@percher/core 0.3.0 → 0.4.1

package/dist/commands/migrate-supabase.d.ts

@@ -0,0 +1,81 @@
+import { z } from "zod";
+import type { Context } from "../context";
+import { type AskUserRecovery, type NoneRecovery, type ToolRecovery } from "../recovery";
+/**
+ * FUTURE9 Phase A — Supabase schema introspection.
+ *
+ * Client-side only: the Supabase personal access token is a
+ * high-privilege credential (full project access). We never route
+ * it through Percher's servers — the call goes from the user's
+ * process directly to api.supabase.com. See decision 1 in
+ * docs/plans/FUTURE9_fas-8-lovable-migration-plan.md.
+ *
+ * This command performs no file writes; it returns a structured
+ * schema description for later phases (B–D) to build on, and so
+ * the user can sanity-check what would migrate before committing.
+ */
+export declare const inspectSupabaseInputSchema: z.ZodObject<{
+    projectRef: z.ZodString;
+    token: z.ZodString;
+}, z.core.$strip>;
+export type InspectSupabaseInput = z.infer<typeof inspectSupabaseInputSchema>;
+export interface SupabaseForeignKey {
+    table: string;
+    column: string;
+}
+export interface SupabaseColumn {
+    name: string;
+    postgresType: string;
+    isNullable: boolean;
+    hasDefault: boolean;
+    defaultExpr: string | null;
+    isPrimaryKey: boolean;
+    foreignKey: SupabaseForeignKey | null;
+}
+export interface SupabaseRlsPolicy {
+    name: string;
+    command: string;
+    usingExpr: string | null;
+    withCheckExpr: string | null;
+}
+export interface SupabaseTable {
+    schema: string;
+    name: string;
+    columns: SupabaseColumn[];
+    rlsPolicies: SupabaseRlsPolicy[];
+    estimatedRowCount: number;
+}
+export interface SupabaseStorageBucket {
+    id: string;
+    name: string;
+    public: boolean;
+}
+export type InspectSupabaseStatus = "ok" | "failed";
+export interface InspectSupabaseError {
+    code: "auth_failed" | "project_not_found" | "project_paused" | "query_timeout" | "network_error" | "unexpected_response";
+    title: string;
+    explanation: string;
+    suggestion: string;
+}
+export interface InspectSupabaseResult {
+    status: InspectSupabaseStatus;
+    projectRef: string;
+    tables: SupabaseTable[];
+    authUsersCount: number | null;
+    storageBuckets: SupabaseStorageBucket[];
+    warnings: string[];
+    error?: InspectSupabaseError;
+    recovery: ToolRecovery | NoneRecovery | AskUserRecovery;
+    summary: string;
+}
+export declare function inspectSupabase(ctx: Context, input: InspectSupabaseInput): Promise<InspectSupabaseResult>;
+/**
+ * Helper for downstream code (phases B–D) to filter tables to just the
+ * ones we'd migrate — i.e. nothing in a Supabase-managed system schema.
+ * Phase A returns these already filtered, but the predicate is exported
+ * so a caller can re-filter a result they've stored.
+ */
+export declare function isMigratableTable(table: {
+    schema: string;
+}): boolean;
+//# sourceMappingURL=migrate-supabase.d.ts.map

package/dist/commands/migrate-supabase.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrate-supabase.d.ts","sourceRoot":"","sources":["../../src/commands/migrate-supabase.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,YAAY,EAGjB,KAAK,YAAY,EAClB,MAAM,aAAa,CAAC;AAErB;;;;;;;;;;;;GAYG;AAEH,eAAO,MAAM,0BAA0B;;;iBAarC,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAY9E,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,EAAE,OAAO,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,cAAc,EAAE,CAAC;IAC1B,WAAW,EAAE,iBAAiB,EAAE,CAAC;IACjC,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG,QAAQ,CAAC;AAEpD,MAAM,WAAW,oBAAoB;IACnC,IAAI,EACA,aAAa,GACb,mBAAmB,GACnB,gBAAgB,GAChB,eAAe,GACf,eAAe,GACf,qBAAqB,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,qBAAqB,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,cAAc,EAAE,qBAAqB,EAAE,CAAC;IACxC,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,CAAC,EAAE,oBAAoB,CAAC;IAC7B,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,eAAe,CAAC;IACxD,OAAO,EAAE,MAAM,CAAC;CACjB;AA4JD,wBAAsB,eAAe,CACnC,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,oBAAoB,GAC1B,OAAO,CAAC,qBAAqB,CAAC,CAsLhC;AAyQD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAEpE"}

package/dist/commands/migrate-supabase.js

@@ -0,0 +1,579 @@
+import { z } from "zod";
+import { recoveryAsk, recoveryNone, } from "../recovery";
+/**
+ * FUTURE9 Phase A — Supabase schema introspection.
+ *
+ * Client-side only: the Supabase personal access token is a
+ * high-privilege credential (full project access). We never route
+ * it through Percher's servers — the call goes from the user's
+ * process directly to api.supabase.com. See decision 1 in
+ * docs/plans/FUTURE9_fas-8-lovable-migration-plan.md.
+ *
+ * This command performs no file writes; it returns a structured
+ * schema description for later phases (B–D) to build on, and so
+ * the user can sanity-check what would migrate before committing.
+ */
+export const inspectSupabaseInputSchema = z.object({
+    projectRef: z
+        .string()
+        .min(1, "projectRef is required")
+        .describe("Supabase project reference (the 20-char id from the project URL — e.g. `abcdefghijklmnopqrst`)."),
+    token: z
+        .string()
+        .min(1, "token is required")
+        .describe("Supabase personal access token (sbp_...). Never leaves the user's machine — sent directly to api.supabase.com, not via Percher."),
+});
+/**
+ * Production Supabase Management API host. Hardcoded — not overridable
+ * via the public input schema or CLI flags, because the input carries
+ * a high-privilege personal access token and the tool's contract
+ * promises the call goes only to api.supabase.com. Tests intercept
+ * fetch at the global level instead (they don't need to redirect to
+ * a different host to assert behavior — the mock catches every call).
+ */
+const SUPABASE_API_BASE_URL = "https://api.supabase.com";
+// User-schema reserved set — these are Supabase platform-managed
+// or Postgres internals we don't migrate. Mirror this in the SQL
+// WHERE clause; keep the TS list for downstream phases that need
+// to filter post-hoc.
+const SYSTEM_SCHEMAS = new Set([
+    "pg_catalog",
+    "information_schema",
+    "pgsodium",
+    "pgsodium_masks",
+    "vault",
+    "extensions",
+    "pgbouncer",
+    "realtime",
+    "_realtime",
+    "graphql",
+    "graphql_public",
+    "supabase_functions",
+    "supabase_migrations",
+    "auth",
+    "storage",
+    "net",
+]);
+const INTROSPECTION_SQL = `
+WITH
+  pks AS (
+    SELECT tc.table_schema, tc.table_name, kcu.column_name
+    FROM information_schema.table_constraints tc
+    JOIN information_schema.key_column_usage kcu
+      ON tc.constraint_name = kcu.constraint_name
+     AND tc.table_schema = kcu.table_schema
+    WHERE tc.constraint_type = 'PRIMARY KEY'
+  ),
+  fks AS (
+    SELECT tc.table_schema, tc.table_name, kcu.column_name,
+           ccu.table_name AS foreign_table,
+           ccu.column_name AS foreign_column
+    FROM information_schema.table_constraints tc
+    JOIN information_schema.key_column_usage kcu
+      ON tc.constraint_name = kcu.constraint_name
+     AND tc.table_schema = kcu.table_schema
+    JOIN information_schema.constraint_column_usage ccu
+      ON tc.constraint_name = ccu.constraint_name
+     AND tc.table_schema = ccu.table_schema
+    WHERE tc.constraint_type = 'FOREIGN KEY'
+  ),
+  cols AS (
+    SELECT
+      c.table_schema, c.table_name, c.column_name,
+      -- information_schema.columns reports array columns as data_type='ARRAY'
+      -- with the element type hidden in udt_name (prefixed with an
+      -- underscore — e.g. text[] → udt_name='_text'). Format here so the
+      -- result carries the user-friendly Postgres syntax (text[], int4[])
+      -- and so downstream type-mapping (Phase B) can pattern-match on the
+      -- ANSI shape rather than the catalog quirk.
+      CASE
+        WHEN c.data_type = 'ARRAY' THEN substr(c.udt_name, 2) || '[]'
+        ELSE c.data_type
+      END AS data_type,
+      c.is_nullable, c.column_default, c.ordinal_position,
+      (pk.column_name IS NOT NULL) AS is_primary_key,
+      CASE WHEN fk.foreign_table IS NOT NULL
+        THEN json_build_object('table', fk.foreign_table, 'column', fk.foreign_column)
+      END AS foreign_key
+    FROM information_schema.columns c
+    LEFT JOIN pks pk
+      ON c.table_schema = pk.table_schema
+     AND c.table_name = pk.table_name
+     AND c.column_name = pk.column_name
+    LEFT JOIN fks fk
+      ON c.table_schema = fk.table_schema
+     AND c.table_name = fk.table_name
+     AND c.column_name = fk.column_name
+    WHERE c.table_schema NOT IN (
+      'pg_catalog','information_schema','pgsodium','pgsodium_masks','vault',
+      'extensions','pgbouncer','realtime','_realtime','graphql','graphql_public',
+      'supabase_functions','supabase_migrations','auth','storage','net'
+    )
+  ),
+  tables_json AS (
+    SELECT
+      table_schema,
+      table_name,
+      json_agg(
+        json_build_object(
+          'name', column_name,
+          'postgresType', data_type,
+          'isNullable', is_nullable = 'YES',
+          'hasDefault', column_default IS NOT NULL,
+          'defaultExpr', column_default,
+          'isPrimaryKey', is_primary_key,
+          'foreignKey', foreign_key
+        ) ORDER BY ordinal_position
+      ) AS columns
+    FROM cols
+    GROUP BY table_schema, table_name
+  ),
+  policies AS (
+    SELECT schemaname AS table_schema, tablename AS table_name,
+           json_agg(json_build_object(
+             'name', policyname,
+             'command', cmd,
+             'usingExpr', qual,
+             'withCheckExpr', with_check
+           )) AS policies
+    FROM pg_policies
+    GROUP BY schemaname, tablename
+  ),
+  row_counts AS (
+    SELECT n.nspname AS table_schema, c.relname AS table_name,
+           GREATEST(c.reltuples, 0)::bigint AS estimated_row_count
+    FROM pg_class c
+    JOIN pg_namespace n ON n.oid = c.relnamespace
+    WHERE c.relkind = 'r'
+  ),
+  tables_full AS (
+    SELECT
+      t.table_schema,
+      t.table_name,
+      t.columns,
+      COALESCE(p.policies, '[]'::json) AS rls_policies,
+      COALESCE(r.estimated_row_count, 0) AS estimated_row_count
+    FROM tables_json t
+    LEFT JOIN policies p
+      ON t.table_schema = p.table_schema AND t.table_name = p.table_name
+    LEFT JOIN row_counts r
+      ON t.table_schema = r.table_schema AND t.table_name = r.table_name
+  )
+SELECT json_build_object(
+  'tables', COALESCE((
+    SELECT json_agg(json_build_object(
+      'schema', table_schema,
+      'name', table_name,
+      'columns', columns,
+      'rlsPolicies', rls_policies,
+      'estimatedRowCount', estimated_row_count
+    ) ORDER BY table_schema, table_name) FROM tables_full
+  ), '[]'::json),
+  'storageBuckets', COALESCE((
+    SELECT json_agg(json_build_object('id', id, 'name', name, 'public', public))
+    FROM storage.buckets
+  ), '[]'::json),
+  'authUsersCount', (SELECT count(*)::bigint FROM auth.users)
+) AS schema;
+`;
+export async function inspectSupabase(ctx, input) {
+    const url = `${SUPABASE_API_BASE_URL}/v1/projects/${encodeURIComponent(input.projectRef)}/database/query`;
+    ctx.status(`Inspecting Supabase project ${input.projectRef}...`);
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "POST",
+            headers: {
+                "content-type": "application/json",
+                authorization: `Bearer ${input.token}`,
+                accept: "application/json",
+            },
+            body: JSON.stringify({ query: INTROSPECTION_SQL }),
+        });
+    }
+    catch (err) {
+        return failure({
+            projectRef: input.projectRef,
+            code: "network_error",
+            title: "Couldn't reach Supabase",
+            explanation: `Network error contacting ${SUPABASE_API_BASE_URL}: ${err instanceof Error ? err.message : String(err)}.`,
+            suggestion: "Check your internet connection and try again.",
+            // No `retry` recovery: the SuggestedTool union doesn't yet include
+            // `percher_inspect_supabase`, and we don't want to round-trip the
+            // Supabase PAT through `recovery.args` (where it can land in logs
+            // and telemetry). Ask the user to rerun the command — they hold
+            // the token locally and can re-issue with no recovery-channel
+            // leak.
+            recovery: recoveryAsk({
+                prompt: `Couldn't reach Supabase. Check your connection and re-run \`bunx percher migrate-from-supabase --project ${input.projectRef} --token <token>\`.`,
+                reasonCode: "infra_transient",
+                retryable: true,
+            }),
+        });
+    }
+    if (response.status === 401 || response.status === 403) {
+        return failure({
+            projectRef: input.projectRef,
+            code: "auth_failed",
+            title: "Supabase token rejected",
+            explanation: "The Supabase personal access token was rejected (401/403). It may be expired, revoked, or lack the required project scope.",
+            suggestion: "Generate a fresh token at https://supabase.com/dashboard/account/tokens and pass it via --token.",
+            recovery: recoveryAsk({
+                prompt: "Your Supabase access token was rejected. Generate a new one at https://supabase.com/dashboard/account/tokens and re-run with --token <new-token>.",
+                reasonCode: "auth_required",
+            }),
+        });
+    }
+    if (response.status === 404) {
+        return failure({
+            projectRef: input.projectRef,
+            code: "project_not_found",
+            title: "Supabase project not found",
+            explanation: `Project ${input.projectRef} doesn't exist or the token doesn't have access to it.`,
+            suggestion: "Check the project ref on https://supabase.com/dashboard and confirm the token belongs to the same account.",
+            recovery: recoveryAsk({
+                prompt: `Supabase project "${input.projectRef}" was not found. Verify the project ref at https://supabase.com/dashboard and re-run with the correct --project.`,
+                reasonCode: "app_not_found",
+            }),
+        });
+    }
+    const rawBody = await safeReadText(response);
+    if (response.status === 408 || response.status === 504) {
+        return failure({
+            projectRef: input.projectRef,
+            code: "query_timeout",
+            title: "Schema query timed out",
+            explanation: "Supabase took too long to run the introspection query. This usually happens on very large databases.",
+            suggestion: "Re-run later, or contact Percher if it keeps timing out — we may need to chunk the introspection for huge schemas.",
+            // See network_error above for why this is ask_user not retry.
+            recovery: recoveryAsk({
+                prompt: `Supabase took too long to run the introspection query. Re-run \`bunx percher migrate-from-supabase --project ${input.projectRef} --token <token>\` in a moment, or open an issue if it keeps timing out.`,
+                reasonCode: "infra_transient",
+                retryable: true,
+            }),
+        });
+    }
+    if (response.status === 503) {
+        const body = parseJsonSafe(rawBody);
+        const message = extractErrorMessage(body) ?? "Supabase project is unavailable.";
+        if (looksLikePaused(message)) {
+            return failure({
+                projectRef: input.projectRef,
+                code: "project_paused",
+                title: "Supabase project is paused",
+                explanation: "Supabase auto-pauses inactive free-tier projects. Schema introspection can't run while the project is paused.",
+                suggestion: "Unpause the project from https://supabase.com/dashboard and retry once it's running.",
+                recovery: recoveryAsk({
+                    prompt: `Supabase project "${input.projectRef}" is paused. Unpause it at https://supabase.com/dashboard, wait until it's running, and re-run the same command.`,
+                    reasonCode: "infra_unavailable",
+                }),
+            });
+        }
+    }
+    if (!response.ok) {
+        return failure({
+            projectRef: input.projectRef,
+            code: "unexpected_response",
+            title: `Supabase returned ${response.status}`,
+            explanation: `Supabase Management API responded with HTTP ${response.status}: ${truncate(rawBody, 400)}`,
+            suggestion: "Inspect the response body above. If the issue is transient, retry; otherwise verify the token's scopes.",
+            recovery: recoveryAsk({
+                prompt: `Supabase Management API responded with HTTP ${response.status}. Inspect the message and decide whether to retry, switch tokens, or skip migration.`,
+                reasonCode: "unknown",
+            }),
+        });
+    }
+    const parsed = parseJsonSafe(rawBody);
+    const rows = extractRows(parsed);
+    if (!rows || rows.length === 0) {
+        return failure({
+            projectRef: input.projectRef,
+            code: "unexpected_response",
+            title: "Supabase returned an empty result",
+            explanation: "The Management API accepted the query but returned no rows. This is unexpected — the introspection query always returns at least one aggregate row.",
+            suggestion: "Re-run the command; if it persists, file an issue with the project ref.",
+            // See network_error above for why this is ask_user not retry.
+            recovery: recoveryAsk({
+                prompt: `Supabase returned an empty result for the schema query — unexpected. Re-run \`bunx percher migrate-from-supabase --project ${input.projectRef} --token <token>\`; if it persists, file an issue.`,
+                reasonCode: "infra_transient",
+                retryable: true,
+            }),
+        });
+    }
+    const schemaBlob = rows[0]?.schema;
+    if (!schemaBlob || typeof schemaBlob !== "object") {
+        return failure({
+            projectRef: input.projectRef,
+            code: "unexpected_response",
+            title: "Couldn't parse Supabase response",
+            explanation: `Expected a JSON object under \`schema\`; got: ${truncate(rawBody, 400)}.`,
+            suggestion: "Re-run; if it persists, file an issue with the response excerpt.",
+            recovery: recoveryAsk({
+                prompt: "Supabase returned a response the inspector couldn't parse. Try again, or open an issue with the response excerpt.",
+                reasonCode: "unknown",
+            }),
+        });
+    }
+    const tables = normalizeTables(schemaBlob.tables);
+    const storageBuckets = normalizeBuckets(schemaBlob.storageBuckets);
+    const authUsersCount = toFiniteNumber(schemaBlob.authUsersCount);
+    const warnings = collectWarnings(tables, storageBuckets, authUsersCount);
+    const summary = renderSummary({
+        projectRef: input.projectRef,
+        tables,
+        authUsersCount,
+        storageBuckets,
+        warnings,
+    });
+    return {
+        status: "ok",
+        projectRef: input.projectRef,
+        tables,
+        authUsersCount,
+        storageBuckets,
+        warnings,
+        recovery: recoveryNone(),
+        summary,
+    };
+}
+function failure(args) {
+    return {
+        status: "failed",
+        projectRef: args.projectRef,
+        tables: [],
+        authUsersCount: null,
+        storageBuckets: [],
+        warnings: [],
+        error: {
+            code: args.code,
+            title: args.title,
+            explanation: args.explanation,
+            suggestion: args.suggestion,
+        },
+        recovery: args.recovery,
+        summary: `${args.title}. ${args.suggestion}`,
+    };
+}
+async function safeReadText(response) {
+    try {
+        return await response.text();
+    }
+    catch {
+        return "";
+    }
+}
+function parseJsonSafe(text) {
+    if (!text)
+        return null;
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return null;
+    }
+}
+function extractRows(body) {
+    if (Array.isArray(body))
+        return body;
+    if (body && typeof body === "object") {
+        const maybeRows = body.result ?? body.rows;
+        if (Array.isArray(maybeRows))
+            return maybeRows;
+    }
+    return null;
+}
+function extractErrorMessage(body) {
+    if (!body || typeof body !== "object")
+        return null;
+    const candidate = body.message ??
+        body.error?.message ??
+        body.msg;
+    return typeof candidate === "string" ? candidate : null;
+}
+function looksLikePaused(message) {
+    const lower = message.toLowerCase();
+    return lower.includes("paused") || lower.includes("inactive");
+}
+function normalizeTables(input) {
+    if (!Array.isArray(input))
+        return [];
+    const tables = [];
+    for (const raw of input) {
+        if (!raw || typeof raw !== "object")
+            continue;
+        const r = raw;
+        const schema = typeof r.schema === "string" ? r.schema : "";
+        const name = typeof r.name === "string" ? r.name : "";
+        if (!schema || !name)
+            continue;
+        if (SYSTEM_SCHEMAS.has(schema))
+            continue;
+        tables.push({
+            schema,
+            name,
+            columns: normalizeColumns(r.columns),
+            rlsPolicies: normalizeRlsPolicies(r.rlsPolicies),
+            estimatedRowCount: toFiniteNumber(r.estimatedRowCount) ?? 0,
+        });
+    }
+    return tables;
+}
+function normalizeColumns(input) {
+    if (!Array.isArray(input))
+        return [];
+    const cols = [];
+    for (const raw of input) {
+        if (!raw || typeof raw !== "object")
+            continue;
+        const r = raw;
+        const name = typeof r.name === "string" ? r.name : "";
+        const postgresType = typeof r.postgresType === "string" ? r.postgresType : "";
+        if (!name || !postgresType)
+            continue;
+        cols.push({
+            name,
+            postgresType,
+            isNullable: r.isNullable === true,
+            hasDefault: r.hasDefault === true,
+            defaultExpr: typeof r.defaultExpr === "string" ? r.defaultExpr : null,
+            isPrimaryKey: r.isPrimaryKey === true,
+            foreignKey: normalizeForeignKey(r.foreignKey),
+        });
+    }
+    return cols;
+}
+function normalizeForeignKey(input) {
+    if (!input || typeof input !== "object")
+        return null;
+    const r = input;
+    const table = typeof r.table === "string" ? r.table : "";
+    const column = typeof r.column === "string" ? r.column : "";
+    if (!table || !column)
+        return null;
+    return { table, column };
+}
+function normalizeRlsPolicies(input) {
+    if (!Array.isArray(input))
+        return [];
+    const policies = [];
+    for (const raw of input) {
+        if (!raw || typeof raw !== "object")
+            continue;
+        const r = raw;
+        const name = typeof r.name === "string" ? r.name : "";
+        const command = typeof r.command === "string" ? r.command : "";
+        if (!name)
+            continue;
+        policies.push({
+            name,
+            command,
+            usingExpr: typeof r.usingExpr === "string" ? r.usingExpr : null,
+            withCheckExpr: typeof r.withCheckExpr === "string" ? r.withCheckExpr : null,
+        });
+    }
+    return policies;
+}
+function normalizeBuckets(input) {
+    if (!Array.isArray(input))
+        return [];
+    const buckets = [];
+    for (const raw of input) {
+        if (!raw || typeof raw !== "object")
+            continue;
+        const r = raw;
+        const id = typeof r.id === "string" ? r.id : "";
+        const name = typeof r.name === "string" ? r.name : "";
+        if (!id || !name)
+            continue;
+        buckets.push({ id, name, public: r.public === true });
+    }
+    return buckets;
+}
+function toFiniteNumber(input) {
+    if (typeof input === "number" && Number.isFinite(input))
+        return input;
+    if (typeof input === "string") {
+        const n = Number(input);
+        return Number.isFinite(n) ? n : null;
+    }
+    return null;
+}
+function truncate(s, max) {
+    if (s.length <= max)
+        return s;
+    return `${s.slice(0, max)}…`;
+}
+/**
+ * True for any Postgres array column. Accepts both the formatted
+ * `text[]` shape that our SQL emits AND the raw `ARRAY` string that
+ * information_schema reports without formatting. The second branch is
+ * the defensive one — if Supabase ever changes their query envelope or
+ * a regression strips the SQL's array-formatting CASE, the warning
+ * still fires instead of going silent.
+ */
+function isArrayType(postgresType) {
+    return postgresType === "ARRAY" || postgresType.endsWith("[]");
+}
+function collectWarnings(tables, buckets, authUsersCount) {
+    const warnings = [];
+    for (const table of tables) {
+        const pkCount = table.columns.filter((c) => c.isPrimaryKey).length;
+        if (pkCount === 0) {
+            warnings.push(`Table "${table.schema}.${table.name}" has no primary key — PocketBase requires one. A synthetic id will be generated.`);
+        }
+        else if (pkCount > 1) {
+            warnings.push(`Table "${table.schema}.${table.name}" has a composite primary key (${pkCount} columns) — PocketBase only supports a single id; needs manual review.`);
+        }
+        for (const col of table.columns) {
+            // The SQL collapses information_schema's `ARRAY` data_type +
+            // underscore-prefixed udt_name into the ANSI `text[]` syntax.
+            // Defensive: also treat the raw `ARRAY` literal as an array — if a
+            // SQL regression ever leaks the unformatted form through, the
+            // warning still fires instead of going silent. Codex P2 finding
+            // pinned this with a test below.
+            if (isArrayType(col.postgresType)) {
+                warnings.push(`Column "${table.schema}.${table.name}.${col.name}" is an array (${col.postgresType}) — PocketBase has no array UI; will map to json.`);
+            }
+            if (col.postgresType === "USER-DEFINED") {
+                warnings.push(`Column "${table.schema}.${table.name}.${col.name}" uses a user-defined type (likely enum or custom) — verify the PocketBase mapping manually.`);
+            }
+        }
+        if (table.rlsPolicies.length > 0) {
+            warnings.push(`Table "${table.schema}.${table.name}" has ${table.rlsPolicies.length} RLS polic${table.rlsPolicies.length === 1 ? "y" : "ies"} — PocketBase API rules use different syntax; phase D will report each policy for manual rewrite.`);
+        }
+    }
+    if (buckets.length > 0) {
+        warnings.push(`${buckets.length} storage bucket${buckets.length === 1 ? "" : "s"} found — bucket files need a separate storage migration script (phase C).`);
+    }
+    if (authUsersCount !== null && authUsersCount > 0) {
+        warnings.push(`${authUsersCount} auth user${authUsersCount === 1 ? "" : "s"} found — Supabase bcrypt hashes are NOT directly compatible with PocketBase; users will need to reset their password.`);
+    }
+    return warnings;
+}
+function renderSummary(args) {
+    const columnCount = args.tables.reduce((acc, t) => acc + t.columns.length, 0);
+    const policyCount = args.tables.reduce((acc, t) => acc + t.rlsPolicies.length, 0);
+    const parts = [
+        `Inspected Supabase project ${args.projectRef}:`,
+        `${args.tables.length} table${args.tables.length === 1 ? "" : "s"} (${columnCount} columns)`,
+        `${policyCount} RLS polic${policyCount === 1 ? "y" : "ies"}`,
+        `${args.storageBuckets.length} storage bucket${args.storageBuckets.length === 1 ? "" : "s"}`,
+        args.authUsersCount === null
+            ? "auth.users unavailable"
+            : `${args.authUsersCount} auth user${args.authUsersCount === 1 ? "" : "s"}`,
+    ];
+    const head = `${parts[0]} ${parts.slice(1).join(", ")}.`;
+    if (args.warnings.length === 0)
+        return head;
+    return `${head} ${args.warnings.length} warning${args.warnings.length === 1 ? "" : "s"} — see warnings[] for details.`;
+}
+/**
+ * Helper for downstream code (phases B–D) to filter tables to just the
+ * ones we'd migrate — i.e. nothing in a Supabase-managed system schema.
+ * Phase A returns these already filtered, but the predicate is exported
+ * so a caller can re-filter a result they've stored.
+ */
+export function isMigratableTable(table) {
+    return !SYSTEM_SCHEMAS.has(table.schema);
+}
+//# sourceMappingURL=migrate-supabase.js.map