@cicore/cli 1.0.0

package/dist/commands/db/promote-silo.js

@@ -0,0 +1,930 @@
+/**
+ * CiCore CLI — `ci db promote-silo` (F5 / Faz 6).
+ *
+ * 9-step orchestrator that promotes a pool-tier brand to a dedicated silo DB.
+ * LOCKED spec: docs/planning/2026-06-01-faz6-promote-silo.md.
+ *
+ * Mustafa LOCK'ları (mimari sözleşme — bypass YASAK):
+ *   K1 — COPY pipe + FK-aware sıralama (parents→children) veya post-load
+ *        constraints VALIDATE. FK ihlali = sessiz kayıp.
+ *   K2 — Otomatik tablo discovery + child FK kapsama. Manifest üretilir +
+ *        --confirm-manifest gate (insan-gözden-geçirme; CI'da --yes ile bypass).
+ *   K3 — Pool RLS bypass (superuser) AMA her COPY EXPLICIT `WHERE brand_id=:b`.
+ *        Kapalı RLS'e güvenme; her COPY filtre TAŞIR.
+ *        + Anti-sızıntı assertion (Step 7): silo'da brand_id != :b satır = 0.
+ *   K4 — Per-step idempotent guard; cp_provisioning_jobs.steps jsonb resumable.
+ *        Mevcut provision-agent çatısını REUSE et.
+ *
+ * INVARIANT (zorunlu):
+ *   INV-1 — Cutover (Step 8) YALNIZ Step 7 verify YEŞİL ise. Pool-filtered
+ *           row-count + checksum eşitliği; geçmezse cutover YOK.
+ *   INV-2 — Promote başarılı olsa bile pool verisi SİLİNMEZ. Cleanup ayrı
+ *           job (Faz 6.1, 14 gün retention). Geri-dönülebilir.
+ *
+ * Bu komut iki şapkada koşar:
+ *   1) Standalone: `ci db promote-silo --brand <slug> --host <alias>` —
+ *      operator debug + apply dry-run + ilk tatbikat.
+ *   2) Agent dispatch: `ci agent run` `db_promote_silo` job tipini gördüğünde
+ *      bu komut spawn edilir (mevcut spawn pattern; agent index.ts dispatch).
+ *
+ * Bu turun KAPSAM DIŞI: gerçek child-FK discovery + COPY pipe data-plane
+ * implementation. v1 skeleton: validate → discovery (brand_id kolonu olan
+ * tablolar + FK child genişletme) → silo CREATE + schema clone → manifest
+ * jsonb logging → verify gate iskeleti + INV-1/INV-2 guard. Gerçek data
+ * migrate adımları Faz 6 apply tatbikatı sırasında refinement görür (mkt
+ * sentinel brand test ile).
+ */
+import { log } from '../../lib/logger.js';
+import { getHostConfig } from '../../lib/hosts.js';
+import { dbSelectJson, dbExec } from '../../lib/ops/db.js';
+import { runRemoteScript } from '../../lib/ops/ssh.js';
+import { invalidateBrandStatus } from '../../lib/ops/redis.js';
+import { isDryRun } from '../../lib/config.js';
+const CONTROL_DB = 'vucore_control';
+const SLUG_RE = /^[a-z][a-z0-9_-]{1,62}$/;
+const STEP_COUNT = 9;
+const RETENTION_DAYS_DEFAULT = 14;
+// ─────────────────────────────────────────────────────────────────────────
+// Public API — komut tanımı
+// ─────────────────────────────────────────────────────────────────────────
+export function registerPromoteSilo(db) {
+    db.command('promote-silo')
+        .description('Promote a pool-tier brand to a dedicated silo DB (9-step orchestrator; idempotent + resumable)')
+        .requiredOption('--brand <slug>', 'Brand slug to promote')
+        .option('-h, --host <host>', 'Host alias (cicore | mkt)')
+        .option('--job-id <uuid>', 'Existing cp_provisioning_jobs id (resume); else a new ad-hoc run')
+        .option('--confirm-manifest', 'Skip the human-review pause on Step 2 (CI/agent mode)', false)
+        .option('--dry-run', 'Plan only — Step 1+2 (validate + discovery), no DDL/DML', false)
+        .action(async (opts) => {
+        const cfg = resolveHost(opts.host);
+        if (!SLUG_RE.test(opts.brand)) {
+            log.error(`Invalid --brand slug '${opts.brand}'.`);
+            process.exit(1);
+        }
+        const ctx = {
+            cfg,
+            brand: opts.brand,
+            jobId: opts.jobId ?? null,
+            confirmManifest: opts.confirmManifest === true,
+            dryRun: opts.dryRun === true || isDryRun(), // collision-robust (Part B)
+            steps: blankSteps(STEP_COUNT),
+        };
+        const ok = await runOrchestrator(ctx);
+        process.exit(ok ? 0 : 1);
+    });
+}
+export async function runOrchestrator(ctx) {
+    log.info(`[promote-silo] brand=${ctx.brand} host=${ctx.cfg.alias} dry-run=${ctx.dryRun}`);
+    try {
+        // STEP 1 — VALIDATE
+        const brand = await step(ctx, 0, 'validate', () => doValidate(ctx));
+        // STEP 2 — DISCOVERY (brand-scoped manifest + reference tables, INV-4)
+        const pool = await fetchPoolDb(ctx);
+        const discovery = await step(ctx, 1, 'discovery', () => doDiscovery(ctx, brand, pool));
+        if (ctx.dryRun) {
+            log.success('[promote-silo] dry-run complete: validate + discovery only');
+            log.info(`  manifest: ${discovery.tables.length} brand-scoped table(s)`);
+            discovery.tables.forEach(t => log.info(`    · ${t.schema}.${t.table} (via=${t.via})`));
+            log.info(`  references: ${discovery.references.length} global table(s) (INV-4 full-copy)`);
+            discovery.references.forEach(r => log.info(`    · ${r.schema}.${r.table}`));
+            return true;
+        }
+        // STEP 3 — PROVISION SILO DB
+        const silo = await step(ctx, 2, 'provision_silo', () => doProvisionSilo(ctx, brand));
+        // STEP 4 — SCHEMA MIGRATE
+        await step(ctx, 3, 'schema_migrate', () => doSchemaMigrate(ctx, pool, silo));
+        // STEP 5 — MARK MIGRATING
+        await step(ctx, 4, 'mark_migrating', () => doMarkMigrating(ctx, brand));
+        // STEP 6 — DATA MIGRATE (a) reference full-copy, (b) brand-scoped manifest
+        await step(ctx, 5, 'data_migrate', () => doDataMigrate(ctx, brand, discovery.tables, discovery.references, pool, silo));
+        // STEP 7 — VERIFY (INV-1 cutover + INV-4 FK orphan + anti-sızıntı)
+        await step(ctx, 6, 'verify', () => doVerify(ctx, brand, discovery.tables, discovery.references, pool, silo));
+        // STEP 8 — REGISTRY FLIP (atomic single-txn)
+        await step(ctx, 7, 'registry_flip', () => doRegistryFlip(ctx, brand, silo));
+        // STEP 9 — CACHE INVALIDATE + AUDIT END
+        await step(ctx, 8, 'cache_invalidate', () => doCacheInvalidate(ctx, brand));
+        log.success(`[promote-silo] ✅ success — brand '${ctx.brand}' promoted to silo (pool intact; INV-2)`);
+        return true;
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        log.error(`[promote-silo] ❌ failed at step ${currentStepIndex(ctx) + 1}: ${msg}`);
+        await persistSteps(ctx, 'failed', msg);
+        return false;
+    }
+}
+/** Generic per-step wrapper: idempotent guard + state log + audit. */
+export async function step(ctx, idx, name, body) {
+    if (ctx.steps[idx].status === 'completed') {
+        log.info(`[step ${idx + 1}/${STEP_COUNT}] ${name} — already completed, skip (resume)`);
+        return (ctx.steps[idx].detail ?? {});
+    }
+    ctx.steps[idx].status = 'running';
+    ctx.steps[idx].startedAt = new Date().toISOString();
+    await persistSteps(ctx, 'running', null);
+    log.info(`[step ${idx + 1}/${STEP_COUNT}] ${name} — start`);
+    try {
+        const out = await body();
+        ctx.steps[idx].status = 'completed';
+        ctx.steps[idx].finishedAt = new Date().toISOString();
+        ctx.steps[idx].detail = sanitizeForJson(out);
+        await persistSteps(ctx, 'running', null);
+        log.success(`[step ${idx + 1}/${STEP_COUNT}] ${name} — done`);
+        return out;
+    }
+    catch (err) {
+        ctx.steps[idx].status = 'failed';
+        ctx.steps[idx].error = err instanceof Error ? err.message : String(err);
+        ctx.steps[idx].finishedAt = new Date().toISOString();
+        throw err;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────
+// Step bodies — minimal but invariant-correct
+// ─────────────────────────────────────────────────────────────────────────
+/** Step 1 — VALIDATE: brand var + tier=pool + sentinel değil + en az 1 satır. */
+export async function doValidate(ctx) {
+    const rows = await dbSelectJson(ctx.cfg, CONTROL_DB, `SELECT id::text, slug, db_tier, is_default::text, status, placement_region
+       FROM cp_brands WHERE slug='${sqlLit(ctx.brand)}' LIMIT 1`);
+    if (rows.length === 0)
+        throw new Error(`brand '${ctx.brand}' not found in cp_brands`);
+    const b = rows[0];
+    if (b.db_tier === 'silo')
+        throw new Error(`brand '${ctx.brand}' is already silo (idempotent no-op)`);
+    if (b.db_tier !== 'pool')
+        throw new Error(`brand '${ctx.brand}' has unexpected tier '${b.db_tier}'`);
+    if (b.is_default === 't' || b.is_default === true || b.is_default === 'true') {
+        throw new Error(`brand '${ctx.brand}' is_default=true — sentinel brand cannot be promoted`);
+    }
+    return b;
+}
+/**
+ * Step 2 — DISCOVERY: tablo manifest üretimi (GERÇEK, K2 tamlık).
+ *
+ * Akış:
+ *   1. `direct[]` — public şemada `brand_id` kolonu olan tablolar.
+ *   2. `fkEdges[]` — pg_catalog'tan TÜM single-column FK ilişkileri
+ *      (child.fk_col → parent.pk_col). Composite FK'lar (nadir; addon
+ *      tarafından nadiren) — sadece ilk kolon kullanılır + uyarı logla.
+ *   3. **BFS closure** — direct tablolardan başlayıp FK arc'larıyla
+ *      ulaşılabilen tüm child tabloları depth-tagged topla. brand-reachable
+ *      hiçbir tablo sessizce atlanmaz (Mustafa K2 tamlık zorunluluğu).
+ *   4. **Predicate composition** — her tablo için WHERE fragment'i üret:
+ *        direct → `brand_id = '<uuid>'`
+ *        fk     → `<fk_col> IN (SELECT <parent_pk> FROM <parent> WHERE <parent_predicate>)`
+ *      Recursive: çok-seviyeli FK'lar nested SUBQUERY ile zincirlenir.
+ *   5. **Topological sort** — `depth` artan sırada (parents → children).
+ *      İki yönlü cycle (FK cycle, postgres'te ON DELETE CASCADE arası nadir)
+ *      → cycle hatası fırlat (operator manuel müdahalesi).
+ *
+ * `--confirm-manifest` flag yoksa manifest dökümü + DUR (insan-gözden-geçirme).
+ * CI/agent mode (panel enqueue) flag'i her zaman geçer.
+ */
+export async function doDiscovery(ctx, brand, pool) {
+    // 1. brand_id kolonu olan tablolar (direct entry'ler).
+    const directRows = await dbSelectJson(ctx.cfg, pool.db_name, `SELECT table_schema, table_name FROM information_schema.columns
+      WHERE column_name='brand_id' AND table_schema='public'
+      ORDER BY table_schema, table_name`);
+    if (directRows.length === 0) {
+        log.warn(`[discovery] no 'brand_id' columns in pool DB '${pool.db_name}' — manifest will be empty`);
+    }
+    // 2. FK ilişkileri (single-column; composite uyarı + ilk col kullan).
+    const fkRows = await dbSelectJson(ctx.cfg, pool.db_name, `SELECT
+        nc.nspname             AS child_schema,
+        cc.relname             AS child_table,
+        ca.attname             AS child_column,
+        np.nspname             AS parent_schema,
+        pc.relname             AS parent_table,
+        pa.attname             AS parent_column,
+        array_length(c.conkey, 1) AS col_count
+       FROM pg_constraint c
+       JOIN pg_class cc      ON cc.oid = c.conrelid
+       JOIN pg_namespace nc  ON nc.oid = cc.relnamespace
+       JOIN pg_class pc      ON pc.oid = c.confrelid
+       JOIN pg_namespace np  ON np.oid = pc.relnamespace
+       JOIN pg_attribute ca  ON ca.attrelid = c.conrelid  AND ca.attnum = c.conkey[1]
+       JOIN pg_attribute pa  ON pa.attrelid = c.confrelid AND pa.attnum = c.confkey[1]
+      WHERE c.contype = 'f' AND nc.nspname = 'public' AND np.nspname = 'public'
+      ORDER BY child_schema, child_table, child_column`);
+    // Composite FK uyarısı (ilk col kullanılır; production'da composite path lazım).
+    for (const fk of fkRows) {
+        if (Number(fk.col_count) > 1) {
+            log.warn(`[discovery] composite FK ignored beyond first column: ${fk.child_schema}.${fk.child_table}(${fk.child_column}) → ${fk.parent_schema}.${fk.parent_table}(${fk.parent_column}) — col_count=${fk.col_count}`);
+        }
+    }
+    // 3. BFS closure — direct'ten başla, FK arc'larıyla yayıl.
+    const brandIdLit = sqlLit(brand.id);
+    const entries = new Map(); // tableKey → entry
+    for (const r of directRows) {
+        const key = `${r.table_schema}.${r.table_name}`;
+        entries.set(key, {
+            schema: r.table_schema,
+            table: r.table_name,
+            via: 'direct',
+            fkPath: [],
+            predicate: `brand_id = '${brandIdLit}'`,
+            depth: 0,
+        });
+    }
+    // Adjacency: parent → list of (child + fk_col + parent_pk)
+    const childrenOf = new Map();
+    for (const fk of fkRows) {
+        const parent = `${fk.parent_schema}.${fk.parent_table}`;
+        const child = `${fk.child_schema}.${fk.child_table}`;
+        if (parent === child)
+            continue; // self-FK loop: ignore
+        if (!childrenOf.has(parent))
+            childrenOf.set(parent, []);
+        childrenOf.get(parent).push({ child, childCol: fk.child_column, parentCol: fk.parent_column });
+    }
+    // BFS queue: parent entries from direct + their newly-discovered children.
+    const queue = [...entries.keys()];
+    let safety = 0;
+    while (queue.length > 0) {
+        if (++safety > 2000)
+            throw new Error('[discovery] BFS safety break (>2000 iterations) — possible FK cycle');
+        const parentKey = queue.shift();
+        const parentEntry = entries.get(parentKey);
+        if (!parentEntry)
+            continue;
+        const children = childrenOf.get(parentKey) ?? [];
+        for (const c of children) {
+            if (entries.has(c.child))
+                continue; // zaten ekli (direct veya başka path)
+            // Predicate: child <fk_col> IN (SELECT <parent_pk> FROM <parent> WHERE <parent_predicate>)
+            const predicate = `${quoteIdent(c.childCol)} IN ` +
+                `(SELECT ${quoteIdent(c.parentCol)} FROM ${quoteQualified(parentKey)} WHERE ${parentEntry.predicate})`;
+            const [schema, table] = c.child.split('.');
+            entries.set(c.child, {
+                schema, table,
+                via: 'fk',
+                fkPath: [parentKey, ...parentEntry.fkPath],
+                predicate,
+                depth: parentEntry.depth + 1,
+            });
+            queue.push(c.child);
+        }
+    }
+    // 4. Topological sort: depth asc, sonra schema.table asc (deterministik).
+    const manifest = Array.from(entries.values()).sort((a, b) => {
+        if (a.depth !== b.depth)
+            return a.depth - b.depth;
+        const ka = `${a.schema}.${a.table}`;
+        const kb = `${b.schema}.${b.table}`;
+        return ka < kb ? -1 : ka > kb ? 1 : 0;
+    });
+    const directCount = manifest.filter(t => t.via === 'direct').length;
+    const fkCount = manifest.filter(t => t.via === 'fk').length;
+    log.info(`[discovery] manifest: ${manifest.length} table(s) — ${directCount} direct + ${fkCount} fk (closure)`);
+    manifest.forEach(t => {
+        const tail = t.via === 'fk' ? ` parent_chain=${t.fkPath.join('→')}` : '';
+        log.info(`  · [depth=${t.depth}] ${t.schema}.${t.table} (via=${t.via})${tail}`);
+        log.debug(`      predicate: WHERE ${t.predicate}`);
+    });
+    // 5. INV-4 — Reference tabloları tespit (TRANSITİF fixpoint).
+    //
+    // Önceki tek-geçişli yaklaşım çok-seviyeli zincirde eksik kalıyordu:
+    //   brand → cities → countries → continents
+    // 'cities' yakalanırdı (closure → cities), ama 'countries'/'continents'
+    // YAKALANMAZDI — 'cities' closure'a dahil değil, FK out-edge'i taranmıyordu.
+    // Sonuç: silo'da 'cities' satırları 'countries'a dangling FK; orphan-check
+    // yakalardı (fail-safe) ama meşru migration'ı bloklardı.
+    //
+    // Çözüm: 'kapsanan küme' = closure ∪ keşfedilmiş reference'lar. Yeni FK
+    // edge'in child'ı kapsanan kümede AMA parent kapsanan kümede DEĞİLse →
+    // yeni reference. Worklist boşalana dek tekrarla (fixpoint). Safety guard
+    // ile cycle break.
+    const closureKeys = new Set(manifest.map(t => `${t.schema}.${t.table}`));
+    const refMap = new Map();
+    const covered = new Set(closureKeys);
+    const worklist = [];
+    let safetyRef = 0;
+    const considerEdge = (childKey, parentSchema, parentTable) => {
+        const parentKey = `${parentSchema}.${parentTable}`;
+        if (childKey === parentKey)
+            return; // self-FK
+        if (covered.has(parentKey))
+            return; // zaten kapsanmış
+        if (!covered.has(childKey))
+            return; // child kapsanmamış → henüz alakalı değil
+        const existing = refMap.get(parentKey);
+        if (existing) {
+            if (!existing.referrers.includes(childKey))
+                existing.referrers.push(childKey);
+            return;
+        }
+        refMap.set(parentKey, {
+            schema: parentSchema,
+            table: parentTable,
+            referrers: [childKey],
+        });
+        covered.add(parentKey);
+        worklist.push(parentKey);
+    };
+    // Tur 1 — closure'un out-FK edge'lerini tara.
+    for (const fk of fkRows) {
+        considerEdge(`${fk.child_schema}.${fk.child_table}`, fk.parent_schema, fk.parent_table);
+    }
+    // Fixpoint — her yeni reference'ın kendi out-FK'larını da değerlendir.
+    while (worklist.length > 0) {
+        if (++safetyRef > 2000) {
+            throw new Error('[discovery] reference fixpoint safety break (>2000 iter) — possible FK cycle in references');
+        }
+        const newRefKey = worklist.shift();
+        for (const fk of fkRows) {
+            const childKey = `${fk.child_schema}.${fk.child_table}`;
+            if (childKey !== newRefKey)
+                continue;
+            considerEdge(childKey, fk.parent_schema, fk.parent_table);
+        }
+    }
+    // 6. Reference'lar arası FK varsa: parents-first topological sort
+    //    (örn. continents → countries → cities sırası). Aksi takdirde
+    //    session_replication_role=replica fallback'i tutar ama temiz sıra
+    //    cycle-safe yükleme için tercih.
+    const references = topoSortReferences(Array.from(refMap.values()), fkRows);
+    if (references.length > 0) {
+        log.info(`[discovery] reference tables (INV-4 full-copy, transitive closure): ${references.length}`);
+        references.forEach(r => log.info(`  · ${r.schema}.${r.table} (referred by: ${r.referrers.join(', ')})`));
+    }
+    else {
+        log.info('[discovery] no out-of-closure FK references (no global reference tables)');
+    }
+    if (!ctx.confirmManifest) {
+        throw new Error('manifest review required — re-run with --confirm-manifest after operator review (K2 + INV-4)');
+    }
+    return { tables: manifest, references };
+}
+/**
+ * Reference tabloları arası FK varsa: parents-first topological sort.
+ * Kahn's algoritması. Cycle → throw (operator manuel müdahalesi; nadir).
+ * Stable: in-degree 0 küme alfabetik sırayla pop'lanır.
+ */
+export function topoSortReferences(refs, fkRows) {
+    if (refs.length <= 1)
+        return refs.slice();
+    // Explicit `string` generic — template literal type ('${string}.${string}')
+    // inference'ı kapat; aşağıdaki Map<string, ...> kullanımları narrow tipte
+    // takılmasın.
+    const refKeys = new Set(refs.map(r => `${r.schema}.${r.table}`));
+    const byKey = new Map(refs.map(r => [`${r.schema}.${r.table}`, r]));
+    // child→parent edge: child reference, in-degree of child artar.
+    const inDeg = new Map();
+    const children = new Map(); // parentKey → [childKey...]
+    for (const k of refKeys)
+        inDeg.set(k, 0);
+    for (const fk of fkRows) {
+        const childKey = `${fk.child_schema}.${fk.child_table}`;
+        const parentKey = `${fk.parent_schema}.${fk.parent_table}`;
+        if (childKey === parentKey)
+            continue;
+        if (!refKeys.has(childKey) || !refKeys.has(parentKey))
+            continue;
+        inDeg.set(childKey, (inDeg.get(childKey) ?? 0) + 1);
+        if (!children.has(parentKey))
+            children.set(parentKey, []);
+        if (!children.get(parentKey).includes(childKey))
+            children.get(parentKey).push(childKey);
+    }
+    // Kahn's: in-degree 0 kümesini stable (alfabetik) tut.
+    const ready = [];
+    for (const [k, d] of inDeg)
+        if (d === 0)
+            ready.push(k);
+    ready.sort();
+    const sorted = [];
+    let safety = 0;
+    while (ready.length > 0) {
+        if (++safety > refs.length + 100) {
+            throw new Error('[discovery] reference topo sort safety break — possible FK cycle in references');
+        }
+        const k = ready.shift();
+        sorted.push(byKey.get(k));
+        for (const c of children.get(k) ?? []) {
+            const d = (inDeg.get(c) ?? 0) - 1;
+            inDeg.set(c, d);
+            if (d === 0) {
+                // Stable insert (sıralı kalsın).
+                const idx = ready.findIndex(x => x > c);
+                if (idx === -1)
+                    ready.push(c);
+                else
+                    ready.splice(idx, 0, c);
+            }
+        }
+    }
+    if (sorted.length !== refs.length) {
+        throw new Error(`[discovery] reference topo sort incomplete (${sorted.length}/${refs.length}); FK cycle among references`);
+    }
+    return sorted;
+}
+/** Postgres identifier'ı çift tırnağa al (reserved keyword + case-sensitive korumalı). */
+export function quoteIdent(name) {
+    return '"' + name.replace(/"/g, '""') + '"';
+}
+/** "schema.table" → "schema"."table" */
+export function quoteQualified(qualified) {
+    const [schema, table] = qualified.split('.');
+    return `${quoteIdent(schema)}.${quoteIdent(table)}`;
+}
+/** Step 3 — PROVISION SILO DB (idempotent: var ise atla). */
+export async function doProvisionSilo(ctx, brand) {
+    const hash = shortHash(brand.id);
+    const coreSlug = (ctx.cfg.brandName || 'core').toLowerCase().replace(/[^a-z0-9]/g, '');
+    const dbName = `db_${coreSlug}_${brand.slug.replace(/-/g, '_')}_${hash}`;
+    const dbUser = `${dbName}_user`;
+    // İdempotent: zaten varsa create skip.
+    const exists = await dbSelectJson(ctx.cfg, 'postgres', `SELECT '1' AS exists FROM pg_database WHERE datname='${sqlLit(dbName)}'`);
+    if (exists.length === 0) {
+        const pg = ctx.cfg.dbContainerName;
+        const admin = ctx.cfg.dbAdminUser;
+        const script = `set -euo pipefail\n` +
+            `docker exec ${pg} psql -U ${admin} -h 127.0.0.1 -d postgres -v ON_ERROR_STOP=1 <<SQL\n` +
+            `CREATE DATABASE ${dbName};\n` +
+            `DO \\$\\$ BEGIN\n` +
+            `  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname='${dbUser}') THEN\n` +
+            `    CREATE ROLE ${dbUser} LOGIN;\n` +
+            `  END IF;\n` +
+            `END \\$\\$;\n` +
+            `GRANT ALL PRIVILEGES ON DATABASE ${dbName} TO ${dbUser};\n` +
+            `SQL\n`;
+        const res = await runRemoteScript(ctx.cfg, script, { silent: true });
+        if (!res.success)
+            throw new Error(`silo provision failed: ${res.stderr.trim() || res.stdout.trim()}`);
+    }
+    else {
+        log.info(`[provision] silo DB '${dbName}' already exists — skip create (idempotent)`);
+    }
+    // Şu an pool DB host/port'unu paylaşıyor (cluster aynı); M2.2'de relocation.
+    const pool = await fetchPoolDb(ctx);
+    return { db_host: pool.db_host, db_port: pool.db_port, db_name: dbName, db_user: dbUser };
+}
+/** Step 4 — SCHEMA MIGRATE: pool schema-only dump → silo restore. İdempotent. */
+export async function doSchemaMigrate(ctx, pool, silo) {
+    // İdempotent guard: silo'da herhangi bir tablo varsa atla.
+    const siloTables = await dbSelectJson(ctx.cfg, silo.db_name, `SELECT count(*)::text AS n FROM information_schema.tables WHERE table_schema='public'`);
+    if (siloTables.length > 0 && Number.parseInt(siloTables[0].n, 10) > 0) {
+        log.info(`[schema] silo '${silo.db_name}' already has ${siloTables[0].n} tables — skip (resume)`);
+        return { ok: true };
+    }
+    const pg = ctx.cfg.dbContainerName;
+    const admin = ctx.cfg.dbAdminUser;
+    const script = `set -euo pipefail\n` +
+        `docker exec ${pg} pg_dump -U ${admin} -h 127.0.0.1 -d ${pool.db_name} --schema-only --no-owner --no-acl \\\n` +
+        `  | docker exec -i ${pg} psql -U ${admin} -h 127.0.0.1 -d ${silo.db_name} -v ON_ERROR_STOP=1\n`;
+    const res = await runRemoteScript(ctx.cfg, script, { silent: true });
+    if (!res.success)
+        throw new Error(`schema migrate failed: ${res.stderr.trim() || res.stdout.trim()}`);
+    return { ok: true };
+}
+/** Step 5 — MARK MIGRATING: cp_brands.status='migrating' (UI uyarısı). */
+export async function doMarkMigrating(ctx, brand) {
+    await dbExec(ctx.cfg, CONTROL_DB, `UPDATE cp_brands SET status='migrating', updated_at=now()
+      WHERE id='${brand.id}' AND status != 'migrating'`);
+    await invalidateBrandStatus(ctx.cfg, brand.id); // F1: freeze anlık cross-worker
+    return { status: 'migrating' };
+}
+/**
+ * Step 6 — DATA MIGRATE (GERÇEK COPY pipe).
+ *
+ * Mustafa kilitleri:
+ *   K1 — FK koruması: per-table COPY pipe iki tarafta da
+ *        `SET session_replication_role = replica` ile çalışır
+ *        (trigger + FK constraint suspend; PostgreSQL replication
+ *        pattern'i, "data restore için güvenli"). Topolojik manifest
+ *        sırası (parents→children) zaten doğru sırayı sağlıyor; replica
+ *        mode "belt + suspenders" — composite veya cycle gibi nadir
+ *        senaryolarda sessiz FK hatasını imkansızlaştırır.
+ *   K3 — Sızıntı koruması: her COPY pool tarafı SELECT'inde manifest'in
+ *        ürettiği EXPLICIT predicate'i taşır (kapalı RLS'e güvenme;
+ *        statik discovery garantisi).
+ *
+ * İdempotency / resumability:
+ *   - silo_count == pool_predicate_count → atla (resume).
+ *   - silo_count == 0 → TRUNCATE skip, doğrudan COPY.
+ *   - 0 < silo_count != pool_predicate_count → partial copy: TRUNCATE
+ *     RESTART IDENTITY (silo yeni DB; CASCADE değil, downstream entry'ler
+ *     manifest sırasında zaten ele alınacak) + COPY.
+ *
+ * Subprocess seçimi (Mustafa "sen seç + gerekçesini doc'a yaz"):
+ *   psql subprocess pipe seçildi. Gerekçe: (a) mevcut altyapı CLI→SSH→
+ *   docker exec; Node↔postgres direct connection mevcut değil (VPN ardı,
+ *   credentials .env'de host-side). (b) pg-copy-streams ek Node bağımlı;
+ *   credential + connection lifecycle managemnt overhead. (c) psql streaming
+ *   pipe production-tested pattern (pg_dump | psql; pgBackRest internal).
+ *   (d) Tek bağımlılık: docker + psql (zaten kurulu). (e) Hata yönetimi:
+ *   pipefail + ON_ERROR_STOP=1 + exit code; stderr parse.
+ *
+ * Format: TEXT (default). BINARY daha hızlı ama type compatibility +
+ * version sensitivity riski; sentinel tatbikatı sonrası BINARY'ye geçiş
+ * düşünülebilir.
+ */
+export async function doDataMigrate(ctx, brand, manifest, references, pool, silo) {
+    let migrated = 0;
+    let skipped = 0;
+    let rowsTotal = 0;
+    let refsCopied = 0;
+    let refsRows = 0;
+    // (a) INV-4 — Reference tabloları FİLTRESİZ tam-kopya (parents önce).
+    // Brand-scoped pipe'tan ÖNCE çalışır; dangling FK önler. v1 default
+    // full-copy (operator manifest review'da görür); fail-loud alternatifi
+    // M3'te per-table override.
+    for (const r of references) {
+        const label = `${r.schema}.${r.table}`;
+        const poolCount = await countWhere(ctx, pool.db_name, r.schema, r.table, '1=1');
+        const siloCount = await countWhere(ctx, silo.db_name, r.schema, r.table, '1=1');
+        if (poolCount === siloCount && siloCount > 0) {
+            log.info(`  [ref:skip ] ${label} — silo_count=${siloCount} matches pool (idempotent)`);
+            refsCopied++; // already at desired state — sayıma dahil
+            refsRows += siloCount;
+            continue;
+        }
+        if (poolCount === 0 && siloCount === 0) {
+            log.info(`  [ref:empty] ${label} — both sides 0, no-op`);
+            continue;
+        }
+        if (siloCount > 0 && siloCount !== poolCount) {
+            log.warn(`  [ref:reset] ${label} — partial copy (silo=${siloCount} pool=${poolCount}); TRUNCATE + full-copy`);
+            await truncateTable(ctx, silo.db_name, r.schema, r.table);
+        }
+        if (poolCount > 100_000) {
+            log.warn(`  [ref:warn ] ${label} — large reference table (${poolCount} rows); full-copy will take time`);
+        }
+        log.info(`  [ref:copy ] ${label} — ${poolCount} row(s) (referrers: ${r.referrers.join(', ')})`);
+        // Filtresiz tam-kopya: pseudo-entry yarat (predicate = 'true').
+        const refEntry = {
+            schema: r.schema, table: r.table, via: 'direct', fkPath: [],
+            predicate: 'true', depth: -1,
+        };
+        await copyTableWithPredicate(ctx, pool.db_name, silo.db_name, refEntry);
+        const after = await countWhere(ctx, silo.db_name, r.schema, r.table, '1=1');
+        if (after !== poolCount) {
+            log.warn(`  [ref:warn ] ${label} post-copy silo=${after} != pool=${poolCount} (Step 7 verify will block cutover)`);
+        }
+        refsCopied++;
+        refsRows += after;
+    }
+    if (references.length > 0) {
+        log.info(`[data-migrate] references: copied=${refsCopied}/${references.length} rows=${refsRows}`);
+    }
+    // (b) Brand-scoped manifest — topological sırada COPY pipe.
+    if (manifest.length === 0) {
+        log.info('[data-migrate] brand-scoped manifest empty — nothing further to copy');
+        return { migrated, skipped, rows: rowsTotal, refsCopied, refsRows };
+    }
+    for (const t of manifest) {
+        const tableLabel = `${t.schema}.${t.table}`;
+        const poolCount = await countWithPredicate(ctx, pool.db_name, t);
+        const siloCount = await countWhere(ctx, silo.db_name, t.schema, t.table, '1=1');
+        if (poolCount === siloCount && siloCount > 0) {
+            log.info(`  [skip ] ${tableLabel} — silo_count=${siloCount} matches pool_predicate_count (idempotent)`);
+            skipped++;
+            rowsTotal += siloCount;
+            continue;
+        }
+        if (poolCount === 0 && siloCount === 0) {
+            log.info(`  [empty] ${tableLabel} — no rows match predicate, no-op`);
+            skipped++;
+            continue;
+        }
+        if (siloCount > 0 && siloCount !== poolCount) {
+            log.warn(`  [reset] ${tableLabel} — partial copy detected (silo=${siloCount} pool=${poolCount}); TRUNCATE + COPY`);
+            await truncateTable(ctx, silo.db_name, t.schema, t.table);
+        }
+        log.info(`  [copy ] ${tableLabel} — ${poolCount} row(s) via=${t.via} depth=${t.depth}`);
+        await copyTableWithPredicate(ctx, pool.db_name, silo.db_name, t);
+        const after = await countWhere(ctx, silo.db_name, t.schema, t.table, '1=1');
+        if (after !== poolCount) {
+            // INV-1 ön-uyarı; gerçek cutover gate Step 7. Burada throw etmiyoruz —
+            // Step 7 verify görsün diye veriyi sayım uyuşmazlığıyla bırak; Mustafa
+            // INV-1 sözleşmesi cutover gate'in TEK yer olduğunu söyler.
+            log.warn(`  [warn ] ${tableLabel} post-copy silo=${after} != pool=${poolCount} (Step 7 verify will block cutover)`);
+        }
+        migrated++;
+        rowsTotal += after;
+    }
+    log.info(`[data-migrate] brand: migrated=${migrated} skipped=${skipped} rows=${rowsTotal}`);
+    return { migrated, skipped, rows: rowsTotal, refsCopied, refsRows };
+}
+/** Helper — pool tarafında `count(*) WHERE <entry.predicate>`. */
+export async function countWithPredicate(ctx, dbName, t) {
+    const rows = await dbSelectJson(ctx.cfg, dbName, `SELECT count(*)::text AS n FROM ${quoteQualified(`${t.schema}.${t.table}`)} WHERE ${t.predicate}`);
+    return rows.length ? Number.parseInt(rows[0].n, 10) : 0;
+}
+/** Helper — `count(*) WHERE <where>` (silo tarafında `1=1` veya brand_id!=X). */
+export async function countWhere(ctx, dbName, schema, table, where) {
+    const rows = await dbSelectJson(ctx.cfg, dbName, `SELECT count(*)::text AS n FROM ${quoteQualified(`${schema}.${table}`)} WHERE ${where}`);
+    return rows.length ? Number.parseInt(rows[0].n, 10) : 0;
+}
+/** Helper — silo'da partial copy artığı varsa temizle. */
+export async function truncateTable(ctx, dbName, schema, table) {
+    // RESTART IDENTITY — sequence'i sıfırla. CASCADE değil; manifest'in
+    // sıralaması child'ları zaten ayrı entry olarak işliyor.
+    await dbExec(ctx.cfg, dbName, `TRUNCATE TABLE ${quoteQualified(`${schema}.${table}`)} RESTART IDENTITY`);
+}
+/**
+ * Helper — pool'dan silo'ya bir tablonun WHERE-filtreli verisini COPY pipe ile
+ * taşı. psql subprocess pipe: pool TO STDOUT | silo FROM STDIN. session_
+ * replication_role=replica iki tarafta da (FK + trigger bypass).
+ */
+export async function copyTableWithPredicate(ctx, poolDb, siloDb, t) {
+    const pg = ctx.cfg.dbContainerName;
+    const admin = ctx.cfg.dbAdminUser;
+    const qTable = quoteQualified(`${t.schema}.${t.table}`);
+    // Pool SELECT (read source). Predicate fragment'i quoteIdent'lenmiş.
+    const selectSql = `SET session_replication_role = replica; ` +
+        `COPY (SELECT * FROM ${qTable} WHERE ${t.predicate}) TO STDOUT`;
+    // Silo INSERT (write target). Aynı session-level setting.
+    const insertSql = `SET session_replication_role = replica; ` +
+        `COPY ${qTable} FROM STDIN`;
+    // Bash pipe — set -o pipefail, ON_ERROR_STOP=1; psql çıkışları stderr'e
+    // yazarsa hata yakalanır. SSH üzerinden docker exec ile koşar.
+    const script = `set -euo pipefail\n` +
+        `docker exec -i ${pg} bash -lc ` +
+        `'set -o pipefail && ` +
+        `  psql -U ${admin} -h 127.0.0.1 -d ${poolDb} -v ON_ERROR_STOP=1 --quiet --tuples-only -c ` +
+        sshSqlArg(selectSql) +
+        `  | psql -U ${admin} -h 127.0.0.1 -d ${siloDb} -v ON_ERROR_STOP=1 --quiet --tuples-only -c ` +
+        sshSqlArg(insertSql) +
+        `'\n`;
+    const res = await runRemoteScript(ctx.cfg, script, { silent: true });
+    if (!res.success) {
+        throw new Error(`COPY ${t.schema}.${t.table} failed: ${(res.stderr || res.stdout).trim().slice(0, 500)}`);
+    }
+}
+/**
+ * SQL string'ini docker exec bash -lc içinde tek-tırnak literal olarak güvenli
+ * geç. Bash double-quote escape değil — outer single-quote içinde inner
+ * single-quote'lara `'\''` ile çıkış yapıyoruz; tüm shq() pattern'iyle aynı.
+ */
+export function sshSqlArg(sql) {
+    // Outer 'bash -lc' SCRIPT'i kendisi single quote içinde (script'i
+    // SSH'a heredoc-değil-arg geçirmemize bağlı değil — runRemoteScript heredoc).
+    // İçeride psql -c "<SQL>" double-quote'u kullanıyoruz; SQL içindeki "
+    // ler escape edilir.
+    const escaped = sql.replace(/"/g, '\\"');
+    return `"${escaped}"`;
+}
+/**
+ * Step 7 — VERIFY (GERÇEK INV-1 cutover gate + K3 anti-sızıntı).
+ *
+ * Üç gate, her tablo için:
+ *   1. **COUNT eşitliği** (ZORUNLU): pool WHERE predicate == silo WHERE 1=1.
+ *   2. **CHECKSUM** (ölçeklenebilir): per-row md5 → string_agg ORDER BY pk →
+ *      outer md5. PK yoksa checksum atlanır (uyarı + count-only fallback);
+ *      sentinel tatbikatlı tablo şemalarında her tablonun PK'sı olmalı.
+ *      Pragmatik MD5 seçimi: tek SELECT'le çalışır, postgres 9+; bit_xor
+ *      modern (postgres 14+) ama version uyumluluğu için MD5 + string_agg
+ *      seçildi. Büyük tablo (>~1M satır) → string_agg server-side bellek
+ *      mertebesi MB; sentinel için sorun değil. Gerçek müşteri büyük
+ *      tablolarda bit_xor opt M3.
+ *   3. **Anti-sızıntı** (K3, direct entry'lerde): silo WHERE brand_id != :b
+ *      == 0. fk-only tablolarda brand_id yok → bu gate'i atla (parent
+ *      predicate zaten sızıntıyı engelliyor).
+ *
+ * Herhangi biri FAIL → THROW (Step 8 atomic flip ÇALIŞMAZ; INV-1 koruması).
+ * Pool intakt (INV-2); silo forensic için kalır (operator inceleyip
+ * Faz 6.2 rollback ile temiz geri alabilir veya manuel fix).
+ */
+export async function doVerify(ctx, brand, manifest, references, pool, silo) {
+    let mismatches = 0;
+    let leakage = 0;
+    let checksumsSkipped = 0;
+    let orphans = 0;
+    for (const t of manifest) {
+        const label = `${t.schema}.${t.table}`;
+        // Gate 1: count eşitliği.
+        const poolCount = await countWithPredicate(ctx, pool.db_name, t);
+        const siloCount = await countWhere(ctx, silo.db_name, t.schema, t.table, '1=1');
+        if (poolCount !== siloCount) {
+            log.error(`  [count]  ${label} — pool_predicate=${poolCount} silo=${siloCount} MISMATCH`);
+            mismatches++;
+            continue; // checksum/leak fail-fast, atla
+        }
+        log.info(`  [count]  ${label} — ${poolCount} ✓`);
+        // Gate 2: checksum (PK varsa).
+        const pkCols = await fetchPrimaryKeyColumns(ctx, pool.db_name, t.schema, t.table);
+        if (pkCols.length === 0) {
+            log.warn(`  [chk  ]  ${label} — no PK; checksum SKIPPED (count-only)`);
+            checksumsSkipped++;
+        }
+        else {
+            const orderBy = pkCols.map(quoteIdent).join(', ');
+            const poolHash = await tableChecksum(ctx, pool.db_name, t.schema, t.table, t.predicate, orderBy);
+            const siloHash = await tableChecksum(ctx, silo.db_name, t.schema, t.table, '1=1', orderBy);
+            if (poolHash !== siloHash) {
+                log.error(`  [chk  ]  ${label} — pool_md5=${poolHash} silo_md5=${siloHash} MISMATCH`);
+                mismatches++;
+                continue;
+            }
+            log.info(`  [chk  ]  ${label} — md5=${poolHash} ✓`);
+        }
+        // Gate 3: anti-sızıntı (sadece direct — brand_id kolonu olan tablolar).
+        if (t.via === 'direct') {
+            const leak = await countWhere(ctx, silo.db_name, t.schema, t.table, `brand_id != '${sqlLit(brand.id)}'`);
+            if (leak > 0) {
+                log.error(`  [leak ]  ${label} — silo has ${leak} row(s) with brand_id != ${brand.id} (K3 ihlali)`);
+                leakage += leak;
+            }
+            else {
+                log.info(`  [leak ]  ${label} — anti-leakage 0 ✓`);
+            }
+        }
+    }
+    // Gate 4 (INV-4): FK orphan check — referential integrity post-migration.
+    // Brand-scoped manifest'in tüm FK'leri ve reference tablolarını referans
+    // edenler için silo'da dangling = 0 olmalı. Dangling > 0 → cutover YOK.
+    if (manifest.length > 0) {
+        const orphanCount = await checkFkOrphans(ctx, silo.db_name, manifest);
+        orphans = orphanCount;
+        if (orphanCount > 0) {
+            log.error(`[verify] FK-orphan check: ${orphanCount} dangling row(s) in silo (INV-4 ihlali)`);
+        }
+        else {
+            log.info(`[verify] FK-orphan check: 0 dangling rows ✓`);
+        }
+    }
+    log.info(`[verify] gate result: brand_tables=${manifest.length} refs=${references.length} ` +
+        `mismatches=${mismatches} leakage=${leakage} ` +
+        `checksums_skipped=${checksumsSkipped} fk_orphans=${orphans}`);
+    if (mismatches > 0 || leakage > 0 || orphans > 0) {
+        throw new Error(`INV-1 cutover gate FAIL — mismatches=${mismatches} leakage=${leakage} orphans=${orphans}; ` +
+            `pool intact (INV-2); silo retained for forensic`);
+    }
+    return { tables: manifest.length, mismatches, leakage, checksumsSkipped, orphans };
+}
+/**
+ * Silo'da FK dangling sayısı (INV-4).
+ *
+ * Akış: brand-scoped tabloların TÜM single-column FK'leri için
+ *   SELECT count(*) FROM <child> WHERE <fk_col> IS NOT NULL
+ *     AND NOT EXISTS (SELECT 1 FROM <parent> WHERE <pk> = <child>.<fk_col>)
+ * Reference tablolarını da kapsar (zaten silo'da olmaları gerek; eğer
+ * eksiksizse orphan = 0). Parent'ın silo'da varlığı şart değil — eğer
+ * yoksa NOT EXISTS true döner ve orphan artar.
+ *
+ * Composite FK'lar Step 2'de zaten ilk kolonla logged-warning + indirgendi;
+ * bu FK orphan check de ilk kolonu kontrol eder.
+ */
+export async function checkFkOrphans(ctx, dbName, manifest) {
+    // Manifest'teki tabloların FK out-edge'lerini topla.
+    const manifestKeys = new Set(manifest.map(t => `${t.schema}.${t.table}`));
+    const fkRows = await dbSelectJson(ctx.cfg, dbName, `SELECT
+        nc.nspname             AS child_schema,
+        cc.relname             AS child_table,
+        ca.attname             AS child_column,
+        np.nspname             AS parent_schema,
+        pc.relname             AS parent_table,
+        pa.attname             AS parent_column,
+        array_length(c.conkey, 1) AS col_count
+       FROM pg_constraint c
+       JOIN pg_class cc      ON cc.oid = c.conrelid
+       JOIN pg_namespace nc  ON nc.oid = cc.relnamespace
+       JOIN pg_class pc      ON pc.oid = c.confrelid
+       JOIN pg_namespace np  ON np.oid = pc.relnamespace
+       JOIN pg_attribute ca  ON ca.attrelid = c.conrelid  AND ca.attnum = c.conkey[1]
+       JOIN pg_attribute pa  ON pa.attrelid = c.confrelid AND pa.attnum = c.confkey[1]
+      WHERE c.contype = 'f' AND nc.nspname = 'public'`);
+    let totalOrphans = 0;
+    for (const fk of fkRows) {
+        const childKey = `${fk.child_schema}.${fk.child_table}`;
+        if (!manifestKeys.has(childKey))
+            continue; // sadece brand-scoped tabloların FK'leri
+        const qChild = quoteQualified(childKey);
+        const qParent = quoteQualified(`${fk.parent_schema}.${fk.parent_table}`);
+        const qFk = quoteIdent(fk.child_column);
+        const qPk = quoteIdent(fk.parent_column);
+        const sql = `SELECT count(*)::text AS n FROM ${qChild} c ` +
+            `WHERE c.${qFk} IS NOT NULL ` +
+            `AND NOT EXISTS (SELECT 1 FROM ${qParent} p WHERE p.${qPk} = c.${qFk})`;
+        const rows = await dbSelectJson(ctx.cfg, dbName, sql);
+        const orphans = rows.length ? Number.parseInt(rows[0].n, 10) : 0;
+        if (orphans > 0) {
+            log.error(`  [fk   ] ${childKey}.${fk.child_column} → ${fk.parent_schema}.${fk.parent_table}.${fk.parent_column}: ` +
+                `${orphans} orphan(s) (INV-4)`);
+            totalOrphans += orphans;
+        }
+    }
+    return totalOrphans;
+}
+/**
+ * Tabloda WHERE-filtreli md5 checksum hesapla.
+ *   md5(coalesce(string_agg(md5(t::text), '' ORDER BY <pk>), ''))
+ * Sıralama: PK kolonları (deterministik). Empty result → empty-string md5
+ * (constant); pool == silo eşitliği boş tabloda da tutar.
+ */
+export async function tableChecksum(ctx, dbName, schema, table, where, orderBy) {
+    const q = quoteQualified(`${schema}.${table}`);
+    const sql = `SELECT md5(coalesce(string_agg(md5(t.*::text), '' ORDER BY ${orderBy}), '')) AS h ` +
+        `FROM ${q} t WHERE ${where}`;
+    const rows = await dbSelectJson(ctx.cfg, dbName, sql);
+    return rows.length ? rows[0].h : '';
+}
+/**
+ * Tablonun PK kolonlarını sırayla döndür. PK yoksa boş array.
+ * pg_index.indisprimary + pg_attribute join.
+ */
+export async function fetchPrimaryKeyColumns(ctx, dbName, schema, table) {
+    const qSchema = sqlLit(schema);
+    const qTable = sqlLit(table);
+    const rows = await dbSelectJson(ctx.cfg, dbName, `SELECT a.attname
+       FROM pg_index i
+       JOIN pg_attribute a ON a.attrelid = i.indrelid AND a.attnum = ANY(i.indkey)
+       JOIN pg_class c     ON c.oid = i.indrelid
+       JOIN pg_namespace n ON n.oid = c.relnamespace
+      WHERE i.indisprimary AND n.nspname = '${qSchema}' AND c.relname = '${qTable}'
+      ORDER BY array_position(i.indkey, a.attnum)`);
+    return rows.map(r => r.attname);
+}
+/**
+ * Step 8 — REGISTRY FLIP (atomic single-txn).
+ *
+ * Insert silo into cp_databases AND update cp_brands tier+data_db_name
+ * in ONE transaction. INV-2: pool data UNTOUCHED.
+ */
+export async function doRegistryFlip(ctx, brand, silo) {
+    const sql = `BEGIN;\n` +
+        `INSERT INTO cp_databases (owner_type, owner_id, db_kind, cluster_name, db_host, db_port, db_name, db_user, status, db_tier, placement_region)\n` +
+        `SELECT 'brand', '${brand.id}', 'dedicated', 'shared-1', '${sqlLit(silo.db_host)}', ${silo.db_port},\n` +
+        `       '${sqlLit(silo.db_name)}', '${sqlLit(silo.db_user)}', 'active', 'silo', ${brand.placement_region ? `'${sqlLit(brand.placement_region)}'` : 'NULL'}\n` +
+        ` WHERE NOT EXISTS (\n` +
+        `   SELECT 1 FROM cp_databases WHERE db_name='${sqlLit(silo.db_name)}' AND owner_type='brand' AND owner_id='${brand.id}'\n` +
+        ` );\n` +
+        `UPDATE cp_brands SET db_tier='silo', data_db_name='${sqlLit(silo.db_name)}', status='active', updated_at=now()\n` +
+        ` WHERE id='${brand.id}' AND db_tier='pool';\n` +
+        `COMMIT;\n`;
+    const res = await dbExec(ctx.cfg, CONTROL_DB, sql);
+    if (!res.success)
+        throw new Error(`registry flip failed: ${res.stderr.trim()}`);
+    return { silo_id: silo.db_name, tier: 'silo' };
+}
+/**
+ * Step 9 — CACHE INVALIDATE + AUDIT END.
+ *
+ * In-process cache invalidate (TenantDbResolver::invalidate) PHP-side; CLI
+ * burada yalnız cp_audit_log'a tamamlanma kaydı düşer + finished_at güncel.
+ * Multi-instance Redis pub/sub M3 perf milestone.
+ */
+export async function doCacheInvalidate(ctx, brand) {
+    await dbExec(ctx.cfg, CONTROL_DB, `INSERT INTO cp_audit_log (actor, action, target, after)
+     VALUES ('cli:promote-silo', 'promote_silo_completed', 'brand:${brand.id}',
+             '${sqlLit(JSON.stringify({ brand: ctx.brand, retention_days: RETENTION_DAYS_DEFAULT }))}'::jsonb)`);
+    return { logged: true };
+}
+// ─────────────────────────────────────────────────────────────────────────
+// Yardımcılar
+// ─────────────────────────────────────────────────────────────────────────
+export async function fetchPoolDb(ctx) {
+    const rows = await dbSelectJson(ctx.cfg, CONTROL_DB, `SELECT db_host, db_port, db_name, db_user
+       FROM cp_databases
+      WHERE owner_type='core' AND db_tier='pool' AND status='active'
+      LIMIT 1`);
+    if (rows.length === 0)
+        throw new Error('no active pool DB in cp_databases (owner=core, tier=pool)');
+    return rows[0];
+}
+export async function persistSteps(ctx, status, err) {
+    if (!ctx.jobId)
+        return; // ad-hoc run: skip; CI mode jobId zorunlu
+    const errSql = err === null ? 'NULL' : `'${sqlLit(err)}'`;
+    const stepsJson = JSON.stringify(ctx.steps);
+    await dbExec(ctx.cfg, CONTROL_DB, `UPDATE cp_provisioning_jobs SET status='${status}', steps='${sqlLit(stepsJson)}'::jsonb, error=${errSql}
+      WHERE id='${ctx.jobId}'`);
+}
+export function currentStepIndex(ctx) {
+    for (let i = 0; i < ctx.steps.length; i++) {
+        if (ctx.steps[i].status === 'running' || ctx.steps[i].status === 'failed')
+            return i;
+    }
+    return ctx.steps.findIndex(s => s.status === 'pending');
+}
+export function blankSteps(n) {
+    return Array.from({ length: n }, () => ({ status: 'pending' }));
+}
+export function shortHash(s) {
+    // Basit deterministik 6-char ID — collision riski apply yüzeyinde küçük.
+    let h = 0;
+    for (const ch of s)
+        h = ((h << 5) - h + ch.charCodeAt(0)) | 0;
+    return Math.abs(h).toString(16).padStart(6, '0').slice(0, 6);
+}
+export function sanitizeForJson(value) {
+    if (value === null || typeof value !== 'object')
+        return { value };
+    return value;
+}
+export function resolveHost(alias) {
+    if (alias === undefined) {
+        log.error('--host is required (cicore | mkt).');
+        process.exit(1);
+    }
+    try {
+        return getHostConfig(alias);
+    }
+    catch (err) {
+        log.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+}
+export function sqlLit(s) { return s.replace(/'/g, "''"); }
+//# sourceMappingURL=promote-silo.js.map