promptfoo 0.120.26 → 0.121.1

package/dist/src/{scanner-Dyw21Wg_.js → scanner-J8CA3LsV.js}

@@ -1,29 +1,28 @@
 #!/usr/bin/env node
-import { O as cliState_default, n as getLogLevel, o as logger_default } from "./logger-BotXmWKW.js";
-import { O as TERMINAL_MAX_WIDTH } from "./fetch-SRsE6Ctl.js";
-import "./cloud-BMbRVJFw.js";
-import "./types-t52w-XsS.js";
-import { t as printBorder } from "./util-BSh4a_Q8.js";
-import "./esm-CYhseqj4.js";
-import "./pythonUtils-r1uBuA0n.js";
-import { t as formatDuration } from "./formatDuration-Doo0xq-z.js";
+import { O as state, n as getLogLevel, o as logger } from "./logger-KkObSCzq.js";
+import { D as TERMINAL_MAX_WIDTH, u as sleepWithAbort } from "./fetch-BMv0O527.js";
+import "./cloud-Bc9526yV.js";
+import "./types-CH3Ge2sE.js";
+import { t as printBorder } from "./util-YT5HPZaS.js";
+import "./esm-C03C-mv3.js";
+import "./pythonUtils-C3py6GC1.js";
+import { t as formatDuration } from "./formatDuration-DgBVMN65.js";
 import { z } from "zod";
 import chalk from "chalk";
 import fs from "fs";
-import path, { isAbsolute, resolve as resolve$1 } from "path";
+import path, { isAbsolute, resolve } from "path";
 import yaml from "js-yaml";
 import crypto from "crypto";
 import { spawn } from "child_process";
 import async from "async";
-import { execa } from "execa";
 import ora from "ora";
 import { io } from "socket.io-client";
-import simpleGit$1 from "simple-git";
+import simpleGit from "simple-git";
 import binaryExtensions from "binary-extensions";
+import { execa } from "execa";
 import { isText } from "istextorbinary";
 import textExtensions from "text-extensions";
 import { minimatch } from "minimatch";
-
 //#region src/util/agent/agentAuth.ts
 /**
 * Shared auth credential resolution for agent clients.
@@ -33,9 +32,9 @@ import { minimatch } from "minimatch";
 */
 let cloudConfig$1;
 try {
-	cloudConfig$1 = (await import("./cloud-CZ4hytdm.js")).cloudConfig;
+	cloudConfig$1 = (await import("./cloud-DmE0EwsY.js")).cloudConfig;
 } catch (error) {
-	if (error instanceof Error && "code" in error && error.code === "MODULE_NOT_FOUND") {} else logger_default.debug(`Unexpected error loading cloud config: ${error}`);
+	if (error instanceof Error && "code" in error && error.code === "MODULE_NOT_FOUND") {} else logger.debug(`Unexpected error loading cloud config: ${error}`);
 }
 /**
 * Resolve base authentication credentials using waterfall approach:
@@ -48,24 +47,23 @@ try {
 */
 function resolveBaseAuthCredentials(opts) {
 	if (opts?.apiKey) {
-		logger_default.debug("Using API key from CLI/config");
+		logger.debug("Using API key from CLI/config");
 		return { apiKey: opts.apiKey };
 	}
 	const envApiKey = process.env.PROMPTFOO_API_KEY;
 	if (envApiKey) {
-		logger_default.debug("Using API key from PROMPTFOO_API_KEY env var");
+		logger.debug("Using API key from PROMPTFOO_API_KEY env var");
 		return { apiKey: envApiKey };
 	}
 	if (cloudConfig$1) {
 		const storedApiKey = cloudConfig$1.getApiKey();
 		if (storedApiKey) {
-			logger_default.debug("Using API key from promptfoo auth");
+			logger.debug("Using API key from promptfoo auth");
 			return { apiKey: storedApiKey };
 		}
 	}
 	return {};
 }
-
 //#endregion
 //#region src/util/agent/agentClient.ts
 /**
@@ -79,9 +77,9 @@ function resolveBaseAuthCredentials(opts) {
 */
 let cloudConfig;
 try {
-	cloudConfig = (await import("./cloud-CZ4hytdm.js")).cloudConfig;
+	cloudConfig = (await import("./cloud-DmE0EwsY.js")).cloudConfig;
 } catch (error) {
-	if (error instanceof Error && "code" in error && error.code === "MODULE_NOT_FOUND") {} else logger_default.debug(`Unexpected error loading cloud config: ${error}`);
+	if (error instanceof Error && "code" in error && error.code === "MODULE_NOT_FOUND") {} else logger.debug(`Unexpected error loading cloud config: ${error}`);
 }
 /**
 * Create an agent client that connects to the shared Socket.IO server.
@@ -118,7 +116,7 @@ async function createAgentClient(opts) {
 			}
 		});
 		socket.on("connect", () => {
-			logger_default.debug(`Agent client connected (agent: ${agent}, id: ${socket.id})`);
+			logger.debug(`Agent client connected (agent: ${agent}, id: ${socket.id})`);
 			socket.emit("agent:join", { sessionId });
 			if (settled) return;
 			settled = true;
@@ -155,18 +153,18 @@ async function createAgentClient(opts) {
 		socket.on("connect_error", (error) => {
 			if (settled) return;
 			settled = true;
-			logger_default.debug(`Agent client connection error: ${error.message}`);
+			logger.debug(`Agent client connection error: ${error.message}`);
 			cleanup();
 			reject(/* @__PURE__ */ new Error(`Failed to connect to server: ${error.message}`));
 		});
 		socket.on("disconnect", (reason) => {
-			logger_default.debug(`Agent client disconnected: ${reason}`);
+			logger.debug(`Agent client disconnected: ${reason}`);
 		});
 		socket.on("error", (error) => {
-			logger_default.debug(`Agent client error: ${String(error)}`);
+			logger.debug(`Agent client error: ${String(error)}`);
 		});
 		socket.io.on("reconnect_failed", () => {
-			logger_default.error(`Agent client reconnection failed after all attempts (agent: ${agent})`);
+			logger.error(`Agent client reconnection failed after all attempts (agent: ${agent})`);
 		});
 		const timeoutId = setTimeout(() => {
 			if (!socket.connected && !settled) {
@@ -177,7 +175,6 @@ async function createAgentClient(opts) {
 		}, timeoutMs);
 	});
 }
-
 //#endregion
 //#region src/types/codeScan.ts
 const CodeScanSeverity = {
@@ -321,7 +318,7 @@ const PullRequestContextSchema = z.object({
 	number: z.number(),
 	sha: z.string()
 });
-const ScanRequestSchema = z.object({
+z.object({
 	files: z.array(FileRecordSchema).min(1, "Files array cannot be empty"),
 	metadata: GitMetadataSchema,
 	config: ScanConfigSchema,
@@ -337,7 +334,7 @@ const CommentSchema = z.object({
 	severity: CodeScanSeveritySchema.optional(),
 	aiAgentPrompt: z.string().nullable().optional()
 });
-const PhaseResultsSchema = z.object({
+z.object({
 	inventory: z.string(),
 	tracing: z.string(),
 	analysis: z.string(),
@@ -345,7 +342,7 @@ const PhaseResultsSchema = z.object({
 	fixes: z.string(),
 	comments: z.string()
 });
-const ScanResponseSchema = z.object({
+z.object({
 	success: z.boolean(),
 	review: z.string().optional(),
 	comments: z.array(CommentSchema),
@@ -407,7 +404,6 @@ var ConfigLoadError = class extends Error {
 		this.name = "ConfigLoadError";
 	}
 };
-
 //#endregion
 //#region src/codeScan/config/schema.ts
 /**
@@ -434,7 +430,6 @@ const DEFAULT_CONFIG = {
 	minimumSeverity: CodeScanSeverity.MEDIUM,
 	diffsOnly: false
 };
-
 //#endregion
 //#region src/codeScan/config/loader.ts
 /**
@@ -533,7 +528,6 @@ function resolveGuidance(options, config) {
 function resolveApiHost(options, config) {
 	return options.apiHost || config.apiHost || "https://api.promptfoo.app";
 }
-
 //#endregion
 //#region src/codeScan/git/diff.ts
 /**
@@ -552,7 +546,6 @@ async function validateOnBranch(git) {
 		throw new GitError(`Failed to validate branch: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
-
 //#endregion
 //#region src/codeScan/constants/filtering.ts
 /**
@@ -594,12 +587,10 @@ const DENYLIST_PATTERNS = [
 	"**/*.mp4",
 	"**/*.mov"
 ];
-const MAX_BLOB_SIZE_BYTES = 500 * 1024;
 const MAX_PATCH_SIZE_BYTES = 200 * 1024;
 function isInDenylist(filePath) {
 	return DENYLIST_PATTERNS.some((pattern) => minimatch(filePath, pattern));
 }
-
 //#endregion
 //#region src/codeScan/util/diffHunkParser.ts
 /**
@@ -639,7 +630,6 @@ function parseHunkHeader(line) {
 		newCount: match[4] ? parseInt(match[4], 10) : 1
 	};
 }
-
 //#endregion
 //#region src/codeScan/git/diffAnnotator.ts
 /**
@@ -707,7 +697,6 @@ function annotateDiffWithLineRanges(patch) {
 		lineRanges
 	};
 }
-
 //#endregion
 //#region src/codeScan/git/diffProcessor.ts
 /**
@@ -858,7 +847,7 @@ function attachBlobSizesAndFilter(files, sizeMap) {
 		if (file.skipReason) return file;
 		const beforeSize = file.shaA ? sizeMap.get(file.shaA) : void 0;
 		const afterSize = file.shaB ? sizeMap.get(file.shaB) : void 0;
-		if (beforeSize !== void 0 && beforeSize > MAX_BLOB_SIZE_BYTES || afterSize !== void 0 && afterSize > MAX_BLOB_SIZE_BYTES) return {
+		if (beforeSize !== void 0 && beforeSize > 512e3 || afterSize !== void 0 && afterSize > 512e3) return {
 			...file,
 			beforeSizeBytes: beforeSize,
 			afterSizeBytes: afterSize,
@@ -947,7 +936,7 @@ async function generatePatchForFile(repoPath, base, compare, filePath) {
 			cwd: repoPath,
 			maxBuffer: MAX_PATCH_SIZE_BYTES
 		})).stdout;
-		if (Buffer.byteLength(patch, "utf8") > MAX_PATCH_SIZE_BYTES) return {
+		if (Buffer.byteLength(patch, "utf8") > 204800) return {
 			success: false,
 			skipReason: "patch too large"
 		};
@@ -960,13 +949,13 @@ async function generatePatchForFile(repoPath, base, compare, filePath) {
 	} catch (err) {
 		const errorMessage = err instanceof Error ? err.message : String(err);
 		if (errorMessage.includes("maxBuffer") || errorMessage.includes("stdout maxBuffer")) {
-			logger_default.debug(`git diff --patch ${filePath} exceeded maxBuffer (${MAX_PATCH_SIZE_BYTES} bytes) - patch too large`);
+			logger.debug(`git diff --patch ${filePath} exceeded maxBuffer (${MAX_PATCH_SIZE_BYTES} bytes) - patch too large`);
 			return {
 				success: false,
 				skipReason: "patch too large"
 			};
 		}
-		logger_default.debug(`git diff --patch ${filePath} failed: ${errorMessage} - skipping file`);
+		logger.debug(`git diff --patch ${filePath} failed: ${errorMessage} - skipping file`);
 		return {
 			success: false,
 			skipReason: "diff error"
@@ -1007,7 +996,6 @@ async function processDiff(repoPath, base, compare = "HEAD") {
 		throw new DiffProcessorError(`Failed to process diff: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
-
 //#endregion
 //#region src/codeScan/git/metadata.ts
 /**
@@ -1023,7 +1011,7 @@ async function processDiff(repoPath, base, compare = "HEAD") {
 * @returns Git metadata object
 */
 async function extractMetadata(repoPath, baseBranch, compareRef) {
-	const git = simpleGit$1(repoPath);
+	const git = simpleGit(repoPath);
 	try {
 		const baseRef = baseBranch;
 		const compareRefValue = compareRef;
@@ -1050,7 +1038,6 @@ async function extractMetadata(repoPath, baseBranch, compareRef) {
 		throw new GitMetadataError(`Failed to extract git metadata: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
-
 //#endregion
 //#region src/codeScan/mcp/filesystem.ts
 /**
@@ -1065,9 +1052,9 @@ async function extractMetadata(repoPath, baseBranch, compareRef) {
 */
 function startFilesystemMcpServer(rootDir) {
 	if (!isAbsolute(rootDir)) throw new FilesystemMcpError(`Root directory must be an absolute path, got: ${rootDir}`);
-	const absoluteRootDir = resolve$1(rootDir);
-	logger_default.debug("Starting filesystem MCP server...");
-	logger_default.debug(`Root directory: ${absoluteRootDir}`);
+	const absoluteRootDir = resolve(rootDir);
+	logger.debug("Starting filesystem MCP server...");
+	logger.debug(`Root directory: ${absoluteRootDir}`);
 	try {
 		const mcpProcess = spawn("npx", [
 			"-y",
@@ -1084,16 +1071,16 @@ function startFilesystemMcpServer(rootDir) {
 		mcpProcess.stderr?.on("data", (chunk) => {
 			const message = chunk.toString("utf8");
 			if (message.includes("Failed to request initial roots from client")) return;
-			logger_default.debug(`MCP server stderr: ${message.trim()}`);
+			logger.debug(`MCP server stderr: ${message.trim()}`);
 		});
 		mcpProcess.on("error", (error) => {
-			logger_default.error(`MCP server process error: ${error.message}`);
+			logger.error(`MCP server process error: ${error.message}`);
 		});
 		mcpProcess.on("exit", (code, signal) => {
-			if (code !== null && code !== 0) logger_default.debug(`MCP server exited with code ${code}`);
-			else if (signal) logger_default.debug(`MCP server terminated by signal ${signal}`);
+			if (code !== null && code !== 0) logger.debug(`MCP server exited with code ${code}`);
+			else if (signal) logger.debug(`MCP server terminated by signal ${signal}`);
 		});
-		logger_default.debug(`MCP server started (pid: ${mcpProcess.pid})`);
+		logger.debug(`MCP server started (pid: ${mcpProcess.pid})`);
 		return mcpProcess;
 	} catch (error) {
 		throw new FilesystemMcpError(`Failed to start filesystem MCP server: ${error instanceof Error ? error.message : String(error)}`);
@@ -1105,25 +1092,24 @@ function startFilesystemMcpServer(rootDir) {
 */
 async function stopFilesystemMcpServer(process) {
 	if (!process.pid) {
-		logger_default.debug("MCP server already stopped");
+		logger.debug("MCP server already stopped");
 		return;
 	}
-	logger_default.debug(`Stopping MCP server (pid: ${process.pid})...`);
+	logger.debug(`Stopping MCP server (pid: ${process.pid})...`);
 	return new Promise((resolve) => {
 		const timeout = setTimeout(() => {
-			logger_default.debug("MCP server did not exit gracefully, force killing...");
+			logger.debug("MCP server did not exit gracefully, force killing...");
 			process.kill("SIGKILL");
 			resolve();
 		}, 5e3);
 		process.on("exit", () => {
 			clearTimeout(timeout);
-			logger_default.debug("MCP server stopped");
+			logger.debug("MCP server stopped");
 			resolve();
 		});
 		process.kill("SIGTERM");
 	});
 }
-
 //#endregion
 //#region src/codeScan/mcp/transport.ts
 /**
@@ -1143,7 +1129,7 @@ var SocketIoMcpBridge = class {
 	*/
 	async connect() {
 		if (!this.socket.connected) throw new SocketIoMcpBridgeError("Socket must be connected before starting bridge");
-		logger_default.debug(`Using existing socket connection (id: ${this.socket.id})`);
+		logger.debug(`Using existing socket connection (id: ${this.socket.id})`);
 		this.startBridging();
 	}
 	/**
@@ -1193,7 +1179,7 @@ var SocketIoMcpBridge = class {
 						message
 					});
 				} catch (_error) {
-					logger_default.debug(`Failed to parse MCP output: ${line}`);
+					logger.debug(`Failed to parse MCP output: ${line}`);
 				}
 			}
 		});
@@ -1217,19 +1203,19 @@ var SocketIoMcpBridge = class {
 				const jsonLine = JSON.stringify(messageToSend) + "\n";
 				this.mcpProcess.stdin?.write(jsonLine);
 			} catch (error) {
-				logger_default.error(`Failed to write to MCP stdin: ${error instanceof Error ? error.message : String(error)}`);
+				logger.error(`Failed to write to MCP stdin: ${error instanceof Error ? error.message : String(error)}`);
 			}
 		});
-		logger_default.debug("MCP ↔ Socket.io bridge active");
+		logger.debug("MCP ↔ Socket.io bridge active");
 	}
 	/**
 	* Stop bridging (socket lifecycle managed externally)
 	*/
 	async disconnect() {
-		logger_default.debug("Stopping MCP bridge...");
+		logger.debug("Stopping MCP bridge...");
 		this.wireIdMap.clear();
 		this.wireIdSeq = 0;
-		logger_default.debug("MCP bridge stopped");
+		logger.debug("MCP bridge stopped");
 	}
 	/**
 	* Get socket ID (if connected)
@@ -1244,7 +1230,6 @@ var SocketIoMcpBridge = class {
 		return this.socket?.connected === true;
 	}
 };
-
 //#endregion
 //#region src/codeScan/mcp/index.ts
 /**
@@ -1259,8 +1244,8 @@ var SocketIoMcpBridge = class {
 * @returns MCP bridge setup result
 */
 async function setupMcpBridge(socket, absoluteRepoPath, sessionId) {
-	logger_default.debug("Setting up repo MCP access...");
-	logger_default.debug(`Using session ID: ${sessionId}`);
+	logger.debug("Setting up repo MCP access...");
+	logger.debug(`Using session ID: ${sessionId}`);
 	const mcpProcess = startFilesystemMcpServer(absoluteRepoPath);
 	const mcpBridge = new SocketIoMcpBridge(mcpProcess, socket, sessionId);
 	await mcpBridge.connect();
@@ -1274,7 +1259,6 @@ async function setupMcpBridge(socket, absoluteRepoPath, sessionId) {
 		sessionId
 	};
 }
-
 //#endregion
 //#region src/codeScan/util/auth.ts
 /**
@@ -1300,16 +1284,15 @@ function resolveAuthCredentials(apiKey, forkPR) {
 	if (baseAuth.apiKey) return baseAuth;
 	const oidcToken = process.env.GITHUB_OIDC_TOKEN;
 	if (oidcToken) {
-		logger_default.debug("Using GitHub OIDC token");
+		logger.debug("Using GitHub OIDC token");
 		return { oidcToken };
 	}
 	if (forkPR) {
-		logger_default.debug("Using fork PR context for authentication");
+		logger.debug("Using fork PR context for authentication");
 		return { forkPR };
 	}
 	return {};
 }
-
 //#endregion
 //#region src/codeScan/util/github.ts
 /**
@@ -1328,7 +1311,6 @@ function parseGitHubPr(prString) {
 		number: parseInt(prNumber, 10)
 	};
 }
-
 //#endregion
 //#region src/codeScan/scanner/cleanup.ts
 /**
@@ -1341,14 +1323,13 @@ function parseGitHubPr(prString) {
 */
 function registerCleanupHandlers(refs) {
 	const cleanup = (signal) => {
-		logger_default.debug(`Received ${signal}, cleaning up...`);
+		logger.debug(`Received ${signal}, cleaning up...`);
 		if (refs.abortController) refs.abortController.abort();
 	};
 	process.once("SIGINT", () => cleanup("SIGINT"));
 	process.once("SIGTERM", () => cleanup("SIGTERM"));
 	process.once("SIGQUIT", () => cleanup("SIGQUIT"));
 }
-
 //#endregion
 //#region src/codeScan/scanner/output.ts
 /**
@@ -1381,8 +1362,8 @@ function displayScanResults(response, duration, options) {
 		const { comments, review } = response;
 		const severityCounts = countBySeverity(comments || []);
 		printBorder();
-		logger_default.info(`${chalk.green("✓")} Scan complete (${formatDuration(duration / 1e3)})`);
-		if (severityCounts.total > 0) logger_default.info(chalk.yellow(`⚠ Found ${severityCounts.total} issue${severityCounts.total === 1 ? "" : "s"}`));
+		logger.info(`${chalk.green("✓")} Scan complete (${formatDuration(duration / 1e3)})`);
+		if (severityCounts.total > 0) logger.info(chalk.yellow(`⚠ Found ${severityCounts.total} issue${severityCounts.total === 1 ? "" : "s"}`));
 		printBorder();
 		let reviewText = review;
 		if (!reviewText && comments && comments.length > 0) {
@@ -1390,9 +1371,9 @@ function displayScanResults(response, duration, options) {
 			if (noneComment) reviewText = noneComment.finding;
 		}
 		if (reviewText) {
-			logger_default.info("");
-			logger_default.info(reviewText);
-			logger_default.info("");
+			logger.info("");
+			logger.info(reviewText);
+			logger.info("");
 			printBorder();
 		}
 		if (severityCounts.total > 0) {
@@ -1406,42 +1387,49 @@ function displayScanResults(response, duration, options) {
 				const rankA = a.severity ? getSeverityRank(a.severity) : 0;
 				return (b.severity ? getSeverityRank(b.severity) : 0) - rankA;
 			});
-			logger_default.info("");
+			logger.info("");
 			for (let i = 0; i < sortedComments.length; i++) {
 				const comment = sortedComments[i];
 				const severity = formatSeverity(comment.severity);
 				const location = comment.line ? `${comment.file}:${comment.line}` : comment.file || "";
-				logger_default.info(`${severity} ${chalk.gray(location)}`);
-				logger_default.info("");
-				logger_default.info(comment.finding);
+				logger.info(`${severity} ${chalk.gray(location)}`);
+				logger.info("");
+				logger.info(comment.finding);
 				if (comment.fix) {
-					logger_default.info("");
-					logger_default.info(chalk.bold("Suggested Fix:"));
-					logger_default.info(comment.fix);
+					logger.info("");
+					logger.info(chalk.bold("Suggested Fix:"));
+					logger.info(comment.fix);
 				}
 				if (comment.aiAgentPrompt) {
-					logger_default.info("");
-					logger_default.info(chalk.bold("AI Agent Prompt:"));
-					logger_default.info(comment.aiAgentPrompt);
+					logger.info("");
+					logger.info(chalk.bold("AI Agent Prompt:"));
+					logger.info(comment.aiAgentPrompt);
 				}
 				if (i < sortedComments.length - 1) {
-					logger_default.info("");
-					logger_default.info(chalk.gray("─".repeat(TERMINAL_MAX_WIDTH)));
-					logger_default.info("");
+					logger.info("");
+					logger.info(chalk.gray("─".repeat(TERMINAL_MAX_WIDTH)));
+					logger.info("");
 				}
 			}
 			printBorder();
 			if (options.githubPr) {
-				logger_default.info(`» Comments posted to PR: ${chalk.cyan(options.githubPr)}`);
+				logger.info(`» Comments posted to PR: ${chalk.cyan(options.githubPr)}`);
 				printBorder();
 			}
 		}
 	}
 }
-
 //#endregion
 //#region src/codeScan/scanner/request.ts
 /**
+* Scan Request Building and Execution
+*
+* Handles building scan requests and executing them via the agent client.
+*/
+const CAPACITY_ERROR_MESSAGE = "Server at capacity";
+const MAX_RETRIES = 7;
+const BASE_DELAY_MS = 1e3;
+/**
 * Build scan request from inputs
 *
 * @param files - Files to scan
@@ -1537,7 +1525,46 @@ async function executeScanRequest(client, request, options) {
 		client.start(request);
 	});
 }
-
+/**
+* Check if error is a server capacity error
+*/
+function isCapacityError(error) {
+	if (error instanceof Error) return error.message.includes(CAPACITY_ERROR_MESSAGE);
+	return false;
+}
+/**
+* Execute scan request with retry for capacity errors
+*
+* When the server is at capacity, it returns "Server at capacity. Please retry."
+* This wrapper retries with exponential backoff + jitter to spread load.
+*
+* Backoff schedule: ~1s, ~2s, ~4s, ~8s, ~16s, ~32s (total ~63s max)
+*
+* @param client - Connected agent client
+* @param request - Scan request to send
+* @param options - Execution options
+* @returns Promise resolving to scan response
+* @throws Error if scan fails after all retries
+*/
+async function executeScanRequestWithRetry(client, request, options) {
+	const { showSpinner, spinner } = options;
+	for (let attempt = 0; attempt < MAX_RETRIES; attempt++) try {
+		return await executeScanRequest(client, request, options);
+	} catch (error) {
+		if (!isCapacityError(error)) throw error;
+		if (attempt === MAX_RETRIES - 1) throw error;
+		const jitter = .7 + .6 * Math.random();
+		const delay = BASE_DELAY_MS * Math.pow(2, attempt) * jitter;
+		logger.debug(`Server busy, retrying in ${Math.round(delay / 1e3)}s (attempt ${attempt + 1}/${MAX_RETRIES})`);
+		if (showSpinner && spinner) {
+			const originalText = spinner.text;
+			spinner.text = `Server busy, retrying in ${Math.round(delay / 1e3)}s...`;
+			await sleepWithAbort(delay, options.abortController.signal);
+			spinner.text = originalText;
+		} else await sleepWithAbort(delay, options.abortController.signal);
+	}
+	throw new Error("Scan failed: exceeded maximum retries");
+}
 //#endregion
 //#region src/codeScan/scanner/index.ts
 /**
@@ -1570,13 +1597,13 @@ async function executeScan(repoPath, options) {
 	const guidance = resolveGuidance(options, config);
 	const absoluteRepoPath = path.resolve(repoPath);
 	if (!options.json) {
-		logger_default.info("Beginning scan for LLM-related vulnerabilities in your code.");
-		logger_default.info(`  Minimum severity: ${config.minimumSeverity}`);
-		if (config.diffsOnly) logger_default.info(`  Mode: diffs only`);
-		else logger_default.info(`  Mode: diffs + tracing into repo`);
-		logger_default.info("");
+		logger.info("Beginning scan for LLM-related vulnerabilities in your code.");
+		logger.info(`  Minimum severity: ${config.minimumSeverity}`);
+		if (config.diffsOnly) logger.info(`  Mode: diffs only`);
+		else logger.info(`  Mode: diffs + tracing into repo`);
+		logger.info("");
 	}
-	logger_default.debug(`Repository: ${absoluteRepoPath}`);
+	logger.debug(`Repository: ${absoluteRepoPath}`);
 	const cleanupRefs = {
 		repoPath: absoluteRepoPath,
 		socket: null,
@@ -1586,7 +1613,7 @@ async function executeScan(repoPath, options) {
 		abortController: null
 	};
 	registerCleanupHandlers(cleanupRefs);
-	const isWebUI = Boolean(cliState_default.webUI);
+	const isWebUI = Boolean(state.webUI);
 	const spinner = createSpinner({
 		json: options.json || false,
 		isWebUI,
@@ -1603,7 +1630,7 @@ async function executeScan(repoPath, options) {
 			if (!parsed) throw new Error(`Invalid --github-pr format: "${options.githubPr}". Expected format: owner/repo#number (e.g., promptfoo/promptfoo#123)`);
 			parsedPR = parsed;
 		}
-		if (!showSpinner) logger_default.debug("Connecting to server...");
+		if (!showSpinner) logger.debug("Connecting to server...");
 		client = await createAgentClient({
 			agent: "code-scan",
 			host: resolveApiHost(options, config),
@@ -1618,7 +1645,7 @@ async function executeScan(repoPath, options) {
 			cleanupRefs.mcpProcess = mcpProcess;
 			cleanupRefs.mcpBridge = mcpBridge;
 		}
-		logger_default.debug("Processing git diff...");
+		logger.debug("Processing git diff...");
 		const simpleGit = (await import("simple-git")).default;
 		const git = simpleGit(absoluteRepoPath);
 		if (!options.compare) await validateOnBranch(git);
@@ -1629,11 +1656,11 @@ async function executeScan(repoPath, options) {
 			baseBranch = branches.all.includes("main") || branches.all.includes("origin/main") ? "main" : branches.all.includes("master") || branches.all.includes("origin/master") ? "master" : "main";
 		}
 		const compareRef = options.compare || "HEAD";
-		logger_default.debug(`Comparing: ${baseBranch}...${compareRef}`);
+		logger.debug(`Comparing: ${baseBranch}...${compareRef}`);
 		const files = await processDiff(absoluteRepoPath, baseBranch, compareRef);
 		const includedFiles = files.filter((f) => !f.skipReason && f.patch);
 		const skippedFiles = files.filter((f) => f.skipReason);
-		logger_default.debug(`Files changed: ${files.length} (${includedFiles.length} included, ${skippedFiles.length} skipped)`);
+		logger.debug(`Files changed: ${files.length} (${includedFiles.length} included, ${skippedFiles.length} skipped)`);
 		if (includedFiles.length === 0) {
 			const msg = "No files to scan";
 			if (options.json) {
@@ -1642,18 +1669,18 @@ async function executeScan(repoPath, options) {
 					comments: [],
 					review: msg
 				};
-				logger_default.info(JSON.stringify(response, null, 2));
+				logger.info(JSON.stringify(response, null, 2));
 			} else if (showSpinner && spinner) spinner.succeed(msg);
-			else logger_default.info(msg);
-			cliState_default.postActionCallback = async () => {
+			else logger.info(msg);
+			state.postActionCallback = async () => {
 				await new Promise((resolve) => setTimeout(resolve, 100));
 				process.exitCode = 0;
 			};
 			return;
 		}
 		const metadata = await extractMetadata(absoluteRepoPath, baseBranch, compareRef);
-		logger_default.debug(`Compare ref: ${metadata.branch}`);
-		logger_default.debug(`Commits: ${metadata.commitMessages.length}`);
+		logger.debug(`Compare ref: ${metadata.branch}`);
+		logger.debug(`Commits: ${metadata.commitMessages.length}`);
 		let pullRequest = void 0;
 		if (parsedPR) {
 			const currentCommit = await git.revparse(["HEAD"]);
@@ -1663,11 +1690,11 @@ async function executeScan(repoPath, options) {
 				number: parsedPR.number,
 				sha: currentCommit.trim()
 			};
-			logger_default.debug(`GitHub PR context: ${parsedPR.owner}/${parsedPR.repo}#${parsedPR.number} (${pullRequest.sha.substring(0, 7)})`);
+			logger.debug(`GitHub PR context: ${parsedPR.owner}/${parsedPR.repo}#${parsedPR.number} (${pullRequest.sha.substring(0, 7)})`);
 		}
-		if (!showSpinner) logger_default.debug("Scanning code...");
+		if (!showSpinner) logger.debug("Scanning code...");
 		const scanRequest = buildScanRequest(files, metadata, config, sessionId, pullRequest, guidance);
-		const scanResponse = await executeScanRequest(client, scanRequest, {
+		const scanResponse = await executeScanRequestWithRetry(client, scanRequest, {
 			showSpinner,
 			spinner,
 			abortController
@@ -1682,8 +1709,8 @@ async function executeScan(repoPath, options) {
 		if (errorMessage.includes("Fork PR scanning not authorized")) {
 			const msg = "Fork PR scanning requires maintainer approval. See PR comment for options.";
 			if (showSpinner && spinner) spinner.succeed(msg);
-			else logger_default.info(msg);
-			cliState_default.postActionCallback = async () => {
+			else logger.info(msg);
+			state.postActionCallback = async () => {
 				await new Promise((resolve) => setTimeout(resolve, 100));
 				process.exitCode = 0;
 			};
@@ -1691,26 +1718,26 @@ async function executeScan(repoPath, options) {
 		}
 		const msg = `Scan failed: ${errorMessage}`;
 		if (showSpinner && spinner) spinner.fail(msg);
-		else logger_default.error(msg);
-		cliState_default.postActionCallback = async () => {
+		else logger.error(msg);
+		state.postActionCallback = async () => {
 			await new Promise((resolve) => setTimeout(resolve, 100));
 			if (error instanceof Error && error.message === "cancelled by user") process.exitCode = 130;
 			else process.exitCode = 1;
 		};
 	} finally {
 		if (mcpBridge) await mcpBridge.disconnect().catch(() => {
-			logger_default.debug("MCP bridge cleanup completed");
+			logger.debug("MCP bridge cleanup completed");
 		});
 		if (mcpProcess) await stopFilesystemMcpServer(mcpProcess).catch(() => {
-			logger_default.debug("MCP server cleanup completed");
+			logger.debug("MCP server cleanup completed");
 		});
 		if (client) {
 			client.disconnect();
-			logger_default.debug("Agent client disconnected");
+			logger.debug("Agent client disconnected");
 		}
 	}
 }
-
 //#endregion
 export { executeScan };
-//# sourceMappingURL=scanner-Dyw21Wg_.js.map
+
+//# sourceMappingURL=scanner-J8CA3LsV.js.map