@probelabs/visor 0.1.98 → 0.1.100

package/dist/sdk/{chunk-POYXI3MQ.mjs → chunk-X2JKUOE5.mjs}

@@ -1,7 +1,7 @@
 import {
   init_tracer_init,
   initializeTracer
-} from "./chunk-YXOWIDEF.mjs";
+} from "./chunk-TUTOLSFV.mjs";
 import {
   MemoryStore,
   createExtendedLiquid,
@@ -11,15 +11,16 @@ import {
   logger,
   logger_exports,
   resolveAssociationFromEvent
-} from "./chunk-I3GQJIR7.mjs";
+} from "./chunk-B5QBV2QJ.mjs";
 import {
   addEvent,
   addFailIfTriggered,
   emitNdjsonFallback,
   emitNdjsonSpanWithEvents,
   fallback_ndjson_exports,
-  init_fallback_ndjson
-} from "./chunk-IG3BFIIN.mjs";
+  init_fallback_ndjson,
+  withActiveSpan
+} from "./chunk-FVS5CJ5S.mjs";
 import {
   __esm,
   __export,
@@ -139,7 +140,7 @@ var init_session_registry = __esm({
           });
           if (sourceAgent.debug && checkName) {
             try {
-              const { initializeTracer: initializeTracer2 } = await import("./tracer-init-RJGAIOBP.mjs");
+              const { initializeTracer: initializeTracer2 } = await import("./tracer-init-WC75N5NW.mjs");
               const tracerResult = await initializeTracer2(newSessionId, checkName);
               if (tracerResult) {
                 clonedAgent.tracer = tracerResult.tracer;
@@ -476,7 +477,7 @@ ${content}
    * Sleep utility
    */
   sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+    return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
   /**
    * Group results by specified criteria
@@ -544,7 +545,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs5 = __require("fs");
+    const fs7 = __require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -555,7 +556,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs5.existsSync(candidatePath)) {
+      if (fs7.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -630,6 +631,7 @@ var AIReviewService = class {
       this.config.model = process.env.MODEL_NAME;
     }
   }
+  // NOTE: per request, no additional redaction/encryption helpers are used.
   /**
    * Execute AI review using probe agent
    */
@@ -946,14 +948,12 @@ ${prContext}
     const isIssue = prContextInfo.isIssue === true;
     const isPRContext = prContextInfo.isPRContext === true;
     const includeCodeContext = isPRContext || prContextInfo.includeCodeContext !== false;
-    const log2 = this.config.debug ? console.error : () => {
-    };
     if (isPRContext) {
-      log2("\u{1F50D} Including full code diffs in AI context (PR mode)");
+      log("\u{1F50D} Including full code diffs in AI context (PR mode)");
     } else if (!includeCodeContext) {
-      log2("\u{1F4CA} Including only file summary in AI context (no diffs)");
+      log("\u{1F4CA} Including only file summary in AI context (no diffs)");
     } else {
-      log2("\u{1F50D} Including code diffs in AI context");
+      log("\u{1F50D} Including code diffs in AI context");
     }
     if (isIssue) {
       let context2 = `<issue>
@@ -1201,8 +1201,8 @@ ${schemaString}`);
       }
       if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
         try {
-          const fs5 = __require("fs");
-          const path6 = __require("path");
+          const fs7 = __require("fs");
+          const path9 = __require("path");
           const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
           const provider = this.config.provider || "auto";
           const model = this.config.model || "default";
@@ -1316,20 +1316,20 @@ ${"=".repeat(60)}
 `;
           readableVersion += `${"=".repeat(60)}
 `;
-          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path6.join(process.cwd(), "debug-artifacts");
-          if (!fs5.existsSync(debugArtifactsDir)) {
-            fs5.mkdirSync(debugArtifactsDir, { recursive: true });
+          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path9.join(process.cwd(), "debug-artifacts");
+          if (!fs7.existsSync(debugArtifactsDir)) {
+            fs7.mkdirSync(debugArtifactsDir, { recursive: true });
           }
-          const debugFile = path6.join(
+          const debugFile = path9.join(
             debugArtifactsDir,
             `prompt-${_checkName || "unknown"}-${timestamp}.json`
           );
-          fs5.writeFileSync(debugFile, debugJson, "utf-8");
-          const readableFile = path6.join(
+          fs7.writeFileSync(debugFile, debugJson, "utf-8");
+          const readableFile = path9.join(
             debugArtifactsDir,
             `prompt-${_checkName || "unknown"}-${timestamp}.txt`
           );
-          fs5.writeFileSync(readableFile, readableVersion, "utf-8");
+          fs7.writeFileSync(readableFile, readableVersion, "utf-8");
           log(`
 \u{1F4BE} Full debug info saved to:`);
           log(`   JSON: ${debugFile}`);
@@ -1361,8 +1361,8 @@ ${"=".repeat(60)}
       log(`\u{1F4E4} Response length: ${response.length} characters`);
       if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
         try {
-          const fs5 = __require("fs");
-          const path6 = __require("path");
+          const fs7 = __require("fs");
+          const path9 = __require("path");
           const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
           const agentAny2 = agent;
           let fullHistory = [];
@@ -1373,10 +1373,10 @@ ${"=".repeat(60)}
           } else if (agentAny2._messages) {
             fullHistory = agentAny2._messages;
           }
-          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path6.join(process.cwd(), "debug-artifacts");
-          const sessionFile = path6.join(
+          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path9.join(process.cwd(), "debug-artifacts");
+          const sessionBase = path9.join(
             debugArtifactsDir,
-            `session-${_checkName || "unknown"}-${timestamp}.json`
+            `session-${_checkName || "unknown"}-${timestamp}`
           );
           const sessionData = {
             timestamp,
@@ -1384,15 +1384,9 @@ ${"=".repeat(60)}
             provider: this.config.provider || "auto",
             model: this.config.model || "default",
             schema: effectiveSchema,
-            fullConversationHistory: fullHistory,
-            totalMessages: fullHistory.length,
-            latestResponse: response
+            totalMessages: fullHistory.length
           };
-          fs5.writeFileSync(sessionFile, JSON.stringify(sessionData, null, 2), "utf-8");
-          const sessionTxtFile = path6.join(
-            debugArtifactsDir,
-            `session-${_checkName || "unknown"}-${timestamp}.txt`
-          );
+          fs7.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
           let readable = `=============================================================
 `;
           readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -1409,22 +1403,18 @@ ${"=".repeat(60)}
 
 `;
           fullHistory.forEach((msg, idx) => {
+            const role = msg.role || "unknown";
+            const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
             readable += `
 ${"=".repeat(60)}
+MESSAGE ${idx + 1}/${fullHistory.length}
+Role: ${role}
+${"=".repeat(60)}
 `;
-            readable += `MESSAGE ${idx + 1}/${fullHistory.length}
-`;
-            readable += `Role: ${msg.role || "unknown"}
-`;
-            readable += `${"=".repeat(60)}
-`;
-            const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
             readable += content + "\n";
           });
-          fs5.writeFileSync(sessionTxtFile, readable, "utf-8");
+          fs7.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
           log(`\u{1F4BE} Complete session history saved:`);
-          log(`   JSON: ${sessionFile}`);
-          log(`   TXT:  ${sessionTxtFile}`);
           log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
         } catch (error) {
           log(`\u26A0\uFE0F Could not save complete session history: ${error}`);
@@ -1432,11 +1422,11 @@ ${"=".repeat(60)}
       }
       if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
         try {
-          const fs5 = __require("fs");
-          const path6 = __require("path");
+          const fs7 = __require("fs");
+          const path9 = __require("path");
           const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path6.join(process.cwd(), "debug-artifacts");
-          const responseFile = path6.join(
+          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path9.join(process.cwd(), "debug-artifacts");
+          const responseFile = path9.join(
             debugArtifactsDir,
             `response-${_checkName || "unknown"}-${timestamp}.txt`
           );
@@ -1469,7 +1459,7 @@ ${"=".repeat(60)}
 `;
           responseContent += `${"=".repeat(60)}
 `;
-          fs5.writeFileSync(responseFile, responseContent, "utf-8");
+          fs7.writeFileSync(responseFile, responseContent, "utf-8");
           log(`\u{1F4BE} Response saved to: ${responseFile}`);
         } catch (error) {
           log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -1485,9 +1475,9 @@ ${"=".repeat(60)}
             await agentAny._telemetryConfig.shutdown();
             log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
             if (process.env.GITHUB_ACTIONS) {
-              const fs5 = __require("fs");
-              if (fs5.existsSync(agentAny._traceFilePath)) {
-                const stats = fs5.statSync(agentAny._traceFilePath);
+              const fs7 = __require("fs");
+              if (fs7.existsSync(agentAny._traceFilePath)) {
+                const stats = fs7.statSync(agentAny._traceFilePath);
                 console.log(
                   `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                 );
@@ -1498,12 +1488,14 @@ ${"=".repeat(60)}
             log(`\u{1F4CA} Trace saved to: ${agentAny._traceFilePath}`);
           }
         } catch (exportError) {
-          console.error("\u26A0\uFE0F  Warning: Failed to export trace for cloned session:", exportError);
+          logger.warn(`\u26A0\uFE0F  Warning: Failed to export trace for cloned session: ${exportError}`);
         }
       }
       return { response, effectiveSchema };
     } catch (error) {
-      console.error("\u274C ProbeAgent session reuse failed:", error);
+      logger.error(
+        `\u274C ProbeAgent session reuse failed: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
       throw new Error(
         `ProbeAgent session reuse failed: ${error instanceof Error ? error.message : "Unknown error"}`
       );
@@ -1607,8 +1599,8 @@ ${schemaString}`);
       const model = this.config.model || "default";
       if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
         try {
-          const fs5 = __require("fs");
-          const path6 = __require("path");
+          const fs7 = __require("fs");
+          const path9 = __require("path");
           const os = __require("os");
           const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
           const debugData = {
@@ -1682,30 +1674,20 @@ ${"=".repeat(60)}
           readableVersion += `${"=".repeat(60)}
 `;
           const tempDir = os.tmpdir();
-          const promptFile = path6.join(tempDir, `visor-prompt-${timestamp}.txt`);
-          fs5.writeFileSync(promptFile, prompt, "utf-8");
+          const promptFile = path9.join(tempDir, `visor-prompt-${timestamp}.txt`);
+          fs7.writeFileSync(promptFile, prompt, "utf-8");
           log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path6.join(process.cwd(), "debug-artifacts");
+          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path9.join(process.cwd(), "debug-artifacts");
           try {
-            if (!fs5.existsSync(debugArtifactsDir)) {
-              fs5.mkdirSync(debugArtifactsDir, { recursive: true });
-            }
-            const debugFile = path6.join(
-              debugArtifactsDir,
-              `prompt-${_checkName || "unknown"}-${timestamp}.json`
-            );
-            fs5.writeFileSync(debugFile, debugJson, "utf-8");
-            const readableFile = path6.join(
+            const base = path9.join(
               debugArtifactsDir,
-              `prompt-${_checkName || "unknown"}-${timestamp}.txt`
+              `prompt-${_checkName || "unknown"}-${timestamp}`
             );
-            fs5.writeFileSync(readableFile, readableVersion, "utf-8");
+            fs7.writeFileSync(base + ".json", debugJson, "utf-8");
+            fs7.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
             log(`
-\u{1F4BE} Full debug info saved to:`);
-            log(`   JSON: ${debugFile}`);
-            log(`   TXT:  ${readableFile}`);
-            log(`   - Includes: prompt, schema, provider, model, and schema options`);
+\u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
           } catch {
           }
           log(`
@@ -1748,8 +1730,8 @@ $ ${cliCommand}
       log(`\u{1F4E4} Response length: ${response.length} characters`);
       if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
         try {
-          const fs5 = __require("fs");
-          const path6 = __require("path");
+          const fs7 = __require("fs");
+          const path9 = __require("path");
           const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
           const agentAny = agent;
           let fullHistory = [];
@@ -1760,10 +1742,10 @@ $ ${cliCommand}
           } else if (agentAny._messages) {
             fullHistory = agentAny._messages;
           }
-          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path6.join(process.cwd(), "debug-artifacts");
-          const sessionFile = path6.join(
+          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path9.join(process.cwd(), "debug-artifacts");
+          const sessionBase = path9.join(
             debugArtifactsDir,
-            `session-${_checkName || "unknown"}-${timestamp}.json`
+            `session-${_checkName || "unknown"}-${timestamp}`
           );
           const sessionData = {
             timestamp,
@@ -1771,15 +1753,9 @@ $ ${cliCommand}
             provider: this.config.provider || "auto",
             model: this.config.model || "default",
             schema: effectiveSchema,
-            fullConversationHistory: fullHistory,
-            totalMessages: fullHistory.length,
-            latestResponse: response
+            totalMessages: fullHistory.length
           };
-          fs5.writeFileSync(sessionFile, JSON.stringify(sessionData, null, 2), "utf-8");
-          const sessionTxtFile = path6.join(
-            debugArtifactsDir,
-            `session-${_checkName || "unknown"}-${timestamp}.txt`
-          );
+          fs7.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
           let readable = `=============================================================
 `;
           readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -1796,22 +1772,18 @@ $ ${cliCommand}
 
 `;
           fullHistory.forEach((msg, idx) => {
+            const role = msg.role || "unknown";
+            const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
             readable += `
 ${"=".repeat(60)}
+MESSAGE ${idx + 1}/${fullHistory.length}
+Role: ${role}
+${"=".repeat(60)}
 `;
-            readable += `MESSAGE ${idx + 1}/${fullHistory.length}
-`;
-            readable += `Role: ${msg.role || "unknown"}
-`;
-            readable += `${"=".repeat(60)}
-`;
-            const content = typeof msg.content === "string" ? msg.content : JSON.stringify(msg.content, null, 2);
             readable += content + "\n";
           });
-          fs5.writeFileSync(sessionTxtFile, readable, "utf-8");
+          fs7.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
           log(`\u{1F4BE} Complete session history saved:`);
-          log(`   JSON: ${sessionFile}`);
-          log(`   TXT:  ${sessionTxtFile}`);
           log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
         } catch (error) {
           log(`\u26A0\uFE0F Could not save complete session history: ${error}`);
@@ -1819,11 +1791,11 @@ ${"=".repeat(60)}
       }
       if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
         try {
-          const fs5 = __require("fs");
-          const path6 = __require("path");
+          const fs7 = __require("fs");
+          const path9 = __require("path");
           const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path6.join(process.cwd(), "debug-artifacts");
-          const responseFile = path6.join(
+          const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path9.join(process.cwd(), "debug-artifacts");
+          const responseFile = path9.join(
             debugArtifactsDir,
             `response-${_checkName || "unknown"}-${timestamp}.txt`
           );
@@ -1856,7 +1828,7 @@ ${"=".repeat(60)}
 `;
           responseContent += `${"=".repeat(60)}
 `;
-          fs5.writeFileSync(responseFile, responseContent, "utf-8");
+          fs7.writeFileSync(responseFile, responseContent, "utf-8");
           log(`\u{1F4BE} Response saved to: ${responseFile}`);
         } catch (error) {
           log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -1874,9 +1846,9 @@ ${"=".repeat(60)}
             await telemetry.shutdown();
             log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
             if (process.env.GITHUB_ACTIONS) {
-              const fs5 = __require("fs");
-              if (fs5.existsSync(traceFilePath)) {
-                const stats = fs5.statSync(traceFilePath);
+              const fs7 = __require("fs");
+              if (fs7.existsSync(traceFilePath)) {
+                const stats = fs7.statSync(traceFilePath);
                 console.log(
                   `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                 );
@@ -1887,7 +1859,7 @@ ${"=".repeat(60)}
             log(`\u{1F4CA} Trace saved to: ${traceFilePath}`);
           }
         } catch (exportError) {
-          console.error("\u26A0\uFE0F  Warning: Failed to export trace:", exportError);
+          logger.warn(`\u26A0\uFE0F  Warning: Failed to export trace: ${exportError}`);
         }
       }
       if (_checkName) {
@@ -1914,8 +1886,8 @@ ${"=".repeat(60)}
    * Load schema content from schema files or inline definitions
    */
   async loadSchemaContent(schema) {
-    const fs5 = __require("fs").promises;
-    const path6 = __require("path");
+    const fs7 = __require("fs").promises;
+    const path9 = __require("path");
     if (typeof schema === "object" && schema !== null) {
       log("\u{1F4CB} Using inline schema object from configuration");
       return JSON.stringify(schema);
@@ -1928,14 +1900,14 @@ ${"=".repeat(60)}
       }
     } catch {
     }
-    if ((schema.startsWith("./") || schema.includes(".json")) && !path6.isAbsolute(schema)) {
+    if ((schema.startsWith("./") || schema.includes(".json")) && !path9.isAbsolute(schema)) {
       if (schema.includes("..") || schema.includes("\0")) {
         throw new Error("Invalid schema path: path traversal not allowed");
       }
       try {
-        const schemaPath2 = path6.resolve(process.cwd(), schema);
+        const schemaPath2 = path9.resolve(process.cwd(), schema);
         log(`\u{1F4CB} Loading custom schema from file: ${schemaPath2}`);
-        const schemaContent = await fs5.readFile(schemaPath2, "utf-8");
+        const schemaContent = await fs7.readFile(schemaPath2, "utf-8");
         return schemaContent.trim();
       } catch (error) {
         throw new Error(
@@ -1947,9 +1919,9 @@ ${"=".repeat(60)}
     if (!sanitizedSchemaName || sanitizedSchemaName !== schema) {
       throw new Error("Invalid schema name");
     }
-    const schemaPath = path6.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+    const schemaPath = path9.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
     try {
-      const schemaContent = await fs5.readFile(schemaPath, "utf-8");
+      const schemaContent = await fs7.readFile(schemaPath, "utf-8");
       return schemaContent.trim();
     } catch (error) {
       throw new Error(
@@ -2059,6 +2031,25 @@ ${"=".repeat(60)}
         }
       }
       const isCustomSchema = _schema === "custom" || _schema && (_schema.startsWith("./") || _schema.endsWith(".json")) || _schema && _schema !== "code-review" && !_schema.includes("output/");
+      const _debugSchemaLogging = this.config.debug === true || process.env.VISOR_DEBUG_AI_SESSIONS === "true";
+      if (_debugSchemaLogging) {
+        const details = {
+          schema: _schema,
+          isCustomSchema,
+          isCustomLiteral: _schema === "custom",
+          startsWithDotSlash: typeof _schema === "string" ? _schema.startsWith("./") : false,
+          endsWithJson: typeof _schema === "string" ? _schema.endsWith(".json") : false,
+          notCodeReview: _schema !== "code-review",
+          noOutputPrefix: typeof _schema === "string" ? !_schema.includes("output/") : false
+        };
+        try {
+          log(`\u{1F50D} Schema detection: ${JSON.stringify(details)}`);
+        } catch {
+          log(
+            `\u{1F50D} Schema detection: _schema="${String(_schema)}", isCustomSchema=${isCustomSchema}`
+          );
+        }
+      }
       if (isCustomSchema) {
         log("\u{1F4CB} Custom schema detected - preserving all fields from parsed JSON");
         log(`\u{1F4CA} Schema: ${_schema}`);
@@ -2104,33 +2095,39 @@ ${"=".repeat(60)}
       log("\u2705 Successfully created ReviewSummary");
       return result;
     } catch (error) {
-      console.error("\u274C Failed to parse AI response:", error);
-      console.error("\u{1F4C4} FULL RAW RESPONSE:");
-      console.error("=".repeat(80));
-      console.error(response);
-      console.error("=".repeat(80));
-      console.error(`\u{1F4CF} Response length: ${response.length} characters`);
-      if (error instanceof SyntaxError) {
-        console.error("\u{1F50D} JSON parsing error - the response may not be valid JSON");
-        console.error("\u{1F50D} Error details:", error.message);
-        const errorMatch = error.message.match(/position (\d+)/);
-        if (errorMatch) {
-          const position = parseInt(errorMatch[1]);
-          console.error(`\u{1F50D} Error at position ${position}:`);
-          const start = Math.max(0, position - 50);
-          const end = Math.min(response.length, position + 50);
-          console.error(`\u{1F50D} Context: "${response.substring(start, end)}"`);
-          console.error(`\u{1F50D} Response beginning: "${response.substring(0, 100)}"`);
-        }
-        if (response.includes("I cannot")) {
-          console.error("\u{1F50D} Response appears to be a refusal/explanation rather than JSON");
-        }
-        if (response.includes("```")) {
-          console.error("\u{1F50D} Response appears to contain markdown code blocks");
-        }
-        if (response.startsWith("<")) {
-          console.error("\u{1F50D} Response appears to start with XML/HTML");
+      const detailed = this.config.debug === true || process.env.VISOR_DEBUG_AI_SESSIONS === "true";
+      const message = error instanceof Error ? error.message : String(error);
+      if (detailed) {
+        logger.debug(`\u274C Failed to parse AI response: ${message}`);
+        logger.debug("\u{1F4C4} FULL RAW RESPONSE:");
+        logger.debug("=".repeat(80));
+        logger.debug(response);
+        logger.debug("=".repeat(80));
+        logger.debug(`\u{1F4CF} Response length: ${response.length} characters`);
+        if (error instanceof SyntaxError) {
+          logger.debug("\u{1F50D} JSON parsing error - the response may not be valid JSON");
+          logger.debug(`\u{1F50D} Error details: ${error.message}`);
+          const errorMatch = error.message.match(/position (\d+)/);
+          if (errorMatch) {
+            const position = parseInt(errorMatch[1]);
+            logger.debug(`\u{1F50D} Error at position ${position}:`);
+            const start = Math.max(0, position - 50);
+            const end = Math.min(response.length, position + 50);
+            logger.debug(`\u{1F50D} Context: "${response.substring(start, end)}"`);
+            logger.debug(`\u{1F50D} Response beginning: "${response.substring(0, 100)}"`);
+          }
+          if (response.includes("I cannot")) {
+            logger.debug("\u{1F50D} Response appears to be a refusal/explanation rather than JSON");
+          }
+          if (response.includes("```")) {
+            logger.debug("\u{1F50D} Response appears to contain markdown code blocks");
+          }
+          if (response.startsWith("<")) {
+            logger.debug("\u{1F50D} Response appears to start with XML/HTML");
+          }
         }
+      } else {
+        logger.error(`\u274C Failed to parse AI response: ${message}`);
       }
       throw new Error(
         `Invalid AI response format: ${error instanceof Error ? error.message : "Unknown error"}`
@@ -2195,7 +2192,7 @@ ${"=".repeat(60)}
    * Generate mock response for testing
    */
   async generateMockResponse(_prompt) {
-    await new Promise((resolve) => setTimeout(resolve, 500));
+    await new Promise((resolve4) => setTimeout(resolve4, 500));
     const mockResponse = {
       content: JSON.stringify({
         issues: [
@@ -2277,7 +2274,7 @@ var PRReviewer = class {
   async reviewPR(owner, repo, prNumber, prInfo, options = {}) {
     const { debug = false, config, checks } = options;
     if (config && checks && checks.length > 0) {
-      const { CheckExecutionEngine: CheckExecutionEngine2 } = await import("./check-execution-engine-W5FLIWZL.mjs");
+      const { CheckExecutionEngine: CheckExecutionEngine2 } = await import("./check-execution-engine-F3662LY7.mjs");
       const engine = new CheckExecutionEngine2();
       const { results } = await engine.executeGroupedChecks(
         prInfo,
@@ -2308,15 +2305,15 @@ var PRReviewer = class {
         if (["code-review", "overview", "plain", "text"].includes(schema)) {
           return true;
         }
-        const fs5 = __require("fs").promises;
-        const path6 = __require("path");
+        const fs7 = __require("fs").promises;
+        const path9 = __require("path");
         const sanitizedSchemaName = schema.replace(/[^a-zA-Z0-9-]/g, "");
         if (!sanitizedSchemaName || sanitizedSchemaName !== schema) {
           return false;
         }
-        const schemaPath = path6.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const schemaPath = path9.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         try {
-          const schemaContent = await fs5.readFile(schemaPath, "utf-8");
+          const schemaContent = await fs7.readFile(schemaPath, "utf-8");
           const schemaObj = JSON.parse(schemaContent);
           const properties = schemaObj.properties;
           return !!(properties && "text" in properties);
@@ -2382,16 +2379,16 @@ var PRReviewer = class {
     }
   }
   async formatGroupComment(checkResults, _options, _githubContext) {
-    const normalize = (s) => s.replace(/\\n/g, "\n");
+    const normalize2 = (s) => s.replace(/\\n/g, "\n");
     const checkContents = checkResults.map((result) => {
       const trimmed = result.content?.trim();
-      if (trimmed) return normalize(trimmed);
+      if (trimmed) return normalize2(trimmed);
       const out = result.output;
       if (out) {
-        if (typeof out === "string" && out.trim()) return normalize(out.trim());
+        if (typeof out === "string" && out.trim()) return normalize2(out.trim());
         if (typeof out === "object") {
           const txt = out.text || out.response || out.message;
-          if (typeof txt === "string" && txt.trim()) return normalize(txt.trim());
+          if (typeof txt === "string" && txt.trim()) return normalize2(txt.trim());
         }
       }
       return "";
@@ -2487,15 +2484,15 @@ var PRReviewer = class {
   }
   saveDebugArtifact(debug) {
     try {
-      const fs5 = __require("fs");
-      const path6 = __require("path");
-      const debugDir = path6.join(process.cwd(), "debug-artifacts");
-      if (!fs5.existsSync(debugDir)) {
-        fs5.mkdirSync(debugDir, { recursive: true });
+      const fs7 = __require("fs");
+      const path9 = __require("path");
+      const debugDir = path9.join(process.cwd(), "debug-artifacts");
+      if (!fs7.existsSync(debugDir)) {
+        fs7.mkdirSync(debugDir, { recursive: true });
       }
       const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
       const filename = `visor-debug-${timestamp}.md`;
-      const filepath = path6.join(debugDir, filename);
+      const filepath = path9.join(debugDir, filename);
       const content = [
         `# Visor Debug Information`,
         ``,
@@ -2516,7 +2513,7 @@ var PRReviewer = class {
         debug.rawResponse,
         "```"
       ].join("\n");
-      fs5.writeFileSync(filepath, content, "utf8");
+      fs7.writeFileSync(filepath, content, "utf8");
       return filename;
     } catch (error) {
       console.error("Failed to save debug artifact:", error);
@@ -2527,15 +2524,90 @@ var PRReviewer = class {
 
 // src/git-repository-analyzer.ts
 import { simpleGit } from "simple-git";
-import * as path2 from "path";
+import * as path3 from "path";
+import * as fs2 from "fs";
+
+// src/utils/file-exclusion.ts
+import ignore from "ignore";
 import * as fs from "fs";
+import * as path2 from "path";
+var DEFAULT_EXCLUSION_PATTERNS = [
+  "dist/",
+  "build/",
+  ".next/",
+  "out/",
+  "node_modules/",
+  "coverage/",
+  ".turbo/",
+  "bundled/"
+];
+var FileExclusionHelper = class {
+  gitignore = null;
+  workingDirectory;
+  /**
+   * @param workingDirectory - Directory to search for .gitignore
+   * @param additionalPatterns - Additional patterns to include (optional, defaults to common build artifacts)
+   */
+  constructor(workingDirectory = process.cwd(), additionalPatterns = DEFAULT_EXCLUSION_PATTERNS) {
+    const normalizedPath = path2.resolve(workingDirectory);
+    if (normalizedPath.includes("\0")) {
+      throw new Error("Invalid workingDirectory: contains null bytes");
+    }
+    this.workingDirectory = normalizedPath;
+    this.loadGitignore(additionalPatterns);
+  }
+  /**
+   * Load .gitignore patterns from the working directory (called once in constructor)
+   * @param additionalPatterns - Additional patterns to add to gitignore rules
+   */
+  loadGitignore(additionalPatterns) {
+    const gitignorePath = path2.resolve(this.workingDirectory, ".gitignore");
+    const resolvedWorkingDir = path2.resolve(this.workingDirectory);
+    try {
+      const relativePath = path2.relative(resolvedWorkingDir, gitignorePath);
+      if (relativePath.startsWith("..") || path2.isAbsolute(relativePath)) {
+        throw new Error("Invalid gitignore path: path traversal detected");
+      }
+      if (relativePath !== ".gitignore") {
+        throw new Error("Invalid gitignore path: must be .gitignore in working directory");
+      }
+      this.gitignore = ignore();
+      if (additionalPatterns && additionalPatterns.length > 0) {
+        this.gitignore.add(additionalPatterns);
+      }
+      if (fs.existsSync(gitignorePath)) {
+        const rawContent = fs.readFileSync(gitignorePath, "utf8");
+        const gitignoreContent = rawContent.replace(/[\r\n]+/g, "\n").replace(/[\x00-\x09\x0B-\x1F\x7F]/g, "").split("\n").filter((line) => line.length < 1e3).join("\n").trim();
+        this.gitignore.add(gitignoreContent);
+        console.error("\u2705 Loaded .gitignore patterns for file filtering");
+      } else if (additionalPatterns && additionalPatterns.length > 0) {
+        console.error("\u26A0\uFE0F  No .gitignore found, using default exclusion patterns");
+      }
+    } catch (error) {
+      console.warn("\u26A0\uFE0F Failed to load .gitignore:", error instanceof Error ? error.message : error);
+    }
+  }
+  /**
+   * Check if a file should be excluded based on .gitignore patterns
+   */
+  shouldExcludeFile(filename) {
+    if (this.gitignore) {
+      return this.gitignore.ignores(filename);
+    }
+    return false;
+  }
+};
+
+// src/git-repository-analyzer.ts
 var MAX_PATCH_SIZE = 50 * 1024;
 var GitRepositoryAnalyzer = class {
   git;
   cwd;
+  fileExclusionHelper;
   constructor(workingDirectory = process.cwd()) {
     this.cwd = workingDirectory;
     this.git = simpleGit(workingDirectory);
+    this.fileExclusionHelper = new FileExclusionHelper(workingDirectory);
   }
   /**
    * Analyze the current git repository state and return data compatible with PRInfo interface
@@ -2670,34 +2742,6 @@ ${file.patch}`).join("\n\n");
       return "main";
     }
   }
-  /**
-   * Check if a file should be excluded from analysis
-   * This includes:
-   * - Files in .gitignore (even if force-added)
-   * - Built/generated files (dist/, build/, .next/, etc.)
-   */
-  async shouldExcludeFile(filename) {
-    const excludePatterns = [
-      /^dist\//,
-      /^build\//,
-      /^\.next\//,
-      /^out\//,
-      /^node_modules\//,
-      /^coverage\//,
-      /^\.turbo\//
-    ];
-    for (const pattern of excludePatterns) {
-      if (pattern.test(filename)) {
-        return true;
-      }
-    }
-    try {
-      const result = await this.git.raw(["check-ignore", filename]);
-      return result.trim().length > 0;
-    } catch {
-      return false;
-    }
-  }
   /**
    * Truncate a patch if it exceeds MAX_PATCH_SIZE
    */
@@ -2738,11 +2782,11 @@ ${file.patch}`).join("\n\n");
         }))
       ];
       for (const { file, status: status2 } of fileChanges) {
-        if (await this.shouldExcludeFile(file)) {
+        if (this.fileExclusionHelper.shouldExcludeFile(file)) {
           console.error(`\u23ED\uFE0F  Skipping excluded file: ${file}`);
           continue;
         }
-        const filePath = path2.join(this.cwd, file);
+        const filePath = path3.join(this.cwd, file);
         const fileChange = await this.analyzeFileChange(file, status2, filePath, includeContext);
         changes.push(fileChange);
       }
@@ -2763,7 +2807,7 @@ ${file.patch}`).join("\n\n");
         return [];
       }
       for (const file of diffSummary.files) {
-        if (await this.shouldExcludeFile(file.file)) {
+        if (this.fileExclusionHelper.shouldExcludeFile(file.file)) {
           console.error(`\u23ED\uFE0F  Skipping excluded file: ${file.file}`);
           continue;
         }
@@ -2818,7 +2862,7 @@ ${file.patch}`).join("\n\n");
     let content;
     let truncated = false;
     try {
-      if (includeContext && status !== "added" && fs.existsSync(filePath)) {
+      if (includeContext && status !== "added" && fs2.existsSync(filePath)) {
         const diff = await this.git.diff(["--", filename]).catch(() => "");
         if (diff) {
           const result = this.truncatePatch(diff, filename);
@@ -2828,7 +2872,7 @@ ${file.patch}`).join("\n\n");
           additions = lines.filter((line) => line.startsWith("+")).length;
           deletions = lines.filter((line) => line.startsWith("-")).length;
         }
-      } else if (status !== "added" && fs.existsSync(filePath)) {
+      } else if (status !== "added" && fs2.existsSync(filePath)) {
         const diff = await this.git.diff(["--", filename]).catch(() => "");
         if (diff) {
           const lines = diff.split("\n");
@@ -2836,17 +2880,17 @@ ${file.patch}`).join("\n\n");
           deletions = lines.filter((line) => line.startsWith("-")).length;
         }
       }
-      if (status === "added" && fs.existsSync(filePath)) {
+      if (status === "added" && fs2.existsSync(filePath)) {
         try {
-          const stats = fs.statSync(filePath);
+          const stats = fs2.statSync(filePath);
           if (stats.isFile() && stats.size < 1024 * 1024) {
             if (includeContext) {
-              content = fs.readFileSync(filePath, "utf8");
+              content = fs2.readFileSync(filePath, "utf8");
               const result = this.truncatePatch(content, filename);
               patch = result.patch;
               truncated = result.truncated;
             }
-            const fileContent = includeContext ? content : fs.readFileSync(filePath, "utf8");
+            const fileContent = includeContext ? content : fs2.readFileSync(filePath, "utf8");
             additions = fileContent.split("\n").length;
           }
         } catch {
@@ -2929,11 +2973,14 @@ ${file.patch}`).join("\n\n");
 };
 
 // src/pr-analyzer.ts
+import * as path4 from "path";
 var PRAnalyzer = class {
-  constructor(octokit, maxRetries = 3) {
+  constructor(octokit, maxRetries = 3, workingDirectory = path4.resolve(process.cwd())) {
     this.octokit = octokit;
     this.maxRetries = maxRetries;
+    this.fileExclusionHelper = new FileExclusionHelper(workingDirectory);
   }
+  fileExclusionHelper;
   /**
    * Fetch commit diff for incremental analysis
    */
@@ -2989,14 +3036,25 @@ ${file.patch}`).join("\n\n");
     const authorAssociation = pr.author_association && typeof pr.author_association === "string" ? pr.author_association : void 0;
     const base = pr.base && typeof pr.base === "object" && pr.base.ref ? typeof pr.base.ref === "string" ? pr.base.ref : String(pr.base.ref) : "main";
     const head = pr.head && typeof pr.head === "object" && pr.head.ref ? typeof pr.head.ref === "string" ? pr.head.ref : String(pr.head.ref) : "feature";
-    const validFiles = files ? files.filter((file) => file && typeof file === "object" && file.filename).map((file) => ({
+    let skippedCount = 0;
+    const validFiles = files ? files.filter((file) => file && typeof file === "object" && file.filename).filter((file) => {
+      const filename = typeof file.filename === "string" ? file.filename : String(file.filename || "unknown");
+      if (!filename || this.fileExclusionHelper.shouldExcludeFile(filename)) {
+        skippedCount++;
+        return false;
+      }
+      return true;
+    }).map((file) => ({
       filename: typeof file.filename === "string" ? file.filename : String(file.filename || "unknown"),
       additions: typeof file.additions === "number" ? Math.max(0, file.additions) : 0,
       deletions: typeof file.deletions === "number" ? Math.max(0, file.deletions) : 0,
       changes: typeof file.changes === "number" ? Math.max(0, file.changes) : 0,
       patch: typeof file.patch === "string" ? file.patch : void 0,
       status: ["added", "removed", "modified", "renamed"].includes(file.status) ? file.status : "modified"
-    })).filter((file) => file.filename.length > 0) : [];
+    })) : [];
+    if (skippedCount > 0) {
+      console.log(`\u23ED\uFE0F  Skipped ${skippedCount} excluded file(s)`);
+    }
     const prInfo = {
       number: typeof pr.number === "number" ? pr.number : parseInt(String(pr.number || 1), 10),
       title,
@@ -3075,7 +3133,7 @@ ${file.patch}`).join("\n\n");
         }
         if (this.isRetryableError(error)) {
           const delay = Math.min(1e3 * Math.pow(2, attempt), 5e3);
-          await new Promise((resolve) => setTimeout(resolve, delay));
+          await new Promise((resolve4) => setTimeout(resolve4, delay));
         } else {
           throw error;
         }
@@ -3202,8 +3260,8 @@ var EnvironmentResolver = class {
 };
 
 // src/issue-filter.ts
-import * as fs2 from "fs";
-import * as path3 from "path";
+import * as fs3 from "fs";
+import * as path5 from "path";
 var IssueFilter = class {
   fileCache = /* @__PURE__ */ new Map();
   suppressionEnabled;
@@ -3271,17 +3329,17 @@ var IssueFilter = class {
       return this.fileCache.get(filePath);
     }
     try {
-      const resolvedPath = path3.isAbsolute(filePath) ? filePath : path3.join(workingDir, filePath);
-      if (!fs2.existsSync(resolvedPath)) {
-        if (fs2.existsSync(filePath)) {
-          const content2 = fs2.readFileSync(filePath, "utf8");
+      const resolvedPath = path5.isAbsolute(filePath) ? filePath : path5.join(workingDir, filePath);
+      if (!fs3.existsSync(resolvedPath)) {
+        if (fs3.existsSync(filePath)) {
+          const content2 = fs3.readFileSync(filePath, "utf8");
           const lines2 = content2.split("\n");
           this.fileCache.set(filePath, lines2);
           return lines2;
         }
         return null;
       }
-      const content = fs2.readFileSync(resolvedPath, "utf8");
+      const content = fs3.readFileSync(resolvedPath, "utf8");
       const lines = content.split("\n");
       this.fileCache.set(filePath, lines);
       return lines;
@@ -3298,8 +3356,135 @@ var IssueFilter = class {
 };
 
 // src/providers/ai-check-provider.ts
-import fs3 from "fs/promises";
-import path4 from "path";
+import fs4 from "fs/promises";
+import path6 from "path";
+import { trace, context as otContext } from "@opentelemetry/api";
+
+// src/telemetry/state-capture.ts
+var MAX_ATTRIBUTE_LENGTH = 1e4;
+var MAX_ARRAY_ITEMS = 100;
+function safeSerialize(value, maxLength = MAX_ATTRIBUTE_LENGTH) {
+  try {
+    if (value === void 0 || value === null) return String(value);
+    const seen = /* @__PURE__ */ new WeakSet();
+    const json = JSON.stringify(value, (key, val) => {
+      if (typeof val === "object" && val !== null) {
+        if (seen.has(val)) return "[Circular]";
+        seen.add(val);
+      }
+      if (typeof val === "string" && val.length > maxLength) {
+        return val.substring(0, maxLength) + "...[truncated]";
+      }
+      return val;
+    });
+    if (json.length > maxLength) {
+      return json.substring(0, maxLength) + "...[truncated]";
+    }
+    return json;
+  } catch (err) {
+    return `[Error serializing: ${err instanceof Error ? err.message : String(err)}]`;
+  }
+}
+function captureCheckInputContext(span, context) {
+  try {
+    const keys = Object.keys(context);
+    span.setAttribute("visor.check.input.keys", keys.join(","));
+    span.setAttribute("visor.check.input.count", keys.length);
+    span.setAttribute("visor.check.input.context", safeSerialize(context));
+    if (context.pr) {
+      span.setAttribute("visor.check.input.pr", safeSerialize(context.pr, 1e3));
+    }
+    if (context.outputs) {
+      span.setAttribute("visor.check.input.outputs", safeSerialize(context.outputs, 5e3));
+    }
+    if (context.env) {
+      span.setAttribute("visor.check.input.env_keys", Object.keys(context.env).join(","));
+    }
+  } catch (err) {
+    try {
+      span.setAttribute("visor.check.input.error", String(err));
+    } catch {
+    }
+  }
+}
+function captureCheckOutput(span, output) {
+  try {
+    span.setAttribute("visor.check.output.type", typeof output);
+    if (Array.isArray(output)) {
+      span.setAttribute("visor.check.output.length", output.length);
+      const preview = output.slice(0, 10);
+      span.setAttribute("visor.check.output.preview", safeSerialize(preview, 2e3));
+    }
+    span.setAttribute("visor.check.output", safeSerialize(output));
+  } catch (err) {
+    try {
+      span.setAttribute("visor.check.output.error", String(err));
+    } catch {
+    }
+  }
+}
+function captureForEachState(span, items, index, currentItem) {
+  try {
+    span.setAttribute("visor.foreach.total", items.length);
+    span.setAttribute("visor.foreach.index", index);
+    span.setAttribute("visor.foreach.current_item", safeSerialize(currentItem, 500));
+    if (items.length <= MAX_ARRAY_ITEMS) {
+      span.setAttribute("visor.foreach.items", safeSerialize(items));
+    } else {
+      span.setAttribute(
+        "visor.foreach.items.preview",
+        safeSerialize(items.slice(0, MAX_ARRAY_ITEMS))
+      );
+      span.setAttribute("visor.foreach.items.truncated", true);
+    }
+  } catch (err) {
+    span.setAttribute("visor.foreach.error", String(err));
+  }
+}
+function captureTransformJS(span, code, input, output) {
+  try {
+    const codePreview = code.length > 2e3 ? code.substring(0, 2e3) + "...[truncated]" : code;
+    span.setAttribute("visor.transform.code", codePreview);
+    span.setAttribute("visor.transform.code.length", code.length);
+    span.setAttribute("visor.transform.input", safeSerialize(input, 2e3));
+    span.setAttribute("visor.transform.output", safeSerialize(output, 2e3));
+  } catch (err) {
+    span.setAttribute("visor.transform.error", String(err));
+  }
+}
+function captureProviderCall(span, providerType, request, response) {
+  try {
+    span.setAttribute("visor.provider.type", providerType);
+    if (request.model) span.setAttribute("visor.provider.request.model", String(request.model));
+    if (request.prompt) {
+      span.setAttribute("visor.provider.request.prompt.length", request.prompt.length);
+      span.setAttribute("visor.provider.request.prompt.preview", request.prompt.substring(0, 500));
+    }
+    if (response.content) {
+      span.setAttribute("visor.provider.response.length", response.content.length);
+      span.setAttribute("visor.provider.response.preview", response.content.substring(0, 500));
+    }
+    if (response.tokens) {
+      span.setAttribute("visor.provider.response.tokens", response.tokens);
+    }
+  } catch (err) {
+    span.setAttribute("visor.provider.error", String(err));
+  }
+}
+function captureStateSnapshot(span, checkId, outputs, memory) {
+  try {
+    span.addEvent("state.snapshot", {
+      "visor.snapshot.check_id": checkId,
+      "visor.snapshot.outputs": safeSerialize(outputs, 5e3),
+      "visor.snapshot.memory": safeSerialize(memory, 5e3),
+      "visor.snapshot.timestamp": (/* @__PURE__ */ new Date()).toISOString()
+    });
+  } catch (err) {
+    span.setAttribute("visor.snapshot.error", String(err));
+  }
+}
+
+// src/providers/ai-check-provider.ts
 var AICheckProvider = class extends CheckProvider {
   aiReviewService;
   liquidEngine;
@@ -3416,7 +3601,7 @@ var AICheckProvider = class extends CheckProvider {
     const hasFileExtension = /\.[a-zA-Z0-9]{1,10}$/i.test(str);
     const hasPathSeparators = /[\/\\]/.test(str);
     const isRelativePath = /^\.{1,2}\//.test(str);
-    const isAbsolutePath = path4.isAbsolute(str);
+    const isAbsolutePath = path6.isAbsolute(str);
     const hasTypicalFileChars = /^[a-zA-Z0-9._\-\/\\:~]+$/.test(str);
     if (!(hasFileExtension || isRelativePath || isAbsolutePath || hasPathSeparators)) {
       return false;
@@ -3426,14 +3611,14 @@ var AICheckProvider = class extends CheckProvider {
     }
     try {
       let resolvedPath;
-      if (path4.isAbsolute(str)) {
-        resolvedPath = path4.normalize(str);
+      if (path6.isAbsolute(str)) {
+        resolvedPath = path6.normalize(str);
       } else {
-        resolvedPath = path4.resolve(process.cwd(), str);
+        resolvedPath = path6.resolve(process.cwd(), str);
       }
-      const fs5 = __require("fs").promises;
+      const fs7 = __require("fs").promises;
       try {
-        const stat = await fs5.stat(resolvedPath);
+        const stat = await fs7.stat(resolvedPath);
         return stat.isFile();
       } catch {
         return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -3450,14 +3635,14 @@ var AICheckProvider = class extends CheckProvider {
       throw new Error("Prompt file must have .liquid extension");
     }
     let resolvedPath;
-    if (path4.isAbsolute(promptPath)) {
+    if (path6.isAbsolute(promptPath)) {
       resolvedPath = promptPath;
     } else {
-      resolvedPath = path4.resolve(process.cwd(), promptPath);
+      resolvedPath = path6.resolve(process.cwd(), promptPath);
     }
-    if (!path4.isAbsolute(promptPath)) {
-      const normalizedPath = path4.normalize(resolvedPath);
-      const currentDir = path4.resolve(process.cwd());
+    if (!path6.isAbsolute(promptPath)) {
+      const normalizedPath = path6.normalize(resolvedPath);
+      const currentDir = path6.resolve(process.cwd());
       if (!normalizedPath.startsWith(currentDir)) {
         throw new Error("Invalid prompt file path: path traversal detected");
       }
@@ -3466,7 +3651,7 @@ var AICheckProvider = class extends CheckProvider {
       throw new Error("Invalid prompt file path: path traversal detected");
     }
     try {
-      const promptContent = await fs3.readFile(resolvedPath, "utf-8");
+      const promptContent = await fs4.readFile(resolvedPath, "utf-8");
       return promptContent;
     } catch (error) {
       throw new Error(
@@ -3639,6 +3824,40 @@ var AICheckProvider = class extends CheckProvider {
         );
       }
     }
+    const templateContext = {
+      pr: {
+        number: prInfo.number,
+        title: prInfo.title,
+        author: prInfo.author,
+        branch: prInfo.head,
+        base: prInfo.base
+      },
+      files: prInfo.files,
+      outputs: _dependencyResults ? Object.fromEntries(
+        Array.from(_dependencyResults.entries()).map(([checkName, result]) => [
+          checkName,
+          result.output !== void 0 ? result.output : result
+        ])
+      ) : {}
+    };
+    try {
+      const span = trace.getSpan(otContext.active());
+      if (span) {
+        captureCheckInputContext(span, templateContext);
+      }
+    } catch {
+    }
+    try {
+      const checkId = config.checkName || config.id || "unknown";
+      const ctxJson = JSON.stringify(templateContext);
+      const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+      emitNdjsonSpanWithEvents2(
+        "visor.check",
+        { "visor.check.id": checkId, "visor.check.input.context": ctxJson },
+        []
+      );
+    } catch {
+    }
     const processedPrompt = await this.processPrompt(
       customPrompt,
       prInfo,
@@ -3691,10 +3910,43 @@ var AICheckProvider = class extends CheckProvider {
       const suppressionEnabled = config.suppressionEnabled !== false;
       const issueFilter = new IssueFilter(suppressionEnabled);
       const filteredIssues = issueFilter.filterIssues(result.issues || [], process.cwd());
-      return {
+      const finalResult = {
         ...result,
         issues: filteredIssues
       };
+      try {
+        const span = trace.getSpan(otContext.active());
+        if (span) {
+          captureProviderCall(
+            span,
+            "ai",
+            {
+              prompt: processedPrompt.substring(0, 500),
+              // Preview only
+              model: aiConfig.model
+            },
+            {
+              content: JSON.stringify(finalResult).substring(0, 500),
+              tokens: result.usage?.totalTokens
+            }
+          );
+          const outputForSpan = finalResult.output ?? finalResult;
+          captureCheckOutput(span, outputForSpan);
+        }
+      } catch {
+      }
+      try {
+        const checkId = config.checkName || config.id || "unknown";
+        const outJson = JSON.stringify(finalResult.output ?? finalResult);
+        const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+        emitNdjsonSpanWithEvents2(
+          "visor.check",
+          { "visor.check.id": checkId, "visor.check.output": outJson },
+          []
+        );
+      } catch {
+      }
+      return finalResult;
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       console.error(`\u274C AI Check Provider Error for check: ${errorMessage}`);
@@ -3739,6 +3991,7 @@ var AICheckProvider = class extends CheckProvider {
 };
 
 // src/providers/http-check-provider.ts
+import { trace as trace2, context as otContext2 } from "@opentelemetry/api";
 var HttpCheckProvider = class extends CheckProvider {
   liquid;
   constructor() {
@@ -3800,6 +4053,13 @@ var HttpCheckProvider = class extends CheckProvider {
       outputs: dependencyResults ? Object.fromEntries(dependencyResults) : {},
       metadata: config.metadata || {}
     };
+    try {
+      const span = trace2.getSpan(otContext2.active());
+      if (span) {
+        captureCheckInputContext(span, templateContext);
+      }
+    } catch {
+    }
     let payload;
     try {
       const renderedBody = await this.liquid.parseAndRender(bodyTemplate, templateContext);
@@ -3822,10 +4082,31 @@ var HttpCheckProvider = class extends CheckProvider {
       const suppressionEnabled = config.suppressionEnabled !== false;
       const issueFilter = new IssueFilter(suppressionEnabled);
       const filteredIssues = issueFilter.filterIssues(result.issues || [], process.cwd());
-      return {
+      const finalResult = {
         ...result,
         issues: filteredIssues
       };
+      try {
+        const span = trace2.getSpan(otContext2.active());
+        if (span) {
+          captureProviderCall(
+            span,
+            "http",
+            {
+              url,
+              method,
+              body: JSON.stringify(payload).substring(0, 500)
+            },
+            {
+              content: JSON.stringify(response).substring(0, 500)
+            }
+          );
+          const outputForSpan = finalResult.output ?? finalResult;
+          captureCheckOutput(span, outputForSpan);
+        }
+      } catch {
+      }
+      return finalResult;
     } catch (error) {
       return this.createErrorResult(url, error);
     }
@@ -4474,8 +4755,111 @@ var LogCheckProvider = class extends CheckProvider {
   }
 };
 
-// src/providers/github-ops-provider.ts
+// src/utils/sandbox.ts
 import Sandbox from "@nyariv/sandboxjs";
+function createSecureSandbox() {
+  const globals = {
+    ...Sandbox.SAFE_GLOBALS,
+    Math,
+    JSON,
+    // Provide console with limited surface. Calls are harmless in CI logs and
+    // help with debugging value_js / transform_js expressions.
+    console: {
+      log: console.log,
+      warn: console.warn,
+      error: console.error
+    }
+  };
+  const prototypeWhitelist = new Map(Sandbox.SAFE_PROTOTYPES);
+  const arrayMethods = /* @__PURE__ */ new Set([
+    "some",
+    "every",
+    "filter",
+    "map",
+    "reduce",
+    "find",
+    "includes",
+    "indexOf",
+    "length",
+    "slice",
+    "concat",
+    "join",
+    "push",
+    "pop",
+    "shift",
+    "unshift",
+    "sort",
+    "reverse",
+    "flat",
+    "flatMap"
+  ]);
+  prototypeWhitelist.set(Array.prototype, arrayMethods);
+  const stringMethods = /* @__PURE__ */ new Set([
+    "toLowerCase",
+    "toUpperCase",
+    "includes",
+    "indexOf",
+    "startsWith",
+    "endsWith",
+    "slice",
+    "substring",
+    "length",
+    "trim",
+    "split",
+    "replace",
+    "match",
+    "padStart",
+    "padEnd"
+  ]);
+  prototypeWhitelist.set(String.prototype, stringMethods);
+  const objectMethods = /* @__PURE__ */ new Set([
+    "hasOwnProperty",
+    "toString",
+    "valueOf",
+    "keys",
+    "values"
+  ]);
+  prototypeWhitelist.set(Object.prototype, objectMethods);
+  return new Sandbox({ globals, prototypeWhitelist });
+}
+function compileAndRun(sandbox, userCode, scope, opts = { injectLog: true, wrapFunction: true, logPrefix: "[sandbox]" }) {
+  const inject = opts?.injectLog === true;
+  let safePrefix = String(opts?.logPrefix ?? "[sandbox]");
+  safePrefix = safePrefix.replace(/[\r\n\t\0]/g, "").replace(/[`$\\]/g, "").replace(/\$\{/g, "").slice(0, 64);
+  const header = inject ? `const __lp = ${JSON.stringify(safePrefix)}; const log = (...a) => { try { console.log(__lp, ...a); } catch {} };
+` : "";
+  const body = opts.wrapFunction ? `const __fn = () => {
+${userCode}
+};
+return __fn();
+` : `${userCode}`;
+  const code = `${header}${body}`;
+  let exec;
+  try {
+    exec = sandbox.compile(code);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`sandbox_compile_error: ${msg}`);
+  }
+  let out;
+  try {
+    out = exec(scope);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`sandbox_execution_error: ${msg}`);
+  }
+  if (out && typeof out.run === "function") {
+    try {
+      return out.run();
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      throw new Error(`sandbox_runner_error: ${msg}`);
+    }
+  }
+  return out;
+}
+
+// src/providers/github-ops-provider.ts
 var GitHubOpsProvider = class extends CheckProvider {
   sandbox;
   getName() {
@@ -4502,25 +4886,20 @@ var GitHubOpsProvider = class extends CheckProvider {
   }
   async execute(prInfo, config, dependencyResults) {
     const cfg = config;
-    let octokit = config.eventContext?.octokit;
+    const octokit = config.eventContext?.octokit;
     if (!octokit) {
-      const token = process.env["INPUT_GITHUB-TOKEN"] || process.env["GITHUB_TOKEN"];
-      if (!token) {
-        return {
-          issues: [
-            {
-              file: "system",
-              line: 0,
-              ruleId: "github/missing_token",
-              message: "No GitHub token available; set GITHUB_TOKEN or pass github-token input for native GitHub operations",
-              severity: "error",
-              category: "logic"
-            }
-          ]
-        };
-      }
-      const { Octokit } = await import("@octokit/rest");
-      octokit = new Octokit({ auth: token });
+      return {
+        issues: [
+          {
+            file: "system",
+            line: 0,
+            ruleId: "github/missing_octokit",
+            message: "No authenticated Octokit instance available in event context. GitHub operations require proper authentication context.",
+            severity: "error",
+            category: "logic"
+          }
+        ]
+      };
     }
     const repoEnv = process.env.GITHUB_REPOSITORY || "";
     const [owner, repo] = repoEnv.split("/");
@@ -4598,14 +4977,19 @@ var GitHubOpsProvider = class extends CheckProvider {
     if (cfg.value_js && cfg.value_js.trim()) {
       try {
         const sandbox = this.getSecureSandbox();
-        const code = `
-          const __fn = () => {
-${cfg.value_js}
-};
-          return __fn();
-        `;
-        const exec = sandbox.compile(code);
-        const res = exec({ pr: prInfo, values });
+        const depOutputs = {};
+        if (dependencyResults) {
+          for (const [name, result] of dependencyResults.entries()) {
+            const summary = result;
+            depOutputs[name] = summary.output !== void 0 ? summary.output : summary;
+          }
+        }
+        const res = compileAndRun(
+          sandbox,
+          cfg.value_js,
+          { pr: prInfo, values, outputs: depOutputs },
+          { injectLog: true, wrapFunction: true, logPrefix: "[github:value_js]" }
+        );
         if (typeof res === "string") values = [res];
         else if (Array.isArray(res)) values = res.map((v) => String(v));
       } catch (e) {
@@ -4696,51 +5080,14 @@ ${cfg.value_js}
    */
   getSecureSandbox() {
     if (this.sandbox) return this.sandbox;
-    const globals = {
-      ...Sandbox.SAFE_GLOBALS,
-      Math
-    };
-    const prototypeWhitelist = new Map(Sandbox.SAFE_PROTOTYPES);
-    const arrayMethods = /* @__PURE__ */ new Set([
-      "some",
-      "every",
-      "filter",
-      "map",
-      "reduce",
-      "find",
-      "includes",
-      "indexOf",
-      "length",
-      "slice",
-      "concat",
-      "join"
-    ]);
-    prototypeWhitelist.set(Array.prototype, arrayMethods);
-    const stringMethods = /* @__PURE__ */ new Set([
-      "toLowerCase",
-      "toUpperCase",
-      "includes",
-      "indexOf",
-      "startsWith",
-      "endsWith",
-      "slice",
-      "substring",
-      "length",
-      "trim",
-      "split",
-      "replace"
-    ]);
-    prototypeWhitelist.set(String.prototype, stringMethods);
-    const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf"]);
-    prototypeWhitelist.set(Object.prototype, objectMethods);
-    this.sandbox = new Sandbox({ globals, prototypeWhitelist });
+    this.sandbox = createSecureSandbox();
     return this.sandbox;
   }
 };
 
 // src/providers/claude-code-check-provider.ts
-import fs4 from "fs/promises";
-import path5 from "path";
+import fs5 from "fs/promises";
+import path7 from "path";
 
 // src/providers/claude-code-types.ts
 async function safeImport(moduleName) {
@@ -4901,7 +5248,7 @@ var ClaudeCodeCheckProvider = class extends CheckProvider {
     const hasFileExtension = /\.[a-zA-Z0-9]{1,10}$/i.test(str);
     const hasPathSeparators = /[\/\\]/.test(str);
     const isRelativePath = /^\.{1,2}\//.test(str);
-    const isAbsolutePath = path5.isAbsolute(str);
+    const isAbsolutePath = path7.isAbsolute(str);
     const hasTypicalFileChars = /^[a-zA-Z0-9._\-\/\\:~]+$/.test(str);
     if (!(hasFileExtension || isRelativePath || isAbsolutePath || hasPathSeparators)) {
       return false;
@@ -4911,13 +5258,13 @@ var ClaudeCodeCheckProvider = class extends CheckProvider {
     }
     try {
       let resolvedPath;
-      if (path5.isAbsolute(str)) {
-        resolvedPath = path5.normalize(str);
+      if (path7.isAbsolute(str)) {
+        resolvedPath = path7.normalize(str);
       } else {
-        resolvedPath = path5.resolve(process.cwd(), str);
+        resolvedPath = path7.resolve(process.cwd(), str);
       }
       try {
-        const stat = await fs4.stat(resolvedPath);
+        const stat = await fs5.stat(resolvedPath);
         return stat.isFile();
       } catch {
         return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -4934,14 +5281,14 @@ var ClaudeCodeCheckProvider = class extends CheckProvider {
       throw new Error("Prompt file must have .liquid extension");
     }
     let resolvedPath;
-    if (path5.isAbsolute(promptPath)) {
+    if (path7.isAbsolute(promptPath)) {
       resolvedPath = promptPath;
     } else {
-      resolvedPath = path5.resolve(process.cwd(), promptPath);
+      resolvedPath = path7.resolve(process.cwd(), promptPath);
     }
-    if (!path5.isAbsolute(promptPath)) {
-      const normalizedPath = path5.normalize(resolvedPath);
-      const currentDir = path5.resolve(process.cwd());
+    if (!path7.isAbsolute(promptPath)) {
+      const normalizedPath = path7.normalize(resolvedPath);
+      const currentDir = path7.resolve(process.cwd());
       if (!normalizedPath.startsWith(currentDir)) {
         throw new Error("Invalid prompt file path: path traversal detected");
       }
@@ -4950,7 +5297,7 @@ var ClaudeCodeCheckProvider = class extends CheckProvider {
       throw new Error("Invalid prompt file path: path traversal detected");
     }
     try {
-      const promptContent = await fs4.readFile(resolvedPath, "utf-8");
+      const promptContent = await fs5.readFile(resolvedPath, "utf-8");
       return promptContent;
     } catch (error) {
       throw new Error(
@@ -5192,8 +5539,8 @@ var ClaudeCodeCheckProvider = class extends CheckProvider {
 };
 
 // src/providers/command-check-provider.ts
-import Sandbox2 from "@nyariv/sandboxjs";
 init_logger();
+import { trace as trace3, context as otContext3 } from "@opentelemetry/api";
 var CommandCheckProvider = class extends CheckProvider {
   liquid;
   sandbox;
@@ -5206,13 +5553,7 @@ var CommandCheckProvider = class extends CheckProvider {
     });
   }
   createSecureSandbox() {
-    const globals = {
-      ...Sandbox2.SAFE_GLOBALS,
-      console,
-      JSON
-    };
-    const prototypeWhitelist = new Map(Sandbox2.SAFE_PROTOTYPES);
-    return new Sandbox2({ globals, prototypeWhitelist });
+    return createSecureSandbox();
   }
   getName() {
     return "command";
@@ -5261,6 +5602,24 @@ var CommandCheckProvider = class extends CheckProvider {
     logger.debug(
       `\u{1F527} Debug: Template outputs keys: ${Object.keys(templateContext.outputs || {}).join(", ")}`
     );
+    try {
+      const span = trace3.getSpan(otContext3.active());
+      if (span) {
+        captureCheckInputContext(span, templateContext);
+      }
+    } catch {
+    }
+    try {
+      const checkId = config.checkName || config.id || "unknown";
+      const ctxJson = JSON.stringify(templateContext);
+      const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+      emitNdjsonSpanWithEvents2(
+        "visor.check",
+        { "visor.check.id": checkId, "visor.check.input.context": ctxJson },
+        [{ name: "check.started" }, { name: "check.completed" }]
+      );
+    } catch {
+    }
     try {
       let renderedCommand = command;
       if (command.includes("{{") || command.includes("{%")) {
@@ -5455,8 +5814,12 @@ ${bodyWithReturn}
           if (parsedFromSandboxJson !== void 0) {
             finalOutput = parsedFromSandboxJson;
           } else {
-            const exec2 = this.sandbox.compile(code);
-            finalOutput = exec2({ scope: jsContext }).run();
+            finalOutput = compileAndRun(
+              this.sandbox,
+              code,
+              { scope: jsContext },
+              { injectLog: false, wrapFunction: false }
+            );
           }
           try {
             if (finalOutput && typeof finalOutput === "object" && !Array.isArray(finalOutput) && (finalOutput.error === void 0 || finalOutput.issues === void 0)) {
@@ -5867,6 +6230,27 @@ ${bodyWithReturn}
         ...content ? { content } : {},
         ...promoted
       };
+      try {
+        const span = trace3.getSpan(otContext3.active());
+        if (span) {
+          captureCheckOutput(span, outputForDependents);
+          if (transformJs && output !== finalOutput) {
+            captureTransformJS(span, transformJs, output, finalOutput);
+          }
+        }
+      } catch {
+      }
+      try {
+        const checkId = config.checkName || config.id || "unknown";
+        const outJson = JSON.stringify(result.output ?? result);
+        const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
+        emitNdjsonSpanWithEvents2(
+          "visor.check",
+          { "visor.check.id": checkId, "visor.check.output": outJson },
+          [{ name: "check.started" }, { name: "check.completed" }]
+        );
+      } catch {
+      }
       try {
         if (transformJs) {
           const rawObj = snapshotForExtraction || finalOutput;
@@ -6431,7 +6815,6 @@ ${stderrOutput}` : `Command execution failed: ${errorMessage}`;
 
 // src/providers/memory-check-provider.ts
 init_logger();
-import Sandbox3 from "@nyariv/sandboxjs";
 var MemoryCheckProvider = class extends CheckProvider {
   liquid;
   sandbox;
@@ -6446,61 +6829,7 @@ var MemoryCheckProvider = class extends CheckProvider {
    * Create a secure sandbox for JavaScript execution
    */
   createSecureSandbox() {
-    const globals = {
-      ...Sandbox3.SAFE_GLOBALS,
-      Math,
-      console: {
-        log: console.log,
-        warn: console.warn,
-        error: console.error
-      }
-    };
-    const prototypeWhitelist = new Map(Sandbox3.SAFE_PROTOTYPES);
-    const arrayMethods = /* @__PURE__ */ new Set([
-      "some",
-      "every",
-      "filter",
-      "map",
-      "reduce",
-      "find",
-      "includes",
-      "indexOf",
-      "length",
-      "slice",
-      "concat",
-      "join",
-      "push",
-      "pop",
-      "shift",
-      "unshift",
-      "sort",
-      "reverse"
-    ]);
-    prototypeWhitelist.set(Array.prototype, arrayMethods);
-    const stringMethods = /* @__PURE__ */ new Set([
-      "toLowerCase",
-      "toUpperCase",
-      "includes",
-      "indexOf",
-      "startsWith",
-      "endsWith",
-      "slice",
-      "substring",
-      "length",
-      "trim",
-      "split",
-      "replace",
-      "match",
-      "padStart",
-      "padEnd"
-    ]);
-    prototypeWhitelist.set(String.prototype, stringMethods);
-    const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf"]);
-    prototypeWhitelist.set(Object.prototype, objectMethods);
-    return new Sandbox3({
-      globals,
-      prototypeWhitelist
-    });
+    return createSecureSandbox();
   }
   getName() {
     return "memory";
@@ -6792,15 +7121,12 @@ var MemoryCheckProvider = class extends CheckProvider {
       this.sandbox = this.createSecureSandbox();
     }
     try {
-      const log2 = (...args) => {
-        logger.info(`\u{1F50D} [memory-js] ${args.map((a) => JSON.stringify(a)).join(" ")}`);
-      };
-      const scope = {
-        ...context,
-        log: log2
-      };
-      const exec = this.sandbox.compile(`return (${expression});`);
-      return exec(scope).run();
+      const scope = { ...context };
+      return compileAndRun(this.sandbox, `return (${expression});`, scope, {
+        injectLog: true,
+        wrapFunction: false,
+        logPrefix: "[memory:value_js]"
+      });
     } catch (error) {
       const errorMsg = error instanceof Error ? error.message : "Unknown error";
       throw new Error(`Failed to evaluate value_js: ${errorMsg}`);
@@ -6811,20 +7137,16 @@ var MemoryCheckProvider = class extends CheckProvider {
    * Unlike evaluateJavaScript, this supports full scripts with statements, not just expressions
    */
   evaluateJavaScriptBlock(script, context) {
-    if (!this.sandbox) {
-      this.sandbox = this.createSecureSandbox();
-    }
-    try {
-      const log2 = (...args) => {
-        logger.info(`\u{1F50D} [memory-js] ${args.map((a) => JSON.stringify(a)).join(" ")}`);
-      };
-      const scope = {
-        ...context,
-        log: log2
-      };
-      const exec = this.sandbox.compile(script);
-      const result = exec(scope).run();
-      return result;
+    if (!this.sandbox) {
+      this.sandbox = this.createSecureSandbox();
+    }
+    try {
+      const scope = { ...context };
+      return compileAndRun(this.sandbox, script, scope, {
+        injectLog: true,
+        wrapFunction: false,
+        logPrefix: "[memory:exec_js]"
+      });
     } catch (error) {
       const errorMsg = error instanceof Error ? error.message : "Unknown error";
       logger.error(`[memory-js] Script execution error: ${errorMsg}`);
@@ -6916,7 +7238,6 @@ import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
-import Sandbox4 from "@nyariv/sandboxjs";
 var McpCheckProvider = class extends CheckProvider {
   liquid;
   sandbox;
@@ -6935,67 +7256,7 @@ var McpCheckProvider = class extends CheckProvider {
    * - No access to filesystem, network, or system resources
    */
   createSecureSandbox() {
-    const log2 = (...args) => {
-      logger.debug(`[transform_js] ${args.map((a) => JSON.stringify(a)).join(" ")}`);
-    };
-    const globals = {
-      ...Sandbox4.SAFE_GLOBALS,
-      // Excludes Function, eval, require, process, etc.
-      Math,
-      JSON,
-      console: {
-        log: log2
-      }
-    };
-    const prototypeWhitelist = new Map(Sandbox4.SAFE_PROTOTYPES);
-    const arrayMethods = /* @__PURE__ */ new Set([
-      "some",
-      "every",
-      "filter",
-      "map",
-      "reduce",
-      "find",
-      "includes",
-      "indexOf",
-      "length",
-      "slice",
-      "concat",
-      "join",
-      "push",
-      "pop",
-      "shift",
-      "unshift",
-      "sort",
-      "reverse",
-      "flat",
-      "flatMap"
-    ]);
-    prototypeWhitelist.set(Array.prototype, arrayMethods);
-    const stringMethods = /* @__PURE__ */ new Set([
-      "toLowerCase",
-      "toUpperCase",
-      "includes",
-      "indexOf",
-      "startsWith",
-      "endsWith",
-      "slice",
-      "substring",
-      "length",
-      "trim",
-      "split",
-      "replace",
-      // String.prototype.replace for text manipulation (e.g., "hello".replace("h", "H"))
-      "match",
-      "padStart",
-      "padEnd"
-    ]);
-    prototypeWhitelist.set(String.prototype, stringMethods);
-    const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf", "keys", "values"]);
-    prototypeWhitelist.set(Object.prototype, objectMethods);
-    return new Sandbox4({
-      globals,
-      prototypeWhitelist
-    });
+    return createSecureSandbox();
   }
   getName() {
     return "mcp";
@@ -7124,8 +7385,12 @@ var McpCheckProvider = class extends CheckProvider {
             outputs: templateContext.outputs,
             env: templateContext.env
           };
-          const exec = this.sandbox.compile(`return (${cfg.transform_js});`);
-          finalOutput = exec(scope).run();
+          finalOutput = compileAndRun(
+            this.sandbox,
+            `return (${cfg.transform_js});`,
+            scope,
+            { injectLog: true, wrapFunction: false, logPrefix: "[mcp:transform_js]" }
+          );
         } catch (error) {
           logger.error(`Failed to apply JavaScript transform: ${error}`);
           return {
@@ -7490,6 +7755,484 @@ var McpCheckProvider = class extends CheckProvider {
   }
 };
 
+// src/utils/interactive-prompt.ts
+import * as readline from "readline";
+var colors = {
+  reset: "\x1B[0m",
+  dim: "\x1B[2m",
+  bold: "\x1B[1m",
+  cyan: "\x1B[36m",
+  green: "\x1B[32m",
+  yellow: "\x1B[33m",
+  gray: "\x1B[90m"
+};
+var supportsUnicode = process.env.LANG?.includes("UTF-8") || process.platform === "darwin";
+var box = supportsUnicode ? {
+  topLeft: "\u250C",
+  topRight: "\u2510",
+  bottomLeft: "\u2514",
+  bottomRight: "\u2518",
+  horizontal: "\u2500",
+  vertical: "\u2502",
+  leftT: "\u251C",
+  rightT: "\u2524"
+} : {
+  topLeft: "+",
+  topRight: "+",
+  bottomLeft: "+",
+  bottomRight: "+",
+  horizontal: "-",
+  vertical: "|",
+  leftT: "+",
+  rightT: "+"
+};
+function formatTime(ms) {
+  const seconds = Math.ceil(ms / 1e3);
+  const mins = Math.floor(seconds / 60);
+  const secs = seconds % 60;
+  return `${mins}:${secs.toString().padStart(2, "0")}`;
+}
+function drawLine(char, width) {
+  return char.repeat(width);
+}
+function wrapText(text, width) {
+  const words = text.split(" ");
+  const lines = [];
+  let currentLine = "";
+  for (const word of words) {
+    if (currentLine.length + word.length + 1 <= width) {
+      currentLine += (currentLine ? " " : "") + word;
+    } else {
+      if (currentLine) lines.push(currentLine);
+      currentLine = word;
+    }
+  }
+  if (currentLine) lines.push(currentLine);
+  return lines;
+}
+function displayPromptUI(options, remainingMs) {
+  const width = Math.min(process.stdout.columns || 80, 80) - 4;
+  const icon = supportsUnicode ? "\u{1F4AC}" : ">";
+  console.log("\n");
+  console.log(`${box.topLeft}${drawLine(box.horizontal, width + 2)}${box.topRight}`);
+  console.log(
+    `${box.vertical} ${colors.bold}${icon} Human Input Required${colors.reset}${" ".repeat(
+      width - 22
+    )} ${box.vertical}`
+  );
+  console.log(`${box.leftT}${drawLine(box.horizontal, width + 2)}${box.rightT}`);
+  console.log(`${box.vertical} ${" ".repeat(width)} ${box.vertical}`);
+  const promptLines = wrapText(options.prompt, width - 2);
+  for (const line of promptLines) {
+    console.log(
+      `${box.vertical} ${colors.cyan}${line}${colors.reset}${" ".repeat(
+        width - line.length
+      )} ${box.vertical}`
+    );
+  }
+  console.log(`${box.vertical} ${" ".repeat(width)} ${box.vertical}`);
+  const instruction = options.multiline ? "(Type your response, press Ctrl+D when done)" : "(Type your response and press Enter)";
+  console.log(
+    `${box.vertical} ${colors.dim}${instruction}${colors.reset}${" ".repeat(
+      width - instruction.length
+    )} ${box.vertical}`
+  );
+  if (options.placeholder && !options.multiline) {
+    console.log(
+      `${box.vertical} ${colors.dim}${options.placeholder}${colors.reset}${" ".repeat(
+        width - options.placeholder.length
+      )} ${box.vertical}`
+    );
+  }
+  console.log(`${box.vertical} ${" ".repeat(width)} ${box.vertical}`);
+  if (remainingMs !== void 0 && options.timeout) {
+    const timeIcon = supportsUnicode ? "\u23F1 " : "Time: ";
+    const timeStr = `${timeIcon} ${formatTime(remainingMs)} remaining`;
+    console.log(
+      `${box.vertical} ${colors.yellow}${timeStr}${colors.reset}${" ".repeat(
+        width - timeStr.length
+      )} ${box.vertical}`
+    );
+  }
+  console.log(`${box.bottomLeft}${drawLine(box.horizontal, width + 2)}${box.bottomRight}`);
+  console.log("");
+  process.stdout.write(`${colors.green}>${colors.reset} `);
+}
+async function interactivePrompt(options) {
+  return new Promise((resolve4, reject) => {
+    let input = "";
+    let timeoutId;
+    let countdownInterval;
+    let remainingMs = options.timeout;
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      terminal: true
+    });
+    displayPromptUI(options, remainingMs);
+    const cleanup = () => {
+      if (timeoutId) clearTimeout(timeoutId);
+      if (countdownInterval) clearInterval(countdownInterval);
+      rl.close();
+    };
+    const finish = (value) => {
+      cleanup();
+      console.log("");
+      resolve4(value);
+    };
+    if (options.timeout) {
+      timeoutId = setTimeout(() => {
+        cleanup();
+        console.log(`
+${colors.yellow}\u23F1  Timeout reached${colors.reset}`);
+        if (options.defaultValue !== void 0) {
+          console.log(
+            `${colors.gray}Using default value: ${options.defaultValue}${colors.reset}
+`
+          );
+          resolve4(options.defaultValue);
+        } else {
+          reject(new Error("Input timeout"));
+        }
+      }, options.timeout);
+      if (remainingMs) {
+        countdownInterval = setInterval(() => {
+          remainingMs = remainingMs - 1e3;
+          if (remainingMs <= 0) {
+            if (countdownInterval) clearInterval(countdownInterval);
+          }
+        }, 1e3);
+      }
+    }
+    if (options.multiline) {
+      rl.on("line", (line) => {
+        input += (input ? "\n" : "") + line;
+      });
+      rl.on("close", () => {
+        cleanup();
+        const trimmed = input.trim();
+        if (!trimmed && !options.allowEmpty) {
+          console.log(`${colors.yellow}\u26A0  Empty input not allowed${colors.reset}`);
+          reject(new Error("Empty input not allowed"));
+        } else {
+          finish(trimmed);
+        }
+      });
+    } else {
+      rl.question("", (answer) => {
+        const trimmed = answer.trim();
+        if (!trimmed && !options.allowEmpty && !options.defaultValue) {
+          cleanup();
+          console.log(`${colors.yellow}\u26A0  Empty input not allowed${colors.reset}`);
+          reject(new Error("Empty input not allowed"));
+        } else {
+          finish(trimmed || options.defaultValue || "");
+        }
+      });
+    }
+    rl.on("SIGINT", () => {
+      cleanup();
+      console.log("\n\n" + colors.yellow + "\u26A0  Cancelled by user" + colors.reset);
+      reject(new Error("Cancelled by user"));
+    });
+  });
+}
+async function simplePrompt(prompt) {
+  return new Promise((resolve4) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question(`${prompt}
+> `, (answer) => {
+      rl.close();
+      resolve4(answer.trim());
+    });
+  });
+}
+
+// src/utils/stdin-reader.ts
+function isStdinAvailable() {
+  return !process.stdin.isTTY;
+}
+async function readStdin(timeout, maxSize = 1024 * 1024) {
+  return new Promise((resolve4, reject) => {
+    let data = "";
+    let timeoutId;
+    if (timeout) {
+      timeoutId = setTimeout(() => {
+        cleanup();
+        reject(new Error(`Stdin read timeout after ${timeout}ms`));
+      }, timeout);
+    }
+    const cleanup = () => {
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+      process.stdin.removeListener("data", onData);
+      process.stdin.removeListener("end", onEnd);
+      process.stdin.removeListener("error", onError);
+      process.stdin.pause();
+    };
+    const onData = (chunk) => {
+      data += chunk.toString();
+      if (data.length > maxSize) {
+        cleanup();
+        reject(new Error(`Input exceeds maximum size of ${maxSize} bytes`));
+      }
+    };
+    const onEnd = () => {
+      cleanup();
+      resolve4(data.trim());
+    };
+    const onError = (err) => {
+      cleanup();
+      reject(err);
+    };
+    process.stdin.setEncoding("utf8");
+    process.stdin.on("data", onData);
+    process.stdin.on("end", onEnd);
+    process.stdin.on("error", onError);
+    process.stdin.resume();
+  });
+}
+async function tryReadStdin(timeout, maxSize = 1024 * 1024) {
+  if (!isStdinAvailable()) {
+    return null;
+  }
+  try {
+    return await readStdin(timeout, maxSize);
+  } catch {
+    return null;
+  }
+}
+
+// src/providers/human-input-check-provider.ts
+import * as fs6 from "fs";
+import * as path8 from "path";
+var HumanInputCheckProvider = class _HumanInputCheckProvider extends CheckProvider {
+  /**
+   * @deprecated Use ExecutionContext.cliMessage instead
+   * Kept for backward compatibility
+   */
+  static cliMessage;
+  /**
+   * @deprecated Use ExecutionContext.hooks instead
+   * Kept for backward compatibility
+   */
+  static hooks = {};
+  /**
+   * Set the CLI message value (from --message argument)
+   * @deprecated Use ExecutionContext.cliMessage instead
+   */
+  static setCLIMessage(message) {
+    _HumanInputCheckProvider.cliMessage = message;
+  }
+  /**
+   * Get the current CLI message value
+   * @deprecated Use ExecutionContext.cliMessage instead
+   */
+  static getCLIMessage() {
+    return _HumanInputCheckProvider.cliMessage;
+  }
+  /**
+   * Set hooks for SDK mode
+   * @deprecated Use ExecutionContext.hooks instead
+   */
+  static setHooks(hooks) {
+    _HumanInputCheckProvider.hooks = hooks;
+  }
+  getName() {
+    return "human-input";
+  }
+  getDescription() {
+    return "Prompts for human input during workflow execution (CLI interactive or SDK hook)";
+  }
+  async validateConfig(config) {
+    if (!config || typeof config !== "object") {
+      return false;
+    }
+    const cfg = config;
+    if (cfg.type !== "human-input") {
+      return false;
+    }
+    if (!cfg.prompt || typeof cfg.prompt !== "string") {
+      console.error('human-input check requires a "prompt" field');
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Check if a string looks like a file path
+   */
+  looksLikePath(str) {
+    return str.includes("/") || str.includes("\\");
+  }
+  /**
+   * Sanitize user input to prevent injection attacks in dependent checks
+   * Removes potentially dangerous characters while preserving useful input
+   */
+  sanitizeInput(input) {
+    let sanitized = input.replace(/\0/g, "");
+    sanitized = sanitized.replace(/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]/g, "");
+    const maxLength = 100 * 1024;
+    if (sanitized.length > maxLength) {
+      sanitized = sanitized.substring(0, maxLength);
+    }
+    return sanitized;
+  }
+  /**
+   * Try to read message from file if it exists
+   * Validates path to prevent directory traversal attacks
+   */
+  async tryReadFile(filePath) {
+    try {
+      const absolutePath = path8.isAbsolute(filePath) ? filePath : path8.resolve(process.cwd(), filePath);
+      const normalizedPath = path8.normalize(absolutePath);
+      const cwd = process.cwd();
+      if (!normalizedPath.startsWith(cwd + path8.sep) && normalizedPath !== cwd) {
+        return null;
+      }
+      try {
+        await fs6.promises.access(normalizedPath, fs6.constants.R_OK);
+        const stats = await fs6.promises.stat(normalizedPath);
+        if (!stats.isFile()) {
+          return null;
+        }
+        const content = await fs6.promises.readFile(normalizedPath, "utf-8");
+        return content.trim();
+      } catch {
+        return null;
+      }
+    } catch {
+    }
+    return null;
+  }
+  /**
+   * Get user input through various methods
+   */
+  async getUserInput(checkName, config, context) {
+    const prompt = config.prompt || "Please provide input:";
+    const placeholder = config.placeholder || "Enter your response...";
+    const allowEmpty = config.allow_empty ?? false;
+    const multiline = config.multiline ?? false;
+    const timeout = config.timeout ? config.timeout * 1e3 : void 0;
+    const defaultValue = config.default;
+    const cliMessage = context?.cliMessage ?? _HumanInputCheckProvider.cliMessage;
+    if (cliMessage !== void 0) {
+      const message = cliMessage;
+      if (this.looksLikePath(message)) {
+        const fileContent = await this.tryReadFile(message);
+        if (fileContent !== null) {
+          return fileContent;
+        }
+      }
+      return message;
+    }
+    const stdinInput = await tryReadStdin(timeout);
+    if (stdinInput !== null && stdinInput.length > 0) {
+      return stdinInput;
+    }
+    const hooks = context?.hooks ?? _HumanInputCheckProvider.hooks;
+    if (hooks?.onHumanInput) {
+      const request = {
+        checkId: checkName,
+        prompt,
+        placeholder,
+        allowEmpty,
+        multiline,
+        timeout,
+        default: defaultValue
+      };
+      try {
+        const result = await hooks.onHumanInput(request);
+        return result;
+      } catch (error) {
+        throw new Error(
+          `Hook onHumanInput failed: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    }
+    if (process.stdin.isTTY) {
+      try {
+        const result = await interactivePrompt({
+          prompt,
+          placeholder,
+          multiline,
+          timeout,
+          defaultValue,
+          allowEmpty
+        });
+        return result;
+      } catch (error) {
+        throw new Error(
+          `Interactive prompt failed: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    }
+    try {
+      const result = await simplePrompt(prompt);
+      if (!result && !allowEmpty && !defaultValue) {
+        throw new Error("Empty input not allowed");
+      }
+      return result || defaultValue || "";
+    } catch (error) {
+      throw new Error(
+        `Simple prompt failed: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+  async execute(_prInfo, config, _dependencyResults, context) {
+    const checkName = config.checkName || "human-input";
+    try {
+      const userInput = await this.getUserInput(checkName, config, context);
+      const sanitizedInput = this.sanitizeInput(userInput);
+      return {
+        issues: [],
+        output: sanitizedInput
+      };
+    } catch (error) {
+      return {
+        issues: [
+          {
+            file: "",
+            line: 0,
+            ruleId: "human-input-error",
+            message: `Failed to get user input: ${error instanceof Error ? error.message : String(error)}`,
+            severity: "error",
+            category: "logic"
+          }
+        ]
+      };
+    }
+  }
+  getSupportedConfigKeys() {
+    return [
+      "type",
+      "prompt",
+      "placeholder",
+      "allow_empty",
+      "multiline",
+      "timeout",
+      "default",
+      "depends_on",
+      "on",
+      "if",
+      "group"
+    ];
+  }
+  async isAvailable() {
+    return true;
+  }
+  getRequirements() {
+    return [
+      "No external dependencies required",
+      "Works in CLI mode with --message argument, piped stdin, or interactive prompts",
+      "SDK mode requires onHumanInput hook to be configured"
+    ];
+  }
+};
+
 // src/providers/check-provider-registry.ts
 var CheckProviderRegistry = class _CheckProviderRegistry {
   providers = /* @__PURE__ */ new Map();
@@ -7519,6 +8262,7 @@ var CheckProviderRegistry = class _CheckProviderRegistry {
     this.register(new LogCheckProvider());
     this.register(new MemoryCheckProvider());
     this.register(new GitHubOpsProvider());
+    this.register(new HumanInputCheckProvider());
     try {
       this.register(new ClaudeCodeCheckProvider());
     } catch (error) {
@@ -7823,7 +8567,6 @@ var DependencyResolver = class {
 };
 
 // src/failure-condition-evaluator.ts
-import Sandbox5 from "@nyariv/sandboxjs";
 var FailureConditionEvaluator = class _FailureConditionEvaluator {
   sandbox;
   constructor() {
@@ -7832,54 +8575,7 @@ var FailureConditionEvaluator = class _FailureConditionEvaluator {
    * Create a secure sandbox with whitelisted functions and globals
    */
   createSecureSandbox() {
-    const globals = {
-      ...Sandbox5.SAFE_GLOBALS,
-      // Allow Math for calculations
-      Math,
-      // Allow console for debugging (in controlled environment)
-      console: {
-        log: console.log,
-        warn: console.warn,
-        error: console.error
-      }
-    };
-    const prototypeWhitelist = new Map(Sandbox5.SAFE_PROTOTYPES);
-    const arrayMethods = /* @__PURE__ */ new Set([
-      "some",
-      "every",
-      "filter",
-      "map",
-      "reduce",
-      "find",
-      "includes",
-      "indexOf",
-      "length",
-      "slice",
-      "concat",
-      "join"
-    ]);
-    prototypeWhitelist.set(Array.prototype, arrayMethods);
-    const stringMethods = /* @__PURE__ */ new Set([
-      "toLowerCase",
-      "toUpperCase",
-      "includes",
-      "indexOf",
-      "startsWith",
-      "endsWith",
-      "slice",
-      "substring",
-      "length",
-      "trim",
-      "split",
-      "replace"
-    ]);
-    prototypeWhitelist.set(String.prototype, stringMethods);
-    const objectMethods = /* @__PURE__ */ new Set(["hasOwnProperty", "toString", "valueOf"]);
-    prototypeWhitelist.set(Object.prototype, objectMethods);
-    return new Sandbox5({
-      globals,
-      prototypeWhitelist
-    });
+    return createSecureSandbox();
   }
   /**
    * Evaluate simple fail_if condition
@@ -8152,7 +8848,7 @@ var FailureConditionEvaluator = class _FailureConditionEvaluator {
    */
   evaluateExpression(condition, context) {
     try {
-      const normalize = (expr) => {
+      const normalize2 = (expr) => {
         const trimmed = expr.trim();
         if (!/[\n;]/.test(trimmed)) return trimmed;
         const parts = trimmed.split(/[\n;]+/).map((s) => s.trim()).filter((s) => s.length > 0 && !s.startsWith("//"));
@@ -8295,7 +8991,7 @@ var FailureConditionEvaluator = class _FailureConditionEvaluator {
       try {
         exec = this.sandbox.compile(`return (${raw});`);
       } catch {
-        const normalizedExpr = normalize(condition);
+        const normalizedExpr = normalize2(condition);
         exec = this.sandbox.compile(`return (${normalizedExpr});`);
       }
       const result = exec(scope).run();
@@ -8981,8 +9677,8 @@ Please check your configuration and try again.`
 
 // src/check-execution-engine.ts
 init_logger();
-import Sandbox6 from "@nyariv/sandboxjs";
 init_fallback_ndjson();
+import { trace as trace4, context as otContext4 } from "@opentelemetry/api";
 function getSafeEnvironmentVariables() {
   const safeEnvVars = [
     "CI",
@@ -9024,6 +9720,8 @@ var CheckExecutionEngine = class _CheckExecutionEngine {
   outputHistory = /* @__PURE__ */ new Map();
   // Event override to simulate alternate event (used during routing goto)
   routingEventOverride;
+  // Execution context for providers (CLI message, hooks, etc.)
+  executionContext;
   // Cached GitHub context for context elevation when running in Actions
   actionContext;
   constructor(workingDirectory, octokit) {
@@ -9053,19 +9751,19 @@ var CheckExecutionEngine = class _CheckExecutionEngine {
     }
     return baseContext;
   }
+  /**
+   * Set execution context for providers (CLI message, hooks, etc.)
+   * This allows passing state without using static properties
+   */
+  setExecutionContext(context) {
+    this.executionContext = context;
+  }
   /**
    * Lazily create a secure sandbox for routing JS (goto_js, run_js)
    */
   getRoutingSandbox() {
     if (this.routingSandbox) return this.routingSandbox;
-    const globals = {
-      ...Sandbox6.SAFE_GLOBALS,
-      Math,
-      JSON,
-      console: { log: console.log }
-    };
-    const prototypeWhitelist = new Map(Sandbox6.SAFE_PROTOTYPES);
-    this.routingSandbox = new Sandbox6({ globals, prototypeWhitelist });
+    this.routingSandbox = createSecureSandbox();
     return this.routingSandbox;
   }
   redact(str, limit = 200) {
@@ -9077,7 +9775,7 @@ var CheckExecutionEngine = class _CheckExecutionEngine {
     }
   }
   async sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+    return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
   deterministicJitter(baseMs, seedStr) {
     let h = 2166136261;
@@ -9138,16 +9836,16 @@ var CheckExecutionEngine = class _CheckExecutionEngine {
           ),
           event: eventObj
         };
-        const code = `
-          const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const log = (...a)=>console.log('\u{1F50D} Debug:',...a); const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;
-          const __fn = () => {
-${expr}
-};
-          const __res = __fn();
-          return Array.isArray(__res) ? __res : (__res ? [__res] : []);
-        `;
-        const exec = sandbox.compile(code);
-        const res = exec({ scope }).run();
+        const prelude = `const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;`;
+        const code = `${prelude}
+${expr}`;
+        const result = compileAndRun(
+          sandbox,
+          code,
+          { scope },
+          { injectLog: false, wrapFunction: true }
+        );
+        const res = Array.isArray(result) ? result : result ? [result] : [];
         if (debug) {
           log2(`\u{1F527} Debug: run_js evaluated \u2192 [${this.redact(res)}]`);
         }
@@ -9191,16 +9889,15 @@ ${expr}
           ),
           event: eventObj
         };
-        const code = `
-          const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const log = (...a)=>console.log('\u{1F50D} Debug:',...a); const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;
-          const __fn = () => {
-${expr}
-};
-          const __res = __fn();
-          return (typeof __res === 'string' && __res) ? __res : null;
-        `;
-        const exec = sandbox.compile(code);
-        const res = exec({ scope }).run();
+        const prelude2 = `const step = scope.step; const attempt = scope.attempt; const loop = scope.loop; const error = scope.error; const foreach = scope.foreach; const outputs = scope.outputs; const output = scope.output; const pr = scope.pr; const files = scope.files; const env = scope.env; const event = scope.event; const hasMinPermission = scope.permissions.hasMinPermission; const isOwner = scope.permissions.isOwner; const isMember = scope.permissions.isMember; const isCollaborator = scope.permissions.isCollaborator; const isContributor = scope.permissions.isContributor; const isFirstTimer = scope.permissions.isFirstTimer;`;
+        const code2 = `${prelude2}
+${expr}`;
+        const res = compileAndRun(
+          sandbox,
+          code2,
+          { scope },
+          { injectLog: false, wrapFunction: true }
+        );
         if (debug) {
           log2(`\u{1F527} Debug: goto_js evaluated \u2192 ${this.redact(res)}`);
         }
@@ -9320,7 +10017,11 @@ ${expr}
       }
       let r;
       try {
-        r = await prov.execute(prInfoForInline, provCfg, depResults, sessionInfo);
+        const inlineContext = {
+          ...sessionInfo,
+          ...this.executionContext
+        };
+        r = await prov.execute(prInfoForInline, provCfg, depResults, inlineContext);
       } finally {
         this.routingEventOverride = prevEventOverride;
       }
@@ -9351,7 +10052,31 @@ ${expr}
           });
         } catch {
         }
-        const res = await provider.execute(prInfo, providerConfig, dependencyResults, sessionInfo);
+        const context = {
+          ...sessionInfo,
+          ...this.executionContext
+        };
+        const res = await withActiveSpan(
+          `visor.check.${checkName}`,
+          {
+            "visor.check.id": checkName,
+            "visor.check.type": providerConfig.type || "ai",
+            "visor.check.attempt": attempt
+          },
+          async () => {
+            try {
+              return await provider.execute(prInfo, providerConfig, dependencyResults, context);
+            } finally {
+              try {
+                emitNdjsonSpanWithEvents("visor.check", { "visor.check.id": checkName }, [
+                  { name: "check.started" },
+                  { name: "check.completed" }
+                ]);
+              } catch {
+              }
+            }
+          }
+        );
         try {
           currentRouteOutput = res?.output;
         } catch {
@@ -9979,7 +10704,7 @@ ${expr}
   /**
    * Execute review checks and return grouped results with statistics for new architecture
    */
-  async executeGroupedChecks(prInfo, checks, timeout, config, outputFormat, debug, maxParallelism, failFast, tagFilter) {
+  async executeGroupedChecks(prInfo, checks, timeout, config, outputFormat, debug, maxParallelism, failFast, tagFilter, _pauseGate) {
     const logFn = outputFormat === "json" || outputFormat === "sarif" ? debug ? console.error : () => {
     } : console.log;
     if (debug) {
@@ -10052,7 +10777,8 @@ ${expr}
         logFn,
         debug,
         maxParallelism,
-        failFast
+        failFast,
+        _pauseGate
       );
     }
     if (checks.length === 1) {
@@ -10065,7 +10791,8 @@ ${expr}
         timeout,
         config,
         logFn,
-        debug
+        debug,
+        _pauseGate
       );
       const groupedResults = {};
       groupedResults[checkResult.group] = [checkResult];
@@ -10082,7 +10809,7 @@ ${expr}
   /**
    * Execute single check and return grouped result
    */
-  async executeSingleGroupedCheck(prInfo, checkName, timeout, config, logFn, debug) {
+  async executeSingleGroupedCheck(prInfo, checkName, timeout, config, logFn, debug, _pauseGate) {
     if (!config?.checks?.[checkName]) {
       throw new Error(`No configuration found for check: ${checkName}`);
     }
@@ -10096,6 +10823,8 @@ ${expr}
       focus: checkConfig.focus || this.mapCheckNameToFocus(checkName),
       schema: checkConfig.schema,
       group: checkConfig.group,
+      checkName,
+      // propagate for fallback NDJSON attribution
       eventContext: this.enrichEventContext(prInfo.eventContext),
       ai: {
         timeout: timeout || 6e5,
@@ -10210,7 +10939,7 @@ ${expr}
   /**
    * Execute multiple checks with dependency awareness - return grouped results with statistics
    */
-  async executeGroupedDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast) {
+  async executeGroupedDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast, pauseGate) {
     const reviewSummary = await this.executeDependencyAwareChecks(
       prInfo,
       checks,
@@ -10219,7 +10948,8 @@ ${expr}
       logFn,
       debug,
       maxParallelism,
-      failFast
+      failFast,
+      pauseGate
     );
     const executionStatistics = this.buildExecutionStatistics();
     const groupedResults = await this.convertReviewSummaryToGroupedResults(
@@ -10320,7 +11050,7 @@ ${expr}
    * - Enforcing .liquid file extension
    */
   async validateTemplatePath(templatePath) {
-    const path6 = await import("path");
+    const path9 = await import("path");
     if (!templatePath || typeof templatePath !== "string" || templatePath.trim() === "") {
       throw new Error("Template path must be a non-empty string");
     }
@@ -10330,7 +11060,7 @@ ${expr}
     if (!templatePath.endsWith(".liquid")) {
       throw new Error("Template file must have .liquid extension");
     }
-    if (path6.isAbsolute(templatePath)) {
+    if (path9.isAbsolute(templatePath)) {
       throw new Error("Template path must be relative to project directory");
     }
     if (templatePath.includes("..")) {
@@ -10344,14 +11074,14 @@ ${expr}
     if (!projectRoot || typeof projectRoot !== "string") {
       throw new Error("Unable to determine project root directory");
     }
-    const resolvedPath = path6.resolve(projectRoot, templatePath);
-    const resolvedProjectRoot = path6.resolve(projectRoot);
+    const resolvedPath = path9.resolve(projectRoot, templatePath);
+    const resolvedProjectRoot = path9.resolve(projectRoot);
     if (!resolvedPath || !resolvedProjectRoot || resolvedPath === "" || resolvedProjectRoot === "") {
       throw new Error(
         `Unable to resolve template path: projectRoot="${projectRoot}", templatePath="${templatePath}", resolvedPath="${resolvedPath}", resolvedProjectRoot="${resolvedProjectRoot}"`
       );
     }
-    if (!resolvedPath.startsWith(resolvedProjectRoot + path6.sep) && resolvedPath !== resolvedProjectRoot) {
+    if (!resolvedPath.startsWith(resolvedProjectRoot + path9.sep) && resolvedPath !== resolvedProjectRoot) {
       throw new Error("Template path escapes project directory");
     }
     return resolvedPath;
@@ -10394,9 +11124,9 @@ ${expr}
     if (typeof directContent === "string" && directContent.trim()) {
       return directContent.trim();
     }
-    const { createExtendedLiquid: createExtendedLiquid2 } = await import("./liquid-extensions-GMEGEGC3.mjs");
-    const fs5 = await import("fs/promises");
-    const path6 = await import("path");
+    const { createExtendedLiquid: createExtendedLiquid2 } = await import("./liquid-extensions-KVL4MKRH.mjs");
+    const fs7 = await import("fs/promises");
+    const path9 = await import("path");
     const liquid = createExtendedLiquid2({
       trimTagLeft: false,
       trimTagRight: false,
@@ -10419,7 +11149,7 @@ ${expr}
         templateContent = checkConfig.template.content;
       } else if (checkConfig.template.file) {
         const validatedPath = await this.validateTemplatePath(checkConfig.template.file);
-        templateContent = await fs5.readFile(validatedPath, "utf-8");
+        templateContent = await fs7.readFile(validatedPath, "utf-8");
       } else {
         throw new Error('Custom template must specify either "file" or "content"');
       }
@@ -10430,8 +11160,8 @@ ${expr}
       if (!sanitizedSchema) {
         throw new Error("Invalid schema name");
       }
-      const templatePath = path6.join(__dirname, `output/${sanitizedSchema}/template.liquid`);
-      templateContent = await fs5.readFile(templatePath, "utf-8");
+      const templatePath = path9.join(__dirname, `output/${sanitizedSchema}/template.liquid`);
+      templateContent = await fs7.readFile(templatePath, "utf-8");
       if (sanitizedSchema === "issue-assistant") {
         enrichAssistantContext = true;
       }
@@ -10463,7 +11193,7 @@ ${expr}
       templateData.authorAssociation = authorAssociation;
       templateData.event = { name: eventName, action: eventAction };
     }
-    const { withPermissionsContext } = await import("./liquid-extensions-GMEGEGC3.mjs");
+    const { withPermissionsContext } = await import("./liquid-extensions-KVL4MKRH.mjs");
     let authorAssociationForFilters;
     try {
       const anyInfo = _prInfo;
@@ -10487,7 +11217,7 @@ ${expr}
     }
     const finalRendered = rendered.trim();
     try {
-      const { emitMermaidFromMarkdown } = await import("./mermaid-telemetry-4DUEYCLE.mjs");
+      const { emitMermaidFromMarkdown } = await import("./mermaid-telemetry-FBF6D35S.mjs");
       emitMermaidFromMarkdown(checkName, finalRendered, "content");
     } catch {
     }
@@ -10539,7 +11269,7 @@ ${expr}
   /**
    * Execute multiple checks with dependency awareness - intelligently parallel and sequential
    */
-  async executeDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast) {
+  async executeDependencyAwareChecks(prInfo, checks, timeout, config, logFn, debug, maxParallelism, failFast, pauseGate) {
     const log2 = logFn || console.error;
     if (debug) {
       log2(`\u{1F527} Debug: Starting dependency-aware execution of ${checks.length} checks`);
@@ -10674,6 +11404,13 @@ ${expr}
       }
       const levelChecks = executionGroup.parallel.filter((name) => !results.has(name));
       const levelTaskFunctions = levelChecks.map((checkName) => async () => {
+        if (pauseGate) {
+          try {
+            await pauseGate();
+          } catch {
+            return { checkName, error: "__STOP__", result: null, skipped: true };
+          }
+        }
         if (results.has(checkName)) {
           if (debug) log2(`\u{1F527} Debug: Skipping ${checkName} (already satisfied earlier)`);
           return { checkName, error: null, result: results.get(checkName) };
@@ -10762,7 +11499,7 @@ ${expr}
               });
               if (!hasFatalFailure && config && (config.fail_if || config.checks[depId]?.fail_if)) {
                 try {
-                  hasFatalFailure = await this.failIfTriggered(depId, depRes, config);
+                  hasFatalFailure = await this.failIfTriggered(depId, depRes, config, results);
                 } catch {
                 }
               }
@@ -10995,7 +11732,9 @@ ${expr}
                     const fRes = await this.evaluateFailureConditions(
                       childName,
                       childItemRes,
-                      config
+                      config,
+                      prInfo,
+                      results
                     );
                     if (fRes.length > 0) {
                       const fIssues = fRes.filter((f) => f.failed).map((f) => ({
@@ -11038,6 +11777,13 @@ ${expr}
                 }
               };
               const itemTasks = forEachItems.map((item, itemIndex) => async () => {
+                if (pauseGate) {
+                  try {
+                    await pauseGate();
+                  } catch {
+                    throw new Error("__STOP__");
+                  }
+                }
                 try {
                   emitNdjsonSpanWithEvents(
                     "visor.foreach.item",
@@ -11050,6 +11796,13 @@ ${expr}
                   );
                 } catch {
                 }
+                try {
+                  const span = trace4.getSpan(otContext4.active());
+                  if (span) {
+                    captureForEachState(span, forEachItems, itemIndex, item);
+                  }
+                } catch {
+                }
                 const forEachDependencyResults = /* @__PURE__ */ new Map();
                 for (const [depName, depResult] of dependencyResults) {
                   if (forEachParents.includes(depName)) {
@@ -11100,7 +11853,9 @@ ${expr}
                         const depFailures = await this.evaluateFailureConditions(
                           depId,
                           depItemRes,
-                          config
+                          config,
+                          prInfo,
+                          results
                         );
                         hasFatalDepFailure = depFailures.some((f) => f.failed);
                       } catch {
@@ -11176,7 +11931,9 @@ ${expr}
                   const itemFailures = await this.evaluateFailureConditions(
                     checkName,
                     itemResult,
-                    config
+                    config,
+                    prInfo,
+                    results
                   );
                   if (itemFailures.length > 0) {
                     const failureIssues = itemFailures.filter((f) => f.failed).map((f) => ({
@@ -11346,7 +12103,13 @@ ${expr}
                       { index: itemIndex, total: forEachItems.length, parent: forEachParentName }
                     );
                     if (config && (config.fail_if || nodeCfg.fail_if)) {
-                      const fRes = await this.evaluateFailureConditions(node, nodeItemRes, config);
+                      const fRes = await this.evaluateFailureConditions(
+                        node,
+                        nodeItemRes,
+                        config,
+                        prInfo,
+                        results
+                      );
                       if (fRes.length > 0) {
                         const fIssues = fRes.filter((f) => f.failed).map((f) => ({
                           file: "system",
@@ -11441,7 +12204,13 @@ ${expr}
                         rForEval = { ...r, output: parsed };
                       }
                     }
-                    const failures = await this.evaluateFailureConditions(parent, rForEval, config);
+                    const failures = await this.evaluateFailureConditions(
+                      parent,
+                      rForEval,
+                      config,
+                      prInfo,
+                      results
+                    );
                     if (failures.some((f) => f.failed)) {
                     }
                     if (failures.some((f) => f.failed)) return true;
@@ -11560,7 +12329,9 @@ ${expr}
                         const failures = await this.evaluateFailureConditions(
                           checkName,
                           r,
-                          config
+                          config,
+                          prInfo,
+                          results
                         );
                         hadFatal = failures.some((f) => f.failed);
                       } catch {
@@ -11667,7 +12438,9 @@ ${expr}
               const failureResults = await this.evaluateFailureConditions(
                 checkName,
                 finalResult,
-                config
+                config,
+                prInfo,
+                results
               );
               if (failureResults.length > 0) {
                 const failureIssues = failureResults.filter((f) => f.failed).map((f) => ({
@@ -11782,6 +12555,14 @@ ${error.stack || ""}` : String(error);
         const checkName = levelChecksList[i];
         const result = levelResults[i];
         const checkConfig = config.checks[checkName];
+        if (result.status === "fulfilled" && result.value?.error === "__STOP__") {
+          shouldStopExecution = true;
+          break;
+        }
+        if (result.status === "rejected" && result.reason instanceof Error && result.reason.message === "__STOP__") {
+          shouldStopExecution = true;
+          break;
+        }
         if (result.status === "fulfilled" && result.value.result && !result.value.error) {
           if (result.value.skipped) {
             if (debug) {
@@ -11842,6 +12623,21 @@ ${error.stack || ""}` : String(error);
             this.trackOutputHistory(checkName, reviewResultWithOutput.output);
           }
           results.set(checkName, reviewResult);
+          try {
+            const span = trace4.getSpan(otContext4.active());
+            if (span) {
+              const allOutputs = {};
+              results.forEach((result2, name) => {
+                if (result2.output !== void 0) {
+                  allOutputs[name] = result2.output;
+                }
+              });
+              const memoryStore = MemoryStore.getInstance();
+              const memoryData = await memoryStore.getAll();
+              captureStateSnapshot(span, checkName, allOutputs, memoryData);
+            }
+          } catch {
+          }
         } else {
           const errorSummary = {
             issues: [
@@ -12560,13 +13356,14 @@ ${result.value.result.debug.rawResponse}`;
   /**
    * Evaluate failure conditions for a check result
    */
-  async evaluateFailureConditions(checkName, reviewSummary, config, prInfo) {
+  async evaluateFailureConditions(checkName, reviewSummary, config, prInfo, previousOutputs) {
     if (!config) {
       return [];
     }
     const checkConfig = config.checks[checkName];
     const checkSchema = typeof checkConfig?.schema === "object" ? "custom" : checkConfig?.schema || "";
     const checkGroup = checkConfig?.group || "";
+    const outputsRecord = previousOutputs ? previousOutputs instanceof Map ? Object.fromEntries(previousOutputs.entries()) : previousOutputs : void 0;
     const globalFailIf = config.fail_if;
     const checkFailIf = checkConfig?.fail_if;
     if (globalFailIf || checkFailIf) {
@@ -12577,7 +13374,8 @@ ${result.value.result.debug.rawResponse}`;
           checkSchema,
           checkGroup,
           reviewSummary,
-          globalFailIf
+          globalFailIf,
+          outputsRecord
         );
         try {
           addEvent("fail_if.evaluated", {
@@ -12642,7 +13440,8 @@ ${result.value.result.debug.rawResponse}`;
           checkSchema,
           checkGroup,
           reviewSummary,
-          checkFailIf
+          checkFailIf,
+          outputsRecord
         );
         try {
           addEvent("fail_if.evaluated", {
@@ -13171,9 +13970,15 @@ ${result.value.result.debug.rawResponse}`;
     if (!issues || issues.length === 0) return false;
     return issues.some((i) => this.isFatalRule(i.ruleId || "", i.severity));
   }
-  async failIfTriggered(checkName, result, config) {
+  async failIfTriggered(checkName, result, config, previousOutputs) {
     if (!config) return false;
-    const failures = await this.evaluateFailureConditions(checkName, result, config);
+    const failures = await this.evaluateFailureConditions(
+      checkName,
+      result,
+      config,
+      void 0,
+      previousOutputs
+    );
     return failures.some((f) => f.failed);
   }
   /**
@@ -13286,4 +14091,4 @@ ${result.value.result.debug.rawResponse}`;
 export {
   CheckExecutionEngine
 };
-//# sourceMappingURL=chunk-POYXI3MQ.mjs.map
+//# sourceMappingURL=chunk-X2JKUOE5.mjs.map