@runa-ai/runa-cli 0.10.0 → 0.10.2

package/dist/{db-IDKQ44VX.js → db-4AGPISOW.js}

@@ -1,23 +1,22 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import { detectDatabaseStack, getStackPaths } from './chunk-MILCC3B6.js';
-import { categorizeRisks, detectSchemaRisks } from './chunk-PAWNJA3N.js';
-import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, DbPlanOutputSchema, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, DbApplyOutputSchema, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, parsePlanOutput, validateDependencyOrder, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, formatSchemasForSql, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, assessPlanSize, formatPlanSizeSummary, extractFunctionOwnershipDefinition } from './chunk-QDOR3GTD.js';
-import './chunk-ZZOXM6Q4.js';
-import { createError } from './chunk-JQXOVCOP.js';
+import { categorizeRisks, detectSchemaRisks } from './chunk-XFXGFUAM.js';
+import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, DbPlanOutputSchema, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, DbApplyOutputSchema, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, parsePlanOutput, validateDependencyOrder, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, formatSchemasForSql, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, assessPlanSize, formatPlanSizeSummary, extractFunctionOwnershipDefinition } from './chunk-LCJNIHZY.js';
+import { createError } from './chunk-NIS77243.js';
 import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
 export { resolveDatabaseUrl, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
-import { analyzeDeclarativeDependencyContract, formatDeclarativeDependencyViolation, parseSqlFilename, collectSqlFiles, splitSqlStatements, extractFirstDollarBody, sanitizeExecutableCode, FUNCTION_DEFINITION_RE, blankQuotedStrings, sanitizeExecutableCodePreserveStrings, countNewlines, shouldReviewUnknownDeclarativeDdl, extractDdlObject, isNonSchemaOperation, isNonDdlMaintenanceStatement, shouldReviewUnknownIdempotentDdl } from './chunk-ZWDWFMOX.js';
+import { analyzeDeclarativeDependencyContract, formatDeclarativeDependencyViolation, parseSqlFilename, collectSqlFiles, splitSqlStatements, ALLOW_DYNAMIC_SQL_ANNOTATION, extractFirstDollarBody, sanitizeExecutableCode, detectExtensionFilePath, FUNCTION_DEFINITION_RE, blankQuotedStrings, sanitizeExecutableCodePreserveStrings, countNewlines, shouldReviewUnknownDeclarativeDdl, extractDdlObject, isNonSchemaOperation, isNonDdlMaintenanceStatement, shouldReviewUnknownIdempotentDdl } from './chunk-HWR5NUUZ.js';
 import './chunk-UHDAYPHH.js';
-import './chunk-Y5ANTCKE.js';
+import './chunk-EZ46JIEO.js';
 import { loadEnvFiles } from './chunk-IWVXI5O4.js';
-import './chunk-OXQISY3J.js';
+import './chunk-IR7SA2ME.js';
 import { diagnoseSupabaseStart } from './chunk-AAIE4F2U.js';
 import { validateUserFilePath, filterSafePaths, resolveSafePath } from './chunk-B7C7CLW2.js';
 import { runMachine } from './chunk-QDF7QXBL.js';
 import './chunk-XVNDDHAF.js';
 import { writeEnvLocalBridge, removeEnvLocalBridge } from './chunk-KUH3G522.js';
-import { extractSchemaTablesAndEnums, fetchDbTablesAndEnums, extractTablesFromIdempotentSql, diffSchema, getSqlParserUtils, buildTablePatternMatcher } from './chunk-URWDB7YL.js';
+import { extractSchemaTablesAndEnums, fetchDbTablesAndEnums, extractTablesFromIdempotentSql, extractDynamicTablePatternsFromIdempotentSql, diffSchema, getSqlParserUtils, buildTablePatternMatcher } from './chunk-O3M7A73M.js';
 import { psqlExec, psqlQuery, blankDollarQuotedBodies, stripSqlComments, parsePostgresUrl, buildPsqlArgs, buildPsqlEnv } from './chunk-A6A7JIRD.js';
 import { redactSecrets } from './chunk-II7VYQEM.js';
 import { init_local_supabase, init_constants, detectLocalSupabasePorts, buildLocalDatabaseUrl, DATABASE_DEFAULTS, SEED_DEFAULTS, SCRIPT_LOCATIONS } from './chunk-QSEF4T3Y.js';
@@ -441,9 +440,10 @@ async function runCleanupAction(env, options) {
     } catch {
     }
     const idempotentTables = extractTablesFromIdempotentSql(idempotentSqlDir);
-    if (idempotentTables.length > 0) {
+    const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(idempotentSqlDir);
+    if (idempotentTables.length > 0 || dynamicPatterns.length > 0) {
       excludeFromOrphanDetection = [
-        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables])
+        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables, ...dynamicPatterns])
       ];
     }
     const diff = diffSchema({
@@ -1511,14 +1511,30 @@ function buildGuardrailConflictEntries(report, entries) {
 }
 function buildGuardrailHeaderEntries(report, entries) {
   if (report.staleBlocks.length > 0) {
+    const byFile = /* @__PURE__ */ new Map();
+    for (const block of report.staleBlocks) {
+      const kinds = byFile.get(block.file) ?? [];
+      kinds.push(block.kind === "file-header" ? "file metadata" : `table: ${block.target}`);
+      byFile.set(block.file, kinds);
+    }
     entries.push({
       level: "warn",
-      message: `Generated headers are stale in ${report.staleBlocks.map((value) => `${value.file}:${value.kind}`).join(", ")}`
+      message: `Generated headers are stale (${report.staleBlocks.length} block(s) in ${byFile.size} file(s)):`
     });
+    for (const [file, kinds] of byFile) {
+      entries.push({
+        level: "info",
+        message: `  ${file}: ${kinds.join(", ")}`
+      });
+    }
     if (!report.failure) {
       entries.push({
         level: "info",
-        message: "Run `runa db sync` to refresh generated headers before apply."
+        message: "Auto-fix: Run `runa db sync` to regenerate all headers automatically."
+      });
+      entries.push({
+        level: "info",
+        message: "Headers track: FK references, RLS policies, triggers, function ownership, and schema dependencies."
       });
     }
   }
@@ -1832,6 +1848,10 @@ async function collectSchemaRisks(sqlDir, sqlFiles) {
   }
   return allRisks;
 }
+function filterAllowlistedSchemaRisks(risks) {
+  const policy = getBoundaryPolicy();
+  return risks.filter((risk) => !findDeclarativeRiskAllowlistMatch(risk, policy));
+}
 function summarizeRisks(risks) {
   const summaries = /* @__PURE__ */ new Map();
   for (const risk of risks) {
@@ -1885,10 +1905,54 @@ function reportMediumRisks(result, logger4, mediumRisks) {
     logger4.info(`  \u2022 ${summary}`);
   }
 }
-function reportRiskGuidance(logger4, highRiskCount, lowRiskCount) {
-  if (lowRiskCount > 0) {
-    logger4.info(`  Found ${lowRiskCount} LOW risk suggestion(s) (informational)`);
+var SHOW_LOW_RISKS = process.env.RUNA_DB_SHOW_LOW_RISKS === "1";
+function reportLowRisks(logger4, lowRisks) {
+  if (lowRisks.length === 0) return;
+  if (SHOW_LOW_RISKS) {
+    logger4.info(`  Found ${lowRisks.length} LOW risk suggestion(s):`);
+    const summaries = summarizeRisks(lowRisks);
+    for (const summary of summaries) {
+      logger4.info(`    ${summary.replace("[MEDIUM]", "[LOW]")}`);
+    }
+  } else {
+    logger4.info(
+      `  Found ${lowRisks.length} LOW risk suggestion(s) (informational; set RUNA_DB_SHOW_LOW_RISKS=1 to see details)`
+    );
+  }
+}
+function writeRiskJson(allRisks, categorized) {
+  if (!SHOW_LOW_RISKS) return;
+  const outputDir = path12.join(process.cwd(), ".runa", "tmp");
+  const outputPath = path12.join(outputDir, "schema-risks.json");
+  try {
+    mkdirSync(outputDir, { recursive: true });
+    const json = JSON.stringify(
+      {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        summary: {
+          high: categorized.high.length,
+          medium: categorized.medium.length,
+          low: categorized.low.length,
+          total: allRisks.length
+        },
+        risks: allRisks.map((risk) => ({
+          level: risk.level,
+          file: risk.file,
+          line: risk.line,
+          description: risk.description,
+          mitigation: risk.mitigation,
+          reasonCode: risk.reasonCode
+        }))
+      },
+      null,
+      2
+    );
+    writeFileSync(outputPath, json, "utf-8");
+  } catch {
   }
+}
+function reportRiskGuidance(logger4, highRiskCount, lowRisks) {
+  reportLowRisks(logger4, lowRisks);
   if (highRiskCount > 0) {
     logger4.info("");
     logger4.info("  AGENTS.md requires Supabase Auth Schema Independence:");
@@ -1906,7 +1970,7 @@ async function runSqlSchemaRiskCheck(result, logger4, step) {
   const sqlFiles = getDeclarativeSqlFiles(sqlDir, logger4);
   if (!sqlFiles) return;
   try {
-    const allRisks = await collectSchemaRisks(sqlDir, sqlFiles);
+    const allRisks = filterAllowlistedSchemaRisks(await collectSchemaRisks(sqlDir, sqlFiles));
     if (allRisks.length === 0) {
       logger4.success(`Scanned ${sqlFiles.length} SQL file(s) - no violations`);
       return;
@@ -1914,7 +1978,8 @@ async function runSqlSchemaRiskCheck(result, logger4, step) {
     const categorized = categorizeRisks(applySyncPreflightRiskPolicy(allRisks));
     reportHighRisks(result, logger4, categorized.high);
     reportMediumRisks(result, logger4, categorized.medium);
-    reportRiskGuidance(logger4, categorized.high.length, categorized.low.length);
+    reportRiskGuidance(logger4, categorized.high.length, categorized.low);
+    writeRiskJson(allRisks, categorized);
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     logger4.warn(`SQL schema risk check skipped: ${message}`);
@@ -1971,9 +2036,10 @@ async function runOrphanCheck(env, dbPackagePath, result, logger4, step) {
     } catch {
     }
     const idempotentTables = extractTablesFromIdempotentSql(idempotentSqlDir);
-    if (idempotentTables.length > 0) {
+    const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(idempotentSqlDir);
+    if (idempotentTables.length > 0 || dynamicPatterns.length > 0) {
       excludeFromOrphanDetection = [
-        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables])
+        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables, ...dynamicPatterns])
       ];
     }
     const diff = diffSchema({
@@ -2591,664 +2657,991 @@ async function runDeclarativeDependencyCheck(result, logger4, step, strictOption
 
 // src/commands/db/utils/preflight-checks/duplicate-function-ownership-checks.ts
 init_esm_shims();
-async function runDuplicateFunctionOwnershipCheck(result, logger4, step) {
-  logger4.step("Checking duplicate function ownership", step.next());
-  const analysis = analyzeDuplicateFunctionOwnership(process.cwd());
-  if (analysis.findings.length === 0) {
-    logger4.success("No duplicate declarative/idempotent function ownership detected");
-    return;
-  }
-  result.passed = false;
-  result.errors.push(`Found ${analysis.findings.length} duplicate function ownership finding(s)`);
-  logger4.error(`Found ${analysis.findings.length} duplicate function ownership finding(s):`);
-  logger4.info(`  ${analysis.contractNote}`);
-  for (const finding of analysis.findings) {
-    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
-    logger4.info(`  [ERROR] ${formatted.summary}`);
-    for (const location of formatted.declarativeLocations) {
-      logger4.info(`          declarative: ${location}`);
-    }
-    for (const location of formatted.idempotentLocations) {
-      logger4.info(`          idempotent: ${location}`);
-    }
-    logger4.info(`          ${formatted.suggestion}`);
-  }
-}
-
-// src/commands/db/utils/preflight-checks/schema-boundary-checks.ts
-init_esm_shims();
 
-// src/commands/db/commands/db-sync/precheck-helpers.ts
+// src/commands/db/utils/duplicate-function-ownership-allowlist.ts
 init_esm_shims();
-var SHOW_ALLOWLIST_REPORT = process.env.RUNA_DB_PRECHECK_ALLOWLIST_REPORT === "1";
-var DIRECTORY_PLACEMENT_WARNING_PREFIX = "  [misplacement] ";
-function applyStrictModeToReport(report, strict) {
-  if (!strict) return report;
-  return {
-    blockers: [...report.blockers, ...report.warnings],
-    warnings: []
-  };
-}
-function formatAllowlistReason({
-  label,
-  ruleId,
-  reason,
-  rule
-}) {
-  const meta = rule ? formatAllowlistMetadata(rule) : "";
-  return meta ? `[allowlist:${label}] ${ruleId}: ${reason} (${meta})` : `[allowlist:${label}] ${ruleId}: ${reason}`;
-}
 
-// src/commands/db/commands/db-sync/directory-placement-check.ts
+// src/commands/db/sync/schema-guardrail-config.ts
 init_esm_shims();
 
-// src/commands/db/utils/schema-precheck-budget.ts
+// src/commands/db/sync/schema-guardrail-config-test-support.ts
 init_esm_shims();
-var ONE_MB = 1024 * 1024;
-var ONE_GB = 1024 * ONE_MB;
-function parseIntEnv(name, fallback, min, max) {
-  const raw = process.env[name];
-  if (!raw) return fallback;
-  const value = Number.parseInt(raw, 10);
-  if (!Number.isFinite(value) || Number.isNaN(value)) return fallback;
-  const normalized = Math.trunc(value);
-  if (normalized < min) return min;
-  if (normalized > max) return max;
-  return normalized;
-}
-var RUNA_SCHEMA_PRECHECK_MAX_FILES = parseIntEnv(
-  "RUNA_SCHEMA_PRECHECK_MAX_FILES",
-  3e3,
-  100,
-  2e4
-);
-var RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES = parseIntEnv(
-  "RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES",
-  512 * ONE_MB,
-  32 * ONE_MB,
-  20 * ONE_GB
-);
-var RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES = parseIntEnv(
-  "RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES",
-  64 * ONE_MB,
-  1 * ONE_MB,
-  512 * ONE_MB
-);
-var RUNA_PLAN_PRECHECK_MAX_BYTES = parseIntEnv(
-  "RUNA_PLAN_PRECHECK_MAX_BYTES",
-  128 * ONE_MB,
-  8 * ONE_MB,
-  4 * ONE_GB
-);
-var RUNA_PLAN_PRECHECK_MAX_STATEMENTS = parseIntEnv(
-  "RUNA_PLAN_PRECHECK_MAX_STATEMENTS",
-  4e3,
-  100,
-  5e4
-);
-function formatBytes2(value) {
-  if (value >= ONE_MB * 1024) return `${(value / (ONE_MB * 1024)).toFixed(1)} GB`;
-  if (value >= ONE_MB) return `${(value / ONE_MB).toFixed(1)} MB`;
-  return `${(value / 1024).toFixed(1)} KB`;
-}
-function buildBudgetExceededReason(context, files, bytes, maxFiles, maxBytes) {
-  return `${context}: budget exceeded (files=${files}/${maxFiles}, bytes=${formatBytes2(bytes)}/${formatBytes2(maxBytes)}). Stop and review with stricter scoping or increase RUNA_SCHEMA_PRECHECK_MAX_* settings only after approval.`;
-}
-function createSchemaPrecheckBudgetState() {
-  return {
-    scannedFiles: 0,
-    scannedBytes: 0,
-    maxFiles: RUNA_SCHEMA_PRECHECK_MAX_FILES,
-    maxBytes: RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES,
-    maxFileBytes: RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES
-  };
+function extractFirstStringMatch(content, fieldName) {
+  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*['"]([^'"]+)['"]`));
+  return match?.[1];
 }
-function shouldAbortSchemaPrecheckForBudget(state, filePath) {
-  const size = statSync(filePath).size;
-  if (size > state.maxFileBytes) {
-    return `Unscanned schema file ${filePath}: ${formatBytes2(size)} exceeds per-file limit ${formatBytes2(
-      state.maxFileBytes
-    )}`;
-  }
-  if (state.scannedFiles + 1 > state.maxFiles) {
-    return `Schema file scan budget exceeds ${state.maxFiles} files at ${path12.basename(filePath)}.`;
+function extractFirstNumberMatch(content, fieldName) {
+  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*(-?\\d+(?:\\.\\d+)?)`));
+  if (!match?.[1]) {
+    return void 0;
   }
-  const projectedBytes = state.scannedBytes + size;
-  if (projectedBytes > state.maxBytes) {
-    return `Schema scan budget exceeds total size limit ${formatBytes2(state.maxBytes)}.`;
+  const parsed = Number(match[1]);
+  return Number.isFinite(parsed) ? parsed : void 0;
+}
+function extractStringArrayMatch(content, fieldName) {
+  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*\\[([\\s\\S]*?)\\]`));
+  if (!match?.[1]) {
+    return [];
   }
-  state.scannedBytes = projectedBytes;
-  state.scannedFiles += 1;
-  return null;
+  return Array.from(match[1].matchAll(/['"]([^'"]+)['"]/g), (entry) => entry[1] ?? "").filter(
+    (value) => value.length > 0
+  );
 }
-
-// src/commands/db/utils/sql-file-collector.ts
-init_esm_shims();
-function* collectSqlFilesRecursively(baseDir) {
-  const queue = [baseDir];
-  let index = 0;
-  while (index < queue.length) {
-    const currentDir = queue[index++];
-    if (!currentDir) continue;
-    try {
-      const entries = readdirSync(currentDir, { withFileTypes: true });
-      for (const entry of entries) {
-        const fullPath = path12.join(currentDir, entry.name);
-        if (entry.isDirectory()) {
-          queue.push(fullPath);
-          continue;
-        }
-        if (entry.isFile() && entry.name.endsWith(".sql")) {
-          yield fullPath;
-        }
+function extractNamedObjectBlock(content, fieldName) {
+  const nameMatch = new RegExp(`${fieldName}\\s*:\\s*\\{`).exec(content);
+  if (!nameMatch) {
+    return null;
+  }
+  const startIndex = nameMatch.index + nameMatch[0].length - 1;
+  let depth = 0;
+  for (let index = startIndex; index < content.length; index += 1) {
+    const current = content[index];
+    if (current === "{") {
+      depth += 1;
+    } else if (current === "}") {
+      depth -= 1;
+      if (depth === 0) {
+        return content.slice(startIndex + 1, index);
       }
-    } catch {
     }
   }
+  return null;
 }
-
-// src/commands/db/commands/db-sync/boundary-classifier.ts
-init_esm_shims();
-
-// src/commands/db/commands/db-sync/sql-parser.ts
-init_esm_shims();
-function isWordChar(char) {
-  const code = char.charCodeAt(0);
-  return code >= 48 && code <= 57 || code >= 65 && code <= 90 || code >= 97 && code <= 122 || char === "_";
-}
-function isWhitespaceChar(char) {
-  return char === " " || char === "	" || char === "\n" || char === "\r" || char === "\f";
-}
-function parseWordAt(statement, start) {
-  if (start < 0 || start >= statement.length) return null;
-  const first = statement[start];
-  if (!first || !isWordChar(first)) return null;
-  let end = start + 1;
-  while (end < statement.length && isWordChar(statement[end] ?? "")) {
-    end += 1;
-  }
-  return { value: statement.slice(start, end), start, end };
-}
-function skipWhitespace(statement, start) {
-  let index = start;
-  while (index < statement.length && isWhitespaceChar(statement[index] ?? "")) {
-    index += 1;
+function extractAllowedDuplicateFunctions(content, normalizers) {
+  const match = content.match(/allowedDuplicateFunctions\s*:\s*\[([\s\S]*?)\]/);
+  if (!match?.[1]) {
+    return [];
   }
-  return index;
-}
-function skipLineComment(statement, start) {
-  let index = start;
-  while (index < statement.length && statement[index] !== "\n") {
-    index += 1;
+  const entries = [];
+  for (const objectMatch of match[1].matchAll(/\{([\s\S]*?)\}/g)) {
+    const objectBody = objectMatch[1] ?? "";
+    const qualifiedName = extractFirstStringMatch(objectBody, "qualifiedName");
+    const signature = extractFirstStringMatch(objectBody, "signature");
+    const reason = extractFirstStringMatch(objectBody, "reason");
+    if (!qualifiedName || !signature || !reason) {
+      continue;
+    }
+    entries.push({
+      qualifiedName: normalizers.normalizeFunctionQualifiedName(qualifiedName),
+      signature: normalizers.normalizeAllowlistSignature(signature),
+      reason,
+      declarativeFile: extractFirstStringMatch(objectBody, "declarativeFile"),
+      idempotentFile: extractFirstStringMatch(objectBody, "idempotentFile"),
+      expectedBodyHash: extractFirstStringMatch(objectBody, "expectedBodyHash")
+    });
   }
-  return index;
+  return entries;
 }
-function skipBlockComment(statement, start) {
-  let index = start;
-  while (index + 1 < statement.length && !(statement[index] === "*" && statement[index + 1] === "/")) {
-    index += 1;
+function tryLoadSchemaGuardrailConfigFromText(params) {
+  const configPath = findRunaConfig(params.targetDir);
+  if (!configPath || !existsSync(configPath)) {
+    return null;
   }
-  return index + 1 < statement.length ? index + 2 : index;
-}
-function skipWhitespaceAndComments(statement, start) {
-  let index = Math.max(0, start);
-  while (index < statement.length) {
-    const afterWhitespace = skipWhitespace(statement, index);
-    if (afterWhitespace !== index) {
-      index = afterWhitespace;
-      continue;
-    }
-    if (statement[index] === "-" && statement[index + 1] === "-") {
-      index = skipLineComment(statement, index + 2);
-      continue;
-    }
-    if (statement[index] === "/" && statement[index + 1] === "*") {
-      index = skipBlockComment(statement, index + 2);
-      continue;
-    }
-    break;
-  }
-  return index;
-}
-function getPreviousWord(statement, start) {
-  let index = start - 1;
-  while (index >= 0 && isWhitespaceChar(statement[index] ?? "")) index -= 1;
-  if (index < 0 || !isWordChar(statement[index] ?? "")) return "";
-  const end = index;
-  while (index >= 0 && isWordChar(statement[index] ?? "")) index -= 1;
-  return statement.slice(index + 1, end + 1).toUpperCase();
-}
-function parseDollarQuotedLiteral(statement, start) {
-  if (statement[start] !== "$") return null;
-  let tagEnd = start + 1;
-  if (tagEnd >= statement.length) return null;
-  if (statement[tagEnd] === "$") {
-    const delimiter2 = "$$";
-    const bodyStart2 = tagEnd + 1;
-    const bodyEnd2 = statement.indexOf(delimiter2, bodyStart2);
-    if (bodyEnd2 < 0) return null;
+  try {
+    const content = readFileSync(configPath, "utf-8");
+    const schemaGuardrailsBlock = extractNamedObjectBlock(content, "schemaGuardrails") ?? "";
+    const pgSchemaDiffBlock = extractNamedObjectBlock(content, "pgSchemaDiff") ?? "";
     return {
-      body: statement.slice(bodyStart2, bodyEnd2),
-      next: bodyEnd2 + delimiter2.length
+      ...params.defaults,
+      declarativeSqlDir: extractFirstStringMatch(schemaGuardrailsBlock, "declarativeSqlDir") ?? params.defaults.declarativeSqlDir,
+      allowedDuplicateFunctions: extractAllowedDuplicateFunctions(
+        schemaGuardrailsBlock,
+        params.normalizers
+      ),
+      generatedHeaderRewriteTargets: params.normalizers.normalizeFileList(
+        extractStringArrayMatch(schemaGuardrailsBlock, "generatedHeaderRewriteTargets").map(
+          (value) => params.normalizers.normalizePathForMatch(value)
+        )
+      ),
+      semanticWarnings: {
+        threshold: extractFirstNumberMatch(schemaGuardrailsBlock, "threshold") ?? params.defaults.semanticWarnings.threshold,
+        maxCandidates: extractFirstNumberMatch(schemaGuardrailsBlock, "maxCandidates") ?? params.defaults.semanticWarnings.maxCandidates,
+        ignorePairs: new Set(
+          extractStringArrayMatch(schemaGuardrailsBlock, "ignorePairs").map(
+            (value) => params.normalizers.normalizeSuppressionPair(value)
+          )
+        )
+      },
+      tableHeaderMaxWidth: extractFirstNumberMatch(schemaGuardrailsBlock, "tableHeaderMaxWidth") ?? params.defaults.tableHeaderMaxWidth,
+      excludeFromOrphanDetection: extractStringArrayMatch(
+        pgSchemaDiffBlock,
+        "excludeFromOrphanDetection"
+      ),
+      idempotentSqlDir: extractFirstStringMatch(pgSchemaDiffBlock, "idempotentSqlDir") ?? params.defaults.idempotentSqlDir
     };
+  } catch {
+    return null;
   }
-  const firstChar = statement[tagEnd];
-  if (!firstChar || !/[A-Za-z_]/.test(firstChar)) return null;
-  while (tagEnd < statement.length && /[A-Za-z0-9_]/.test(statement[tagEnd] ?? "")) {
-    tagEnd += 1;
-  }
-  if (statement[tagEnd] !== "$") return null;
-  const tag = statement.slice(start + 1, tagEnd);
-  const delimiter = `$${tag}$`;
-  const bodyStart = tagEnd + 1;
-  const bodyEnd = statement.indexOf(delimiter, bodyStart);
-  if (bodyEnd < 0) return null;
+}
+
+// src/commands/db/sync/schema-guardrail-config.ts
+var DEFAULT_TABLE_HEADER_MAX_WIDTH = 160;
+var DEFAULT_SEMANTIC_WARNING_THRESHOLD = 0.55;
+var DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES = 3;
+var GENERIC_SIMILARITY_COLUMNS = /* @__PURE__ */ new Set([
+  "id",
+  "created_at",
+  "updated_at",
+  "deleted_at",
+  "scope_id"
+]);
+function normalizePathForMatch(filePath) {
+  return filePath.replaceAll("\\", "/");
+}
+function normalizeFunctionQualifiedName(value) {
+  return value.trim().toLowerCase();
+}
+function normalizeAllowlistSignature(value) {
+  return value.replace(/\s+/g, " ").trim();
+}
+function normalizeSuppressionPair(value) {
+  return value.split("::").map((part) => part.trim().toLowerCase()).filter((part) => part.length > 0).sort((left, right) => left.localeCompare(right)).join("::");
+}
+function normalizeFileList(files) {
+  return [...new Set(files)].sort((a, b) => a.localeCompare(b));
+}
+function isSchemaGuardrailTextFallbackAllowed() {
+  return Boolean(process.env.VITEST);
+}
+function createDefaultSchemaGuardrailConfig() {
   return {
-    body: statement.slice(bodyStart, bodyEnd),
-    next: bodyEnd + delimiter.length
+    declarativeSqlDir: "supabase/schemas/declarative",
+    allowedDuplicateFunctions: [],
+    generatedHeaderRewriteTargets: [],
+    semanticWarnings: {
+      threshold: DEFAULT_SEMANTIC_WARNING_THRESHOLD,
+      maxCandidates: DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES,
+      ignorePairs: /* @__PURE__ */ new Set()
+    },
+    tableHeaderMaxWidth: DEFAULT_TABLE_HEADER_MAX_WIDTH,
+    excludeFromOrphanDetection: [],
+    idempotentSqlDir: "supabase/schemas/idempotent"
   };
 }
-function parseSingleQuotedLiteral(statement, start) {
-  if (statement[start] !== "'") return null;
-  let index = start + 1;
-  let body = "";
-  while (index < statement.length) {
-    const char = statement[index];
-    const next = statement[index + 1] ?? "";
-    if (char === "'") {
-      if (next === "'") {
-        body += "'";
-        index += 2;
-        continue;
-      }
-      return { body, next: index + 1 };
-    }
-    if (char === "\\" && index + 1 < statement.length) {
-      body += next;
-      index += 2;
-      continue;
+function loadAllowedDuplicatesFromSchemaOwnership(targetDir) {
+  const candidates = [
+    join(targetDir, "supabase", "schemas", "schema-ownership.json"),
+    join(targetDir, "schema-ownership.json")
+  ];
+  for (const filePath of candidates) {
+    if (!existsSync(filePath)) continue;
+    try {
+      const raw = JSON.parse(readFileSync(filePath, "utf-8"));
+      const allowedDuplicates = raw?.rules?.allowed_duplicates;
+      if (!Array.isArray(allowedDuplicates)) continue;
+      return allowedDuplicates.filter(
+        (entry) => typeof entry === "object" && entry !== null && "qualifiedName" in entry && typeof entry.qualifiedName === "string"
+      ).map((entry) => ({
+        qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
+        signature: normalizeAllowlistSignature(entry.signature ?? ""),
+        reason: entry.reason ?? "Loaded from schema-ownership.json"
+      }));
+    } catch {
     }
-    body += char;
-    index += 1;
   }
-  return null;
+  return [];
 }
-function parsePotentialEmbeddedSqlLiteral(statement, start, fragments) {
-  const index = skipWhitespaceAndComments(statement, start);
-  if (index >= statement.length) return index;
-  const maybePrefix = (statement[index] ?? "").toUpperCase();
-  if (maybePrefix === "E" && statement[index + 1] === "'") {
-    const parsed = parseSingleQuotedLiteral(statement, index + 1);
-    if (parsed && parsed.body.trim().length > 0) {
-      fragments.push(parsed.body);
-      return parsed.next;
+function loadSchemaGuardrailConfig(targetDir) {
+  const defaults = createDefaultSchemaGuardrailConfig();
+  try {
+    const config = loadRunaConfig(targetDir);
+    const databaseConfig = config.database ?? {};
+    return {
+      declarativeSqlDir: databaseConfig.schemaGuardrails?.declarativeSqlDir ?? defaults.declarativeSqlDir,
+      allowedDuplicateFunctions: [
+        ...databaseConfig.schemaGuardrails?.allowedDuplicateFunctions?.map((entry) => ({
+          ...entry,
+          qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
+          signature: normalizeAllowlistSignature(entry.signature),
+          declarativeFile: entry.declarativeFile ? normalizePathForMatch(entry.declarativeFile) : void 0,
+          idempotentFile: entry.idempotentFile ? normalizePathForMatch(entry.idempotentFile) : void 0
+        })) ?? [],
+        // Fallback: merge schema-ownership.json allowed_duplicates if present
+        ...loadAllowedDuplicatesFromSchemaOwnership(targetDir)
+      ],
+      generatedHeaderRewriteTargets: normalizeFileList(
+        (databaseConfig.schemaGuardrails?.generatedHeaderRewriteTargets ?? []).map(
+          (value) => normalizePathForMatch(value)
+        )
+      ),
+      semanticWarnings: {
+        threshold: databaseConfig.schemaGuardrails?.semanticWarnings?.threshold ?? defaults.semanticWarnings.threshold,
+        maxCandidates: databaseConfig.schemaGuardrails?.semanticWarnings?.maxCandidates ?? defaults.semanticWarnings.maxCandidates,
+        ignorePairs: new Set(
+          (databaseConfig.schemaGuardrails?.semanticWarnings?.ignorePairs ?? []).map(
+            (value) => normalizeSuppressionPair(value)
+          )
+        )
+      },
+      tableHeaderMaxWidth: databaseConfig.schemaGuardrails?.tableHeaderMaxWidth ?? defaults.tableHeaderMaxWidth,
+      excludeFromOrphanDetection: databaseConfig.pgSchemaDiff?.excludeFromOrphanDetection ?? [],
+      idempotentSqlDir: databaseConfig.pgSchemaDiff?.idempotentSqlDir ?? defaults.idempotentSqlDir
+    };
+  } catch (error) {
+    if (isSchemaGuardrailTextFallbackAllowed()) {
+      return tryLoadSchemaGuardrailConfigFromText({
+        targetDir,
+        defaults,
+        normalizers: {
+          normalizeAllowlistSignature,
+          normalizeFileList,
+          normalizeFunctionQualifiedName,
+          normalizePathForMatch,
+          normalizeSuppressionPair
+        }
+      }) ?? defaults;
     }
-    return index + 1;
-  }
-  const parsedDollar = parseDollarQuotedLiteral(statement, index);
-  if (parsedDollar) {
-    if (parsedDollar.body.trim().length > 0) fragments.push(parsedDollar.body);
-    return parsedDollar.next;
+    throw error;
   }
-  if (statement[index] === "'") {
-    const parsed = parseSingleQuotedLiteral(statement, index);
-    if (parsed && parsed.body.trim().length > 0) {
-      fragments.push(parsed.body.replace(/\\'/g, "'"));
-      return parsed.next;
-    }
-    return index + 1;
+}
+
+// src/commands/db/utils/duplicate-function-ownership-allowlist.ts
+function matchesDuplicateFunctionSignature(params) {
+  return normalizeFunctionQualifiedName(params.entry.qualifiedName) === normalizeFunctionQualifiedName(params.finding.qualifiedName) && normalizeAllowlistSignature(params.entry.signature) === normalizeAllowlistSignature(params.finding.signature ?? "");
+}
+function matchesOptionalFilePath(params) {
+  if (!params.configuredPath) {
+    return true;
   }
-  return index + 1;
+  return params.definitionFiles.some(
+    (filePath) => normalizePathForMatch(filePath) === params.configuredPath
+  );
 }
-var EMBEDDABLE_SQL_HINT_WORDS = /* @__PURE__ */ new Set(["DO", "AS", "EXECUTE", "FORMAT"]);
-var EMBEDDABLE_SQL_MAX_RECURSION_DEPTH = 3;
-var PLPGSQL_RECURSIVE_PATTERN = /\b(?:DO|EXECUTE|FORMAT)\b/i;
-function shouldRecurseIntoEmbeddableFragment(statement) {
-  return PLPGSQL_RECURSIVE_PATTERN.test(statement);
+function matchesExpectedBodyHash(params) {
+  if (!params.entry.expectedBodyHash || !params.bodyHashes) {
+    return true;
+  }
+  const definitions = [
+    ...params.finding.declarativeDefinitions,
+    ...params.finding.idempotentDefinitions
+  ];
+  if (definitions.length === 0) {
+    return false;
+  }
+  return definitions.every((definition) => {
+    const key = `${definition.layer}:${definition.file}:${definition.line}`;
+    return params.bodyHashes?.get(key) === params.entry.expectedBodyHash;
+  });
 }
-function createFragmentCollector(fragments, depth, maxDepth, seen) {
-  return (fragment) => {
-    const candidate = fragment.trim();
-    if (!candidate) return;
-    if (!seen.has(candidate)) {
-      seen.add(candidate);
-      fragments.push(candidate);
+function isAllowlistedDuplicateFunction(params) {
+  const { finding, allowlist, bodyHashes } = params;
+  if (!finding.signature) return false;
+  return allowlist.some((entry) => {
+    if (!matchesDuplicateFunctionSignature({ entry, finding })) {
+      return false;
     }
-    if (depth < maxDepth && shouldRecurseIntoEmbeddableFragment(candidate)) {
-      collectEmbeddableSqlFragments(candidate, fragments, depth + 1, maxDepth, seen);
+    if (!matchesOptionalFilePath({
+      configuredPath: entry.declarativeFile,
+      definitionFiles: finding.declarativeDefinitions.map((definition) => definition.file)
+    })) {
+      return false;
     }
-  };
+    if (!matchesOptionalFilePath({
+      configuredPath: entry.idempotentFile,
+      definitionFiles: finding.idempotentDefinitions.map((definition) => definition.file)
+    })) {
+      return false;
+    }
+    return matchesExpectedBodyHash({ entry, finding, bodyHashes });
+  });
 }
-function tryAdvanceWithinQuotedText(normalized, state) {
-  const char = normalized[state.index];
-  if (!char) return false;
-  if (state.inSingleQuote) {
-    if (char === "'" && normalized[state.index + 1] === "'") {
-      state.index += 2;
-      return true;
-    }
-    if (char === "'") {
-      state.inSingleQuote = false;
-    }
-    state.index += 1;
-    return true;
+function filterAllowlistedDuplicateFunctions(params) {
+  return params.findings.filter(
+    (finding) => !isAllowlistedDuplicateFunction({
+      finding,
+      allowlist: params.allowlist,
+      bodyHashes: params.bodyHashes
+    })
+  );
+}
+
+// src/commands/db/utils/preflight-checks/duplicate-function-ownership-checks.ts
+async function runDuplicateFunctionOwnershipCheck(result, logger4, step) {
+  logger4.step("Checking duplicate function ownership", step.next());
+  const analysis = analyzeDuplicateFunctionOwnership(process.cwd());
+  let findings = analysis.findings;
+  try {
+    const allowlist = loadSchemaGuardrailConfig(process.cwd()).allowedDuplicateFunctions;
+    findings = filterAllowlistedDuplicateFunctions({
+      findings,
+      allowlist
+    });
+  } catch {
   }
-  if (state.inDoubleQuote) {
-    if (char === '"' && normalized[state.index + 1] === '"') {
-      state.index += 2;
-      return true;
+  if (findings.length === 0) {
+    logger4.success("No duplicate declarative/idempotent function ownership detected");
+    return;
+  }
+  result.passed = false;
+  result.errors.push(`Found ${findings.length} duplicate function ownership finding(s)`);
+  logger4.error(`Found ${findings.length} duplicate function ownership finding(s):`);
+  logger4.info(`  ${analysis.contractNote}`);
+  for (const finding of findings) {
+    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
+    logger4.info(`  [ERROR] ${formatted.summary}`);
+    for (const location of formatted.declarativeLocations) {
+      logger4.info(`          declarative: ${location}`);
     }
-    if (char === '"') {
-      state.inDoubleQuote = false;
+    for (const location of formatted.idempotentLocations) {
+      logger4.info(`          idempotent: ${location}`);
     }
-    state.index += 1;
-    return true;
+    logger4.info(`          ${formatted.suggestion}`);
   }
-  return false;
 }
-function tryAdvanceComment(normalized, state) {
-  if (normalized[state.index] === "-" && normalized[state.index + 1] === "-") {
-    state.index = skipLineComment(normalized, state.index + 2);
-    return true;
-  }
-  if (normalized[state.index] === "/" && normalized[state.index + 1] === "*") {
-    state.index = skipBlockComment(normalized, state.index + 2);
-    return true;
-  }
-  return false;
+
+// src/commands/db/utils/preflight-checks/schema-boundary-checks.ts
+init_esm_shims();
+
+// src/commands/db/commands/db-sync/precheck-helpers.ts
+init_esm_shims();
+var SHOW_ALLOWLIST_REPORT = process.env.RUNA_DB_PRECHECK_ALLOWLIST_REPORT === "1";
+var DIRECTORY_PLACEMENT_WARNING_PREFIX = "  [misplacement] ";
+function applyStrictModeToReport(report, strict) {
+  if (!strict) return report;
+  return {
+    blockers: [...report.blockers, ...report.warnings],
+    warnings: []
+  };
 }
-function tryEnterQuotedText(normalized, state) {
-  if (normalized[state.index] === "'") {
-    state.inSingleQuote = true;
-    state.index += 1;
-    return true;
-  }
-  if (normalized[state.index] === '"') {
-    state.inDoubleQuote = true;
-    state.index += 1;
-    return true;
-  }
-  return false;
+function formatAllowlistReason({
+  label,
+  ruleId,
+  reason,
+  rule
+}) {
+  const meta = rule ? formatAllowlistMetadata(rule) : "";
+  return meta ? `[allowlist:${label}] ${ruleId}: ${reason} (${meta})` : `[allowlist:${label}] ${ruleId}: ${reason}`;
 }
-function tryConsumeDollarQuotedFragment(statement, state, addFragment) {
-  if (statement[state.index] !== "$") return false;
-  const parsedDollar = parseDollarQuotedLiteral(statement, state.index);
-  if (!parsedDollar) return false;
-  const previousWord = getPreviousWord(statement, state.index);
-  if (previousWord && EMBEDDABLE_SQL_HINT_WORDS.has(previousWord)) {
-    addFragment(parsedDollar.body);
-  }
-  state.index = parsedDollar.next;
-  return true;
+
+// src/commands/db/commands/db-sync/directory-placement-check.ts
+init_esm_shims();
+
+// src/commands/db/utils/schema-precheck-budget.ts
+init_esm_shims();
+var ONE_MB = 1024 * 1024;
+var ONE_GB = 1024 * ONE_MB;
+function parseIntEnv(name, fallback, min, max) {
+  const raw = process.env[name];
+  if (!raw) return fallback;
+  const value = Number.parseInt(raw, 10);
+  if (!Number.isFinite(value) || Number.isNaN(value)) return fallback;
+  const normalized = Math.trunc(value);
+  if (normalized < min) return min;
+  if (normalized > max) return max;
+  return normalized;
 }
-function tryExtractExecuteFormatLiteral(statement, normalized, tokenEnd) {
-  let cursor = skipWhitespaceAndComments(statement, tokenEnd);
-  const maybeFormat = parseWordAt(normalized, cursor);
-  if (!maybeFormat || maybeFormat.value !== "FORMAT") return null;
-  cursor = skipWhitespaceAndComments(statement, maybeFormat.end);
-  if (statement[cursor] !== "(") return null;
-  const afterParen = skipWhitespaceAndComments(statement, cursor + 1);
-  const formatCapture = [];
-  const parsed = parsePotentialEmbeddedSqlLiteral(statement, afterParen, formatCapture);
-  if (parsed <= afterParen || formatCapture.length === 0) return null;
-  return { fragment: formatCapture[0] ?? "", nextIndex: parsed };
+var RUNA_SCHEMA_PRECHECK_MAX_FILES = parseIntEnv(
+  "RUNA_SCHEMA_PRECHECK_MAX_FILES",
+  3e3,
+  100,
+  2e4
+);
+var RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES = parseIntEnv(
+  "RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES",
+  512 * ONE_MB,
+  32 * ONE_MB,
+  20 * ONE_GB
+);
+var RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES = parseIntEnv(
+  "RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES",
+  64 * ONE_MB,
+  1 * ONE_MB,
+  512 * ONE_MB
+);
+var RUNA_PLAN_PRECHECK_MAX_BYTES = parseIntEnv(
+  "RUNA_PLAN_PRECHECK_MAX_BYTES",
+  128 * ONE_MB,
+  8 * ONE_MB,
+  4 * ONE_GB
+);
+var RUNA_PLAN_PRECHECK_MAX_STATEMENTS = parseIntEnv(
+  "RUNA_PLAN_PRECHECK_MAX_STATEMENTS",
+  4e3,
+  100,
+  5e4
+);
+function formatBytes2(value) {
+  if (value >= ONE_MB * 1024) return `${(value / (ONE_MB * 1024)).toFixed(1)} GB`;
+  if (value >= ONE_MB) return `${(value / ONE_MB).toFixed(1)} MB`;
+  return `${(value / 1024).toFixed(1)} KB`;
 }
-function tryExtractExecuteLiteral(statement, tokenEnd) {
-  const cursor = skipWhitespaceAndComments(statement, tokenEnd);
-  const executeCapture = [];
-  const parsed = parsePotentialEmbeddedSqlLiteral(statement, cursor, executeCapture);
-  if (parsed <= cursor || executeCapture.length === 0) return null;
-  return { fragment: executeCapture[0] ?? "", nextIndex: parsed };
+function buildBudgetExceededReason(context, files, bytes, maxFiles, maxBytes) {
+  return `${context}: budget exceeded (files=${files}/${maxFiles}, bytes=${formatBytes2(bytes)}/${formatBytes2(maxBytes)}). Stop and review with stricter scoping or increase RUNA_SCHEMA_PRECHECK_MAX_* settings only after approval.`;
 }
-function tryConsumeWordToken(statement, normalized, state, addFragment) {
-  const token = parseWordAt(normalized, state.index);
-  if (!token) return false;
-  if (token.value !== "EXECUTE") {
-    state.index = token.end;
-    return true;
-  }
-  const formatLiteral = tryExtractExecuteFormatLiteral(statement, normalized, token.end);
-  if (formatLiteral) {
-    addFragment(formatLiteral.fragment);
-    state.index = formatLiteral.nextIndex;
-    return true;
+function createSchemaPrecheckBudgetState() {
+  return {
+    scannedFiles: 0,
+    scannedBytes: 0,
+    maxFiles: RUNA_SCHEMA_PRECHECK_MAX_FILES,
+    maxBytes: RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES,
+    maxFileBytes: RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES
+  };
+}
+function shouldAbortSchemaPrecheckForBudget(state, filePath) {
+  const size = statSync(filePath).size;
+  if (size > state.maxFileBytes) {
+    return `Unscanned schema file ${filePath}: ${formatBytes2(size)} exceeds per-file limit ${formatBytes2(
+      state.maxFileBytes
+    )}`;
   }
-  const executeLiteral = tryExtractExecuteLiteral(statement, token.end);
-  if (executeLiteral) {
-    addFragment(executeLiteral.fragment);
-    state.index = executeLiteral.nextIndex;
-    return true;
+  if (state.scannedFiles + 1 > state.maxFiles) {
+    return `Schema file scan budget exceeds ${state.maxFiles} files at ${path12.basename(filePath)}.`;
   }
-  state.index = token.end;
-  return true;
-}
-function collectEmbeddableSqlFragments(statement, fragments, depth, maxDepth, seen) {
-  if (!statement || statement.trim().length === 0) return;
-  if (depth > maxDepth) return;
-  const normalized = statement.toUpperCase();
-  const state = {
-    index: 0,
-    inSingleQuote: false,
-    inDoubleQuote: false
-  };
-  const addFragment = createFragmentCollector(fragments, depth, maxDepth, seen);
-  while (state.index < normalized.length) {
-    if (tryAdvanceWithinQuotedText(normalized, state)) continue;
-    if (tryAdvanceComment(normalized, state)) continue;
-    if (tryEnterQuotedText(normalized, state)) continue;
-    if (tryConsumeDollarQuotedFragment(statement, state, addFragment)) continue;
-    if (tryConsumeWordToken(statement, normalized, state, addFragment)) continue;
-    state.index += 1;
+  const projectedBytes = state.scannedBytes + size;
+  if (projectedBytes > state.maxBytes) {
+    return `Schema scan budget exceeds total size limit ${formatBytes2(state.maxBytes)}.`;
   }
-}
-function extractEmbeddableSqlFragments(statement) {
-  const fragments = [];
-  collectEmbeddableSqlFragments(
-    statement,
-    fragments,
-    0,
-    EMBEDDABLE_SQL_MAX_RECURSION_DEPTH,
-    /* @__PURE__ */ new Set()
-  );
-  return dedupeAndSort(fragments);
-}
-function normalizeSqlForPlacementCheck(content) {
-  return blankDollarQuotedBodies(stripSqlComments(content)).toUpperCase();
-}
-function isPartitionOfCreateTable(statement) {
-  return /\bPARTITION\s+OF\b/.test(statement);
-}
-function dedupeAndSort(lines) {
-  const seen = /* @__PURE__ */ new Set();
-  return [...lines].sort((a, b) => a.localeCompare(b)).filter((line) => {
-    if (seen.has(line)) return false;
-    seen.add(line);
-    return true;
-  });
+  state.scannedBytes = projectedBytes;
+  state.scannedFiles += 1;
+  return null;
 }
 
-// src/commands/db/commands/db-sync/risk-reporter.ts
+// src/commands/db/utils/sql-file-collector.ts
 init_esm_shims();
-
-// src/commands/db/commands/db-sync/types.ts
-init_esm_shims();
-var DIRECTORY_RISK_ORDER = ["high", "medium", "low"];
-var PLAN_BOUNDARY_CONTEXT_FILE = "pg-schema-diff plan.sql";
-var GRANT_STATEMENT_RULE_TEXT = "Grant/REVOKE statements are usually idempotent/bootstrap ACL setup and should be treated as such";
-
-// src/commands/db/commands/db-sync/risk-reporter.ts
-var DIRECTORY_RISK_WEIGHT = {
-  high: 3,
-  medium: 2,
-  low: 1
-};
-function getDirectoryRiskWeight(level) {
-  return DIRECTORY_RISK_WEIGHT[level];
+var IGNORED_DIRECTORY_NAMES = /* @__PURE__ */ new Set([
+  "compat",
+  "archive",
+  "legacy",
+  "deprecated",
+  "backup",
+  "node_modules",
+  ".git",
+  "dist",
+  "build"
+]);
+function shouldSkipDirectory(name) {
+  return IGNORED_DIRECTORY_NAMES.has(name.toLowerCase());
 }
-function compareDirectoryRiskPriority(left, right) {
-  const weightDelta = getDirectoryRiskWeight(left.level) - getDirectoryRiskWeight(right.level);
-  if (weightDelta !== 0) {
-    return weightDelta;
+function scanDirectory(dir, queue, sqlFiles) {
+  try {
+    const entries = readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path12.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (!shouldSkipDirectory(entry.name)) queue.push(fullPath);
+      } else if (entry.isFile() && entry.name.endsWith(".sql")) {
+        sqlFiles.push(fullPath);
+      }
+    }
+  } catch {
   }
-  const leftLine = left.line ?? 0;
-  const rightLine = right.line ?? 0;
-  if (leftLine !== rightLine) {
-    return leftLine - rightLine;
+}
+function* collectSqlFilesRecursively(baseDir) {
+  const queue = [baseDir];
+  const sqlFiles = [];
+  let index = 0;
+  while (index < queue.length) {
+    const currentDir = queue[index++];
+    if (!currentDir) continue;
+    scanDirectory(currentDir, queue, sqlFiles);
+  }
+  for (const file of sqlFiles) {
+    yield file;
   }
-  return left.message.localeCompare(right.message);
 }
-function selectHighestPriorityRisk(entries) {
-  if (entries.length === 0) return void 0;
-  const byPriority = [...entries].sort((left, right) => {
-    const priorityDelta = compareDirectoryRiskPriority(right, left);
-    if (priorityDelta !== 0) return priorityDelta;
-    const leftMessage = left.message.toLowerCase();
-    const rightMessage = right.message.toLowerCase();
-    return leftMessage.localeCompare(rightMessage);
-  });
-  return byPriority[0];
+
+// src/commands/db/commands/db-sync/boundary-classifier.ts
+init_esm_shims();
+
+// src/commands/db/commands/db-sync/sql-parser.ts
+init_esm_shims();
+function isWordChar(char) {
+  const code = char.charCodeAt(0);
+  return code >= 48 && code <= 57 || code >= 65 && code <= 90 || code >= 97 && code <= 122 || char === "_";
 }
-function buildDirectoryRiskKey(entry) {
-  return `${entry.level}:${entry.file}:${entry.line ?? 0}:${entry.message}`;
+function isWhitespaceChar(char) {
+  return char === " " || char === "	" || char === "\n" || char === "\r" || char === "\f";
 }
-function dedupeDirectoryRisksBySeverity(entries) {
-  const byLocationAndMessage = /* @__PURE__ */ new Map();
-  for (const entry of entries) {
-    const key = `${entry.file}:${entry.line ?? 0}:${entry.message}`;
-    const existing = byLocationAndMessage.get(key);
-    if (!existing || getDirectoryRiskWeight(entry.level) > getDirectoryRiskWeight(existing.level)) {
-      byLocationAndMessage.set(key, entry);
-    }
+function parseWordAt(statement, start) {
+  if (start < 0 || start >= statement.length) return null;
+  const first = statement[start];
+  if (!first || !isWordChar(first)) return null;
+  let end = start + 1;
+  while (end < statement.length && isWordChar(statement[end] ?? "")) {
+    end += 1;
   }
-  return [...byLocationAndMessage.values()].sort((left, right) => {
-    const priorityDelta = getDirectoryRiskWeight(right.level) - getDirectoryRiskWeight(left.level);
-    if (priorityDelta !== 0) return priorityDelta;
-    const levelDelta = DIRECTORY_RISK_ORDER.indexOf(right.level) - DIRECTORY_RISK_ORDER.indexOf(left.level);
-    if (levelDelta !== 0) return levelDelta;
-    const leftLine = left.line ?? 0;
-    const rightLine = right.line ?? 0;
-    if (leftLine !== rightLine) return leftLine - rightLine;
-    return left.message.localeCompare(right.message);
-  });
+  return { value: statement.slice(start, end), start, end };
 }
-function printList(title, items, logger4) {
-  if (items.length === 0) return;
-  logger4.warn(`
-${title} (${items.length}):`);
-  for (const item of items) {
-    logger4.info(`  \u2022 ${item}`);
+function skipWhitespace(statement, start) {
+  let index = start;
+  while (index < statement.length && isWhitespaceChar(statement[index] ?? "")) {
+    index += 1;
   }
+  return index;
 }
-function stripCommonPrefix(filePath) {
-  return filePath.startsWith(process.cwd()) ? filePath.replace(`${process.cwd()}/`, "") : filePath;
+function skipLineComment(statement, start) {
+  let index = start;
+  while (index < statement.length && statement[index] !== "\n") {
+    index += 1;
+  }
+  return index;
 }
-function formatDeclarativeRiskMessage(risk) {
-  const line = risk.line ? `:${risk.line}` : "";
-  return `${stripCommonPrefix(risk.file)}${line} ${risk.description}${risk.mitigation ? ` | Fix: ${risk.mitigation}` : ""}`;
+function skipBlockComment(statement, start) {
+  let index = start;
+  while (index + 1 < statement.length && !(statement[index] === "*" && statement[index + 1] === "/")) {
+    index += 1;
+  }
+  return index + 1 < statement.length ? index + 2 : index;
 }
-function buildCompactFindingSummary(rawItems) {
-  const grouped = /* @__PURE__ */ new Map();
-  for (const item of rawItems) {
-    const withoutPrefix = item.replace(/^\s*\[[^\]]+\]\s*/, "");
-    const delimiter = ": ";
-    const separator = withoutPrefix.indexOf(delimiter);
-    if (separator <= 0) {
-      const existing2 = grouped.get(withoutPrefix);
-      if (!existing2) {
-        grouped.set(withoutPrefix, { message: withoutPrefix, count: 1, samples: [] });
-      } else {
-        existing2.count += 1;
-      }
+function skipWhitespaceAndComments(statement, start) {
+  let index = Math.max(0, start);
+  while (index < statement.length) {
+    const afterWhitespace = skipWhitespace(statement, index);
+    if (afterWhitespace !== index) {
+      index = afterWhitespace;
       continue;
     }
-    const source = withoutPrefix.slice(0, separator).trim();
-    const message = withoutPrefix.slice(separator + delimiter.length).trim();
-    const existing = grouped.get(message);
-    if (!existing) {
-      grouped.set(message, { message, count: 1, samples: source ? [source] : [] });
+    if (statement[index] === "-" && statement[index + 1] === "-") {
+      index = skipLineComment(statement, index + 2);
       continue;
     }
-    existing.count += 1;
-    if (source && !existing.samples.includes(source)) {
-      existing.samples.push(source);
-    }
-  }
-  return [...grouped.values()].sort((left, right) => {
-    if (right.count !== left.count) return right.count - left.count;
-    return left.message.localeCompare(right.message);
-  });
-}
-function printCompactSummary(logger4, title, rawItems, topLimit) {
-  if (rawItems.length === 0) {
-    return;
-  }
-  const findingSummary = buildCompactFindingSummary(rawItems);
-  const top = findingSummary.slice(0, Math.max(1, topLimit));
-  logger4.warn(`
-${title} (total ${rawItems.length} item(s), ${top.length} reason pattern(s))`);
-  for (const finding of top) {
-    logger4.info(`  - ${finding.count}x ${finding.message}`);
-    if (finding.samples.length > 0) {
-      logger4.info(`      samples:`);
-      for (const sample of finding.samples.slice(0, 2)) {
-        logger4.info(`      - ${sample}`);
-      }
+    if (statement[index] === "/" && statement[index + 1] === "*") {
+      index = skipBlockComment(statement, index + 2);
+      continue;
     }
+    break;
   }
-  const extra = findingSummary.length - top.length;
-  if (extra > 0) {
-    logger4.info(`  ... and ${extra} more reason patterns`);
-  }
-}
-
-// src/commands/db/commands/db-sync/boundary-classifier.ts
-function isBoundaryRelevantDdlStatement(statement) {
-  return /^\s*(?:CREATE|ALTER|DROP|RENAME|TRUNCATE|COMMENT)\b/i.test(statement);
+  return index;
 }
-function isPlanBoundaryAmbiguous(statement) {
-  const trimmed = statement.trim();
-  if (!trimmed) return false;
-  if (/^\s*--/.test(trimmed)) return false;
-  return isBoundaryRelevantDdlStatement(trimmed);
+function getPreviousWord(statement, start) {
+  let index = start - 1;
+  while (index >= 0 && isWhitespaceChar(statement[index] ?? "")) index -= 1;
+  if (index < 0 || !isWordChar(statement[index] ?? "")) return "";
+  const end = index;
+  while (index >= 0 && isWordChar(statement[index] ?? "")) index -= 1;
+  return statement.slice(index + 1, end + 1).toUpperCase();
 }
-function classifyUnknownObjectBoundary(file, object, fileType, policy) {
-  const inDeclarative = policy.declarativePreferredObjects.has(object);
-  const inIdempotent = policy.idempotentPreferredObjects.has(object);
-  if (fileType === "declarative") {
-    if (inIdempotent && !inDeclarative) {
-      return {
-        file,
-        level: "high",
-        message: `Object "${object}" is idempotent-preferred and should be in supabase/schemas/idempotent`
-      };
-    }
-    if (!inDeclarative && !inIdempotent) {
-      return {
-        file,
-        level: "medium",
-        message: `Unrecognized declarative object "${object}" detected; review placement (runtime/setup candidate)`
-      };
-    }
-    return null;
-  }
-  if (inDeclarative && !inIdempotent) {
+function parseDollarQuotedLiteral(statement, start) {
+  if (statement[start] !== "$") return null;
+  let tagEnd = start + 1;
+  if (tagEnd >= statement.length) return null;
+  if (statement[tagEnd] === "$") {
+    const delimiter2 = "$$";
+    const bodyStart2 = tagEnd + 1;
+    const bodyEnd2 = statement.indexOf(delimiter2, bodyStart2);
+    if (bodyEnd2 < 0) return null;
     return {
-      file,
-      level: "high",
-      message: `Object "${object}" is declarative-preferred and should be in supabase/schemas/declarative`
+      body: statement.slice(bodyStart2, bodyEnd2),
+      next: bodyEnd2 + delimiter2.length
     };
   }
-  if (!inDeclarative && !inIdempotent) {
-    return {
-      file,
-      level: "high",
-      message: `Unrecognized idempotent object "${object}" detected; review placement (likely declarative SSOT object)`
-    };
+  const firstChar = statement[tagEnd];
+  if (!firstChar || !/[A-Za-z_]/.test(firstChar)) return null;
+  while (tagEnd < statement.length && /[A-Za-z0-9_]/.test(statement[tagEnd] ?? "")) {
+    tagEnd += 1;
   }
-  return null;
+  if (statement[tagEnd] !== "$") return null;
+  const tag = statement.slice(start + 1, tagEnd);
+  const delimiter = `$${tag}$`;
+  const bodyStart = tagEnd + 1;
+  const bodyEnd = statement.indexOf(delimiter, bodyStart);
+  if (bodyEnd < 0) return null;
+  return {
+    body: statement.slice(bodyStart, bodyEnd),
+    next: bodyEnd + delimiter.length
+  };
 }
-function matchesRiskRule(rule, statement) {
-  return typeof rule.pattern === "function" ? rule.pattern(statement) : rule.pattern.test(statement);
+function parseSingleQuotedLiteral(statement, start) {
+  if (statement[start] !== "'") return null;
+  let index = start + 1;
+  let body = "";
+  while (index < statement.length) {
+    const char = statement[index];
+    const next = statement[index + 1] ?? "";
+    if (char === "'") {
+      if (next === "'") {
+        body += "'";
+        index += 2;
+        continue;
+      }
+      return { body, next: index + 1 };
+    }
+    if (char === "\\" && index + 1 < statement.length) {
+      body += next;
+      index += 2;
+      continue;
+    }
+    body += char;
+    index += 1;
+  }
+  return null;
+}
+function parsePotentialEmbeddedSqlLiteral(statement, start, fragments) {
+  const index = skipWhitespaceAndComments(statement, start);
+  if (index >= statement.length) return index;
+  const maybePrefix = (statement[index] ?? "").toUpperCase();
+  if (maybePrefix === "E" && statement[index + 1] === "'") {
+    const parsed = parseSingleQuotedLiteral(statement, index + 1);
+    if (parsed && parsed.body.trim().length > 0) {
+      fragments.push(parsed.body);
+      return parsed.next;
+    }
+    return index + 1;
+  }
+  const parsedDollar = parseDollarQuotedLiteral(statement, index);
+  if (parsedDollar) {
+    if (parsedDollar.body.trim().length > 0) fragments.push(parsedDollar.body);
+    return parsedDollar.next;
+  }
+  if (statement[index] === "'") {
+    const parsed = parseSingleQuotedLiteral(statement, index);
+    if (parsed && parsed.body.trim().length > 0) {
+      fragments.push(parsed.body.replace(/\\'/g, "'"));
+      return parsed.next;
+    }
+    return index + 1;
+  }
+  return index + 1;
+}
+var EMBEDDABLE_SQL_HINT_WORDS = /* @__PURE__ */ new Set(["DO", "AS", "EXECUTE", "FORMAT"]);
+var EMBEDDABLE_SQL_MAX_RECURSION_DEPTH = 3;
+var PLPGSQL_RECURSIVE_PATTERN = /\b(?:DO|EXECUTE|FORMAT)\b/i;
+function shouldRecurseIntoEmbeddableFragment(statement) {
+  return PLPGSQL_RECURSIVE_PATTERN.test(statement);
+}
+function createFragmentCollector(fragments, depth, maxDepth, seen) {
+  return (fragment) => {
+    const candidate = fragment.trim();
+    if (!candidate) return;
+    if (!seen.has(candidate)) {
+      seen.add(candidate);
+      fragments.push(candidate);
+    }
+    if (depth < maxDepth && shouldRecurseIntoEmbeddableFragment(candidate)) {
+      collectEmbeddableSqlFragments(candidate, fragments, depth + 1, maxDepth, seen);
+    }
+  };
+}
+function tryAdvanceWithinQuotedText(normalized, state) {
+  const char = normalized[state.index];
+  if (!char) return false;
+  if (state.inSingleQuote) {
+    if (char === "'" && normalized[state.index + 1] === "'") {
+      state.index += 2;
+      return true;
+    }
+    if (char === "'") {
+      state.inSingleQuote = false;
+    }
+    state.index += 1;
+    return true;
+  }
+  if (state.inDoubleQuote) {
+    if (char === '"' && normalized[state.index + 1] === '"') {
+      state.index += 2;
+      return true;
+    }
+    if (char === '"') {
+      state.inDoubleQuote = false;
+    }
+    state.index += 1;
+    return true;
+  }
+  return false;
+}
+function tryAdvanceComment(normalized, state) {
+  if (normalized[state.index] === "-" && normalized[state.index + 1] === "-") {
+    state.index = skipLineComment(normalized, state.index + 2);
+    return true;
+  }
+  if (normalized[state.index] === "/" && normalized[state.index + 1] === "*") {
+    state.index = skipBlockComment(normalized, state.index + 2);
+    return true;
+  }
+  return false;
+}
+function tryEnterQuotedText(normalized, state) {
+  if (normalized[state.index] === "'") {
+    state.inSingleQuote = true;
+    state.index += 1;
+    return true;
+  }
+  if (normalized[state.index] === '"') {
+    state.inDoubleQuote = true;
+    state.index += 1;
+    return true;
+  }
+  return false;
+}
+function tryConsumeDollarQuotedFragment(statement, state, addFragment) {
+  if (statement[state.index] !== "$") return false;
+  const parsedDollar = parseDollarQuotedLiteral(statement, state.index);
+  if (!parsedDollar) return false;
+  const previousWord = getPreviousWord(statement, state.index);
+  if (previousWord && EMBEDDABLE_SQL_HINT_WORDS.has(previousWord)) {
+    addFragment(parsedDollar.body);
+  }
+  state.index = parsedDollar.next;
+  return true;
+}
+function tryExtractExecuteFormatLiteral(statement, normalized, tokenEnd) {
+  let cursor = skipWhitespaceAndComments(statement, tokenEnd);
+  const maybeFormat = parseWordAt(normalized, cursor);
+  if (!maybeFormat || maybeFormat.value !== "FORMAT") return null;
+  cursor = skipWhitespaceAndComments(statement, maybeFormat.end);
+  if (statement[cursor] !== "(") return null;
+  const afterParen = skipWhitespaceAndComments(statement, cursor + 1);
+  const formatCapture = [];
+  const parsed = parsePotentialEmbeddedSqlLiteral(statement, afterParen, formatCapture);
+  if (parsed <= afterParen || formatCapture.length === 0) return null;
+  return { fragment: formatCapture[0] ?? "", nextIndex: parsed };
+}
+function tryExtractExecuteLiteral(statement, tokenEnd) {
+  const cursor = skipWhitespaceAndComments(statement, tokenEnd);
+  const executeCapture = [];
+  const parsed = parsePotentialEmbeddedSqlLiteral(statement, cursor, executeCapture);
+  if (parsed <= cursor || executeCapture.length === 0) return null;
+  return { fragment: executeCapture[0] ?? "", nextIndex: parsed };
+}
+function tryConsumeWordToken(statement, normalized, state, addFragment) {
+  const token = parseWordAt(normalized, state.index);
+  if (!token) return false;
+  if (token.value !== "EXECUTE") {
+    state.index = token.end;
+    return true;
+  }
+  const formatLiteral = tryExtractExecuteFormatLiteral(statement, normalized, token.end);
+  if (formatLiteral) {
+    addFragment(formatLiteral.fragment);
+    state.index = formatLiteral.nextIndex;
+    return true;
+  }
+  const executeLiteral = tryExtractExecuteLiteral(statement, token.end);
+  if (executeLiteral) {
+    addFragment(executeLiteral.fragment);
+    state.index = executeLiteral.nextIndex;
+    return true;
+  }
+  state.index = token.end;
+  return true;
+}
+function collectEmbeddableSqlFragments(statement, fragments, depth, maxDepth, seen) {
+  if (!statement || statement.trim().length === 0) return;
+  if (depth > maxDepth) return;
+  const normalized = statement.toUpperCase();
+  const state = {
+    index: 0,
+    inSingleQuote: false,
+    inDoubleQuote: false
+  };
+  const addFragment = createFragmentCollector(fragments, depth, maxDepth, seen);
+  while (state.index < normalized.length) {
+    if (tryAdvanceWithinQuotedText(normalized, state)) continue;
+    if (tryAdvanceComment(normalized, state)) continue;
+    if (tryEnterQuotedText(normalized, state)) continue;
+    if (tryConsumeDollarQuotedFragment(statement, state, addFragment)) continue;
+    if (tryConsumeWordToken(statement, normalized, state, addFragment)) continue;
+    state.index += 1;
+  }
+}
+function extractEmbeddableSqlFragments(statement) {
+  const fragments = [];
+  collectEmbeddableSqlFragments(
+    statement,
+    fragments,
+    0,
+    EMBEDDABLE_SQL_MAX_RECURSION_DEPTH,
+    /* @__PURE__ */ new Set()
+  );
+  return dedupeAndSort(fragments);
+}
+function normalizeSqlForPlacementCheck(content) {
+  return blankDollarQuotedBodies(stripSqlComments(content)).toUpperCase();
+}
+function isPartitionOfCreateTable(statement) {
+  return /\bPARTITION\s+OF\b/.test(statement);
+}
+function dedupeAndSort(lines) {
+  const seen = /* @__PURE__ */ new Set();
+  return [...lines].sort((a, b) => a.localeCompare(b)).filter((line) => {
+    if (seen.has(line)) return false;
+    seen.add(line);
+    return true;
+  });
+}
+
+// src/commands/db/commands/db-sync/risk-reporter.ts
+init_esm_shims();
+
+// src/commands/db/commands/db-sync/types.ts
+init_esm_shims();
+var DIRECTORY_RISK_ORDER = ["high", "medium", "low"];
+var PLAN_BOUNDARY_CONTEXT_FILE = "pg-schema-diff plan.sql";
+var GRANT_STATEMENT_RULE_TEXT = "Grant/REVOKE statements are usually idempotent/bootstrap ACL setup and should be treated as such";
+
+// src/commands/db/commands/db-sync/risk-reporter.ts
+var DIRECTORY_RISK_WEIGHT = {
+  high: 3,
+  medium: 2,
+  low: 1
+};
+function getDirectoryRiskWeight(level) {
+  return DIRECTORY_RISK_WEIGHT[level];
+}
+function compareDirectoryRiskPriority(left, right) {
+  const weightDelta = getDirectoryRiskWeight(left.level) - getDirectoryRiskWeight(right.level);
+  if (weightDelta !== 0) {
+    return weightDelta;
+  }
+  const leftLine = left.line ?? 0;
+  const rightLine = right.line ?? 0;
+  if (leftLine !== rightLine) {
+    return leftLine - rightLine;
+  }
+  return left.message.localeCompare(right.message);
+}
+function selectHighestPriorityRisk(entries) {
+  if (entries.length === 0) return void 0;
+  const byPriority = [...entries].sort((left, right) => {
+    const priorityDelta = compareDirectoryRiskPriority(right, left);
+    if (priorityDelta !== 0) return priorityDelta;
+    const leftMessage = left.message.toLowerCase();
+    const rightMessage = right.message.toLowerCase();
+    return leftMessage.localeCompare(rightMessage);
+  });
+  return byPriority[0];
+}
+function buildDirectoryRiskKey(entry) {
+  return `${entry.level}:${entry.file}:${entry.line ?? 0}:${entry.message}`;
+}
+function dedupeDirectoryRisksBySeverity(entries) {
+  const byLocationAndMessage = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    const key = `${entry.file}:${entry.line ?? 0}:${entry.message}`;
+    const existing = byLocationAndMessage.get(key);
+    if (!existing || getDirectoryRiskWeight(entry.level) > getDirectoryRiskWeight(existing.level)) {
+      byLocationAndMessage.set(key, entry);
+    }
+  }
+  return [...byLocationAndMessage.values()].sort((left, right) => {
+    const priorityDelta = getDirectoryRiskWeight(right.level) - getDirectoryRiskWeight(left.level);
+    if (priorityDelta !== 0) return priorityDelta;
+    const levelDelta = DIRECTORY_RISK_ORDER.indexOf(right.level) - DIRECTORY_RISK_ORDER.indexOf(left.level);
+    if (levelDelta !== 0) return levelDelta;
+    const leftLine = left.line ?? 0;
+    const rightLine = right.line ?? 0;
+    if (leftLine !== rightLine) return leftLine - rightLine;
+    return left.message.localeCompare(right.message);
+  });
+}
+function printList(title, items, logger4) {
+  if (items.length === 0) return;
+  logger4.warn(`
+${title} (${items.length}):`);
+  for (const item of items) {
+    logger4.info(`  \u2022 ${item}`);
+  }
+}
+function stripCommonPrefix(filePath) {
+  return filePath.startsWith(process.cwd()) ? filePath.replace(`${process.cwd()}/`, "") : filePath;
+}
+function formatDeclarativeRiskMessage(risk) {
+  const line = risk.line ? `:${risk.line}` : "";
+  return `${stripCommonPrefix(risk.file)}${line} ${risk.description}${risk.mitigation ? ` | Fix: ${risk.mitigation}` : ""}`;
+}
+function buildCompactFindingSummary(rawItems) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const item of rawItems) {
+    const withoutPrefix = item.replace(/^\s*\[[^\]]+\]\s*/, "");
+    const delimiter = ": ";
+    const separator = withoutPrefix.indexOf(delimiter);
+    if (separator <= 0) {
+      const existing2 = grouped.get(withoutPrefix);
+      if (!existing2) {
+        grouped.set(withoutPrefix, { message: withoutPrefix, count: 1, samples: [] });
+      } else {
+        existing2.count += 1;
+      }
+      continue;
+    }
+    const source = withoutPrefix.slice(0, separator).trim();
+    const message = withoutPrefix.slice(separator + delimiter.length).trim();
+    const existing = grouped.get(message);
+    if (!existing) {
+      grouped.set(message, { message, count: 1, samples: source ? [source] : [] });
+      continue;
+    }
+    existing.count += 1;
+    if (source && !existing.samples.includes(source)) {
+      existing.samples.push(source);
+    }
+  }
+  return [...grouped.values()].sort((left, right) => {
+    if (right.count !== left.count) return right.count - left.count;
+    return left.message.localeCompare(right.message);
+  });
+}
+function printCompactSummary(logger4, title, rawItems, topLimit) {
+  if (rawItems.length === 0) {
+    return;
+  }
+  const findingSummary = buildCompactFindingSummary(rawItems);
+  const top = findingSummary.slice(0, Math.max(1, topLimit));
+  logger4.warn(`
+${title} (total ${rawItems.length} item(s), ${top.length} reason pattern(s))`);
+  for (const finding of top) {
+    logger4.info(`  - ${finding.count}x ${finding.message}`);
+    if (finding.samples.length > 0) {
+      logger4.info(`      samples:`);
+      for (const sample of finding.samples.slice(0, 2)) {
+        logger4.info(`      - ${sample}`);
+      }
+    }
+  }
+  const extra = findingSummary.length - top.length;
+  if (extra > 0) {
+    logger4.info(`  ... and ${extra} more reason patterns`);
+  }
+}
+
+// src/commands/db/commands/db-sync/boundary-classifier.ts
+function isBoundaryRelevantDdlStatement(statement) {
+  return /^\s*(?:CREATE|ALTER|DROP|RENAME|TRUNCATE|COMMENT)\b/i.test(statement);
+}
+function isPlanBoundaryAmbiguous(statement) {
+  const trimmed = statement.trim();
+  if (!trimmed) return false;
+  if (/^\s*--/.test(trimmed)) return false;
+  return isBoundaryRelevantDdlStatement(trimmed);
+}
+function classifyUnknownObjectBoundary(file, object, fileType, policy) {
+  const inDeclarative = policy.declarativePreferredObjects.has(object);
+  const inIdempotent = policy.idempotentPreferredObjects.has(object);
+  if (fileType === "declarative") {
+    if (inIdempotent && !inDeclarative) {
+      return {
+        file,
+        level: "high",
+        message: `Object "${object}" is idempotent-preferred and should be in supabase/schemas/idempotent`
+      };
+    }
+    if (!inDeclarative && !inIdempotent) {
+      return {
+        file,
+        level: "medium",
+        message: `Unrecognized declarative object "${object}" detected; review placement (runtime/setup candidate)`
+      };
+    }
+    return null;
+  }
+  if (inDeclarative && !inIdempotent) {
+    return {
+      file,
+      level: "high",
+      message: `Object "${object}" is declarative-preferred and should be in supabase/schemas/declarative`
+    };
+  }
+  if (!inDeclarative && !inIdempotent) {
+    return {
+      file,
+      level: "high",
+      message: `Unrecognized idempotent object "${object}" detected; review placement (likely declarative SSOT object)`
+    };
+  }
+  return null;
+}
+function matchesRiskRule(rule, statement) {
+  return typeof rule.pattern === "function" ? rule.pattern(statement) : rule.pattern.test(statement);
 }
 function collectRuleBasedCandidates(params) {
   const candidates = [];
@@ -3557,12 +3950,18 @@ function classifyIdempotentMisplacementRisk(file, content, boundaryPolicy) {
     skipUnknown: (statement, unknownObject) => isPartitionOfCreateTable(statement) && unknownObject === "TABLE"
   });
 }
+var DYNAMIC_SQL_DOWNGRADEABLE_PATTERNS = [
+  "Function DDL should be in declarative",
+  "Trigger DDL should be in declarative"
+];
+var DROP_IF_EXISTS_CLEANUP = /^\s*DROP\s+(?:FUNCTION|TRIGGER|VIEW|INDEX|POLICY|TYPE|SEQUENCE)\s+IF\s+EXISTS\b/i;
 function classifyFileMisplacementRisks(params) {
   const risks = [];
   const relative2 = path12.relative(process.cwd(), params.file);
   const normalized = normalizeSqlForPlacementCheck(params.content);
   const statements = splitSqlStatements(normalized);
   const seenMessages = /* @__PURE__ */ new Set();
+  const hasAllowDynamicSqlAnnotation = params.fileType === "idempotent" && ALLOW_DYNAMIC_SQL_ANNOTATION.test(params.content);
   for (const { statement, line } of statements) {
     const candidates = collectRuleBasedCandidates({
       statement,
@@ -3584,6 +3983,14 @@ function classifyFileMisplacementRisks(params) {
     }
     const best = selectHighestPriorityRisk(candidates);
     if (!best) continue;
+    if (params.fileType === "idempotent") {
+      if (DROP_IF_EXISTS_CLEANUP.test(statement)) {
+        best.level = "low";
+      }
+      if (hasAllowDynamicSqlAnnotation && DYNAMIC_SQL_DOWNGRADEABLE_PATTERNS.some((p) => best.message.includes(p))) {
+        best.level = "low";
+      }
+    }
     const key = buildDirectoryRiskKey(best);
     if (seenMessages.has(key)) continue;
     seenMessages.add(key);
@@ -3789,7 +4196,7 @@ init_esm_shims();
 var riskDetectorLoader = null;
 function loadRiskDetectorModule() {
   if (!riskDetectorLoader) {
-    riskDetectorLoader = import('./risk-detector-S7XQF4I2.js').then((module) => ({
+    riskDetectorLoader = import('./risk-detector-GDDLISVE.js').then((module) => ({
       detectSchemaRisks: module.detectSchemaRisks
     })).catch((error) => {
       riskDetectorLoader = null;
@@ -4388,9 +4795,10 @@ var reconcile = fromPromise(
       } catch {
       }
       const idempotentTables = extractTablesFromIdempotentSql(idempotentSqlDir);
-      if (idempotentTables.length > 0) {
+      const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(idempotentSqlDir);
+      if (idempotentTables.length > 0 || dynamicPatterns.length > 0) {
         excludeFromOrphanDetection = [
-          .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables])
+          .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables, ...dynamicPatterns])
         ];
       }
       const diff = diffSchema({
@@ -4883,357 +5291,150 @@ var dbSyncMachine = setup({
       meta: { e2e: e2eMeta.preflight },
       invoke: {
         src: "preflight",
-        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
-        onDone: [
-          {
-            guard: ({ event }) => event.output.passed === false,
-            target: "failed",
-            actions: assign({
-              error: ({ event }) => event.output.error ?? "Preflight failed"
-            })
-          },
-          {
-            target: "snapshot",
-            actions: assign({ preflightPassed: true })
-          }
-        ],
-        onError: {
-          target: "failed",
-          actions: assign({
-            error: ({ event }) => event.error instanceof Error ? event.error.message : "Preflight failed"
-          })
-        }
-      }
-    },
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 4: Snapshot (optional)
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    snapshot: {
-      meta: { e2e: e2eMeta.snapshot },
-      invoke: {
-        src: "snapshot",
-        input: ({ context }) => ({
-          ctx: assertStepCtx(context),
-          autoSnapshot: context.stepCtx?.autoSnapshot ?? false
-        }),
-        onDone: {
-          target: "sync",
-          actions: assign({
-            snapshotCreated: ({ event }) => event.output.created
-          })
-        },
-        onError: {
-          // Non-critical, continue to sync
-          target: "sync",
-          actions: assign({ snapshotCreated: false })
-        }
-      }
-    },
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 5: Sync Schema
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    sync: {
-      meta: { e2e: e2eMeta.sync },
-      invoke: {
-        src: "syncSchema",
-        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
-        onDone: [
-          {
-            guard: ({ event }) => event.output.applied === false && event.output.error != null,
-            target: "report",
-            actions: assign({
-              applied: false,
-              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
-              stepsCompleted: ({ event }) => event.output.stepsCompleted,
-              error: ({ event }) => event.output.error ?? "Sync failed"
-            })
-          },
-          {
-            target: "report",
-            actions: assign({
-              applied: ({ event }) => event.output.applied,
-              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
-              stepsCompleted: ({ event }) => event.output.stepsCompleted
-            })
-          }
-        ],
-        onError: {
-          target: "report",
-          actions: assign({
-            applied: false,
-            applyCommitted: false,
-            error: ({ event }) => event.error instanceof Error ? event.error.message : "Sync failed"
-          })
-        }
-      }
-    },
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 6: Write Report
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    report: {
-      meta: { e2e: e2eMeta.report },
-      invoke: {
-        src: "writeReport",
-        input: ({ context }) => ({
-          ctx: assertStepCtx(context),
-          startTime: context.startTime,
-          stepsCompleted: context.stepsCompleted,
-          success: context.error == null,
-          error: context.error ?? void 0
-        }),
+        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
         onDone: [
           {
-            guard: ({ context }) => context.error != null,
+            guard: ({ event }) => event.output.passed === false,
             target: "failed",
-            actions: assign({ reportWritten: true })
+            actions: assign({
+              error: ({ event }) => event.output.error ?? "Preflight failed"
+            })
           },
           {
-            target: "done",
-            actions: assign({ reportWritten: true })
+            target: "snapshot",
+            actions: assign({ preflightPassed: true })
           }
         ],
         onError: {
           target: "failed",
-          actions: assign({ reportWritten: false })
+          actions: assign({
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Preflight failed"
+          })
         }
       }
     },
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Final States
+    // Step 4: Snapshot (optional)
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    done: {
-      meta: { e2e: e2eMeta.done },
-      type: "final"
-    },
-    failed: {
-      meta: { e2e: e2eMeta.failed },
-      type: "final"
-    }
-  },
-  output: ({ context }) => buildMachineOutput(context)
-});
-function getDbSyncStateName(snapshot2) {
-  return snapshot2.value;
-}
-function isDbSyncComplete(snapshot2) {
-  return snapshot2.status === "done";
-}
-function getDbSyncError(snapshot2) {
-  return snapshot2.context.error;
-}
-
-// src/commands/db/sync/guardrail-orchestrator.ts
-init_esm_shims();
-
-// src/commands/db/sync/schema-guardrail.ts
-init_esm_shims();
-
-// src/commands/db/sync/schema-guardrail-config.ts
-init_esm_shims();
-
-// src/commands/db/sync/schema-guardrail-config-test-support.ts
-init_esm_shims();
-function extractFirstStringMatch(content, fieldName) {
-  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*['"]([^'"]+)['"]`));
-  return match?.[1];
-}
-function extractFirstNumberMatch(content, fieldName) {
-  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*(-?\\d+(?:\\.\\d+)?)`));
-  if (!match?.[1]) {
-    return void 0;
-  }
-  const parsed = Number(match[1]);
-  return Number.isFinite(parsed) ? parsed : void 0;
-}
-function extractStringArrayMatch(content, fieldName) {
-  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*\\[([\\s\\S]*?)\\]`));
-  if (!match?.[1]) {
-    return [];
-  }
-  return Array.from(match[1].matchAll(/['"]([^'"]+)['"]/g), (entry) => entry[1] ?? "").filter(
-    (value) => value.length > 0
-  );
-}
-function extractNamedObjectBlock(content, fieldName) {
-  const nameMatch = new RegExp(`${fieldName}\\s*:\\s*\\{`).exec(content);
-  if (!nameMatch) {
-    return null;
-  }
-  const startIndex = nameMatch.index + nameMatch[0].length - 1;
-  let depth = 0;
-  for (let index = startIndex; index < content.length; index += 1) {
-    const current = content[index];
-    if (current === "{") {
-      depth += 1;
-    } else if (current === "}") {
-      depth -= 1;
-      if (depth === 0) {
-        return content.slice(startIndex + 1, index);
-      }
-    }
-  }
-  return null;
-}
-function extractAllowedDuplicateFunctions(content, normalizers) {
-  const match = content.match(/allowedDuplicateFunctions\s*:\s*\[([\s\S]*?)\]/);
-  if (!match?.[1]) {
-    return [];
-  }
-  const entries = [];
-  for (const objectMatch of match[1].matchAll(/\{([\s\S]*?)\}/g)) {
-    const objectBody = objectMatch[1] ?? "";
-    const qualifiedName = extractFirstStringMatch(objectBody, "qualifiedName");
-    const signature = extractFirstStringMatch(objectBody, "signature");
-    const reason = extractFirstStringMatch(objectBody, "reason");
-    if (!qualifiedName || !signature || !reason) {
-      continue;
-    }
-    entries.push({
-      qualifiedName: normalizers.normalizeFunctionQualifiedName(qualifiedName),
-      signature: normalizers.normalizeAllowlistSignature(signature),
-      reason,
-      declarativeFile: extractFirstStringMatch(objectBody, "declarativeFile"),
-      idempotentFile: extractFirstStringMatch(objectBody, "idempotentFile"),
-      expectedBodyHash: extractFirstStringMatch(objectBody, "expectedBodyHash")
-    });
-  }
-  return entries;
-}
-function tryLoadSchemaGuardrailConfigFromText(params) {
-  const configPath = findRunaConfig(params.targetDir);
-  if (!configPath || !existsSync(configPath)) {
-    return null;
-  }
-  try {
-    const content = readFileSync(configPath, "utf-8");
-    const schemaGuardrailsBlock = extractNamedObjectBlock(content, "schemaGuardrails") ?? "";
-    const pgSchemaDiffBlock = extractNamedObjectBlock(content, "pgSchemaDiff") ?? "";
-    return {
-      ...params.defaults,
-      declarativeSqlDir: extractFirstStringMatch(schemaGuardrailsBlock, "declarativeSqlDir") ?? params.defaults.declarativeSqlDir,
-      allowedDuplicateFunctions: extractAllowedDuplicateFunctions(
-        schemaGuardrailsBlock,
-        params.normalizers
-      ),
-      generatedHeaderRewriteTargets: params.normalizers.normalizeFileList(
-        extractStringArrayMatch(schemaGuardrailsBlock, "generatedHeaderRewriteTargets").map(
-          (value) => params.normalizers.normalizePathForMatch(value)
-        )
-      ),
-      semanticWarnings: {
-        threshold: extractFirstNumberMatch(schemaGuardrailsBlock, "threshold") ?? params.defaults.semanticWarnings.threshold,
-        maxCandidates: extractFirstNumberMatch(schemaGuardrailsBlock, "maxCandidates") ?? params.defaults.semanticWarnings.maxCandidates,
-        ignorePairs: new Set(
-          extractStringArrayMatch(schemaGuardrailsBlock, "ignorePairs").map(
-            (value) => params.normalizers.normalizeSuppressionPair(value)
-          )
-        )
-      },
-      tableHeaderMaxWidth: extractFirstNumberMatch(schemaGuardrailsBlock, "tableHeaderMaxWidth") ?? params.defaults.tableHeaderMaxWidth,
-      excludeFromOrphanDetection: extractStringArrayMatch(
-        pgSchemaDiffBlock,
-        "excludeFromOrphanDetection"
-      ),
-      idempotentSqlDir: extractFirstStringMatch(pgSchemaDiffBlock, "idempotentSqlDir") ?? params.defaults.idempotentSqlDir
-    };
-  } catch {
-    return null;
-  }
-}
-
-// src/commands/db/sync/schema-guardrail-config.ts
-var DEFAULT_TABLE_HEADER_MAX_WIDTH = 160;
-var DEFAULT_SEMANTIC_WARNING_THRESHOLD = 0.55;
-var DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES = 3;
-var GENERIC_SIMILARITY_COLUMNS = /* @__PURE__ */ new Set([
-  "id",
-  "created_at",
-  "updated_at",
-  "deleted_at",
-  "scope_id"
-]);
-function normalizePathForMatch(filePath) {
-  return filePath.replaceAll("\\", "/");
-}
-function normalizeFunctionQualifiedName(value) {
-  return value.trim().toLowerCase();
-}
-function normalizeAllowlistSignature(value) {
-  return value.replace(/\s+/g, " ").trim();
-}
-function normalizeSuppressionPair(value) {
-  return value.split("::").map((part) => part.trim().toLowerCase()).filter((part) => part.length > 0).sort((left, right) => left.localeCompare(right)).join("::");
-}
-function normalizeFileList(files) {
-  return [...new Set(files)].sort((a, b) => a.localeCompare(b));
-}
-function isSchemaGuardrailTextFallbackAllowed() {
-  return Boolean(process.env.VITEST);
-}
-function createDefaultSchemaGuardrailConfig() {
-  return {
-    declarativeSqlDir: "supabase/schemas/declarative",
-    allowedDuplicateFunctions: [],
-    generatedHeaderRewriteTargets: [],
-    semanticWarnings: {
-      threshold: DEFAULT_SEMANTIC_WARNING_THRESHOLD,
-      maxCandidates: DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES,
-      ignorePairs: /* @__PURE__ */ new Set()
-    },
-    tableHeaderMaxWidth: DEFAULT_TABLE_HEADER_MAX_WIDTH,
-    excludeFromOrphanDetection: [],
-    idempotentSqlDir: "supabase/schemas/idempotent"
-  };
-}
-function loadSchemaGuardrailConfig(targetDir) {
-  const defaults = createDefaultSchemaGuardrailConfig();
-  try {
-    const config = loadRunaConfig(targetDir);
-    const databaseConfig = config.database ?? {};
-    return {
-      declarativeSqlDir: databaseConfig.schemaGuardrails?.declarativeSqlDir ?? defaults.declarativeSqlDir,
-      allowedDuplicateFunctions: databaseConfig.schemaGuardrails?.allowedDuplicateFunctions?.map((entry) => ({
-        ...entry,
-        qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
-        signature: normalizeAllowlistSignature(entry.signature),
-        declarativeFile: entry.declarativeFile ? normalizePathForMatch(entry.declarativeFile) : void 0,
-        idempotentFile: entry.idempotentFile ? normalizePathForMatch(entry.idempotentFile) : void 0
-      })) ?? [],
-      generatedHeaderRewriteTargets: normalizeFileList(
-        (databaseConfig.schemaGuardrails?.generatedHeaderRewriteTargets ?? []).map(
-          (value) => normalizePathForMatch(value)
-        )
-      ),
-      semanticWarnings: {
-        threshold: databaseConfig.schemaGuardrails?.semanticWarnings?.threshold ?? defaults.semanticWarnings.threshold,
-        maxCandidates: databaseConfig.schemaGuardrails?.semanticWarnings?.maxCandidates ?? defaults.semanticWarnings.maxCandidates,
-        ignorePairs: new Set(
-          (databaseConfig.schemaGuardrails?.semanticWarnings?.ignorePairs ?? []).map(
-            (value) => normalizeSuppressionPair(value)
-          )
-        )
-      },
-      tableHeaderMaxWidth: databaseConfig.schemaGuardrails?.tableHeaderMaxWidth ?? defaults.tableHeaderMaxWidth,
-      excludeFromOrphanDetection: databaseConfig.pgSchemaDiff?.excludeFromOrphanDetection ?? [],
-      idempotentSqlDir: databaseConfig.pgSchemaDiff?.idempotentSqlDir ?? defaults.idempotentSqlDir
-    };
-  } catch (error) {
-    if (isSchemaGuardrailTextFallbackAllowed()) {
-      return tryLoadSchemaGuardrailConfigFromText({
-        targetDir,
-        defaults,
-        normalizers: {
-          normalizeAllowlistSignature,
-          normalizeFileList,
-          normalizeFunctionQualifiedName,
-          normalizePathForMatch,
-          normalizeSuppressionPair
+    snapshot: {
+      meta: { e2e: e2eMeta.snapshot },
+      invoke: {
+        src: "snapshot",
+        input: ({ context }) => ({
+          ctx: assertStepCtx(context),
+          autoSnapshot: context.stepCtx?.autoSnapshot ?? false
+        }),
+        onDone: {
+          target: "sync",
+          actions: assign({
+            snapshotCreated: ({ event }) => event.output.created
+          })
+        },
+        onError: {
+          // Non-critical, continue to sync
+          target: "sync",
+          actions: assign({ snapshotCreated: false })
         }
-      }) ?? defaults;
+      }
+    },
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    // Step 5: Sync Schema
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    sync: {
+      meta: { e2e: e2eMeta.sync },
+      invoke: {
+        src: "syncSchema",
+        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
+        onDone: [
+          {
+            guard: ({ event }) => event.output.applied === false && event.output.error != null,
+            target: "report",
+            actions: assign({
+              applied: false,
+              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
+              stepsCompleted: ({ event }) => event.output.stepsCompleted,
+              error: ({ event }) => event.output.error ?? "Sync failed"
+            })
+          },
+          {
+            target: "report",
+            actions: assign({
+              applied: ({ event }) => event.output.applied,
+              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
+              stepsCompleted: ({ event }) => event.output.stepsCompleted
+            })
+          }
+        ],
+        onError: {
+          target: "report",
+          actions: assign({
+            applied: false,
+            applyCommitted: false,
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Sync failed"
+          })
+        }
+      }
+    },
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    // Step 6: Write Report
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    report: {
+      meta: { e2e: e2eMeta.report },
+      invoke: {
+        src: "writeReport",
+        input: ({ context }) => ({
+          ctx: assertStepCtx(context),
+          startTime: context.startTime,
+          stepsCompleted: context.stepsCompleted,
+          success: context.error == null,
+          error: context.error ?? void 0
+        }),
+        onDone: [
+          {
+            guard: ({ context }) => context.error != null,
+            target: "failed",
+            actions: assign({ reportWritten: true })
+          },
+          {
+            target: "done",
+            actions: assign({ reportWritten: true })
+          }
+        ],
+        onError: {
+          target: "failed",
+          actions: assign({ reportWritten: false })
+        }
+      }
+    },
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    // Final States
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    done: {
+      meta: { e2e: e2eMeta.done },
+      type: "final"
+    },
+    failed: {
+      meta: { e2e: e2eMeta.failed },
+      type: "final"
     }
-    throw error;
-  }
+  },
+  output: ({ context }) => buildMachineOutput(context)
+});
+function getDbSyncStateName(snapshot2) {
+  return snapshot2.value;
+}
+function isDbSyncComplete(snapshot2) {
+  return snapshot2.status === "done";
 }
+function getDbSyncError(snapshot2) {
+  return snapshot2.context.error;
+}
+
+// src/commands/db/sync/guardrail-orchestrator.ts
+init_esm_shims();
+
+// src/commands/db/sync/schema-guardrail.ts
+init_esm_shims();
 
 // src/commands/db/sync/schema-guardrail-graph.ts
 init_esm_shims();
@@ -5266,8 +5467,13 @@ function loadExtraTableFilters(targetDir) {
   const idempotentManagedTables = new Set(
     extractTablesFromIdempotentSql(idempotentDirectory, targetDir)
   );
+  const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(
+    idempotentDirectory,
+    targetDir
+  );
+  const allExclusions = [...config.excludeFromOrphanDetection, ...dynamicPatterns];
   return {
-    exclusionMatcher: buildTablePatternMatcher(config.excludeFromOrphanDetection),
+    exclusionMatcher: buildTablePatternMatcher(allExclusions),
     idempotentManagedTables
   };
 }
@@ -5480,24 +5686,36 @@ function collectExecuteOccurrencesFromBody(body, startLine) {
   }
   return occurrences.sort((left, right) => left.line - right.line);
 }
+var PARTITION_INFRA_PATTERNS = [
+  /\bPARTITION\b/i,
+  /\bATTACH\b/i,
+  /\bDETACH\b/i,
+  /\bCREATE\s+TABLE\s+IF\s+NOT\s+EXISTS\b/i,
+  /\bdefault\s*partition\b/i,
+  /\brange_partition\b/i
+];
+function isPartitionInfrastructure(body) {
+  return PARTITION_INFRA_PATTERNS.some((pattern) => pattern.test(body));
+}
 function createDynamicSqlBlockersForStatement(params) {
   const body = extractFirstDollarBody(params.statement, params.line);
   if (!body) {
     return [];
   }
   const executeOccurrences = collectExecuteOccurrencesFromBody(body.body, body.startLine);
+  const isInfra = isPartitionInfrastructure(body.body);
   return executeOccurrences.map((occurrence) => ({
-    kind: "dynamic-sql",
+    kind: isInfra ? "dynamic-sql-infra" : "dynamic-sql",
     sourceFile: params.sourceFile,
     line: occurrence.line,
     target: "EXECUTE",
-    details: occurrence.hasStaticLiteral ? "EXECUTE in SQL bodies is blocked locally. Replace it with direct guarded calls or static SQL." : "Unresolved dynamic EXECUTE is blocked locally. Replace it with explicit static SQL or explicit allowlisted statements."
+    details: isInfra ? "Dynamic SQL detected in partition/DDL infrastructure helper. Add `-- runa:allow-dynamic-sql reason: partition-helper` to suppress." : occurrence.hasStaticLiteral ? "EXECUTE in SQL bodies is blocked locally. Replace it with direct guarded calls or static SQL." : "Unresolved dynamic EXECUTE is blocked locally. Replace it with explicit static SQL or explicit allowlisted statements."
   }));
 }
 function buildDynamicSqlBlockers(params) {
   const blockers = [];
-  const allFiles = [...params.sources.declarativeFiles, ...params.sources.idempotentFiles];
-  for (const file of allFiles) {
+  for (const file of params.sources.declarativeFiles) {
+    if (ALLOW_DYNAMIC_SQL_ANNOTATION.test(file.content)) continue;
     for (const parsed of splitSqlStatements(file.content)) {
       blockers.push(
         ...createDynamicSqlBlockersForStatement({
@@ -5508,6 +5726,21 @@ function buildDynamicSqlBlockers(params) {
       );
     }
   }
+  for (const file of params.sources.idempotentFiles) {
+    if (ALLOW_DYNAMIC_SQL_ANNOTATION.test(file.content)) continue;
+    for (const parsed of splitSqlStatements(file.content)) {
+      const stmtBlockers = createDynamicSqlBlockersForStatement({
+        sourceFile: file.relativePath,
+        statement: parsed.statement,
+        line: parsed.line
+      });
+      for (const blocker of stmtBlockers) {
+        blocker.kind = "dynamic-sql-infra";
+        blocker.details = `${blocker.details} (idempotent file \u2014 add \`-- runa:allow-dynamic-sql reason: <role>\` if this is intentional infrastructure, e.g. partition-helper, runtime-infrastructure, compatibility-bootstrap)`;
+      }
+      blockers.push(...stmtBlockers);
+    }
+  }
   return stableSorted2(blockers, (value) => `${value.sourceFile}:${value.line ?? 0}:${value.kind}`);
 }
 function buildLocalBlindSpotBlockers(params) {
@@ -5522,7 +5755,7 @@ function buildLocalBlindSpotBlockers(params) {
     }),
     ...buildExtensionPlacementBlockers({
       sources: params.sources,
-      requiredFile: path12.posix.join("supabase", "schemas", "idempotent", "00_extensions.sql")
+      requiredFile: detectExtensionFilePath()
     })
   ];
   return stableSorted2(
@@ -5805,37 +6038,6 @@ function buildFunctionBodyHashMap(files, layer) {
   }
   return hashes;
 }
-function isAllowlistedDuplicateFunction(params) {
-  const { finding, allowlist, bodyHashes } = params;
-  if (!finding.signature) return false;
-  return allowlist.some((entry) => {
-    if (normalizeFunctionQualifiedName(entry.qualifiedName) !== normalizeFunctionQualifiedName(finding.qualifiedName)) {
-      return false;
-    }
-    if (normalizeAllowlistSignature(entry.signature) !== normalizeAllowlistSignature(finding.signature ?? "")) {
-      return false;
-    }
-    if (entry.declarativeFile && !finding.declarativeDefinitions.some(
-      (definition) => normalizePathForMatch(definition.file) === entry.declarativeFile
-    )) {
-      return false;
-    }
-    if (entry.idempotentFile && !finding.idempotentDefinitions.some(
-      (definition) => normalizePathForMatch(definition.file) === entry.idempotentFile
-    )) {
-      return false;
-    }
-    if (!entry.expectedBodyHash) {
-      return true;
-    }
-    const definitions = [...finding.declarativeDefinitions, ...finding.idempotentDefinitions];
-    if (definitions.length === 0) return false;
-    return definitions.every((definition) => {
-      const key = `${definition.layer}:${definition.file}:${definition.line}`;
-      return bodyHashes.get(key) === entry.expectedBodyHash;
-    });
-  });
-}
 function normalizeQualifiedObjectRef(schema, name, isFunctionCall) {
   return `${schema}.${name}${isFunctionCall ? "()" : ""}`;
 }
@@ -5917,6 +6119,19 @@ function buildManagedBoundaryMetadataByFile(files) {
 }
 
 // src/commands/db/sync/schema-guardrail-graph-nodes.ts
+function extractTriggerFunctionArgs(statement) {
+  const execMatch = statement.match(
+    /\bEXECUTE\s+(?:FUNCTION|PROCEDURE)\s+(?:(?:"[^"]+"|[A-Za-z_]\w*)\s*\.\s*)?(?:"[^"]+"|[A-Za-z_]\w*)\s*\(([^)]*)\)/i
+  );
+  if (!execMatch?.[1]) return [];
+  const argsText = execMatch[1].trim();
+  if (!argsText) return [];
+  return argsText.split(",").map((arg) => arg.trim()).map((arg) => {
+    const stringMatch = arg.match(/^'([^']*)'$/);
+    if (stringMatch) return stringMatch[1];
+    return null;
+  }).filter((arg) => arg !== null);
+}
 function parseCreateTriggerStatement(statement) {
   const triggerRegex = /^\s*CREATE\s+TRIGGER\s+(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))\s+(BEFORE|AFTER|INSTEAD\s+OF)\s+([\s\S]+?)\s+ON\s+(?:(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))\s*\.\s*)?(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))[\s\S]*?\bEXECUTE\s+(?:FUNCTION|PROCEDURE)\s+(?:(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))\s*\.\s*)?(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))/i;
   const match = statement.match(triggerRegex);
@@ -5933,13 +6148,15 @@ function parseCreateTriggerStatement(statement) {
   const schema = (match[5] ?? match[6] ?? "public").toLowerCase();
   const functionSchema = (match[9] ?? match[10] ?? "").toLowerCase();
   const functionName = (match[11] ?? match[12] ?? "").toLowerCase();
+  const functionArgs = extractTriggerFunctionArgs(statement);
   return {
     qualifiedTable: `${schema}.${table}`,
     trigger: {
       name: triggerName,
       timing,
       event,
-      functionName: functionName ? functionSchema ? `${functionSchema}.${functionName}` : functionName : void 0
+      functionName: functionName ? functionSchema ? `${functionSchema}.${functionName}` : functionName : void 0,
+      functionArgs: functionArgs.length > 0 ? functionArgs : void 0
     }
   };
 }
@@ -6902,6 +7119,114 @@ function buildBoundaryGuidanceWarnings(params) {
     (value) => `${value.sourceFile}.${value.kind}.${value.suggestedDeclarativeFile ?? ""}.${value.suggestedIdempotentFile ?? ""}.${value.target}`
   );
 }
+function extractCaseWhenBranches(functionBody) {
+  const branches = [];
+  const whenPattern = /\bWHEN\s+'([^']+)'/gi;
+  for (const match of functionBody.matchAll(whenPattern)) {
+    if (match[1]) branches.push(match[1].toLowerCase());
+  }
+  return [...new Set(branches)];
+}
+function escapeForRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function findFunctionBody(qualifiedName, sources) {
+  const rawName = qualifiedName.includes(".") ? qualifiedName.split(".")[1] : qualifiedName;
+  if (!rawName) return null;
+  const escaped = escapeForRegex(rawName);
+  const pattern = new RegExp(
+    `CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+(?:(?:"[^"]+"|\\w+)\\.)?(?:"?${escaped}"?)\\s*\\(`,
+    "i"
+  );
+  for (const file of [...sources.declarativeFiles, ...sources.idempotentFiles]) {
+    if (!pattern.test(file.content)) continue;
+    const bodyMatch = file.content.match(
+      new RegExp(
+        `CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+(?:(?:"[^"]+"|\\w+)\\.)?(?:"?${escaped}"?)\\s*\\([^)]*\\)[\\s\\S]*?\\$\\w*\\$([\\s\\S]*?)\\$\\w*\\$`,
+        "i"
+      )
+    );
+    if (bodyMatch?.[1]) return bodyMatch[1];
+  }
+  return null;
+}
+function buildTriggerDispatchGapWarnings(params) {
+  const argsByFunction = collectTriggerArgsByFunction(params.tableNodes);
+  return validateDispatchCoverage(argsByFunction, params.sources);
+}
+function collectTriggerArgsByFunction(tableNodes) {
+  const argsByFunction = /* @__PURE__ */ new Map();
+  for (const [, tableNode] of tableNodes) {
+    for (const trigger of tableNode.triggers) {
+      if (!trigger.functionName || !trigger.functionArgs?.length) continue;
+      for (const arg of trigger.functionArgs) {
+        const entries = argsByFunction.get(trigger.functionName) ?? [];
+        entries.push({
+          arg: arg.toLowerCase(),
+          triggerName: trigger.name,
+          table: tableNode.qualifiedName
+        });
+        argsByFunction.set(trigger.functionName, entries);
+      }
+    }
+  }
+  return argsByFunction;
+}
+function validateDispatchCoverage(argsByFunction, sources) {
+  const warnings = [];
+  for (const [functionName, triggerArgs] of argsByFunction) {
+    const body = findFunctionBody(functionName, sources);
+    if (!body || !/\bCASE\b/i.test(body)) continue;
+    const coveredBranches = extractCaseWhenBranches(body);
+    if (coveredBranches.length === 0) continue;
+    for (const { arg, triggerName, table } of triggerArgs) {
+      if (!coveredBranches.includes(arg)) {
+        warnings.push({
+          sourceFile: table,
+          kind: "trigger_dispatch_gap",
+          target: `${functionName}('${arg}')`,
+          reason: `Trigger "${triggerName}" on ${table} passes '${arg}' to ${functionName}(), but the function's CASE statement does not handle this value. Add a WHEN '${arg}' branch to prevent runtime errors.`
+        });
+      }
+    }
+  }
+  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+}
+var CREATE_INDEX_PATTERN = /^\s*CREATE\s+(?:UNIQUE\s+)?(?:INDEX\s+)?(?:CONCURRENTLY\s+)?(?:IF\s+NOT\s+EXISTS\s+)?(?:"([^"]+)"|([A-Za-z_]\w*))\s+ON\b/gim;
+function extractIndexNames(content) {
+  const names = /* @__PURE__ */ new Set();
+  CREATE_INDEX_PATTERN.lastIndex = 0;
+  for (const match of content.matchAll(CREATE_INDEX_PATTERN)) {
+    const name = (match[1] ?? match[2] ?? "").toLowerCase();
+    if (name) names.add(name);
+  }
+  return names;
+}
+function buildCrossLayerDuplicateIndexWarnings(sources) {
+  const declarativeIndexes = /* @__PURE__ */ new Map();
+  for (const file of sources.declarativeFiles) {
+    for (const name of extractIndexNames(file.content)) {
+      declarativeIndexes.set(name, file.relativePath);
+    }
+  }
+  const warnings = [];
+  for (const file of sources.idempotentFiles) {
+    for (const name of extractIndexNames(file.content)) {
+      const declarativeFile = declarativeIndexes.get(name);
+      if (declarativeFile) {
+        warnings.push({
+          sourceFile: file.relativePath,
+          kind: "trigger_function",
+          // reuse existing kind for index cross-layer
+          target: name,
+          suggestedDeclarativeFile: declarativeFile,
+          reason: `Index "${name}" is defined in both declarative (${declarativeFile}) and idempotent (${file.relativePath}). The idempotent copy is redundant \u2014 remove it or use a different index name.`
+        });
+      }
+    }
+  }
+  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+}
 
 // src/commands/db/sync/schema-guardrail-graph.ts
 function loadSqlSources(targetDir, config) {
@@ -7031,12 +7356,19 @@ async function buildStaticGraph(targetDir, config, sources) {
     runtimeTables: loadRuntimeTablesManifest(targetDir),
     config
   });
-  const boundaryGuidanceWarnings = buildBoundaryGuidanceWarnings({
-    fileNodes,
-    schemaNodes,
-    functionClaims,
-    ownerFileByTable
-  });
+  const boundaryGuidanceWarnings = [
+    ...buildBoundaryGuidanceWarnings({
+      fileNodes,
+      schemaNodes,
+      functionClaims,
+      ownerFileByTable
+    }),
+    ...buildTriggerDispatchGapWarnings({
+      tableNodes: tableNodesByName,
+      sources
+    }),
+    ...buildCrossLayerDuplicateIndexWarnings(sources)
+  ];
   const localBlindSpotBlockers = buildLocalBlindSpotBlockers({
     graph,
     sources,
@@ -7149,7 +7481,8 @@ function createCheckModePhases(report) {
           phase: "compare_generated_headers",
           details: {
             file: block.file,
-            target: block.target
+            target: block.target,
+            repair: "Run `runa db sync` to auto-regenerate headers"
           }
         }))
       })
@@ -7231,7 +7564,7 @@ function setFailure2(report, phase, code, message) {
 function stableSorted5(values, map) {
   return [...values].sort((a, b) => map(a).localeCompare(map(b)));
 }
-function normalizeFileList4(files) {
+function normalizeFileList3(files) {
   return [...new Set(files)].sort((a, b) => a.localeCompare(b));
 }
 function renderList(values) {
@@ -7716,7 +8049,7 @@ function rewriteManagedHeaders(params) {
       )
     };
   }
-  params.report.headersRewritten = normalizeFileList4(params.report.headersRewritten);
+  params.report.headersRewritten = normalizeFileList3(params.report.headersRewritten);
   params.report.rewritesRetainedOnDisk = params.report.headersRewritten.length > 0;
   params.report.staleBlocks = [];
   return null;
@@ -8073,7 +8406,7 @@ async function runProductionDdlOrderCheck(params) {
   }
   params.logger.info("\u{1F50D} Checking production DDL ordering...");
   try {
-    const { executePgSchemaDiffPlan } = await import('./pg-schema-diff-helpers-7377FS2D.js');
+    const { executePgSchemaDiffPlan } = await import('./pg-schema-diff-helpers-JZO4GAQG.js');
     const { planOutput } = executePgSchemaDiffPlan(
       productionUrl,
       schemasDir,
@@ -11416,6 +11749,62 @@ function formatImportImpactReport(report, changedSymbols) {
 // src/commands/db/commands/db-sync/production-precheck.ts
 init_esm_shims();
 
+// src/commands/db/utils/changed-files-detector.ts
+init_esm_shims();
+function detectDefaultBranch() {
+  const result = spawnSync("git", ["rev-parse", "--verify", "main"], {
+    timeout: 5e3,
+    encoding: "utf-8"
+  });
+  return result.status === 0 ? "main" : "master";
+}
+function getChangedSqlFiles() {
+  try {
+    const defaultBranch = detectDefaultBranch();
+    const mergeBase = spawnSync("git", ["merge-base", "HEAD", defaultBranch], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    let diffOutput;
+    if (mergeBase.status === 0 && mergeBase.stdout.trim()) {
+      const diff = spawnSync("git", ["diff", "--name-only", mergeBase.stdout.trim(), "HEAD"], {
+        timeout: 5e3,
+        encoding: "utf-8"
+      });
+      diffOutput = diff.stdout ?? "";
+    } else {
+      const diff = spawnSync("git", ["diff", "--name-only", "HEAD"], {
+        timeout: 5e3,
+        encoding: "utf-8"
+      });
+      diffOutput = diff.stdout ?? "";
+    }
+    const uncommitted = spawnSync("git", ["diff", "--name-only"], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    const staged = spawnSync("git", ["diff", "--name-only", "--cached"], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    const allChanged = [
+      ...diffOutput.split("\n"),
+      ...(uncommitted.stdout ?? "").split("\n"),
+      ...(staged.stdout ?? "").split("\n")
+    ].map((f) => f.trim()).filter((f) => f.length > 0 && f.endsWith(".sql"));
+    return [...new Set(allChanged)].sort();
+  } catch {
+    return [];
+  }
+}
+function classifyBlockerScope(blockerMessage, changedFiles) {
+  const fileMatch = blockerMessage.match(
+    /(supabase\/schemas\/(?:declarative|idempotent)\/[^\s:]+\.sql)/
+  );
+  if (!fileMatch) return "baseline";
+  return changedFiles.has(fileMatch[1]) ? "current-change" : "baseline";
+}
+
 // src/commands/db/commands/db-sync/plan-hazard-analyzer.ts
 init_esm_shims();
 function parseHazardType(hazard) {
@@ -11722,13 +12111,22 @@ async function collectLocalPrecheckBundle(strict) {
   const adjustedPlacementRisks = applyStrictModeToReport(placementRisks, strict);
   const adjustedExtensionRisks = applyStrictModeToReport(extensionRisks, strict);
   const duplicateOwnershipAnalysis = analyzeDuplicateFunctionOwnership(process.cwd());
-  const duplicateOwnershipBlockers = duplicateOwnershipAnalysis.findings.map((finding) => {
+  let guardrailAllowlist = [];
+  try {
+    guardrailAllowlist = loadSchemaGuardrailConfig(process.cwd()).allowedDuplicateFunctions;
+  } catch {
+  }
+  const duplicateOwnershipBlockers = filterAllowlistedDuplicateFunctions({
+    findings: duplicateOwnershipAnalysis.findings,
+    allowlist: guardrailAllowlist
+  }).map((finding) => {
     const formatted = formatDuplicateFunctionOwnershipFinding(finding);
     return [
       formatted.summary,
       `declarative=${formatted.declarativeLocations.join(", ")}`,
       `idempotent=${formatted.idempotentLocations.join(", ")}`,
-      formatted.suggestion
+      formatted.suggestion,
+      "Allowlist: runa.config.ts database.schemaGuardrails.allowedDuplicateFunctions"
     ].join(" | ");
   });
   const hasLocalBlockers = duplicateOwnershipBlockers.length > 0 || hasReportBlockers(adjustedPlacementRisks) || hasReportBlockers(adjustedDeclarativeRisks) || hasReportBlockers(adjustedIdempotentRisks) || hasReportBlockers(adjustedExtensionRisks);
@@ -11795,32 +12193,185 @@ function printLocalFindingCompactSummary(logger4, local, topLimit) {
     topLimit
   );
 }
+var APPLY_BLOCKER_PATTERNS = [
+  /Extension DDL/i,
+  /DROP.*CONCURRENTLY/i,
+  /DML.*declarative/i,
+  /DO.*maintenance/i,
+  /cross.*schema.*rls/i,
+  /auth\.\*.*direct.*reference/i,
+  /Duplicate function ownership/i
+];
+var INFRA_DYNAMIC_SQL_INDICATOR = /idempotent file/i;
+function isApplyBlocker(message) {
+  if (/EXECUTE|dynamic.*sql/i.test(message)) {
+    return !INFRA_DYNAMIC_SQL_INDICATOR.test(message);
+  }
+  return APPLY_BLOCKER_PATTERNS.some((pattern) => pattern.test(message));
+}
+function categorizeBlockers(blockers) {
+  const applyBlockers = [];
+  const architectureDebt = [];
+  for (const blocker of blockers) {
+    if (isApplyBlocker(blocker)) {
+      applyBlockers.push(blocker);
+    } else {
+      architectureDebt.push(blocker);
+    }
+  }
+  return { applyBlockers, architectureDebt };
+}
 function printLocalFindingDetailedReport(logger4, local) {
-  logFindingSection(
+  logLocalWarningsSections(logger4, local);
+  const allBlockers = collectAllBlockers(local);
+  const { applyBlockers, architectureDebt } = categorizeBlockers(allBlockers);
+  const changedFiles = new Set(getChangedSqlFiles());
+  if (changedFiles.size > 0) {
+    logScopedBlockers(logger4, applyBlockers, architectureDebt, changedFiles);
+  } else {
+    logUnscopedBlockers(logger4, applyBlockers, architectureDebt);
+  }
+}
+function logLocalWarningsSections(logger4, local) {
+  logFindingSection(logger4, "Declarative risk warnings:", local.adjustedDeclarativeRisks.warnings);
+  logFindingSection(logger4, "Idempotent risk warnings:", local.adjustedIdempotentRisks.warnings);
+  logFindingSection(logger4, "Placement warnings:", local.adjustedPlacementRisks.warnings);
+  logFindingSection(logger4, "Extension warnings:", local.adjustedExtensionRisks.warnings);
+}
+function collectAllBlockers(local) {
+  return [
+    ...local.duplicateOwnershipBlockers,
+    ...local.adjustedPlacementRisks.blockers,
+    ...local.adjustedDeclarativeRisks.blockers,
+    ...local.adjustedIdempotentRisks.blockers,
+    ...local.adjustedExtensionRisks.blockers
+  ];
+}
+function logScopedBlockers(logger4, applyBlockers, architectureDebt, changedFiles) {
+  const current = applyBlockers.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "current-change"
+  );
+  const baseline = applyBlockers.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "baseline"
+  );
+  const currentDebt = architectureDebt.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "current-change"
+  );
+  const baselineDebt = architectureDebt.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "baseline"
+  );
+  logBlockerGroup(
     logger4,
-    "Duplicate function ownership blockers:",
-    local.duplicateOwnershipBlockers
+    "error",
+    "[current change] Apply blockers",
+    current,
+    "fix before merging"
   );
-  logFindingSection(
+  logBlockerGroup(logger4, "warn", "[current change] Architecture debt", currentDebt);
+  logBlockerGroup(
     logger4,
-    "Risk checks on supabase/schemas/declarative/*.sql:",
-    local.adjustedDeclarativeRisks.warnings
+    "error",
+    "[repo baseline] Apply blockers",
+    baseline,
+    "pre-existing issues"
   );
-  logFindingSection(
+  logBlockerGroup(
     logger4,
-    "Risk checks on supabase/schemas/idempotent/*.sql:",
-    local.adjustedIdempotentRisks.warnings
+    "warn",
+    "[repo baseline] Architecture debt",
+    baselineDebt,
+    "pre-existing"
   );
-  logFindingSection(
+  logImpactSummary(logger4, {
+    current: current.length + currentDebt.length,
+    currentApply: current.length,
+    currentDebt: currentDebt.length,
+    baseline: baseline.length + baselineDebt.length,
+    baselineApply: baseline.length,
+    baselineDebt: baselineDebt.length,
+    total: applyBlockers.length + architectureDebt.length
+  });
+}
+var PRECHECK_COUNTS_PATH = join(".runa", "tmp", "precheck-counts.json");
+function loadPreviousPrecheckCounts() {
+  try {
+    const fullPath = join(process.cwd(), PRECHECK_COUNTS_PATH);
+    if (!existsSync(fullPath)) return null;
+    return JSON.parse(readFileSync(fullPath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function savePrecheckCounts(counts) {
+  try {
+    const fullPath = join(process.cwd(), PRECHECK_COUNTS_PATH);
+    const dir = join(fullPath, "..");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(fullPath, JSON.stringify(counts, null, 2), "utf-8");
+  } catch {
+  }
+}
+function logImpactSummary(logger4, counts) {
+  logger4.info("");
+  logger4.info("Impact summary:");
+  if (counts.current === 0 && counts.total > 0) {
+    logger4.info("  Current change: no new issues introduced");
+  } else if (counts.current > 0) {
+    logger4.info(
+      `  Regressions:    ${counts.current} issue(s) from changed files (${counts.currentApply} apply, ${counts.currentDebt} debt)`
+    );
+  }
+  if (counts.baseline > 0) {
+    logger4.info(
+      `  Baseline debt:  ${counts.baseline} pre-existing issue(s) (${counts.baselineApply} apply, ${counts.baselineDebt} debt)`
+    );
+  }
+  if (counts.total === 0) {
+    logger4.info("  All clear \u2014 no blockers or debt detected");
+  }
+  const previous = loadPreviousPrecheckCounts();
+  if (previous) {
+    const delta = counts.total - previous.total;
+    if (delta < 0) {
+      logger4.info(`  Improvement: ${Math.abs(delta)} fewer issue(s) than previous run`);
+    } else if (delta > 0) {
+      logger4.info(`  Regression:  ${delta} more issue(s) than previous run`);
+    } else {
+      logger4.info("  No change from previous run");
+    }
+  }
+  savePrecheckCounts({
+    total: counts.total,
+    apply: counts.currentApply + counts.baselineApply,
+    debt: counts.currentDebt + counts.baselineDebt,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+function logUnscopedBlockers(logger4, applyBlockers, architectureDebt) {
+  logBlockerGroup(
     logger4,
-    "Schema-directory placement checks:",
-    local.adjustedPlacementRisks.warnings
+    "error",
+    "Apply blockers",
+    applyBlockers,
+    "deployment will fail if not fixed"
   );
-  logFindingSection(logger4, "Extension checks:", local.adjustedExtensionRisks.warnings);
-  logFindingSection(logger4, "Schema-directory blockers:", local.adjustedPlacementRisks.blockers);
-  logFindingSection(logger4, "Declarative risk blockers:", local.adjustedDeclarativeRisks.blockers);
-  logFindingSection(logger4, "Idempotent risk blockers:", local.adjustedIdempotentRisks.blockers);
-  logFindingSection(logger4, "Extension blockers:", local.adjustedExtensionRisks.blockers);
+  logBlockerGroup(
+    logger4,
+    "warn",
+    "Architecture debt",
+    architectureDebt,
+    "works but should be addressed"
+  );
+}
+function logBlockerGroup(logger4, level, title, items, subtitle) {
+  if (items.length === 0) return;
+  const suffix = subtitle ? ` \u2014 ${subtitle}` : "";
+  const logFn = level === "error" ? logger4.error.bind(logger4) : logger4.warn.bind(logger4);
+  logFn(`
+${title} (${items.length})${suffix}:`);
+  for (const item of items) {
+    logger4.info(`  ${item}`);
+  }
 }
 function logLocalFindings(logger4, local, summary) {
   if (!local.hasLocalFindings) return;
@@ -12163,9 +12714,12 @@ async function runSyncAction(env, options) {
     const { dbTables, dbEnums } = await fetchDbTablesAndEnums(databaseUrl);
     const schemaDiffConfig = loadSchemaDiffConfig();
     const idempotentTables = extractTablesFromIdempotentSql(schemaDiffConfig.idempotentSqlDir);
+    const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(
+      schemaDiffConfig.idempotentSqlDir
+    );
     const excludeFromOrphanDetection = mergeExcludedTables(
       schemaDiffConfig.excludeFromOrphanDetection,
-      idempotentTables
+      [...idempotentTables, ...dynamicPatterns]
     );
     const diff = diffSchema({
       expectedTables,