pg_sql_triggers 1.3.0 → 1.4.0

data/README.md

@@ -50,16 +50,18 @@ PgSqlTriggers::DSL.pg_sql_trigger "users_email_validation" do
   table :users
   on :insert, :update
   function :validate_user_email
-  version 1
-  enabled false
-  when_env :production
+  self.version = 1
+  self.enabled = true
+  timing :before
 end
 ```
 
-### Create and Run Migration
+### Generate and Run Migration
 
 ```bash
-rails generate trigger:migration add_email_validation
+# Generate a DSL stub + migration in one command
+rails generate pg_sql_triggers:trigger users_email_validation users insert update --timing before --function validate_user_email
+
 rake trigger:migrate
 ```
 
@@ -83,19 +85,26 @@ Comprehensive documentation is available in the [docs](docs/) directory:
 ## Key Features
 
 ### Trigger DSL
-Define triggers using a Rails-native Ruby DSL with versioning and environment control.
+Define triggers using a Rails-native Ruby DSL with versioning, row/statement-level granularity, and timing control.
+
+### CLI Generator
+Scaffold a DSL stub and migration in one command:
+```bash
+rails generate pg_sql_triggers:trigger TRIGGER_NAME TABLE_NAME [EVENTS...] [--timing before|after] [--function fn_name]
+```
+Files land in `app/triggers/` and `db/triggers/` for code review like any other source change.
 
 ### Migration System
 Manage trigger functions and definitions with a migration system similar to Rails schema migrations.
 
 ### Drift Detection
-Automatically detect when database triggers drift from your DSL definitions.
+Automatically detect when database triggers drift from your DSL definitions. N+1-free bulk detection across all triggers.
 
 ### Production Kill Switch
 Multi-layered safety mechanism preventing accidental destructive operations in production environments.
 
 ### Web Dashboard
-Visual interface for managing triggers, running migrations, and executing SQL capsules. Includes:
+Visual interface for managing triggers and running migrations. Includes:
 - **Quick Actions**: Enable/disable, drop, and re-execute triggers from dashboard
 - **Last Applied Tracking**: See when triggers were last applied with human-readable timestamps
 - **Breadcrumb Navigation**: Easy navigation between dashboard, tables, and triggers
@@ -104,18 +113,15 @@ Visual interface for managing triggers, running migrations, and executing SQL ca
 ### Audit Logging
 Comprehensive audit trail for all trigger operations:
 - Track who performed each operation (actor tracking)
-- Before and after state capture
+- Before and after state capture (including function body)
 - Success/failure logging with error messages
 - Reason tracking for drop and re-execute operations
 
-### SQL Capsules
-Emergency SQL execution feature for critical operations with Admin permission requirements, kill switch protection, and comprehensive logging.
-
 ### Drop & Re-Execute Flow
 Operational controls for trigger lifecycle management with drop and re-execute capabilities, drift comparison, and required reason logging.
 
 ### Permissions
-Three-tier permission system (Viewer, Operator, Admin) with customizable authorization.
+Three-tier permission system (Viewer, Operator, Admin) with customizable authorization. A startup warning is emitted in production when no `permission_checker` is configured.
 
 ## Console API
 
@@ -142,15 +148,6 @@ PgSqlTriggers::Registry.disable("users_email_validation", actor: current_user, c
 # Drop and re-execute triggers
 PgSqlTriggers::Registry.drop("old_trigger", actor: current_user, reason: "No longer needed", confirmation: "EXECUTE TRIGGER_DROP")
 PgSqlTriggers::Registry.re_execute("drifted_trigger", actor: current_user, reason: "Fix drift", confirmation: "EXECUTE TRIGGER_RE_EXECUTE")
-
-# Execute SQL capsules
-capsule = PgSqlTriggers::SQL::Capsule.new(
-  name: "emergency_fix",
-  environment: "production",
-  purpose: "Fix critical data issue",
-  sql: "UPDATE users SET status = 'active' WHERE id = 123"
-)
-PgSqlTriggers::SQL::Executor.execute(capsule, actor: current_user, confirmation: "EXECUTE SQL")
 ```
 
 See the [API Reference](docs/api-reference.md) for complete documentation of all console APIs.
@@ -164,7 +161,7 @@ For working examples and complete demonstrations, check out the [example reposit
 - **Rails-native**: Works seamlessly with Rails conventions
 - **Explicit over magic**: No automatic execution
 - **Safe by default**: Requires explicit confirmation for destructive actions
-- **Power with guardrails**: Emergency SQL escape hatches with safety checks
+- **Code review first**: Generator produces files into working tree; no server-side file writes
 
 ## Development
 

data/app/models/pg_sql_triggers/trigger_registry.rb

@@ -247,7 +247,6 @@ module PgSqlTriggers
       # Execute DROP TRIGGER in transaction
       ActiveRecord::Base.transaction do
         drop_trigger_from_database
-        trigger_name
         destroy!
         log_drop_success
         log_audit_success(:trigger_drop, actor, reason: reason, confirmation_text: confirmation,
@@ -286,7 +285,6 @@ module PgSqlTriggers
 
       # Validate reason is provided
       raise ArgumentError, "Reason is required" if reason.nil? || reason.to_s.strip.empty?
-      raise StandardError, "Cannot re-execute: missing function_body" if function_body.blank?
 
       log_re_execute_attempt(reason)
 
@@ -322,7 +320,8 @@ module PgSqlTriggers
         version,
         function_body || "",
         condition || "",
-        timing || "before"
+        timing || "before",
+        for_each || "row"
       ].join)
     end
 
@@ -394,7 +393,10 @@ module PgSqlTriggers
     end
 
     def recreate_trigger
-      ActiveRecord::Base.connection.execute(function_body)
+      sql = function_body.presence || build_trigger_sql_from_definition
+      raise StandardError, "Cannot re-execute: missing function_body" if sql.blank?
+
+      ActiveRecord::Base.connection.execute(sql)
       if defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
         Rails.logger.info "[TRIGGER_RE_EXECUTE] Re-created trigger"
       end
@@ -405,8 +407,41 @@ module PgSqlTriggers
       raise
     end
 
+    # Build a CREATE TRIGGER SQL statement from the stored DSL definition JSON.
+    # Used by re_execute! when function_body is absent (the normal case for DSL triggers).
+    def build_trigger_sql_from_definition
+      return nil if definition.blank?
+
+      defn = JSON.parse(definition)
+      fn_name = defn["function_name"]
+      return nil if fn_name.blank?
+
+      t_name      = table_name
+      timing_kw   = (defn["timing"] || timing || "BEFORE").upcase
+      events      = Array(defn["events"]).map { |e| e.to_s.upcase }.join(" OR ")
+      events      = "INSERT" if events.blank?
+      cond        = defn["condition"] || condition
+      for_each_kw = (defn["for_each"] || for_each || "row").upcase
+
+      sql = "CREATE TRIGGER #{quote_identifier(trigger_name)} "
+      sql += "#{timing_kw} #{events} ON #{quote_identifier(t_name)} "
+      sql += "FOR EACH #{for_each_kw} "
+      sql += "WHEN (#{cond}) " if cond.present?
+      sql += "EXECUTE FUNCTION #{fn_name}();"
+      sql
+    rescue JSON::ParserError
+      nil
+    end
+
     def update_registry_after_re_execute
-      update!(enabled: true, last_executed_at: Time.current)
+      update!(last_executed_at: Time.current)
+      if !enabled && ActiveRecord::Base.connection.table_exists?(table_name)
+        quoted_table   = quote_identifier(table_name)
+        quoted_trigger = quote_identifier(trigger_name)
+        ActiveRecord::Base.connection.execute(
+          "ALTER TABLE #{quoted_table} DISABLE TRIGGER #{quoted_trigger};"
+        )
+      end
       Rails.logger.info "[TRIGGER_RE_EXECUTE] Updated registry" if defined?(Rails.logger)
     end
 
@@ -419,7 +454,8 @@ module PgSqlTriggers
         table_name: table_name,
         source: source,
         environment: environment,
-        installed_at: installed_at&.iso8601
+        installed_at: installed_at&.iso8601,
+        function_body: function_body
       }
     end
 

data/app/views/layouts/pg_sql_triggers/application.html.erb

@@ -18,7 +18,6 @@
       <div>
         <%= link_to "Dashboard", root_path, style: "color: white; margin-right: 1rem;" %>
         <%= link_to "Tables", tables_path, style: "color: white; margin-right: 1rem;" %>
-        <%= link_to "Generator", new_generator_path, style: "color: white; margin-right: 1rem;" %>
         <%= link_to "Audit Log", audit_logs_path, style: "color: white;" %>
       </div>
     </div>

data/app/views/pg_sql_triggers/dashboard/index.html.erb

@@ -2,9 +2,6 @@
   <h2 style="margin: 0;">Trigger Dashboard</h2>
   <div style="display: flex; gap: 1rem;">
     <%= link_to "View Tables", tables_path, class: "btn btn-primary", style: "font-size: 1rem; padding: 0.75rem 1.5rem; text-decoration: none;" %>
-    <%= link_to "Generate New Trigger", new_generator_path,
-        class: "btn btn-success",
-        style: "font-size: 1rem; padding: 0.75rem 1.5rem; text-decoration: none;" %>
   </div>
 </div>
 
@@ -129,7 +126,7 @@
   <div style="background: #e7f3ff; border-left: 4px solid #007bff; padding: 1.5rem; border-radius: 4px;">
     <h3 style="margin-top: 0;">No triggers yet</h3>
     <p style="margin-bottom: 1rem;">Get started by generating your first trigger using the form-based wizard.</p>
-    <%= link_to "Generate New Trigger", new_generator_path, class: "btn btn-primary" %>
+    <%= link_to "View Tables", tables_path, class: "btn btn-primary" %>
   </div>
 <% end %>
 

data/app/views/pg_sql_triggers/tables/index.html.erb

@@ -1,6 +1,5 @@
 <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 2rem;">
   <h2 style="margin: 0;">Database Tables & Triggers</h2>
-  <%= link_to "Generate New Trigger", new_generator_path, class: "btn btn-success" %>
 </div>
 
 <!-- Statistics -->
@@ -113,7 +112,6 @@
             </td>
             <td>
               <%= link_to "View Details", table_path(table[:table_name]), class: "btn btn-primary", style: "padding: 0.25rem 0.5rem; font-size: 0.875rem;" %>
-              <%= link_to "Create Trigger", new_generator_path(pg_sql_triggers_generator_form: { table_name: table[:table_name] }), class: "btn btn-success", style: "padding: 0.25rem 0.5rem; font-size: 0.875rem; margin-top: 0.25rem; display: block;" %>
             </td>
           </tr>
         <% end %>
@@ -170,7 +168,6 @@
       <% end %>
     </p>
     <% if @filter == 'with_triggers' || @filter == 'all' %>
-      <%= link_to "Generate New Trigger", new_generator_path, class: "btn btn-primary" %>
-    <% end %>
+      <% end %>
   </div>
 <% end %>

data/app/views/pg_sql_triggers/tables/show.html.erb

@@ -1,7 +1,6 @@
 <div style="margin-bottom: 2rem;">
   <h2>Table: <%= @table_info[:table_name] %></h2>
   <%= link_to "← Back to Tables", tables_path, class: "btn", style: "background: #6c757d; color: white; text-decoration: none; margin-right: 1rem;" %>
-  <%= link_to "Create Trigger for this Table", new_generator_path(pg_sql_triggers_generator_form: { table_name: @table_info[:table_name] }), class: "btn btn-success" %>
 </div>
 
 <!-- Table Information -->
@@ -138,7 +137,6 @@
   <% else %>
     <div style="background: #e7f3ff; border-left: 4px solid #007bff; padding: 1rem; border-radius: 4px;">
       <p style="margin: 0;">No registered triggers for this table.</p>
-      <%= link_to "Create a trigger", new_generator_path(pg_sql_triggers_generator_form: { table_name: @table_info[:table_name] }), class: "btn btn-primary", style: "margin-top: 0.5rem;" %>
     </div>
   <% end %>
 </div>

data/config/routes.rb

@@ -7,20 +7,6 @@ begin
 
     resources :tables, only: %i[index show]
 
-    resources :generator, only: %i[new create] do
-      collection do
-        post :preview
-        post :validate_table
-        get :tables
-      end
-    end
-
-    resources :sql_capsules, only: %i[new create show] do
-      member do
-        post :execute
-      end
-    end
-
     resources :migrations, only: [] do
       collection do
         post :up

data/db/migrate/20260228000001_add_for_each_to_pg_sql_triggers_registry.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddForEachToPgSqlTriggersRegistry < ActiveRecord::Migration[6.1]
+  def change
+    add_column :pg_sql_triggers_registry, :for_each, :string, default: "row", null: false
+    add_index :pg_sql_triggers_registry, :for_each
+  end
+end

data/docs/api-reference.md

@@ -11,6 +11,8 @@ Complete reference for using PgSqlTriggers programmatically from the Rails conso
 - [TriggerRegistry Model](#triggerregistry-model)
 - [Audit Log API](#audit-log-api)
 
+> **Removed in 1.4.0**: `SQL::Capsule` and `SQL::Executor` have been removed. See [CHANGELOG](../CHANGELOG.md) for details.
+
 ## Registry API
 
 The Registry API provides methods for inspecting and managing triggers.
@@ -485,124 +487,6 @@ end
 
 **Returns**: Result of the block
 
-## SQL Capsule API
-
-The SQL Capsule API provides emergency SQL execution capabilities with safety checks.
-
-### `PgSqlTriggers::SQL::Capsule.new(name:, environment:, purpose:, sql:, created_at: nil)`
-
-Creates a new SQL capsule for emergency operations.
-
-```ruby
-capsule = PgSqlTriggers::SQL::Capsule.new(
-  name: "fix_user_permissions",
-  environment: "production",
-  purpose: "Emergency fix for user permission issue after deployment",
-  sql: "UPDATE users SET role = 'admin' WHERE email = 'admin@example.com';"
-)
-```
-
-**Parameters**:
-- `name` (String): Unique name for the capsule (alphanumeric, underscores, hyphens only)
-- `environment` (String): Target environment (e.g., "production", "staging")
-- `purpose` (String): Description of what the capsule does and why (required for audit trail)
-- `sql` (String): The SQL statement(s) to execute
-- `created_at` (Time, optional): Creation timestamp (defaults to current time)
-
-**Raises**: `ArgumentError` if validation fails
-
-### `capsule.checksum`
-
-Returns the SHA256 checksum of the SQL content.
-
-```ruby
-capsule = PgSqlTriggers::SQL::Capsule.new(name: "fix", ...)
-puts capsule.checksum
-# => "a3f5b8c9d2e..."
-```
-
-**Returns**: String (SHA256 hash)
-
-### `capsule.to_h`
-
-Converts the capsule to a hash for storage or serialization.
-
-```ruby
-capsule_data = capsule.to_h
-# => {
-#   name: "fix_user_permissions",
-#   environment: "production",
-#   purpose: "Emergency fix...",
-#   sql: "UPDATE users...",
-#   checksum: "a3f5b8c9d2e...",
-#   created_at: 2026-01-01 12:00:00 UTC
-# }
-```
-
-**Returns**: Hash
-
-## SQL Executor API
-
-The SQL Executor API handles safe execution of SQL capsules with comprehensive logging.
-
-### `PgSqlTriggers::SQL::Executor.execute(capsule, actor:, confirmation: nil, dry_run: false)`
-
-Executes a SQL capsule with safety checks and logging.
-
-```ruby
-capsule = PgSqlTriggers::SQL::Capsule.new(
-  name: "emergency_fix",
-  environment: "production",
-  purpose: "Fix critical data corruption",
-  sql: "UPDATE orders SET status = 'completed' WHERE id IN (123, 456);"
-)
-
-# Execute the capsule
-result = PgSqlTriggers::SQL::Executor.execute(
-  capsule,
-  actor: { type: "user", id: "admin@example.com" },
-  confirmation: "EXECUTE SQL"
-)
-
-if result[:success]
-  puts "SQL executed successfully"
-  puts "Rows affected: #{result[:data][:rows_affected]}"
-else
-  puts "Execution failed: #{result[:message]}"
-end
-```
-
-**Parameters**:
-- `capsule` (Capsule): The SQL capsule to execute
-- `actor` (Hash): Information about who is executing (Admin permission required)
-- `confirmation` (String, optional): Kill switch confirmation text
-- `dry_run` (Boolean): If true, validates without executing (default: false)
-
-**Returns**: Hash with `:success`, `:message`, and `:data` keys
-
-**Raises**: Permission and kill switch errors are returned in the result hash
-
-### `PgSqlTriggers::SQL::Executor.execute_capsule(capsule_name, actor:, confirmation: nil, dry_run: false)`
-
-Executes a previously stored SQL capsule by name from the registry.
-
-```ruby
-# Execute a capsule stored in the registry
-result = PgSqlTriggers::SQL::Executor.execute_capsule(
-  "emergency_fix",
-  actor: { type: "user", id: "admin@example.com" },
-  confirmation: "EXECUTE SQL"
-)
-```
-
-**Parameters**:
-- `capsule_name` (String): Name of the capsule in the registry
-- `actor` (Hash): Information about who is executing
-- `confirmation` (String, optional): Kill switch confirmation text
-- `dry_run` (Boolean): If true, validates without executing
-
-**Returns**: Hash with execution results
-
 ## DSL API
 
 The DSL API is used to define triggers in your application.
@@ -616,10 +500,10 @@ PgSqlTriggers::DSL.pg_sql_trigger "users_email_validation" do
   table :users
   on :insert, :update
   function :validate_user_email
-  version 1
-  enabled false
+  self.version = 1
+  self.enabled = true
   timing :before
-  when_env :production
+  for_each_row
 end
 ```
 
@@ -651,7 +535,7 @@ on :insert, :update, :delete
 ```
 
 **Parameters**:
-- `events` (Symbols): One or more of `:insert`, `:update`, `:delete`
+- `events` (Symbols): One or more of `:insert`, `:update`, `:delete`, `:truncate`
 
 #### `function(function_name)`
 
@@ -664,37 +548,48 @@ function :validate_user_email
 **Parameters**:
 - `function_name` (Symbol): Function name
 
-#### `version(number)`
+#### `self.version = number`
 
 Sets the trigger version.
 
 ```ruby
-version 1
-version 2
+self.version = 1  # Increment when trigger logic changes
+self.version = 2
 ```
 
 **Parameters**:
 - `number` (Integer): Version number
 
-#### `enabled(state)`
+#### `self.enabled = state`
 
-Sets the initial enabled state.
+Sets the initial enabled state. Defaults to `true`.
 
 ```ruby
-enabled true
-enabled false
+self.enabled = true   # Trigger is active (default)
+self.enabled = false  # Trigger is inactive
 ```
 
 **Parameters**:
 - `state` (Boolean): Initial state
 
+#### `for_each_row` / `for_each_statement`
+
+Specifies PostgreSQL execution granularity. Defaults to `for_each_row`.
+
+```ruby
+for_each_row       # FOR EACH ROW (default)
+for_each_statement # FOR EACH STATEMENT
+```
+
+Stored in the `for_each` column on the registry table and included in checksum calculation.
+
 #### `when_env(*environments)`
 
-Restricts trigger to specific environments.
+**Deprecated.** Restricts trigger to specific environments. Emits a deprecation warning on every call and will be removed in a future major version. Use application-level configuration to gate trigger behaviour by environment instead.
 
 ```ruby
-when_env :production
-when_env :production, :staging
+when_env :production           # Deprecated — avoid in new code
+when_env :production, :staging # Deprecated — avoid in new code
 ```
 
 **Parameters**:
@@ -712,8 +607,6 @@ timing :after   # Trigger fires after constraint checks
 **Parameters**:
 - `timing_value` (Symbol or String): Either `:before` or `:after`
 
-**Returns**: Current timing value if called without argument
-
 ## TriggerRegistry Model
 
 The `TriggerRegistry` ActiveRecord model represents a trigger in the registry.
@@ -728,12 +621,13 @@ trigger.table_name         # => "users"
 trigger.function_name      # => "validate_user_email"
 trigger.events             # => ["insert", "update"]
 trigger.version            # => 1
-trigger.enabled             # => false
-trigger.timing              # => "before" or "after"
-trigger.environments        # => ["production"]
-trigger.condition           # => "NEW.status = 'active'" or nil
-trigger.created_at          # => 2023-12-15 12:00:00 UTC
-trigger.updated_at          # => 2023-12-15 12:00:00 UTC
+trigger.enabled            # => true
+trigger.timing             # => "before" or "after"
+trigger.for_each           # => "row" or "statement"
+trigger.environments       # => [] (when_env is deprecated)
+trigger.condition          # => "NEW.status = 'active'" or nil
+trigger.created_at         # => 2023-12-15 12:00:00 UTC
+trigger.updated_at         # => 2023-12-15 12:00:00 UTC
 ```
 
 ### Instance Methods
@@ -816,7 +710,7 @@ trigger.re_execute!(
 - `confirmation` (String, optional): Kill switch confirmation text
 - `actor` (Hash, optional): Information about who is performing the operation
 
-**Raises**: `ArgumentError` if reason is blank or function_body is missing, `PgSqlTriggers::KillSwitchError`, `StandardError`
+**Raises**: `ArgumentError` if reason is blank, `PgSqlTriggers::KillSwitchError`, `StandardError`
 
 **Returns**: `true` on success
 
@@ -904,10 +798,6 @@ triggers = PgSqlTriggers::Registry.list
 puts "Total triggers: #{triggers.count}"
 
 # 4. Check for drift
-drift = PgSqlTriggers::Registry.diff
-puts "Drifted triggers: #{drift[:drifted].count}"
-
-# Alternative: Use dedicated query methods
 drifted = PgSqlTriggers::Registry.drifted
 in_sync = PgSqlTriggers::Registry.in_sync
 unknown = PgSqlTriggers::Registry.unknown_triggers
@@ -955,16 +845,16 @@ end
 ### Inspection and Reporting
 
 ```ruby
-# Generate a drift report
-drift = PgSqlTriggers::Registry.diff
-
+# Generate a drift report using dedicated query methods
 puts "=== Drift Report ==="
-puts "In Sync: #{drift[:in_sync].count}"
-puts "Drifted: #{drift[:drifted].count}"
+puts "In Sync: #{PgSqlTriggers::Registry.in_sync.count}"
+puts "Drifted: #{PgSqlTriggers::Registry.drifted.count}"
+puts "Dropped: #{PgSqlTriggers::Registry.dropped.count}"
+puts "Unknown: #{PgSqlTriggers::Registry.unknown_triggers.count}"
+
+# Or get the full categorised hash
+drift = PgSqlTriggers::Registry.diff
 puts "Manual Override: #{drift[:manual_override].count}"
-puts "Disabled: #{drift[:disabled].count}"
-puts "Dropped: #{drift[:dropped].count}"
-puts "Unknown: #{drift[:unknown].count}"
 
 # List all triggers with details
 triggers = PgSqlTriggers::Registry.list
@@ -976,6 +866,7 @@ triggers.each do |trigger|
   puts "  Function: #{trigger.function_name}"
   puts "  Events: #{trigger.events.join(', ')}"
   puts "  Timing: #{trigger.timing}"
+  puts "  For Each: #{trigger.for_each}"
   puts "  Version: #{trigger.version}"
   puts "  Enabled: #{trigger.enabled}"
   puts "  Drift: #{trigger.drift_status}"

data/docs/configuration.md

@@ -50,6 +50,25 @@ config.default_environment = -> {
 config.default_environment = -> { 'production' }
 ```
 
+### `db_schema`
+
+The PostgreSQL schema in which triggers are managed. All system catalog queries use this value. Override when your triggers live in a non-`public` schema.
+
+- **Type**: String
+- **Default**: `"public"`
+
+```ruby
+config.db_schema = "public"  # default
+
+# Use a custom schema
+config.db_schema = "app"
+```
+
+You can also set this at runtime:
+```ruby
+PgSqlTriggers.db_schema = "app"
+```
+
 ### `mount_path`
 
 Customize where the web UI is mounted (configured in routes, not initializer).
@@ -192,6 +211,8 @@ Custom authorization logic for the web UI and API.
 - **Returns**: Boolean
 - **Default**: `->(_actor, _action, _environment) { true }`
 
+> **Important**: If `permission_checker` is `nil` (not configured) and the app boots in **production**, the engine emits a `Rails.logger.warn` at startup. Configure a real checker before deploying to production.
+
 ```ruby
 # Default: allow all (development only!)
 config.permission_checker = ->(_actor, _action, _environment) { true }
@@ -210,9 +231,9 @@ config.permission_checker = ->(actor, action, environment) {
   case action
   when :view_triggers, :view_diffs
     user.present? # Viewer level
-  when :enable_trigger, :disable_trigger, :apply_trigger, :generate_trigger, :test_trigger, :dry_run_sql
+  when :enable_trigger, :disable_trigger, :apply_trigger, :test_trigger
     user.operator? || user.admin? # Operator level
-  when :drop_trigger, :execute_sql, :override_drift
+  when :drop_trigger, :override_drift
     user.admin? # Admin level
   else
     false
@@ -287,7 +308,7 @@ The permission checker should handle three levels:
 #### `:admin`
 - All `:operate` permissions
 - Drop triggers
-- Execute SQL capsules
+- Override drift
 - Modify registry directly
 
 ## Environment Detection