
+            .andWhere(function () {
+            this.where(function () {
+                this.where('is_recurring', bFalse)
+                    .whereNotNull('run_at')
+                    .where('run_at', '<=', ts);
+            }).orWhere(function () {
+                this.where('is_recurring', bTrue)
+                    .whereNotNull('next_run_at')
+                    .where('next_run_at', '<=', ts);
+            });
+        });
+        return rows.map((r) => fromDbRow(r));
+    }
+    async findByWorkflow(creatorId, workflowName) {
+        const knex = this.getKnex();
+        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, '\\$&');
+        const pattern = `%${escaped}%`;
+        const rows = await knex('schedules')
+            .where('creator_id', creatorId)
+            .where('status', 'active')
+            .whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getAll() {
+        const knex = this.getKnex();
+        const rows = await knex('schedules');
+        return rows.map((r) => fromDbRow(r));
+    }
+    async getStats() {
+        const knex = this.getKnex();
+        // MSSQL uses 1/0 for booleans; PostgreSQL/MySQL accept both true/1
+        const boolTrue = this.driver === 'mssql' ? '1' : 'true';
+        const boolFalse = this.driver === 'mssql' ? '0' : 'false';
+        const result = await knex('schedules')
+            .select(knex.raw('COUNT(*) as total'), knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"), knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"), knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"), knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"), knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`), knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`))
+            .first();
+        return {
+            total: Number(result.total) || 0,
+            active: Number(result.active) || 0,
+            paused: Number(result.paused) || 0,
+            completed: Number(result.completed) || 0,
+            failed: Number(result.failed) || 0,
+            recurring: Number(result.recurring) || 0,
+            oneTime: Number(result.one_time) || 0,
+        };
+    }
+    async validateLimits(creatorId, isRecurring, limits) {
+        const knex = this.getKnex();
+        if (limits.maxGlobal) {
+            const result = await knex('schedules').count('* as cnt').first();
+            if (Number(result?.cnt) >= limits.maxGlobal) {
+                throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
+            }
+        }
+        if (limits.maxPerUser) {
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxPerUser) {
+                throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
+            }
+        }
+        if (isRecurring && limits.maxRecurringPerUser) {
+            const bTrue = this.driver === 'mssql' ? 1 : true;
+            const result = await knex('schedules')
+                .where('creator_id', creatorId)
+                .where('is_recurring', bTrue)
+                .count('* as cnt')
+                .first();
+            if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
+                throw new Error(`You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`);
+            }
+        }
+    }
+    // --- HA Distributed Locking (via scheduler_locks table) ---
+    async tryAcquireLock(lockId, nodeId, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const token = (0, uuid_1.v4)();
+        // Step 1: Try to claim an existing expired lock
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('expires_at', '<', now)
+            .update({
+            node_id: nodeId,
+            lock_token: token,
+            acquired_at: now,
+            expires_at: expiresAt,
+        });
+        if (updated > 0)
+            return token;
+        // Step 2: Try to INSERT a new lock row
+        try {
+            await knex('scheduler_locks').insert({
+                lock_id: lockId,
+                node_id: nodeId,
+                lock_token: token,
+                acquired_at: now,
+                expires_at: expiresAt,
+            });
+            return token;
+        }
+        catch {
+            // Unique constraint violation — another node holds the lock
+            return null;
+        }
+    }
+    async releaseLock(lockId, lockToken) {
+        const knex = this.getKnex();
+        await knex('scheduler_locks').where('lock_id', lockId).where('lock_token', lockToken).del();
+    }
+    async renewLock(lockId, lockToken, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1000;
+        const updated = await knex('scheduler_locks')
+            .where('lock_id', lockId)
+            .where('lock_token', lockToken)
+            .update({ acquired_at: now, expires_at: expiresAt });
+        return updated > 0;
+    }
+    async flush() {
+        // No-op for server-based backends
+    }
+    // --- Message Trigger CRUD ---
+    async createTrigger(trigger) {
+        const knex = this.getKnex();
+        const newTrigger = {
+            ...trigger,
+            id: (0, uuid_1.v4)(),
+            createdAt: Date.now(),
+        };
+        await knex('message_triggers').insert(toTriggerInsertRow(newTrigger));
+        logger_1.logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
+        return newTrigger;
+    }
+    async getTrigger(id) {
+        const knex = this.getKnex();
+        const row = await knex('message_triggers').where('id', id).first();
+        return row ? fromTriggerRow(row) : undefined;
+    }
+    async updateTrigger(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex('message_triggers').where('id', id).first();
+        if (!existing)
+            return undefined;
+        const current = fromTriggerRow(existing);
+        const updated = {
+            ...current,
+            ...patch,
+            id: current.id,
+            createdAt: current.createdAt,
+        };
+        const row = toTriggerInsertRow(updated);
+        delete row.id;
+        await knex('message_triggers').where('id', id).update(row);
+        return updated;
+    }
+    async deleteTrigger(id) {
+        const knex = this.getKnex();
+        const deleted = await knex('message_triggers').where('id', id).del();
+        if (deleted > 0) {
+            logger_1.logger.info(`[KnexStore] Deleted trigger ${id}`);
+            return true;
+        }
+        return false;
+    }
+    async getTriggersByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers').where('creator_id', creatorId);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+    async getActiveTriggers() {
+        const knex = this.getKnex();
+        const rows = await knex('message_triggers')
+            .where('status', 'active')
+            .where('enabled', this.driver === 'mssql' ? 1 : true);
+        return rows.map((r) => fromTriggerRow(r));
+    }
+}
+exports.KnexStoreBackend = KnexStoreBackend;
+
+
 /***/ }),
 
 /***/ 83864:
@@ -314610,6 +316414,10 @@ exports.configSchema = {
                         '^x-': {},
                     },
                 },
+                rate_limit: {
+                    $ref: '#/definitions/RateLimitConfig',
+                    description: 'Rate limiting configuration for HTTP/API tools',
+                },
                 workflow: {
                     type: 'string',
                     description: "Workflow ID (registry lookup) or file path (for type: 'workflow')",
@@ -314646,6 +316454,43 @@ exports.configSchema = {
                 type: 'string',
             },
         },
+        RateLimitConfig: {
+            type: 'object',
+            properties: {
+                key: {
+                    type: 'string',
+                    description: 'Shared bucket name; defaults to URL origin',
+                },
+                requests: {
+                    type: 'number',
+                    description: 'Max requests per window',
+                },
+                per: {
+                    type: 'string',
+                    enum: ['second', 'minute', 'hour'],
+                    description: 'Time window unit',
+                },
+                max_retries: {
+                    type: 'number',
+                    description: 'Max retries on 429 (default: 3)',
+                },
+                backoff: {
+                    type: 'string',
+                    enum: ['fixed', 'exponential'],
+                    description: 'Backoff strategy (default: exponential)',
+                },
+                initial_delay_ms: {
+                    type: 'number',
+                    description: 'Base delay for backoff in ms (default: 1000)',
+                },
+            },
+            required: ['requests', 'per'],
+            additionalProperties: false,
+            description: 'Rate limit configuration for HTTP/API requests.',
+            patternProperties: {
+                '^x-': {},
+            },
+        },
         WorkflowInput: {
             type: 'object',
             properties: {
@@ -314748,6 +316593,10 @@ exports.configSchema = {
                     $ref: '#/definitions/Record%3Cstring%2Cstring%3E',
                     description: 'HTTP headers',
                 },
+                rate_limit: {
+                    $ref: '#/definitions/RateLimitConfig',
+                    description: 'Rate limiting configuration for http_client checks',
+                },
                 endpoint: {
                     type: 'string',
                     description: 'HTTP endpoint path - required for http_input checks',
@@ -315149,7 +316998,7 @@ exports.configSchema = {
                     description: 'Arguments/inputs for the workflow',
                 },
                 overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E%3E',
                     description: 'Override specific step configurations in the workflow',
                 },
                 output_mapping: {
@@ -315165,7 +317014,7 @@ exports.configSchema = {
                     description: 'Config file path - alternative to workflow ID (loads a Visor config file as workflow)',
                 },
                 workflow_overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E%3E',
                     description: 'Alias for overrides - workflow step overrides (backward compatibility)',
                 },
                 ref: {
@@ -315867,7 +317716,7 @@ exports.configSchema = {
                     description: 'Custom output name (defaults to workflow name)',
                 },
                 overrides: {
-                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E%3E',
+                    $ref: '#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E%3E',
                     description: 'Step overrides',
                 },
                 output_mapping: {
@@ -315882,13 +317731,13 @@ exports.configSchema = {
                 '^x-': {},
             },
         },
-        'Record<string,Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090>>': {
+        'Record<string,Partial<interface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785>>': {
             type: 'object',
             additionalProperties: {
-                $ref: '#/definitions/Partial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090%3E',
+                $ref: '#/definitions/Partial%3Cinterface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785%3E',
             },
         },
-        'Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-57090>': {
+        'Partial<interface-src_types_config.ts-14532-29218-src_types_config.ts-0-57785>': {
             type: 'object',
             additionalProperties: false,
         },
@@ -319052,11 +320901,16 @@ const human_id_1 = __nccwpck_require__(30920);
 const logger_1 = __nccwpck_require__(86999);
 const footer_1 = __nccwpck_require__(6924);
 /**
- * Manages GitHub PR comments with dynamic updating capabilities
+ * Manages GitHub PR comments with dynamic updating capabilities.
+ * All write operations are serialized through an internal queue to prevent
+ * concurrent GitHub API calls from racing against each other.
  */
 class CommentManager {
     octokit;
     retryConfig;
+    // Serial write queue: chains all updateOrCreateComment calls so only one
+    // GitHub comment write is in-flight at a time within a job.
+    _writeQueue = Promise.resolve();
     constructor(octokit, retryConfig) {
         this.octokit = octokit;
         this.retryConfig = {
@@ -319097,6 +320951,16 @@ class CommentManager {
      * Update existing comment or create new one with collision detection
      */
     async updateOrCreateComment(owner, repo, prNumber, content, options = {}) {
+        // Serialize all comment writes through a single queue so only one
+        // GitHub API write is in-flight at a time, preventing races between
+        // concurrent checks updating the same or different comments.
+        return new Promise((resolve, reject) => {
+            this._writeQueue = this._writeQueue
+                .then(() => this._doUpdateOrCreate(owner, repo, prNumber, content, options))
+                .then(resolve, reject);
+        });
+    }
+    async _doUpdateOrCreate(owner, repo, prNumber, content, options = {}) {
         const { commentId = this.generateCommentId(), triggeredBy = 'unknown', allowConcurrentUpdates = false, commitSha, cachedGithubCommentId, } = options;
         return this.withRetry(async () => {
             // First try to find the comment via listComments API
@@ -323617,6 +325481,35 @@ class OutputFormatters {
 exports.OutputFormatters = OutputFormatters;
 
 
+/***/ }),
+
+/***/ 93866:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.DefaultPolicyEngine = void 0;
+/**
+ * Default (no-op) policy engine — always allows everything.
+ * Used when no enterprise license is present or policy is disabled.
+ */
+class DefaultPolicyEngine {
+    async initialize(_config) { }
+    async evaluateCheckExecution(_checkId, _checkConfig) {
+        return { allowed: true };
+    }
+    async evaluateToolInvocation(_serverName, _methodName, _transport) {
+        return { allowed: true };
+    }
+    async evaluateCapabilities(_checkId, _capabilities) {
+        return { allowed: true };
+    }
+    async shutdown() { }
+}
+exports.DefaultPolicyEngine = DefaultPolicyEngine;
+
+
 /***/ }),
 
 /***/ 96611:
@@ -326853,6 +328746,7 @@ const deepmerge_1 = __importDefault(__nccwpck_require__(2569));
 const jsonpath_plus_1 = __nccwpck_require__(55464);
 const minimatch_1 = __nccwpck_require__(46507);
 const logger_1 = __nccwpck_require__(86999);
+const rate_limiter_1 = __nccwpck_require__(56898);
 const HTTP_METHODS = new Set(['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace']);
 function isHttpUrl(value) {
     return value.startsWith('http://') || value.startsWith('https://');
@@ -327118,6 +329012,7 @@ function getApiToolConfig(tool) {
         securitySchemeName: tool.securitySchemeName ?? tool.security_scheme_name,
         securityCredentials: tool.securityCredentials || tool.security_credentials || {},
         requestTimeoutMs: tool.requestTimeoutMs ?? tool.request_timeout_ms ?? tool.timeout ?? 30000,
+        rateLimitConfig: tool.rate_limit,
     };
 }
 function buildOutputSchema(operation) {
@@ -327592,7 +329487,7 @@ async function executeMappedApiTool(mappedTool, args) {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), apiToolConfig.requestTimeoutMs);
     try {
-        const response = await fetch(endpoint.toString(), {
+        const response = await (0, rate_limiter_1.rateLimitedFetch)(endpoint.toString(), {
             method,
             headers,
             body: requestBodyValue === undefined
@@ -327601,7 +329496,7 @@ async function executeMappedApiTool(mappedTool, args) {
                     ? JSON.stringify(requestBodyValue)
                     : String(requestBodyValue),
             signal: controller.signal,
-        });
+        }, apiToolConfig.rateLimitConfig);
         const raw = await response.text();
         let body = raw;
         const contentType = response.headers.get('content-type') || '';
@@ -331581,6 +333476,7 @@ const sandbox_1 = __nccwpck_require__(12630);
 const template_context_1 = __nccwpck_require__(1581);
 const oauth2_token_cache_1 = __nccwpck_require__(34713);
 const logger_1 = __nccwpck_require__(86999);
+const rate_limiter_1 = __nccwpck_require__(56898);
 const fs = __importStar(__nccwpck_require__(79896));
 const path = __importStar(__nccwpck_require__(16928));
 /**
@@ -331758,12 +333654,13 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
             if (requestBody) {
                 logger_1.logger.verbose(`[http_client] Body: ${requestBody.substring(0, 500)}${requestBody.length > 500 ? '...' : ''}`);
             }
+            const rateLimitConfig = config.rate_limit;
             // If output_file is specified, download to file instead of returning data
             if (resolvedOutputFile) {
-                const fileResult = await this.downloadToFile(renderedUrl, method, resolvedHeaders, requestBody, timeout, resolvedOutputFile);
+                const fileResult = await this.downloadToFile(renderedUrl, method, resolvedHeaders, requestBody, timeout, resolvedOutputFile, rateLimitConfig);
                 return fileResult;
             }
-            const data = await this.fetchData(renderedUrl, method, resolvedHeaders, requestBody, timeout);
+            const data = await this.fetchData(renderedUrl, method, resolvedHeaders, requestBody, timeout, rateLimitConfig);
             // Apply Liquid transformation if specified
             let processedData = data;
             if (transform) {
@@ -331854,7 +333751,7 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
             };
         }
     }
-    async fetchData(url, method, headers, body, timeout = 30000) {
+    async fetchData(url, method, headers, body, timeout = 30000, rateLimitConfig) {
         // Check if fetch is available (Node 18+)
         if (typeof fetch === 'undefined') {
             throw new Error('HTTP client provider requires Node.js 18+ or node-fetch package');
@@ -331880,7 +333777,7 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
                     };
                 }
             }
-            const response = await fetch(url, requestOptions);
+            const response = await (0, rate_limiter_1.rateLimitedFetch)(url, requestOptions, rateLimitConfig);
             clearTimeout(timeoutId);
             logger_1.logger.verbose(`[http_client] Response: ${response.status} ${response.statusText}`);
             if (!response.ok) {
@@ -331919,7 +333816,7 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
             throw error;
         }
     }
-    async downloadToFile(url, method, headers, body, timeout, outputFile) {
+    async downloadToFile(url, method, headers, body, timeout, outputFile, rateLimitConfig) {
         // Check if fetch is available (Node 18+)
         if (typeof fetch === 'undefined') {
             throw new Error('HTTP client provider requires Node.js 18+ or node-fetch package');
@@ -331942,7 +333839,7 @@ class HttpClientProvider extends check_provider_interface_1.CheckProvider {
                     };
                 }
             }
-            const response = await fetch(url, requestOptions);
+            const response = await (0, rate_limiter_1.rateLimitedFetch)(url, requestOptions, rateLimitConfig);
             clearTimeout(timeoutId);
             if (!response.ok) {
                 return {
@@ -333883,6 +335780,7 @@ const schedule_tool_1 = __nccwpck_require__(13395);
 // Legacy Slack-specific imports for backwards compatibility
 const schedule_tool_handler_1 = __nccwpck_require__(28883);
 const env_resolver_1 = __nccwpck_require__(58749);
+const rate_limiter_1 = __nccwpck_require__(56898);
 /**
  * Check if a tool definition is an http_client tool
  */
@@ -334655,7 +336553,8 @@ class CustomToolsSSEServer {
                     resolvedHeaders['Content-Type'] = 'application/json';
                 }
             }
-            const response = await fetch(url, requestOptions);
+            const rateLimitConfig = tool.rate_limit;
+            const response = await (0, rate_limiter_1.rateLimitedFetch)(url, requestOptions, rateLimitConfig);
             clearTimeout(timeoutId);
             if (!response.ok) {
                 let errorBody = '';
@@ -336175,6 +338074,17 @@ class WorkflowCheckProvider extends check_provider_interface_1.CheckProvider {
         validateWorkflowDepth(currentDepth, maxDepth, workflow.id);
         // Project workflow to dependency graph
         const { config: workflowConfig, checks: checksMetadata } = projectWorkflowToGraph(workflow, inputs, config.checkName || workflow.id);
+        // Propagate parent check's timeout to nested workflow steps that don't define their own.
+        // This ensures that a parent `timeout: 120000` caps nested AI steps instead of them
+        // falling back to the 30-minute default.
+        const parentTimeout = config.timeout || config.ai?.timeout;
+        if (parentTimeout && workflowConfig.checks) {
+            for (const stepCfg of Object.values(workflowConfig.checks)) {
+                if (!stepCfg.timeout && !stepCfg.ai?.timeout) {
+                    stepCfg.timeout = parentTimeout;
+                }
+            }
+        }
         // Build isolated child engine context (separate journal/memory to avoid state contamination)
         // Reuse parent's memory config if available, but never the instance
         const parentMemoryCfg = (parentContext?.memory &&
@@ -346769,7 +348679,7 @@ class StateMachineExecutionEngine {
             try {
                 logger_1.logger.debug(`[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`);
                 // @ts-ignore — enterprise/ may not exist in OSS builds (caught at runtime)
-                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(7065)));
+                const { loadEnterprisePolicyEngine } = await Promise.resolve().then(() => __importStar(__nccwpck_require__(87068)));
                 context.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
                 logger_1.logger.debug(`[PolicyEngine] Initialized: ${context.policyEngine?.constructor?.name || 'unknown'}`);
             }
@@ -347803,7 +349713,12 @@ function buildEngineContextForRun(workingDirectory, config, prInfo, debug, maxPa
             async acquire(parentSessionId, _dbg, queueTimeout) {
                 // Use visor session ID if probe didn't provide one
                 const sid = parentSessionId || sessionId;
-                return fairLimiter.acquire(sid, _dbg, queueTimeout);
+                // ProbeAgent calls acquire(null) without queueTimeout, which defaults
+                // to 120s in FairConcurrencyLimiter — too short when AI checks take
+                // 5-30+ min and slots are occupied. Override to 0 (disabled) so the
+                // step/AI timeout governs cancellation instead.
+                const effectiveQueueTimeout = queueTimeout ?? 0;
+                return fairLimiter.acquire(sid, _dbg, effectiveQueueTimeout);
             },
             release(parentSessionId, _dbg) {
                 const sid = parentSessionId || sessionId;
@@ -351671,11 +353586,14 @@ async function executeCheckWithForEachItems(checkId, forEachParent, forEachItems
             // Evaluate assume contract for this iteration (design-by-contract)
             {
                 const assumeExpr = checkConfig?.assume;
-                if (assumeExpr) {
+                if (assumeExpr !== undefined && assumeExpr !== null) {
                     let ok = true;
                     try {
                         const evaluator = new failure_condition_evaluator_1.FailureConditionEvaluator();
-                        const exprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+                        const rawExprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+                        // Coerce non-string values (e.g., YAML boolean `true`) to strings
+                        // so they can be safely evaluated as JavaScript expressions.
+                        const exprs = rawExprs.map((e) => (typeof e === 'string' ? e : String(e)));
                         // Get conversation from execution context (TUI/CLI) or provider event context (Slack)
                         const conversation = context.executionContext?.conversation ||
                             providerConfig?.eventContext?.conversation;
@@ -352843,11 +354761,14 @@ async function executeSingleCheck(checkId, context, state, emitEvent, transition
         // Evaluate assume contract (design-by-contract) before executing
         {
             const assumeExpr = checkConfig?.assume;
-            if (assumeExpr) {
+            if (assumeExpr !== undefined && assumeExpr !== null) {
                 let ok = true;
                 try {
                     const evaluator = new failure_condition_evaluator_1.FailureConditionEvaluator();
-                    const exprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+                    const rawExprs = Array.isArray(assumeExpr) ? assumeExpr : [assumeExpr];
+                    // Coerce non-string values (e.g., YAML boolean `true`) to strings
+                    // so they can be safely evaluated as JavaScript expressions.
+                    const exprs = rawExprs.map((e) => (typeof e === 'string' ? e : String(e)));
                     // Get conversation from execution context (TUI/CLI) or provider event context (Slack)
                     const conversation = context.executionContext?.conversation ||
                         providerConfig?.eventContext?.conversation;
@@ -358513,7 +360434,7 @@ async function initTelemetry(opts = {}) {
                 const path = __nccwpck_require__(16928);
                 const outDir = opts.file?.dir ||
                     process.env.VISOR_TRACE_DIR ||
-                    __nccwpck_require__.ab + "traces";
+                    path.join(process.cwd(), 'output', 'traces');
                 fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
                 process.env.VISOR_FALLBACK_TRACE_FILE = path.join(outDir, `run-${ts}.ndjson`);
@@ -358763,7 +360684,7 @@ async function shutdownTelemetry() {
             if (process.env.VISOR_TRACE_REPORT === 'true') {
                 const fs = __nccwpck_require__(79896);
                 const path = __nccwpck_require__(16928);
-                const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+                const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
                 if (!fs.existsSync(outDir))
                     fs.mkdirSync(outDir, { recursive: true });
                 const ts = new Date().toISOString().replace(/[:.]/g, '-');
@@ -359314,7 +361235,7 @@ function __getOrCreateNdjsonPath() {
                 fs.mkdirSync(dir, { recursive: true });
             return __ndjsonPath;
         }
-        const outDir = process.env.VISOR_TRACE_DIR || __nccwpck_require__.ab + "traces";
+        const outDir = process.env.VISOR_TRACE_DIR || path.join(process.cwd(), 'output', 'traces');
         if (!fs.existsSync(outDir))
             fs.mkdirSync(outDir, { recursive: true });
         if (!__ndjsonPath) {
@@ -359794,7 +361715,7 @@ function expandConversationToFlow(testCase) {
                     transport,
                     thread: { id: threadId },
                     messages: [...currentMessages],
-                    current: { role: 'user', text: turn.text },
+                    current: { role: 'user', text: turn.text, ...(turn.user ? { user: turn.user } : {}) },
                 },
             },
             ...(turn.mocks ? { mocks: turn.mocks } : {}),
@@ -364260,6 +366181,7 @@ const schema = {
             properties: {
                 role: { type: 'string', enum: ['user', 'assistant'] },
                 text: { type: 'string' },
+                user: { type: 'string' },
                 mocks: {
                     type: 'object',
                     additionalProperties: {
@@ -370607,6 +372529,193 @@ class OAuth2TokenCache {
 exports.OAuth2TokenCache = OAuth2TokenCache;
 
 
+/***/ }),
+
+/***/ 56898:
+/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.RateLimiterRegistry = exports.TokenBucket = void 0;
+exports.resolveRateLimitKey = resolveRateLimitKey;
+exports.rateLimitedFetch = rateLimitedFetch;
+const logger_1 = __nccwpck_require__(86999);
+/**
+ * Token bucket rate limiter with FIFO wait queue.
+ */
+class TokenBucket {
+    tokens;
+    capacity;
+    refillRate; // tokens per ms
+    lastRefill;
+    waitQueue = [];
+    constructor(capacity, windowMs) {
+        this.capacity = capacity;
+        this.tokens = capacity;
+        this.refillRate = capacity / windowMs;
+        this.lastRefill = Date.now();
+    }
+    refill() {
+        const now = Date.now();
+        const elapsed = now - this.lastRefill;
+        const newTokens = elapsed * this.refillRate;
+        this.tokens = Math.min(this.capacity, this.tokens + newTokens);
+        this.lastRefill = now;
+    }
+    /**
+     * Non-blocking: try to consume one token.
+     */
+    tryConsume() {
+        this.refill();
+        if (this.tokens >= 1) {
+            this.tokens -= 1;
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Blocking: wait until a token is available, then consume it.
+     * Requests are served FIFO.
+     */
+    async acquire() {
+        if (this.tryConsume()) {
+            return;
+        }
+        // Calculate wait time for next token
+        const waitMs = Math.ceil((1 - this.tokens) / this.refillRate);
+        return new Promise(resolve => {
+            const entry = { resolve };
+            this.waitQueue.push(entry);
+            setTimeout(() => {
+                // Remove from queue
+                const idx = this.waitQueue.indexOf(entry);
+                if (idx >= 0) {
+                    this.waitQueue.splice(idx, 1);
+                }
+                this.refill();
+                if (this.tokens >= 1) {
+                    this.tokens -= 1;
+                }
+                resolve();
+            }, waitMs);
+        });
+    }
+}
+exports.TokenBucket = TokenBucket;
+function windowToMs(per) {
+    switch (per) {
+        case 'second':
+            return 1000;
+        case 'minute':
+            return 60_000;
+        case 'hour':
+            return 3_600_000;
+    }
+}
+const REGISTRY_KEY = Symbol.for('visor.rateLimiterRegistry');
+/**
+ * Global singleton registry of named token buckets.
+ */
+class RateLimiterRegistry {
+    buckets = new Map();
+    static getInstance() {
+        const g = globalThis;
+        if (!g[REGISTRY_KEY]) {
+            g[REGISTRY_KEY] = new RateLimiterRegistry();
+        }
+        return g[REGISTRY_KEY];
+    }
+    getOrCreate(key, config) {
+        let bucket = this.buckets.get(key);
+        if (!bucket) {
+            const windowMs = windowToMs(config.per);
+            bucket = new TokenBucket(config.requests, windowMs);
+            this.buckets.set(key, bucket);
+            logger_1.logger.verbose(`[rate-limiter] Created bucket "${key}": ${config.requests} req/${config.per}`);
+        }
+        return bucket;
+    }
+    cleanup() {
+        this.buckets.clear();
+    }
+}
+exports.RateLimiterRegistry = RateLimiterRegistry;
+/**
+ * Resolve the rate limit key from config and optional fallback URL.
+ */
+function resolveRateLimitKey(config, fallbackUrl) {
+    if (config.key) {
+        return config.key;
+    }
+    if (fallbackUrl) {
+        try {
+            const url = new URL(fallbackUrl);
+            return url.origin;
+        }
+        catch {
+            // not a valid URL, use as-is
+            return fallbackUrl;
+        }
+    }
+    return '__default__';
+}
+/**
+ * Rate-limited fetch wrapper.
+ *
+ * If rateLimitConfig is provided, acquires a token before making the request
+ * and retries on 429 responses with backoff.
+ *
+ * If no config is provided, behaves exactly like native fetch().
+ */
+async function rateLimitedFetch(url, options, rateLimitConfig) {
+    if (!rateLimitConfig) {
+        return fetch(url, options);
+    }
+    const key = resolveRateLimitKey(rateLimitConfig, url);
+    const registry = RateLimiterRegistry.getInstance();
+    const bucket = registry.getOrCreate(key, rateLimitConfig);
+    const maxRetries = rateLimitConfig.max_retries ?? 3;
+    const backoff = rateLimitConfig.backoff ?? 'exponential';
+    const initialDelay = rateLimitConfig.initial_delay_ms ?? 1000;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        // Acquire a token (waits if bucket is empty)
+        await bucket.acquire();
+        const response = await fetch(url, options);
+        if (response.status !== 429) {
+            return response;
+        }
+        // 429 — rate limited by server
+        if (attempt === maxRetries) {
+            logger_1.logger.warn(`[rate-limiter] Exhausted ${maxRetries} retries for ${url} (bucket: ${key})`);
+            return response;
+        }
+        // Calculate delay: respect Retry-After header if present
+        let delayMs;
+        const retryAfter = response.headers.get('retry-after');
+        if (retryAfter) {
+            const parsed = Number(retryAfter);
+            if (!isNaN(parsed)) {
+                // Retry-After in seconds
+                delayMs = parsed * 1000;
+            }
+            else {
+                // Retry-After as HTTP date
+                const date = new Date(retryAfter).getTime();
+                delayMs = Math.max(0, date - Date.now());
+            }
+        }
+        else {
+            delayMs = backoff === 'exponential' ? initialDelay * Math.pow(2, attempt) : initialDelay;
+        }
+        logger_1.logger.verbose(`[rate-limiter] 429 on ${url} (bucket: ${key}), retry ${attempt + 1}/${maxRetries} in ${delayMs}ms`);
+        await new Promise(resolve => setTimeout(resolve, delayMs));
+    }
+    // Should not reach here, but satisfy TypeScript
+    return fetch(url, options);
+}
+
+
 /***/ }),
 
 /***/ 12630:
@@ -375434,22 +377543,6 @@ class WorkflowRegistry {
 exports.WorkflowRegistry = WorkflowRegistry;
 
 
-/***/ }),
-
-/***/ 7065:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/loader");
-
-
-/***/ }),
-
-/***/ 71370:
-/***/ ((module) => {
-
-module.exports = eval("require")("./enterprise/policy/policy-input-builder");
-
-
 /***/ }),
 
 /***/ 18327:
@@ -475346,6 +477439,10 @@ var init_symbolEdit = __esm({
 });
 
 // src/tools/fileTracker.js
+function normalizePath(filePath) {
+  if (!filePath) return filePath;
+  return (0, import_path6.resolve)(filePath);
+}
 function computeContentHash(content) {
   const normalized = (content || "").split("\n").map((l) => l.trimEnd()).join("\n");
   return (0, import_crypto2.createHash)("sha256").update(normalized).digest("hex").slice(0, 16);
@@ -475408,10 +477505,11 @@ var init_fileTracker = __esm({
        * @param {string} resolvedPath - Absolute path to the file
        */
       markFileSeen(resolvedPath) {
-        this._seenFiles.add(resolvedPath);
-        this._textEditCounts.set(resolvedPath, 0);
+        const normalized = normalizePath(resolvedPath);
+        this._seenFiles.add(normalized);
+        this._textEditCounts.set(normalized, 0);
         if (this.debug) {
-          console.error(`[FileTracker] Marked as seen: ${resolvedPath}`);
+          console.error(`[FileTracker] Marked as seen: ${normalized}`);
         }
       }
       /**
@@ -475420,7 +477518,7 @@ var init_fileTracker = __esm({
        * @returns {boolean}
        */
       isFileSeen(resolvedPath) {
-        return this._seenFiles.has(resolvedPath);
+        return this._seenFiles.has(normalizePath(resolvedPath));
       }
       /**
        * Store a content hash for a symbol in a file.
@@ -475432,7 +477530,7 @@ var init_fileTracker = __esm({
        * @param {string} [source='extract'] - How the content was obtained
        */
       trackSymbolContent(resolvedPath, symbolName, code, startLine, endLine, source = "extract") {
-        const key = `${resolvedPath}#${symbolName}`;
+        const key = `${normalizePath(resolvedPath)}#${symbolName}`;
         const contentHash = computeContentHash(code);
         this._contentRecords.set(key, {
           contentHash,
@@ -475453,7 +477551,7 @@ var init_fileTracker = __esm({
        * @returns {Object|null} The stored record or null
        */
       getSymbolRecord(resolvedPath, symbolName) {
-        return this._contentRecords.get(`${resolvedPath}#${symbolName}`) || null;
+        return this._contentRecords.get(`${normalizePath(resolvedPath)}#${symbolName}`) || null;
       }
       /**
        * Check if a symbol's current content matches what was stored.
@@ -475463,7 +477561,7 @@ var init_fileTracker = __esm({
        * @returns {{ok: boolean, reason?: string, message?: string}}
        */
       checkSymbolContent(resolvedPath, symbolName, currentCode) {
-        const key = `${resolvedPath}#${symbolName}`;
+        const key = `${normalizePath(resolvedPath)}#${symbolName}`;
         const record2 = this._contentRecords.get(key);
         if (!record2) {
           return { ok: true };
@@ -475540,7 +477638,7 @@ var init_fileTracker = __esm({
        * @returns {{ok: boolean, reason?: string, message?: string}}
        */
       checkBeforeEdit(resolvedPath) {
-        if (!this._seenFiles.has(resolvedPath)) {
+        if (!this._seenFiles.has(normalizePath(resolvedPath))) {
           return {
             ok: false,
             reason: "untracked",
@@ -475555,8 +477653,9 @@ var init_fileTracker = __esm({
        * @param {string} resolvedPath - Absolute path to the file
        */
       async trackFileAfterWrite(resolvedPath) {
-        this._seenFiles.add(resolvedPath);
-        this.invalidateFileRecords(resolvedPath);
+        const normalized = normalizePath(resolvedPath);
+        this._seenFiles.add(normalized);
+        this.invalidateFileRecords(normalized);
       }
       /**
        * Record a text-mode edit (old_string/new_string) to a file.
@@ -475564,10 +477663,11 @@ var init_fileTracker = __esm({
        * @param {string} resolvedPath - Absolute path to the file
        */
       recordTextEdit(resolvedPath) {
-        const count = (this._textEditCounts.get(resolvedPath) || 0) + 1;
-        this._textEditCounts.set(resolvedPath, count);
+        const normalized = normalizePath(resolvedPath);
+        const count = (this._textEditCounts.get(normalized) || 0) + 1;
+        this._textEditCounts.set(normalized, count);
         if (this.debug) {
-          console.error(`[FileTracker] Text edit #${count} for ${resolvedPath}`);
+          console.error(`[FileTracker] Text edit #${count} for ${normalized}`);
         }
       }
       /**
@@ -475576,7 +477676,7 @@ var init_fileTracker = __esm({
        * @returns {{ok: boolean, editCount?: number, message?: string}}
        */
       checkTextEditStaleness(resolvedPath) {
-        const count = this._textEditCounts.get(resolvedPath) || 0;
+        const count = this._textEditCounts.get(normalizePath(resolvedPath)) || 0;
         if (count >= this.maxConsecutiveTextEdits) {
           return {
             ok: false,
@@ -475605,7 +477705,7 @@ var init_fileTracker = __esm({
        * @param {string} resolvedPath - Absolute path to the file
        */
       invalidateFileRecords(resolvedPath) {
-        const prefix = resolvedPath + "#";
+        const prefix = normalizePath(resolvedPath) + "#";
         for (const key of this._contentRecords.keys()) {
           if (key.startsWith(prefix)) {
             this._contentRecords.delete(key);
@@ -475621,7 +477721,7 @@ var init_fileTracker = __esm({
        * @returns {boolean}
        */
       isTracked(resolvedPath) {
-        return this.isFileSeen(resolvedPath);
+        return this.isFileSeen(normalizePath(resolvedPath));
       }
       /**
        * Clear all tracking state.
@@ -479674,7 +481774,7 @@ var init_esm3 = __esm({
 });
 
 // node_modules/path-scurry/dist/esm/index.js
-var import_node_path, import_node_url, import_fs4, actualFS, import_promises, realpathSync2, defaultFS, fsFromOption, uncDriveRegexp, uncToDrive, eitherSep, UNKNOWN, IFIFO, IFCHR, IFDIR, IFBLK, IFREG, IFLNK, IFSOCK, IFMT, IFMT_UNKNOWN, READDIR_CALLED, LSTAT_CALLED, ENOTDIR, ENOENT, ENOREADLINK, ENOREALPATH, ENOCHILD, TYPEMASK, entToType, normalizeCache, normalize, normalizeNocaseCache, normalizeNocase, ResolveCache, ChildrenCache, setAsCwd, PathBase, PathWin32, PathPosix, PathScurryBase, PathScurryWin32, PathScurryPosix, PathScurryDarwin, Path, PathScurry;
+var import_node_path, import_node_url, import_fs4, actualFS, import_promises, realpathSync2, defaultFS, fsFromOption, uncDriveRegexp, uncToDrive, eitherSep, UNKNOWN, IFIFO, IFCHR, IFDIR, IFBLK, IFREG, IFLNK, IFSOCK, IFMT, IFMT_UNKNOWN, READDIR_CALLED, LSTAT_CALLED, ENOTDIR, ENOENT, ENOREADLINK, ENOREALPATH, ENOCHILD, TYPEMASK, entToType, normalizeCache, normalize2, normalizeNocaseCache, normalizeNocase, ResolveCache, ChildrenCache, setAsCwd, PathBase, PathWin32, PathPosix, PathScurryBase, PathScurryWin32, PathScurryPosix, PathScurryDarwin, Path, PathScurry;
 var init_esm4 = __esm({
   "node_modules/path-scurry/dist/esm/index.js"() {
     init_esm2();
@@ -479729,7 +481829,7 @@ var init_esm4 = __esm({
     TYPEMASK = 1023;
     entToType = (s) => s.isFile() ? IFREG : s.isDirectory() ? IFDIR : s.isSymbolicLink() ? IFLNK : s.isCharacterDevice() ? IFCHR : s.isBlockDevice() ? IFBLK : s.isSocket() ? IFSOCK : s.isFIFO() ? IFIFO : UNKNOWN;
     normalizeCache = /* @__PURE__ */ new Map();
-    normalize = (s) => {
+    normalize2 = (s) => {
       const c = normalizeCache.get(s);
       if (c)
         return c;
@@ -479742,7 +481842,7 @@ var init_esm4 = __esm({
       const c = normalizeNocaseCache.get(s);
       if (c)
         return c;
-      const n = normalize(s.toLowerCase());
+      const n = normalize2(s.toLowerCase());
       normalizeNocaseCache.set(s, n);
       return n;
     };
@@ -479909,7 +482009,7 @@ var init_esm4 = __esm({
        */
       constructor(name15, type = UNKNOWN, root2, roots, nocase, children, opts) {
         this.name = name15;
-        this.#matchName = nocase ? normalizeNocase(name15) : normalize(name15);
+        this.#matchName = nocase ? normalizeNocase(name15) : normalize2(name15);
         this.#type = type & TYPEMASK;
         this.nocase = nocase;
         this.roots = roots;
@@ -480002,7 +482102,7 @@ var init_esm4 = __esm({
           return this.parent || this;
         }
         const children = this.children();
-        const name15 = this.nocase ? normalizeNocase(pathPart) : normalize(pathPart);
+        const name15 = this.nocase ? normalizeNocase(pathPart) : normalize2(pathPart);
         for (const p of children) {
           if (p.#matchName === name15) {
             return p;
@@ -480247,7 +482347,7 @@ var init_esm4 = __esm({
        * directly.
        */
       isNamed(n) {
-        return !this.nocase ? this.#matchName === normalize(n) : this.#matchName === normalizeNocase(n);
+        return !this.nocase ? this.#matchName === normalize2(n) : this.#matchName === normalizeNocase(n);
       }
       /**
        * Return the Path object corresponding to the target of a symbolic link.
@@ -480386,7 +482486,7 @@ var init_esm4 = __esm({
       #readdirMaybePromoteChild(e, c) {
         for (let p = c.provisional; p < c.length; p++) {
           const pchild = c[p];
-          const name15 = this.nocase ? normalizeNocase(e.name) : normalize(e.name);
+          const name15 = this.nocase ? normalizeNocase(e.name) : normalize2(e.name);
           if (name15 !== pchild.#matchName) {
             continue;
           }
@@ -501703,7 +503803,7 @@ var init_graph_builder = __esm({
       applyLinkStyles() {
         if (!this.pendingLinkStyles.length || !this.edges.length)
           return;
-        const normalize3 = (s) => {
+        const normalize4 = (s) => {
           const out = {};
           for (const [kRaw, vRaw] of Object.entries(s)) {
             const k = kRaw.trim().toLowerCase();
@@ -501724,7 +503824,7 @@ var init_graph_builder = __esm({
           return out;
         };
         for (const cmd of this.pendingLinkStyles) {
-          const style = normalize3(cmd.props);
+          const style = normalize4(cmd.props);
           for (const idx of cmd.indices) {
             if (idx >= 0 && idx < this.edges.length) {
               const e = this.edges[idx];
@@ -508991,7 +511091,7 @@ var require_layout = __commonJS({
     "use strict";
     var _ = require_lodash2();
     var acyclic = require_acyclic();
-    var normalize3 = require_normalize();
+    var normalize4 = require_normalize();
     var rank = require_rank();
     var normalizeRanks = require_util().normalizeRanks;
     var parentDummyChains = require_parent_dummy_chains();
@@ -509053,7 +511153,7 @@ var require_layout = __commonJS({
         removeEdgeLabelProxies(g);
       });
       time3("    normalize.run", function() {
-        normalize3.run(g);
+        normalize4.run(g);
       });
       time3("    parentDummyChains", function() {
         parentDummyChains(g);
@@ -509080,7 +511180,7 @@ var require_layout = __commonJS({
         removeBorderNodes(g);
       });
       time3("    normalize.undo", function() {
-        normalize3.undo(g);
+        normalize4.undo(g);
       });
       time3("    fixupEdgeLabelCoords", function() {
         fixupEdgeLabelCoords(g);
@@ -515451,8 +517551,8 @@ var require_resolve = __commonJS({
       }
       return count;
     }
-    function getFullPath(resolver, id = "", normalize3) {
-      if (normalize3 !== false)
+    function getFullPath(resolver, id = "", normalize4) {
+      if (normalize4 !== false)
         id = normalizeId(id);
       const p = resolver.parse(id);
       return _getFullPath(resolver, p);
@@ -516792,7 +518892,7 @@ var require_fast_uri = __commonJS({
     "use strict";
     var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizeComponentEncoding, isIPv4, nonSimpleDomain } = require_utils();
     var { SCHEMES, getSchemeHandler } = require_schemes();
-    function normalize3(uri, options) {
+    function normalize4(uri, options) {
       if (typeof uri === "string") {
         uri = /** @type {T} */
         serialize(parse11(uri, options), options);
@@ -517028,7 +519128,7 @@ var require_fast_uri = __commonJS({
     }
     var fastUri = {
       SCHEMES,
-      normalize: normalize3,
+      normalize: normalize4,
       resolve: resolve9,
       resolveComponent,
       equal,
@@ -521235,9 +523335,9 @@ If the solution is clear, you can jump to implementation right away. If not, ask
 - Do not add code comments unless the logic is genuinely complex and non-obvious.
 
 # Before Implementation
-- Focus on high-level design patterns and system organization
-- Identify architectural patterns and component relationships
-- Evaluate system structure and suggest architectural improvements
+- Read tests first \u2014 find existing test files for the module you're changing. They reveal expected behavior, edge cases, and the project's testing patterns.
+- Read neighboring files \u2014 understand naming conventions, error handling patterns, import style, and existing utilities before creating new ones.
+- Trace the call chain \u2014 follow how the code you're changing is called and what depends on it. Check interfaces, types, and consumers.
 - Focus on backward compatibility
 - Consider scalability, maintainability, and extensibility in your analysis
 
@@ -521262,6 +523362,20 @@ Before building or testing, determine the project's toolchain:
 - Read README for build/test instructions if the above are unclear
 - Common patterns: \`make build\`/\`make test\`, \`npm run build\`/\`npm test\`, \`cargo build\`/\`cargo test\`, \`go build ./...\`/\`go test ./...\`, \`python -m pytest\`
 
+# File Editing Rules
+You have access to the \`edit\`, \`create\`, and \`multi_edit\` tools for modifying files. You MUST use these tools for ALL code changes. They are purpose-built, atomic, and safe.
+
+DO NOT use sed, awk, echo/cat redirection, or heredocs to modify source code. These commands cause real damage in practice: truncated lines, duplicate code blocks, broken syntax. Every bad edit wastes iterations on fix-up commits.
+
+Use the right tool:
+1. To MODIFY existing code \u2192 \`edit\` tool (old_string \u2192 new_string, or start_line/end_line)
+2. To CREATE a new file \u2192 \`create\` tool
+3. To CHANGE multiple files at once \u2192 \`multi_edit\` tool
+4. To READ code \u2192 \`extract\` or \`search\` tools
+5. If \`edit\` fails with "file has not been read yet" \u2192 use \`extract\` with the EXACT same file path you will pass to \`edit\`. Relative vs absolute path mismatch causes this error. Use the same path format consistently. If it still fails, use bash \`cat\` to read the file, then use \`create\` to write the entire modified file. Do NOT fall back to sed.
+
+Bash is fine for: formatters (gofmt, prettier, black), build/test/lint commands, git operations, and read-only file inspection (cat, head, tail). sed/awk should ONLY be used for trivial non-code tasks (e.g., config file tweaks) where the replacement is a simple literal string swap.
+
 # During Implementation
 - Always create a new branch before making changes to the codebase.
 - Fix problems at the root cause, not with surface-level patches. Prefer general solutions over special cases.
@@ -521288,6 +523402,22 @@ Before committing or creating a PR, run through this checklist:
 
 Do NOT skip verification. Do NOT proceed to PR creation with a broken build or failing tests.
 
+# Output Integrity
+Your final output MUST accurately reflect what ACTUALLY happened. Do NOT fabricate, hallucinate, or report aspirational results.
+
+- Only report PR URLs you actually created or updated with \`gh pr create\` or \`git push\`. If you checked out an existing PR but did NOT push changes to it, do NOT claim you updated it.
+- Describe what you ACTUALLY DID, not what you planned or intended to do. If you ran out of iterations, say so. If tests failed, say so.
+- Only list files you actually modified AND committed.
+- If you could not complete the task \u2014 ran out of iterations, tests failed, build broken, push rejected \u2014 report the real reason honestly.
+
+NEVER claim success when:
+- You did not run \`git push\` successfully
+- Tests failed and you did not fix them
+- You hit the iteration limit before completing the work
+- You only analyzed/investigated but did not implement changes
+
+A false success report is WORSE than an honest failure \u2014 it misleads the user into thinking work is done when it is not.
+
 # GitHub Integration
 - Use the \`gh\` CLI for all GitHub operations: issues, pull requests, checks, releases.
 - To view issues or PRs: \`gh issue view <number>\`, \`gh pr view <number>\`.
@@ -549490,7 +551620,7 @@ var init_vercel = __esm({
         name: "search",
         description: searchDelegate ? searchDelegateDescription : searchDescription,
         inputSchema: searchSchema,
-        execute: async ({ query: searchQuery, path: path9, allow_tests, exact, maxTokens: paramMaxTokens, language, session, nextPage }) => {
+        execute: async ({ query: searchQuery, path: path9, allow_tests, exact, maxTokens: paramMaxTokens, language, session, nextPage, workingDirectory }) => {
           if (!exact && searchQuery) {
             const originalQuery = searchQuery;
             searchQuery = autoQuoteSearchTerms(searchQuery);
@@ -549499,18 +551629,19 @@ var init_vercel = __esm({
             }
           }
           const effectiveMaxTokens = paramMaxTokens || maxTokens;
+          const effectiveSearchCwd = workingDirectory || options.cwd || ".";
           let searchPaths;
           if (path9) {
-            searchPaths = parseAndResolvePaths(path9, options.cwd);
+            searchPaths = parseAndResolvePaths(path9, effectiveSearchCwd);
           }
           if (!searchPaths || searchPaths.length === 0) {
-            searchPaths = [options.cwd || "."];
+            searchPaths = [effectiveSearchCwd];
           }
           const searchPath = searchPaths.join(" ");
           const searchOptions = {
             query: searchQuery,
             path: searchPath,
-            cwd: options.cwd,
+            cwd: effectiveSearchCwd,
             // Working directory for resolving relative paths
             allowTests: allow_tests ?? true,
             exact,
@@ -549561,7 +551692,7 @@ var init_vercel = __esm({
             try {
               const result = maybeAnnotate(await runRawSearch());
               if (options.fileTracker && typeof result === "string") {
-                options.fileTracker.trackFilesFromOutput(result, options.cwd || ".").catch(() => {
+                options.fileTracker.trackFilesFromOutput(result, effectiveSearchCwd).catch(() => {
                 });
               }
               return result;
@@ -549614,7 +551745,7 @@ var init_vercel = __esm({
               }
               const fallbackResult = maybeAnnotate(await runRawSearch());
               if (options.fileTracker && typeof fallbackResult === "string") {
-                options.fileTracker.trackFilesFromOutput(fallbackResult, options.cwd || ".").catch(() => {
+                options.fileTracker.trackFilesFromOutput(fallbackResult, effectiveSearchCwd).catch(() => {
                 });
               }
               return fallbackResult;
@@ -549677,7 +551808,7 @@ var init_vercel = __esm({
             try {
               const fallbackResult2 = maybeAnnotate(await runRawSearch());
               if (options.fileTracker && typeof fallbackResult2 === "string") {
-                options.fileTracker.trackFilesFromOutput(fallbackResult2, options.cwd || ".").catch(() => {
+                options.fileTracker.trackFilesFromOutput(fallbackResult2, effectiveSearchCwd).catch(() => {
                 });
               }
               return fallbackResult2;
@@ -549731,9 +551862,9 @@ var init_vercel = __esm({
         name: "extract",
         description: extractDescription,
         inputSchema: extractSchema,
-        execute: async ({ targets, input_content, line, end_line, allow_tests, context_lines, format }) => {
+        execute: async ({ targets, input_content, line, end_line, allow_tests, context_lines, format, workingDirectory }) => {
           try {
-            const effectiveCwd = options.cwd || ".";
+            const effectiveCwd = workingDirectory || options.cwd || ".";
             if (debug) {
               if (targets) {
                 console.error(`Executing extract with targets: "${targets}", cwd: "${effectiveCwd}", context lines: ${context_lines || 10}`);
@@ -608863,7 +610994,7 @@ module.exports = /*#__PURE__*/JSON.parse('["aaa","aarp","abb","abbott","abbvie",
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.177","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@grammyjs/runner":"^2.0.3","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#23c4bb611f7d05f3cb8c523917b5f57103e48108","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/api-logs":"^0.203.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-logs-otlp-http":"^0.203.0","@opentelemetry/exporter-metrics-otlp-http":"^0.203.0","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-logs":"^0.203.0","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc292","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","botbuilder":"^4.23.3","botframework-connector":"^4.23.3","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","grammy":"^1.41.1","ignore":"^7.0.5","imapflow":"^1.2.12","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","mailparser":"^3.9.3","minimatch":"^10.2.2","node-cron":"^3.0.3","nodemailer":"^8.0.1","open":"^9.1.0","resend":"^6.9.3","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/mailparser":"^3.4.6","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/nodemailer":"^7.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@probelabs/visor","version":"0.1.42","main":"dist/index.js","bin":{"visor":"./dist/index.js"},"exports":{".":{"require":"./dist/index.js","import":"./dist/index.js"},"./sdk":{"types":"./dist/sdk/sdk.d.ts","import":"./dist/sdk/sdk.mjs","require":"./dist/sdk/sdk.js"},"./cli":{"require":"./dist/index.js"}},"files":["dist/","defaults/","action.yml","README.md","LICENSE"],"publishConfig":{"access":"public","registry":"https://registry.npmjs.org/"},"scripts":{"build:cli":"ncc build src/index.ts -o dist && cp -r defaults dist/ && cp -r output dist/ && cp -r docs dist/ && cp -r examples dist/ && cp -r src/debug-visualizer/ui dist/debug-visualizer/ && node scripts/inject-version.js && echo \'#!/usr/bin/env node\' | cat - dist/index.js > temp && mv temp dist/index.js && chmod +x dist/index.js","build:sdk":"tsup src/sdk.ts --dts --sourcemap --format esm,cjs --out-dir dist/sdk","build":"./scripts/build-oss.sh","build:ee":"npm run build:cli && npm run build:sdk","test":"jest && npm run test:yaml","test:unit":"jest","prepublishOnly":"npm run build","test:watch":"jest --watch","test:coverage":"jest --coverage","test:ee":"jest --testPathPatterns=\'tests/ee\' --testPathIgnorePatterns=\'/node_modules/\' --no-coverage","test:manual:bash":"RUN_MANUAL_TESTS=true jest tests/manual/bash-config-manual.test.ts","lint":"eslint src tests --ext .ts","lint:fix":"eslint src tests --ext .ts --fix","format":"prettier --write src tests","format:check":"prettier --check src tests","clean":"","clean:traces":"node scripts/clean-traces.js","prebuild":"npm run clean && node scripts/generate-config-schema.js","pretest":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","pretest:unit":"npm run clean:traces && node scripts/generate-config-schema.js && npm run build:cli","test:with-build":"npm run build:cli && jest","test:yaml":"node dist/index.js test --progress compact","test:yaml:parallel":"node dist/index.js test --progress compact --max-parallel 4","prepare":"husky","pre-commit":"lint-staged","deploy:site":"cd site && npx wrangler pages deploy . --project-name=visor-site --commit-dirty=true","deploy:worker":"npx wrangler deploy","deploy":"npm run deploy:site && npm run deploy:worker","publish:ee":"./scripts/publish-ee.sh","release":"./scripts/release.sh","release:patch":"./scripts/release.sh patch","release:minor":"./scripts/release.sh minor","release:major":"./scripts/release.sh major","release:prerelease":"./scripts/release.sh prerelease","docs:validate":"node scripts/validate-readme-links.js","workshop:setup":"npm install -D reveal-md@6.1.2","workshop:serve":"cd workshop && reveal-md slides.md -w","workshop:export":"reveal-md workshop/slides.md --static workshop/build","workshop:pdf":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter","workshop:pdf:ci":"reveal-md workshop/slides.md --print workshop/Visor-Workshop.pdf --print-size letter --puppeteer-launch-args=\\"--no-sandbox --disable-dev-shm-usage\\"","workshop:pdf:a4":"reveal-md workshop/slides.md --print workshop/Visor-Workshop-A4.pdf --print-size A4","workshop:build":"npm run workshop:export && npm run workshop:pdf","simulate:issue":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issues --action opened --debug","simulate:comment":"TS_NODE_TRANSPILE_ONLY=1 ts-node scripts/simulate-gh-run.ts --event issue_comment --action created --debug"},"keywords":["code-review","ai","github-action","cli","pr-review","visor"],"author":"Probe Labs","license":"MIT","description":"AI workflow engine for code review, assistants, and automation — orchestrate checks, MCP tools, and AI providers with YAML-driven pipelines","repository":{"type":"git","url":"git+https://github.com/probelabs/visor.git"},"bugs":{"url":"https://github.com/probelabs/visor/issues"},"homepage":"https://github.com/probelabs/visor#readme","dependencies":{"@actions/core":"^1.11.1","@apidevtools/swagger-parser":"^12.1.0","@grammyjs/runner":"^2.0.3","@modelcontextprotocol/sdk":"^1.25.3","@nyariv/sandboxjs":"github:probelabs/SandboxJS#23c4bb611f7d05f3cb8c523917b5f57103e48108","@octokit/action":"^8.0.2","@octokit/auth-app":"^8.1.0","@octokit/core":"^7.0.3","@octokit/rest":"^22.0.0","@opentelemetry/api":"^1.9.0","@opentelemetry/api-logs":"^0.203.0","@opentelemetry/core":"^1.30.1","@opentelemetry/exporter-logs-otlp-http":"^0.203.0","@opentelemetry/exporter-metrics-otlp-http":"^0.203.0","@opentelemetry/exporter-trace-otlp-grpc":"^0.203.0","@opentelemetry/exporter-trace-otlp-http":"^0.203.0","@opentelemetry/instrumentation":"^0.203.0","@opentelemetry/resources":"^1.30.1","@opentelemetry/sdk-logs":"^0.203.0","@opentelemetry/sdk-metrics":"^1.30.1","@opentelemetry/sdk-node":"^0.203.0","@opentelemetry/sdk-trace-base":"^1.30.1","@opentelemetry/semantic-conventions":"^1.30.1","@probelabs/probe":"^0.6.0-rc293","@types/commander":"^2.12.0","@types/uuid":"^10.0.0","acorn":"^8.16.0","acorn-walk":"^8.3.5","ajv":"^8.17.1","ajv-formats":"^3.0.1","better-sqlite3":"^11.0.0","blessed":"^0.1.81","botbuilder":"^4.23.3","botframework-connector":"^4.23.3","cli-table3":"^0.6.5","commander":"^14.0.0","deepmerge":"^4.3.1","dotenv":"^17.2.3","grammy":"^1.41.1","ignore":"^7.0.5","imapflow":"^1.2.12","js-yaml":"^4.1.0","jsonpath-plus":"^10.4.0","liquidjs":"^10.21.1","mailparser":"^3.9.3","minimatch":"^10.2.2","node-cron":"^3.0.3","nodemailer":"^8.0.1","open":"^9.1.0","resend":"^6.9.3","simple-git":"^3.28.0","uuid":"^11.1.0","ws":"^8.18.3"},"optionalDependencies":{"@anthropic/claude-code-sdk":"npm:null@*","@open-policy-agent/opa-wasm":"^1.10.0","knex":"^3.1.0","mysql2":"^3.11.0","pg":"^8.13.0","tedious":"^19.0.0"},"devDependencies":{"@eslint/js":"^9.34.0","@kie/act-js":"^2.6.2","@kie/mock-github":"^2.0.1","@swc/core":"^1.13.2","@swc/jest":"^0.2.37","@types/better-sqlite3":"^7.6.0","@types/blessed":"^0.1.27","@types/jest":"^30.0.0","@types/js-yaml":"^4.0.9","@types/mailparser":"^3.4.6","@types/node":"^24.3.0","@types/node-cron":"^3.0.11","@types/nodemailer":"^7.0.11","@types/ws":"^8.18.1","@typescript-eslint/eslint-plugin":"^8.42.0","@typescript-eslint/parser":"^8.42.0","@vercel/ncc":"^0.38.4","eslint":"^9.34.0","eslint-config-prettier":"^10.1.8","eslint-plugin-prettier":"^5.5.4","husky":"^9.1.7","jest":"^30.1.3","lint-staged":"^16.1.6","prettier":"^3.6.2","reveal-md":"^6.1.2","ts-json-schema-generator":"^1.5.1","ts-node":"^10.9.2","tsup":"^8.5.0","typescript":"^5.9.2","wrangler":"^3.0.0"},"peerDependenciesMeta":{"@anthropic/claude-code-sdk":{"optional":true}},"directories":{"test":"tests"},"lint-staged":{"src/**/*.{ts,js}":["eslint --fix","prettier --write"],"tests/**/*.{ts,js}":["eslint --fix","prettier --write"],"*.{json,md,yml,yaml}":["prettier --write"]}}');
 
 /***/ })