@runa-ai/runa-cli 0.10.0 → 0.10.2

package/dist/{chunk-Y5ANTCKE.js → chunk-EZ46JIEO.js}

@@ -512,10 +512,13 @@ function buildExecuteExpressionInfo(body, statementStartOffset, state) {
 }
 function parseExecuteExpressionAt(body, statementStartOffset) {
   const indexCursor = skipWhitespace(body, statementStartOffset + 7);
-  if (isQuoteBoundary(body, indexCursor, "ON")) {
+  const ignoredKeyword = ["ON", "FUNCTION", "PROCEDURE"].find(
+    (keyword) => isQuoteBoundary(body, indexCursor, keyword)
+  );
+  if (ignoredKeyword) {
     return {
       info: null,
-      nextCursor: Math.max(indexCursor + 2, statementStartOffset + 1)
+      nextCursor: Math.max(indexCursor + ignoredKeyword.length, statementStartOffset + 1)
     };
   }
   const state = {

package/dist/{chunk-ZWDWFMOX.js → chunk-HWR5NUUZ.js}

@@ -2,10 +2,10 @@
 import { createRequire } from 'module';
 import { blankDollarQuotedBodies, stripSqlComments, psqlSyncQuery, parsePostgresUrl, buildPsqlArgs, buildPsqlEnv } from './chunk-A6A7JIRD.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { existsSync, readdirSync, readFileSync } from 'fs';
 import path from 'path';
 import { execFileSync, spawnSync, spawn } from 'child_process';
 import { createCLILogger } from '@runa-ai/runa';
-import { existsSync, readdirSync, readFileSync } from 'fs';
 
 createRequire(import.meta.url);
 
@@ -473,6 +473,7 @@ function collectWarningsForStatement(statement, file, line, knownFunctionNames)
 
 // src/commands/db/utils/sql-boundary-parser.ts
 init_esm_shims();
+var ALLOW_DYNAMIC_SQL_ANNOTATION = /--\s*runa:allow-dynamic-sql\b/;
 var DOLLAR_QUOTE_PATTERN = /^\$([A-Za-z_][A-Za-z0-9_]*)?\$/;
 function countNewlines2(text) {
   let count = 0;
@@ -1204,6 +1205,20 @@ function detectMissingExtensionType(errorOutput) {
     suggestedExtensions: [...extensions]
   };
 }
+function detectExtensionFilePath() {
+  const defaultPath = "supabase/schemas/idempotent/00_extensions.sql";
+  const idempotentDir = path.join(process.cwd(), "supabase", "schemas", "idempotent");
+  if (!existsSync(idempotentDir)) return defaultPath;
+  try {
+    const files = readdirSync(idempotentDir).filter((f) => f.endsWith(".sql"));
+    const extensionFile = files.find((f) => /extension/i.test(f));
+    if (extensionFile) {
+      return path.posix.join("supabase", "schemas", "idempotent", extensionFile);
+    }
+  } catch {
+  }
+  return defaultPath;
+}
 function formatExtensionErrorHint(detection) {
   if (!detection.detected) return "";
   const lines = [];
@@ -1214,8 +1229,14 @@ function formatExtensionErrorHint(detection) {
     lines.push(`  type "${type}" \u2192 extension: ${ext ?? "unknown"}`);
   }
   if (detection.suggestedExtensions.length > 0) {
+    const extensionFile = detectExtensionFilePath();
+    const fileExists = existsSync(path.join(process.cwd(), extensionFile));
     lines.push("");
-    lines.push("Fix 1: Add to supabase/schemas/idempotent/00_extensions.sql:");
+    if (fileExists) {
+      lines.push(`Fix 1: Add to ${extensionFile}:`);
+    } else {
+      lines.push(`Fix 1: Create ${extensionFile} (or add to your existing extension file):`);
+    }
     for (const ext of detection.suggestedExtensions) {
       lines.push(`  CREATE EXTENSION IF NOT EXISTS ${ext};`);
     }
@@ -1511,4 +1532,4 @@ function executePgSchemaDiffPlan(dbUrl, schemasDir, includeSchemas, verbose, opt
   throw new Error("pg-schema-diff plan failed after all retries");
 }
 
-export { DB_APPLY_CHECK_MODE_CONTRACT_NOTE, FUNCTION_DEFINITION_RE, HAZARD_REGEX, MAX_DETAILED_DECLARATIVE_WARNINGS, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, PUBLIC_SCHEMA, STATEMENT_IDX_REGEX, analyzeDeclarativeDependencyContract, blankQuotedStrings, buildIdleConnectionCleanupSql, collectSqlFiles, countNewlines, detectDropTableStatements, detectMissingExtensionType, detectMissingQualifiedFunction, detectPartitionPrivilegeError, detectPgSchemaDiffVersion, executePgSchemaDiffPlan, extractDdlObject, extractFirstDollarBody, formatDeclarativeDependencyBoundaryHint, formatDeclarativeDependencyViolation, formatDeclarativeDependencyWarning, formatExtensionErrorHint, formatPartitionPrivilegeHint, freeConnectionSlotsForPgSchemaDiff, hasUnparsedHazardHints, isNonDdlMaintenanceStatement, isNonSchemaOperation, parseSqlFilename, sanitizeExecutableCode, sanitizeExecutableCodePreserveStrings, shouldReviewUnknownDeclarativeDdl, shouldReviewUnknownIdempotentDdl, splitSqlStatements, startConnectionCleanupDaemon, stopConnectionCleanupDaemon, summarizeDeclarativeDependencyWarnings, verifyDatabaseConnection, verifyPgSchemaDiffBinary };
+export { ALLOW_DYNAMIC_SQL_ANNOTATION, DB_APPLY_CHECK_MODE_CONTRACT_NOTE, FUNCTION_DEFINITION_RE, HAZARD_REGEX, MAX_DETAILED_DECLARATIVE_WARNINGS, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, PUBLIC_SCHEMA, STATEMENT_IDX_REGEX, analyzeDeclarativeDependencyContract, blankQuotedStrings, buildIdleConnectionCleanupSql, collectSqlFiles, countNewlines, detectDropTableStatements, detectExtensionFilePath, detectMissingExtensionType, detectMissingQualifiedFunction, detectPartitionPrivilegeError, detectPgSchemaDiffVersion, executePgSchemaDiffPlan, extractDdlObject, extractFirstDollarBody, formatDeclarativeDependencyBoundaryHint, formatDeclarativeDependencyViolation, formatDeclarativeDependencyWarning, formatExtensionErrorHint, formatPartitionPrivilegeHint, freeConnectionSlotsForPgSchemaDiff, hasUnparsedHazardHints, isNonDdlMaintenanceStatement, isNonSchemaOperation, parseSqlFilename, sanitizeExecutableCode, sanitizeExecutableCodePreserveStrings, shouldReviewUnknownDeclarativeDdl, shouldReviewUnknownIdempotentDdl, splitSqlStatements, startConnectionCleanupDaemon, stopConnectionCleanupDaemon, summarizeDeclarativeDependencyWarnings, verifyDatabaseConnection, verifyPgSchemaDiffBinary };

package/dist/{chunk-OXQISY3J.js → chunk-IR7SA2ME.js}

@@ -6,7 +6,7 @@ createRequire(import.meta.url);
 
 // src/version.ts
 init_esm_shims();
-var CLI_VERSION = "0.10.0";
+var CLI_VERSION = "0.10.2";
 var HAS_ADMIN_COMMAND = false;
 
 export { CLI_VERSION, HAS_ADMIN_COMMAND };

package/dist/{chunk-QDOR3GTD.js → chunk-LCJNIHZY.js}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import { resolveDatabaseUrl, resolveDatabaseTarget } from './chunk-WGRVAGSR.js';
-import { verifyPgSchemaDiffBinary, verifyDatabaseConnection, freeConnectionSlotsForPgSchemaDiff, executePgSchemaDiffPlan, detectDropTableStatements, analyzeDeclarativeDependencyContract, DB_APPLY_CHECK_MODE_CONTRACT_NOTE, formatDeclarativeDependencyViolation, summarizeDeclarativeDependencyWarnings, MAX_DETAILED_DECLARATIVE_WARNINGS, formatDeclarativeDependencyWarning, detectPgSchemaDiffVersion, STATEMENT_IDX_REGEX, hasUnparsedHazardHints, collectSqlFiles, splitSqlStatements, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, HAZARD_REGEX, PUBLIC_SCHEMA, FUNCTION_DEFINITION_RE } from './chunk-ZWDWFMOX.js';
-import { splitPlpgsqlStatementsWithOffsets, extractExecuteExpressions, extractStaticSqlFromExpression } from './chunk-Y5ANTCKE.js';
+import { verifyPgSchemaDiffBinary, verifyDatabaseConnection, freeConnectionSlotsForPgSchemaDiff, executePgSchemaDiffPlan, detectDropTableStatements, analyzeDeclarativeDependencyContract, DB_APPLY_CHECK_MODE_CONTRACT_NOTE, formatDeclarativeDependencyViolation, summarizeDeclarativeDependencyWarnings, MAX_DETAILED_DECLARATIVE_WARNINGS, formatDeclarativeDependencyWarning, detectPgSchemaDiffVersion, STATEMENT_IDX_REGEX, hasUnparsedHazardHints, collectSqlFiles, splitSqlStatements, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, HAZARD_REGEX, PUBLIC_SCHEMA, FUNCTION_DEFINITION_RE } from './chunk-HWR5NUUZ.js';
+import { splitPlpgsqlStatementsWithOffsets, extractExecuteExpressions, extractStaticSqlFromExpression } from './chunk-EZ46JIEO.js';
 import { loadEnvFiles } from './chunk-IWVXI5O4.js';
-import { CLI_VERSION } from './chunk-OXQISY3J.js';
-import { generateTablesManifest } from './chunk-URWDB7YL.js';
+import { CLI_VERSION } from './chunk-IR7SA2ME.js';
+import { generateTablesManifest } from './chunk-O3M7A73M.js';
 import { parsePostgresUrl, buildPsqlEnv, buildPsqlArgs, stripSqlComments, psqlSyncQuery, blankDollarQuotedBodies, psqlSyncBatch, psqlSyncFile } from './chunk-A6A7JIRD.js';
 import { init_local_supabase, buildLocalDatabaseUrl } from './chunk-QSEF4T3Y.js';
 import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
@@ -2309,7 +2309,7 @@ function extractQualifiedNameAfterKeyword(sql, keywordPattern) {
   const rest = sql.slice(keywordMatch.index + keywordMatch[0].length);
   const nameMatch = rest.match(/^\s*["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?/);
   if (!nameMatch) return null;
-  return `${nameMatch[1].replace(/"/g, "").toLowerCase()}.${nameMatch[2].replace(/"/g, "").toLowerCase()}`;
+  return `${nameMatch[1]?.replace(/"/g, "").toLowerCase()}.${nameMatch[2]?.replace(/"/g, "").toLowerCase()}`;
 }
 function extractFkReferences(sql) {
   const refs = /* @__PURE__ */ new Set();
@@ -2317,7 +2317,7 @@ function extractFkReferences(sql) {
     /REFERENCES\s+["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?\s*\(/gi
   )) {
     refs.add(
-      `${match[1].replace(/"/g, "").toLowerCase()}.${match[2].replace(/"/g, "").toLowerCase()}`
+      `${match[1]?.replace(/"/g, "").toLowerCase()}.${match[2]?.replace(/"/g, "").toLowerCase()}`
     );
   }
   return [...refs];
@@ -2327,12 +2327,12 @@ function extractRelationRefsFromBody(sql) {
   for (const m of sql.matchAll(
     /\bFROM\s+["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?/gi
   )) {
-    refs.add(`${m[1].replace(/"/g, "").toLowerCase()}.${m[2].replace(/"/g, "").toLowerCase()}`);
+    refs.add(`${m[1]?.replace(/"/g, "").toLowerCase()}.${m[2]?.replace(/"/g, "").toLowerCase()}`);
   }
   for (const m of sql.matchAll(
     /["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?\s*%ROWTYPE/gi
   )) {
-    refs.add(`${m[1].replace(/"/g, "").toLowerCase()}.${m[2].replace(/"/g, "").toLowerCase()}`);
+    refs.add(`${m[1]?.replace(/"/g, "").toLowerCase()}.${m[2]?.replace(/"/g, "").toLowerCase()}`);
   }
   return [...refs];
 }
@@ -2404,7 +2404,7 @@ function analyzeWithRegexFallback(strippedSql) {
     const match = strippedSql.match(
       /(?:CREATE|ALTER|DROP)\s+POLICY\s+.*?\bON\s+["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?/i
     );
-    const key = match ? `${match[1].replace(/"/g, "").toLowerCase()}.${match[2].replace(/"/g, "").toLowerCase()}` : null;
+    const key = match ? `${match[1]?.replace(/"/g, "").toLowerCase()}.${match[2]?.replace(/"/g, "").toLowerCase()}` : null;
     return {
       ...buildBaseStatementAnalysis(strippedSql, "relation"),
       targetKey: key,
@@ -2565,7 +2565,7 @@ function stabilizeAnalyzedPlanOrder(analyzedPlan) {
   const groupedStatements = /* @__PURE__ */ new Set();
   const deferredTriggerStatements = [];
   const createdFunctionKeys = new Set(
-    analyzedPlan.statements.filter((s) => s.objectKind === "function" && s.targetFunctionKey).map((s) => s.targetFunctionKey.toLowerCase())
+    analyzedPlan.statements.filter((s) => s.objectKind === "function" && s.targetFunctionKey).map((s) => s.targetFunctionKey?.toLowerCase())
   );
   for (const statement of analyzedPlan.statements) {
     if (statement.phase === 50 && statement.functionDependencies.some((fn) => createdFunctionKeys.has(fn.toLowerCase()))) {
@@ -3322,7 +3322,30 @@ async function createShadowDbWithExtensions(config) {
     // Extensions like PostGIS can take time
   });
   if (extResult.status !== 0) {
-    logger7.warn(`Some extensions failed to install: ${extResult.stderr}`);
+    const stderr = extResult.stderr?.trim() ?? "";
+    logger7.error(`Shadow DB extension installation failed: ${stderr}`);
+    logger7.error("Configured extensions may not be available in the target PostgreSQL server.");
+    logger7.error("Check that the extensions are installed on the server:");
+    for (const ext of extensions) {
+      logger7.error(`  SELECT * FROM pg_available_extensions WHERE name = '${ext}';`);
+    }
+    logger7.error(
+      "If running locally with Supabase, ensure extensions are enabled in the dashboard."
+    );
+  }
+  const verifyResult = psqlSyncQuery({
+    databaseUrl: shadowDsn,
+    sql: `SELECT extname FROM pg_extension WHERE extname = ANY(ARRAY[${extensions.map((e) => `'${e}'`).join(",")}])`,
+    timeout: 1e4
+  });
+  if (verifyResult.status === 0) {
+    const installed = (verifyResult.stdout ?? "").split("\n").map((l) => l.trim()).filter(Boolean);
+    const missing = extensions.filter((ext) => !installed.includes(ext));
+    if (missing.length > 0) {
+      logger7.warn(
+        `Shadow DB missing extensions: ${missing.join(", ")}. pg-schema-diff may fail on extension-defined types (geometry, vector, etc.).`
+      );
+    }
   }
   bootstrapShadowDbSchemaPrerequisites(sourceDbUrl, shadowDsn);
   logger7.debug(`Shadow database ready with extensions: ${extensions.join(", ")}`);
@@ -5176,7 +5199,7 @@ function logIdempotentRiskSummary(summary) {
 async function detectIdempotentRiskSummary(schemasDir, files, verbose) {
   const summary = emptyRiskSummary();
   try {
-    const { detectSchemaRisks } = await import('./risk-detector-S7XQF4I2.js');
+    const { detectSchemaRisks } = await import('./risk-detector-GDDLISVE.js');
     for (const file of files) {
       const filePath = join(schemasDir, file);
       const risks = await detectSchemaRisks(filePath);
@@ -7203,11 +7226,54 @@ async function applyWithRetry(params) {
     retryWaitMs: result.totalWaitMs
   };
 }
+function autoDetectRequiredExtensions(targetDir) {
+  const EXTENSION_TYPE_KEYWORDS = {
+    geometry: "postgis",
+    geography: "postgis",
+    box2d: "postgis",
+    box3d: "postgis",
+    raster: "postgis_raster",
+    vector: "vector",
+    halfvec: "vector",
+    sparsevec: "vector",
+    citext: "citext",
+    hstore: "hstore",
+    ltree: "ltree"
+  };
+  const declarativeDir = join(targetDir, "supabase", "schemas", "declarative");
+  if (!existsSync(declarativeDir)) return [];
+  const detected = /* @__PURE__ */ new Set();
+  try {
+    const files = readdirSync(declarativeDir).filter((f) => f.endsWith(".sql"));
+    for (const file of files) {
+      const content = readFileSync(join(declarativeDir, file), "utf-8").toLowerCase();
+      for (const [typeName, extName] of Object.entries(EXTENSION_TYPE_KEYWORDS)) {
+        if (content.includes(typeName)) {
+          detected.add(extName);
+        }
+      }
+    }
+  } catch {
+  }
+  return [...detected].sort();
+}
+function resolveEffectiveShadowExtensions(configured, targetDir, verbose) {
+  if (configured && configured.length > 0) return configured;
+  const autoDetected = autoDetectRequiredExtensions(targetDir);
+  if (autoDetected.length > 0 && verbose) {
+    logger13.debug(`Auto-detected shadow DB extensions from SQL: ${autoDetected.join(", ")}`);
+  }
+  return autoDetected.length > 0 ? autoDetected : void 0;
+}
 function loadPgSchemaDiffConfigState(targetDir, verbose) {
   try {
     const config = loadRunaConfig(targetDir);
     return {
-      shadowExtensions: config.database?.pgSchemaDiff?.shadowDbExtensions,
+      shadowExtensions: resolveEffectiveShadowExtensions(
+        config.database?.pgSchemaDiff?.shadowDbExtensions,
+        targetDir,
+        verbose
+      ),
       configExclusions: config.database?.pgSchemaDiff?.excludeFromOrphanDetection ? [...config.database.pgSchemaDiff.excludeFromOrphanDetection] : void 0,
       schemaCheckExclusions: config.database?.pgSchemaDiff?.excludeFromSchemaCheck ? [...config.database.pgSchemaDiff.excludeFromSchemaCheck] : void 0
     };
@@ -7215,7 +7281,9 @@ function loadPgSchemaDiffConfigState(targetDir, verbose) {
     if (verbose) {
       logger13.debug("Could not load runa.config.ts - continuing without extension support");
     }
-    return {};
+    return {
+      shadowExtensions: resolveEffectiveShadowExtensions(void 0, targetDir, verbose)
+    };
   }
 }
 function createPrefilterState(schemasDir, verbose, configExclusions) {

package/dist/{chunk-JQXOVCOP.js → chunk-NIS77243.js}

@@ -132,12 +132,12 @@ var ERROR_CATALOG = {
   LICENSE_UNAUTHORIZED: {
     code: "ERR_RUNA_LICENSE_UNAUTHORIZED",
     exitCode: EXIT_CODES.AUTH_ERROR,
-    title: "CI access not authorized",
-    template: 'Organization "{owner}" is not authorized to use runa CI',
+    title: "Legacy CI access policy denied command",
+    template: 'Legacy CI access policy denied runa execution for "{owner}"',
     suggestions: [
-      "Install GitHub App: https://github.com/apps/runa-app",
-      "Contact runa admin for approval",
-      "Local development is not affected"
+      "Upgrade to the latest @runa-ai/runa-cli",
+      "Public runa CLI/SDK/plugin commands should not require CI allowlist approval",
+      "Template operations use separate repository-access checks"
     ],
     docUrl: "https://runa.dev/docs/errors/license-unauthorized"
   },
@@ -571,4 +571,7 @@ function interpolateTemplate(template, params) {
   });
 }
 
+// src/errors/index.ts
+init_esm_shims();
+
 export { ERROR_CATALOG, createError };

package/dist/{chunk-URWDB7YL.js → chunk-O3M7A73M.js}

@@ -231,6 +231,32 @@ function extractTablesFromIdempotentSql(idempotentDir, projectRoot = process.cwd
   }
   return [...new Set(tables)].sort();
 }
+function extractDynamicTablePatternsFromIdempotentSql(idempotentDir, projectRoot = process.cwd()) {
+  const fullPath = path.resolve(projectRoot, idempotentDir);
+  if (!existsSync(fullPath)) {
+    return [];
+  }
+  const patterns = [];
+  const prefixInFormat = /EXECUTE\s+format\s*\(\s*'CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:"?([a-zA-Z_][a-zA-Z0-9_]*)"?\.)?([a-zA-Z_][a-zA-Z0-9_]*)%[sI]/gi;
+  try {
+    const files = readdirSync(fullPath).filter((f) => f.endsWith(".sql"));
+    for (const file of files) {
+      const filePath = path.join(fullPath, file);
+      const content = readFileSync(filePath, "utf-8");
+      const cleaned = content.replace(/--.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+      for (const match of cleaned.matchAll(prefixInFormat)) {
+        const schema = match[1] || "public";
+        const prefix = match[2];
+        if (prefix && prefix.length >= 2) {
+          patterns.push(`${schema}.${prefix}*`);
+        }
+      }
+    }
+  } catch {
+    return [];
+  }
+  return [...new Set(patterns)].sort();
+}
 
 // src/commands/db/utils/table-registry.ts
 init_esm_shims();
@@ -1686,8 +1712,16 @@ function resolveSourceConfig(projectRoot, options) {
     }
   } catch {
   }
+  const resolvedIdempotentDir = isAbsolute(idempotentSqlDir) ? idempotentSqlDir : join(projectRoot, idempotentSqlDir);
+  const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(
+    resolvedIdempotentDir,
+    projectRoot
+  );
+  for (const pattern of dynamicPatterns) {
+    exclusions.add(pattern);
+  }
   return {
-    idempotentSqlDir: isAbsolute(idempotentSqlDir) ? idempotentSqlDir : join(projectRoot, idempotentSqlDir),
+    idempotentSqlDir: resolvedIdempotentDir,
     excludeFromOrphanDetection: [...exclusions].sort((a, b) => a.localeCompare(b))
   };
 }
@@ -1918,9 +1952,31 @@ async function generateTablesManifest(projectRoot, options = {}) {
   }
   writeFileSync(outputPath, `${JSON.stringify(manifest, null, 2)}
 `);
+  validateManifestSourceFiles(manifest, projectRoot);
   logManifestSummary(manifest, mappingResult.conflicts);
   return manifest;
 }
+function validateManifestSourceFiles(manifest, projectRoot) {
+  const staleEntries = [];
+  for (const table of manifest.tables) {
+    if (!table.sourceFile) continue;
+    const absolutePath = join(projectRoot, table.sourceFile);
+    if (!existsSync(absolutePath)) {
+      staleEntries.push({ table: table.qualifiedName, sourceFile: table.sourceFile });
+    }
+  }
+  if (staleEntries.length === 0) return;
+  console.warn(
+    `[tables-manifest] warn: ${staleEntries.length} table(s) reference non-existent sourceFile:`
+  );
+  for (const entry of staleEntries.slice(0, 5)) {
+    console.warn(`  ${entry.table} \u2192 ${entry.sourceFile} (file not found)`);
+  }
+  if (staleEntries.length > 5) {
+    console.warn(`  ... and ${staleEntries.length - 5} more`);
+  }
+  console.warn("  \u2192 If files were moved, re-run `runa db sync` to update sourceFile references.");
+}
 function logManifestSummary(manifest, conflicts) {
   const tableCount = manifest.tables.length;
   const schemas = [...new Set(manifest.tables.map((t) => t.schema))];
@@ -1975,4 +2031,4 @@ function logManifestSummary(manifest, conflicts) {
   console.log("   Path: .runa/manifests/tables.json\n");
 }
 
-export { buildTablePatternMatcher, diffSchema, extractSchemaTablesAndEnums, extractTablesFromIdempotentSql, fetchDbTablesAndEnums, generateTablesManifest, getSqlParserUtils };
+export { buildTablePatternMatcher, diffSchema, extractDynamicTablePatternsFromIdempotentSql, extractSchemaTablesAndEnums, extractTablesFromIdempotentSql, fetchDbTablesAndEnums, generateTablesManifest, getSqlParserUtils };

package/dist/{chunk-PAWNJA3N.js → chunk-XFXGFUAM.js}

@@ -9,7 +9,7 @@ init_esm_shims();
 var riskDetectorModulePromise = null;
 async function loadRiskDetectorModule() {
   if (!riskDetectorModulePromise) {
-    riskDetectorModulePromise = import('./risk-detector-core-TGFKWHRS.js').catch((error) => {
+    riskDetectorModulePromise = import('./risk-detector-core-YI3M6INI.js').catch((error) => {
       riskDetectorModulePromise = null;
       throw error;
     });

package/dist/{chunk-IEKYTCYA.js → chunk-YTQS2O4H.js}

@@ -19,6 +19,64 @@ init_esm_shims();
 var COMPATIBLE_TEMPLATES_VERSION = "0.7.3";
 var TEMPLATES_PACKAGE_NAME = "@r06-dev/runa-templates";
 var GITHUB_PACKAGES_REGISTRY = "https://npm.pkg.github.com";
+var TEMPLATES_SOURCE_REPOSITORY = "r06-dev/runa";
+var TEMPLATES_SOURCE_REPOSITORY_API_URL = `https://api.github.com/repos/${TEMPLATES_SOURCE_REPOSITORY}`;
+
+// src/utils/template-access.ts
+init_esm_shims();
+var TEMPLATE_ACCESS_TIMEOUT_MS = 5e3;
+var TEMPLATE_ACCESS_USER_AGENT = "runa-cli/template-access-check";
+async function hasRepoAccessWithToken(token) {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TEMPLATE_ACCESS_TIMEOUT_MS);
+  try {
+    const response = await fetch(TEMPLATES_SOURCE_REPOSITORY_API_URL, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/vnd.github+json",
+        "User-Agent": TEMPLATE_ACCESS_USER_AGENT
+      },
+      signal: controller.signal
+    });
+    return response.ok;
+  } catch {
+    return false;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function hasRepoAccessWithGh() {
+  try {
+    const result = await secureGh(["api", `repos/${TEMPLATES_SOURCE_REPOSITORY}`, "--silent"], {
+      reject: false,
+      timeout: TEMPLATE_ACCESS_TIMEOUT_MS,
+      stdio: "pipe"
+    });
+    return result.exitCode === 0;
+  } catch {
+    return false;
+  }
+}
+async function verifyTemplateRepoAccess() {
+  const explicitToken = process.env.NODE_AUTH_TOKEN?.trim();
+  if (explicitToken && await hasRepoAccessWithToken(explicitToken)) {
+    return;
+  }
+  if (await hasRepoAccessWithGh()) {
+    return;
+  }
+  throw new CLIError(
+    `Template operations require access to ${TEMPLATES_SOURCE_REPOSITORY}.`,
+    "TEMPLATE_REPO_ACCESS_REQUIRED",
+    [
+      `Use a GitHub account that can access https://github.com/${TEMPLATES_SOURCE_REPOSITORY}`,
+      "Authenticate with GitHub CLI: gh auth login",
+      "Or export NODE_AUTH_TOKEN from an authorized account",
+      "Normal runa CLI/SDK/plugin commands do not require this access"
+    ]
+  );
+}
 
 // src/utils/template-fetcher.ts
 var SAFE_VERSION_PATTERN = /^[a-zA-Z0-9._-]+$/;
@@ -273,6 +331,7 @@ async function fetchTemplates(options = {}) {
   const version = options.version ?? COMPATIBLE_TEMPLATES_VERSION;
   const fresh = options.fresh ?? false;
   const verbose = options.verbose ?? false;
+  await verifyTemplateRepoAccess();
   const workspaceResult = getWorkspaceTemplatesResult(resolveWorkspaceTemplates(), verbose);
   if (workspaceResult) {
     return workspaceResult;

package/dist/{ci-FLTJ2UXB.js → ci-6XYG7XNX.js}

@@ -1,17 +1,17 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { normalizeDatabaseUrlForDdl, parseBoolish, enhanceConnectionError, isIdempotentRoleHazard, detectAppSchemas, formatSchemasForSql, getDbPlanArtifactPath, runDbApply } from './chunk-QDOR3GTD.js';
+import { normalizeDatabaseUrlForDdl, parseBoolish, enhanceConnectionError, isIdempotentRoleHazard, detectAppSchemas, formatSchemasForSql, getDbPlanArtifactPath, runDbApply } from './chunk-LCJNIHZY.js';
 import './chunk-WGRVAGSR.js';
-import './chunk-ZWDWFMOX.js';
+import './chunk-HWR5NUUZ.js';
 import './chunk-UHDAYPHH.js';
-import './chunk-Y5ANTCKE.js';
+import './chunk-EZ46JIEO.js';
 import './chunk-IWVXI5O4.js';
-import './chunk-OXQISY3J.js';
+import './chunk-IR7SA2ME.js';
 import './chunk-B7C7CLW2.js';
 import './chunk-QDF7QXBL.js';
 import { getSnapshotStateName, getSnapshotStatePaths, isSnapshotComplete } from './chunk-XVNDDHAF.js';
 import { createInitialSummary, resolveMode, appendGithubStepSummary, buildCiProdApplyStepSummaryMarkdown, setSummaryErrorFromUnknown, writeEnvLocal, startAppBackground, waitForAppReady, executePrSetupBase, createErrorOutput, requireCiAutoApprove, resolveProdApplyInputs, parseIntOr, classifyCiProdApplyError, addGithubMask } from './chunk-EXR4J2JT.js';
-import './chunk-URWDB7YL.js';
+import './chunk-O3M7A73M.js';
 import { parsePostgresUrl, buildPsqlArgs, buildPsqlEnv, psqlSyncQuery } from './chunk-A6A7JIRD.js';
 import { ensureRunaTmpDir, runLogged } from './chunk-ELXXQIGW.js';
 import { createMachineStateChangeLogger } from './chunk-5FT3F36G.js';

package/dist/{cli-THEA6T7N.js → cli-2XL3VESS.js}

@@ -2,7 +2,7 @@
 import { createRequire } from 'module';
 import { enableNonInteractiveMode } from './chunk-6Y3LAUGL.js';
 import { getRequestedCommandNameFromArgv } from './chunk-UWWSAPDR.js';
-import { CLI_VERSION, HAS_ADMIN_COMMAND } from './chunk-OXQISY3J.js';
+import { CLI_VERSION, HAS_ADMIN_COMMAND } from './chunk-IR7SA2ME.js';
 import { emitDefaultSuccessIfNeeded } from './chunk-WJXC4MVY.js';
 import { parseOutputFormat, setOutputFormat, getOutputFormatFromEnv } from './chunk-HKUWEGUX.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
@@ -145,7 +145,7 @@ function isTestCommand(requested) {
 async function registerProjectLifecycleCommands(program, requested, loadAllCommands) {
   if (!loadAllCommands && requested) {
     if (requested === "init") {
-      const { initCommand: initCommand2 } = await import('./init-2O6ODG5Z.js');
+      const { initCommand: initCommand2 } = await import('./init-4UAWYY75.js');
       program.addCommand(initCommand2);
       return;
     }
@@ -155,7 +155,7 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
       return;
     }
     if (requested === "upgrade") {
-      const { upgradeCommand: upgradeCommand2 } = await import('./upgrade-QZKEI3NJ.js');
+      const { upgradeCommand: upgradeCommand2 } = await import('./upgrade-X7P6WRD5.js');
       program.addCommand(upgradeCommand2);
       return;
     }
@@ -170,7 +170,7 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
       return;
     }
     if (requested === "dev") {
-      const { devCommand: devCommand2 } = await import('./dev-LGSMDFJN.js');
+      const { devCommand: devCommand2 } = await import('./dev-QR55VDNZ.js');
       program.addCommand(devCommand2);
       return;
     }
@@ -183,12 +183,12 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
     { buildCommand },
     { devCommand }
   ] = await Promise.all([
-    import('./init-2O6ODG5Z.js'),
+    import('./init-4UAWYY75.js'),
     import('./prepare-32DOVHTE.js'),
-    import('./upgrade-QZKEI3NJ.js'),
+    import('./upgrade-X7P6WRD5.js'),
     import('./validate-CAAW4Y44.js'),
     import('./build-P2A6345N.js'),
-    import('./dev-LGSMDFJN.js')
+    import('./dev-QR55VDNZ.js')
   ]);
   program.addCommand(initCommand);
   program.addCommand(prepareCommand);
@@ -462,11 +462,11 @@ async function registerFocusedStatusUtilityCommand(program, requested) {
   return false;
 }
 async function registerCiCommand(program) {
-  const { ciCommand } = await import('./ci-FLTJ2UXB.js');
+  const { ciCommand } = await import('./ci-6XYG7XNX.js');
   program.addCommand(ciCommand);
 }
 async function registerDbCommand(program) {
-  const { dbCommand } = await import('./db-IDKQ44VX.js');
+  const { dbCommand } = await import('./db-4AGPISOW.js');
   program.addCommand(dbCommand);
 }
 async function registerServicesCommand(program) {
@@ -478,7 +478,7 @@ async function registerEnvCommand(program) {
   program.addCommand(envCommand);
 }
 async function registerHotfixCommand(program) {
-  const { hotfixCommand } = await import('./hotfix-RJIAPLAM.js');
+  const { hotfixCommand } = await import('./hotfix-JYHDY2M6.js');
   program.addCommand(hotfixCommand);
 }
 async function registerSdkCommand(program) {
@@ -490,7 +490,7 @@ async function registerUiCommand(program) {
   program.addCommand(uiCommand);
 }
 async function registerWatchCommand(program) {
-  const { watchCommand } = await import('./watch-RFVCEQLH.js');
+  const { watchCommand } = await import('./watch-4RHXVCQ3.js');
   program.addCommand(watchCommand);
 }
 async function registerWorkflowCommand(program) {
@@ -498,11 +498,11 @@ async function registerWorkflowCommand(program) {
   program.addCommand(workflowCommand);
 }
 async function registerVulnCheckCommand(program) {
-  const { vulnCheckCommand } = await import('./vuln-check-JRPMUHLF.js');
+  const { vulnCheckCommand } = await import('./vuln-check-LMDYYJUE.js');
   program.addCommand(vulnCheckCommand);
 }
 async function registerTemplateCheckCommand(program) {
-  const { templateCheckCommand } = await import('./template-check-VNNQQXCX.js');
+  const { templateCheckCommand } = await import('./template-check-D35F2GDP.js');
   program.addCommand(templateCheckCommand);
 }
 async function registerSessionCommands(program) {
@@ -708,7 +708,7 @@ async function executeProgram(program) {
   if (!isHelpOrVersion && shouldRunRuntimeBootstrap(argv)) {
     const [{ loadEnvFiles }, { enforceLicenseInCI }] = await Promise.all([
       import('./env-files-ONBC47I6.js'),
-      import('./license-OB7GVJQ2.js')
+      import('./license-M6ODBV4X.js')
     ]);
     loadEnvFiles({
       silent: true

package/dist/commands/build/contract.d.ts

@@ -21,9 +21,9 @@ import { z } from 'zod';
 export declare const BuildPhaseSchema: z.ZodEnum<{
     db: "db";
     build: "build";
+    manifest: "manifest";
     lint: "lint";
     types: "types";
-    manifest: "manifest";
 }>;
 export type BuildPhase = z.infer<typeof BuildPhaseSchema>;
 /** Valid build phases for --only option */
@@ -44,9 +44,9 @@ export declare const BuildInputSchema: z.ZodObject<{
     only: z.ZodOptional<z.ZodArray<z.ZodEnum<{
         db: "db";
         build: "build";
+        manifest: "manifest";
         lint: "lint";
         types: "types";
-        manifest: "manifest";
     }>>>;
 }, z.core.$strict>;
 export type BuildInput = z.infer<typeof BuildInputSchema>;