@probelabs/visor 0.1.97 → 0.1.100

package/dist/sdk/sdk.js

@@ -406,7 +406,7 @@ ${content}
        * Sleep utility
        */
       sleep(ms) {
-        return new Promise((resolve4) => setTimeout(resolve4, ms));
+        return new Promise((resolve7) => setTimeout(resolve7, ms));
       }
       /**
        * Group results by specified criteria
@@ -468,7 +468,19 @@ __export(tracer_init_exports, {
 });
 async function initializeTracer(sessionId, checkName) {
   try {
-    if (import_probe.SimpleTelemetry && import_probe.SimpleAppTracer) {
+    let ProbeLib;
+    try {
+      ProbeLib = await import("@probelabs/probe");
+    } catch {
+      try {
+        ProbeLib = require("@probelabs/probe");
+      } catch {
+        ProbeLib = {};
+      }
+    }
+    const SimpleTelemetry = ProbeLib?.SimpleTelemetry;
+    const SimpleAppTracer = ProbeLib?.SimpleAppTracer;
+    if (SimpleTelemetry && SimpleAppTracer) {
       const sanitizedCheckName = checkName ? path.basename(checkName) : "check";
       const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
       const traceDir = process.env.GITHUB_WORKSPACE ? path.join(process.env.GITHUB_WORKSPACE, "debug-artifacts") : path.join(process.cwd(), "debug-artifacts");
@@ -484,12 +496,12 @@ async function initializeTracer(sessionId, checkName) {
         );
         return null;
       }
-      const telemetry = new import_probe.SimpleTelemetry({
+      const telemetry = new SimpleTelemetry({
         enableFile: true,
         filePath: traceFilePath,
         enableConsole: false
       });
-      const tracer = new import_probe.SimpleAppTracer(telemetry, sessionId);
+      const tracer = new SimpleAppTracer(telemetry, sessionId);
       console.error(`\u{1F4CA} Simple tracing enabled, will save to: ${traceFilePath}`);
       if (process.env.GITHUB_ACTIONS) {
         console.log(`::notice title=AI Trace::Trace will be saved to ${traceFilePath}`);
@@ -508,13 +520,12 @@ async function initializeTracer(sessionId, checkName) {
     return null;
   }
 }
-var path, fs, import_probe;
+var path, fs;
 var init_tracer_init = __esm({
   "src/utils/tracer-init.ts"() {
     "use strict";
     path = __toESM(require("path"));
     fs = __toESM(require("fs"));
-    import_probe = require("@probelabs/probe");
   }
 });
 
@@ -712,7 +723,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs12 = require("fs");
+    const fs14 = require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path2.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -723,7 +734,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs12.existsSync(candidatePath)) {
+      if (fs14.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -735,7 +746,7 @@ async function processDiffWithOutline(diffContent) {
       return diffContent;
     }
     process.env.PROBE_PATH = probeBinaryPath;
-    const extractPromise = (0, import_probe2.extract)({
+    const extractPromise = (0, import_probe.extract)({
       content: diffContent,
       format: "outline-diff",
       allowTests: true
@@ -758,11 +769,11 @@ async function processDiffWithOutline(diffContent) {
     return diffContent;
   }
 }
-var import_probe2, path2;
+var import_probe, path2;
 var init_diff_processor = __esm({
   "src/utils/diff-processor.ts"() {
     "use strict";
-    import_probe2 = require("@probelabs/probe");
+    import_probe = require("@probelabs/probe");
     path2 = __toESM(require("path"));
   }
 });
@@ -771,11 +782,11 @@ var init_diff_processor = __esm({
 function log(...args) {
   logger.debug(args.join(" "));
 }
-var import_probe3, AIReviewService;
+var import_probe2, AIReviewService;
 var init_ai_review_service = __esm({
   "src/ai-review-service.ts"() {
     "use strict";
-    import_probe3 = require("@probelabs/probe");
+    import_probe2 = require("@probelabs/probe");
     init_session_registry();
     init_logger();
     init_tracer_init();
@@ -815,6 +826,7 @@ var init_ai_review_service = __esm({
           this.config.model = process.env.MODEL_NAME;
         }
       }
+      // NOTE: per request, no additional redaction/encryption helpers are used.
       /**
        * Execute AI review using probe agent
        */
@@ -1131,14 +1143,12 @@ ${prContext}
         const isIssue = prContextInfo.isIssue === true;
         const isPRContext = prContextInfo.isPRContext === true;
         const includeCodeContext = isPRContext || prContextInfo.includeCodeContext !== false;
-        const log2 = this.config.debug ? console.error : () => {
-        };
         if (isPRContext) {
-          log2("\u{1F50D} Including full code diffs in AI context (PR mode)");
+          log("\u{1F50D} Including full code diffs in AI context (PR mode)");
         } else if (!includeCodeContext) {
-          log2("\u{1F4CA} Including only file summary in AI context (no diffs)");
+          log("\u{1F4CA} Including only file summary in AI context (no diffs)");
         } else {
-          log2("\u{1F50D} Including code diffs in AI context");
+          log("\u{1F50D} Including code diffs in AI context");
         }
         if (isIssue) {
           let context2 = `<issue>
@@ -1386,8 +1396,8 @@ ${schemaString}`);
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs12 = require("fs");
-              const path13 = require("path");
+              const fs14 = require("fs");
+              const path16 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const provider = this.config.provider || "auto";
               const model = this.config.model || "default";
@@ -1501,20 +1511,20 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path13.join(process.cwd(), "debug-artifacts");
-              if (!fs12.existsSync(debugArtifactsDir)) {
-                fs12.mkdirSync(debugArtifactsDir, { recursive: true });
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path16.join(process.cwd(), "debug-artifacts");
+              if (!fs14.existsSync(debugArtifactsDir)) {
+                fs14.mkdirSync(debugArtifactsDir, { recursive: true });
               }
-              const debugFile = path13.join(
+              const debugFile = path16.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.json`
               );
-              fs12.writeFileSync(debugFile, debugJson, "utf-8");
-              const readableFile = path13.join(
+              fs14.writeFileSync(debugFile, debugJson, "utf-8");
+              const readableFile = path16.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.txt`
               );
-              fs12.writeFileSync(readableFile, readableVersion, "utf-8");
+              fs14.writeFileSync(readableFile, readableVersion, "utf-8");
               log(`
 \u{1F4BE} Full debug info saved to:`);
               log(`   JSON: ${debugFile}`);
@@ -1546,8 +1556,8 @@ ${"=".repeat(60)}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs12 = require("fs");
-              const path13 = require("path");
+              const fs14 = require("fs");
+              const path16 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny2 = agent;
               let fullHistory = [];
@@ -1558,10 +1568,10 @@ ${"=".repeat(60)}
               } else if (agentAny2._messages) {
                 fullHistory = agentAny2._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path13.join(process.cwd(), "debug-artifacts");
-              const sessionFile = path13.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path16.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path16.join(
                 debugArtifactsDir,
-                `session-${_checkName || "unknown"}-${timestamp}.json`
+                `session-${_checkName || "unknown"}-${timestamp}`
               );
               const sessionData = {
                 timestamp,
@@ -1569,15 +1579,9 @@ ${"=".repeat(60)}
                 provider: this.config.provider || "auto",
                 model: this.config.model || "default",
                 schema: effectiveSchema,
-                fullConversationHistory: fullHistory,
-                totalMessages: fullHistory.length,
-                latestResponse: response
+                totalMessages: fullHistory.length
               };
-              fs12.writeFileSync(sessionFile, JSON.stringify(sessionData, null, 2), "utf-8");
-              const sessionTxtFile = path13.join(
-                debugArtifactsDir,
-                `session-${_checkName || "unknown"}-${timestamp}.txt`
-              );
+              fs14.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -1594,22 +1598,18 @@ ${"=".repeat(60)}
 
 `;
               fullHistory.forEach((msg, idx) => {
+                const role = msg.role || "unknown";
+                const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
                 readable += `
 ${"=".repeat(60)}
+MESSAGE ${idx + 1}/${fullHistory.length}
+Role: ${role}
+${"=".repeat(60)}
 `;
-                readable += `MESSAGE ${idx + 1}/${fullHistory.length}
-`;
-                readable += `Role: ${msg.role || "unknown"}
-`;
-                readable += `${"=".repeat(60)}
-`;
-                const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
                 readable += content + "\n";
               });
-              fs12.writeFileSync(sessionTxtFile, readable, "utf-8");
+              fs14.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
-              log(`   JSON: ${sessionFile}`);
-              log(`   TXT:  ${sessionTxtFile}`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save complete session history: ${error}`);
@@ -1617,11 +1617,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs12 = require("fs");
-              const path13 = require("path");
+              const fs14 = require("fs");
+              const path16 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path13.join(process.cwd(), "debug-artifacts");
-              const responseFile = path13.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path16.join(process.cwd(), "debug-artifacts");
+              const responseFile = path16.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -1654,7 +1654,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs12.writeFileSync(responseFile, responseContent, "utf-8");
+              fs14.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -1670,9 +1670,9 @@ ${"=".repeat(60)}
                 await agentAny._telemetryConfig.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs12 = require("fs");
-                  if (fs12.existsSync(agentAny._traceFilePath)) {
-                    const stats = fs12.statSync(agentAny._traceFilePath);
+                  const fs14 = require("fs");
+                  if (fs14.existsSync(agentAny._traceFilePath)) {
+                    const stats = fs14.statSync(agentAny._traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                     );
@@ -1683,12 +1683,14 @@ ${"=".repeat(60)}
                 log(`\u{1F4CA} Trace saved to: ${agentAny._traceFilePath}`);
               }
             } catch (exportError) {
-              console.error("\u26A0\uFE0F  Warning: Failed to export trace for cloned session:", exportError);
+              logger.warn(`\u26A0\uFE0F  Warning: Failed to export trace for cloned session: ${exportError}`);
             }
           }
           return { response, effectiveSchema };
         } catch (error) {
-          console.error("\u274C ProbeAgent session reuse failed:", error);
+          logger.error(
+            `\u274C ProbeAgent session reuse failed: ${error instanceof Error ? error.message : "Unknown error"}`
+          );
           throw new Error(
             `ProbeAgent session reuse failed: ${error instanceof Error ? error.message : "Unknown error"}`
           );
@@ -1759,7 +1761,7 @@ ${"=".repeat(60)}
           if (this.config.model) {
             options.model = this.config.model;
           }
-          const agent = new import_probe3.ProbeAgent(options);
+          const agent = new import_probe2.ProbeAgent(options);
           log("\u{1F680} Calling ProbeAgent...");
           let schemaString = void 0;
           let effectiveSchema = typeof schema === "object" ? "custom" : schema;
@@ -1792,8 +1794,8 @@ ${schemaString}`);
           const model = this.config.model || "default";
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs12 = require("fs");
-              const path13 = require("path");
+              const fs14 = require("fs");
+              const path16 = require("path");
               const os = require("os");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const debugData = {
@@ -1867,30 +1869,20 @@ ${"=".repeat(60)}
               readableVersion += `${"=".repeat(60)}
 `;
               const tempDir = os.tmpdir();
-              const promptFile = path13.join(tempDir, `visor-prompt-${timestamp}.txt`);
-              fs12.writeFileSync(promptFile, prompt, "utf-8");
+              const promptFile = path16.join(tempDir, `visor-prompt-${timestamp}.txt`);
+              fs14.writeFileSync(promptFile, prompt, "utf-8");
               log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path13.join(process.cwd(), "debug-artifacts");
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path16.join(process.cwd(), "debug-artifacts");
               try {
-                if (!fs12.existsSync(debugArtifactsDir)) {
-                  fs12.mkdirSync(debugArtifactsDir, { recursive: true });
-                }
-                const debugFile = path13.join(
-                  debugArtifactsDir,
-                  `prompt-${_checkName || "unknown"}-${timestamp}.json`
-                );
-                fs12.writeFileSync(debugFile, debugJson, "utf-8");
-                const readableFile = path13.join(
+                const base = path16.join(
                   debugArtifactsDir,
-                  `prompt-${_checkName || "unknown"}-${timestamp}.txt`
+                  `prompt-${_checkName || "unknown"}-${timestamp}`
                 );
-                fs12.writeFileSync(readableFile, readableVersion, "utf-8");
+                fs14.writeFileSync(base + ".json", debugJson, "utf-8");
+                fs14.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
                 log(`
-\u{1F4BE} Full debug info saved to:`);
-                log(`   JSON: ${debugFile}`);
-                log(`   TXT:  ${readableFile}`);
-                log(`   - Includes: prompt, schema, provider, model, and schema options`);
+\u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
               } catch {
               }
               log(`
@@ -1933,8 +1925,8 @@ $ ${cliCommand}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs12 = require("fs");
-              const path13 = require("path");
+              const fs14 = require("fs");
+              const path16 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny = agent;
               let fullHistory = [];
@@ -1945,10 +1937,10 @@ $ ${cliCommand}
               } else if (agentAny._messages) {
                 fullHistory = agentAny._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path13.join(process.cwd(), "debug-artifacts");
-              const sessionFile = path13.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path16.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path16.join(
                 debugArtifactsDir,
-                `session-${_checkName || "unknown"}-${timestamp}.json`
+                `session-${_checkName || "unknown"}-${timestamp}`
               );
               const sessionData = {
                 timestamp,
@@ -1956,15 +1948,9 @@ $ ${cliCommand}
                 provider: this.config.provider || "auto",
                 model: this.config.model || "default",
                 schema: effectiveSchema,
-                fullConversationHistory: fullHistory,
-                totalMessages: fullHistory.length,
-                latestResponse: response
+                totalMessages: fullHistory.length
               };
-              fs12.writeFileSync(sessionFile, JSON.stringify(sessionData, null, 2), "utf-8");
-              const sessionTxtFile = path13.join(
-                debugArtifactsDir,
-                `session-${_checkName || "unknown"}-${timestamp}.txt`
-              );
+              fs14.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -1981,22 +1967,18 @@ $ ${cliCommand}
 
 `;
               fullHistory.forEach((msg, idx) => {
+                const role = msg.role || "unknown";
+                const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
                 readable += `
 ${"=".repeat(60)}
+MESSAGE ${idx + 1}/${fullHistory.length}
+Role: ${role}
+${"=".repeat(60)}
 `;
-                readable += `MESSAGE ${idx + 1}/${fullHistory.length}
-`;
-                readable += `Role: ${msg.role || "unknown"}
-`;
-                readable += `${"=".repeat(60)}
-`;
-                const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
                 readable += content + "\n";
               });
-              fs12.writeFileSync(sessionTxtFile, readable, "utf-8");
+              fs14.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
-              log(`   JSON: ${sessionFile}`);
-              log(`   TXT:  ${sessionTxtFile}`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save complete session history: ${error}`);
@@ -2004,11 +1986,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs12 = require("fs");
-              const path13 = require("path");
+              const fs14 = require("fs");
+              const path16 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path13.join(process.cwd(), "debug-artifacts");
-              const responseFile = path13.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path16.join(process.cwd(), "debug-artifacts");
+              const responseFile = path16.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -2041,7 +2023,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs12.writeFileSync(responseFile, responseContent, "utf-8");
+              fs14.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -2059,9 +2041,9 @@ ${"=".repeat(60)}
                 await telemetry.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs12 = require("fs");
-                  if (fs12.existsSync(traceFilePath)) {
-                    const stats = fs12.statSync(traceFilePath);
+                  const fs14 = require("fs");
+                  if (fs14.existsSync(traceFilePath)) {
+                    const stats = fs14.statSync(traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                     );
@@ -2072,7 +2054,7 @@ ${"=".repeat(60)}
                 log(`\u{1F4CA} Trace saved to: ${traceFilePath}`);
               }
             } catch (exportError) {
-              console.error("\u26A0\uFE0F  Warning: Failed to export trace:", exportError);
+              logger.warn(`\u26A0\uFE0F  Warning: Failed to export trace: ${exportError}`);
             }
           }
           if (_checkName) {
@@ -2099,8 +2081,8 @@ ${"=".repeat(60)}
        * Load schema content from schema files or inline definitions
        */
       async loadSchemaContent(schema) {
-        const fs12 = require("fs").promises;
-        const path13 = require("path");
+        const fs14 = require("fs").promises;
+        const path16 = require("path");
         if (typeof schema === "object" && schema !== null) {
           log("\u{1F4CB} Using inline schema object from configuration");
           return JSON.stringify(schema);
@@ -2113,14 +2095,14 @@ ${"=".repeat(60)}
           }
         } catch {
         }
-        if ((schema.startsWith("./") || schema.includes(".json")) && !path13.isAbsolute(schema)) {
+        if ((schema.startsWith("./") || schema.includes(".json")) && !path16.isAbsolute(schema)) {
           if (schema.includes("..") || schema.includes("\0")) {
             throw new Error("Invalid schema path: path traversal not allowed");
           }
           try {
-            const schemaPath2 = path13.resolve(process.cwd(), schema);
+            const schemaPath2 = path16.resolve(process.cwd(), schema);
             log(`\u{1F4CB} Loading custom schema from file: ${schemaPath2}`);
-            const schemaContent = await fs12.readFile(schemaPath2, "utf-8");
+            const schemaContent = await fs14.readFile(schemaPath2, "utf-8");
             return schemaContent.trim();
           } catch (error) {
             throw new Error(
@@ -2132,9 +2114,9 @@ ${"=".repeat(60)}
         if (!sanitizedSchemaName || sanitizedSchemaName !== schema) {
           throw new Error("Invalid schema name");
         }
-        const schemaPath = path13.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const schemaPath = path16.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         try {
-          const schemaContent = await fs12.readFile(schemaPath, "utf-8");
+          const schemaContent = await fs14.readFile(schemaPath, "utf-8");
           return schemaContent.trim();
         } catch (error) {
           throw new Error(
@@ -2244,6 +2226,25 @@ ${"=".repeat(60)}
             }
           }
           const isCustomSchema = _schema === "custom" || _schema && (_schema.startsWith("./") || _schema.endsWith(".json")) || _schema && _schema !== "code-review" && !_schema.includes("output/");
+          const _debugSchemaLogging = this.config.debug === true || process.env.VISOR_DEBUG_AI_SESSIONS === "true";
+          if (_debugSchemaLogging) {
+            const details = {
+              schema: _schema,
+              isCustomSchema,
+              isCustomLiteral: _schema === "custom",
+              startsWithDotSlash: typeof _schema === "string" ? _schema.startsWith("./") : false,
+              endsWithJson: typeof _schema === "string" ? _schema.endsWith(".json") : false,
+              notCodeReview: _schema !== "code-review",
+              noOutputPrefix: typeof _schema === "string" ? !_schema.includes("output/") : false
+            };
+            try {
+              log(`\u{1F50D} Schema detection: ${JSON.stringify(details)}`);
+            } catch {
+              log(
+                `\u{1F50D} Schema detection: _schema="${String(_schema)}", isCustomSchema=${isCustomSchema}`
+              );
+            }
+          }
           if (isCustomSchema) {
             log("\u{1F4CB} Custom schema detected - preserving all fields from parsed JSON");
             log(`\u{1F4CA} Schema: ${_schema}`);
@@ -2289,33 +2290,39 @@ ${"=".repeat(60)}
           log("\u2705 Successfully created ReviewSummary");
           return result;
         } catch (error) {
-          console.error("\u274C Failed to parse AI response:", error);
-          console.error("\u{1F4C4} FULL RAW RESPONSE:");
-          console.error("=".repeat(80));
-          console.error(response);
-          console.error("=".repeat(80));
-          console.error(`\u{1F4CF} Response length: ${response.length} characters`);
-          if (error instanceof SyntaxError) {
-            console.error("\u{1F50D} JSON parsing error - the response may not be valid JSON");
-            console.error("\u{1F50D} Error details:", error.message);
-            const errorMatch = error.message.match(/position (\d+)/);
-            if (errorMatch) {
-              const position = parseInt(errorMatch[1]);
-              console.error(`\u{1F50D} Error at position ${position}:`);
-              const start = Math.max(0, position - 50);
-              const end = Math.min(response.length, position + 50);
-              console.error(`\u{1F50D} Context: "${response.substring(start, end)}"`);
-              console.error(`\u{1F50D} Response beginning: "${response.substring(0, 100)}"`);
-            }
-            if (response.includes("I cannot")) {
-              console.error("\u{1F50D} Response appears to be a refusal/explanation rather than JSON");
-            }
-            if (response.includes("```")) {
-              console.error("\u{1F50D} Response appears to contain markdown code blocks");
-            }
-            if (response.startsWith("<")) {
-              console.error("\u{1F50D} Response appears to start with XML/HTML");
+          const detailed = this.config.debug === true || process.env.VISOR_DEBUG_AI_SESSIONS === "true";
+          const message = error instanceof Error ? error.message : String(error);
+          if (detailed) {
+            logger.debug(`\u274C Failed to parse AI response: ${message}`);
+            logger.debug("\u{1F4C4} FULL RAW RESPONSE:");
+            logger.debug("=".repeat(80));
+            logger.debug(response);
+            logger.debug("=".repeat(80));
+            logger.debug(`\u{1F4CF} Response length: ${response.length} characters`);
+            if (error instanceof SyntaxError) {
+              logger.debug("\u{1F50D} JSON parsing error - the response may not be valid JSON");
+              logger.debug(`\u{1F50D} Error details: ${error.message}`);
+              const errorMatch = error.message.match(/position (\d+)/);
+              if (errorMatch) {
+                const position = parseInt(errorMatch[1]);
+                logger.debug(`\u{1F50D} Error at position ${position}:`);
+                const start = Math.max(0, position - 50);
+                const end = Math.min(response.length, position + 50);
+                logger.debug(`\u{1F50D} Context: "${response.substring(start, end)}"`);
+                logger.debug(`\u{1F50D} Response beginning: "${response.substring(0, 100)}"`);
+              }
+              if (response.includes("I cannot")) {
+                logger.debug("\u{1F50D} Response appears to be a refusal/explanation rather than JSON");
+              }
+              if (response.includes("```")) {
+                logger.debug("\u{1F50D} Response appears to contain markdown code blocks");
+              }
+              if (response.startsWith("<")) {
+                logger.debug("\u{1F50D} Response appears to start with XML/HTML");
+              }
             }
+          } else {
+            logger.error(`\u274C Failed to parse AI response: ${message}`);
           }
           throw new Error(
             `Invalid AI response format: ${error instanceof Error ? error.message : "Unknown error"}`
@@ -2380,7 +2387,7 @@ ${"=".repeat(60)}
        * Generate mock response for testing
        */
       async generateMockResponse(_prompt) {
-        await new Promise((resolve4) => setTimeout(resolve4, 500));
+        await new Promise((resolve7) => setTimeout(resolve7, 500));
         const mockResponse = {
           content: JSON.stringify({
             issues: [
@@ -2501,15 +2508,15 @@ var init_reviewer = __esm({
             if (["code-review", "overview", "plain", "text"].includes(schema)) {
               return true;
             }
-            const fs12 = require("fs").promises;
-            const path13 = require("path");
+            const fs14 = require("fs").promises;
+            const path16 = require("path");
             const sanitizedSchemaName = schema.replace(/[^a-zA-Z0-9-]/g, "");
             if (!sanitizedSchemaName || sanitizedSchemaName !== schema) {
               return false;
             }
-            const schemaPath = path13.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+            const schemaPath = path16.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
             try {
-              const schemaContent = await fs12.readFile(schemaPath, "utf-8");
+              const schemaContent = await fs14.readFile(schemaPath, "utf-8");
               const schemaObj = JSON.parse(schemaContent);
               const properties = schemaObj.properties;
               return !!(properties && "text" in properties);
@@ -2575,16 +2582,16 @@ var init_reviewer = __esm({
         }
       }
       async formatGroupComment(checkResults, _options, _githubContext) {
-        const normalize2 = (s) => s.replace(/\\n/g, "\n");
+        const normalize3 = (s) => s.replace(/\\n/g, "\n");
         const checkContents = checkResults.map((result) => {
           const trimmed = result.content?.trim();
-          if (trimmed) return normalize2(trimmed);
+          if (trimmed) return normalize3(trimmed);
           const out = result.output;
           if (out) {
-            if (typeof out === "string" && out.trim()) return normalize2(out.trim());
+            if (typeof out === "string" && out.trim()) return normalize3(out.trim());
             if (typeof out === "object") {
               const txt = out.text || out.response || out.message;
-              if (typeof txt === "string" && txt.trim()) return normalize2(txt.trim());
+              if (typeof txt === "string" && txt.trim()) return normalize3(txt.trim());
             }
           }
           return "";
@@ -2680,15 +2687,15 @@ var init_reviewer = __esm({
       }
       saveDebugArtifact(debug) {
         try {
-          const fs12 = require("fs");
-          const path13 = require("path");
-          const debugDir = path13.join(process.cwd(), "debug-artifacts");
-          if (!fs12.existsSync(debugDir)) {
-            fs12.mkdirSync(debugDir, { recursive: true });
+          const fs14 = require("fs");
+          const path16 = require("path");
+          const debugDir = path16.join(process.cwd(), "debug-artifacts");
+          if (!fs14.existsSync(debugDir)) {
+            fs14.mkdirSync(debugDir, { recursive: true });
           }
           const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
           const filename = `visor-debug-${timestamp}.md`;
-          const filepath = path13.join(debugDir, filename);
+          const filepath = path16.join(debugDir, filename);
           const content = [
             `# Visor Debug Information`,
             ``,
@@ -2709,7 +2716,7 @@ var init_reviewer = __esm({
             debug.rawResponse,
             "```"
           ].join("\n");
-          fs12.writeFileSync(filepath, content, "utf8");
+          fs14.writeFileSync(filepath, content, "utf8");
           return filename;
         } catch (error) {
           console.error("Failed to save debug artifact:", error);
@@ -2720,21 +2727,101 @@ var init_reviewer = __esm({
   }
 });
 
+// src/utils/file-exclusion.ts
+var import_ignore, fs2, path3, DEFAULT_EXCLUSION_PATTERNS, FileExclusionHelper;
+var init_file_exclusion = __esm({
+  "src/utils/file-exclusion.ts"() {
+    "use strict";
+    import_ignore = __toESM(require("ignore"));
+    fs2 = __toESM(require("fs"));
+    path3 = __toESM(require("path"));
+    DEFAULT_EXCLUSION_PATTERNS = [
+      "dist/",
+      "build/",
+      ".next/",
+      "out/",
+      "node_modules/",
+      "coverage/",
+      ".turbo/",
+      "bundled/"
+    ];
+    FileExclusionHelper = class {
+      gitignore = null;
+      workingDirectory;
+      /**
+       * @param workingDirectory - Directory to search for .gitignore
+       * @param additionalPatterns - Additional patterns to include (optional, defaults to common build artifacts)
+       */
+      constructor(workingDirectory = process.cwd(), additionalPatterns = DEFAULT_EXCLUSION_PATTERNS) {
+        const normalizedPath = path3.resolve(workingDirectory);
+        if (normalizedPath.includes("\0")) {
+          throw new Error("Invalid workingDirectory: contains null bytes");
+        }
+        this.workingDirectory = normalizedPath;
+        this.loadGitignore(additionalPatterns);
+      }
+      /**
+       * Load .gitignore patterns from the working directory (called once in constructor)
+       * @param additionalPatterns - Additional patterns to add to gitignore rules
+       */
+      loadGitignore(additionalPatterns) {
+        const gitignorePath = path3.resolve(this.workingDirectory, ".gitignore");
+        const resolvedWorkingDir = path3.resolve(this.workingDirectory);
+        try {
+          const relativePath = path3.relative(resolvedWorkingDir, gitignorePath);
+          if (relativePath.startsWith("..") || path3.isAbsolute(relativePath)) {
+            throw new Error("Invalid gitignore path: path traversal detected");
+          }
+          if (relativePath !== ".gitignore") {
+            throw new Error("Invalid gitignore path: must be .gitignore in working directory");
+          }
+          this.gitignore = (0, import_ignore.default)();
+          if (additionalPatterns && additionalPatterns.length > 0) {
+            this.gitignore.add(additionalPatterns);
+          }
+          if (fs2.existsSync(gitignorePath)) {
+            const rawContent = fs2.readFileSync(gitignorePath, "utf8");
+            const gitignoreContent = rawContent.replace(/[\r\n]+/g, "\n").replace(/[\x00-\x09\x0B-\x1F\x7F]/g, "").split("\n").filter((line) => line.length < 1e3).join("\n").trim();
+            this.gitignore.add(gitignoreContent);
+            console.error("\u2705 Loaded .gitignore patterns for file filtering");
+          } else if (additionalPatterns && additionalPatterns.length > 0) {
+            console.error("\u26A0\uFE0F  No .gitignore found, using default exclusion patterns");
+          }
+        } catch (error) {
+          console.warn("\u26A0\uFE0F Failed to load .gitignore:", error instanceof Error ? error.message : error);
+        }
+      }
+      /**
+       * Check if a file should be excluded based on .gitignore patterns
+       */
+      shouldExcludeFile(filename) {
+        if (this.gitignore) {
+          return this.gitignore.ignores(filename);
+        }
+        return false;
+      }
+    };
+  }
+});
+
 // src/git-repository-analyzer.ts
-var import_simple_git, path3, fs2, MAX_PATCH_SIZE, GitRepositoryAnalyzer;
+var import_simple_git, path4, fs3, MAX_PATCH_SIZE, GitRepositoryAnalyzer;
 var init_git_repository_analyzer = __esm({
   "src/git-repository-analyzer.ts"() {
     "use strict";
     import_simple_git = require("simple-git");
-    path3 = __toESM(require("path"));
-    fs2 = __toESM(require("fs"));
+    path4 = __toESM(require("path"));
+    fs3 = __toESM(require("fs"));
+    init_file_exclusion();
     MAX_PATCH_SIZE = 50 * 1024;
     GitRepositoryAnalyzer = class {
       git;
       cwd;
+      fileExclusionHelper;
       constructor(workingDirectory = process.cwd()) {
         this.cwd = workingDirectory;
         this.git = (0, import_simple_git.simpleGit)(workingDirectory);
+        this.fileExclusionHelper = new FileExclusionHelper(workingDirectory);
       }
       /**
        * Analyze the current git repository state and return data compatible with PRInfo interface
@@ -2869,34 +2956,6 @@ ${file.patch}`).join("\n\n");
           return "main";
         }
       }
-      /**
-       * Check if a file should be excluded from analysis
-       * This includes:
-       * - Files in .gitignore (even if force-added)
-       * - Built/generated files (dist/, build/, .next/, etc.)
-       */
-      async shouldExcludeFile(filename) {
-        const excludePatterns = [
-          /^dist\//,
-          /^build\//,
-          /^\.next\//,
-          /^out\//,
-          /^node_modules\//,
-          /^coverage\//,
-          /^\.turbo\//
-        ];
-        for (const pattern of excludePatterns) {
-          if (pattern.test(filename)) {
-            return true;
-          }
-        }
-        try {
-          const result = await this.git.raw(["check-ignore", filename]);
-          return result.trim().length > 0;
-        } catch {
-          return false;
-        }
-      }
       /**
        * Truncate a patch if it exceeds MAX_PATCH_SIZE
        */
@@ -2937,11 +2996,11 @@ ${file.patch}`).join("\n\n");
             }))
           ];
           for (const { file, status: status2 } of fileChanges) {
-            if (await this.shouldExcludeFile(file)) {
+            if (this.fileExclusionHelper.shouldExcludeFile(file)) {
               console.error(`\u23ED\uFE0F  Skipping excluded file: ${file}`);
               continue;
             }
-            const filePath = path3.join(this.cwd, file);
+            const filePath = path4.join(this.cwd, file);
             const fileChange = await this.analyzeFileChange(file, status2, filePath, includeContext);
             changes.push(fileChange);
           }
@@ -2962,7 +3021,7 @@ ${file.patch}`).join("\n\n");
             return [];
           }
           for (const file of diffSummary.files) {
-            if (await this.shouldExcludeFile(file.file)) {
+            if (this.fileExclusionHelper.shouldExcludeFile(file.file)) {
               console.error(`\u23ED\uFE0F  Skipping excluded file: ${file.file}`);
               continue;
             }
@@ -3017,7 +3076,7 @@ ${file.patch}`).join("\n\n");
         let content;
         let truncated = false;
         try {
-          if (includeContext && status !== "added" && fs2.existsSync(filePath)) {
+          if (includeContext && status !== "added" && fs3.existsSync(filePath)) {
             const diff = await this.git.diff(["--", filename]).catch(() => "");
             if (diff) {
               const result = this.truncatePatch(diff, filename);
@@ -3027,7 +3086,7 @@ ${file.patch}`).join("\n\n");
               additions = lines.filter((line) => line.startsWith("+")).length;
               deletions = lines.filter((line) => line.startsWith("-")).length;
             }
-          } else if (status !== "added" && fs2.existsSync(filePath)) {
+          } else if (status !== "added" && fs3.existsSync(filePath)) {
             const diff = await this.git.diff(["--", filename]).catch(() => "");
             if (diff) {
               const lines = diff.split("\n");
@@ -3035,17 +3094,17 @@ ${file.patch}`).join("\n\n");
               deletions = lines.filter((line) => line.startsWith("-")).length;
             }
           }
-          if (status === "added" && fs2.existsSync(filePath)) {
+          if (status === "added" && fs3.existsSync(filePath)) {
             try {
-              const stats = fs2.statSync(filePath);
+              const stats = fs3.statSync(filePath);
               if (stats.isFile() && stats.size < 1024 * 1024) {
                 if (includeContext) {
-                  content = fs2.readFileSync(filePath, "utf8");
+                  content = fs3.readFileSync(filePath, "utf8");
                   const result = this.truncatePatch(content, filename);
                   patch = result.patch;
                   truncated = result.truncated;
                 }
-                const fileContent = includeContext ? content : fs2.readFileSync(filePath, "utf8");
+                const fileContent = includeContext ? content : fs3.readFileSync(filePath, "utf8");
                 additions = fileContent.split("\n").length;
               }
             } catch {
@@ -3130,15 +3189,19 @@ ${file.patch}`).join("\n\n");
 });
 
 // src/pr-analyzer.ts
-var PRAnalyzer;
+var path5, PRAnalyzer;
 var init_pr_analyzer = __esm({
   "src/pr-analyzer.ts"() {
     "use strict";
+    path5 = __toESM(require("path"));
+    init_file_exclusion();
     PRAnalyzer = class {
-      constructor(octokit, maxRetries = 3) {
+      constructor(octokit, maxRetries = 3, workingDirectory = path5.resolve(process.cwd())) {
         this.octokit = octokit;
         this.maxRetries = maxRetries;
+        this.fileExclusionHelper = new FileExclusionHelper(workingDirectory);
       }
+      fileExclusionHelper;
       /**
        * Fetch commit diff for incremental analysis
        */
@@ -3194,14 +3257,25 @@ ${file.patch}`).join("\n\n");
         const authorAssociation = pr.author_association && typeof pr.author_association === "string" ? pr.author_association : void 0;
         const base = pr.base && typeof pr.base === "object" && pr.base.ref ? typeof pr.base.ref === "string" ? pr.base.ref : String(pr.base.ref) : "main";
         const head = pr.head && typeof pr.head === "object" && pr.head.ref ? typeof pr.head.ref === "string" ? pr.head.ref : String(pr.head.ref) : "feature";
-        const validFiles = files ? files.filter((file) => file && typeof file === "object" && file.filename).map((file) => ({
+        let skippedCount = 0;
+        const validFiles = files ? files.filter((file) => file && typeof file === "object" && file.filename).filter((file) => {
+          const filename = typeof file.filename === "string" ? file.filename : String(file.filename || "unknown");
+          if (!filename || this.fileExclusionHelper.shouldExcludeFile(filename)) {
+            skippedCount++;
+            return false;
+          }
+          return true;
+        }).map((file) => ({
           filename: typeof file.filename === "string" ? file.filename : String(file.filename || "unknown"),
           additions: typeof file.additions === "number" ? Math.max(0, file.additions) : 0,
           deletions: typeof file.deletions === "number" ? Math.max(0, file.deletions) : 0,
           changes: typeof file.changes === "number" ? Math.max(0, file.changes) : 0,
           patch: typeof file.patch === "string" ? file.patch : void 0,
           status: ["added", "removed", "modified", "renamed"].includes(file.status) ? file.status : "modified"
-        })).filter((file) => file.filename.length > 0) : [];
+        })) : [];
+        if (skippedCount > 0) {
+          console.log(`\u23ED\uFE0F  Skipped ${skippedCount} excluded file(s)`);
+        }
         const prInfo = {
           number: typeof pr.number === "number" ? pr.number : parseInt(String(pr.number || 1), 10),
           title,
@@ -3280,7 +3354,7 @@ ${file.patch}`).join("\n\n");
             }
             if (this.isRetryableError(error)) {
               const delay = Math.min(1e3 * Math.pow(2, attempt), 5e3);
-              await new Promise((resolve4) => setTimeout(resolve4, delay));
+              await new Promise((resolve7) => setTimeout(resolve7, delay));
             } else {
               throw error;
             }
@@ -3421,12 +3495,12 @@ var init_env_resolver = __esm({
 });
 
 // src/issue-filter.ts
-var fs3, path4, IssueFilter;
+var fs4, path6, IssueFilter;
 var init_issue_filter = __esm({
   "src/issue-filter.ts"() {
     "use strict";
-    fs3 = __toESM(require("fs"));
-    path4 = __toESM(require("path"));
+    fs4 = __toESM(require("fs"));
+    path6 = __toESM(require("path"));
     IssueFilter = class {
       fileCache = /* @__PURE__ */ new Map();
       suppressionEnabled;
@@ -3494,17 +3568,17 @@ var init_issue_filter = __esm({
           return this.fileCache.get(filePath);
         }
         try {
-          const resolvedPath = path4.isAbsolute(filePath) ? filePath : path4.join(workingDir, filePath);
-          if (!fs3.existsSync(resolvedPath)) {
-            if (fs3.existsSync(filePath)) {
-              const content2 = fs3.readFileSync(filePath, "utf8");
+          const resolvedPath = path6.isAbsolute(filePath) ? filePath : path6.join(workingDir, filePath);
+          if (!fs4.existsSync(resolvedPath)) {
+            if (fs4.existsSync(filePath)) {
+              const content2 = fs4.readFileSync(filePath, "utf8");
               const lines2 = content2.split("\n");
               this.fileCache.set(filePath, lines2);
               return lines2;
             }
             return null;
           }
-          const content = fs3.readFileSync(resolvedPath, "utf8");
+          const content = fs4.readFileSync(resolvedPath, "utf8");
           const lines = content.split("\n");
           this.fileCache.set(filePath, lines);
           return lines;
@@ -4047,7 +4121,7 @@ __export(liquid_extensions_exports, {
 function sanitizeLabel(value) {
   if (value == null) return "";
   const s = String(value);
-  return s.replace(/[^A-Za-z0-9:\/]/g, "").replace(/\/{2,}/g, "/");
+  return s.replace(/[^A-Za-z0-9:\/\- ]/g, "").replace(/\/{2,}/g, "/").trim();
 }
 function sanitizeLabelList(labels) {
   if (!Array.isArray(labels)) return [];
@@ -4174,8 +4248,209 @@ var init_liquid_extensions = __esm({
   }
 });
 
+// src/telemetry/state-capture.ts
+function safeSerialize(value, maxLength = MAX_ATTRIBUTE_LENGTH) {
+  try {
+    if (value === void 0 || value === null) return String(value);
+    const seen = /* @__PURE__ */ new WeakSet();
+    const json = JSON.stringify(value, (key, val) => {
+      if (typeof val === "object" && val !== null) {
+        if (seen.has(val)) return "[Circular]";
+        seen.add(val);
+      }
+      if (typeof val === "string" && val.length > maxLength) {
+        return val.substring(0, maxLength) + "...[truncated]";
+      }
+      return val;
+    });
+    if (json.length > maxLength) {
+      return json.substring(0, maxLength) + "...[truncated]";
+    }
+    return json;
+  } catch (err) {
+    return `[Error serializing: ${err instanceof Error ? err.message : String(err)}]`;
+  }
+}
+function captureCheckInputContext(span, context) {
+  try {
+    const keys = Object.keys(context);
+    span.setAttribute("visor.check.input.keys", keys.join(","));
+    span.setAttribute("visor.check.input.count", keys.length);
+    span.setAttribute("visor.check.input.context", safeSerialize(context));
+    if (context.pr) {
+      span.setAttribute("visor.check.input.pr", safeSerialize(context.pr, 1e3));
+    }
+    if (context.outputs) {
+      span.setAttribute("visor.check.input.outputs", safeSerialize(context.outputs, 5e3));
+    }
+    if (context.env) {
+      span.setAttribute("visor.check.input.env_keys", Object.keys(context.env).join(","));
+    }
+  } catch (err) {
+    try {
+      span.setAttribute("visor.check.input.error", String(err));
+    } catch {
+    }
+  }
+}
+function captureCheckOutput(span, output) {
+  try {
+    span.setAttribute("visor.check.output.type", typeof output);
+    if (Array.isArray(output)) {
+      span.setAttribute("visor.check.output.length", output.length);
+      const preview = output.slice(0, 10);
+      span.setAttribute("visor.check.output.preview", safeSerialize(preview, 2e3));
+    }
+    span.setAttribute("visor.check.output", safeSerialize(output));
+  } catch (err) {
+    try {
+      span.setAttribute("visor.check.output.error", String(err));
+    } catch {
+    }
+  }
+}
+function captureForEachState(span, items, index, currentItem) {
+  try {
+    span.setAttribute("visor.foreach.total", items.length);
+    span.setAttribute("visor.foreach.index", index);
+    span.setAttribute("visor.foreach.current_item", safeSerialize(currentItem, 500));
+    if (items.length <= MAX_ARRAY_ITEMS) {
+      span.setAttribute("visor.foreach.items", safeSerialize(items));
+    } else {
+      span.setAttribute(
+        "visor.foreach.items.preview",
+        safeSerialize(items.slice(0, MAX_ARRAY_ITEMS))
+      );
+      span.setAttribute("visor.foreach.items.truncated", true);
+    }
+  } catch (err) {
+    span.setAttribute("visor.foreach.error", String(err));
+  }
+}
+function captureTransformJS(span, code, input, output) {
+  try {
+    const codePreview = code.length > 2e3 ? code.substring(0, 2e3) + "...[truncated]" : code;
+    span.setAttribute("visor.transform.code", codePreview);
+    span.setAttribute("visor.transform.code.length", code.length);
+    span.setAttribute("visor.transform.input", safeSerialize(input, 2e3));
+    span.setAttribute("visor.transform.output", safeSerialize(output, 2e3));
+  } catch (err) {
+    span.setAttribute("visor.transform.error", String(err));
+  }
+}
+function captureProviderCall(span, providerType, request, response) {
+  try {
+    span.setAttribute("visor.provider.type", providerType);
+    if (request.model) span.setAttribute("visor.provider.request.model", String(request.model));
+    if (request.prompt) {
+      span.setAttribute("visor.provider.request.prompt.length", request.prompt.length);
+      span.setAttribute("visor.provider.request.prompt.preview", request.prompt.substring(0, 500));
+    }
+    if (response.content) {
+      span.setAttribute("visor.provider.response.length", response.content.length);
+      span.setAttribute("visor.provider.response.preview", response.content.substring(0, 500));
+    }
+    if (response.tokens) {
+      span.setAttribute("visor.provider.response.tokens", response.tokens);
+    }
+  } catch (err) {
+    span.setAttribute("visor.provider.error", String(err));
+  }
+}
+function captureStateSnapshot(span, checkId, outputs, memory) {
+  try {
+    span.addEvent("state.snapshot", {
+      "visor.snapshot.check_id": checkId,
+      "visor.snapshot.outputs": safeSerialize(outputs, 5e3),
+      "visor.snapshot.memory": safeSerialize(memory, 5e3),
+      "visor.snapshot.timestamp": (/* @__PURE__ */ new Date()).toISOString()
+    });
+  } catch (err) {
+    span.setAttribute("visor.snapshot.error", String(err));
+  }
+}
+var MAX_ATTRIBUTE_LENGTH, MAX_ARRAY_ITEMS;
+var init_state_capture = __esm({
+  "src/telemetry/state-capture.ts"() {
+    "use strict";
+    MAX_ATTRIBUTE_LENGTH = 1e4;
+    MAX_ARRAY_ITEMS = 100;
+  }
+});
+
+// src/telemetry/fallback-ndjson.ts
+var fallback_ndjson_exports = {};
+__export(fallback_ndjson_exports, {
+  emitNdjsonFallback: () => emitNdjsonFallback,
+  emitNdjsonSpanWithEvents: () => emitNdjsonSpanWithEvents,
+  flushNdjson: () => flushNdjson
+});
+function resolveTargetPath(outDir) {
+  if (process.env.VISOR_FALLBACK_TRACE_FILE) {
+    CURRENT_FILE = process.env.VISOR_FALLBACK_TRACE_FILE;
+    return CURRENT_FILE;
+  }
+  if (CURRENT_FILE) return CURRENT_FILE;
+  const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+  CURRENT_FILE = path9.join(outDir, `${ts}.ndjson`);
+  return CURRENT_FILE;
+}
+function isEnabled() {
+  if (process.env.VISOR_FALLBACK_TRACE_FILE) return true;
+  return process.env.VISOR_TELEMETRY_ENABLED === "true" && (process.env.VISOR_TELEMETRY_SINK || "file") === "file";
+}
+function appendAsync(outDir, line) {
+  writeChain = writeChain.then(async () => {
+    if (!dirReady) {
+      try {
+        await fs7.promises.mkdir(outDir, { recursive: true });
+      } catch {
+      }
+      dirReady = true;
+    }
+    const target = resolveTargetPath(outDir);
+    await fs7.promises.appendFile(target, line, "utf8");
+  }).catch(() => {
+  });
+}
+async function flushNdjson() {
+  try {
+    await writeChain;
+  } catch {
+  }
+}
+function emitNdjsonFallback(name, attrs) {
+  try {
+    if (!isEnabled()) return;
+    const outDir = process.env.VISOR_TRACE_DIR || path9.join(process.cwd(), "output", "traces");
+    const line = JSON.stringify({ name, attributes: attrs }) + "\n";
+    appendAsync(outDir, line);
+  } catch {
+  }
+}
+function emitNdjsonSpanWithEvents(name, attrs, events) {
+  try {
+    if (!isEnabled()) return;
+    const outDir = process.env.VISOR_TRACE_DIR || path9.join(process.cwd(), "output", "traces");
+    const line = JSON.stringify({ name, attributes: attrs, events }) + "\n";
+    appendAsync(outDir, line);
+  } catch {
+  }
+}
+var fs7, path9, CURRENT_FILE, dirReady, writeChain;
+var init_fallback_ndjson = __esm({
+  "src/telemetry/fallback-ndjson.ts"() {
+    "use strict";
+    fs7 = __toESM(require("fs"));
+    path9 = __toESM(require("path"));
+    CURRENT_FILE = null;
+    dirReady = false;
+    writeChain = Promise.resolve();
+  }
+});
+
 // src/providers/ai-check-provider.ts
-var import_promises3, import_path3, AICheckProvider;
+var import_promises3, import_path3, import_api, AICheckProvider;
 var init_ai_check_provider = __esm({
   "src/providers/ai-check-provider.ts"() {
     "use strict";
@@ -4186,6 +4461,8 @@ var init_ai_check_provider = __esm({
     init_liquid_extensions();
     import_promises3 = __toESM(require("fs/promises"));
     import_path3 = __toESM(require("path"));
+    import_api = require("@opentelemetry/api");
+    init_state_capture();
     AICheckProvider = class extends CheckProvider {
       aiReviewService;
       liquidEngine;
@@ -4317,9 +4594,9 @@ var init_ai_check_provider = __esm({
           } else {
             resolvedPath = import_path3.default.resolve(process.cwd(), str);
           }
-          const fs12 = require("fs").promises;
+          const fs14 = require("fs").promises;
           try {
-            const stat = await fs12.stat(resolvedPath);
+            const stat = await fs14.stat(resolvedPath);
             return stat.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -4525,6 +4802,40 @@ var init_ai_check_provider = __esm({
             );
           }
         }
+        const templateContext = {
+          pr: {
+            number: prInfo.number,
+            title: prInfo.title,
+            author: prInfo.author,
+            branch: prInfo.head,
+            base: prInfo.base
+          },
+          files: prInfo.files,
+          outputs: _dependencyResults ? Object.fromEntries(
+            Array.from(_dependencyResults.entries()).map(([checkName, result]) => [
+              checkName,
+              result.output !== void 0 ? result.output : result
+            ])
+          ) : {}
+        };
+        try {
+          const span = import_api.trace.getSpan(import_api.context.active());
+          if (span) {
+            captureCheckInputContext(span, templateContext);
+          }
+        } catch {
+        }
+        try {
+          const checkId = config.checkName || config.id || "unknown";
+          const ctxJson = JSON.stringify(templateContext);
+          const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+          emitNdjsonSpanWithEvents2(
+            "visor.check",
+            { "visor.check.id": checkId, "visor.check.input.context": ctxJson },
+            []
+          );
+        } catch {
+        }
         const processedPrompt = await this.processPrompt(
           customPrompt,
           prInfo,
@@ -4577,10 +4888,43 @@ var init_ai_check_provider = __esm({
           const suppressionEnabled = config.suppressionEnabled !== false;
           const issueFilter = new IssueFilter(suppressionEnabled);
           const filteredIssues = issueFilter.filterIssues(result.issues || [], process.cwd());
-          return {
+          const finalResult = {
             ...result,
             issues: filteredIssues
           };
+          try {
+            const span = import_api.trace.getSpan(import_api.context.active());
+            if (span) {
+              captureProviderCall(
+                span,
+                "ai",
+                {
+                  prompt: processedPrompt.substring(0, 500),
+                  // Preview only
+                  model: aiConfig.model
+                },
+                {
+                  content: JSON.stringify(finalResult).substring(0, 500),
+                  tokens: result.usage?.totalTokens
+                }
+              );
+              const outputForSpan = finalResult.output ?? finalResult;
+              captureCheckOutput(span, outputForSpan);
+            }
+          } catch {
+          }
+          try {
+            const checkId = config.checkName || config.id || "unknown";
+            const outJson = JSON.stringify(finalResult.output ?? finalResult);
+            const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+            emitNdjsonSpanWithEvents2(
+              "visor.check",
+              { "visor.check.id": checkId, "visor.check.output": outJson },
+              []
+            );
+          } catch {
+          }
+          return finalResult;
         } catch (error) {
           const errorMessage = error instanceof Error ? error.message : String(error);
           console.error(`\u274C AI Check Provider Error for check: ${errorMessage}`);
@@ -4627,13 +4971,15 @@ var init_ai_check_provider = __esm({
 });
 
 // src/providers/http-check-provider.ts
-var HttpCheckProvider;
+var import_api2, HttpCheckProvider;
 var init_http_check_provider = __esm({
   "src/providers/http-check-provider.ts"() {
     "use strict";
     init_check_provider_interface();
     init_issue_filter();
     init_liquid_extensions();
+    import_api2 = require("@opentelemetry/api");
+    init_state_capture();
     HttpCheckProvider = class extends CheckProvider {
       liquid;
       constructor() {
@@ -4695,6 +5041,13 @@ var init_http_check_provider = __esm({
           outputs: dependencyResults ? Object.fromEntries(dependencyResults) : {},
           metadata: config.metadata || {}
         };
+        try {
+          const span = import_api2.trace.getSpan(import_api2.context.active());
+          if (span) {
+            captureCheckInputContext(span, templateContext);
+          }
+        } catch {
+        }
         let payload;
         try {
           const renderedBody = await this.liquid.parseAndRender(bodyTemplate, templateContext);
@@ -4717,10 +5070,31 @@ var init_http_check_provider = __esm({
           const suppressionEnabled = config.suppressionEnabled !== false;
           const issueFilter = new IssueFilter(suppressionEnabled);
           const filteredIssues = issueFilter.filterIssues(result.issues || [], process.cwd());
-          return {
+          const finalResult = {
             ...result,
             issues: filteredIssues
           };
+          try {
+            const span = import_api2.trace.getSpan(import_api2.context.active());
+            if (span) {
+              captureProviderCall(
+                span,
+                "http",
+                {
+                  url,
+                  method,
+                  body: JSON.stringify(payload).substring(0, 500)
+                },
+                {
+                  content: JSON.stringify(response).substring(0, 500)
+                }
+              );
+              const outputForSpan = finalResult.output ?? finalResult;
+              captureCheckOutput(span, outputForSpan);
+            }
+          } catch {
+          }
+          return finalResult;
         } catch (error) {
           return this.createErrorResult(url, error);
         }
@@ -5402,13 +5776,123 @@ var init_log_check_provider = __esm({
   }
 });
 
+// src/utils/sandbox.ts
+function createSecureSandbox() {
+  const globals = {
+    ...import_sandboxjs.default.SAFE_GLOBALS,
+    Math,
+    JSON,
+    // Provide console with limited surface. Calls are harmless in CI logs and
+    // help with debugging value_js / transform_js expressions.
+    console: {
+      log: console.log,
+      warn: console.warn,
+      error: console.error
+    }
+  };
+  const prototypeWhitelist = new Map(import_sandboxjs.default.SAFE_PROTOTYPES);
+  const arrayMethods = /* @__PURE__ */ new Set([
+    "some",
+    "every",
+    "filter",
+    "map",
+    "reduce",
+    "find",
+    "includes",
+    "indexOf",
+    "length",
+    "slice",
+    "concat",
+    "join",
+    "push",
+    "pop",
+    "shift",
+    "unshift",
+    "sort",
+    "reverse",
+    "flat",
+    "flatMap"
+  ]);
+  prototypeWhitelist.set(Array.prototype, arrayMethods);
+  const stringMethods = /* @__PURE__ */ new Set([
+    "toLowerCase",
+    "toUpperCase",
+    "includes",
+    "indexOf",
+    "startsWith",
+    "endsWith",
+    "slice",
+    "substring",
+    "length",
+    "trim",
+    "split",
+    "replace",
+    "match",
+    "padStart",
+    "padEnd"
+  ]);
+  prototypeWhitelist.set(String.prototype, stringMethods);
+  const objectMethods = /* @__PURE__ */ new Set([
+    "hasOwnProperty",
+    "toString",
+    "valueOf",
+    "keys",
+    "values"
+  ]);
+  prototypeWhitelist.set(Object.prototype, objectMethods);
+  return new import_sandboxjs.default({ globals, prototypeWhitelist });
+}
+function compileAndRun(sandbox, userCode, scope, opts = { injectLog: true, wrapFunction: true, logPrefix: "[sandbox]" }) {
+  const inject = opts?.injectLog === true;
+  let safePrefix = String(opts?.logPrefix ?? "[sandbox]");
+  safePrefix = safePrefix.replace(/[\r\n\t\0]/g, "").replace(/[`$\\]/g, "").replace(/\$\{/g, "").slice(0, 64);
+  const header = inject ? `const __lp = ${JSON.stringify(safePrefix)}; const log = (...a) => { try { console.log(__lp, ...a); } catch {} };
+` : "";
+  const body = opts.wrapFunction ? `const __fn = () => {
+${userCode}
+};
+return __fn();
+` : `${userCode}`;
+  const code = `${header}${body}`;
+  let exec;
+  try {
+    exec = sandbox.compile(code);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`sandbox_compile_error: ${msg}`);
+  }
+  let out;
+  try {
+    out = exec(scope);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`sandbox_execution_error: ${msg}`);
+  }
+  if (out && typeof out.run === "function") {
+    try {
+      return out.run();
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new Error(`sandbox_runner_error: ${msg}`);
+    }
+  }
+  return out;
+}
+var import_sandboxjs;
+var init_sandbox = __esm({
+  "src/utils/sandbox.ts"() {
+    "use strict";
+    import_sandboxjs = __toESM(require("@nyariv/sandboxjs"));
+  }
+});
+
 // src/providers/github-ops-provider.ts
-var import_sandboxjs, GitHubOpsProvider;
+var GitHubOpsProvider;
 var init_github_ops_provider = __esm({
   "src/providers/github-ops-provider.ts"() {
     "use strict";
     init_check_provider_interface();
-    import_sandboxjs = __toESM(require("@nyariv/sandboxjs"));
+    init_sandbox();
     init_liquid_extensions();
     GitHubOpsProvider = class extends CheckProvider {
       sandbox;
@@ -5436,25 +5920,20 @@ var init_github_ops_provider = __esm({
       }
       async execute(prInfo, config, dependencyResults) {
         const cfg = config;
-        let octokit = config.eventContext?.octokit;
+        const octokit = config.eventContext?.octokit;
         if (!octokit) {
-          const token = process.env["INPUT_GITHUB-TOKEN"] || process.env["GITHUB_TOKEN"];
-          if (!token) {
-            return {
-              issues: [
-                {
-                  file: "system",
-                  line: 0,
-                  ruleId: "github/missing_token",
-                  message: "No GitHub token available; set GITHUB_TOKEN or pass github-token input for native GitHub operations",
-                  severity: "error",
-                  category: "logic"
-                }
-              ]
-            };
-          }
-          const { Octokit } = await import("@octokit/rest");
-          octokit = new Octokit({ auth: token });
+          return {
+            issues: [
+              {
+                file: "system",
+                line: 0,
+                ruleId: "github/missing_octokit",
+                message: "No authenticated Octokit instance available in event context. GitHub operations require proper authentication context.",
+                severity: "error",
+                category: "logic"
+              }
+            ]
+          };
         }
         const repoEnv = process.env.GITHUB_REPOSITORY || "";
         const [owner, repo] = repoEnv.split("/");
@@ -5532,14 +6011,19 @@ var init_github_ops_provider = __esm({
         if (cfg.value_js && cfg.value_js.trim()) {
           try {
             const sandbox = this.getSecureSandbox();
-            const code = `
-          const __fn = () => {
-${cfg.value_js}
-};
-          return __fn();
-        `;
-            const exec = sandbox.compile(code);
-            const res = exec({ pr: prInfo, values });
+            const depOutputs = {};
+            if (dependencyResults) {
+              for (const [name, result] of dependencyResults.entries()) {
+                const summary = result;
+                depOutputs[name] = summary.output !== void 0 ? summary.output : summary;
+              }
+            }
+            const res = compileAndRun(
+              sandbox,
+              cfg.value_js,
+              { pr: prInfo, values, outputs: depOutputs },
+              { injectLog: true, wrapFunction: true, logPrefix: "[github:value_js]" }
+            );
             if (typeof res === "string") values = [res];
             else if (Array.isArray(res)) values = res.map((v) => String(v));
           } catch (e) {
@@ -5630,44 +6114,7 @@ ${cfg.value_js}
        */
       getSecureSandbox() {
         if (this.sandbox) return this.sandbox;
-        const globals = {
-          ...import_sandboxjs.default.SAFE_GLOBALS,
-          Math
-        };
-        const prototypeWhitelist = new Map(import_sandboxjs.default.SAFE_PROTOTYPES);
-        const arrayMethods = /* @__PURE__ */ new Set([
-          "some",
-          "every",
-          "filter",
-          "map",
-          "reduce",
-          "find",
-          "includes",
-          "indexOf",
-          "length",
-          "slice",
-          "concat",
-          "join"
-        ]);
-        prototypeWhitelist.set(Array.prototype, arrayMethods);
-        const stringMethods = /* @__PURE__ */ new Set([
-          "toLowerCase",
-          "toUpperCase",
-          "includes",
-          "indexOf",
-          "startsWith",
-          "endsWith",
-          "slice",
-          "substring",
-          "length",
-          "trim",
-          "split",
-          "replace"
-        ]);
-        prototypeWhitelist.set(String.prototype, stringMethods);
-        const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf"]);
-        prototypeWhitelist.set(Object.prototype, objectMethods);
-        this.sandbox = new import_sandboxjs.default({ globals, prototypeWhitelist });
+        this.sandbox = createSecureSandbox();
         return this.sandbox;
       }
     };
@@ -6142,15 +6589,17 @@ var init_claude_code_check_provider = __esm({
 });
 
 // src/providers/command-check-provider.ts
-var import_sandboxjs2, CommandCheckProvider;
+var import_api3, CommandCheckProvider;
 var init_command_check_provider = __esm({
   "src/providers/command-check-provider.ts"() {
     "use strict";
     init_check_provider_interface();
-    import_sandboxjs2 = __toESM(require("@nyariv/sandboxjs"));
+    init_sandbox();
     init_liquid_extensions();
     init_logger();
     init_author_permissions();
+    import_api3 = require("@opentelemetry/api");
+    init_state_capture();
     CommandCheckProvider = class extends CheckProvider {
       liquid;
       sandbox;
@@ -6163,13 +6612,7 @@ var init_command_check_provider = __esm({
         });
       }
       createSecureSandbox() {
-        const globals = {
-          ...import_sandboxjs2.default.SAFE_GLOBALS,
-          console,
-          JSON
-        };
-        const prototypeWhitelist = new Map(import_sandboxjs2.default.SAFE_PROTOTYPES);
-        return new import_sandboxjs2.default({ globals, prototypeWhitelist });
+        return createSecureSandbox();
       }
       getName() {
         return "command";
@@ -6218,6 +6661,24 @@ var init_command_check_provider = __esm({
         logger.debug(
           `\u{1F527} Debug: Template outputs keys: ${Object.keys(templateContext.outputs || {}).join(", ")}`
         );
+        try {
+          const span = import_api3.trace.getSpan(import_api3.context.active());
+          if (span) {
+            captureCheckInputContext(span, templateContext);
+          }
+        } catch {
+        }
+        try {
+          const checkId = config.checkName || config.id || "unknown";
+          const ctxJson = JSON.stringify(templateContext);
+          const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+          emitNdjsonSpanWithEvents2(
+            "visor.check",
+            { "visor.check.id": checkId, "visor.check.input.context": ctxJson },
+            [{ name: "check.started" }, { name: "check.completed" }]
+          );
+        } catch {
+        }
         try {
           let renderedCommand = command;
           if (command.includes("{{") || command.includes("{%")) {
@@ -6412,8 +6873,12 @@ ${bodyWithReturn}
               if (parsedFromSandboxJson !== void 0) {
                 finalOutput = parsedFromSandboxJson;
               } else {
-                const exec2 = this.sandbox.compile(code);
-                finalOutput = exec2({ scope: jsContext }).run();
+                finalOutput = compileAndRun(
+                  this.sandbox,
+                  code,
+                  { scope: jsContext },
+                  { injectLog: false, wrapFunction: false }
+                );
               }
               try {
                 if (finalOutput && typeof finalOutput === "object" && !Array.isArray(finalOutput) && (finalOutput.error === void 0 || finalOutput.issues === void 0)) {
@@ -6824,6 +7289,27 @@ ${bodyWithReturn}
             ...content ? { content } : {},
             ...promoted
           };
+          try {
+            const span = import_api3.trace.getSpan(import_api3.context.active());
+            if (span) {
+              captureCheckOutput(span, outputForDependents);
+              if (transformJs && output !== finalOutput) {
+                captureTransformJS(span, transformJs, output, finalOutput);
+              }
+            }
+          } catch {
+          }
+          try {
+            const checkId = config.checkName || config.id || "unknown";
+            const outJson = JSON.stringify(result.output ?? result);
+            const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+            emitNdjsonSpanWithEvents2(
+              "visor.check",
+              { "visor.check.id": checkId, "visor.check.output": outJson },
+              [{ name: "check.started" }, { name: "check.completed" }]
+            );
+          } catch {
+          }
           try {
             if (transformJs) {
               const rawObj = snapshotForExtraction || finalOutput;
@@ -7389,7 +7875,7 @@ ${stderrOutput}` : `Command execution failed: ${errorMessage}`;
 });
 
 // src/providers/memory-check-provider.ts
-var import_sandboxjs3, MemoryCheckProvider;
+var MemoryCheckProvider;
 var init_memory_check_provider = __esm({
   "src/providers/memory-check-provider.ts"() {
     "use strict";
@@ -7397,7 +7883,7 @@ var init_memory_check_provider = __esm({
     init_memory_store();
     init_liquid_extensions();
     init_logger();
-    import_sandboxjs3 = __toESM(require("@nyariv/sandboxjs"));
+    init_sandbox();
     MemoryCheckProvider = class extends CheckProvider {
       liquid;
       sandbox;
@@ -7412,61 +7898,7 @@ var init_memory_check_provider = __esm({
        * Create a secure sandbox for JavaScript execution
        */
       createSecureSandbox() {
-        const globals = {
-          ...import_sandboxjs3.default.SAFE_GLOBALS,
-          Math,
-          console: {
-            log: console.log,
-            warn: console.warn,
-            error: console.error
-          }
-        };
-        const prototypeWhitelist = new Map(import_sandboxjs3.default.SAFE_PROTOTYPES);
-        const arrayMethods = /* @__PURE__ */ new Set([
-          "some",
-          "every",
-          "filter",
-          "map",
-          "reduce",
-          "find",
-          "includes",
-          "indexOf",
-          "length",
-          "slice",
-          "concat",
-          "join",
-          "push",
-          "pop",
-          "shift",
-          "unshift",
-          "sort",
-          "reverse"
-        ]);
-        prototypeWhitelist.set(Array.prototype, arrayMethods);
-        const stringMethods = /* @__PURE__ */ new Set([
-          "toLowerCase",
-          "toUpperCase",
-          "includes",
-          "indexOf",
-          "startsWith",
-          "endsWith",
-          "slice",
-          "substring",
-          "length",
-          "trim",
-          "split",
-          "replace",
-          "match",
-          "padStart",
-          "padEnd"
-        ]);
-        prototypeWhitelist.set(String.prototype, stringMethods);
-        const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf"]);
-        prototypeWhitelist.set(Object.prototype, objectMethods);
-        return new import_sandboxjs3.default({
-          globals,
-          prototypeWhitelist
-        });
+        return createSecureSandbox();
       }
       getName() {
         return "memory";
@@ -7758,15 +8190,12 @@ var init_memory_check_provider = __esm({
           this.sandbox = this.createSecureSandbox();
         }
         try {
-          const log2 = (...args) => {
-            logger.info(`\u{1F50D} [memory-js] ${args.map((a) => JSON.stringify(a)).join(" ")}`);
-          };
-          const scope = {
-            ...context,
-            log: log2
-          };
-          const exec = this.sandbox.compile(`return (${expression});`);
-          return exec(scope).run();
+          const scope = { ...context };
+          return compileAndRun(this.sandbox, `return (${expression});`, scope, {
+            injectLog: true,
+            wrapFunction: false,
+            logPrefix: "[memory:value_js]"
+          });
         } catch (error) {
           const errorMsg = error instanceof Error ? error.message : "Unknown error";
           throw new Error(`Failed to evaluate value_js: ${errorMsg}`);
@@ -7781,16 +8210,12 @@ var init_memory_check_provider = __esm({
           this.sandbox = this.createSecureSandbox();
         }
         try {
-          const log2 = (...args) => {
-            logger.info(`\u{1F50D} [memory-js] ${args.map((a) => JSON.stringify(a)).join(" ")}`);
-          };
-          const scope = {
-            ...context,
-            log: log2
-          };
-          const exec = this.sandbox.compile(script);
-          const result = exec(scope).run();
-          return result;
+          const scope = { ...context };
+          return compileAndRun(this.sandbox, script, scope, {
+            injectLog: true,
+            wrapFunction: false,
+            logPrefix: "[memory:exec_js]"
+          });
         } catch (error) {
           const errorMsg = error instanceof Error ? error.message : "Unknown error";
           logger.error(`[memory-js] Script execution error: ${errorMsg}`);
@@ -7879,7 +8304,7 @@ var init_memory_check_provider = __esm({
 });
 
 // src/providers/mcp-check-provider.ts
-var import_client, import_stdio, import_sse, import_streamableHttp, import_sandboxjs4, McpCheckProvider;
+var import_client, import_stdio, import_sse, import_streamableHttp, McpCheckProvider;
 var init_mcp_check_provider = __esm({
   "src/providers/mcp-check-provider.ts"() {
     "use strict";
@@ -7890,7 +8315,7 @@ var init_mcp_check_provider = __esm({
     import_stdio = require("@modelcontextprotocol/sdk/client/stdio.js");
     import_sse = require("@modelcontextprotocol/sdk/client/sse.js");
     import_streamableHttp = require("@modelcontextprotocol/sdk/client/streamableHttp.js");
-    import_sandboxjs4 = __toESM(require("@nyariv/sandboxjs"));
+    init_sandbox();
     McpCheckProvider = class extends CheckProvider {
       liquid;
       sandbox;
@@ -7909,67 +8334,7 @@ var init_mcp_check_provider = __esm({
        * - No access to filesystem, network, or system resources
        */
       createSecureSandbox() {
-        const log2 = (...args) => {
-          logger.debug(`[transform_js] ${args.map((a) => JSON.stringify(a)).join(" ")}`);
-        };
-        const globals = {
-          ...import_sandboxjs4.default.SAFE_GLOBALS,
-          // Excludes Function, eval, require, process, etc.
-          Math,
-          JSON,
-          console: {
-            log: log2
-          }
-        };
-        const prototypeWhitelist = new Map(import_sandboxjs4.default.SAFE_PROTOTYPES);
-        const arrayMethods = /* @__PURE__ */ new Set([
-          "some",
-          "every",
-          "filter",
-          "map",
-          "reduce",
-          "find",
-          "includes",
-          "indexOf",
-          "length",
-          "slice",
-          "concat",
-          "join",
-          "push",
-          "pop",
-          "shift",
-          "unshift",
-          "sort",
-          "reverse",
-          "flat",
-          "flatMap"
-        ]);
-        prototypeWhitelist.set(Array.prototype, arrayMethods);
-        const stringMethods = /* @__PURE__ */ new Set([
-          "toLowerCase",
-          "toUpperCase",
-          "includes",
-          "indexOf",
-          "startsWith",
-          "endsWith",
-          "slice",
-          "substring",
-          "length",
-          "trim",
-          "split",
-          "replace",
-          // String.prototype.replace for text manipulation (e.g., "hello".replace("h", "H"))
-          "match",
-          "padStart",
-          "padEnd"
-        ]);
-        prototypeWhitelist.set(String.prototype, stringMethods);
-        const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf", "keys", "values"]);
-        prototypeWhitelist.set(Object.prototype, objectMethods);
-        return new import_sandboxjs4.default({
-          globals,
-          prototypeWhitelist
-        });
+        return createSecureSandbox();
       }
       getName() {
         return "mcp";
@@ -8098,8 +8463,12 @@ var init_mcp_check_provider = __esm({
                 outputs: templateContext.outputs,
                 env: templateContext.env
               };
-              const exec = this.sandbox.compile(`return (${cfg.transform_js});`);
-              finalOutput = exec(scope).run();
+              finalOutput = compileAndRun(
+                this.sandbox,
+                `return (${cfg.transform_js});`,
+                scope,
+                { injectLog: true, wrapFunction: false, logPrefix: "[mcp:transform_js]" }
+              );
             } catch (error) {
               logger.error(`Failed to apply JavaScript transform: ${error}`);
               return {
@@ -8412,44 +8781,538 @@ var init_mcp_check_provider = __esm({
           replacement: replacement || void 0
         };
       }
-      toTrimmedString(value) {
-        if (typeof value === "string") {
-          const trimmed = value.trim();
-          return trimmed.length > 0 ? trimmed : null;
+      toTrimmedString(value) {
+        if (typeof value === "string") {
+          const trimmed = value.trim();
+          return trimmed.length > 0 ? trimmed : null;
+        }
+        if (value !== null && value !== void 0 && typeof value.toString === "function") {
+          const converted = String(value).trim();
+          return converted.length > 0 ? converted : null;
+        }
+        return null;
+      }
+      toNumber(value) {
+        if (value === null || value === void 0) {
+          return null;
+        }
+        const num = Number(value);
+        if (Number.isFinite(num)) {
+          return Math.trunc(num);
+        }
+        return null;
+      }
+      getSupportedConfigKeys() {
+        return [
+          "type",
+          "transport",
+          "command",
+          "args",
+          "env",
+          "workingDirectory",
+          "url",
+          "headers",
+          "sessionId",
+          "method",
+          "methodArgs",
+          "argsTransform",
+          "transform",
+          "transform_js",
+          "timeout",
+          "depends_on",
+          "on",
+          "if",
+          "group"
+        ];
+      }
+      async isAvailable() {
+        return true;
+      }
+      getRequirements() {
+        return ["MCP method name specified", "Transport configuration (stdio: command, sse/http: url)"];
+      }
+    };
+  }
+});
+
+// src/utils/interactive-prompt.ts
+function formatTime(ms) {
+  const seconds = Math.ceil(ms / 1e3);
+  const mins = Math.floor(seconds / 60);
+  const secs = seconds % 60;
+  return `${mins}:${secs.toString().padStart(2, "0")}`;
+}
+function drawLine(char, width) {
+  return char.repeat(width);
+}
+function wrapText(text, width) {
+  const words = text.split(" ");
+  const lines = [];
+  let currentLine = "";
+  for (const word of words) {
+    if (currentLine.length + word.length + 1 <= width) {
+      currentLine += (currentLine ? " " : "") + word;
+    } else {
+      if (currentLine) lines.push(currentLine);
+      currentLine = word;
+    }
+  }
+  if (currentLine) lines.push(currentLine);
+  return lines;
+}
+function displayPromptUI(options, remainingMs) {
+  const width = Math.min(process.stdout.columns || 80, 80) - 4;
+  const icon = supportsUnicode ? "\u{1F4AC}" : ">";
+  console.log("\n");
+  console.log(`${box.topLeft}${drawLine(box.horizontal, width + 2)}${box.topRight}`);
+  console.log(
+    `${box.vertical} ${colors.bold}${icon} Human Input Required${colors.reset}${" ".repeat(
+      width - 22
+    )} ${box.vertical}`
+  );
+  console.log(`${box.leftT}${drawLine(box.horizontal, width + 2)}${box.rightT}`);
+  console.log(`${box.vertical} ${" ".repeat(width)} ${box.vertical}`);
+  const promptLines = wrapText(options.prompt, width - 2);
+  for (const line of promptLines) {
+    console.log(
+      `${box.vertical} ${colors.cyan}${line}${colors.reset}${" ".repeat(
+        width - line.length
+      )} ${box.vertical}`
+    );
+  }
+  console.log(`${box.vertical} ${" ".repeat(width)} ${box.vertical}`);
+  const instruction = options.multiline ? "(Type your response, press Ctrl+D when done)" : "(Type your response and press Enter)";
+  console.log(
+    `${box.vertical} ${colors.dim}${instruction}${colors.reset}${" ".repeat(
+      width - instruction.length
+    )} ${box.vertical}`
+  );
+  if (options.placeholder && !options.multiline) {
+    console.log(
+      `${box.vertical} ${colors.dim}${options.placeholder}${colors.reset}${" ".repeat(
+        width - options.placeholder.length
+      )} ${box.vertical}`
+    );
+  }
+  console.log(`${box.vertical} ${" ".repeat(width)} ${box.vertical}`);
+  if (remainingMs !== void 0 && options.timeout) {
+    const timeIcon = supportsUnicode ? "\u23F1 " : "Time: ";
+    const timeStr = `${timeIcon} ${formatTime(remainingMs)} remaining`;
+    console.log(
+      `${box.vertical} ${colors.yellow}${timeStr}${colors.reset}${" ".repeat(
+        width - timeStr.length
+      )} ${box.vertical}`
+    );
+  }
+  console.log(`${box.bottomLeft}${drawLine(box.horizontal, width + 2)}${box.bottomRight}`);
+  console.log("");
+  process.stdout.write(`${colors.green}>${colors.reset} `);
+}
+async function interactivePrompt(options) {
+  return new Promise((resolve7, reject) => {
+    let input = "";
+    let timeoutId;
+    let countdownInterval;
+    let remainingMs = options.timeout;
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      terminal: true
+    });
+    displayPromptUI(options, remainingMs);
+    const cleanup = () => {
+      if (timeoutId) clearTimeout(timeoutId);
+      if (countdownInterval) clearInterval(countdownInterval);
+      rl.close();
+    };
+    const finish = (value) => {
+      cleanup();
+      console.log("");
+      resolve7(value);
+    };
+    if (options.timeout) {
+      timeoutId = setTimeout(() => {
+        cleanup();
+        console.log(`
+${colors.yellow}\u23F1  Timeout reached${colors.reset}`);
+        if (options.defaultValue !== void 0) {
+          console.log(
+            `${colors.gray}Using default value: ${options.defaultValue}${colors.reset}
+`
+          );
+          resolve7(options.defaultValue);
+        } else {
+          reject(new Error("Input timeout"));
+        }
+      }, options.timeout);
+      if (remainingMs) {
+        countdownInterval = setInterval(() => {
+          remainingMs = remainingMs - 1e3;
+          if (remainingMs <= 0) {
+            if (countdownInterval) clearInterval(countdownInterval);
+          }
+        }, 1e3);
+      }
+    }
+    if (options.multiline) {
+      rl.on("line", (line) => {
+        input += (input ? "\n" : "") + line;
+      });
+      rl.on("close", () => {
+        cleanup();
+        const trimmed = input.trim();
+        if (!trimmed && !options.allowEmpty) {
+          console.log(`${colors.yellow}\u26A0  Empty input not allowed${colors.reset}`);
+          reject(new Error("Empty input not allowed"));
+        } else {
+          finish(trimmed);
+        }
+      });
+    } else {
+      rl.question("", (answer) => {
+        const trimmed = answer.trim();
+        if (!trimmed && !options.allowEmpty && !options.defaultValue) {
+          cleanup();
+          console.log(`${colors.yellow}\u26A0  Empty input not allowed${colors.reset}`);
+          reject(new Error("Empty input not allowed"));
+        } else {
+          finish(trimmed || options.defaultValue || "");
+        }
+      });
+    }
+    rl.on("SIGINT", () => {
+      cleanup();
+      console.log("\n\n" + colors.yellow + "\u26A0  Cancelled by user" + colors.reset);
+      reject(new Error("Cancelled by user"));
+    });
+  });
+}
+async function simplePrompt(prompt) {
+  return new Promise((resolve7) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question(`${prompt}
+> `, (answer) => {
+      rl.close();
+      resolve7(answer.trim());
+    });
+  });
+}
+var readline, colors, supportsUnicode, box;
+var init_interactive_prompt = __esm({
+  "src/utils/interactive-prompt.ts"() {
+    "use strict";
+    readline = __toESM(require("readline"));
+    colors = {
+      reset: "\x1B[0m",
+      dim: "\x1B[2m",
+      bold: "\x1B[1m",
+      cyan: "\x1B[36m",
+      green: "\x1B[32m",
+      yellow: "\x1B[33m",
+      gray: "\x1B[90m"
+    };
+    supportsUnicode = process.env.LANG?.includes("UTF-8") || process.platform === "darwin";
+    box = supportsUnicode ? {
+      topLeft: "\u250C",
+      topRight: "\u2510",
+      bottomLeft: "\u2514",
+      bottomRight: "\u2518",
+      horizontal: "\u2500",
+      vertical: "\u2502",
+      leftT: "\u251C",
+      rightT: "\u2524"
+    } : {
+      topLeft: "+",
+      topRight: "+",
+      bottomLeft: "+",
+      bottomRight: "+",
+      horizontal: "-",
+      vertical: "|",
+      leftT: "+",
+      rightT: "+"
+    };
+  }
+});
+
+// src/utils/stdin-reader.ts
+function isStdinAvailable() {
+  return !process.stdin.isTTY;
+}
+async function readStdin(timeout, maxSize = 1024 * 1024) {
+  return new Promise((resolve7, reject) => {
+    let data = "";
+    let timeoutId;
+    if (timeout) {
+      timeoutId = setTimeout(() => {
+        cleanup();
+        reject(new Error(`Stdin read timeout after ${timeout}ms`));
+      }, timeout);
+    }
+    const cleanup = () => {
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+      process.stdin.removeListener("data", onData);
+      process.stdin.removeListener("end", onEnd);
+      process.stdin.removeListener("error", onError);
+      process.stdin.pause();
+    };
+    const onData = (chunk) => {
+      data += chunk.toString();
+      if (data.length > maxSize) {
+        cleanup();
+        reject(new Error(`Input exceeds maximum size of ${maxSize} bytes`));
+      }
+    };
+    const onEnd = () => {
+      cleanup();
+      resolve7(data.trim());
+    };
+    const onError = (err) => {
+      cleanup();
+      reject(err);
+    };
+    process.stdin.setEncoding("utf8");
+    process.stdin.on("data", onData);
+    process.stdin.on("end", onEnd);
+    process.stdin.on("error", onError);
+    process.stdin.resume();
+  });
+}
+async function tryReadStdin(timeout, maxSize = 1024 * 1024) {
+  if (!isStdinAvailable()) {
+    return null;
+  }
+  try {
+    return await readStdin(timeout, maxSize);
+  } catch {
+    return null;
+  }
+}
+var init_stdin_reader = __esm({
+  "src/utils/stdin-reader.ts"() {
+    "use strict";
+  }
+});
+
+// src/providers/human-input-check-provider.ts
+var fs10, path12, HumanInputCheckProvider;
+var init_human_input_check_provider = __esm({
+  "src/providers/human-input-check-provider.ts"() {
+    "use strict";
+    init_check_provider_interface();
+    init_interactive_prompt();
+    init_stdin_reader();
+    fs10 = __toESM(require("fs"));
+    path12 = __toESM(require("path"));
+    HumanInputCheckProvider = class _HumanInputCheckProvider extends CheckProvider {
+      /**
+       * @deprecated Use ExecutionContext.cliMessage instead
+       * Kept for backward compatibility
+       */
+      static cliMessage;
+      /**
+       * @deprecated Use ExecutionContext.hooks instead
+       * Kept for backward compatibility
+       */
+      static hooks = {};
+      /**
+       * Set the CLI message value (from --message argument)
+       * @deprecated Use ExecutionContext.cliMessage instead
+       */
+      static setCLIMessage(message) {
+        _HumanInputCheckProvider.cliMessage = message;
+      }
+      /**
+       * Get the current CLI message value
+       * @deprecated Use ExecutionContext.cliMessage instead
+       */
+      static getCLIMessage() {
+        return _HumanInputCheckProvider.cliMessage;
+      }
+      /**
+       * Set hooks for SDK mode
+       * @deprecated Use ExecutionContext.hooks instead
+       */
+      static setHooks(hooks) {
+        _HumanInputCheckProvider.hooks = hooks;
+      }
+      getName() {
+        return "human-input";
+      }
+      getDescription() {
+        return "Prompts for human input during workflow execution (CLI interactive or SDK hook)";
+      }
+      async validateConfig(config) {
+        if (!config || typeof config !== "object") {
+          return false;
+        }
+        const cfg = config;
+        if (cfg.type !== "human-input") {
+          return false;
+        }
+        if (!cfg.prompt || typeof cfg.prompt !== "string") {
+          console.error('human-input check requires a "prompt" field');
+          return false;
+        }
+        return true;
+      }
+      /**
+       * Check if a string looks like a file path
+       */
+      looksLikePath(str) {
+        return str.includes("/") || str.includes("\\");
+      }
+      /**
+       * Sanitize user input to prevent injection attacks in dependent checks
+       * Removes potentially dangerous characters while preserving useful input
+       */
+      sanitizeInput(input) {
+        let sanitized = input.replace(/\0/g, "");
+        sanitized = sanitized.replace(/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]/g, "");
+        const maxLength = 100 * 1024;
+        if (sanitized.length > maxLength) {
+          sanitized = sanitized.substring(0, maxLength);
         }
-        if (value !== null && value !== void 0 && typeof value.toString === "function") {
-          const converted = String(value).trim();
-          return converted.length > 0 ? converted : null;
+        return sanitized;
+      }
+      /**
+       * Try to read message from file if it exists
+       * Validates path to prevent directory traversal attacks
+       */
+      async tryReadFile(filePath) {
+        try {
+          const absolutePath = path12.isAbsolute(filePath) ? filePath : path12.resolve(process.cwd(), filePath);
+          const normalizedPath = path12.normalize(absolutePath);
+          const cwd = process.cwd();
+          if (!normalizedPath.startsWith(cwd + path12.sep) && normalizedPath !== cwd) {
+            return null;
+          }
+          try {
+            await fs10.promises.access(normalizedPath, fs10.constants.R_OK);
+            const stats = await fs10.promises.stat(normalizedPath);
+            if (!stats.isFile()) {
+              return null;
+            }
+            const content = await fs10.promises.readFile(normalizedPath, "utf-8");
+            return content.trim();
+          } catch {
+            return null;
+          }
+        } catch {
         }
         return null;
       }
-      toNumber(value) {
-        if (value === null || value === void 0) {
-          return null;
+      /**
+       * Get user input through various methods
+       */
+      async getUserInput(checkName, config, context) {
+        const prompt = config.prompt || "Please provide input:";
+        const placeholder = config.placeholder || "Enter your response...";
+        const allowEmpty = config.allow_empty ?? false;
+        const multiline = config.multiline ?? false;
+        const timeout = config.timeout ? config.timeout * 1e3 : void 0;
+        const defaultValue = config.default;
+        const cliMessage = context?.cliMessage ?? _HumanInputCheckProvider.cliMessage;
+        if (cliMessage !== void 0) {
+          const message = cliMessage;
+          if (this.looksLikePath(message)) {
+            const fileContent = await this.tryReadFile(message);
+            if (fileContent !== null) {
+              return fileContent;
+            }
+          }
+          return message;
         }
-        const num = Number(value);
-        if (Number.isFinite(num)) {
-          return Math.trunc(num);
+        const stdinInput = await tryReadStdin(timeout);
+        if (stdinInput !== null && stdinInput.length > 0) {
+          return stdinInput;
+        }
+        const hooks = context?.hooks ?? _HumanInputCheckProvider.hooks;
+        if (hooks?.onHumanInput) {
+          const request = {
+            checkId: checkName,
+            prompt,
+            placeholder,
+            allowEmpty,
+            multiline,
+            timeout,
+            default: defaultValue
+          };
+          try {
+            const result = await hooks.onHumanInput(request);
+            return result;
+          } catch (error) {
+            throw new Error(
+              `Hook onHumanInput failed: ${error instanceof Error ? error.message : String(error)}`
+            );
+          }
+        }
+        if (process.stdin.isTTY) {
+          try {
+            const result = await interactivePrompt({
+              prompt,
+              placeholder,
+              multiline,
+              timeout,
+              defaultValue,
+              allowEmpty
+            });
+            return result;
+          } catch (error) {
+            throw new Error(
+              `Interactive prompt failed: ${error instanceof Error ? error.message : String(error)}`
+            );
+          }
+        }
+        try {
+          const result = await simplePrompt(prompt);
+          if (!result && !allowEmpty && !defaultValue) {
+            throw new Error("Empty input not allowed");
+          }
+          return result || defaultValue || "";
+        } catch (error) {
+          throw new Error(
+            `Simple prompt failed: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
+      }
+      async execute(_prInfo, config, _dependencyResults, context) {
+        const checkName = config.checkName || "human-input";
+        try {
+          const userInput = await this.getUserInput(checkName, config, context);
+          const sanitizedInput = this.sanitizeInput(userInput);
+          return {
+            issues: [],
+            output: sanitizedInput
+          };
+        } catch (error) {
+          return {
+            issues: [
+              {
+                file: "",
+                line: 0,
+                ruleId: "human-input-error",
+                message: `Failed to get user input: ${error instanceof Error ? error.message : String(error)}`,
+                severity: "error",
+                category: "logic"
+              }
+            ]
+          };
         }
-        return null;
       }
       getSupportedConfigKeys() {
         return [
           "type",
-          "transport",
-          "command",
-          "args",
-          "env",
-          "workingDirectory",
-          "url",
-          "headers",
-          "sessionId",
-          "method",
-          "methodArgs",
-          "argsTransform",
-          "transform",
-          "transform_js",
+          "prompt",
+          "placeholder",
+          "allow_empty",
+          "multiline",
           "timeout",
+          "default",
           "depends_on",
           "on",
           "if",
@@ -8460,7 +9323,11 @@ var init_mcp_check_provider = __esm({
         return true;
       }
       getRequirements() {
-        return ["MCP method name specified", "Transport configuration (stdio: command, sse/http: url)"];
+        return [
+          "No external dependencies required",
+          "Works in CLI mode with --message argument, piped stdin, or interactive prompts",
+          "SDK mode requires onHumanInput hook to be configured"
+        ];
       }
     };
   }
@@ -8482,6 +9349,7 @@ var init_check_provider_registry = __esm({
     init_command_check_provider();
     init_memory_check_provider();
     init_mcp_check_provider();
+    init_human_input_check_provider();
     CheckProviderRegistry = class _CheckProviderRegistry {
       providers = /* @__PURE__ */ new Map();
       static instance;
@@ -8510,6 +9378,7 @@ var init_check_provider_registry = __esm({
         this.register(new LogCheckProvider());
         this.register(new MemoryCheckProvider());
         this.register(new GitHubOpsProvider());
+        this.register(new HumanInputCheckProvider());
         try {
           this.register(new ClaudeCodeCheckProvider());
         } catch (error) {
@@ -8821,80 +9690,37 @@ var init_dependency_resolver = __esm({
   }
 });
 
-// src/telemetry/fallback-ndjson.ts
-var fallback_ndjson_exports = {};
-__export(fallback_ndjson_exports, {
-  emitNdjsonFallback: () => emitNdjsonFallback,
-  emitNdjsonSpanWithEvents: () => emitNdjsonSpanWithEvents,
-  flushNdjson: () => flushNdjson
-});
-function resolveTargetPath(outDir) {
-  if (process.env.VISOR_FALLBACK_TRACE_FILE) {
-    CURRENT_FILE = process.env.VISOR_FALLBACK_TRACE_FILE;
-    return CURRENT_FILE;
-  }
-  if (CURRENT_FILE) return CURRENT_FILE;
-  const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  CURRENT_FILE = path9.join(outDir, `${ts}.ndjson`);
-  return CURRENT_FILE;
-}
-function isEnabled() {
-  if (process.env.VISOR_FALLBACK_TRACE_FILE) return true;
-  return process.env.VISOR_TELEMETRY_ENABLED === "true" && (process.env.VISOR_TELEMETRY_SINK || "file") === "file";
+// src/telemetry/trace-helpers.ts
+function getTracer() {
+  return import_api4.trace.getTracer("visor");
 }
-function appendAsync(outDir, line) {
-  writeChain = writeChain.then(async () => {
-    if (!dirReady) {
+async function withActiveSpan(name, attrs, fn) {
+  const tracer = getTracer();
+  return await new Promise((resolve7, reject) => {
+    const callback = async (span) => {
       try {
-        await fs8.promises.mkdir(outDir, { recursive: true });
-      } catch {
+        const res = await fn(span);
+        resolve7(res);
+      } catch (err) {
+        try {
+          if (err instanceof Error) span.recordException(err);
+          span.setStatus({ code: import_api4.SpanStatusCode.ERROR });
+        } catch {
+        }
+        reject(err);
+      } finally {
+        try {
+          span.end();
+        } catch {
+        }
       }
-      dirReady = true;
-    }
-    const target = resolveTargetPath(outDir);
-    await fs8.promises.appendFile(target, line, "utf8");
-  }).catch(() => {
+    };
+    const options = attrs ? { attributes: attrs } : {};
+    tracer.startActiveSpan(name, options, callback);
   });
 }
-async function flushNdjson() {
-  try {
-    await writeChain;
-  } catch {
-  }
-}
-function emitNdjsonFallback(name, attrs) {
-  try {
-    if (!isEnabled()) return;
-    const outDir = process.env.VISOR_TRACE_DIR || path9.join(process.cwd(), "output", "traces");
-    const line = JSON.stringify({ name, attributes: attrs }) + "\n";
-    appendAsync(outDir, line);
-  } catch {
-  }
-}
-function emitNdjsonSpanWithEvents(name, attrs, events) {
-  try {
-    if (!isEnabled()) return;
-    const outDir = process.env.VISOR_TRACE_DIR || path9.join(process.cwd(), "output", "traces");
-    const line = JSON.stringify({ name, attributes: attrs, events }) + "\n";
-    appendAsync(outDir, line);
-  } catch {
-  }
-}
-var fs8, path9, CURRENT_FILE, dirReady, writeChain;
-var init_fallback_ndjson = __esm({
-  "src/telemetry/fallback-ndjson.ts"() {
-    "use strict";
-    fs8 = __toESM(require("fs"));
-    path9 = __toESM(require("path"));
-    CURRENT_FILE = null;
-    dirReady = false;
-    writeChain = Promise.resolve();
-  }
-});
-
-// src/telemetry/trace-helpers.ts
 function addEvent(name, attrs) {
-  const span = import_api.trace.getSpan(import_api.context.active());
+  const span = import_api4.trace.getSpan(import_api4.context.active());
   if (span) {
     try {
       span.addEvent(name, attrs);
@@ -8913,11 +9739,11 @@ function addEvent(name, attrs) {
   } catch {
   }
 }
-var import_api;
+var import_api4;
 var init_trace_helpers = __esm({
   "src/telemetry/trace-helpers.ts"() {
     "use strict";
-    import_api = require("@opentelemetry/api");
+    import_api4 = require("@opentelemetry/api");
   }
 });
 
@@ -8972,26 +9798,26 @@ function addDiagramBlock(origin) {
   } catch {
   }
 }
-var import_api2, initialized, meter, TEST_ENABLED, TEST_SNAPSHOT, checkDurationHist, providerDurationHist, foreachDurationHist, issuesCounter, activeChecks, failIfCounter, diagramBlocks;
+var import_api5, initialized, meter, TEST_ENABLED, TEST_SNAPSHOT, checkDurationHist, providerDurationHist, foreachDurationHist, issuesCounter, activeChecks, failIfCounter, diagramBlocks;
 var init_metrics = __esm({
   "src/telemetry/metrics.ts"() {
     "use strict";
-    import_api2 = require("@opentelemetry/api");
+    import_api5 = require("@opentelemetry/api");
     initialized = false;
-    meter = import_api2.metrics.getMeter("visor");
+    meter = import_api5.metrics.getMeter("visor");
     TEST_ENABLED = process.env.VISOR_TEST_METRICS === "true";
     TEST_SNAPSHOT = { fail_if_triggered: 0 };
   }
 });
 
 // src/failure-condition-evaluator.ts
-var import_sandboxjs5, FailureConditionEvaluator;
+var FailureConditionEvaluator;
 var init_failure_condition_evaluator = __esm({
   "src/failure-condition-evaluator.ts"() {
     "use strict";
     init_trace_helpers();
     init_metrics();
-    import_sandboxjs5 = __toESM(require("@nyariv/sandboxjs"));
+    init_sandbox();
     init_author_permissions();
     init_memory_store();
     FailureConditionEvaluator = class _FailureConditionEvaluator {
@@ -9002,54 +9828,7 @@ var init_failure_condition_evaluator = __esm({
        * Create a secure sandbox with whitelisted functions and globals
        */
       createSecureSandbox() {
-        const globals = {
-          ...import_sandboxjs5.default.SAFE_GLOBALS,
-          // Allow Math for calculations
-          Math,
-          // Allow console for debugging (in controlled environment)
-          console: {
-            log: console.log,
-            warn: console.warn,
-            error: console.error
-          }
-        };
-        const prototypeWhitelist = new Map(import_sandboxjs5.default.SAFE_PROTOTYPES);
-        const arrayMethods = /* @__PURE__ */ new Set([
-          "some",
-          "every",
-          "filter",
-          "map",
-          "reduce",
-          "find",
-          "includes",
-          "indexOf",
-          "length",
-          "slice",
-          "concat",
-          "join"
-        ]);
-        prototypeWhitelist.set(Array.prototype, arrayMethods);
-        const stringMethods = /* @__PURE__ */ new Set([
-          "toLowerCase",
-          "toUpperCase",
-          "includes",
-          "indexOf",
-          "startsWith",
-          "endsWith",
-          "slice",
-          "substring",
-          "length",
-          "trim",
-          "split",
-          "replace"
-        ]);
-        prototypeWhitelist.set(String.prototype, stringMethods);
-        const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf"]);
-        prototypeWhitelist.set(Object.prototype, objectMethods);
-        return new import_sandboxjs5.default({
-          globals,
-          prototypeWhitelist
-        });
+        return createSecureSandbox();
       }
       /**
        * Evaluate simple fail_if condition
@@ -9322,7 +10101,7 @@ var init_failure_condition_evaluator = __esm({
        */
       evaluateExpression(condition, context) {
         try {
-          const normalize2 = (expr) => {
+          const normalize3 = (expr) => {
             const trimmed = expr.trim();
             if (!/[\n;]/.test(trimmed)) return trimmed;
             const parts = trimmed.split(/[\n;]+/).map((s) => s.trim()).filter((s) => s.length > 0 && !s.startsWith("//"));
@@ -9465,7 +10244,7 @@ var init_failure_condition_evaluator = __esm({
           try {
             exec = this.sandbox.compile(`return (${raw});`);
           } catch {
-            const normalizedExpr = normalize2(condition);
+            const normalizedExpr = normalize3(condition);
             exec = this.sandbox.compile(`return (${normalizedExpr});`);
           }
           const result = exec(scope).run();
@@ -10175,16 +10954,16 @@ function emitMermaidFromMarkdown(checkName, markdown, origin) {
         addEvent("diagram.block", { check: checkName, origin, code });
         addDiagramBlock(origin);
         if (process.env.VISOR_TRACE_REPORT === "true") {
-          const outDir = process.env.VISOR_TRACE_DIR || path10.join(process.cwd(), "output", "traces");
+          const outDir = process.env.VISOR_TRACE_DIR || path13.join(process.cwd(), "output", "traces");
           try {
-            if (!fs9.existsSync(outDir)) fs9.mkdirSync(outDir, { recursive: true });
+            if (!fs11.existsSync(outDir)) fs11.mkdirSync(outDir, { recursive: true });
             const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-            const jsonPath = path10.join(outDir, `${ts}.trace.json`);
-            const htmlPath = path10.join(outDir, `${ts}.report.html`);
+            const jsonPath = path13.join(outDir, `${ts}.trace.json`);
+            const htmlPath = path13.join(outDir, `${ts}.report.html`);
             let data = { spans: [] };
-            if (fs9.existsSync(jsonPath)) {
+            if (fs11.existsSync(jsonPath)) {
               try {
-                data = JSON.parse(fs9.readFileSync(jsonPath, "utf8"));
+                data = JSON.parse(fs11.readFileSync(jsonPath, "utf8"));
               } catch {
                 data = { spans: [] };
               }
@@ -10192,9 +10971,9 @@ function emitMermaidFromMarkdown(checkName, markdown, origin) {
             data.spans.push({
               events: [{ name: "diagram.block", attrs: { check: checkName, origin, code } }]
             });
-            fs9.writeFileSync(jsonPath, JSON.stringify(data, null, 2), "utf8");
-            if (!fs9.existsSync(htmlPath)) {
-              fs9.writeFileSync(
+            fs11.writeFileSync(jsonPath, JSON.stringify(data, null, 2), "utf8");
+            if (!fs11.existsSync(htmlPath)) {
+              fs11.writeFileSync(
                 htmlPath,
                 '<!doctype html><html><head><meta charset="utf-8"/><title>Visor Trace Report</title></head><body><h2>Visor Trace Report</h2></body></html>',
                 "utf8"
@@ -10210,14 +10989,14 @@ function emitMermaidFromMarkdown(checkName, markdown, origin) {
   }
   return count;
 }
-var fs9, path10, MERMAID_RE;
+var fs11, path13, MERMAID_RE;
 var init_mermaid_telemetry = __esm({
   "src/utils/mermaid-telemetry.ts"() {
     "use strict";
     init_trace_helpers();
     init_metrics();
-    fs9 = __toESM(require("fs"));
-    path10 = __toESM(require("path"));
+    fs11 = __toESM(require("fs"));
+    path13 = __toESM(require("path"));
     MERMAID_RE = /```mermaid\s*\n([\s\S]*?)\n```/gi;
   }
 });
@@ -10250,7 +11029,7 @@ function getSafeEnvironmentVariables() {
   }
   return safeEnv;
 }
-var import_sandboxjs6, CheckExecutionEngine;
+var import_api6, CheckExecutionEngine;
 var init_check_execution_engine = __esm({
   "src/check-execution-engine.ts"() {
     "use strict";
@@ -10263,12 +11042,14 @@ var init_check_execution_engine = __esm({
     init_github_check_service();
     init_issue_filter();
     init_logger();
-    import_sandboxjs6 = __toESM(require("@nyariv/sandboxjs"));
+    init_sandbox();
     init_author_permissions();
     init_memory_store();
     init_fallback_ndjson();
     init_trace_helpers();
     init_metrics();
+    import_api6 = require("@opentelemetry/api");
+    init_state_capture();
     CheckExecutionEngine = class _CheckExecutionEngine {
       gitAnalyzer;
       mockOctokit;
@@ -10287,6 +11068,8 @@ var init_check_execution_engine = __esm({
       outputHistory = /* @__PURE__ */ new Map();
       // Event override to simulate alternate event (used during routing goto)
       routingEventOverride;
+      // Execution context for providers (CLI message, hooks, etc.)
+      executionContext;
       // Cached GitHub context for context elevation when running in Actions
       actionContext;
       constructor(workingDirectory, octokit) {
@@ -10316,19 +11099,19 @@ var init_check_execution_engine = __esm({
         }
         return baseContext;
       }
+      /**
+       * Set execution context for providers (CLI message, hooks, etc.)
+       * This allows passing state without using static properties
+       */
+      setExecutionContext(context) {
+        this.executionContext = context;
+      }
       /**
        * Lazily create a secure sandbox for routing JS (goto_js, run_js)
        */
       getRoutingSandbox() {
         if (this.routingSandbox) return this.routingSandbox;
-        const globals = {
-          ...import_sandboxjs6.default.SAFE_GLOBALS,
-          Math,
-          JSON,
-          console: { log: console.log }
-        };
-        const prototypeWhitelist = new Map(import_sandboxjs6.default.SAFE_PROTOTYPES);
-        this.routingSandbox = new import_sandboxjs6.default({ globals, prototypeWhitelist });
+        this.routingSandbox = createSecureSandbox();
         return this.routingSandbox;
       }
       redact(str, limit = 200) {
@@ -10340,7 +11123,7 @@ var init_check_execution_engine = __esm({
         }
       }
       async sleep(ms) {
-        return new Promise((resolve4) => setTimeout(resolve4, ms));
+        return new Promise((resolve7) => setTimeout(resolve7, ms));
       }
       deterministicJitter(baseMs, seedStr) {
         let h = 2166136261;
@@ -10401,16 +11184,16 @@ var init_check_execution_engine = __esm({
               ),
               event: eventObj
             };
-            const code = `
-          const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const log = (...a)=>console.log('\u{1F50D} Debug:',...a); const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;
-          const __fn = () => {
-${expr}
-};
-          const __res = __fn();
-          return Array.isArray(__res) ? __res : (__res ? [__res] : []);
-        `;
-            const exec = sandbox.compile(code);
-            const res = exec({ scope }).run();
+            const prelude = `const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;`;
+            const code = `${prelude}
+${expr}`;
+            const result = compileAndRun(
+              sandbox,
+              code,
+              { scope },
+              { injectLog: false, wrapFunction: true }
+            );
+            const res = Array.isArray(result) ? result : result ? [result] : [];
             if (debug) {
               log2(`\u{1F527} Debug: run_js evaluated \u2192 [${this.redact(res)}]`);
             }
@@ -10454,16 +11237,15 @@ ${expr}
               ),
               event: eventObj
             };
-            const code = `
-          const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const log = (...a)=>console.log('\u{1F50D} Debug:',...a); const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;
-          const __fn = () => {
-${expr}
-};
-          const __res = __fn();
-          return (typeof __res === 'string' && __res) ? __res : null;
-        `;
-            const exec = sandbox.compile(code);
-            const res = exec({ scope }).run();
+            const prelude2 = `const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;`;
+            const code2 = `${prelude2}
+${expr}`;
+            const res = compileAndRun(
+              sandbox,
+              code2,
+              { scope },
+              { injectLog: false, wrapFunction: true }
+            );
             if (debug) {
               log2(`\u{1F527} Debug: goto_js evaluated \u2192 ${this.redact(res)}`);
             }
@@ -10583,7 +11365,11 @@ ${expr}
           }
           let r;
           try {
-            r = await prov.execute(prInfoForInline, provCfg, depResults, sessionInfo);
+            const inlineContext = {
+              ...sessionInfo,
+              ...this.executionContext
+            };
+            r = await prov.execute(prInfoForInline, provCfg, depResults, inlineContext);
           } finally {
             this.routingEventOverride = prevEventOverride;
           }
@@ -10614,7 +11400,31 @@ ${expr}
               });
             } catch {
             }
-            const res = await provider.execute(prInfo, providerConfig, dependencyResults, sessionInfo);
+            const context = {
+              ...sessionInfo,
+              ...this.executionContext
+            };
+            const res = await withActiveSpan(
+              `visor.check.${checkName}`,
+              {
+                "visor.check.id": checkName,
+                "visor.check.type": providerConfig.type || "ai",
+                "visor.check.attempt": attempt
+              },
+              async () => {
+                try {
+                  return await provider.execute(prInfo, providerConfig, dependencyResults, context);
+                } finally {
+                  try {
+                    emitNdjsonSpanWithEvents("visor.check", { "visor.check.id": checkName }, [
+                      { name: "check.started" },
+                      { name: "check.completed" }
+                    ]);
+                  } catch {
+                  }
+                }
+              }
+            );
             try {
               currentRouteOutput = res?.output;
             } catch {
@@ -11242,7 +12052,7 @@ ${expr}
       /**
        * Execute review checks and return grouped results with statistics for new architecture
        */
-      async executeGroupedChecks(prInfo, checks, timeout, config, outputFormat, debug, maxParallelism, failFast, tagFilter) {
+      async executeGroupedChecks(prInfo, checks, timeout, config, outputFormat, debug, maxParallelism, failFast, tagFilter, _pauseGate) {
         const logFn = outputFormat === "json" || outputFormat === "sarif" ? debug ? console.error : () => {
         } : console.log;
         if (debug) {
@@ -11315,7 +12125,8 @@ ${expr}
             logFn,
             debug,
             maxParallelism,
-            failFast
+            failFast,
+            _pauseGate
           );
         }
         if (checks.length === 1) {
@@ -11328,7 +12139,8 @@ ${expr}
             timeout,
             config,
             logFn,
-            debug
+            debug,
+            _pauseGate
           );
           const groupedResults = {};
           groupedResults[checkResult.group] = [checkResult];
@@ -11345,7 +12157,7 @@ ${expr}
       /**
        * Execute single check and return grouped result
        */
-      async executeSingleGroupedCheck(prInfo, checkName, timeout, config, logFn, debug) {
+      async executeSingleGroupedCheck(prInfo, checkName, timeout, config, logFn, debug, _pauseGate) {
         if (!config?.checks?.[checkName]) {
           throw new Error(`No configuration found for check: ${checkName}`);
         }
@@ -11359,6 +12171,8 @@ ${expr}
           focus: checkConfig.focus || this.mapCheckNameToFocus(checkName),
           schema: checkConfig.schema,
           group: checkConfig.group,
+          checkName,
+          // propagate for fallback NDJSON attribution
           eventContext: this.enrichEventContext(prInfo.eventContext),
           ai: {
             timeout: timeout || 6e5,
@@ -11473,7 +12287,7 @@ ${expr}
       /**
        * Execute multiple checks with dependency awareness - return grouped results with statistics
        */
-      async executeGroupedDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast) {
+      async executeGroupedDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast, pauseGate) {
         const reviewSummary = await this.executeDependencyAwareChecks(
           prInfo,
           checks,
@@ -11482,7 +12296,8 @@ ${expr}
           logFn,
           debug,
           maxParallelism,
-          failFast
+          failFast,
+          pauseGate
         );
         const executionStatistics = this.buildExecutionStatistics();
         const groupedResults = await this.convertReviewSummaryToGroupedResults(
@@ -11583,7 +12398,7 @@ ${expr}
        * - Enforcing .liquid file extension
        */
       async validateTemplatePath(templatePath) {
-        const path13 = await import("path");
+        const path16 = await import("path");
         if (!templatePath || typeof templatePath !== "string" || templatePath.trim() === "") {
           throw new Error("Template path must be a non-empty string");
         }
@@ -11593,7 +12408,7 @@ ${expr}
         if (!templatePath.endsWith(".liquid")) {
           throw new Error("Template file must have .liquid extension");
         }
-        if (path13.isAbsolute(templatePath)) {
+        if (path16.isAbsolute(templatePath)) {
           throw new Error("Template path must be relative to project directory");
         }
         if (templatePath.includes("..")) {
@@ -11607,14 +12422,14 @@ ${expr}
         if (!projectRoot || typeof projectRoot !== "string") {
           throw new Error("Unable to determine project root directory");
         }
-        const resolvedPath = path13.resolve(projectRoot, templatePath);
-        const resolvedProjectRoot = path13.resolve(projectRoot);
+        const resolvedPath = path16.resolve(projectRoot, templatePath);
+        const resolvedProjectRoot = path16.resolve(projectRoot);
         if (!resolvedPath || !resolvedProjectRoot || resolvedPath === "" || resolvedProjectRoot === "") {
           throw new Error(
             `Unable to resolve template path: projectRoot="${projectRoot}", templatePath="${templatePath}", resolvedPath="${resolvedPath}", resolvedProjectRoot="${resolvedProjectRoot}"`
           );
         }
-        if (!resolvedPath.startsWith(resolvedProjectRoot + path13.sep) && resolvedPath !== resolvedProjectRoot) {
+        if (!resolvedPath.startsWith(resolvedProjectRoot + path16.sep) && resolvedPath !== resolvedProjectRoot) {
           throw new Error("Template path escapes project directory");
         }
         return resolvedPath;
@@ -11658,8 +12473,8 @@ ${expr}
           return directContent.trim();
         }
         const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-        const fs12 = await import("fs/promises");
-        const path13 = await import("path");
+        const fs14 = await import("fs/promises");
+        const path16 = await import("path");
         const liquid = createExtendedLiquid2({
           trimTagLeft: false,
           trimTagRight: false,
@@ -11682,7 +12497,7 @@ ${expr}
             templateContent = checkConfig.template.content;
           } else if (checkConfig.template.file) {
             const validatedPath = await this.validateTemplatePath(checkConfig.template.file);
-            templateContent = await fs12.readFile(validatedPath, "utf-8");
+            templateContent = await fs14.readFile(validatedPath, "utf-8");
           } else {
             throw new Error('Custom template must specify either "file" or "content"');
           }
@@ -11693,8 +12508,8 @@ ${expr}
           if (!sanitizedSchema) {
             throw new Error("Invalid schema name");
           }
-          const templatePath = path13.join(__dirname, `output/${sanitizedSchema}/template.liquid`);
-          templateContent = await fs12.readFile(templatePath, "utf-8");
+          const templatePath = path16.join(__dirname, `output/${sanitizedSchema}/template.liquid`);
+          templateContent = await fs14.readFile(templatePath, "utf-8");
           if (sanitizedSchema === "issue-assistant") {
             enrichAssistantContext = true;
           }
@@ -11802,7 +12617,7 @@ ${expr}
       /**
        * Execute multiple checks with dependency awareness - intelligently parallel and sequential
        */
-      async executeDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast) {
+      async executeDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast, pauseGate) {
         const log2 = logFn || console.error;
         if (debug) {
           log2(`\u{1F527} Debug: Starting dependency-aware execution of ${checks.length} checks`);
@@ -11937,6 +12752,13 @@ ${expr}
           }
           const levelChecks = executionGroup.parallel.filter((name) => !results.has(name));
           const levelTaskFunctions = levelChecks.map((checkName) => async () => {
+            if (pauseGate) {
+              try {
+                await pauseGate();
+              } catch {
+                return { checkName, error: "__STOP__", result: null, skipped: true };
+              }
+            }
             if (results.has(checkName)) {
               if (debug) log2(`\u{1F527} Debug: Skipping ${checkName} (already satisfied earlier)`);
               return { checkName, error: null, result: results.get(checkName) };
@@ -12025,7 +12847,7 @@ ${expr}
                   });
                   if (!hasFatalFailure && config && (config.fail_if || config.checks[depId]?.fail_if)) {
                     try {
-                      hasFatalFailure = await this.failIfTriggered(depId, depRes, config);
+                      hasFatalFailure = await this.failIfTriggered(depId, depRes, config, results);
                     } catch {
                     }
                   }
@@ -12258,7 +13080,9 @@ ${expr}
                         const fRes = await this.evaluateFailureConditions(
                           childName,
                           childItemRes,
-                          config
+                          config,
+                          prInfo,
+                          results
                         );
                         if (fRes.length > 0) {
                           const fIssues = fRes.filter((f) => f.failed).map((f) => ({
@@ -12301,6 +13125,13 @@ ${expr}
                     }
                   };
                   const itemTasks = forEachItems.map((item, itemIndex) => async () => {
+                    if (pauseGate) {
+                      try {
+                        await pauseGate();
+                      } catch {
+                        throw new Error("__STOP__");
+                      }
+                    }
                     try {
                       emitNdjsonSpanWithEvents(
                         "visor.foreach.item",
@@ -12313,6 +13144,13 @@ ${expr}
                       );
                     } catch {
                     }
+                    try {
+                      const span = import_api6.trace.getSpan(import_api6.context.active());
+                      if (span) {
+                        captureForEachState(span, forEachItems, itemIndex, item);
+                      }
+                    } catch {
+                    }
                     const forEachDependencyResults = /* @__PURE__ */ new Map();
                     for (const [depName, depResult] of dependencyResults) {
                       if (forEachParents.includes(depName)) {
@@ -12363,7 +13201,9 @@ ${expr}
                             const depFailures = await this.evaluateFailureConditions(
                               depId,
                               depItemRes,
-                              config
+                              config,
+                              prInfo,
+                              results
                             );
                             hasFatalDepFailure = depFailures.some((f) => f.failed);
                           } catch {
@@ -12439,7 +13279,9 @@ ${expr}
                       const itemFailures = await this.evaluateFailureConditions(
                         checkName,
                         itemResult,
-                        config
+                        config,
+                        prInfo,
+                        results
                       );
                       if (itemFailures.length > 0) {
                         const failureIssues = itemFailures.filter((f) => f.failed).map((f) => ({
@@ -12609,7 +13451,13 @@ ${expr}
                           { index: itemIndex, total: forEachItems.length, parent: forEachParentName }
                         );
                         if (config && (config.fail_if || nodeCfg.fail_if)) {
-                          const fRes = await this.evaluateFailureConditions(node, nodeItemRes, config);
+                          const fRes = await this.evaluateFailureConditions(
+                            node,
+                            nodeItemRes,
+                            config,
+                            prInfo,
+                            results
+                          );
                           if (fRes.length > 0) {
                             const fIssues = fRes.filter((f) => f.failed).map((f) => ({
                               file: "system",
@@ -12704,7 +13552,13 @@ ${expr}
                             rForEval = { ...r, output: parsed };
                           }
                         }
-                        const failures = await this.evaluateFailureConditions(parent, rForEval, config);
+                        const failures = await this.evaluateFailureConditions(
+                          parent,
+                          rForEval,
+                          config,
+                          prInfo,
+                          results
+                        );
                         if (failures.some((f) => f.failed)) {
                         }
                         if (failures.some((f) => f.failed)) return true;
@@ -12823,7 +13677,9 @@ ${expr}
                             const failures = await this.evaluateFailureConditions(
                               checkName,
                               r,
-                              config
+                              config,
+                              prInfo,
+                              results
                             );
                             hadFatal = failures.some((f) => f.failed);
                           } catch {
@@ -12930,7 +13786,9 @@ ${expr}
                   const failureResults = await this.evaluateFailureConditions(
                     checkName,
                     finalResult,
-                    config
+                    config,
+                    prInfo,
+                    results
                   );
                   if (failureResults.length > 0) {
                     const failureIssues = failureResults.filter((f) => f.failed).map((f) => ({
@@ -13045,6 +13903,14 @@ ${error.stack || ""}` : String(error);
             const checkName = levelChecksList[i];
             const result = levelResults[i];
             const checkConfig = config.checks[checkName];
+            if (result.status === "fulfilled" && result.value?.error === "__STOP__") {
+              shouldStopExecution = true;
+              break;
+            }
+            if (result.status === "rejected" && result.reason instanceof Error && result.reason.message === "__STOP__") {
+              shouldStopExecution = true;
+              break;
+            }
             if (result.status === "fulfilled" && result.value.result && !result.value.error) {
               if (result.value.skipped) {
                 if (debug) {
@@ -13105,6 +13971,21 @@ ${error.stack || ""}` : String(error);
                 this.trackOutputHistory(checkName, reviewResultWithOutput.output);
               }
               results.set(checkName, reviewResult);
+              try {
+                const span = import_api6.trace.getSpan(import_api6.context.active());
+                if (span) {
+                  const allOutputs = {};
+                  results.forEach((result2, name) => {
+                    if (result2.output !== void 0) {
+                      allOutputs[name] = result2.output;
+                    }
+                  });
+                  const memoryStore = MemoryStore.getInstance();
+                  const memoryData = await memoryStore.getAll();
+                  captureStateSnapshot(span, checkName, allOutputs, memoryData);
+                }
+              } catch {
+              }
             } else {
               const errorSummary = {
                 issues: [
@@ -13823,13 +14704,14 @@ ${result.value.result.debug.rawResponse}`;
       /**
        * Evaluate failure conditions for a check result
        */
-      async evaluateFailureConditions(checkName, reviewSummary, config, prInfo) {
+      async evaluateFailureConditions(checkName, reviewSummary, config, prInfo, previousOutputs) {
         if (!config) {
           return [];
         }
         const checkConfig = config.checks[checkName];
         const checkSchema = typeof checkConfig?.schema === "object" ? "custom" : checkConfig?.schema || "";
         const checkGroup = checkConfig?.group || "";
+        const outputsRecord = previousOutputs ? previousOutputs instanceof Map ? Object.fromEntries(previousOutputs.entries()) : previousOutputs : void 0;
         const globalFailIf = config.fail_if;
         const checkFailIf = checkConfig?.fail_if;
         if (globalFailIf || checkFailIf) {
@@ -13840,7 +14722,8 @@ ${result.value.result.debug.rawResponse}`;
               checkSchema,
               checkGroup,
               reviewSummary,
-              globalFailIf
+              globalFailIf,
+              outputsRecord
             );
             try {
               addEvent("fail_if.evaluated", {
@@ -13905,7 +14788,8 @@ ${result.value.result.debug.rawResponse}`;
               checkSchema,
               checkGroup,
               reviewSummary,
-              checkFailIf
+              checkFailIf,
+              outputsRecord
             );
             try {
               addEvent("fail_if.evaluated", {
@@ -14434,9 +15318,15 @@ ${result.value.result.debug.rawResponse}`;
         if (!issues || issues.length === 0) return false;
         return issues.some((i) => this.isFatalRule(i.ruleId || "", i.severity));
       }
-      async failIfTriggered(checkName, result, config) {
+      async failIfTriggered(checkName, result, config, previousOutputs) {
         if (!config) return false;
-        const failures = await this.evaluateFailureConditions(checkName, result, config);
+        const failures = await this.evaluateFailureConditions(
+          checkName,
+          result,
+          config,
+          void 0,
+          previousOutputs
+        );
         return failures.some((f) => f.failed);
       }
       /**
@@ -14834,9 +15724,13 @@ var init_config_schema = __esm({
               ],
               description: 'Extends from other configurations - can be file path, HTTP(S) URL, or "default"'
             },
+            steps: {
+              $ref: "#/definitions/Record%3Cstring%2CCheckConfig%3E",
+              description: "Step configurations (recommended)"
+            },
             checks: {
               $ref: "#/definitions/Record%3Cstring%2CCheckConfig%3E",
-              description: "Check configurations"
+              description: "Check configurations (legacy, use 'steps' instead) - always populated after normalization"
             },
             output: {
               $ref: "#/definitions/OutputConfig",
@@ -14891,7 +15785,7 @@ var init_config_schema = __esm({
               description: "Optional routing defaults for retry/goto/run policies"
             }
           },
-          required: ["version", "checks", "output"],
+          required: ["version", "output"],
           additionalProperties: false,
           description: "Main Visor configuration",
           patternProperties: {
@@ -15175,7 +16069,8 @@ var init_config_schema = __esm({
             "memory",
             "github",
             "claude-code",
-            "mcp"
+            "mcp",
+            "human-input"
           ],
           description: "Valid check types in configuration"
         },
@@ -15879,14 +16774,14 @@ init_check_execution_engine();
 
 // src/config.ts
 var yaml2 = __toESM(require("js-yaml"));
-var fs11 = __toESM(require("fs"));
-var path12 = __toESM(require("path"));
+var fs13 = __toESM(require("fs"));
+var path15 = __toESM(require("path"));
 init_logger();
 var import_simple_git2 = __toESM(require("simple-git"));
 
 // src/utils/config-loader.ts
-var fs10 = __toESM(require("fs"));
-var path11 = __toESM(require("path"));
+var fs12 = __toESM(require("fs"));
+var path14 = __toESM(require("path"));
 var yaml = __toESM(require("js-yaml"));
 var ConfigLoader = class {
   constructor(options = {}) {
@@ -15967,7 +16862,7 @@ var ConfigLoader = class {
         return source.toLowerCase();
       case "local" /* LOCAL */:
         const basePath = this.options.baseDir || process.cwd();
-        return path11.resolve(basePath, source);
+        return path14.resolve(basePath, source);
       default:
         return source;
     }
@@ -15977,19 +16872,19 @@ var ConfigLoader = class {
    */
   async fetchLocalConfig(filePath) {
     const basePath = this.options.baseDir || process.cwd();
-    const resolvedPath = path11.resolve(basePath, filePath);
+    const resolvedPath = path14.resolve(basePath, filePath);
     this.validateLocalPath(resolvedPath);
-    if (!fs10.existsSync(resolvedPath)) {
+    if (!fs12.existsSync(resolvedPath)) {
       throw new Error(`Configuration file not found: ${resolvedPath}`);
     }
     try {
-      const content = fs10.readFileSync(resolvedPath, "utf8");
+      const content = fs12.readFileSync(resolvedPath, "utf8");
       const config = yaml.load(content);
       if (!config || typeof config !== "object") {
         throw new Error(`Invalid YAML in configuration file: ${resolvedPath}`);
       }
       const previousBaseDir = this.options.baseDir;
-      this.options.baseDir = path11.dirname(resolvedPath);
+      this.options.baseDir = path14.dirname(resolvedPath);
       try {
         if (config.extends) {
           const processedConfig = await this.processExtends(config);
@@ -16069,29 +16964,30 @@ var ConfigLoader = class {
   async fetchDefaultConfig() {
     const possiblePaths = [
       // When running as GitHub Action (bundled in dist/)
-      path11.join(__dirname, "defaults", ".visor.yaml"),
+      path14.join(__dirname, "defaults", ".visor.yaml"),
       // When running from source
-      path11.join(__dirname, "..", "..", "defaults", ".visor.yaml"),
+      path14.join(__dirname, "..", "..", "defaults", ".visor.yaml"),
       // Try via package root
-      this.findPackageRoot() ? path11.join(this.findPackageRoot(), "defaults", ".visor.yaml") : "",
+      this.findPackageRoot() ? path14.join(this.findPackageRoot(), "defaults", ".visor.yaml") : "",
       // GitHub Action environment variable
-      process.env.GITHUB_ACTION_PATH ? path11.join(process.env.GITHUB_ACTION_PATH, "defaults", ".visor.yaml") : "",
-      process.env.GITHUB_ACTION_PATH ? path11.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", ".visor.yaml") : ""
+      process.env.GITHUB_ACTION_PATH ? path14.join(process.env.GITHUB_ACTION_PATH, "defaults", ".visor.yaml") : "",
+      process.env.GITHUB_ACTION_PATH ? path14.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", ".visor.yaml") : ""
     ].filter((p) => p);
     let defaultConfigPath;
     for (const possiblePath of possiblePaths) {
-      if (fs10.existsSync(possiblePath)) {
+      if (fs12.existsSync(possiblePath)) {
         defaultConfigPath = possiblePath;
         break;
       }
     }
-    if (defaultConfigPath && fs10.existsSync(defaultConfigPath)) {
+    if (defaultConfigPath && fs12.existsSync(defaultConfigPath)) {
       console.error(`\u{1F4E6} Loading bundled default configuration from ${defaultConfigPath}`);
-      const content = fs10.readFileSync(defaultConfigPath, "utf8");
-      const config = yaml.load(content);
+      const content = fs12.readFileSync(defaultConfigPath, "utf8");
+      let config = yaml.load(content);
       if (!config || typeof config !== "object") {
         throw new Error("Invalid default configuration");
       }
+      config = this.normalizeStepsAndChecks(config);
       if (config.extends) {
         return await this.processExtends(config);
       }
@@ -16166,8 +17062,8 @@ var ConfigLoader = class {
    */
   validateLocalPath(resolvedPath) {
     const projectRoot = this.options.projectRoot || process.cwd();
-    const normalizedPath = path11.normalize(resolvedPath);
-    const normalizedRoot = path11.normalize(projectRoot);
+    const normalizedPath = path14.normalize(resolvedPath);
+    const normalizedRoot = path14.normalize(projectRoot);
     if (!normalizedPath.startsWith(normalizedRoot)) {
       throw new Error(
         `Security error: Path traversal detected. Cannot access files outside project root: ${projectRoot}`
@@ -16193,19 +17089,19 @@ var ConfigLoader = class {
    */
   findPackageRoot() {
     let currentDir = __dirname;
-    const root = path11.parse(currentDir).root;
+    const root = path14.parse(currentDir).root;
     while (currentDir !== root) {
-      const packageJsonPath = path11.join(currentDir, "package.json");
-      if (fs10.existsSync(packageJsonPath)) {
+      const packageJsonPath = path14.join(currentDir, "package.json");
+      if (fs12.existsSync(packageJsonPath)) {
         try {
-          const packageJson = JSON.parse(fs10.readFileSync(packageJsonPath, "utf8"));
+          const packageJson = JSON.parse(fs12.readFileSync(packageJsonPath, "utf8"));
           if (packageJson.name === "@probelabs/visor") {
             return currentDir;
           }
         } catch {
         }
       }
-      currentDir = path11.dirname(currentDir);
+      currentDir = path14.dirname(currentDir);
     }
     return null;
   }
@@ -16222,6 +17118,20 @@ var ConfigLoader = class {
     this.loadedConfigs.clear();
     this.clearCache();
   }
+  /**
+   * Normalize 'checks' and 'steps' keys for backward compatibility
+   * Ensures both keys are present and contain the same data
+   */
+  normalizeStepsAndChecks(config) {
+    if (config.steps && config.checks) {
+      config.checks = config.steps;
+    } else if (config.steps && !config.checks) {
+      config.checks = config.steps;
+    } else if (config.checks && !config.steps) {
+      config.steps = config.checks;
+    }
+    return config;
+  }
 };
 
 // src/config.ts
@@ -16242,6 +17152,7 @@ var ConfigManager = class {
   validCheckTypes = [
     "ai",
     "claude-code",
+    "mcp",
     "command",
     "http",
     "http_input",
@@ -16250,7 +17161,8 @@ var ConfigManager = class {
     "noop",
     "log",
     "memory",
-    "github"
+    "github",
+    "human-input"
   ];
   validEventTriggers = [...VALID_EVENT_TRIGGERS];
   validOutputFormats = ["table", "json", "markdown", "sarif"];
@@ -16260,12 +17172,12 @@ var ConfigManager = class {
    */
   async loadConfig(configPath, options = {}) {
     const { validate = true, mergeDefaults = true, allowedRemotePatterns } = options;
-    const resolvedPath = path12.isAbsolute(configPath) ? configPath : path12.resolve(process.cwd(), configPath);
+    const resolvedPath = path15.isAbsolute(configPath) ? configPath : path15.resolve(process.cwd(), configPath);
     try {
-      if (!fs11.existsSync(resolvedPath)) {
+      if (!fs13.existsSync(resolvedPath)) {
         throw new Error(`Configuration file not found: ${resolvedPath}`);
       }
-      const configContent = fs11.readFileSync(resolvedPath, "utf8");
+      const configContent = fs13.readFileSync(resolvedPath, "utf8");
       let parsedConfig;
       try {
         parsedConfig = yaml2.load(configContent);
@@ -16278,7 +17190,7 @@ var ConfigManager = class {
       }
       if (parsedConfig.extends) {
         const loaderOptions = {
-          baseDir: path12.dirname(resolvedPath),
+          baseDir: path15.dirname(resolvedPath),
           allowRemote: this.isRemoteExtendsAllowed(),
           maxDepth: 10,
           allowedRemotePatterns
@@ -16296,6 +17208,7 @@ var ConfigManager = class {
         parsedConfig = merger.merge(mergedConfig, configWithoutExtends);
         parsedConfig = merger.removeDisabledChecks(parsedConfig);
       }
+      parsedConfig = this.normalizeStepsAndChecks(parsedConfig);
       if (validate) {
         this.validateConfig(parsedConfig);
       }
@@ -16327,9 +17240,9 @@ var ConfigManager = class {
     const gitRoot = await this.findGitRepositoryRoot();
     const searchDirs = [gitRoot, process.cwd()].filter(Boolean);
     for (const baseDir of searchDirs) {
-      const possiblePaths = [path12.join(baseDir, ".visor.yaml"), path12.join(baseDir, ".visor.yml")];
+      const possiblePaths = [path15.join(baseDir, ".visor.yaml"), path15.join(baseDir, ".visor.yml")];
       for (const configPath of possiblePaths) {
-        if (fs11.existsSync(configPath)) {
+        if (fs13.existsSync(configPath)) {
           return this.loadConfig(configPath, options);
         }
       }
@@ -16362,7 +17275,9 @@ var ConfigManager = class {
   async getDefaultConfig() {
     return {
       version: "1.0",
+      steps: {},
       checks: {},
+      // Keep for backward compatibility
       max_parallelism: 3,
       output: {
         pr_comment: {
@@ -16381,34 +17296,35 @@ var ConfigManager = class {
       const possiblePaths = [];
       if (typeof __dirname !== "undefined") {
         possiblePaths.push(
-          path12.join(__dirname, "defaults", ".visor.yaml"),
-          path12.join(__dirname, "..", "defaults", ".visor.yaml")
+          path15.join(__dirname, "defaults", ".visor.yaml"),
+          path15.join(__dirname, "..", "defaults", ".visor.yaml")
         );
       }
       const pkgRoot = this.findPackageRoot();
       if (pkgRoot) {
-        possiblePaths.push(path12.join(pkgRoot, "defaults", ".visor.yaml"));
+        possiblePaths.push(path15.join(pkgRoot, "defaults", ".visor.yaml"));
       }
       if (process.env.GITHUB_ACTION_PATH) {
         possiblePaths.push(
-          path12.join(process.env.GITHUB_ACTION_PATH, "defaults", ".visor.yaml"),
-          path12.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", ".visor.yaml")
+          path15.join(process.env.GITHUB_ACTION_PATH, "defaults", ".visor.yaml"),
+          path15.join(process.env.GITHUB_ACTION_PATH, "dist", "defaults", ".visor.yaml")
         );
       }
       let bundledConfigPath;
       for (const possiblePath of possiblePaths) {
-        if (fs11.existsSync(possiblePath)) {
+        if (fs13.existsSync(possiblePath)) {
           bundledConfigPath = possiblePath;
           break;
         }
       }
-      if (bundledConfigPath && fs11.existsSync(bundledConfigPath)) {
+      if (bundledConfigPath && fs13.existsSync(bundledConfigPath)) {
         console.error(`\u{1F4E6} Loading bundled default configuration from ${bundledConfigPath}`);
-        const configContent = fs11.readFileSync(bundledConfigPath, "utf8");
-        const parsedConfig = yaml2.load(configContent);
+        const configContent = fs13.readFileSync(bundledConfigPath, "utf8");
+        let parsedConfig = yaml2.load(configContent);
         if (!parsedConfig || typeof parsedConfig !== "object") {
           return null;
         }
+        parsedConfig = this.normalizeStepsAndChecks(parsedConfig);
         this.validateConfig(parsedConfig);
         return this.mergeWithDefaults(parsedConfig);
       }
@@ -16425,21 +17341,35 @@ var ConfigManager = class {
    */
   findPackageRoot() {
     let currentDir = __dirname;
-    while (currentDir !== path12.dirname(currentDir)) {
-      const packageJsonPath = path12.join(currentDir, "package.json");
-      if (fs11.existsSync(packageJsonPath)) {
+    while (currentDir !== path15.dirname(currentDir)) {
+      const packageJsonPath = path15.join(currentDir, "package.json");
+      if (fs13.existsSync(packageJsonPath)) {
         try {
-          const packageJson = JSON.parse(fs11.readFileSync(packageJsonPath, "utf8"));
+          const packageJson = JSON.parse(fs13.readFileSync(packageJsonPath, "utf8"));
           if (packageJson.name === "@probelabs/visor") {
             return currentDir;
           }
         } catch {
         }
       }
-      currentDir = path12.dirname(currentDir);
+      currentDir = path15.dirname(currentDir);
     }
     return null;
   }
+  /**
+   * Normalize 'checks' and 'steps' keys for backward compatibility
+   * Ensures both keys are present and contain the same data
+   */
+  normalizeStepsAndChecks(config) {
+    if (config.steps && config.checks) {
+      config.checks = config.steps;
+    } else if (config.steps && !config.checks) {
+      config.checks = config.steps;
+    } else if (config.checks && !config.steps) {
+      config.steps = config.checks;
+    }
+    return config;
+  }
   /**
    * Merge configuration with CLI options
    */
@@ -16495,13 +17425,15 @@ var ConfigManager = class {
         message: "Missing required field: version"
       });
     }
-    if (!config.checks) {
+    if (!config.checks && !config.steps) {
       errors.push({
-        field: "checks",
-        message: "Missing required field: checks"
+        field: "checks/steps",
+        message: 'Missing required field: either "checks" or "steps" must be defined. "steps" is recommended for new configurations.'
       });
-    } else {
-      for (const [checkName, checkConfig] of Object.entries(config.checks)) {
+    }
+    const checksToValidate = config.checks || config.steps;
+    if (checksToValidate) {
+      for (const [checkName, checkConfig] of Object.entries(checksToValidate)) {
         if (!checkConfig.type) {
           checkConfig.type = "ai";
         }
@@ -16821,7 +17753,7 @@ var ConfigManager = class {
     try {
       if (!__ajvValidate) {
         try {
-          const jsonPath = path12.resolve(__dirname, "generated", "config-schema.json");
+          const jsonPath = path15.resolve(__dirname, "generated", "config-schema.json");
           const jsonSchema = require(jsonPath);
           if (jsonSchema) {
             const ajv = new import_ajv.default({ allErrors: true, allowUnionTypes: true, strict: false });
@@ -17110,6 +18042,9 @@ async function runChecks(opts = {}) {
   }
   const checks = opts.checks && opts.checks.length > 0 ? resolveChecks(opts.checks, config) : Object.keys(config.checks || {});
   const engine = new CheckExecutionEngine(opts.cwd);
+  if (opts.executionContext) {
+    engine.setExecutionContext(opts.executionContext);
+  }
   const result = await engine.executeChecks({
     checks,
     workingDirectory: opts.cwd,