npm - @probelabs/visor - Versions diffs - 0.1.178 → 0.1.179-ee - Mend

@probelabs/visor 0.1.178 → 0.1.179-ee

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

package/dist/sdk/sdk.js CHANGED Viewed

@@ -704,7 +704,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@probelabs/visor",
-      version: "0.1.178",
+      version: "0.1.42",
       main: "dist/index.js",
       bin: {
         visor: "./dist/index.js"
@@ -823,7 +823,7 @@ var require_package = __commonJS({
         "@opentelemetry/sdk-node": "^0.203.0",
         "@opentelemetry/sdk-trace-base": "^1.30.1",
         "@opentelemetry/semantic-conventions": "^1.30.1",
-        "@probelabs/probe": "^0.6.0-rc293",
+        "@probelabs/probe": "^0.6.0-rc294",
         "@types/commander": "^2.12.0",
         "@types/uuid": "^10.0.0",
         acorn: "^8.16.0",
@@ -1152,11 +1152,11 @@ function getTracer() {
 }
 async function withActiveSpan(name, attrs, fn) {
   const tracer = getTracer();
-  return await new Promise((resolve15, reject) => {
+  return await new Promise((resolve20, reject) => {
     const callback = async (span) => {
       try {
         const res = await fn(span);
-        resolve15(res);
+        resolve20(res);
       } catch (err) {
         try {
           if (err instanceof Error) span.recordException(err);
@@ -1281,19 +1281,19 @@ function __getOrCreateNdjsonPath() {
   try {
     if (process.env.VISOR_TELEMETRY_SINK && process.env.VISOR_TELEMETRY_SINK !== "file")
       return null;
-    const path29 = require("path");
-    const fs25 = require("fs");
+    const path33 = require("path");
+    const fs29 = require("fs");
     if (process.env.VISOR_FALLBACK_TRACE_FILE) {
       __ndjsonPath = process.env.VISOR_FALLBACK_TRACE_FILE;
-      const dir = path29.dirname(__ndjsonPath);
-      if (!fs25.existsSync(dir)) fs25.mkdirSync(dir, { recursive: true });
+      const dir = path33.dirname(__ndjsonPath);
+      if (!fs29.existsSync(dir)) fs29.mkdirSync(dir, { recursive: true });
       return __ndjsonPath;
     }
-    const outDir = process.env.VISOR_TRACE_DIR || path29.join(process.cwd(), "output", "traces");
-    if (!fs25.existsSync(outDir)) fs25.mkdirSync(outDir, { recursive: true });
+    const outDir = process.env.VISOR_TRACE_DIR || path33.join(process.cwd(), "output", "traces");
+    if (!fs29.existsSync(outDir)) fs29.mkdirSync(outDir, { recursive: true });
     if (!__ndjsonPath) {
       const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      __ndjsonPath = path29.join(outDir, `${ts}.ndjson`);
+      __ndjsonPath = path33.join(outDir, `${ts}.ndjson`);
     }
     return __ndjsonPath;
   } catch {
@@ -1302,11 +1302,11 @@ function __getOrCreateNdjsonPath() {
 }
 function _appendRunMarker() {
   try {
-    const fs25 = require("fs");
+    const fs29 = require("fs");
     const p = __getOrCreateNdjsonPath();
     if (!p) return;
     const line = { name: "visor.run", attributes: { started: true } };
-    fs25.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
+    fs29.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
   } catch {
   }
 }
@@ -3393,7 +3393,7 @@ var init_failure_condition_evaluator = __esm({
        */
       evaluateExpression(condition, context2) {
         try {
-          const normalize4 = (expr) => {
+          const normalize8 = (expr) => {
             const trimmed = expr.trim();
             if (!/[\n;]/.test(trimmed)) return trimmed;
             const parts = trimmed.split(/[\n;]+/).map((s) => s.trim()).filter((s) => s.length > 0 && !s.startsWith("//"));
@@ -3551,7 +3551,7 @@ var init_failure_condition_evaluator = __esm({
           try {
             exec2 = this.sandbox.compile(`return (${raw});`);
           } catch {
-            const normalizedExpr = normalize4(condition);
+            const normalizedExpr = normalize8(condition);
             exec2 = this.sandbox.compile(`return (${normalizedExpr});`);
           }
           const result = exec2(scope).run();
@@ -3934,9 +3934,9 @@ function configureLiquidWithExtensions(liquid) {
   });
   liquid.registerFilter("get", (obj, pathExpr) => {
     if (obj == null) return void 0;
-    const path29 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
-    if (!path29) return obj;
-    const parts = path29.split(".");
+    const path33 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
+    if (!path33) return obj;
+    const parts = path33.split(".");
     let cur = obj;
     for (const p of parts) {
       if (cur == null) return void 0;
@@ -4055,9 +4055,9 @@ function configureLiquidWithExtensions(liquid) {
           }
         }
         const defaultRole = typeof rolesCfg.default === "string" && rolesCfg.default.trim() ? rolesCfg.default.trim() : void 0;
-        const getNested = (obj, path29) => {
-          if (!obj || !path29) return void 0;
-          const parts = path29.split(".");
+        const getNested = (obj, path33) => {
+          if (!obj || !path33) return void 0;
+          const parts = path33.split(".");
           let cur = obj;
           for (const p of parts) {
             if (cur == null) return void 0;
@@ -6609,8 +6609,8 @@ var init_dependency_gating = __esm({
 async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs29 = await import("fs/promises");
+    const path33 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" ? schemaRaw : "code-review";
     let templateContent;
@@ -6618,24 +6618,24 @@ async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
       templateContent = String(checkConfig.template.content);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path29.resolve(process.cwd(), file);
-      templateContent = await fs25.readFile(resolved, "utf-8");
+      const resolved = path33.resolve(process.cwd(), file);
+      templateContent = await fs29.readFile(resolved, "utf-8");
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path29.join(__dirname, "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source: output/
-          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path33.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path33.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs25.readFile(p, "utf-8");
+            templateContent = await fs29.readFile(p, "utf-8");
             if (templateContent) break;
           } catch {
           }
@@ -7040,7 +7040,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs25 = require("fs");
+    const fs29 = require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path6.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -7051,7 +7051,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs25.existsSync(candidatePath)) {
+      if (fs29.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -7158,7 +7158,7 @@ async function renderMermaidToPng(mermaidCode) {
     if (chromiumPath) {
       env.PUPPETEER_EXECUTABLE_PATH = chromiumPath;
     }
-    const result = await new Promise((resolve15) => {
+    const result = await new Promise((resolve20) => {
       const proc = (0, import_child_process.spawn)(
         "npx",
         [
@@ -7188,13 +7188,13 @@ async function renderMermaidToPng(mermaidCode) {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve15({ success: true });
+          resolve20({ success: true });
         } else {
-          resolve15({ success: false, error: stderr || `Exit code ${code}` });
+          resolve20({ success: false, error: stderr || `Exit code ${code}` });
         }
       });
       proc.on("error", (err) => {
-        resolve15({ success: false, error: err.message });
+        resolve20({ success: false, error: err.message });
       });
     });
     if (!result.success) {
@@ -8392,8 +8392,8 @@ ${schemaString}`);
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const provider = this.config.provider || "auto";
               const model = this.config.model || "default";
@@ -8507,20 +8507,20 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              if (!fs25.existsSync(debugArtifactsDir)) {
-                fs25.mkdirSync(debugArtifactsDir, { recursive: true });
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              if (!fs29.existsSync(debugArtifactsDir)) {
+                fs29.mkdirSync(debugArtifactsDir, { recursive: true });
               }
-              const debugFile = path29.join(
+              const debugFile = path33.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.json`
               );
-              fs25.writeFileSync(debugFile, debugJson, "utf-8");
-              const readableFile = path29.join(
+              fs29.writeFileSync(debugFile, debugJson, "utf-8");
+              const readableFile = path33.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.txt`
               );
-              fs25.writeFileSync(readableFile, readableVersion, "utf-8");
+              fs29.writeFileSync(readableFile, readableVersion, "utf-8");
               log(`
 \u{1F4BE} Full debug info saved to:`);
               log(`   JSON: ${debugFile}`);
@@ -8558,8 +8558,8 @@ ${"=".repeat(60)}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny2 = agent;
               let fullHistory = [];
@@ -8570,8 +8570,8 @@ ${"=".repeat(60)}
               } else if (agentAny2._messages) {
                 fullHistory = agentAny2._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path33.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8583,7 +8583,7 @@ ${"=".repeat(60)}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs29.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8610,7 +8610,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs29.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8619,11 +8619,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const responseFile = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const responseFile = path33.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8656,7 +8656,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs25.writeFileSync(responseFile, responseContent, "utf-8");
+              fs29.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8672,9 +8672,9 @@ ${"=".repeat(60)}
                 await agentAny._telemetryConfig.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs25 = require("fs");
-                  if (fs25.existsSync(agentAny._traceFilePath)) {
-                    const stats = fs25.statSync(agentAny._traceFilePath);
+                  const fs29 = require("fs");
+                  if (fs29.existsSync(agentAny._traceFilePath)) {
+                    const stats = fs29.statSync(agentAny._traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                     );
@@ -8887,9 +8887,9 @@ ${schemaString}`);
           const model = this.config.model || "default";
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
-              const os2 = require("os");
+              const fs29 = require("fs");
+              const path33 = require("path");
+              const os3 = require("os");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const debugData = {
                 timestamp,
@@ -8961,19 +8961,19 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const tempDir = os2.tmpdir();
-              const promptFile = path29.join(tempDir, `visor-prompt-${timestamp}.txt`);
-              fs25.writeFileSync(promptFile, prompt, "utf-8");
+              const tempDir = os3.tmpdir();
+              const promptFile = path33.join(tempDir, `visor-prompt-${timestamp}.txt`);
+              fs29.writeFileSync(promptFile, prompt, "utf-8");
               log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
               try {
-                const base = path29.join(
+                const base = path33.join(
                   debugArtifactsDir,
                   `prompt-${_checkName || "unknown"}-${timestamp}`
                 );
-                fs25.writeFileSync(base + ".json", debugJson, "utf-8");
-                fs25.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
+                fs29.writeFileSync(base + ".json", debugJson, "utf-8");
+                fs29.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
                 log(`
 \u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
               } catch {
@@ -9023,8 +9023,8 @@ $ ${cliCommand}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny = agent;
               let fullHistory = [];
@@ -9035,8 +9035,8 @@ $ ${cliCommand}
               } else if (agentAny._messages) {
                 fullHistory = agentAny._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path33.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -9048,7 +9048,7 @@ $ ${cliCommand}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs29.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -9075,7 +9075,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs29.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -9084,11 +9084,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const responseFile = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const responseFile = path33.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -9121,7 +9121,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs25.writeFileSync(responseFile, responseContent, "utf-8");
+              fs29.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -9139,9 +9139,9 @@ ${"=".repeat(60)}
                 await telemetry.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs25 = require("fs");
-                  if (fs25.existsSync(traceFilePath)) {
-                    const stats = fs25.statSync(traceFilePath);
+                  const fs29 = require("fs");
+                  if (fs29.existsSync(traceFilePath)) {
+                    const stats = fs29.statSync(traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                     );
@@ -9179,8 +9179,8 @@ ${"=".repeat(60)}
        * Load schema content from schema files or inline definitions
        */
       async loadSchemaContent(schema) {
-        const fs25 = require("fs").promises;
-        const path29 = require("path");
+        const fs29 = require("fs").promises;
+        const path33 = require("path");
         if (typeof schema === "object" && schema !== null) {
           log("\u{1F4CB} Using inline schema object from configuration");
           return JSON.stringify(schema);
@@ -9193,14 +9193,14 @@ ${"=".repeat(60)}
           }
         } catch {
         }
-        if ((schema.startsWith("./") || schema.includes(".json")) && !path29.isAbsolute(schema)) {
+        if ((schema.startsWith("./") || schema.includes(".json")) && !path33.isAbsolute(schema)) {
           if (schema.includes("..") || schema.includes("\0")) {
             throw new Error("Invalid schema path: path traversal not allowed");
           }
           try {
-            const schemaPath = path29.resolve(process.cwd(), schema);
+            const schemaPath = path33.resolve(process.cwd(), schema);
             log(`\u{1F4CB} Loading custom schema from file: ${schemaPath}`);
-            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs29.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch (error) {
             throw new Error(
@@ -9214,22 +9214,22 @@ ${"=".repeat(60)}
         }
         const candidatePaths = [
           // GitHub Action bundle location
-          path29.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
+          path33.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
           // Historical fallback when src/output was inadvertently bundled as output1/
-          path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
+          path33.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
           // Local dev (repo root)
-          path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
+          path33.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
         ];
         for (const schemaPath of candidatePaths) {
           try {
-            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs29.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch {
           }
         }
-        const distPath = path29.join(__dirname, "output", sanitizedSchemaName, "schema.json");
-        const distAltPath = path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
-        const cwdPath = path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const distPath = path33.join(__dirname, "output", sanitizedSchemaName, "schema.json");
+        const distAltPath = path33.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
+        const cwdPath = path33.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         throw new Error(
           `Failed to load schema '${sanitizedSchemaName}'. Tried: ${distPath}, ${distAltPath}, and ${cwdPath}. Ensure build copies 'output/' into dist (build:cli), or provide a custom schema file/path.`
         );
@@ -9471,7 +9471,7 @@ ${"=".repeat(60)}
        * Generate mock response for testing
        */
       async generateMockResponse(_prompt, _checkName, _schema) {
-        await new Promise((resolve15) => setTimeout(resolve15, 500));
+        await new Promise((resolve20) => setTimeout(resolve20, 500));
         const name = (_checkName || "").toLowerCase();
         if (name.includes("extract-facts")) {
           const arr = Array.from({ length: 6 }, (_, i) => ({
@@ -9832,7 +9832,7 @@ var init_command_executor = __esm({
        * Execute command with stdin input
        */
       executeWithStdin(command, options) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve20, reject) => {
           const childProcess = (0, import_child_process2.exec)(
             command,
             {
@@ -9844,7 +9844,7 @@ var init_command_executor = __esm({
               if (error && error.killed && (error.code === "ETIMEDOUT" || error.signal === "SIGTERM")) {
                 reject(new Error(`Command timed out after ${options.timeout || 3e4}ms`));
               } else {
-                resolve15({
+                resolve20({
                   stdout: stdout || "",
                   stderr: stderr || "",
                   exitCode: error ? error.code || 1 : 0
@@ -9973,7 +9973,7 @@ async function rateLimitedFetch(url, options, rateLimitConfig) {
     logger.verbose(
       `[rate-limiter] 429 on ${url} (bucket: ${key}), retry ${attempt + 1}/${maxRetries} in ${delayMs}ms`
     );
-    await new Promise((resolve15) => setTimeout(resolve15, delayMs));
+    await new Promise((resolve20) => setTimeout(resolve20, delayMs));
   }
   return fetch(url, options);
 }
@@ -10022,8 +10022,8 @@ var init_rate_limiter = __esm({
           return;
         }
         const waitMs = Math.ceil((1 - this.tokens) / this.refillRate);
-        return new Promise((resolve15) => {
-          const entry = { resolve: resolve15 };
+        return new Promise((resolve20) => {
+          const entry = { resolve: resolve20 };
           this.waitQueue.push(entry);
           setTimeout(() => {
             const idx = this.waitQueue.indexOf(entry);
@@ -10034,7 +10034,7 @@ var init_rate_limiter = __esm({
             if (this.tokens >= 1) {
               this.tokens -= 1;
             }
-            resolve15();
+            resolve20();
           }, waitMs);
         });
       }
@@ -18851,17 +18851,17 @@ var init_workflow_check_provider = __esm({
        * so it can be executed by the state machine as a nested workflow.
        */
       async loadWorkflowFromConfigPath(sourcePath, baseDir) {
-        const path29 = require("path");
-        const fs25 = require("fs");
+        const path33 = require("path");
+        const fs29 = require("fs");
         const yaml5 = require("js-yaml");
-        const resolved = path29.isAbsolute(sourcePath) ? sourcePath : path29.resolve(baseDir, sourcePath);
-        if (!fs25.existsSync(resolved)) {
+        const resolved = path33.isAbsolute(sourcePath) ? sourcePath : path33.resolve(baseDir, sourcePath);
+        if (!fs29.existsSync(resolved)) {
           throw new Error(`Workflow config not found at: ${resolved}`);
         }
-        const rawContent = fs25.readFileSync(resolved, "utf8");
+        const rawContent = fs29.readFileSync(resolved, "utf8");
         const rawData = yaml5.load(rawContent);
         if (rawData.imports && Array.isArray(rawData.imports)) {
-          const configDir = path29.dirname(resolved);
+          const configDir = path33.dirname(resolved);
           for (const source of rawData.imports) {
             const results = await this.registry.import(source, {
               basePath: configDir,
@@ -18891,8 +18891,8 @@ ${errors}`);
         if (!steps || Object.keys(steps).length === 0) {
           throw new Error(`Config '${resolved}' does not contain any steps to execute as a workflow`);
         }
-        const id = path29.basename(resolved).replace(/\.(ya?ml)$/i, "");
-        const name = loaded.name || `Workflow from ${path29.basename(resolved)}`;
+        const id = path33.basename(resolved).replace(/\.(ya?ml)$/i, "");
+        const name = loaded.name || `Workflow from ${path33.basename(resolved)}`;
         const workflowDef = {
           id,
           name,
@@ -19701,8 +19701,8 @@ async function createStoreBackend(storageConfig, haConfig) {
     case "mssql": {
       try {
         const loaderPath = "../../enterprise/loader";
-        const { loadEnterpriseStoreBackend } = await import(loaderPath);
-        return await loadEnterpriseStoreBackend(driver, storageConfig, haConfig);
+        const { loadEnterpriseStoreBackend: loadEnterpriseStoreBackend2 } = await import(loaderPath);
+        return await loadEnterpriseStoreBackend2(driver, storageConfig, haConfig);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         logger.error(`[StoreFactory] Failed to load enterprise ${driver} backend: ${msg}`);
@@ -20341,10 +20341,28 @@ async function trackExecution(opts, executor) {
   );
   try {
     const result = await executor();
+    let responseText = "Execution completed";
+    try {
+      const history = result?.reviewSummary?.history;
+      if (history) {
+        for (const outputs of Object.values(history)) {
+          if (!Array.isArray(outputs)) continue;
+          for (const out of outputs) {
+            const text = out?.text;
+            if (typeof text === "string" && text.trim().length > 0) {
+              responseText = text.trim();
+              break;
+            }
+          }
+          if (responseText !== "Execution completed") break;
+        }
+      }
+    } catch {
+    }
     const completedMsg = {
       message_id: import_crypto2.default.randomUUID(),
       role: "agent",
-      parts: [{ text: "Execution completed" }]
+      parts: [{ text: responseText }]
     };
     taskStore.updateTaskState(task.id, "completed", completedMsg);
     logger.info(`[TaskTracking] Task ${task.id} completed`);
@@ -22397,7 +22415,7 @@ var init_mcp_custom_sse_server = __esm({
        * Returns the actual bound port number
        */
       async start() {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve20, reject) => {
           try {
             this.server = import_http.default.createServer((req, res) => {
               this.handleRequest(req, res).catch((error) => {
@@ -22431,7 +22449,7 @@ var init_mcp_custom_sse_server = __esm({
                 );
               }
               this.startKeepalive();
-              resolve15(this.port);
+              resolve20(this.port);
             });
           } catch (error) {
             reject(error);
@@ -22494,7 +22512,7 @@ var init_mcp_custom_sse_server = __esm({
             logger.debug(
               `[CustomToolsSSEServer:${this.sessionId}] Grace period before stop: ${waitMs}ms (activeToolCalls=${this.activeToolCalls})`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, waitMs));
+            await new Promise((resolve20) => setTimeout(resolve20, waitMs));
           }
         }
         if (this.activeToolCalls > 0) {
@@ -22503,7 +22521,7 @@ var init_mcp_custom_sse_server = __esm({
             `[CustomToolsSSEServer:${this.sessionId}] Waiting for ${this.activeToolCalls} active tool call(s) before stop`
           );
           while (this.activeToolCalls > 0 && Date.now() - startedAt < effectiveDrainTimeoutMs) {
-            await new Promise((resolve15) => setTimeout(resolve15, 250));
+            await new Promise((resolve20) => setTimeout(resolve20, 250));
           }
           if (this.activeToolCalls > 0) {
             logger.warn(
@@ -22528,21 +22546,21 @@ var init_mcp_custom_sse_server = __esm({
         }
         this.connections.clear();
         if (this.server) {
-          await new Promise((resolve15, reject) => {
+          await new Promise((resolve20, reject) => {
             const timeout = setTimeout(() => {
               if (this.debug) {
                 logger.debug(
                   `[CustomToolsSSEServer:${this.sessionId}] Force closing server after timeout`
                 );
               }
-              this.server?.close(() => resolve15());
+              this.server?.close(() => resolve20());
             }, 5e3);
             this.server.close((error) => {
               clearTimeout(timeout);
               if (error) {
                 reject(error);
               } else {
-                resolve15();
+                resolve20();
               }
             });
           });
@@ -22999,7 +23017,7 @@ var init_mcp_custom_sse_server = __esm({
               logger.warn(
                 `[CustomToolsSSEServer:${this.sessionId}] Tool ${toolName} failed (attempt ${attempt + 1}/${retryCount + 1}): ${errorMsg}. Retrying in ${delay}ms`
               );
-              await new Promise((resolve15) => setTimeout(resolve15, delay));
+              await new Promise((resolve20) => setTimeout(resolve20, delay));
               attempt++;
             }
           }
@@ -23472,9 +23490,9 @@ var init_ai_check_provider = __esm({
           } else {
             resolvedPath = import_path8.default.resolve(process.cwd(), str);
           }
-          const fs25 = require("fs").promises;
+          const fs29 = require("fs").promises;
           try {
-            const stat2 = await fs25.stat(resolvedPath);
+            const stat2 = await fs29.stat(resolvedPath);
             return stat2.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -23858,45 +23876,44 @@ ${preview}`);
         const aiConfig = {};
         if (config.ai) {
           const aiAny2 = config.ai;
+          const resolveLiquid = async (val) => {
+            if (typeof val !== "string" || !val.includes("{{")) return void 0;
+            try {
+              return (await this.liquidEngine.parseAndRender(val, {
+                inputs: config.workflowInputs || {},
+                env: process.env
+              })).trim();
+            } catch {
+              return void 0;
+            }
+          };
+          const resolveBool = async (val) => {
+            const resolved = await resolveLiquid(val) ?? val;
+            if (typeof resolved === "boolean") return resolved;
+            if (typeof resolved === "string") return resolved === "true";
+            return !!resolved;
+          };
           const skipTransport = aiAny2.skip_transport_context === true;
           if (aiAny2.apiKey !== void 0) {
             aiConfig.apiKey = aiAny2.apiKey;
           }
           if (aiAny2.model !== void 0) {
-            let modelVal = String(aiAny2.model);
-            if (modelVal.includes("{{")) {
-              try {
-                const rendered = await this.liquidEngine.parseAndRender(modelVal, {
-                  inputs: config.workflowInputs || {},
-                  env: process.env
-                });
-                modelVal = rendered.trim();
-              } catch {
-              }
-            }
+            const modelVal = await resolveLiquid(aiAny2.model) ?? String(aiAny2.model);
             if (modelVal) {
               aiConfig.model = modelVal;
             }
           }
           if (aiAny2.timeout !== void 0) {
-            aiConfig.timeout = aiAny2.timeout;
+            const resolvedTimeout = await resolveLiquid(aiAny2.timeout) ?? aiAny2.timeout;
+            aiConfig.timeout = Number(resolvedTimeout);
           }
           if (aiAny2.max_iterations !== void 0 || aiAny2.maxIterations !== void 0) {
             const raw = aiAny2.max_iterations ?? aiAny2.maxIterations;
-            aiConfig.maxIterations = Number(raw);
+            const resolved = await resolveLiquid(raw) ?? raw;
+            aiConfig.maxIterations = Number(resolved);
           }
           if (aiAny2.provider !== void 0) {
-            let providerVal = String(aiAny2.provider);
-            if (providerVal.includes("{{")) {
-              try {
-                const rendered = await this.liquidEngine.parseAndRender(providerVal, {
-                  inputs: config.workflowInputs || {},
-                  env: process.env
-                });
-                providerVal = rendered.trim();
-              } catch {
-              }
-            }
+            const providerVal = await resolveLiquid(aiAny2.provider) ?? String(aiAny2.provider);
             if (providerVal) {
               aiConfig.provider = providerVal;
             }
@@ -23905,16 +23922,16 @@ ${preview}`);
             aiConfig.debug = aiAny2.debug;
           }
           if (aiAny2.enableDelegate !== void 0) {
-            aiConfig.enableDelegate = aiAny2.enableDelegate;
+            aiConfig.enableDelegate = await resolveBool(aiAny2.enableDelegate);
           }
           if (aiAny2.enableTasks !== void 0) {
-            aiConfig.enableTasks = aiAny2.enableTasks;
+            aiConfig.enableTasks = await resolveBool(aiAny2.enableTasks);
           }
           if (aiAny2.enableExecutePlan !== void 0) {
-            aiConfig.enableExecutePlan = aiAny2.enableExecutePlan;
+            aiConfig.enableExecutePlan = await resolveBool(aiAny2.enableExecutePlan);
           }
           if (aiAny2.allowEdit !== void 0) {
-            aiConfig.allowEdit = aiAny2.allowEdit;
+            aiConfig.allowEdit = await resolveBool(aiAny2.allowEdit);
           }
           if (aiAny2.allowedTools !== void 0) {
             aiConfig.allowedTools = aiAny2.allowedTools;
@@ -23923,20 +23940,20 @@ ${preview}`);
             );
           }
           if (aiAny2.disableTools !== void 0) {
-            aiConfig.disableTools = aiAny2.disableTools;
+            aiConfig.disableTools = await resolveBool(aiAny2.disableTools);
             this.logDebug(`[AI Provider] Read disableTools from YAML: ${aiAny2.disableTools}`);
           }
           if (aiAny2.allowBash !== void 0) {
-            aiConfig.allowBash = aiAny2.allowBash;
+            aiConfig.allowBash = await resolveBool(aiAny2.allowBash);
           }
           if (aiAny2.bashConfig !== void 0) {
             aiConfig.bashConfig = aiAny2.bashConfig;
           }
           if (aiAny2.search_delegate_provider !== void 0) {
-            aiConfig.search_delegate_provider = aiAny2.search_delegate_provider;
+            aiConfig.search_delegate_provider = await resolveLiquid(aiAny2.search_delegate_provider) ?? aiAny2.search_delegate_provider;
           }
           if (aiAny2.search_delegate_model !== void 0) {
-            aiConfig.search_delegate_model = aiAny2.search_delegate_model;
+            aiConfig.search_delegate_model = await resolveLiquid(aiAny2.search_delegate_model) ?? aiAny2.search_delegate_model;
           }
           if (aiAny2.completion_prompt !== void 0) {
             aiConfig.completionPrompt = aiAny2.completion_prompt;
@@ -24047,6 +24064,9 @@ ${preview}`);
         if (config.ai_max_iterations !== void 0 && aiConfig.maxIterations === void 0) {
           aiConfig.maxIterations = config.ai_max_iterations;
         }
+        if (aiConfig.maxIterations === void 0 || Number.isNaN(aiConfig.maxIterations)) {
+          aiConfig.maxIterations = 100;
+        }
         const sharedLimiter = sessionInfo?._parentContext?.sharedConcurrencyLimiter;
         if (sharedLimiter) {
           aiConfig.concurrencyLimiter = sharedLimiter;
@@ -29635,14 +29655,14 @@ var require_util = __commonJS({
         }
         const port = url.port != null ? url.port : url.protocol === "https:" ? 443 : 80;
         let origin = url.origin != null ? url.origin : `${url.protocol}//${url.hostname}:${port}`;
-        let path29 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
+        let path33 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
         if (origin.endsWith("/")) {
           origin = origin.substring(0, origin.length - 1);
         }
-        if (path29 && !path29.startsWith("/")) {
-          path29 = `/${path29}`;
+        if (path33 && !path33.startsWith("/")) {
+          path33 = `/${path33}`;
         }
-        url = new URL(origin + path29);
+        url = new URL(origin + path33);
       }
       return url;
     }
@@ -31256,20 +31276,20 @@ var require_parseParams = __commonJS({
 var require_basename = __commonJS({
   "node_modules/@fastify/busboy/lib/utils/basename.js"(exports2, module2) {
     "use strict";
-    module2.exports = function basename4(path29) {
-      if (typeof path29 !== "string") {
+    module2.exports = function basename4(path33) {
+      if (typeof path33 !== "string") {
         return "";
       }
-      for (var i = path29.length - 1; i >= 0; --i) {
-        switch (path29.charCodeAt(i)) {
+      for (var i = path33.length - 1; i >= 0; --i) {
+        switch (path33.charCodeAt(i)) {
           case 47:
           // '/'
           case 92:
-            path29 = path29.slice(i + 1);
-            return path29 === ".." || path29 === "." ? "" : path29;
+            path33 = path33.slice(i + 1);
+            return path33 === ".." || path33 === "." ? "" : path33;
         }
       }
-      return path29 === ".." || path29 === "." ? "" : path29;
+      return path33 === ".." || path33 === "." ? "" : path33;
     };
   }
 });
@@ -32273,11 +32293,11 @@ var require_util2 = __commonJS({
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
     var supportedHashes = [];
-    var crypto7;
+    var crypto9;
     try {
-      crypto7 = require("crypto");
+      crypto9 = require("crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto7.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
+      supportedHashes = crypto9.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
     } catch {
     }
     function responseURL(response) {
@@ -32554,7 +32574,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto7 === void 0) {
+      if (crypto9 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -32569,7 +32589,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto7.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto9.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -32662,8 +32682,8 @@ var require_util2 = __commonJS({
     function createDeferredPromise() {
       let res;
       let rej;
-      const promise = new Promise((resolve15, reject) => {
-        res = resolve15;
+      const promise = new Promise((resolve20, reject) => {
+        res = resolve20;
         rej = reject;
       });
       return { promise, resolve: res, reject: rej };
@@ -33916,8 +33936,8 @@ var require_body = __commonJS({
     var { parseMIMEType, serializeAMimeType } = require_dataURL();
     var random;
     try {
-      const crypto7 = require("crypto");
-      random = (max) => crypto7.randomInt(0, max);
+      const crypto9 = require("crypto");
+      random = (max) => crypto9.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -34168,8 +34188,8 @@ Content-Type: ${value.type || "application/octet-stream"}\r
                 });
               }
             });
-            const busboyResolve = new Promise((resolve15, reject) => {
-              busboy.on("finish", resolve15);
+            const busboyResolve = new Promise((resolve20, reject) => {
+              busboy.on("finish", resolve20);
               busboy.on("error", (err) => reject(new TypeError(err)));
             });
             if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk);
@@ -34300,7 +34320,7 @@ var require_request = __commonJS({
     }
     var Request2 = class _Request {
       constructor(origin, {
-        path: path29,
+        path: path33,
         method,
         body,
         headers,
@@ -34314,11 +34334,11 @@ var require_request = __commonJS({
         throwOnError,
         expectContinue
       }, handler) {
-        if (typeof path29 !== "string") {
+        if (typeof path33 !== "string") {
           throw new InvalidArgumentError("path must be a string");
-        } else if (path29[0] !== "/" && !(path29.startsWith("http://") || path29.startsWith("https://")) && method !== "CONNECT") {
+        } else if (path33[0] !== "/" && !(path33.startsWith("http://") || path33.startsWith("https://")) && method !== "CONNECT") {
           throw new InvalidArgumentError("path must be an absolute URL or start with a slash");
-        } else if (invalidPathRegex.exec(path29) !== null) {
+        } else if (invalidPathRegex.exec(path33) !== null) {
           throw new InvalidArgumentError("invalid request path");
         }
         if (typeof method !== "string") {
@@ -34381,7 +34401,7 @@ var require_request = __commonJS({
         this.completed = false;
         this.aborted = false;
         this.upgrade = upgrade || null;
-        this.path = query ? util.buildURL(path29, query) : path29;
+        this.path = query ? util.buildURL(path33, query) : path33;
         this.origin = origin;
         this.idempotent = idempotent == null ? method === "HEAD" || method === "GET" : idempotent;
         this.blocking = blocking == null ? false : blocking;
@@ -34703,9 +34723,9 @@ var require_dispatcher_base = __commonJS({
       }
       close(callback) {
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve20, reject) => {
             this.close((err, data) => {
-              return err ? reject(err) : resolve15(data);
+              return err ? reject(err) : resolve20(data);
             });
           });
         }
@@ -34743,12 +34763,12 @@ var require_dispatcher_base = __commonJS({
           err = null;
         }
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve20, reject) => {
             this.destroy(err, (err2, data) => {
               return err2 ? (
                 /* istanbul ignore next: should never error */
                 reject(err2)
-              ) : resolve15(data);
+              ) : resolve20(data);
             });
           });
         }
@@ -35389,9 +35409,9 @@ var require_RedirectHandler = __commonJS({
           return this.handler.onHeaders(statusCode, headers, resume, statusText);
         }
         const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)));
-        const path29 = search ? `${pathname}${search}` : pathname;
+        const path33 = search ? `${pathname}${search}` : pathname;
         this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin);
-        this.opts.path = path29;
+        this.opts.path = path33;
         this.opts.origin = origin;
         this.opts.maxRedirections = 0;
         this.opts.query = null;
@@ -35810,16 +35830,16 @@ var require_client = __commonJS({
         return this[kNeedDrain] < 2;
       }
       async [kClose]() {
-        return new Promise((resolve15) => {
+        return new Promise((resolve20) => {
           if (!this[kSize]) {
-            resolve15(null);
+            resolve20(null);
           } else {
-            this[kClosedResolve] = resolve15;
+            this[kClosedResolve] = resolve20;
           }
         });
       }
       async [kDestroy](err) {
-        return new Promise((resolve15) => {
+        return new Promise((resolve20) => {
           const requests = this[kQueue].splice(this[kPendingIdx]);
           for (let i = 0; i < requests.length; i++) {
             const request = requests[i];
@@ -35830,7 +35850,7 @@ var require_client = __commonJS({
               this[kClosedResolve]();
               this[kClosedResolve] = null;
             }
-            resolve15();
+            resolve20();
           };
           if (this[kHTTP2Session] != null) {
             util.destroy(this[kHTTP2Session], err);
@@ -36410,7 +36430,7 @@ var require_client = __commonJS({
         });
       }
       try {
-        const socket = await new Promise((resolve15, reject) => {
+        const socket = await new Promise((resolve20, reject) => {
           client[kConnector]({
             host,
             hostname,
@@ -36422,7 +36442,7 @@ var require_client = __commonJS({
             if (err) {
               reject(err);
             } else {
-              resolve15(socket2);
+              resolve20(socket2);
             }
           });
         });
@@ -36633,7 +36653,7 @@ var require_client = __commonJS({
         writeH2(client, client[kHTTP2Session], request);
         return;
       }
-      const { body, method, path: path29, host, upgrade, headers, blocking, reset } = request;
+      const { body, method, path: path33, host, upgrade, headers, blocking, reset } = request;
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
         body.read(0);
@@ -36683,7 +36703,7 @@ var require_client = __commonJS({
       if (blocking) {
         socket[kBlocking] = true;
       }
-      let header = `${method} ${path29} HTTP/1.1\r
+      let header = `${method} ${path33} HTTP/1.1\r
 `;
       if (typeof host === "string") {
         header += `host: ${host}\r
@@ -36746,7 +36766,7 @@ upgrade: ${upgrade}\r
       return true;
     }
     function writeH2(client, session, request) {
-      const { body, method, path: path29, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
+      const { body, method, path: path33, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
       let headers;
       if (typeof reqHeaders === "string") headers = Request2[kHTTP2CopyHeaders](reqHeaders.trim());
       else headers = reqHeaders;
@@ -36789,7 +36809,7 @@ upgrade: ${upgrade}\r
         });
         return true;
       }
-      headers[HTTP2_HEADER_PATH] = path29;
+      headers[HTTP2_HEADER_PATH] = path33;
       headers[HTTP2_HEADER_SCHEME] = "https";
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
@@ -37046,12 +37066,12 @@ upgrade: ${upgrade}\r
           cb();
         }
       }
-      const waitForDrain = () => new Promise((resolve15, reject) => {
+      const waitForDrain = () => new Promise((resolve20, reject) => {
         assert(callback === null);
         if (socket[kError]) {
           reject(socket[kError]);
         } else {
-          callback = resolve15;
+          callback = resolve20;
         }
       });
       if (client[kHTTPConnVersion] === "h2") {
@@ -37397,8 +37417,8 @@ var require_pool_base = __commonJS({
         if (this[kQueue].isEmpty()) {
           return Promise.all(this[kClients].map((c) => c.close()));
         } else {
-          return new Promise((resolve15) => {
-            this[kClosedResolve] = resolve15;
+          return new Promise((resolve20) => {
+            this[kClosedResolve] = resolve20;
           });
         }
       }
@@ -37976,7 +37996,7 @@ var require_readable = __commonJS({
         if (this.closed) {
           return Promise.resolve(null);
         }
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve20, reject) => {
           const signalListenerCleanup = signal ? util.addAbortListener(signal, () => {
             this.destroy();
           }) : noop;
@@ -37985,7 +38005,7 @@ var require_readable = __commonJS({
             if (signal && signal.aborted) {
               reject(signal.reason || Object.assign(new Error("The operation was aborted"), { name: "AbortError" }));
             } else {
-              resolve15(null);
+              resolve20(null);
             }
           }).on("error", noop).on("data", function(chunk) {
             limit -= chunk.length;
@@ -38007,11 +38027,11 @@ var require_readable = __commonJS({
         throw new TypeError("unusable");
       }
       assert(!stream[kConsume]);
-      return new Promise((resolve15, reject) => {
+      return new Promise((resolve20, reject) => {
         stream[kConsume] = {
           type,
           stream,
-          resolve: resolve15,
+          resolve: resolve20,
           reject,
           length: 0,
           body: []
@@ -38046,12 +38066,12 @@ var require_readable = __commonJS({
       }
     }
     function consumeEnd(consume2) {
-      const { type, body, resolve: resolve15, stream, length } = consume2;
+      const { type, body, resolve: resolve20, stream, length } = consume2;
       try {
         if (type === "text") {
-          resolve15(toUSVString(Buffer.concat(body)));
+          resolve20(toUSVString(Buffer.concat(body)));
         } else if (type === "json") {
-          resolve15(JSON.parse(Buffer.concat(body)));
+          resolve20(JSON.parse(Buffer.concat(body)));
         } else if (type === "arrayBuffer") {
           const dst = new Uint8Array(length);
           let pos = 0;
@@ -38059,12 +38079,12 @@ var require_readable = __commonJS({
             dst.set(buf, pos);
             pos += buf.byteLength;
           }
-          resolve15(dst.buffer);
+          resolve20(dst.buffer);
         } else if (type === "blob") {
           if (!Blob2) {
             Blob2 = require("buffer").Blob;
           }
-          resolve15(new Blob2(body, { type: stream[kContentType] }));
+          resolve20(new Blob2(body, { type: stream[kContentType] }));
         }
         consumeFinish(consume2);
       } catch (err) {
@@ -38321,9 +38341,9 @@ var require_api_request = __commonJS({
     };
     function request(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve20, reject) => {
           request.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve20(data);
           });
         });
       }
@@ -38496,9 +38516,9 @@ var require_api_stream = __commonJS({
     };
     function stream(opts, factory, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve20, reject) => {
           stream.call(this, opts, factory, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve20(data);
           });
         });
       }
@@ -38779,9 +38799,9 @@ var require_api_upgrade = __commonJS({
     };
     function upgrade(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve20, reject) => {
           upgrade.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve20(data);
           });
         });
       }
@@ -38870,9 +38890,9 @@ var require_api_connect = __commonJS({
     };
     function connect(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve20, reject) => {
           connect.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve20(data);
           });
         });
       }
@@ -39032,20 +39052,20 @@ var require_mock_utils = __commonJS({
       }
       return true;
     }
-    function safeUrl(path29) {
-      if (typeof path29 !== "string") {
-        return path29;
+    function safeUrl(path33) {
+      if (typeof path33 !== "string") {
+        return path33;
       }
-      const pathSegments = path29.split("?");
+      const pathSegments = path33.split("?");
       if (pathSegments.length !== 2) {
-        return path29;
+        return path33;
       }
       const qp = new URLSearchParams(pathSegments.pop());
       qp.sort();
       return [...pathSegments, qp.toString()].join("?");
     }
-    function matchKey(mockDispatch2, { path: path29, method, body, headers }) {
-      const pathMatch = matchValue(mockDispatch2.path, path29);
+    function matchKey(mockDispatch2, { path: path33, method, body, headers }) {
+      const pathMatch = matchValue(mockDispatch2.path, path33);
       const methodMatch = matchValue(mockDispatch2.method, method);
       const bodyMatch = typeof mockDispatch2.body !== "undefined" ? matchValue(mockDispatch2.body, body) : true;
       const headersMatch = matchHeaders(mockDispatch2, headers);
@@ -39063,7 +39083,7 @@ var require_mock_utils = __commonJS({
     function getMockDispatch(mockDispatches, key) {
       const basePath = key.query ? buildURL(key.path, key.query) : key.path;
       const resolvedPath = typeof basePath === "string" ? safeUrl(basePath) : basePath;
-      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path29 }) => matchValue(safeUrl(path29), resolvedPath));
+      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path33 }) => matchValue(safeUrl(path33), resolvedPath));
       if (matchedMockDispatches.length === 0) {
         throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`);
       }
@@ -39100,9 +39120,9 @@ var require_mock_utils = __commonJS({
       }
     }
     function buildKey(opts) {
-      const { path: path29, method, body, headers, query } = opts;
+      const { path: path33, method, body, headers, query } = opts;
       return {
-        path: path29,
+        path: path33,
         method,
         body,
         headers,
@@ -39551,10 +39571,10 @@ var require_pending_interceptors_formatter = __commonJS({
       }
       format(pendingInterceptors) {
         const withPrettyHeaders = pendingInterceptors.map(
-          ({ method, path: path29, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
+          ({ method, path: path33, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
             Method: method,
             Origin: origin,
-            Path: path29,
+            Path: path33,
             "Status code": statusCode,
             Persistent: persist ? "\u2705" : "\u274C",
             Invocations: timesInvoked,
@@ -42495,7 +42515,7 @@ var require_fetch = __commonJS({
       async function dispatch({ body }) {
         const url = requestCurrentURL(request);
         const agent = fetchParams.controller.dispatcher;
-        return new Promise((resolve15, reject) => agent.dispatch(
+        return new Promise((resolve20, reject) => agent.dispatch(
           {
             path: url.pathname + url.search,
             origin: url.origin,
@@ -42571,7 +42591,7 @@ var require_fetch = __commonJS({
                   }
                 }
               }
-              resolve15({
+              resolve20({
                 status,
                 statusText,
                 headersList: headers[kHeadersList],
@@ -42614,7 +42634,7 @@ var require_fetch = __commonJS({
                 const val = headersList[n + 1].toString("latin1");
                 headers[kHeadersList].append(key, val);
               }
-              resolve15({
+              resolve20({
                 status,
                 statusText: STATUS_CODES[status],
                 headersList: headers[kHeadersList],
@@ -44175,8 +44195,8 @@ var require_util6 = __commonJS({
         }
       }
     }
-    function validateCookiePath(path29) {
-      for (const char of path29) {
+    function validateCookiePath(path33) {
+      for (const char of path33) {
         const code = char.charCodeAt(0);
         if (code < 33 || char === ";") {
           throw new Error("Invalid cookie path");
@@ -44973,9 +44993,9 @@ var require_connection = __commonJS({
     channels.open = diagnosticsChannel.channel("undici:websocket:open");
     channels.close = diagnosticsChannel.channel("undici:websocket:close");
     channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error");
-    var crypto7;
+    var crypto9;
     try {
-      crypto7 = require("crypto");
+      crypto9 = require("crypto");
     } catch {
     }
     function establishWebSocketConnection(url, protocols, ws, onEstablish, options) {
@@ -44994,7 +45014,7 @@ var require_connection = __commonJS({
         const headersList = new Headers(options.headers)[kHeadersList];
         request.headersList = headersList;
       }
-      const keyValue = crypto7.randomBytes(16).toString("base64");
+      const keyValue = crypto9.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue);
       request.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -45023,7 +45043,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto7.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto9.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -45103,9 +45123,9 @@ var require_frame = __commonJS({
   "node_modules/undici/lib/websocket/frame.js"(exports2, module2) {
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
-    var crypto7;
+    var crypto9;
     try {
-      crypto7 = require("crypto");
+      crypto9 = require("crypto");
     } catch {
     }
     var WebsocketFrameSend = class {
@@ -45114,7 +45134,7 @@ var require_frame = __commonJS({
        */
       constructor(data) {
         this.frameData = data;
-        this.maskKey = crypto7.randomBytes(4);
+        this.maskKey = crypto9.randomBytes(4);
       }
       createFrame(opcode) {
         const bodyLength = this.frameData?.byteLength ?? 0;
@@ -45856,11 +45876,11 @@ var require_undici = __commonJS({
           if (typeof opts.path !== "string") {
             throw new InvalidArgumentError("invalid opts.path");
           }
-          let path29 = opts.path;
+          let path33 = opts.path;
           if (!opts.path.startsWith("/")) {
-            path29 = `/${path29}`;
+            path33 = `/${path33}`;
           }
-          url = new URL(util.parseOrigin(url).origin + path29);
+          url = new URL(util.parseOrigin(url).origin + path33);
         } else {
           if (!opts) {
             opts = typeof url === "object" ? url : {};
@@ -46429,7 +46449,7 @@ var init_mcp_check_provider = __esm({
             logger.warn(
               `MCP ${transportName} failed (attempt ${attempt + 1}/${maxRetries + 1}), retrying in ${delay}ms: ${error instanceof Error ? error.message : String(error)}`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, delay));
+            await new Promise((resolve20) => setTimeout(resolve20, delay));
             attempt += 1;
           } finally {
             try {
@@ -46722,7 +46742,7 @@ async function acquirePromptLock() {
     );
   }, 1e4);
   try {
-    await new Promise((resolve15) => waiters.push(resolve15));
+    await new Promise((resolve20) => waiters.push(resolve20));
   } finally {
     clearInterval(reminder);
     const waitedMs = Date.now() - queuedAt;
@@ -46741,7 +46761,7 @@ function releasePromptLock() {
 }
 async function interactivePrompt(options) {
   await acquirePromptLock();
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve20, reject) => {
     const dbg = process.env.VISOR_DEBUG === "true";
     try {
       if (dbg) {
@@ -46828,12 +46848,12 @@ async function interactivePrompt(options) {
     };
     const finish = (value) => {
       cleanup();
-      resolve15(value);
+      resolve20(value);
     };
     if (options.timeout && options.timeout > 0) {
       timeoutId = setTimeout(() => {
         cleanup();
-        if (defaultValue !== void 0) return resolve15(defaultValue);
+        if (defaultValue !== void 0) return resolve20(defaultValue);
         return reject(new Error("Input timeout"));
       }, options.timeout);
     }
@@ -46965,7 +46985,7 @@ async function interactivePrompt(options) {
   });
 }
 async function simplePrompt(prompt) {
-  return new Promise((resolve15) => {
+  return new Promise((resolve20) => {
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
@@ -46981,7 +47001,7 @@ async function simplePrompt(prompt) {
     rl.question(`${prompt}
 > `, (answer) => {
       rl.close();
-      resolve15(answer.trim());
+      resolve20(answer.trim());
     });
   });
 }
@@ -47149,7 +47169,7 @@ function isStdinAvailable() {
   return !process.stdin.isTTY;
 }
 async function readStdin(timeout, maxSize = 1024 * 1024) {
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve20, reject) => {
     let data = "";
     let timeoutId;
     if (timeout) {
@@ -47176,7 +47196,7 @@ async function readStdin(timeout, maxSize = 1024 * 1024) {
     };
     const onEnd = () => {
       cleanup();
-      resolve15(data.trim());
+      resolve20(data.trim());
     };
     const onError = (err) => {
       cleanup();
@@ -51895,23 +51915,23 @@ __export(renderer_schema_exports, {
 });
 async function loadRendererSchema(name) {
   try {
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs29 = await import("fs/promises");
+    const path33 = await import("path");
     const sanitized = String(name).replace(/[^a-zA-Z0-9-]/g, "");
     if (!sanitized) return void 0;
     const candidates = [
       // When bundled with ncc, __dirname is dist/ and output/ is at dist/output/
-      path29.join(__dirname, "output", sanitized, "schema.json"),
+      path33.join(__dirname, "output", sanitized, "schema.json"),
       // When running from source, __dirname is src/state-machine/dispatch/ and output/ is at output/
-      path29.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
+      path33.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
       // When running from a checkout with output/ folder copied to CWD
-      path29.join(process.cwd(), "output", sanitized, "schema.json"),
+      path33.join(process.cwd(), "output", sanitized, "schema.json"),
       // Fallback: cwd/dist/output/
-      path29.join(process.cwd(), "dist", "output", sanitized, "schema.json")
+      path33.join(process.cwd(), "dist", "output", sanitized, "schema.json")
     ];
     for (const p of candidates) {
       try {
-        const raw = await fs25.readFile(p, "utf-8");
+        const raw = await fs29.readFile(p, "utf-8");
         return JSON.parse(raw);
       } catch {
       }
@@ -54363,8 +54383,8 @@ function updateStats2(results, state, isForEachIteration = false) {
 async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs29 = await import("fs/promises");
+    const path33 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" && !schemaRaw.includes("{{") && !schemaRaw.includes("{%") ? schemaRaw : typeof schemaRaw === "object" ? "code-review" : "plain";
     let templateContent;
@@ -54373,27 +54393,27 @@ async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
       logger.debug(`[LevelDispatch] Using inline template for ${checkId}`);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path29.resolve(process.cwd(), file);
-      templateContent = await fs25.readFile(resolved, "utf-8");
+      const resolved = path33.resolve(process.cwd(), file);
+      templateContent = await fs29.readFile(resolved, "utf-8");
       logger.debug(`[LevelDispatch] Using template file for ${checkId}: ${resolved}`);
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path29.join(__dirname, "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source (from state-machine/states)
-          path29.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
           // source (alternate)
-          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path33.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path33.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs25.readFile(p, "utf-8");
+            templateContent = await fs29.readFile(p, "utf-8");
             if (templateContent) {
               logger.debug(`[LevelDispatch] Using schema template for ${checkId}: ${p}`);
               break;
@@ -56533,8 +56553,8 @@ var init_workspace_manager = __esm({
         );
         if (this.cleanupRequested && this.activeOperations === 0) {
           logger.debug(`[Workspace] All references released, proceeding with deferred cleanup`);
-          for (const resolve15 of this.cleanupResolvers) {
-            resolve15();
+          for (const resolve20 of this.cleanupResolvers) {
+            resolve20();
           }
           this.cleanupResolvers = [];
         }
@@ -56581,8 +56601,32 @@ var init_workspace_manager = __esm({
           configuredMainProjectName || this.extractProjectName(this.originalPath)
         );
         this.usedNames.add(mainProjectName);
-        const mainProjectPath = path25.join(this.workspacePath, mainProjectName);
+        let mainProjectPath = path25.join(this.workspacePath, mainProjectName);
         const isGitRepo = await this.isGitRepository(this.originalPath);
+        if (isGitRepo) {
+          try {
+            await commandExecutor.execute(`git -C ${shellEscape(this.originalPath)} worktree prune`, {
+              timeout: 15e3
+            });
+          } catch {
+          }
+        }
+        let subdirOffset = "";
+        if (isGitRepo) {
+          const gitRootResult = await commandExecutor.execute(
+            `git -C ${shellEscape(this.originalPath)} rev-parse --show-toplevel`,
+            { timeout: 5e3 }
+          );
+          if (gitRootResult.exitCode === 0) {
+            const gitRoot = gitRootResult.stdout.trim();
+            const normalizedOriginal = path25.resolve(this.originalPath);
+            const normalizedRoot = path25.resolve(gitRoot);
+            if (normalizedOriginal !== normalizedRoot) {
+              subdirOffset = path25.relative(normalizedRoot, normalizedOriginal);
+              logger.info(`[Workspace] Original path is a subdirectory of git repo: ${subdirOffset}`);
+            }
+          }
+        }
         if (isGitRepo) {
           const exists = await this.pathExists(mainProjectPath);
           if (exists) {
@@ -56616,6 +56660,18 @@ var init_workspace_manager = __esm({
             }
           }
         }
+        const worktreeRootPath = mainProjectPath;
+        if (subdirOffset) {
+          mainProjectPath = path25.join(mainProjectPath, subdirOffset);
+          logger.info(`[Workspace] Adjusted main project path to subdirectory: ${mainProjectPath}`);
+          const subdirExists = await this.pathExists(mainProjectPath);
+          if (!subdirExists) {
+            logger.warn(
+              `[Workspace] Subdirectory '${subdirOffset}' not found in worktree \u2014 falling back to worktree root`
+            );
+            mainProjectPath = path25.join(this.workspacePath, mainProjectName);
+          }
+        }
         try {
           const entries = await fsp2.readdir(this.workspacePath, { withFileTypes: true });
           for (const entry of entries) {
@@ -56631,7 +56687,8 @@ var init_workspace_manager = __esm({
           workspacePath: this.workspacePath,
           mainProjectPath,
           mainProjectName,
-          originalPath: this.originalPath
+          originalPath: this.originalPath,
+          worktreeRootPath
         };
         this.initialized = true;
         logger.info(`Workspace initialized: ${this.workspacePath}`);
@@ -56713,30 +56770,30 @@ var init_workspace_manager = __esm({
           );
           this.cleanupRequested = true;
           await Promise.race([
-            new Promise((resolve15) => {
+            new Promise((resolve20) => {
               if (this.activeOperations === 0) {
-                resolve15();
+                resolve20();
               } else {
-                this.cleanupResolvers.push(resolve15);
+                this.cleanupResolvers.push(resolve20);
               }
             }),
-            new Promise((resolve15) => {
+            new Promise((resolve20) => {
               setTimeout(() => {
                 logger.warn(
                   `[Workspace] Cleanup timeout after ${timeout}ms, proceeding anyway (${this.activeOperations} operations still active)`
                 );
-                resolve15();
+                resolve20();
               }, timeout);
             })
           ]);
         }
         try {
           if (this.mainProjectInfo) {
-            const mainProjectPath = this.mainProjectInfo.mainProjectPath;
+            const worktreePath = this.mainProjectInfo.worktreeRootPath || this.mainProjectInfo.mainProjectPath;
             try {
-              const stats = await fsp2.lstat(mainProjectPath);
+              const stats = await fsp2.lstat(worktreePath);
               if (!stats.isSymbolicLink()) {
-                await this.removeMainProjectWorktree(mainProjectPath);
+                await this.removeMainProjectWorktree(worktreePath);
               }
             } catch {
             }
@@ -57140,8 +57197,8 @@ var init_fair_concurrency_limiter = __esm({
         );
         const queuedAt = Date.now();
         const effectiveTimeout = queueTimeout ?? 12e4;
-        return new Promise((resolve15, reject) => {
-          const entry = { resolve: resolve15, reject, queuedAt };
+        return new Promise((resolve20, reject) => {
+          const entry = { resolve: resolve20, reject, queuedAt };
           entry.reminder = setInterval(() => {
             const waited = Math.round((Date.now() - queuedAt) / 1e3);
             const curQueued = this._totalQueued();
@@ -57449,6 +57506,1380 @@ var init_build_engine_context = __esm({
   }
 });
+// src/policy/default-engine.ts
+var DefaultPolicyEngine;
+var init_default_engine = __esm({
+  "src/policy/default-engine.ts"() {
+    "use strict";
+    DefaultPolicyEngine = class {
+      async initialize(_config) {
+      }
+      async evaluateCheckExecution(_checkId, _checkConfig) {
+        return { allowed: true };
+      }
+      async evaluateToolInvocation(_serverName, _methodName, _transport) {
+        return { allowed: true };
+      }
+      async evaluateCapabilities(_checkId, _capabilities) {
+        return { allowed: true };
+      }
+      async shutdown() {
+      }
+    };
+  }
+});
+// src/enterprise/license/validator.ts
+var validator_exports = {};
+__export(validator_exports, {
+  LicenseValidator: () => LicenseValidator
+});
+var crypto3, fs21, path26, LicenseValidator;
+var init_validator = __esm({
+  "src/enterprise/license/validator.ts"() {
+    "use strict";
+    crypto3 = __toESM(require("crypto"));
+    fs21 = __toESM(require("fs"));
+    path26 = __toESM(require("path"));
+    LicenseValidator = class _LicenseValidator {
+      /** Ed25519 public key for license verification (PEM format). */
+      static PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n-----END PUBLIC KEY-----\n";
+      cache = null;
+      static CACHE_TTL = 5 * 60 * 1e3;
+      // 5 minutes
+      static GRACE_PERIOD = 72 * 3600 * 1e3;
+      // 72 hours after expiry
+      /**
+       * Load and validate license from environment or file.
+       *
+       * Resolution order:
+       * 1. VISOR_LICENSE env var (JWT string)
+       * 2. VISOR_LICENSE_FILE env var (path to file)
+       * 3. .visor-license in project root (cwd)
+       * 4. .visor-license in ~/.config/visor/
+       */
+      async loadAndValidate() {
+        if (this.cache && Date.now() - this.cache.validatedAt < _LicenseValidator.CACHE_TTL) {
+          return this.cache.payload;
+        }
+        const token = this.resolveToken();
+        if (!token) return null;
+        const payload = this.verifyAndDecode(token);
+        if (!payload) return null;
+        this.cache = { payload, validatedAt: Date.now() };
+        return payload;
+      }
+      /** Check if a specific feature is licensed */
+      hasFeature(feature) {
+        if (!this.cache) return false;
+        return this.cache.payload.features.includes(feature);
+      }
+      /** Check if license is valid (with grace period) */
+      isValid() {
+        if (!this.cache) return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1e3;
+        return now < expiryMs + _LicenseValidator.GRACE_PERIOD;
+      }
+      /** Check if the license is within its grace period (expired but still valid) */
+      isInGracePeriod() {
+        if (!this.cache) return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1e3;
+        return now >= expiryMs && now < expiryMs + _LicenseValidator.GRACE_PERIOD;
+      }
+      resolveToken() {
+        if (process.env.VISOR_LICENSE) {
+          return process.env.VISOR_LICENSE.trim();
+        }
+        if (process.env.VISOR_LICENSE_FILE) {
+          const resolved = path26.resolve(process.env.VISOR_LICENSE_FILE);
+          const home2 = process.env.HOME || process.env.USERPROFILE || "";
+          const allowedPrefixes = [path26.normalize(process.cwd())];
+          if (home2) allowedPrefixes.push(path26.normalize(path26.join(home2, ".config", "visor")));
+          let realPath;
+          try {
+            realPath = fs21.realpathSync(resolved);
+          } catch {
+            return null;
+          }
+          const isSafe = allowedPrefixes.some(
+            (prefix) => realPath === prefix || realPath.startsWith(prefix + path26.sep)
+          );
+          if (!isSafe) return null;
+          return this.readFile(realPath);
+        }
+        const cwdPath = path26.join(process.cwd(), ".visor-license");
+        const cwdToken = this.readFile(cwdPath);
+        if (cwdToken) return cwdToken;
+        const home = process.env.HOME || process.env.USERPROFILE || "";
+        if (home) {
+          const configPath = path26.join(home, ".config", "visor", ".visor-license");
+          const configToken = this.readFile(configPath);
+          if (configToken) return configToken;
+        }
+        return null;
+      }
+      readFile(filePath) {
+        try {
+          return fs21.readFileSync(filePath, "utf-8").trim();
+        } catch {
+          return null;
+        }
+      }
+      verifyAndDecode(token) {
+        try {
+          const parts = token.split(".");
+          if (parts.length !== 3) return null;
+          const [headerB64, payloadB64, signatureB64] = parts;
+          const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
+          if (header.alg !== "EdDSA") return null;
+          const data = `${headerB64}.${payloadB64}`;
+          const signature = Buffer.from(signatureB64, "base64url");
+          const publicKey = crypto3.createPublicKey(_LicenseValidator.PUBLIC_KEY);
+          if (publicKey.asymmetricKeyType !== "ed25519") {
+            return null;
+          }
+          const isValid = crypto3.verify(null, Buffer.from(data), publicKey, signature);
+          if (!isValid) return null;
+          const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+          if (!payload.org || !Array.isArray(payload.features) || typeof payload.exp !== "number" || typeof payload.iat !== "number" || !payload.sub) {
+            return null;
+          }
+          const now = Date.now();
+          const expiryMs = payload.exp * 1e3;
+          if (now >= expiryMs + _LicenseValidator.GRACE_PERIOD) {
+            return null;
+          }
+          return payload;
+        } catch {
+          return null;
+        }
+      }
+    };
+  }
+});
+// src/enterprise/policy/opa-compiler.ts
+var fs22, path27, os2, crypto4, import_child_process8, OpaCompiler;
+var init_opa_compiler = __esm({
+  "src/enterprise/policy/opa-compiler.ts"() {
+    "use strict";
+    fs22 = __toESM(require("fs"));
+    path27 = __toESM(require("path"));
+    os2 = __toESM(require("os"));
+    crypto4 = __toESM(require("crypto"));
+    import_child_process8 = require("child_process");
+    OpaCompiler = class _OpaCompiler {
+      static CACHE_DIR = path27.join(os2.tmpdir(), "visor-opa-cache");
+      /**
+       * Resolve the input paths to WASM bytes.
+       *
+       * Strategy:
+       * 1. If any path is a .wasm file, read it directly
+       * 2. If a directory contains policy.wasm, read it
+       * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+       */
+      async resolveWasmBytes(paths) {
+        const regoFiles = [];
+        for (const p of paths) {
+          const resolved = path27.resolve(p);
+          if (path27.normalize(resolved).includes("..")) {
+            throw new Error(`Policy path contains traversal sequences: ${p}`);
+          }
+          if (resolved.endsWith(".wasm") && fs22.existsSync(resolved)) {
+            return fs22.readFileSync(resolved);
+          }
+          if (!fs22.existsSync(resolved)) continue;
+          const stat2 = fs22.statSync(resolved);
+          if (stat2.isDirectory()) {
+            const wasmCandidate = path27.join(resolved, "policy.wasm");
+            if (fs22.existsSync(wasmCandidate)) {
+              return fs22.readFileSync(wasmCandidate);
+            }
+            const files = fs22.readdirSync(resolved);
+            for (const f of files) {
+              if (f.endsWith(".rego")) {
+                regoFiles.push(path27.join(resolved, f));
+              }
+            }
+          } else if (resolved.endsWith(".rego")) {
+            regoFiles.push(resolved);
+          }
+        }
+        if (regoFiles.length === 0) {
+          throw new Error(
+            `OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(", ")}`
+          );
+        }
+        return this.compileRego(regoFiles);
+      }
+      /**
+       * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+       *
+       * Caches the compiled bundle based on a content hash of all input .rego files
+       * so subsequent runs skip compilation if policies haven't changed.
+       */
+      compileRego(regoFiles) {
+        try {
+          (0, import_child_process8.execFileSync)("opa", ["version"], { stdio: "pipe" });
+        } catch {
+          throw new Error(
+            "OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\nOr pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz " + regoFiles.join(" ")
+          );
+        }
+        const hash = crypto4.createHash("sha256");
+        for (const f of regoFiles.sort()) {
+          hash.update(fs22.readFileSync(f));
+          hash.update(f);
+        }
+        const cacheKey = hash.digest("hex").slice(0, 16);
+        const cacheDir = _OpaCompiler.CACHE_DIR;
+        const cachedWasm = path27.join(cacheDir, `${cacheKey}.wasm`);
+        if (fs22.existsSync(cachedWasm)) {
+          return fs22.readFileSync(cachedWasm);
+        }
+        fs22.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path27.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        try {
+          const args = [
+            "build",
+            "-t",
+            "wasm",
+            "-e",
+            "visor",
+            // entrypoint: the visor package tree
+            "-o",
+            bundleTar,
+            ...regoFiles
+          ];
+          (0, import_child_process8.execFileSync)("opa", args, {
+            stdio: "pipe",
+            timeout: 3e4
+          });
+        } catch (err) {
+          const stderr = err?.stderr?.toString() || "";
+          throw new Error(
+            `Failed to compile .rego files to WASM:
+${stderr}
+Ensure your .rego files are valid and the \`opa\` CLI is installed.`
+          );
+        }
+        try {
+          (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "/policy.wasm"], {
+            stdio: "pipe"
+          });
+          const extractedWasm = path27.join(cacheDir, "policy.wasm");
+          if (fs22.existsSync(extractedWasm)) {
+            fs22.renameSync(extractedWasm, cachedWasm);
+          }
+        } catch {
+          try {
+            (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "policy.wasm"], {
+              stdio: "pipe"
+            });
+            const extractedWasm = path27.join(cacheDir, "policy.wasm");
+            if (fs22.existsSync(extractedWasm)) {
+              fs22.renameSync(extractedWasm, cachedWasm);
+            }
+          } catch (err2) {
+            throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
+          }
+        }
+        try {
+          fs22.unlinkSync(bundleTar);
+        } catch {
+        }
+        if (!fs22.existsSync(cachedWasm)) {
+          throw new Error("OPA build succeeded but policy.wasm was not found in the bundle");
+        }
+        return fs22.readFileSync(cachedWasm);
+      }
+    };
+  }
+});
+// src/enterprise/policy/opa-wasm-evaluator.ts
+var fs23, path28, OpaWasmEvaluator;
+var init_opa_wasm_evaluator = __esm({
+  "src/enterprise/policy/opa-wasm-evaluator.ts"() {
+    "use strict";
+    fs23 = __toESM(require("fs"));
+    path28 = __toESM(require("path"));
+    init_opa_compiler();
+    OpaWasmEvaluator = class {
+      policy = null;
+      dataDocument = {};
+      compiler = new OpaCompiler();
+      async initialize(rulesPath) {
+        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
+        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
+        try {
+          const { createRequire } = require("module");
+          const runtimeRequire = createRequire(__filename);
+          const opaWasm = runtimeRequire("@open-policy-agent/opa-wasm");
+          const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
+          if (!loadPolicy) {
+            throw new Error("loadPolicy not found in @open-policy-agent/opa-wasm");
+          }
+          this.policy = await loadPolicy(wasmBytes);
+        } catch (err) {
+          if (err?.code === "MODULE_NOT_FOUND" || err?.code === "ERR_MODULE_NOT_FOUND") {
+            throw new Error(
+              "OPA WASM evaluator requires @open-policy-agent/opa-wasm. Install it with: npm install @open-policy-agent/opa-wasm"
+            );
+          }
+          throw err;
+        }
+      }
+      /**
+       * Load external data from a JSON file to use as the OPA data document.
+       * The loaded data will be passed to `policy.setData()` during evaluation,
+       * making it available in Rego via `data.<key>`.
+       */
+      loadData(dataPath) {
+        const resolved = path28.resolve(dataPath);
+        if (path28.normalize(resolved).includes("..")) {
+          throw new Error(`Data path contains traversal sequences: ${dataPath}`);
+        }
+        if (!fs23.existsSync(resolved)) {
+          throw new Error(`OPA data file not found: ${resolved}`);
+        }
+        const stat2 = fs23.statSync(resolved);
+        if (stat2.size > 10 * 1024 * 1024) {
+          throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat2.size} bytes)`);
+        }
+        const raw = fs23.readFileSync(resolved, "utf-8");
+        try {
+          const parsed = JSON.parse(raw);
+          if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+            throw new Error("OPA data file must contain a JSON object (not an array or primitive)");
+          }
+          this.dataDocument = parsed;
+        } catch (err) {
+          if (err.message.startsWith("OPA data file must")) {
+            throw err;
+          }
+          throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
+        }
+      }
+      async evaluate(input) {
+        if (!this.policy) {
+          throw new Error("OPA WASM evaluator not initialized");
+        }
+        this.policy.setData(this.dataDocument);
+        const resultSet = this.policy.evaluate(input);
+        if (Array.isArray(resultSet) && resultSet.length > 0) {
+          return resultSet[0].result;
+        }
+        return void 0;
+      }
+      async shutdown() {
+        if (this.policy) {
+          if (typeof this.policy.close === "function") {
+            try {
+              this.policy.close();
+            } catch {
+            }
+          } else if (typeof this.policy.free === "function") {
+            try {
+              this.policy.free();
+            } catch {
+            }
+          }
+        }
+        this.policy = null;
+      }
+    };
+  }
+});
+// src/enterprise/policy/opa-http-evaluator.ts
+var OpaHttpEvaluator;
+var init_opa_http_evaluator = __esm({
+  "src/enterprise/policy/opa-http-evaluator.ts"() {
+    "use strict";
+    OpaHttpEvaluator = class {
+      baseUrl;
+      timeout;
+      constructor(baseUrl, timeout = 5e3) {
+        let parsed;
+        try {
+          parsed = new URL(baseUrl);
+        } catch {
+          throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
+        }
+        if (!["http:", "https:"].includes(parsed.protocol)) {
+          throw new Error(
+            `OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`
+          );
+        }
+        const hostname = parsed.hostname;
+        if (this.isBlockedHostname(hostname)) {
+          throw new Error(
+            `OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`
+          );
+        }
+        this.baseUrl = baseUrl.replace(/\/+$/, "");
+        this.timeout = timeout;
+      }
+      /**
+       * Check if a hostname is blocked due to SSRF concerns.
+       *
+       * Blocks:
+       * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+       * - Link-local addresses (169.254.x.x)
+       * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+       * - IPv6 unique local addresses (fd00::/8)
+       * - Cloud metadata services (*.internal)
+       */
+      isBlockedHostname(hostname) {
+        if (!hostname) return true;
+        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+        if (normalized === "metadata.google.internal" || normalized.endsWith(".internal")) {
+          return true;
+        }
+        if (normalized === "localhost" || normalized === "localhost.localdomain") {
+          return true;
+        }
+        if (normalized === "::1" || normalized === "0:0:0:0:0:0:0:1") {
+          return true;
+        }
+        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = normalized.match(ipv4Pattern);
+        if (ipv4Match) {
+          const octets = ipv4Match.slice(1, 5).map(Number);
+          if (octets.some((octet) => octet > 255)) {
+            return false;
+          }
+          const [a, b] = octets;
+          if (a === 127) {
+            return true;
+          }
+          if (a === 0) {
+            return true;
+          }
+          if (a === 169 && b === 254) {
+            return true;
+          }
+          if (a === 10) {
+            return true;
+          }
+          if (a === 172 && b >= 16 && b <= 31) {
+            return true;
+          }
+          if (a === 192 && b === 168) {
+            return true;
+          }
+        }
+        if (normalized.startsWith("fd") || normalized.startsWith("fc")) {
+          return true;
+        }
+        if (normalized.startsWith("fe80:")) {
+          return true;
+        }
+        return false;
+      }
+      /**
+       * Evaluate a policy rule against an input document via OPA REST API.
+       *
+       * @param input - The input document to evaluate
+       * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+       * @returns The result object from OPA, or undefined on error
+       */
+      async evaluate(input, rulePath) {
+        const encodedPath = rulePath.split("/").map((s) => encodeURIComponent(s)).join("/");
+        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+          const response = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ input }),
+            signal: controller.signal
+          });
+          if (!response.ok) {
+            throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
+          }
+          let body;
+          try {
+            body = await response.json();
+          } catch (jsonErr) {
+            throw new Error(
+              `OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`
+            );
+          }
+          return body?.result;
+        } finally {
+          clearTimeout(timer);
+        }
+      }
+      async shutdown() {
+      }
+    };
+  }
+});
+// src/enterprise/policy/policy-input-builder.ts
+var PolicyInputBuilder;
+var init_policy_input_builder = __esm({
+  "src/enterprise/policy/policy-input-builder.ts"() {
+    "use strict";
+    PolicyInputBuilder = class {
+      roles;
+      actor;
+      repository;
+      pullRequest;
+      constructor(policyConfig, actor, repository, pullRequest) {
+        this.roles = policyConfig.roles || {};
+        this.actor = actor;
+        this.repository = repository;
+        this.pullRequest = pullRequest;
+      }
+      /** Resolve which roles apply to the current actor. */
+      resolveRoles() {
+        const matched = [];
+        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
+          let identityMatch = false;
+          if (roleConfig.author_association && this.actor.authorAssociation && roleConfig.author_association.includes(this.actor.authorAssociation)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.users && this.actor.login && roleConfig.users.includes(this.actor.login)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.slack_users && this.actor.slack?.userId && roleConfig.slack_users.includes(this.actor.slack.userId)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
+            const actorEmail = this.actor.slack.email.toLowerCase();
+            if (roleConfig.emails.some((e) => e.toLowerCase() === actorEmail)) {
+              identityMatch = true;
+            }
+          }
+          if (!identityMatch) continue;
+          if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
+            if (!this.actor.slack?.channelId || !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
+              continue;
+            }
+          }
+          matched.push(roleName);
+        }
+        return matched;
+      }
+      buildActor() {
+        return {
+          authorAssociation: this.actor.authorAssociation,
+          login: this.actor.login,
+          roles: this.resolveRoles(),
+          isLocalMode: this.actor.isLocalMode,
+          ...this.actor.slack && { slack: this.actor.slack }
+        };
+      }
+      forCheckExecution(check) {
+        return {
+          scope: "check.execute",
+          check: {
+            id: check.id,
+            type: check.type,
+            group: check.group,
+            tags: check.tags,
+            criticality: check.criticality,
+            sandbox: check.sandbox,
+            policy: check.policy
+          },
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+      forToolInvocation(serverName, methodName, transport) {
+        return {
+          scope: "tool.invoke",
+          tool: { serverName, methodName, transport },
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+      forCapabilityResolve(checkId, capabilities) {
+        return {
+          scope: "capability.resolve",
+          check: { id: checkId, type: "ai" },
+          capability: capabilities,
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+    };
+  }
+});
+// src/enterprise/policy/opa-policy-engine.ts
+var opa_policy_engine_exports = {};
+__export(opa_policy_engine_exports, {
+  OpaPolicyEngine: () => OpaPolicyEngine
+});
+var OpaPolicyEngine;
+var init_opa_policy_engine = __esm({
+  "src/enterprise/policy/opa-policy-engine.ts"() {
+    "use strict";
+    init_opa_wasm_evaluator();
+    init_opa_http_evaluator();
+    init_policy_input_builder();
+    OpaPolicyEngine = class {
+      evaluator = null;
+      fallback;
+      timeout;
+      config;
+      inputBuilder = null;
+      logger = null;
+      constructor(config) {
+        this.config = config;
+        this.fallback = config.fallback || "deny";
+        this.timeout = config.timeout || 5e3;
+      }
+      async initialize(config) {
+        try {
+          this.logger = (init_logger(), __toCommonJS(logger_exports)).logger;
+        } catch {
+        }
+        const actor = {
+          authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
+          login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
+          isLocalMode: !process.env.GITHUB_ACTIONS
+        };
+        const repo = {
+          owner: process.env.GITHUB_REPOSITORY_OWNER,
+          name: process.env.GITHUB_REPOSITORY?.split("/")[1],
+          branch: process.env.GITHUB_HEAD_REF,
+          baseBranch: process.env.GITHUB_BASE_REF,
+          event: process.env.GITHUB_EVENT_NAME
+        };
+        const prNum = process.env.GITHUB_PR_NUMBER ? parseInt(process.env.GITHUB_PR_NUMBER, 10) : void 0;
+        const pullRequest = {
+          number: prNum !== void 0 && Number.isFinite(prNum) ? prNum : void 0
+        };
+        this.inputBuilder = new PolicyInputBuilder(config, actor, repo, pullRequest);
+        if (config.engine === "local") {
+          if (!config.rules) {
+            throw new Error("OPA local mode requires `policy.rules` path to .wasm or .rego files");
+          }
+          const wasm = new OpaWasmEvaluator();
+          await wasm.initialize(config.rules);
+          if (config.data) {
+            wasm.loadData(config.data);
+          }
+          this.evaluator = wasm;
+        } else if (config.engine === "remote") {
+          if (!config.url) {
+            throw new Error("OPA remote mode requires `policy.url` pointing to OPA server");
+          }
+          this.evaluator = new OpaHttpEvaluator(config.url, this.timeout);
+        } else {
+          this.evaluator = null;
+        }
+      }
+      /**
+       * Update actor/repo/PR context (e.g., after PR info becomes available).
+       * Called by the enterprise loader when engine context is enriched.
+       */
+      setActorContext(actor, repo, pullRequest) {
+        this.inputBuilder = new PolicyInputBuilder(this.config, actor, repo, pullRequest);
+      }
+      async evaluateCheckExecution(checkId, checkConfig) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const cfg = checkConfig && typeof checkConfig === "object" ? checkConfig : {};
+        const policyOverride = cfg.policy;
+        const input = this.inputBuilder.forCheckExecution({
+          id: checkId,
+          type: cfg.type || "ai",
+          group: cfg.group,
+          tags: cfg.tags,
+          criticality: cfg.criticality,
+          sandbox: cfg.sandbox,
+          policy: policyOverride
+        });
+        return this.doEvaluate(input, this.resolveRulePath("check.execute", policyOverride?.rule));
+      }
+      async evaluateToolInvocation(serverName, methodName, transport) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
+        return this.doEvaluate(input, "visor/tool/invoke");
+      }
+      async evaluateCapabilities(checkId, capabilities) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
+        return this.doEvaluate(input, "visor/capability/resolve");
+      }
+      async shutdown() {
+        if (this.evaluator && "shutdown" in this.evaluator) {
+          await this.evaluator.shutdown();
+        }
+        this.evaluator = null;
+        this.inputBuilder = null;
+      }
+      resolveRulePath(defaultScope, override) {
+        if (override) {
+          return override.startsWith("visor/") ? override : `visor/${override}`;
+        }
+        return `visor/${defaultScope.replace(/\./g, "/")}`;
+      }
+      async doEvaluate(input, rulePath) {
+        try {
+          this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
+          let timer;
+          const timeoutPromise = new Promise((_resolve, reject) => {
+            timer = setTimeout(() => reject(new Error("policy evaluation timeout")), this.timeout);
+          });
+          try {
+            const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
+            const decision = this.parseDecision(result);
+            if (!decision.allowed && this.fallback === "warn") {
+              decision.allowed = true;
+              decision.warn = true;
+              decision.reason = `audit: ${decision.reason || "policy denied"}`;
+            }
+            this.logger?.debug(
+              `[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || "none"}`
+            );
+            return decision;
+          } finally {
+            if (timer) clearTimeout(timer);
+          }
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
+          return {
+            allowed: this.fallback === "allow" || this.fallback === "warn",
+            warn: this.fallback === "warn" ? true : void 0,
+            reason: `policy evaluation failed, fallback=${this.fallback}`
+          };
+        }
+      }
+      async rawEvaluate(input, rulePath) {
+        if (this.evaluator instanceof OpaWasmEvaluator) {
+          const result = await this.evaluator.evaluate(input);
+          return this.navigateWasmResult(result, rulePath);
+        }
+        return this.evaluator.evaluate(input, rulePath);
+      }
+      /**
+       * Navigate nested OPA WASM result tree to reach the specific rule's output.
+       * The WASM entrypoint `-e visor` means the result root IS the visor package,
+       * so we strip the `visor/` prefix and walk the remaining segments.
+       */
+      navigateWasmResult(result, rulePath) {
+        if (!result || typeof result !== "object") return result;
+        const segments = rulePath.replace(/^visor\//, "").split("/");
+        let current = result;
+        for (const seg of segments) {
+          if (current && typeof current === "object" && seg in current) {
+            current = current[seg];
+          } else {
+            return void 0;
+          }
+        }
+        return current;
+      }
+      parseDecision(result) {
+        if (result === void 0 || result === null) {
+          return {
+            allowed: this.fallback === "allow" || this.fallback === "warn",
+            warn: this.fallback === "warn" ? true : void 0,
+            reason: this.fallback === "warn" ? "audit: no policy result" : "no policy result"
+          };
+        }
+        const allowed = result.allowed !== false;
+        const decision = {
+          allowed,
+          reason: result.reason
+        };
+        if (result.capabilities) {
+          decision.capabilities = result.capabilities;
+        }
+        return decision;
+      }
+    };
+  }
+});
+// src/enterprise/scheduler/knex-store.ts
+var knex_store_exports = {};
+__export(knex_store_exports, {
+  KnexStoreBackend: () => KnexStoreBackend
+});
+function toNum(val) {
+  if (val === null || val === void 0) return void 0;
+  return typeof val === "string" ? parseInt(val, 10) : val;
+}
+function safeJsonParse2(value) {
+  if (!value) return void 0;
+  try {
+    return JSON.parse(value);
+  } catch {
+    return void 0;
+  }
+}
+function fromTriggerRow2(row) {
+  return {
+    id: row.id,
+    creatorId: row.creator_id,
+    creatorContext: row.creator_context ?? void 0,
+    creatorName: row.creator_name ?? void 0,
+    description: row.description ?? void 0,
+    channels: safeJsonParse2(row.channels),
+    fromUsers: safeJsonParse2(row.from_users),
+    fromBots: row.from_bots === true || row.from_bots === 1,
+    contains: safeJsonParse2(row.contains),
+    matchPattern: row.match_pattern ?? void 0,
+    threads: row.threads,
+    workflow: row.workflow,
+    inputs: safeJsonParse2(row.inputs),
+    outputContext: safeJsonParse2(row.output_context),
+    status: row.status,
+    enabled: row.enabled === true || row.enabled === 1,
+    createdAt: toNum(row.created_at)
+  };
+}
+function toTriggerInsertRow(trigger) {
+  return {
+    id: trigger.id,
+    creator_id: trigger.creatorId,
+    creator_context: trigger.creatorContext ?? null,
+    creator_name: trigger.creatorName ?? null,
+    description: trigger.description ?? null,
+    channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
+    from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
+    from_bots: trigger.fromBots,
+    contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
+    match_pattern: trigger.matchPattern ?? null,
+    threads: trigger.threads,
+    workflow: trigger.workflow,
+    inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
+    output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
+    status: trigger.status,
+    enabled: trigger.enabled,
+    created_at: trigger.createdAt
+  };
+}
+function fromDbRow2(row) {
+  return {
+    id: row.id,
+    creatorId: row.creator_id,
+    creatorContext: row.creator_context ?? void 0,
+    creatorName: row.creator_name ?? void 0,
+    timezone: row.timezone,
+    schedule: row.schedule_expr,
+    runAt: toNum(row.run_at),
+    isRecurring: row.is_recurring === true || row.is_recurring === 1,
+    originalExpression: row.original_expression,
+    workflow: row.workflow ?? void 0,
+    workflowInputs: safeJsonParse2(row.workflow_inputs),
+    outputContext: safeJsonParse2(row.output_context),
+    status: row.status,
+    createdAt: toNum(row.created_at),
+    lastRunAt: toNum(row.last_run_at),
+    nextRunAt: toNum(row.next_run_at),
+    runCount: row.run_count,
+    failureCount: row.failure_count,
+    lastError: row.last_error ?? void 0,
+    previousResponse: row.previous_response ?? void 0
+  };
+}
+function toInsertRow(schedule) {
+  return {
+    id: schedule.id,
+    creator_id: schedule.creatorId,
+    creator_context: schedule.creatorContext ?? null,
+    creator_name: schedule.creatorName ?? null,
+    timezone: schedule.timezone,
+    schedule_expr: schedule.schedule,
+    run_at: schedule.runAt ?? null,
+    is_recurring: schedule.isRecurring,
+    original_expression: schedule.originalExpression,
+    workflow: schedule.workflow ?? null,
+    workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
+    output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
+    status: schedule.status,
+    created_at: schedule.createdAt,
+    last_run_at: schedule.lastRunAt ?? null,
+    next_run_at: schedule.nextRunAt ?? null,
+    run_count: schedule.runCount,
+    failure_count: schedule.failureCount,
+    last_error: schedule.lastError ?? null,
+    previous_response: schedule.previousResponse ?? null
+  };
+}
+var fs24, path29, import_uuid2, KnexStoreBackend;
+var init_knex_store = __esm({
+  "src/enterprise/scheduler/knex-store.ts"() {
+    "use strict";
+    fs24 = __toESM(require("fs"));
+    path29 = __toESM(require("path"));
+    import_uuid2 = require("uuid");
+    init_logger();
+    KnexStoreBackend = class {
+      knex = null;
+      driver;
+      connection;
+      constructor(driver, storageConfig, _haConfig) {
+        this.driver = driver;
+        this.connection = storageConfig.connection || {};
+      }
+      async initialize() {
+        const { createRequire } = require("module");
+        const runtimeRequire = createRequire(__filename);
+        let knexFactory;
+        try {
+          knexFactory = runtimeRequire("knex");
+        } catch (err) {
+          const code = err?.code;
+          if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
+            throw new Error(
+              "knex is required for PostgreSQL/MySQL/MSSQL schedule storage. Install it with: npm install knex"
+            );
+          }
+          throw err;
+        }
+        const clientMap = {
+          postgresql: "pg",
+          mysql: "mysql2",
+          mssql: "tedious"
+        };
+        const client = clientMap[this.driver];
+        let connection;
+        if (this.connection.connection_string) {
+          connection = this.connection.connection_string;
+        } else if (this.driver === "mssql") {
+          connection = this.buildMssqlConnection();
+        } else {
+          connection = this.buildStandardConnection();
+        }
+        this.knex = knexFactory({
+          client,
+          connection,
+          pool: {
+            min: this.connection.pool?.min ?? 0,
+            max: this.connection.pool?.max ?? 10
+          }
+        });
+        await this.migrateSchema();
+        logger.info(`[KnexStore] Initialized (${this.driver})`);
+      }
+      buildStandardConnection() {
+        return {
+          host: this.connection.host || "localhost",
+          port: this.connection.port,
+          database: this.connection.database || "visor",
+          user: this.connection.user,
+          password: this.connection.password,
+          ssl: this.resolveSslConfig()
+        };
+      }
+      buildMssqlConnection() {
+        const ssl = this.connection.ssl;
+        const sslEnabled = ssl === true || typeof ssl === "object" && ssl.enabled !== false;
+        return {
+          server: this.connection.host || "localhost",
+          port: this.connection.port,
+          database: this.connection.database || "visor",
+          user: this.connection.user,
+          password: this.connection.password,
+          options: {
+            encrypt: sslEnabled,
+            trustServerCertificate: typeof ssl === "object" ? ssl.reject_unauthorized === false : !sslEnabled
+          }
+        };
+      }
+      resolveSslConfig() {
+        const ssl = this.connection.ssl;
+        if (ssl === false || ssl === void 0) return false;
+        if (ssl === true) return { rejectUnauthorized: true };
+        if (ssl.enabled === false) return false;
+        const result = {
+          rejectUnauthorized: ssl.reject_unauthorized !== false
+        };
+        if (ssl.ca) {
+          const caPath = this.validateSslPath(ssl.ca, "CA certificate");
+          result.ca = fs24.readFileSync(caPath, "utf8");
+        }
+        if (ssl.cert) {
+          const certPath = this.validateSslPath(ssl.cert, "client certificate");
+          result.cert = fs24.readFileSync(certPath, "utf8");
+        }
+        if (ssl.key) {
+          const keyPath = this.validateSslPath(ssl.key, "client key");
+          result.key = fs24.readFileSync(keyPath, "utf8");
+        }
+        return result;
+      }
+      validateSslPath(filePath, label) {
+        const resolved = path29.resolve(filePath);
+        if (resolved !== path29.normalize(resolved)) {
+          throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
+        }
+        if (!fs24.existsSync(resolved)) {
+          throw new Error(`SSL ${label} not found: ${filePath}`);
+        }
+        return resolved;
+      }
+      async shutdown() {
+        if (this.knex) {
+          await this.knex.destroy();
+          this.knex = null;
+        }
+      }
+      async migrateSchema() {
+        const knex = this.getKnex();
+        const exists = await knex.schema.hasTable("schedules");
+        if (!exists) {
+          await knex.schema.createTable("schedules", (table) => {
+            table.string("id", 36).primary();
+            table.string("creator_id", 255).notNullable().index();
+            table.string("creator_context", 255);
+            table.string("creator_name", 255);
+            table.string("timezone", 64).notNullable().defaultTo("UTC");
+            table.string("schedule_expr", 255);
+            table.bigInteger("run_at");
+            table.boolean("is_recurring").notNullable();
+            table.text("original_expression");
+            table.string("workflow", 255);
+            table.text("workflow_inputs");
+            table.text("output_context");
+            table.string("status", 20).notNullable().index();
+            table.bigInteger("created_at").notNullable();
+            table.bigInteger("last_run_at");
+            table.bigInteger("next_run_at");
+            table.integer("run_count").notNullable().defaultTo(0);
+            table.integer("failure_count").notNullable().defaultTo(0);
+            table.text("last_error");
+            table.text("previous_response");
+            table.index(["status", "next_run_at"]);
+          });
+        }
+        const triggersExist = await knex.schema.hasTable("message_triggers");
+        if (!triggersExist) {
+          await knex.schema.createTable("message_triggers", (table) => {
+            table.string("id", 36).primary();
+            table.string("creator_id", 255).notNullable().index();
+            table.string("creator_context", 255);
+            table.string("creator_name", 255);
+            table.text("description");
+            table.text("channels");
+            table.text("from_users");
+            table.boolean("from_bots").notNullable().defaultTo(false);
+            table.text("contains");
+            table.text("match_pattern");
+            table.string("threads", 20).notNullable().defaultTo("any");
+            table.string("workflow", 255).notNullable();
+            table.text("inputs");
+            table.text("output_context");
+            table.string("status", 20).notNullable().defaultTo("active").index();
+            table.boolean("enabled").notNullable().defaultTo(true);
+            table.bigInteger("created_at").notNullable();
+          });
+        }
+        const locksExist = await knex.schema.hasTable("scheduler_locks");
+        if (!locksExist) {
+          await knex.schema.createTable("scheduler_locks", (table) => {
+            table.string("lock_id", 255).primary();
+            table.string("node_id", 255).notNullable();
+            table.string("lock_token", 36).notNullable();
+            table.bigInteger("acquired_at").notNullable();
+            table.bigInteger("expires_at").notNullable();
+          });
+        }
+      }
+      getKnex() {
+        if (!this.knex) {
+          throw new Error("[KnexStore] Not initialized. Call initialize() first.");
+        }
+        return this.knex;
+      }
+      // --- CRUD ---
+      async create(schedule) {
+        const knex = this.getKnex();
+        const newSchedule = {
+          ...schedule,
+          id: (0, import_uuid2.v4)(),
+          createdAt: Date.now(),
+          runCount: 0,
+          failureCount: 0,
+          status: "active"
+        };
+        await knex("schedules").insert(toInsertRow(newSchedule));
+        logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
+        return newSchedule;
+      }
+      async importSchedule(schedule) {
+        const knex = this.getKnex();
+        const existing = await knex("schedules").where("id", schedule.id).first();
+        if (existing) return;
+        await knex("schedules").insert(toInsertRow(schedule));
+      }
+      async get(id) {
+        const knex = this.getKnex();
+        const row = await knex("schedules").where("id", id).first();
+        return row ? fromDbRow2(row) : void 0;
+      }
+      async update(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex("schedules").where("id", id).first();
+        if (!existing) return void 0;
+        const current = fromDbRow2(existing);
+        const updated = { ...current, ...patch, id: current.id };
+        const row = toInsertRow(updated);
+        delete row.id;
+        await knex("schedules").where("id", id).update(row);
+        return updated;
+      }
+      async delete(id) {
+        const knex = this.getKnex();
+        const deleted = await knex("schedules").where("id", id).del();
+        if (deleted > 0) {
+          logger.info(`[KnexStore] Deleted schedule ${id}`);
+          return true;
+        }
+        return false;
+      }
+      // --- Queries ---
+      async getByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex("schedules").where("creator_id", creatorId);
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getActiveSchedules() {
+        const knex = this.getKnex();
+        const rows = await knex("schedules").where("status", "active");
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getDueSchedules(now) {
+        const ts = now ?? Date.now();
+        const knex = this.getKnex();
+        const bFalse = this.driver === "mssql" ? 0 : false;
+        const bTrue = this.driver === "mssql" ? 1 : true;
+        const rows = await knex("schedules").where("status", "active").andWhere(function() {
+          this.where(function() {
+            this.where("is_recurring", bFalse).whereNotNull("run_at").where("run_at", "<=", ts);
+          }).orWhere(function() {
+            this.where("is_recurring", bTrue).whereNotNull("next_run_at").where("next_run_at", "<=", ts);
+          });
+        });
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async findByWorkflow(creatorId, workflowName) {
+        const knex = this.getKnex();
+        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, "\\$&");
+        const pattern = `%${escaped}%`;
+        const rows = await knex("schedules").where("creator_id", creatorId).where("status", "active").whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getAll() {
+        const knex = this.getKnex();
+        const rows = await knex("schedules");
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getStats() {
+        const knex = this.getKnex();
+        const boolTrue = this.driver === "mssql" ? "1" : "true";
+        const boolFalse = this.driver === "mssql" ? "0" : "false";
+        const result = await knex("schedules").select(
+          knex.raw("COUNT(*) as total"),
+          knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"),
+          knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"),
+          knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"),
+          knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"),
+          knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`),
+          knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`)
+        ).first();
+        return {
+          total: Number(result.total) || 0,
+          active: Number(result.active) || 0,
+          paused: Number(result.paused) || 0,
+          completed: Number(result.completed) || 0,
+          failed: Number(result.failed) || 0,
+          recurring: Number(result.recurring) || 0,
+          oneTime: Number(result.one_time) || 0
+        };
+      }
+      async validateLimits(creatorId, isRecurring, limits) {
+        const knex = this.getKnex();
+        if (limits.maxGlobal) {
+          const result = await knex("schedules").count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxGlobal) {
+            throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
+          }
+        }
+        if (limits.maxPerUser) {
+          const result = await knex("schedules").where("creator_id", creatorId).count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxPerUser) {
+            throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
+          }
+        }
+        if (isRecurring && limits.maxRecurringPerUser) {
+          const bTrue = this.driver === "mssql" ? 1 : true;
+          const result = await knex("schedules").where("creator_id", creatorId).where("is_recurring", bTrue).count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
+            throw new Error(
+              `You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`
+            );
+          }
+        }
+      }
+      // --- HA Distributed Locking (via scheduler_locks table) ---
+      async tryAcquireLock(lockId, nodeId, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1e3;
+        const token = (0, import_uuid2.v4)();
+        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("expires_at", "<", now).update({
+          node_id: nodeId,
+          lock_token: token,
+          acquired_at: now,
+          expires_at: expiresAt
+        });
+        if (updated > 0) return token;
+        try {
+          await knex("scheduler_locks").insert({
+            lock_id: lockId,
+            node_id: nodeId,
+            lock_token: token,
+            acquired_at: now,
+            expires_at: expiresAt
+          });
+          return token;
+        } catch {
+          return null;
+        }
+      }
+      async releaseLock(lockId, lockToken) {
+        const knex = this.getKnex();
+        await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).del();
+      }
+      async renewLock(lockId, lockToken, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1e3;
+        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).update({ acquired_at: now, expires_at: expiresAt });
+        return updated > 0;
+      }
+      async flush() {
+      }
+      // --- Message Trigger CRUD ---
+      async createTrigger(trigger) {
+        const knex = this.getKnex();
+        const newTrigger = {
+          ...trigger,
+          id: (0, import_uuid2.v4)(),
+          createdAt: Date.now()
+        };
+        await knex("message_triggers").insert(toTriggerInsertRow(newTrigger));
+        logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
+        return newTrigger;
+      }
+      async getTrigger(id) {
+        const knex = this.getKnex();
+        const row = await knex("message_triggers").where("id", id).first();
+        return row ? fromTriggerRow2(row) : void 0;
+      }
+      async updateTrigger(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex("message_triggers").where("id", id).first();
+        if (!existing) return void 0;
+        const current = fromTriggerRow2(existing);
+        const updated = {
+          ...current,
+          ...patch,
+          id: current.id,
+          createdAt: current.createdAt
+        };
+        const row = toTriggerInsertRow(updated);
+        delete row.id;
+        await knex("message_triggers").where("id", id).update(row);
+        return updated;
+      }
+      async deleteTrigger(id) {
+        const knex = this.getKnex();
+        const deleted = await knex("message_triggers").where("id", id).del();
+        if (deleted > 0) {
+          logger.info(`[KnexStore] Deleted trigger ${id}`);
+          return true;
+        }
+        return false;
+      }
+      async getTriggersByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex("message_triggers").where("creator_id", creatorId);
+        return rows.map((r) => fromTriggerRow2(r));
+      }
+      async getActiveTriggers() {
+        const knex = this.getKnex();
+        const rows = await knex("message_triggers").where("status", "active").where("enabled", this.driver === "mssql" ? 1 : true);
+        return rows.map((r) => fromTriggerRow2(r));
+      }
+    };
+  }
+});
+// src/enterprise/loader.ts
+var loader_exports = {};
+__export(loader_exports, {
+  loadEnterprisePolicyEngine: () => loadEnterprisePolicyEngine,
+  loadEnterpriseStoreBackend: () => loadEnterpriseStoreBackend
+});
+async function loadEnterprisePolicyEngine(config) {
+  try {
+    const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
+    const validator = new LicenseValidator2();
+    const license = await validator.loadAndValidate();
+    if (!license || !validator.hasFeature("policy")) {
+      return new DefaultPolicyEngine();
+    }
+    if (validator.isInGracePeriod()) {
+      console.warn(
+        "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
+      );
+    }
+    const { OpaPolicyEngine: OpaPolicyEngine2 } = await Promise.resolve().then(() => (init_opa_policy_engine(), opa_policy_engine_exports));
+    const engine = new OpaPolicyEngine2(config);
+    await engine.initialize(config);
+    return engine;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    try {
+      const { logger: logger2 } = (init_logger(), __toCommonJS(logger_exports));
+      logger2.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
+    } catch {
+    }
+    return new DefaultPolicyEngine();
+  }
+}
+async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
+  const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
+  const validator = new LicenseValidator2();
+  const license = await validator.loadAndValidate();
+  if (!license || !validator.hasFeature("scheduler-sql")) {
+    throw new Error(
+      `The ${driver} schedule storage driver requires a Visor Enterprise license with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`
+    );
+  }
+  if (validator.isInGracePeriod()) {
+    console.warn(
+      "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
+    );
+  }
+  const { KnexStoreBackend: KnexStoreBackend2 } = await Promise.resolve().then(() => (init_knex_store(), knex_store_exports));
+  return new KnexStoreBackend2(driver, storageConfig, haConfig);
+}
+var init_loader = __esm({
+  "src/enterprise/loader.ts"() {
+    "use strict";
+    init_default_engine();
+  }
+});
 // src/event-bus/event-bus.ts
 var event_bus_exports = {};
 __export(event_bus_exports, {
@@ -58151,8 +59582,8 @@ var init_github_comments = __esm({
        * Update existing comment or create new one with collision detection
        */
       async updateOrCreateComment(owner, repo, prNumber, content, options = {}) {
-        return new Promise((resolve15, reject) => {
-          this._writeQueue = this._writeQueue.then(() => this._doUpdateOrCreate(owner, repo, prNumber, content, options)).then(resolve15, reject);
+        return new Promise((resolve20, reject) => {
+          this._writeQueue = this._writeQueue.then(() => this._doUpdateOrCreate(owner, repo, prNumber, content, options)).then(resolve20, reject);
         });
       }
       async _doUpdateOrCreate(owner, repo, prNumber, content, options = {}) {
@@ -58363,8 +59794,8 @@ ${content}
        * Sleep utility
        */
       sleep(ms) {
-        return new Promise((resolve15) => {
-          const t = setTimeout(resolve15, ms);
+        return new Promise((resolve20) => {
+          const t = setTimeout(resolve20, ms);
           if (typeof t.unref === "function") {
             try {
               t.unref();
@@ -58649,8 +60080,8 @@ ${end}`);
       async updateGroupedComment(ctx, comments, group, changedIds) {
         const existingLock = this.updateLocks.get(group);
         let resolveLock;
-        const ourLock = new Promise((resolve15) => {
-          resolveLock = resolve15;
+        const ourLock = new Promise((resolve20) => {
+          resolveLock = resolve20;
         });
         this.updateLocks.set(group, ourLock);
         try {
@@ -58981,7 +60412,7 @@ ${blocks}
        * Sleep utility for enforcing delays
        */
       sleep(ms) {
-        return new Promise((resolve15) => setTimeout(resolve15, ms));
+        return new Promise((resolve20) => setTimeout(resolve20, ms));
       }
     };
   }
@@ -59378,7 +60809,16 @@ var init_slack_frontend = __esm({
         this.subs.push(
           bus.on("StateTransition", async (env) => {
             const ev = env && env.payload || env;
-            if (ev && (ev.to === "Completed" || ev.to === "Error")) {
+            if (ev && ev.to === "Completed") {
+              await this.finalizeReactions(ctx).catch(() => {
+              });
+            } else if (ev && ev.to === "Error") {
+              if (!this.errorNotified) {
+                await this.maybePostError(ctx, "Run failed", "Workflow finished with errors").catch(
+                  () => {
+                  }
+                );
+              }
               await this.finalizeReactions(ctx).catch(() => {
               });
             }
@@ -59388,7 +60828,7 @@ var init_slack_frontend = __esm({
           bus.on("Shutdown", async (env) => {
             const ev = env && env.payload || env;
             const message = ev?.error?.message || "Fatal error";
-            await this.maybePostError(ctx, "Run failed", message).catch(() => {
+            await this.forcePostError(ctx, "Run failed", message).catch(() => {
             });
           })
         );
@@ -59514,6 +60954,16 @@ var init_slack_frontend = __esm({
       }
       async maybePostError(ctx, title, message, checkId) {
         if (this.errorNotified) return;
+        return this.postErrorToSlack(ctx, title, message, checkId);
+      }
+      /**
+       * Post error to Slack regardless of errorNotified flag.
+       * Used for fatal/shutdown errors that must always reach the user.
+       */
+      async forcePostError(ctx, title, message, checkId) {
+        return this.postErrorToSlack(ctx, title, message, checkId);
+      }
+      async postErrorToSlack(ctx, title, message, checkId) {
         const slack = this.getSlack(ctx);
         if (!slack) return;
         const payload = this.getInboundSlackPayload(ctx);
@@ -60843,11 +62293,11 @@ var require_request3 = __commonJS({
     "use strict";
     var __awaiter = exports2 && exports2.__awaiter || function(thisArg, _arguments, P, generator) {
       function adopt(value) {
-        return value instanceof P ? value : new P(function(resolve15) {
-          resolve15(value);
+        return value instanceof P ? value : new P(function(resolve20) {
+          resolve20(value);
         });
       }
-      return new (P || (P = Promise))(function(resolve15, reject) {
+      return new (P || (P = Promise))(function(resolve20, reject) {
         function fulfilled(value) {
           try {
             step(generator.next(value));
@@ -60863,7 +62313,7 @@ var require_request3 = __commonJS({
           }
         }
         function step(result) {
-          result.done ? resolve15(result.value) : adopt(result.value).then(fulfilled, rejected);
+          result.done ? resolve20(result.value) : adopt(result.value).then(fulfilled, rejected);
         }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
       });
@@ -60887,9 +62337,9 @@ var require_request3 = __commonJS({
       HttpMethod2["PATCH"] = "PATCH";
     })(HttpMethod = exports2.HttpMethod || (exports2.HttpMethod = {}));
     var SvixRequest = class {
-      constructor(method, path29) {
+      constructor(method, path33) {
         this.method = method;
-        this.path = path29;
+        this.path = path33;
         this.queryParams = {};
         this.headerParams = {};
       }
@@ -60992,7 +62442,7 @@ var require_request3 = __commonJS({
     }
     function sendWithRetry(url, init, retryScheduleInMs, nextInterval = 50, triesLeft = 2, fetchImpl = fetch, retryCount = 1) {
       return __awaiter(this, void 0, void 0, function* () {
-        const sleep = (interval) => new Promise((resolve15) => setTimeout(resolve15, interval));
+        const sleep = (interval) => new Promise((resolve20) => setTimeout(resolve20, interval));
         try {
           const response = yield fetchImpl(url, init);
           if (triesLeft <= 0 || response.status < 500) {
@@ -70066,7 +71516,7 @@ ${message}`;
 });
 // src/agent-protocol/task-store.ts
-function safeJsonParse2(value) {
+function safeJsonParse3(value) {
   if (!value) return void 0;
   try {
     return JSON.parse(value);
@@ -70083,12 +71533,12 @@ function taskRowToAgentTask(row) {
     context_id: row.context_id,
     status: {
       state: row.state,
-      message: safeJsonParse2(row.status_message),
+      message: safeJsonParse3(row.status_message),
       timestamp: row.updated_at
     },
-    artifacts: safeJsonParse2(row.artifacts) ?? [],
-    history: safeJsonParse2(row.history) ?? [],
-    metadata: safeJsonParse2(row.request_metadata),
+    artifacts: safeJsonParse3(row.artifacts) ?? [],
+    history: safeJsonParse3(row.history) ?? [],
+    metadata: safeJsonParse3(row.request_metadata),
     workflow_id: row.workflow_id ?? void 0
   };
 }
@@ -70325,7 +71775,7 @@ var init_task_store = __esm({
         const db = this.getDb();
         const row = db.prepare("SELECT artifacts FROM agent_tasks WHERE id = ?").get(taskId);
         if (!row) throw new TaskNotFoundError(taskId);
-        const artifacts = safeJsonParse2(row.artifacts) ?? [];
+        const artifacts = safeJsonParse3(row.artifacts) ?? [];
         artifacts.push(artifact);
         db.prepare("UPDATE agent_tasks SET artifacts = ?, updated_at = ? WHERE id = ?").run(
           JSON.stringify(artifacts),
@@ -70337,7 +71787,7 @@ var init_task_store = __esm({
         const db = this.getDb();
         const row = db.prepare("SELECT history FROM agent_tasks WHERE id = ?").get(taskId);
         if (!row) throw new TaskNotFoundError(taskId);
-        const history = safeJsonParse2(row.history) ?? [];
+        const history = safeJsonParse3(row.history) ?? [];
         history.push(message);
         db.prepare("UPDATE agent_tasks SET history = ?, updated_at = ? WHERE id = ?").run(
           JSON.stringify(history),
@@ -70849,13 +72299,13 @@ __export(a2a_frontend_exports, {
   resultToArtifacts: () => resultToArtifacts
 });
 function readJsonBody(req) {
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve20, reject) => {
     const chunks = [];
     req.on("data", (chunk) => chunks.push(chunk));
     req.on("end", () => {
       try {
         const body = Buffer.concat(chunks).toString("utf8");
-        resolve15(body ? JSON.parse(body) : {});
+        resolve20(body ? JSON.parse(body) : {});
       } catch {
         reject(new ParseError("Malformed JSON body"));
       }
@@ -71098,12 +72548,12 @@ var init_a2a_frontend = __esm({
         }
         const port = this.config.port ?? 9e3;
         const host = this.config.host ?? "0.0.0.0";
-        await new Promise((resolve15) => {
+        await new Promise((resolve20) => {
           this.server.listen(port, host, () => {
             const addr = this.server.address();
             this._boundPort = typeof addr === "object" && addr ? addr.port : port;
             logger.info(`A2A server listening on ${host}:${this._boundPort}`);
-            resolve15();
+            resolve20();
           });
         });
         if (this.agentCard) {
@@ -71127,8 +72577,8 @@ var init_a2a_frontend = __esm({
         }
         this.streamManager.shutdown();
         if (this.server) {
-          await new Promise((resolve15, reject) => {
-            this.server.close((err) => err ? reject(err) : resolve15());
+          await new Promise((resolve20, reject) => {
+            this.server.close((err) => err ? reject(err) : resolve20());
           });
           this.server = null;
         }
@@ -71845,15 +73295,15 @@ function serializeRunState(state) {
     ])
   };
 }
-var path28, fs24, StateMachineExecutionEngine;
+var path32, fs28, StateMachineExecutionEngine;
 var init_state_machine_execution_engine = __esm({
   "src/state-machine-execution-engine.ts"() {
     "use strict";
     init_runner();
     init_logger();
     init_sandbox_manager();
-    path28 = __toESM(require("path"));
-    fs24 = __toESM(require("fs"));
+    path32 = __toESM(require("path"));
+    fs28 = __toESM(require("fs"));
     StateMachineExecutionEngine = class _StateMachineExecutionEngine {
       workingDirectory;
       executionContext;
@@ -72085,8 +73535,8 @@ var init_state_machine_execution_engine = __esm({
             logger.debug(
               `[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`
             );
-            const { loadEnterprisePolicyEngine } = await import("./enterprise/loader");
-            context2.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
+            const { loadEnterprisePolicyEngine: loadEnterprisePolicyEngine2 } = await Promise.resolve().then(() => (init_loader(), loader_exports));
+            context2.policyEngine = await loadEnterprisePolicyEngine2(configWithTagFilter.policy);
             logger.debug(
               `[PolicyEngine] Initialized: ${context2.policyEngine?.constructor?.name || "unknown"}`
             );
@@ -72240,9 +73690,9 @@ var init_state_machine_execution_engine = __esm({
                   }
                   const checkId = String(ev?.checkId || "unknown");
                   const threadKey = ev?.threadKey || (channel && threadTs ? `${channel}:${threadTs}` : "session");
-                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path28.resolve(process.cwd(), ".visor", "snapshots");
-                  fs24.mkdirSync(baseDir, { recursive: true });
-                  const filePath = path28.join(baseDir, `${threadKey}-${checkId}.json`);
+                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path32.resolve(process.cwd(), ".visor", "snapshots");
+                  fs28.mkdirSync(baseDir, { recursive: true });
+                  const filePath = path32.join(baseDir, `${threadKey}-${checkId}.json`);
                   await this.saveSnapshotToFile(filePath);
                   logger.info(`[Snapshot] Saved run snapshot: ${filePath}`);
                   try {
@@ -72383,7 +73833,7 @@ var init_state_machine_execution_engine = __esm({
        * Does not include secrets. Intended for debugging and future resume support.
        */
       async saveSnapshotToFile(filePath) {
-        const fs25 = await import("fs/promises");
+        const fs29 = await import("fs/promises");
         const ctx = this._lastContext;
         const runner = this._lastRunner;
         if (!ctx || !runner) {
@@ -72403,14 +73853,14 @@ var init_state_machine_execution_engine = __esm({
           journal: entries,
           requestedChecks: ctx.requestedChecks || []
         };
-        await fs25.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
+        await fs29.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
       }
       /**
        * Load a snapshot JSON from file and return it. Resume support can build on this.
        */
       async loadSnapshotFromFile(filePath) {
-        const fs25 = await import("fs/promises");
-        const raw = await fs25.readFile(filePath, "utf8");
+        const fs29 = await import("fs/promises");
+        const raw = await fs29.readFile(filePath, "utf8");
         return JSON.parse(raw);
       }
       /**