@runa-ai/runa-cli 0.10.0 → 0.10.2

package/dist/{upgrade-QZKEI3NJ.js → upgrade-X7P6WRD5.js}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { fetchTemplates } from './chunk-IEKYTCYA.js';
+import { fetchTemplates } from './chunk-YTQS2O4H.js';
 import { updateRunaConfigSdkVersion } from './chunk-6AALH2ED.js';
 import './chunk-B7C7CLW2.js';
 import './chunk-RZLYEO4U.js';
@@ -8,7 +8,9 @@ import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
 import './chunk-WJXC4MVY.js';
 import './chunk-HKUWEGUX.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
-import { createCLILogger, CLIError, UpgradeTransaction, readRunaVersion, syncTemplates, SyncOutputSchema, findConflictFiles, preCheckSync } from '@runa-ai/runa';
+import { existsSync, readdirSync, statSync, readFileSync } from 'fs';
+import { join, extname } from 'path';
+import { createCLILogger, CLIError, loadRunaConfig, UpgradeTransaction, readRunaVersion, syncTemplates, SyncOutputSchema, findConflictFiles, preCheckSync } from '@runa-ai/runa';
 import { Command } from 'commander';
 import { execa } from 'execa';
 
@@ -36,6 +38,154 @@ function parseOnlyOption(only) {
   }
   return valid;
 }
+var MERGE_MARKER_PATTERN = /^<{7}\s|^={7}$|^>{7}\s/m;
+var MERGE_MARKER_SCAN_EXTENSIONS = [
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".md",
+  ".yml",
+  ".yaml",
+  ".json",
+  ".toml"
+];
+var MERGE_MARKER_SCAN_DIRS = [".claude", ".codex", ".github", "supabase"];
+var MERGE_MARKER_SKIP_DIRS = ["node_modules", ".git", "dist"];
+var MERGE_MARKER_ROOT_FILES = [
+  "AGENTS.md",
+  "CLAUDE.md",
+  "runa.config.ts",
+  "biome.json",
+  "turbo.json",
+  "vercel.json",
+  ".env.example",
+  ".npmrc"
+];
+function fileHasMergeMarkers(filePath) {
+  try {
+    return MERGE_MARKER_PATTERN.test(readFileSync(filePath, "utf-8"));
+  } catch {
+    return false;
+  }
+}
+function shouldScanMergeMarkerEntry(entry) {
+  return MERGE_MARKER_SCAN_EXTENSIONS.includes(extname(entry).toLowerCase());
+}
+function scanDirForMergeMarkers(dir, relativePath, results) {
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (MERGE_MARKER_SKIP_DIRS.includes(entry)) continue;
+    const fullPath = join(dir, entry);
+    const relPath = join(relativePath, entry);
+    try {
+      const stats = statSync(fullPath);
+      if (stats.isDirectory()) {
+        scanDirForMergeMarkers(fullPath, relPath, results);
+        continue;
+      }
+      if (stats.isFile() && shouldScanMergeMarkerEntry(entry) && fileHasMergeMarkers(fullPath)) {
+        results.push(relPath);
+      }
+    } catch {
+    }
+  }
+}
+function findFilesWithMergeMarkers(targetDir) {
+  const filesWithMarkers = [];
+  for (const checkDir of MERGE_MARKER_SCAN_DIRS) {
+    const dirPath = join(targetDir, checkDir);
+    if (existsSync(dirPath)) {
+      scanDirForMergeMarkers(dirPath, checkDir, filesWithMarkers);
+    }
+  }
+  for (const file of MERGE_MARKER_ROOT_FILES) {
+    const filePath = join(targetDir, file);
+    if (existsSync(filePath) && fileHasMergeMarkers(filePath)) {
+      filesWithMarkers.push(file);
+    }
+  }
+  return filesWithMarkers.sort();
+}
+function assertNoExistingMergeMarkers(targetDir) {
+  const filesWithMarkers = findFilesWithMergeMarkers(targetDir);
+  if (filesWithMarkers.length === 0) return;
+  throw new CLIError(
+    `${filesWithMarkers.length} file(s) have unresolved or partial merge markers`,
+    "UPGRADE_EXISTING_MERGE_MARKERS",
+    [
+      `Files: ${filesWithMarkers.slice(0, 5).join(", ")}${filesWithMarkers.length > 5 ? ` and ${filesWithMarkers.length - 5} more` : ""}`,
+      "Resolve previous merge markers before running `runa upgrade` again",
+      "Then run: runa check"
+    ]
+  );
+}
+function loadUpgradeConflictResolutionConfig(cwd = process.cwd()) {
+  const loaded = loadRunaConfig(cwd);
+  const conflictResolution = loaded?.config.upgrade?.conflictResolution;
+  return {
+    defaultStrategy: conflictResolution?.default ?? "manual",
+    rules: conflictResolution?.rules ?? []
+  };
+}
+async function resolveInstalledCliTemplatesVersion(cwd = process.cwd()) {
+  const script = `
+const fs = require('node:fs');
+const path = require('node:path');
+const entry = require.resolve('@runa-ai/runa-cli');
+const versionsPath = path.join(path.dirname(entry), 'constants', 'versions.js');
+const content = fs.readFileSync(versionsPath, 'utf-8');
+const match = content.match(/COMPATIBLE_TEMPLATES_VERSION\\s*=\\s*['"]([^'"]+)['"]/);
+if (!match) process.exit(2);
+process.stdout.write(match[1]);
+`;
+  try {
+    const result = await execa("pnpm", ["exec", "node", "-e", script], {
+      cwd,
+      stdio: "pipe"
+    });
+    return result.stdout.trim() || null;
+  } catch {
+    return null;
+  }
+}
+async function resolveTemplatesVersionForUpgrade(params) {
+  if (params.options.templatesVersion) {
+    return params.options.templatesVersion;
+  }
+  if (params.options.preview && params.shouldUpdatePackages) {
+    throw new CLIError(
+      "Preview cannot determine target template compatibility before package installation",
+      "UPGRADE_PREVIEW_TEMPLATE_PARITY_UNKNOWN",
+      [
+        "Run without --preview to install packages first",
+        "Or pass --templates-version <version> explicitly",
+        "Or run with --no-packages for template-only preview"
+      ]
+    );
+  }
+  const installedVersion = await resolveInstalledCliTemplatesVersion(params.cwd);
+  if (installedVersion) {
+    return installedVersion;
+  }
+  if (params.shouldUpdatePackages) {
+    throw new CLIError(
+      "Could not determine compatible templates version from the installed local CLI",
+      "UPGRADE_TEMPLATE_PARITY_UNRESOLVED",
+      [
+        "Ensure @runa-ai/runa-cli is installed locally",
+        "Re-run `runa upgrade` after package installation succeeds",
+        "Or pass --templates-version <version> explicitly"
+      ]
+    );
+  }
+  return void 0;
+}
 function logVersionInfo(logger, preCheck) {
   if (preCheck.versionJump) {
     const { from, to, isMajor, distance } = preCheck.versionJump;
@@ -381,12 +531,16 @@ async function getInstalledVersion(packageName) {
     return "unknown";
   }
 }
-async function runPreCheck(logger, options, isNonInteractive, templatesDir) {
+async function runPreCheck(logger, options, isNonInteractive, templatesDir, conflictResolution) {
   if (options.force || options.keepLocal) return;
   const preCheck = await preCheckSync({
     targetDir: process.cwd(),
     mode: "sync",
-    templatesDir
+    templatesDir,
+    conflictResolution: {
+      defaultStrategy: conflictResolution.defaultStrategy,
+      rules: conflictResolution.rules
+    }
   });
   logVersionInfo(logger, preCheck);
   logConflictSummary(logger, preCheck, isNonInteractive, options.preview === true);
@@ -451,9 +605,9 @@ async function executePackageUpdate(logger, options) {
   }
 }
 async function executeTemplateSync(ctx, templatesDir) {
-  const { logger, options, onlyCategories, isNonInteractive } = ctx;
+  const { logger, options, onlyCategories, isNonInteractive, conflictResolution } = ctx;
   logger.section("Upgrade SDK Templates");
-  await runPreCheck(logger, options, isNonInteractive, templatesDir);
+  await runPreCheck(logger, options, isNonInteractive, templatesDir, conflictResolution);
   logModeInfo(logger, options, onlyCategories);
   const result = await syncTemplates({
     targetDir: process.cwd(),
@@ -463,7 +617,11 @@ async function executeTemplateSync(ctx, templatesDir) {
     keepLocal: options.keepLocal === true,
     keepBackup: options.backup === true,
     only: onlyCategories.length > 0 ? onlyCategories : void 0,
-    templatesDir
+    templatesDir,
+    conflictResolution: {
+      defaultStrategy: conflictResolution.defaultStrategy,
+      rules: conflictResolution.rules
+    }
   });
   emitJsonSuccess(upgradeCommand, SyncOutputSchema, result);
   logHumanOutput(logger, result, options);
@@ -492,20 +650,28 @@ async function executeVerification(logger) {
   }
 }
 async function executeUpgrade(ctx) {
-  const { logger, options, shouldUpdatePackages } = ctx;
-  logger.section("Fetching Templates");
-  const templateResult = await fetchTemplates({
-    version: options.templatesVersion,
-    fresh: options.fresh,
-    verbose: process.env.DEBUG === "true"
-  });
-  logger.info(
-    templateResult.cached ? `Using ${templateResult.version === "workspace" ? "workspace" : "cached"} templates v${templateResult.version}` : `Fetched templates v${templateResult.version}`
-  );
+  const { logger, options, shouldUpdatePackages, shouldSyncTemplates } = ctx;
+  assertNoExistingMergeMarkers(process.cwd());
   if (shouldUpdatePackages) {
     await executePackageUpdate(logger, options);
   }
-  await executeTemplateSync(ctx, templateResult.templatesDir);
+  if (shouldSyncTemplates) {
+    const templatesVersion = await resolveTemplatesVersionForUpgrade({
+      cwd: process.cwd(),
+      options,
+      shouldUpdatePackages
+    });
+    logger.section("Fetching Templates");
+    const templateResult = await fetchTemplates({
+      version: templatesVersion,
+      fresh: options.fresh,
+      verbose: process.env.DEBUG === "true"
+    });
+    logger.info(
+      templateResult.cached ? `Using ${templateResult.version === "workspace" ? "workspace" : "cached"} templates v${templateResult.version}` : `Fetched templates v${templateResult.version}`
+    );
+    await executeTemplateSync(ctx, templateResult.templatesDir);
+  }
   if (options.verify && !options.preview) {
     await executeVerification(logger);
   }
@@ -607,14 +773,18 @@ var upgradeCommand = new Command("upgrade").description("Upgrade SDK packages an
   }
   const onlyCategories = parseOnlyOption(options.only);
   const shouldUpdatePackages = options.packages !== false && (onlyCategories.length === 0 || onlyCategories.includes("packages"));
+  const shouldSyncTemplates = onlyCategories.length === 0 || onlyCategories.some((category) => category !== "packages");
   const isJsonMode = process.env.RUNA_OUTPUT_FORMAT === "json";
   const isNonInteractive = options.yes || isJsonMode || !process.stdin.isTTY;
+  const conflictResolution = loadUpgradeConflictResolutionConfig(process.cwd());
   const ctx = {
     logger,
     options,
     onlyCategories,
     shouldUpdatePackages,
-    isNonInteractive
+    shouldSyncTemplates,
+    isNonInteractive,
+    conflictResolution
   };
   try {
     await executeUpgrade(ctx);
@@ -634,4 +804,4 @@ var upgradeCommand = new Command("upgrade").description("Upgrade SDK packages an
   }
 });
 
-export { upgradeCommand };
+export { assertNoExistingMergeMarkers, findFilesWithMergeMarkers, loadUpgradeConflictResolutionConfig, resolveTemplatesVersionForUpgrade, upgradeCommand };

package/dist/utils/license/index.d.ts

@@ -1,45 +1,36 @@
 /**
  * AI HINT: License Enforcement Module
  *
- * Purpose: CI access control for runa CLI
- * Pattern: Allowlist model with trusted org (r06-dev) always allowed
+ * Purpose: CI compatibility guard for runa CLI
+ * Pattern: Public CLI/SDK/plugin commands are allowed in CI for any owner
  *
  * Design decisions:
- * - r06-dev: Instant allow, NO API call, NO log (zero-impact)
- * - External org: API check via allowlist with last-known-good fallback
- * - Fail-closed strategy (Issue #542):
- *   - Owner resolution failure: Deny access (prevents bypass via manipulation)
- *   - API available: Use live response
- *   - API error + cached: Use last-known-good (24h window)
- *   - API error + no cache: Deny access (new orgs blocked during outage)
- * - Escape hatch: RUNA_SKIP_LICENSE_CHECK=1 bypasses all checks (local only)
+ * - r06-dev: Instant allow, NO extra checks, NO log (zero-impact)
+ * - External org: Also allowed for normal CLI usage in CI
+ * - Owner resolution failures: Do not block CI execution
+ * - Escape hatch: RUNA_SKIP_LICENSE_CHECK=1 still bypasses checks in local dev
  *
- * Security model:
- * - Fail-closed: Any resolution/validation error denies access
- * - Known orgs protected during outages (last-known-good)
- * - Unknown orgs cannot bypass by causing errors (fail closed)
+ * Template access is intentionally NOT handled here.
+ * `runa init` / `runa upgrade` remain restricted by private GitHub Packages auth.
  */
 import type { LicenseCheckResult } from './types.js';
 /**
- * Perform license check and return result
+ * Perform CI compatibility check and return result
  *
- * @internal Used by enforceLicenseInCI()
+ * This no longer blocks external organizations. The result is retained so callers
+ * can inspect whether the run happened in local dev, trusted org CI, or general CI.
  */
 export declare function checkLicense(): Promise<LicenseCheckResult>;
 /**
- * Enforce license check in CI environments
+ * Enforce CI compatibility check in CI environments
  *
- * Call this at CLI startup to enforce access control.
+ * Call this at CLI startup so the runtime behavior stays centralized.
  *
  * Behavior:
  * - Local dev: Skip silently
  * - r06-dev: Skip silently (no API, no log)
- * - External org in allowlist: Allow (with 4h cache)
- * - External org NOT in allowlist: Throw CLIError
- * - API error + last-known-good: Use cached result (24h window)
- * - API error + no cache: Block (fail closed for unknown orgs)
- *
- * @throws CLIError when access is denied
+ * - External org: Allow for normal CLI usage in CI
+ * - Template commands still rely on private package auth in their own code paths
  */
 export declare function enforceLicenseInCI(): Promise<void>;
 export type { LicenseCheckResult, OwnerResolutionResult, CIDetectionResult } from './types.js';

package/dist/utils/license/types.d.ts

@@ -1,8 +1,8 @@
 /**
  * AI HINT: License Check Type Definitions
  *
- * Purpose: Type definitions for CI access control
- * Pattern: Allowlist model - r06-dev always allowed, others checked via API
+ * Purpose: Type definitions for CI access compatibility checks
+ * Pattern: CI is always allowed; reasons document how the decision was made
  */
 /**
  * Result of CI environment detection
@@ -38,7 +38,6 @@ export interface LicenseCheckResult {
 /**
  * Reasons for license check decisions
  *
- * SECURITY (Issue #542): Fail-closed design - errors result in denial
  */
-export type LicenseCheckReason = 'not-ci' | 'trusted-org' | 'allowlist' | 'not-found' | 'error' | 'owner-resolution-failed' | 'skip-flag';
+export type LicenseCheckReason = 'not-ci' | 'trusted-org' | 'ci-allowed' | 'skip-flag';
 //# sourceMappingURL=types.d.ts.map

package/dist/utils/template-access.d.ts

@@ -0,0 +1,20 @@
+/**
+ * AI HINT: Template Access Verification
+ *
+ * Purpose: Ensure template operations are limited to users who can access the
+ * private runa source repository.
+ *
+ * Design:
+ * - Access is checked before cached templates are returned
+ * - NODE_AUTH_TOKEN and GitHub CLI auth are both accepted proof sources
+ * - Normal CLI/SDK/plugin commands are not gated by this module
+ */
+/**
+ * Verify the current user can access the private runa source repository.
+ *
+ * This check is intentionally separate from CI compatibility checks:
+ * - Normal CLI/SDK/plugin commands remain public
+ * - Template operations stay restricted to authorized users
+ */
+export declare function verifyTemplateRepoAccess(): Promise<void>;
+//# sourceMappingURL=template-access.d.ts.map

package/dist/utils/template-fetcher.d.ts

@@ -17,19 +17,22 @@
  *
  * Authentication Flow:
  * ┌─────────────────────────────────────────────────────────────────┐
- * │ 1. Check workspace (runa-repo development)                      │
- * │    └─ Found → Use local packages/runa-templates/ (no auth)      │
+ * │ 1. Verify access to r06-dev/runa                                │
+ * │    └─ Required before workspace/cache/fetch paths               │
  * │                                                                 │
- * │ 2. Try auto-detect NODE_AUTH_TOKEN                              │
+ * │ 2. Check workspace (runa-repo development)                      │
+ * │    └─ Found → Use local packages/runa-templates/                │
+ * │                                                                 │
+ * │ 3. Check cache (~/.cache/runa/templates/{version}/)             │
+ * │    └─ Hit → Return cached path (no network)                     │
+ * │                                                                 │
+ * │ 4. Try auto-detect NODE_AUTH_TOKEN                              │
  * │    ├─ Already set → Continue                                    │
  * │    └─ Not set → Try `gh auth token` command                     │
  * │        ├─ Success → Set NODE_AUTH_TOKEN and continue            │
  * │        └─ Fail → CLIError with setup instructions               │
  * │                                                                 │
- * │ 3. Check cache (~/.cache/runa/templates/{version}/)             │
- * │    └─ Hit → Return cached path (no network)                     │
- * │                                                                 │
- * │ 4. Fetch from GitHub Packages                                   │
+ * │ 5. Fetch from GitHub Packages                                   │
  * │    └─ Success → Cache and return path                           │
  * └─────────────────────────────────────────────────────────────────┘
  *

package/dist/{vuln-check-JRPMUHLF.js → vuln-check-LMDYYJUE.js}

@@ -71,7 +71,7 @@ var vulnCheckCommand = new Command("vuln-check").description("Run comprehensive
   const logger = createCLILogger("vuln-check");
   const isJsonMode = getOutputFormatFromEnv() === "json" || options.format === "json";
   try {
-    const { VulnChecker } = await import('./vuln-checker-Q7LSHUHJ.js');
+    const { VulnChecker } = await import('./vuln-checker-NHXLNZRM.js');
     const categoryMap = {
       code: ["injection", "auth", "crypto"],
       deps: ["dependency"],

package/dist/{vuln-checker-Q7LSHUHJ.js → vuln-checker-NHXLNZRM.js}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { CLI_VERSION } from './chunk-OXQISY3J.js';
+import { CLI_VERSION } from './chunk-IR7SA2ME.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
 import { glob } from 'glob';
 import { exec } from 'child_process';

package/dist/{watch-RFVCEQLH.js → watch-4RHXVCQ3.js}

@@ -284,7 +284,7 @@ function validateSqlSchema(content, errors, warnings) {
 var riskDetectorLoader = null;
 function loadRiskDetectorModule() {
   if (!riskDetectorLoader) {
-    riskDetectorLoader = import('./risk-detector-S7XQF4I2.js').then((module) => ({
+    riskDetectorLoader = import('./risk-detector-GDDLISVE.js').then((module) => ({
       detectSchemaRisks: module.detectSchemaRisks
     })).catch((error) => {
       riskDetectorLoader = null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runa-ai/runa-cli",
-  "version": "0.10.0",
+  "version": "0.10.2",
   "private": false,
   "description": "AI-powered DevOps CLI",
   "type": "module",
@@ -56,8 +56,8 @@
     "typescript": "5.9.3",
     "xstate": "5.28.0",
     "zod": "4.3.6",
-    "@runa-ai/runa": "0.10.0",
-    "@runa-ai/runa-xstate-test-plugin": "0.10.0"
+    "@runa-ai/runa-xstate-test-plugin": "0.10.0",
+    "@runa-ai/runa": "0.10.0"
   },
   "engines": {
     "node": ">=20.0.0"

package/dist/chunk-ZZOXM6Q4.js

@@ -1,8 +0,0 @@
-#!/usr/bin/env node
-import { createRequire } from 'module';
-import { init_esm_shims } from './chunk-VRXHCR5K.js';
-
-createRequire(import.meta.url);
-
-// src/errors/index.ts
-init_esm_shims();

package/dist/pg-schema-diff-helpers-7377FS2D.js

@@ -1,7 +0,0 @@
-#!/usr/bin/env node
-import { createRequire } from 'module';
-export { PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, buildIdleConnectionCleanupSql, detectDropTableStatements, detectMissingExtensionType, detectMissingQualifiedFunction, detectPartitionPrivilegeError, executePgSchemaDiffPlan, formatDeclarativeDependencyBoundaryHint, formatExtensionErrorHint, formatPartitionPrivilegeHint, freeConnectionSlotsForPgSchemaDiff, startConnectionCleanupDaemon, stopConnectionCleanupDaemon, verifyDatabaseConnection, verifyPgSchemaDiffBinary } from './chunk-ZWDWFMOX.js';
-import './chunk-A6A7JIRD.js';
-import './chunk-VRXHCR5K.js';
-
-createRequire(import.meta.url);