@runa-ai/runa-cli 0.10.1 → 0.10.3

package/dist/{db-PRGL7PBX.js → db-BQOVOQXU.js}

@@ -1,16 +1,16 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import { detectDatabaseStack, getStackPaths } from './chunk-MILCC3B6.js';
-import { categorizeRisks, detectSchemaRisks } from './chunk-PAWNJA3N.js';
-import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, DbPlanOutputSchema, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, DbApplyOutputSchema, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, parsePlanOutput, validateDependencyOrder, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, formatSchemasForSql, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, assessPlanSize, formatPlanSizeSummary, extractFunctionOwnershipDefinition } from './chunk-XRLIZKB2.js';
+import { categorizeRisks, detectSchemaRisks } from './chunk-XFXGFUAM.js';
+import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, DbPlanOutputSchema, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, DbApplyOutputSchema, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, parsePlanOutput, validateDependencyOrder, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, formatSchemasForSql, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH, functionAclManifestHasEntries, validateFunctionAclMigration, isManagedFunctionAclFileContentStale, renderFunctionAclFile, assessPlanSize, formatPlanSizeSummary, buildFunctionAclManifestFromSqlFiles, buildFunctionAclIdempotentTouchMetadata, stableSorted, normalizePolicyCommand, normalizeFileList, extractFunctionOwnershipDefinition, SECURITY_DEFINER_RE, MANAGED_BOUNDARY_SCHEMAS, currentIsoTimestamp, makeGraphVersion, GENERATOR_VERSION, MAX_SCHEMA_GUIDANCE_TARGETS_PER_FILE, QUALIFIED_SQL_OBJECT_RE, SEARCH_PATH_LOCK_RE, TRIGGER_GUIDANCE_SUPPRESSED_FUNCTIONS, SQL_EXTENSION_IDENTIFIER_PATTERN, SQL_IDENTIFIER_PATTERN } from './chunk-S7VGVFYF.js';
 import { createError } from './chunk-NIS77243.js';
 import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
 export { resolveDatabaseUrl, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
 import { analyzeDeclarativeDependencyContract, formatDeclarativeDependencyViolation, parseSqlFilename, collectSqlFiles, splitSqlStatements, ALLOW_DYNAMIC_SQL_ANNOTATION, extractFirstDollarBody, sanitizeExecutableCode, detectExtensionFilePath, FUNCTION_DEFINITION_RE, blankQuotedStrings, sanitizeExecutableCodePreserveStrings, countNewlines, shouldReviewUnknownDeclarativeDdl, extractDdlObject, isNonSchemaOperation, isNonDdlMaintenanceStatement, shouldReviewUnknownIdempotentDdl } from './chunk-HWR5NUUZ.js';
 import './chunk-UHDAYPHH.js';
-import './chunk-Y5ANTCKE.js';
+import './chunk-EZ46JIEO.js';
 import { loadEnvFiles } from './chunk-IWVXI5O4.js';
-import './chunk-ZPE52NEK.js';
+import './chunk-SS7RIWW3.js';
 import { diagnoseSupabaseStart } from './chunk-AAIE4F2U.js';
 import { validateUserFilePath, filterSafePaths, resolveSafePath } from './chunk-B7C7CLW2.js';
 import { runMachine } from './chunk-QDF7QXBL.js';
@@ -1145,7 +1145,8 @@ z.object({
 });
 var SchemaManagedBlockKindSchema = z.enum([
   "file-header",
-  "table-header"
+  "table-header",
+  "generated-file"
 ]);
 var SchemaGuardrailPhaseIdSchema = z.enum([
   "load_sources",
@@ -1166,6 +1167,7 @@ var SchemaGuardrailFailureCodeSchema = z.enum([
   "dynamic_sql_blocked",
   "extension_placement_blocked",
   "stale_generated_header",
+  "function_acl_migration_required",
   "generated_header_validation_failed",
   "generated_header_rewrite_failed",
   "static_graph_build_failed",
@@ -1509,39 +1511,46 @@ function buildGuardrailConflictEntries(report, entries) {
   pushSemanticEvidenceEntries(entries, report);
   pushBoundaryGuidanceEntries(entries, report);
 }
-function buildGuardrailHeaderEntries(report, entries) {
-  if (report.staleBlocks.length > 0) {
-    const byFile = /* @__PURE__ */ new Map();
-    for (const block of report.staleBlocks) {
-      const kinds = byFile.get(block.file) ?? [];
-      kinds.push(block.kind === "file-header" ? "file metadata" : `table: ${block.target}`);
-      byFile.set(block.file, kinds);
-    }
+function describeStaleBlock(block) {
+  return block.kind === "file-header" ? "file metadata" : block.kind === "generated-file" ? "managed file body" : `table: ${block.target}`;
+}
+function pushStaleArtifactEntries(report, entries) {
+  if (report.staleBlocks.length === 0) {
+    return;
+  }
+  const byFile = /* @__PURE__ */ new Map();
+  for (const block of report.staleBlocks) {
+    const kinds = byFile.get(block.file) ?? [];
+    kinds.push(describeStaleBlock(block));
+    byFile.set(block.file, kinds);
+  }
+  entries.push({
+    level: "warn",
+    message: `Generated SQL artifacts are stale (${report.staleBlocks.length} block(s) in ${byFile.size} file(s)):`
+  });
+  for (const [file, kinds] of byFile) {
     entries.push({
-      level: "warn",
-      message: `Generated headers are stale (${report.staleBlocks.length} block(s) in ${byFile.size} file(s)):`
+      level: "info",
+      message: `  ${file}: ${kinds.join(", ")}`
+    });
+  }
+  if (!report.failure) {
+    entries.push({
+      level: "info",
+      message: "Auto-fix: Run `runa db sync` to regenerate managed SQL artifacts automatically."
+    });
+    entries.push({
+      level: "info",
+      message: "Managed SQL artifacts track: FK references, RLS policies, triggers, function ownership, schema dependencies, and function ACL reconciliation."
     });
-    for (const [file, kinds] of byFile) {
-      entries.push({
-        level: "info",
-        message: `  ${file}: ${kinds.join(", ")}`
-      });
-    }
-    if (!report.failure) {
-      entries.push({
-        level: "info",
-        message: "Auto-fix: Run `runa db sync` to regenerate all headers automatically."
-      });
-      entries.push({
-        level: "info",
-        message: "Headers track: FK references, RLS policies, triggers, function ownership, and schema dependencies."
-      });
-    }
   }
+}
+function buildGuardrailHeaderEntries(report, entries) {
+  pushStaleArtifactEntries(report, entries);
   if (report.headersRewritten.length > 0) {
     entries.push({
       level: "info",
-      message: `Generated headers refreshed in ${report.headersRewritten.length} file(s).`
+      message: `Generated SQL artifacts refreshed in ${report.headersRewritten.length} file(s).`
     });
   }
 }
@@ -1848,6 +1857,10 @@ async function collectSchemaRisks(sqlDir, sqlFiles) {
   }
   return allRisks;
 }
+function filterAllowlistedSchemaRisks(risks) {
+  const policy = getBoundaryPolicy();
+  return risks.filter((risk) => !findDeclarativeRiskAllowlistMatch(risk, policy));
+}
 function summarizeRisks(risks) {
   const summaries = /* @__PURE__ */ new Map();
   for (const risk of risks) {
@@ -1966,7 +1979,7 @@ async function runSqlSchemaRiskCheck(result, logger4, step) {
   const sqlFiles = getDeclarativeSqlFiles(sqlDir, logger4);
   if (!sqlFiles) return;
   try {
-    const allRisks = await collectSchemaRisks(sqlDir, sqlFiles);
+    const allRisks = filterAllowlistedSchemaRisks(await collectSchemaRisks(sqlDir, sqlFiles));
     if (allRisks.length === 0) {
       logger4.success(`Scanned ${sqlFiles.length} SQL file(s) - no violations`);
       return;
@@ -2653,193 +2666,501 @@ async function runDeclarativeDependencyCheck(result, logger4, step, strictOption
 
 // src/commands/db/utils/preflight-checks/duplicate-function-ownership-checks.ts
 init_esm_shims();
-async function runDuplicateFunctionOwnershipCheck(result, logger4, step) {
-  logger4.step("Checking duplicate function ownership", step.next());
-  const analysis = analyzeDuplicateFunctionOwnership(process.cwd());
-  if (analysis.findings.length === 0) {
-    logger4.success("No duplicate declarative/idempotent function ownership detected");
-    return;
-  }
-  result.passed = false;
-  result.errors.push(`Found ${analysis.findings.length} duplicate function ownership finding(s)`);
-  logger4.error(`Found ${analysis.findings.length} duplicate function ownership finding(s):`);
-  logger4.info(`  ${analysis.contractNote}`);
-  for (const finding of analysis.findings) {
-    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
-    logger4.info(`  [ERROR] ${formatted.summary}`);
-    for (const location of formatted.declarativeLocations) {
-      logger4.info(`          declarative: ${location}`);
-    }
-    for (const location of formatted.idempotentLocations) {
-      logger4.info(`          idempotent: ${location}`);
-    }
-    logger4.info(`          ${formatted.suggestion}`);
-  }
-}
-
-// src/commands/db/utils/preflight-checks/schema-boundary-checks.ts
-init_esm_shims();
 
-// src/commands/db/commands/db-sync/precheck-helpers.ts
+// src/commands/db/utils/duplicate-function-ownership-allowlist.ts
 init_esm_shims();
-var SHOW_ALLOWLIST_REPORT = process.env.RUNA_DB_PRECHECK_ALLOWLIST_REPORT === "1";
-var DIRECTORY_PLACEMENT_WARNING_PREFIX = "  [misplacement] ";
-function applyStrictModeToReport(report, strict) {
-  if (!strict) return report;
-  return {
-    blockers: [...report.blockers, ...report.warnings],
-    warnings: []
-  };
-}
-function formatAllowlistReason({
-  label,
-  ruleId,
-  reason,
-  rule
-}) {
-  const meta = rule ? formatAllowlistMetadata(rule) : "";
-  return meta ? `[allowlist:${label}] ${ruleId}: ${reason} (${meta})` : `[allowlist:${label}] ${ruleId}: ${reason}`;
-}
 
-// src/commands/db/commands/db-sync/directory-placement-check.ts
+// src/commands/db/sync/schema-guardrail-config.ts
 init_esm_shims();
 
-// src/commands/db/utils/schema-precheck-budget.ts
+// src/commands/db/sync/schema-guardrail-config-test-support.ts
 init_esm_shims();
-var ONE_MB = 1024 * 1024;
-var ONE_GB = 1024 * ONE_MB;
-function parseIntEnv(name, fallback, min, max) {
-  const raw = process.env[name];
-  if (!raw) return fallback;
-  const value = Number.parseInt(raw, 10);
-  if (!Number.isFinite(value) || Number.isNaN(value)) return fallback;
-  const normalized = Math.trunc(value);
-  if (normalized < min) return min;
-  if (normalized > max) return max;
-  return normalized;
-}
-var RUNA_SCHEMA_PRECHECK_MAX_FILES = parseIntEnv(
-  "RUNA_SCHEMA_PRECHECK_MAX_FILES",
-  3e3,
-  100,
-  2e4
-);
-var RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES = parseIntEnv(
-  "RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES",
-  512 * ONE_MB,
-  32 * ONE_MB,
-  20 * ONE_GB
-);
-var RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES = parseIntEnv(
-  "RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES",
-  64 * ONE_MB,
-  1 * ONE_MB,
-  512 * ONE_MB
-);
-var RUNA_PLAN_PRECHECK_MAX_BYTES = parseIntEnv(
-  "RUNA_PLAN_PRECHECK_MAX_BYTES",
-  128 * ONE_MB,
-  8 * ONE_MB,
-  4 * ONE_GB
-);
-var RUNA_PLAN_PRECHECK_MAX_STATEMENTS = parseIntEnv(
-  "RUNA_PLAN_PRECHECK_MAX_STATEMENTS",
-  4e3,
-  100,
-  5e4
-);
-function formatBytes2(value) {
-  if (value >= ONE_MB * 1024) return `${(value / (ONE_MB * 1024)).toFixed(1)} GB`;
-  if (value >= ONE_MB) return `${(value / ONE_MB).toFixed(1)} MB`;
-  return `${(value / 1024).toFixed(1)} KB`;
-}
-function buildBudgetExceededReason(context, files, bytes, maxFiles, maxBytes) {
-  return `${context}: budget exceeded (files=${files}/${maxFiles}, bytes=${formatBytes2(bytes)}/${formatBytes2(maxBytes)}). Stop and review with stricter scoping or increase RUNA_SCHEMA_PRECHECK_MAX_* settings only after approval.`;
-}
-function createSchemaPrecheckBudgetState() {
-  return {
-    scannedFiles: 0,
-    scannedBytes: 0,
-    maxFiles: RUNA_SCHEMA_PRECHECK_MAX_FILES,
-    maxBytes: RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES,
-    maxFileBytes: RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES
-  };
+function extractFirstStringMatch(content, fieldName) {
+  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*['"]([^'"]+)['"]`));
+  return match?.[1];
 }
-function shouldAbortSchemaPrecheckForBudget(state, filePath) {
-  const size = statSync(filePath).size;
-  if (size > state.maxFileBytes) {
-    return `Unscanned schema file ${filePath}: ${formatBytes2(size)} exceeds per-file limit ${formatBytes2(
-      state.maxFileBytes
-    )}`;
-  }
-  if (state.scannedFiles + 1 > state.maxFiles) {
-    return `Schema file scan budget exceeds ${state.maxFiles} files at ${path12.basename(filePath)}.`;
-  }
-  const projectedBytes = state.scannedBytes + size;
-  if (projectedBytes > state.maxBytes) {
-    return `Schema scan budget exceeds total size limit ${formatBytes2(state.maxBytes)}.`;
+function extractFirstNumberMatch(content, fieldName) {
+  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*(-?\\d+(?:\\.\\d+)?)`));
+  if (!match?.[1]) {
+    return void 0;
   }
-  state.scannedBytes = projectedBytes;
-  state.scannedFiles += 1;
-  return null;
+  const parsed = Number(match[1]);
+  return Number.isFinite(parsed) ? parsed : void 0;
 }
-
-// src/commands/db/utils/sql-file-collector.ts
-init_esm_shims();
-var IGNORED_DIRECTORY_NAMES = /* @__PURE__ */ new Set([
-  "compat",
-  "archive",
-  "legacy",
-  "deprecated",
-  "backup",
-  "node_modules",
-  ".git",
-  "dist",
-  "build"
-]);
-function shouldSkipDirectory(name) {
-  return IGNORED_DIRECTORY_NAMES.has(name.toLowerCase());
+function extractStringArrayMatch(content, fieldName) {
+  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*\\[([\\s\\S]*?)\\]`));
+  if (!match?.[1]) {
+    return [];
+  }
+  return Array.from(match[1].matchAll(/['"]([^'"]+)['"]/g), (entry) => entry[1] ?? "").filter(
+    (value) => value.length > 0
+  );
 }
-function scanDirectory(dir, queue, sqlFiles) {
-  try {
-    const entries = readdirSync(dir, { withFileTypes: true });
-    for (const entry of entries) {
-      const fullPath = path12.join(dir, entry.name);
-      if (entry.isDirectory()) {
-        if (!shouldSkipDirectory(entry.name)) queue.push(fullPath);
-      } else if (entry.isFile() && entry.name.endsWith(".sql")) {
-        sqlFiles.push(fullPath);
+function extractNamedObjectBlock(content, fieldName) {
+  const nameMatch = new RegExp(`${fieldName}\\s*:\\s*\\{`).exec(content);
+  if (!nameMatch) {
+    return null;
+  }
+  const startIndex = nameMatch.index + nameMatch[0].length - 1;
+  let depth = 0;
+  for (let index = startIndex; index < content.length; index += 1) {
+    const current = content[index];
+    if (current === "{") {
+      depth += 1;
+    } else if (current === "}") {
+      depth -= 1;
+      if (depth === 0) {
+        return content.slice(startIndex + 1, index);
       }
     }
-  } catch {
   }
+  return null;
 }
-function* collectSqlFilesRecursively(baseDir) {
-  const queue = [baseDir];
-  const sqlFiles = [];
-  let index = 0;
-  while (index < queue.length) {
-    const currentDir = queue[index++];
-    if (!currentDir) continue;
-    scanDirectory(currentDir, queue, sqlFiles);
+function extractAllowedDuplicateFunctions(content, normalizers) {
+  const match = content.match(/allowedDuplicateFunctions\s*:\s*\[([\s\S]*?)\]/);
+  if (!match?.[1]) {
+    return [];
   }
-  for (const file of sqlFiles) {
-    yield file;
+  const entries = [];
+  for (const objectMatch of match[1].matchAll(/\{([\s\S]*?)\}/g)) {
+    const objectBody = objectMatch[1] ?? "";
+    const qualifiedName = extractFirstStringMatch(objectBody, "qualifiedName");
+    const signature = extractFirstStringMatch(objectBody, "signature");
+    const reason = extractFirstStringMatch(objectBody, "reason");
+    if (!qualifiedName || !signature || !reason) {
+      continue;
+    }
+    entries.push({
+      qualifiedName: normalizers.normalizeFunctionQualifiedName(qualifiedName),
+      signature: normalizers.normalizeAllowlistSignature(signature),
+      reason,
+      declarativeFile: extractFirstStringMatch(objectBody, "declarativeFile"),
+      idempotentFile: extractFirstStringMatch(objectBody, "idempotentFile"),
+      expectedBodyHash: extractFirstStringMatch(objectBody, "expectedBodyHash")
+    });
   }
+  return entries;
+}
+function tryLoadSchemaGuardrailConfigFromText(params) {
+  const configPath = findRunaConfig(params.targetDir);
+  if (!configPath || !existsSync(configPath)) {
+    return null;
+  }
+  try {
+    const content = readFileSync(configPath, "utf-8");
+    const schemaGuardrailsBlock = extractNamedObjectBlock(content, "schemaGuardrails") ?? "";
+    const pgSchemaDiffBlock = extractNamedObjectBlock(content, "pgSchemaDiff") ?? "";
+    return {
+      ...params.defaults,
+      declarativeSqlDir: extractFirstStringMatch(schemaGuardrailsBlock, "declarativeSqlDir") ?? params.defaults.declarativeSqlDir,
+      allowedDuplicateFunctions: extractAllowedDuplicateFunctions(
+        schemaGuardrailsBlock,
+        params.normalizers
+      ),
+      generatedHeaderRewriteTargets: params.normalizers.normalizeFileList(
+        extractStringArrayMatch(schemaGuardrailsBlock, "generatedHeaderRewriteTargets").map(
+          (value) => params.normalizers.normalizePathForMatch(value)
+        )
+      ),
+      semanticWarnings: {
+        threshold: extractFirstNumberMatch(schemaGuardrailsBlock, "threshold") ?? params.defaults.semanticWarnings.threshold,
+        maxCandidates: extractFirstNumberMatch(schemaGuardrailsBlock, "maxCandidates") ?? params.defaults.semanticWarnings.maxCandidates,
+        ignorePairs: new Set(
+          extractStringArrayMatch(schemaGuardrailsBlock, "ignorePairs").map(
+            (value) => params.normalizers.normalizeSuppressionPair(value)
+          )
+        )
+      },
+      tableHeaderMaxWidth: extractFirstNumberMatch(schemaGuardrailsBlock, "tableHeaderMaxWidth") ?? params.defaults.tableHeaderMaxWidth,
+      excludeFromOrphanDetection: extractStringArrayMatch(
+        pgSchemaDiffBlock,
+        "excludeFromOrphanDetection"
+      ),
+      idempotentSqlDir: extractFirstStringMatch(pgSchemaDiffBlock, "idempotentSqlDir") ?? params.defaults.idempotentSqlDir
+    };
+  } catch {
+    return null;
+  }
+}
+
+// src/commands/db/sync/schema-guardrail-config.ts
+var DEFAULT_TABLE_HEADER_MAX_WIDTH = 160;
+var DEFAULT_SEMANTIC_WARNING_THRESHOLD = 0.55;
+var DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES = 3;
+var GENERIC_SIMILARITY_COLUMNS = /* @__PURE__ */ new Set([
+  "id",
+  "created_at",
+  "updated_at",
+  "deleted_at",
+  "scope_id"
+]);
+function normalizePathForMatch(filePath) {
+  return filePath.replaceAll("\\", "/");
+}
+function normalizeFunctionQualifiedName(value) {
+  return value.trim().toLowerCase();
+}
+function normalizeAllowlistSignature(value) {
+  return value.replace(/\s+/g, " ").trim();
+}
+function normalizeSuppressionPair(value) {
+  return value.split("::").map((part) => part.trim().toLowerCase()).filter((part) => part.length > 0).sort((left, right) => left.localeCompare(right)).join("::");
+}
+function normalizeFileList2(files) {
+  return [...new Set(files)].sort((a, b) => a.localeCompare(b));
+}
+function isSchemaGuardrailTextFallbackAllowed() {
+  return Boolean(process.env.VITEST);
+}
+function createDefaultSchemaGuardrailConfig() {
+  return {
+    declarativeSqlDir: "supabase/schemas/declarative",
+    allowedDuplicateFunctions: [],
+    generatedHeaderRewriteTargets: [],
+    semanticWarnings: {
+      threshold: DEFAULT_SEMANTIC_WARNING_THRESHOLD,
+      maxCandidates: DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES,
+      ignorePairs: /* @__PURE__ */ new Set()
+    },
+    tableHeaderMaxWidth: DEFAULT_TABLE_HEADER_MAX_WIDTH,
+    excludeFromOrphanDetection: [],
+    idempotentSqlDir: "supabase/schemas/idempotent"
+  };
+}
+function loadAllowedDuplicatesFromSchemaOwnership(targetDir) {
+  const candidates = [
+    join(targetDir, "supabase", "schemas", "schema-ownership.json"),
+    join(targetDir, "schema-ownership.json")
+  ];
+  for (const filePath of candidates) {
+    if (!existsSync(filePath)) continue;
+    try {
+      const raw = JSON.parse(readFileSync(filePath, "utf-8"));
+      const allowedDuplicates = raw?.rules?.allowed_duplicates;
+      if (!Array.isArray(allowedDuplicates)) continue;
+      return allowedDuplicates.filter(
+        (entry) => typeof entry === "object" && entry !== null && "qualifiedName" in entry && typeof entry.qualifiedName === "string"
+      ).map((entry) => ({
+        qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
+        signature: normalizeAllowlistSignature(entry.signature ?? ""),
+        reason: entry.reason ?? "Loaded from schema-ownership.json"
+      }));
+    } catch {
+    }
+  }
+  return [];
+}
+function loadSchemaGuardrailConfig(targetDir) {
+  const defaults = createDefaultSchemaGuardrailConfig();
+  try {
+    const config = loadRunaConfig(targetDir);
+    const databaseConfig = config.database ?? {};
+    return {
+      declarativeSqlDir: databaseConfig.schemaGuardrails?.declarativeSqlDir ?? defaults.declarativeSqlDir,
+      allowedDuplicateFunctions: [
+        ...databaseConfig.schemaGuardrails?.allowedDuplicateFunctions?.map((entry) => ({
+          ...entry,
+          qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
+          signature: normalizeAllowlistSignature(entry.signature),
+          declarativeFile: entry.declarativeFile ? normalizePathForMatch(entry.declarativeFile) : void 0,
+          idempotentFile: entry.idempotentFile ? normalizePathForMatch(entry.idempotentFile) : void 0
+        })) ?? [],
+        // Fallback: merge schema-ownership.json allowed_duplicates if present
+        ...loadAllowedDuplicatesFromSchemaOwnership(targetDir)
+      ],
+      generatedHeaderRewriteTargets: normalizeFileList2(
+        (databaseConfig.schemaGuardrails?.generatedHeaderRewriteTargets ?? []).map(
+          (value) => normalizePathForMatch(value)
+        )
+      ),
+      semanticWarnings: {
+        threshold: databaseConfig.schemaGuardrails?.semanticWarnings?.threshold ?? defaults.semanticWarnings.threshold,
+        maxCandidates: databaseConfig.schemaGuardrails?.semanticWarnings?.maxCandidates ?? defaults.semanticWarnings.maxCandidates,
+        ignorePairs: new Set(
+          (databaseConfig.schemaGuardrails?.semanticWarnings?.ignorePairs ?? []).map(
+            (value) => normalizeSuppressionPair(value)
+          )
+        )
+      },
+      tableHeaderMaxWidth: databaseConfig.schemaGuardrails?.tableHeaderMaxWidth ?? defaults.tableHeaderMaxWidth,
+      excludeFromOrphanDetection: databaseConfig.pgSchemaDiff?.excludeFromOrphanDetection ?? [],
+      idempotentSqlDir: databaseConfig.pgSchemaDiff?.idempotentSqlDir ?? defaults.idempotentSqlDir
+    };
+  } catch (error) {
+    if (isSchemaGuardrailTextFallbackAllowed()) {
+      return tryLoadSchemaGuardrailConfigFromText({
+        targetDir,
+        defaults,
+        normalizers: {
+          normalizeAllowlistSignature,
+          normalizeFileList: normalizeFileList2,
+          normalizeFunctionQualifiedName,
+          normalizePathForMatch,
+          normalizeSuppressionPair
+        }
+      }) ?? defaults;
+    }
+    throw error;
+  }
+}
+
+// src/commands/db/utils/duplicate-function-ownership-allowlist.ts
+function matchesDuplicateFunctionSignature(params) {
+  return normalizeFunctionQualifiedName(params.entry.qualifiedName) === normalizeFunctionQualifiedName(params.finding.qualifiedName) && normalizeAllowlistSignature(params.entry.signature) === normalizeAllowlistSignature(params.finding.signature ?? "");
+}
+function matchesOptionalFilePath(params) {
+  if (!params.configuredPath) {
+    return true;
+  }
+  return params.definitionFiles.some(
+    (filePath) => normalizePathForMatch(filePath) === params.configuredPath
+  );
+}
+function matchesExpectedBodyHash(params) {
+  if (!params.entry.expectedBodyHash || !params.bodyHashes) {
+    return true;
+  }
+  const definitions = [
+    ...params.finding.declarativeDefinitions,
+    ...params.finding.idempotentDefinitions
+  ];
+  if (definitions.length === 0) {
+    return false;
+  }
+  return definitions.every((definition) => {
+    const key = `${definition.layer}:${definition.file}:${definition.line}`;
+    return params.bodyHashes?.get(key) === params.entry.expectedBodyHash;
+  });
+}
+function isAllowlistedDuplicateFunction(params) {
+  const { finding, allowlist, bodyHashes } = params;
+  if (!finding.signature) return false;
+  return allowlist.some((entry) => {
+    if (!matchesDuplicateFunctionSignature({ entry, finding })) {
+      return false;
+    }
+    if (!matchesOptionalFilePath({
+      configuredPath: entry.declarativeFile,
+      definitionFiles: finding.declarativeDefinitions.map((definition) => definition.file)
+    })) {
+      return false;
+    }
+    if (!matchesOptionalFilePath({
+      configuredPath: entry.idempotentFile,
+      definitionFiles: finding.idempotentDefinitions.map((definition) => definition.file)
+    })) {
+      return false;
+    }
+    return matchesExpectedBodyHash({ entry, finding, bodyHashes });
+  });
+}
+function filterAllowlistedDuplicateFunctions(params) {
+  return params.findings.filter(
+    (finding) => !isAllowlistedDuplicateFunction({
+      finding,
+      allowlist: params.allowlist,
+      bodyHashes: params.bodyHashes
+    })
+  );
+}
+
+// src/commands/db/utils/preflight-checks/duplicate-function-ownership-checks.ts
+async function runDuplicateFunctionOwnershipCheck(result, logger4, step) {
+  logger4.step("Checking duplicate function ownership", step.next());
+  const analysis = analyzeDuplicateFunctionOwnership(process.cwd());
+  let findings = analysis.findings;
+  try {
+    const allowlist = loadSchemaGuardrailConfig(process.cwd()).allowedDuplicateFunctions;
+    findings = filterAllowlistedDuplicateFunctions({
+      findings,
+      allowlist
+    });
+  } catch {
+  }
+  if (findings.length === 0) {
+    logger4.success("No duplicate declarative/idempotent function ownership detected");
+    return;
+  }
+  result.passed = false;
+  result.errors.push(`Found ${findings.length} duplicate function ownership finding(s)`);
+  logger4.error(`Found ${findings.length} duplicate function ownership finding(s):`);
+  logger4.info(`  ${analysis.contractNote}`);
+  for (const finding of findings) {
+    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
+    logger4.info(`  [ERROR] ${formatted.summary}`);
+    for (const location of formatted.declarativeLocations) {
+      logger4.info(`          declarative: ${location}`);
+    }
+    for (const location of formatted.idempotentLocations) {
+      logger4.info(`          idempotent: ${location}`);
+    }
+    logger4.info(`          ${formatted.suggestion}`);
+  }
+}
+
+// src/commands/db/utils/preflight-checks/schema-boundary-checks.ts
+init_esm_shims();
+
+// src/commands/db/commands/db-sync/precheck-helpers.ts
+init_esm_shims();
+var SHOW_ALLOWLIST_REPORT = process.env.RUNA_DB_PRECHECK_ALLOWLIST_REPORT === "1";
+var DIRECTORY_PLACEMENT_WARNING_PREFIX = "  [misplacement] ";
+function applyStrictModeToReport(report, strict) {
+  if (!strict) return report;
+  return {
+    blockers: [...report.blockers, ...report.warnings],
+    warnings: []
+  };
+}
+function formatAllowlistReason({
+  label,
+  ruleId,
+  reason,
+  rule
+}) {
+  const meta = rule ? formatAllowlistMetadata(rule) : "";
+  return meta ? `[allowlist:${label}] ${ruleId}: ${reason} (${meta})` : `[allowlist:${label}] ${ruleId}: ${reason}`;
+}
+
+// src/commands/db/commands/db-sync/directory-placement-check.ts
+init_esm_shims();
+
+// src/commands/db/utils/schema-precheck-budget.ts
+init_esm_shims();
+var ONE_MB = 1024 * 1024;
+var ONE_GB = 1024 * ONE_MB;
+function parseIntEnv(name, fallback, min, max) {
+  const raw = process.env[name];
+  if (!raw) return fallback;
+  const value = Number.parseInt(raw, 10);
+  if (!Number.isFinite(value) || Number.isNaN(value)) return fallback;
+  const normalized = Math.trunc(value);
+  if (normalized < min) return min;
+  if (normalized > max) return max;
+  return normalized;
+}
+var RUNA_SCHEMA_PRECHECK_MAX_FILES = parseIntEnv(
+  "RUNA_SCHEMA_PRECHECK_MAX_FILES",
+  3e3,
+  100,
+  2e4
+);
+var RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES = parseIntEnv(
+  "RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES",
+  512 * ONE_MB,
+  32 * ONE_MB,
+  20 * ONE_GB
+);
+var RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES = parseIntEnv(
+  "RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES",
+  64 * ONE_MB,
+  1 * ONE_MB,
+  512 * ONE_MB
+);
+var RUNA_PLAN_PRECHECK_MAX_BYTES = parseIntEnv(
+  "RUNA_PLAN_PRECHECK_MAX_BYTES",
+  128 * ONE_MB,
+  8 * ONE_MB,
+  4 * ONE_GB
+);
+var RUNA_PLAN_PRECHECK_MAX_STATEMENTS = parseIntEnv(
+  "RUNA_PLAN_PRECHECK_MAX_STATEMENTS",
+  4e3,
+  100,
+  5e4
+);
+function formatBytes2(value) {
+  if (value >= ONE_MB * 1024) return `${(value / (ONE_MB * 1024)).toFixed(1)} GB`;
+  if (value >= ONE_MB) return `${(value / ONE_MB).toFixed(1)} MB`;
+  return `${(value / 1024).toFixed(1)} KB`;
+}
+function buildBudgetExceededReason(context, files, bytes, maxFiles, maxBytes) {
+  return `${context}: budget exceeded (files=${files}/${maxFiles}, bytes=${formatBytes2(bytes)}/${formatBytes2(maxBytes)}). Stop and review with stricter scoping or increase RUNA_SCHEMA_PRECHECK_MAX_* settings only after approval.`;
+}
+function createSchemaPrecheckBudgetState() {
+  return {
+    scannedFiles: 0,
+    scannedBytes: 0,
+    maxFiles: RUNA_SCHEMA_PRECHECK_MAX_FILES,
+    maxBytes: RUNA_SCHEMA_PRECHECK_MAX_TOTAL_BYTES,
+    maxFileBytes: RUNA_SCHEMA_PRECHECK_MAX_FILE_BYTES
+  };
+}
+function shouldAbortSchemaPrecheckForBudget(state, filePath) {
+  const size = statSync(filePath).size;
+  if (size > state.maxFileBytes) {
+    return `Unscanned schema file ${filePath}: ${formatBytes2(size)} exceeds per-file limit ${formatBytes2(
+      state.maxFileBytes
+    )}`;
+  }
+  if (state.scannedFiles + 1 > state.maxFiles) {
+    return `Schema file scan budget exceeds ${state.maxFiles} files at ${path12.basename(filePath)}.`;
+  }
+  const projectedBytes = state.scannedBytes + size;
+  if (projectedBytes > state.maxBytes) {
+    return `Schema scan budget exceeds total size limit ${formatBytes2(state.maxBytes)}.`;
+  }
+  state.scannedBytes = projectedBytes;
+  state.scannedFiles += 1;
+  return null;
+}
+
+// src/commands/db/utils/sql-file-collector.ts
+init_esm_shims();
+var IGNORED_DIRECTORY_NAMES = /* @__PURE__ */ new Set([
+  "compat",
+  "archive",
+  "legacy",
+  "deprecated",
+  "backup",
+  "node_modules",
+  ".git",
+  "dist",
+  "build"
+]);
+function shouldSkipDirectory(name) {
+  return IGNORED_DIRECTORY_NAMES.has(name.toLowerCase());
+}
+function scanDirectory(dir, queue, sqlFiles) {
+  try {
+    const entries = readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path12.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (!shouldSkipDirectory(entry.name)) queue.push(fullPath);
+      } else if (entry.isFile() && entry.name.endsWith(".sql")) {
+        sqlFiles.push(fullPath);
+      }
+    }
+  } catch {
+  }
+}
+function* collectSqlFilesRecursively(baseDir) {
+  const queue = [baseDir];
+  const sqlFiles = [];
+  let index = 0;
+  while (index < queue.length) {
+    const currentDir = queue[index++];
+    if (!currentDir) continue;
+    scanDirectory(currentDir, queue, sqlFiles);
+  }
+  for (const file of sqlFiles) {
+    yield file;
+  }
+}
+
+// src/commands/db/commands/db-sync/boundary-classifier.ts
+init_esm_shims();
+
+// src/commands/db/commands/db-sync/sql-parser.ts
+init_esm_shims();
+function isWordChar(char) {
+  const code = char.charCodeAt(0);
+  return code >= 48 && code <= 57 || code >= 65 && code <= 90 || code >= 97 && code <= 122 || char === "_";
+}
+function isWhitespaceChar(char) {
+  return char === " " || char === "	" || char === "\n" || char === "\r" || char === "\f";
 }
-
-// src/commands/db/commands/db-sync/boundary-classifier.ts
-init_esm_shims();
-
-// src/commands/db/commands/db-sync/sql-parser.ts
-init_esm_shims();
-function isWordChar(char) {
-  const code = char.charCodeAt(0);
-  return code >= 48 && code <= 57 || code >= 65 && code <= 90 || code >= 97 && code <= 122 || char === "_";
-}
-function isWhitespaceChar(char) {
-  return char === " " || char === "	" || char === "\n" || char === "\r" || char === "\f";
-}
 function parseWordAt(statement, start) {
   if (start < 0 || start >= statement.length) return null;
   const first = statement[start];
@@ -3884,7 +4205,7 @@ init_esm_shims();
 var riskDetectorLoader = null;
 function loadRiskDetectorModule() {
   if (!riskDetectorLoader) {
-    riskDetectorLoader = import('./risk-detector-S7XQF4I2.js').then((module) => ({
+    riskDetectorLoader = import('./risk-detector-GDDLISVE.js').then((module) => ({
       detectSchemaRisks: module.detectSchemaRisks
     })).catch((error) => {
       riskDetectorLoader = null;
@@ -4933,437 +5254,203 @@ var dbSyncMachine = setup({
           }
         ],
         onError: {
-          target: "failed",
-          actions: assign({
-            error: ({ event }) => event.error instanceof Error ? event.error.message : "Setup failed"
-          })
-        }
-      }
-    },
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 2: Reconcile (optional)
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    reconcile: {
-      meta: { e2e: e2eMeta.reconcile },
-      invoke: {
-        src: "reconcile",
-        input: ({ context }) => ({
-          ctx: assertStepCtx(context),
-          autoApprove: context.input.autoApprove ?? false,
-          force: context.input.force ?? false
-        }),
-        onDone: [
-          {
-            guard: ({ event }) => event.output.passed === false,
-            target: "failed",
-            actions: assign({
-              error: ({ event }) => event.output.error ?? "Reconcile failed"
-            })
-          },
-          {
-            target: "preflight",
-            actions: assign({ reconciled: true })
-          }
-        ],
-        onError: {
-          // Non-critical, continue to preflight
-          target: "preflight",
-          actions: assign({ reconciled: false })
-        }
-      }
-    },
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 3: Preflight Checks
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    preflight: {
-      meta: { e2e: e2eMeta.preflight },
-      invoke: {
-        src: "preflight",
-        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
-        onDone: [
-          {
-            guard: ({ event }) => event.output.passed === false,
-            target: "failed",
-            actions: assign({
-              error: ({ event }) => event.output.error ?? "Preflight failed"
-            })
-          },
-          {
-            target: "snapshot",
-            actions: assign({ preflightPassed: true })
-          }
-        ],
-        onError: {
-          target: "failed",
-          actions: assign({
-            error: ({ event }) => event.error instanceof Error ? event.error.message : "Preflight failed"
-          })
-        }
-      }
-    },
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 4: Snapshot (optional)
-    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    snapshot: {
-      meta: { e2e: e2eMeta.snapshot },
-      invoke: {
-        src: "snapshot",
-        input: ({ context }) => ({
-          ctx: assertStepCtx(context),
-          autoSnapshot: context.stepCtx?.autoSnapshot ?? false
-        }),
-        onDone: {
-          target: "sync",
-          actions: assign({
-            snapshotCreated: ({ event }) => event.output.created
-          })
-        },
-        onError: {
-          // Non-critical, continue to sync
-          target: "sync",
-          actions: assign({ snapshotCreated: false })
+          target: "failed",
+          actions: assign({
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Setup failed"
+          })
         }
       }
     },
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 5: Sync Schema
+    // Step 2: Reconcile (optional)
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    sync: {
-      meta: { e2e: e2eMeta.sync },
+    reconcile: {
+      meta: { e2e: e2eMeta.reconcile },
       invoke: {
-        src: "syncSchema",
-        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
+        src: "reconcile",
+        input: ({ context }) => ({
+          ctx: assertStepCtx(context),
+          autoApprove: context.input.autoApprove ?? false,
+          force: context.input.force ?? false
+        }),
         onDone: [
           {
-            guard: ({ event }) => event.output.applied === false && event.output.error != null,
-            target: "report",
+            guard: ({ event }) => event.output.passed === false,
+            target: "failed",
             actions: assign({
-              applied: false,
-              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
-              stepsCompleted: ({ event }) => event.output.stepsCompleted,
-              error: ({ event }) => event.output.error ?? "Sync failed"
+              error: ({ event }) => event.output.error ?? "Reconcile failed"
             })
           },
           {
-            target: "report",
-            actions: assign({
-              applied: ({ event }) => event.output.applied,
-              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
-              stepsCompleted: ({ event }) => event.output.stepsCompleted
-            })
+            target: "preflight",
+            actions: assign({ reconciled: true })
           }
         ],
         onError: {
-          target: "report",
-          actions: assign({
-            applied: false,
-            applyCommitted: false,
-            error: ({ event }) => event.error instanceof Error ? event.error.message : "Sync failed"
-          })
+          // Non-critical, continue to preflight
+          target: "preflight",
+          actions: assign({ reconciled: false })
         }
       }
     },
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Step 6: Write Report
+    // Step 3: Preflight Checks
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    report: {
-      meta: { e2e: e2eMeta.report },
+    preflight: {
+      meta: { e2e: e2eMeta.preflight },
       invoke: {
-        src: "writeReport",
-        input: ({ context }) => ({
-          ctx: assertStepCtx(context),
-          startTime: context.startTime,
-          stepsCompleted: context.stepsCompleted,
-          success: context.error == null,
-          error: context.error ?? void 0
-        }),
+        src: "preflight",
+        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
         onDone: [
           {
-            guard: ({ context }) => context.error != null,
+            guard: ({ event }) => event.output.passed === false,
             target: "failed",
-            actions: assign({ reportWritten: true })
+            actions: assign({
+              error: ({ event }) => event.output.error ?? "Preflight failed"
+            })
           },
           {
-            target: "done",
-            actions: assign({ reportWritten: true })
+            target: "snapshot",
+            actions: assign({ preflightPassed: true })
           }
         ],
         onError: {
           target: "failed",
-          actions: assign({ reportWritten: false })
+          actions: assign({
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Preflight failed"
+          })
         }
       }
     },
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    // Final States
+    // Step 4: Snapshot (optional)
     // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-    done: {
-      meta: { e2e: e2eMeta.done },
-      type: "final"
-    },
-    failed: {
-      meta: { e2e: e2eMeta.failed },
-      type: "final"
-    }
-  },
-  output: ({ context }) => buildMachineOutput(context)
-});
-function getDbSyncStateName(snapshot2) {
-  return snapshot2.value;
-}
-function isDbSyncComplete(snapshot2) {
-  return snapshot2.status === "done";
-}
-function getDbSyncError(snapshot2) {
-  return snapshot2.context.error;
-}
-
-// src/commands/db/sync/guardrail-orchestrator.ts
-init_esm_shims();
-
-// src/commands/db/sync/schema-guardrail.ts
-init_esm_shims();
-
-// src/commands/db/sync/schema-guardrail-config.ts
-init_esm_shims();
-
-// src/commands/db/sync/schema-guardrail-config-test-support.ts
-init_esm_shims();
-function extractFirstStringMatch(content, fieldName) {
-  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*['"]([^'"]+)['"]`));
-  return match?.[1];
-}
-function extractFirstNumberMatch(content, fieldName) {
-  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*(-?\\d+(?:\\.\\d+)?)`));
-  if (!match?.[1]) {
-    return void 0;
-  }
-  const parsed = Number(match[1]);
-  return Number.isFinite(parsed) ? parsed : void 0;
-}
-function extractStringArrayMatch(content, fieldName) {
-  const match = content.match(new RegExp(`${fieldName}\\s*:\\s*\\[([\\s\\S]*?)\\]`));
-  if (!match?.[1]) {
-    return [];
-  }
-  return Array.from(match[1].matchAll(/['"]([^'"]+)['"]/g), (entry) => entry[1] ?? "").filter(
-    (value) => value.length > 0
-  );
-}
-function extractNamedObjectBlock(content, fieldName) {
-  const nameMatch = new RegExp(`${fieldName}\\s*:\\s*\\{`).exec(content);
-  if (!nameMatch) {
-    return null;
-  }
-  const startIndex = nameMatch.index + nameMatch[0].length - 1;
-  let depth = 0;
-  for (let index = startIndex; index < content.length; index += 1) {
-    const current = content[index];
-    if (current === "{") {
-      depth += 1;
-    } else if (current === "}") {
-      depth -= 1;
-      if (depth === 0) {
-        return content.slice(startIndex + 1, index);
-      }
-    }
-  }
-  return null;
-}
-function extractAllowedDuplicateFunctions(content, normalizers) {
-  const match = content.match(/allowedDuplicateFunctions\s*:\s*\[([\s\S]*?)\]/);
-  if (!match?.[1]) {
-    return [];
-  }
-  const entries = [];
-  for (const objectMatch of match[1].matchAll(/\{([\s\S]*?)\}/g)) {
-    const objectBody = objectMatch[1] ?? "";
-    const qualifiedName = extractFirstStringMatch(objectBody, "qualifiedName");
-    const signature = extractFirstStringMatch(objectBody, "signature");
-    const reason = extractFirstStringMatch(objectBody, "reason");
-    if (!qualifiedName || !signature || !reason) {
-      continue;
-    }
-    entries.push({
-      qualifiedName: normalizers.normalizeFunctionQualifiedName(qualifiedName),
-      signature: normalizers.normalizeAllowlistSignature(signature),
-      reason,
-      declarativeFile: extractFirstStringMatch(objectBody, "declarativeFile"),
-      idempotentFile: extractFirstStringMatch(objectBody, "idempotentFile"),
-      expectedBodyHash: extractFirstStringMatch(objectBody, "expectedBodyHash")
-    });
-  }
-  return entries;
-}
-function tryLoadSchemaGuardrailConfigFromText(params) {
-  const configPath = findRunaConfig(params.targetDir);
-  if (!configPath || !existsSync(configPath)) {
-    return null;
-  }
-  try {
-    const content = readFileSync(configPath, "utf-8");
-    const schemaGuardrailsBlock = extractNamedObjectBlock(content, "schemaGuardrails") ?? "";
-    const pgSchemaDiffBlock = extractNamedObjectBlock(content, "pgSchemaDiff") ?? "";
-    return {
-      ...params.defaults,
-      declarativeSqlDir: extractFirstStringMatch(schemaGuardrailsBlock, "declarativeSqlDir") ?? params.defaults.declarativeSqlDir,
-      allowedDuplicateFunctions: extractAllowedDuplicateFunctions(
-        schemaGuardrailsBlock,
-        params.normalizers
-      ),
-      generatedHeaderRewriteTargets: params.normalizers.normalizeFileList(
-        extractStringArrayMatch(schemaGuardrailsBlock, "generatedHeaderRewriteTargets").map(
-          (value) => params.normalizers.normalizePathForMatch(value)
-        )
-      ),
-      semanticWarnings: {
-        threshold: extractFirstNumberMatch(schemaGuardrailsBlock, "threshold") ?? params.defaults.semanticWarnings.threshold,
-        maxCandidates: extractFirstNumberMatch(schemaGuardrailsBlock, "maxCandidates") ?? params.defaults.semanticWarnings.maxCandidates,
-        ignorePairs: new Set(
-          extractStringArrayMatch(schemaGuardrailsBlock, "ignorePairs").map(
-            (value) => params.normalizers.normalizeSuppressionPair(value)
-          )
-        )
-      },
-      tableHeaderMaxWidth: extractFirstNumberMatch(schemaGuardrailsBlock, "tableHeaderMaxWidth") ?? params.defaults.tableHeaderMaxWidth,
-      excludeFromOrphanDetection: extractStringArrayMatch(
-        pgSchemaDiffBlock,
-        "excludeFromOrphanDetection"
-      ),
-      idempotentSqlDir: extractFirstStringMatch(pgSchemaDiffBlock, "idempotentSqlDir") ?? params.defaults.idempotentSqlDir
-    };
-  } catch {
-    return null;
-  }
-}
-
-// src/commands/db/sync/schema-guardrail-config.ts
-var DEFAULT_TABLE_HEADER_MAX_WIDTH = 160;
-var DEFAULT_SEMANTIC_WARNING_THRESHOLD = 0.55;
-var DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES = 3;
-var GENERIC_SIMILARITY_COLUMNS = /* @__PURE__ */ new Set([
-  "id",
-  "created_at",
-  "updated_at",
-  "deleted_at",
-  "scope_id"
-]);
-function normalizePathForMatch(filePath) {
-  return filePath.replaceAll("\\", "/");
-}
-function normalizeFunctionQualifiedName(value) {
-  return value.trim().toLowerCase();
-}
-function normalizeAllowlistSignature(value) {
-  return value.replace(/\s+/g, " ").trim();
-}
-function normalizeSuppressionPair(value) {
-  return value.split("::").map((part) => part.trim().toLowerCase()).filter((part) => part.length > 0).sort((left, right) => left.localeCompare(right)).join("::");
-}
-function normalizeFileList(files) {
-  return [...new Set(files)].sort((a, b) => a.localeCompare(b));
-}
-function isSchemaGuardrailTextFallbackAllowed() {
-  return Boolean(process.env.VITEST);
-}
-function createDefaultSchemaGuardrailConfig() {
-  return {
-    declarativeSqlDir: "supabase/schemas/declarative",
-    allowedDuplicateFunctions: [],
-    generatedHeaderRewriteTargets: [],
-    semanticWarnings: {
-      threshold: DEFAULT_SEMANTIC_WARNING_THRESHOLD,
-      maxCandidates: DEFAULT_SEMANTIC_WARNING_MAX_CANDIDATES,
-      ignorePairs: /* @__PURE__ */ new Set()
+    snapshot: {
+      meta: { e2e: e2eMeta.snapshot },
+      invoke: {
+        src: "snapshot",
+        input: ({ context }) => ({
+          ctx: assertStepCtx(context),
+          autoSnapshot: context.stepCtx?.autoSnapshot ?? false
+        }),
+        onDone: {
+          target: "sync",
+          actions: assign({
+            snapshotCreated: ({ event }) => event.output.created
+          })
+        },
+        onError: {
+          // Non-critical, continue to sync
+          target: "sync",
+          actions: assign({ snapshotCreated: false })
+        }
+      }
     },
-    tableHeaderMaxWidth: DEFAULT_TABLE_HEADER_MAX_WIDTH,
-    excludeFromOrphanDetection: [],
-    idempotentSqlDir: "supabase/schemas/idempotent"
-  };
-}
-function loadAllowedDuplicatesFromSchemaOwnership(targetDir) {
-  const candidates = [
-    join(targetDir, "supabase", "schemas", "schema-ownership.json"),
-    join(targetDir, "schema-ownership.json")
-  ];
-  for (const filePath of candidates) {
-    if (!existsSync(filePath)) continue;
-    try {
-      const raw = JSON.parse(readFileSync(filePath, "utf-8"));
-      const allowedDuplicates = raw?.rules?.allowed_duplicates;
-      if (!Array.isArray(allowedDuplicates)) continue;
-      return allowedDuplicates.filter(
-        (entry) => typeof entry === "object" && entry !== null && "qualifiedName" in entry && typeof entry.qualifiedName === "string"
-      ).map((entry) => ({
-        qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
-        signature: normalizeAllowlistSignature(entry.signature ?? ""),
-        reason: entry.reason ?? "Loaded from schema-ownership.json"
-      }));
-    } catch {
-    }
-  }
-  return [];
-}
-function loadSchemaGuardrailConfig(targetDir) {
-  const defaults = createDefaultSchemaGuardrailConfig();
-  try {
-    const config = loadRunaConfig(targetDir);
-    const databaseConfig = config.database ?? {};
-    return {
-      declarativeSqlDir: databaseConfig.schemaGuardrails?.declarativeSqlDir ?? defaults.declarativeSqlDir,
-      allowedDuplicateFunctions: [
-        ...databaseConfig.schemaGuardrails?.allowedDuplicateFunctions?.map((entry) => ({
-          ...entry,
-          qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
-          signature: normalizeAllowlistSignature(entry.signature),
-          declarativeFile: entry.declarativeFile ? normalizePathForMatch(entry.declarativeFile) : void 0,
-          idempotentFile: entry.idempotentFile ? normalizePathForMatch(entry.idempotentFile) : void 0
-        })) ?? [],
-        // Fallback: merge schema-ownership.json allowed_duplicates if present
-        ...loadAllowedDuplicatesFromSchemaOwnership(targetDir)
-      ],
-      generatedHeaderRewriteTargets: normalizeFileList(
-        (databaseConfig.schemaGuardrails?.generatedHeaderRewriteTargets ?? []).map(
-          (value) => normalizePathForMatch(value)
-        )
-      ),
-      semanticWarnings: {
-        threshold: databaseConfig.schemaGuardrails?.semanticWarnings?.threshold ?? defaults.semanticWarnings.threshold,
-        maxCandidates: databaseConfig.schemaGuardrails?.semanticWarnings?.maxCandidates ?? defaults.semanticWarnings.maxCandidates,
-        ignorePairs: new Set(
-          (databaseConfig.schemaGuardrails?.semanticWarnings?.ignorePairs ?? []).map(
-            (value) => normalizeSuppressionPair(value)
-          )
-        )
-      },
-      tableHeaderMaxWidth: databaseConfig.schemaGuardrails?.tableHeaderMaxWidth ?? defaults.tableHeaderMaxWidth,
-      excludeFromOrphanDetection: databaseConfig.pgSchemaDiff?.excludeFromOrphanDetection ?? [],
-      idempotentSqlDir: databaseConfig.pgSchemaDiff?.idempotentSqlDir ?? defaults.idempotentSqlDir
-    };
-  } catch (error) {
-    if (isSchemaGuardrailTextFallbackAllowed()) {
-      return tryLoadSchemaGuardrailConfigFromText({
-        targetDir,
-        defaults,
-        normalizers: {
-          normalizeAllowlistSignature,
-          normalizeFileList,
-          normalizeFunctionQualifiedName,
-          normalizePathForMatch,
-          normalizeSuppressionPair
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    // Step 5: Sync Schema
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    sync: {
+      meta: { e2e: e2eMeta.sync },
+      invoke: {
+        src: "syncSchema",
+        input: ({ context }) => ({ ctx: assertStepCtx(context) }),
+        onDone: [
+          {
+            guard: ({ event }) => event.output.applied === false && event.output.error != null,
+            target: "report",
+            actions: assign({
+              applied: false,
+              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
+              stepsCompleted: ({ event }) => event.output.stepsCompleted,
+              error: ({ event }) => event.output.error ?? "Sync failed"
+            })
+          },
+          {
+            target: "report",
+            actions: assign({
+              applied: ({ event }) => event.output.applied,
+              applyCommitted: ({ event }) => event.output.applyCommitted ?? false,
+              stepsCompleted: ({ event }) => event.output.stepsCompleted
+            })
+          }
+        ],
+        onError: {
+          target: "report",
+          actions: assign({
+            applied: false,
+            applyCommitted: false,
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Sync failed"
+          })
         }
-      }) ?? defaults;
+      }
+    },
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    // Step 6: Write Report
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    report: {
+      meta: { e2e: e2eMeta.report },
+      invoke: {
+        src: "writeReport",
+        input: ({ context }) => ({
+          ctx: assertStepCtx(context),
+          startTime: context.startTime,
+          stepsCompleted: context.stepsCompleted,
+          success: context.error == null,
+          error: context.error ?? void 0
+        }),
+        onDone: [
+          {
+            guard: ({ context }) => context.error != null,
+            target: "failed",
+            actions: assign({ reportWritten: true })
+          },
+          {
+            target: "done",
+            actions: assign({ reportWritten: true })
+          }
+        ],
+        onError: {
+          target: "failed",
+          actions: assign({ reportWritten: false })
+        }
+      }
+    },
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    // Final States
+    // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    done: {
+      meta: { e2e: e2eMeta.done },
+      type: "final"
+    },
+    failed: {
+      meta: { e2e: e2eMeta.failed },
+      type: "final"
     }
-    throw error;
-  }
+  },
+  output: ({ context }) => buildMachineOutput(context)
+});
+function getDbSyncStateName(snapshot2) {
+  return snapshot2.value;
 }
+function isDbSyncComplete(snapshot2) {
+  return snapshot2.status === "done";
+}
+function getDbSyncError(snapshot2) {
+  return snapshot2.context.error;
+}
+
+// src/commands/db/sync/guardrail-orchestrator.ts
+init_esm_shims();
+
+// src/commands/db/sync/schema-guardrail.ts
+init_esm_shims();
 
 // src/commands/db/sync/schema-guardrail-graph.ts
 init_esm_shims();
 
 // src/commands/db/sync/schema-guardrail-runtime.ts
 init_esm_shims();
-function stableSorted(values, map) {
+function stableSorted2(values, map) {
   return [...values].sort((a, b) => map(a).localeCompare(map(b)));
 }
 function normalizeFkSet(foreignKeys) {
@@ -5485,8 +5572,8 @@ function reconcileRuntimeGraph(params) {
     });
   }
   return {
-    warnings: stableSorted(warnings, (value) => value.target),
-    contradictions: stableSorted(contradictions, (value) => `${value.code}.${value.target}`)
+    warnings: stableSorted2(warnings, (value) => value.target),
+    contradictions: stableSorted2(contradictions, (value) => `${value.code}.${value.target}`)
   };
 }
 function runSchemaGuardrailRuntime(input) {
@@ -5516,7 +5603,7 @@ function runSchemaGuardrailRuntime(input) {
 
 // src/commands/db/sync/schema-guardrail-local-blockers.ts
 init_esm_shims();
-function stableSorted2(values, keyOf) {
+function stableSorted3(values, keyOf) {
   return [...values].sort((left, right) => keyOf(left).localeCompare(keyOf(right)));
 }
 function createCrossSchemaHelperSuggestion(_filePath) {
@@ -5545,7 +5632,7 @@ function buildRawCrossSchemaRlsBlockers(params) {
       });
     }
   }
-  return stableSorted2(
+  return stableSorted3(
     blockers,
     (value) => `${value.sourceFile}:${value.line ?? 0}:${value.target}`
   );
@@ -5572,7 +5659,7 @@ function buildExtensionPlacementBlockers(params) {
       });
     }
   }
-  return stableSorted2(
+  return stableSorted3(
     blockers,
     (value) => `${value.sourceFile}:${value.line ?? 0}:${value.target}`
   );
@@ -5663,7 +5750,7 @@ function buildDynamicSqlBlockers(params) {
       blockers.push(...stmtBlockers);
     }
   }
-  return stableSorted2(blockers, (value) => `${value.sourceFile}:${value.line ?? 0}:${value.kind}`);
+  return stableSorted3(blockers, (value) => `${value.sourceFile}:${value.line ?? 0}:${value.kind}`);
 }
 function buildLocalBlindSpotBlockers(params) {
   const blockers = [
@@ -5680,7 +5767,7 @@ function buildLocalBlindSpotBlockers(params) {
       requiredFile: detectExtensionFilePath()
     })
   ];
-  return stableSorted2(
+  return stableSorted3(
     blockers,
     (value) => `${value.kind}:${value.sourceFile}:${value.line ?? 0}:${value.target}`
   );
@@ -5688,7 +5775,7 @@ function buildLocalBlindSpotBlockers(params) {
 
 // src/commands/db/sync/schema-guardrail-semantic-warnings.ts
 init_esm_shims();
-function stableSorted3(values, map) {
+function stableSorted4(values, map) {
   return [...values].sort((a, b) => map(a).localeCompare(map(b)));
 }
 function normalizeFkSet2(foreignKeys) {
@@ -5893,50 +5980,7 @@ function buildSemanticDuplicateWarnings(params) {
       suppressionKey: createSuppressionPair(proposed.qualifiedName, primary.qualifiedName)
     });
   }
-  return stableSorted3(warnings, (value) => `${value.proposedTable}.${value.suppressionKey}`);
-}
-
-// src/commands/db/sync/schema-guardrail-graph-types.ts
-init_esm_shims();
-var GENERATOR_VERSION = "1.0.0";
-var SQL_IDENTIFIER_PATTERN = /"(?:[^"]|"")+"|[A-Za-z_][A-Za-z0-9_$]*/g;
-var SQL_EXTENSION_IDENTIFIER_PATTERN = /"(?:[^"]|"")+"|[A-Za-z0-9_-]+/g;
-var QUALIFIED_SQL_OBJECT_RE = /\b([A-Za-z_][A-Za-z0-9_$]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_$]*)\b/g;
-var SECURITY_DEFINER_RE = /\bSECURITY\s+DEFINER\b/i;
-var SEARCH_PATH_LOCK_RE = /\bSET\s+search_path\s*(?:=|TO)\s*''/i;
-var MANAGED_BOUNDARY_SCHEMAS = [
-  "auth",
-  "storage",
-  "extensions",
-  "net",
-  "supabase_functions"
-];
-var TRIGGER_GUIDANCE_SUPPRESSED_FUNCTIONS = /* @__PURE__ */ new Set(["public.handle_updated_at()"]);
-var MAX_SCHEMA_GUIDANCE_TARGETS_PER_FILE = 3;
-function makeGraphVersion(graph) {
-  const canonical = JSON.stringify(graph);
-  const hash = createHash("sha256").update(canonical).digest("hex");
-  return `sha256:${hash}`;
-}
-function currentIsoTimestamp() {
-  return (/* @__PURE__ */ new Date()).toISOString();
-}
-function stableSorted4(values, map) {
-  return [...values].sort((a, b) => map(a).localeCompare(map(b)));
-}
-function normalizeFileList2(files) {
-  return [...new Set(files)].sort((a, b) => a.localeCompare(b));
-}
-function normalizePolicyCommand(input) {
-  switch (input.toLowerCase()) {
-    case "select":
-    case "insert":
-    case "update":
-    case "delete":
-      return input.toLowerCase();
-    default:
-      return "all";
-  }
+  return stableSorted4(warnings, (value) => `${value.proposedTable}.${value.suppressionKey}`);
 }
 
 // src/commands/db/sync/schema-guardrail-graph-nodes.ts
@@ -5960,37 +6004,6 @@ function buildFunctionBodyHashMap(files, layer) {
   }
   return hashes;
 }
-function isAllowlistedDuplicateFunction(params) {
-  const { finding, allowlist, bodyHashes } = params;
-  if (!finding.signature) return false;
-  return allowlist.some((entry) => {
-    if (normalizeFunctionQualifiedName(entry.qualifiedName) !== normalizeFunctionQualifiedName(finding.qualifiedName)) {
-      return false;
-    }
-    if (normalizeAllowlistSignature(entry.signature) !== normalizeAllowlistSignature(finding.signature ?? "")) {
-      return false;
-    }
-    if (entry.declarativeFile && !finding.declarativeDefinitions.some(
-      (definition) => normalizePathForMatch(definition.file) === entry.declarativeFile
-    )) {
-      return false;
-    }
-    if (entry.idempotentFile && !finding.idempotentDefinitions.some(
-      (definition) => normalizePathForMatch(definition.file) === entry.idempotentFile
-    )) {
-      return false;
-    }
-    if (!entry.expectedBodyHash) {
-      return true;
-    }
-    const definitions = [...finding.declarativeDefinitions, ...finding.idempotentDefinitions];
-    if (definitions.length === 0) return false;
-    return definitions.every((definition) => {
-      const key = `${definition.layer}:${definition.file}:${definition.line}`;
-      return bodyHashes.get(key) === entry.expectedBodyHash;
-    });
-  });
-}
 function normalizeQualifiedObjectRef(schema, name, isFunctionCall) {
   return `${schema}.${name}${isFunctionCall ? "()" : ""}`;
 }
@@ -6013,8 +6026,8 @@ function collectQualifiedObjectRefs(params) {
     schemas.add(schema);
   }
   return {
-    refs: stableSorted4(refs, (value) => value),
-    schemas: stableSorted4(schemas, (value) => value)
+    refs: stableSorted(refs, (value) => value),
+    schemas: stableSorted(schemas, (value) => value)
   };
 }
 function isSearchPathLocked(statement) {
@@ -6052,7 +6065,7 @@ function buildDefinedFunctionMetadataByFile(params) {
     }
     metadataByFile.set(
       file.relativePath,
-      stableSorted4(fileMetadata, (value) => value.qualifiedSignature)
+      stableSorted(fileMetadata, (value) => value.qualifiedSignature)
     );
   }
   return metadataByFile;
@@ -6146,13 +6159,13 @@ async function buildDeclarativeFileRecord(file) {
     file,
     declaredSchemas: [...declaredSchemas].sort((a, b) => a.localeCompare(b)),
     createSchemaClaims: [...createSchemaClaims].sort((a, b) => a.localeCompare(b)),
-    tables: stableSorted4(
+    tables: stableSorted(
       document.tables.map((table) => ({
         schema: table.schema,
         name: table.name,
         qualifiedName: table.qualifiedName,
         lineNumber: table.lineNumber,
-        columns: stableSorted4(table.columns, (value) => value.name).map((value) => value.name),
+        columns: stableSorted(table.columns, (value) => value.name).map((value) => value.name),
         outboundForeignKeys: table.foreignKeys.map((fk) => ({
           column: fk.column,
           referencesTable: fk.referencesTable,
@@ -6163,7 +6176,7 @@ async function buildDeclarativeFileRecord(file) {
       })),
       (value) => value.qualifiedName
     ),
-    policies: stableSorted4(
+    policies: stableSorted(
       document.policies.map((policy) => ({
         name: policy.name,
         targetTable: `${policy.schema}.${policy.table}`,
@@ -6217,10 +6230,10 @@ function collectDeclarativeClaims(records) {
   };
 }
 function createDuplicateTableOwners(tableOwnerClaims) {
-  return stableSorted4(
+  return stableSorted(
     [...tableOwnerClaims.entries()].filter(([, files]) => files.size > 1).map(([qualifiedName, files]) => ({
       qualifiedName,
-      files: normalizeFileList2(files)
+      files: normalizeFileList(files)
     })),
     (value) => value.qualifiedName
   );
@@ -6234,7 +6247,7 @@ function buildFunctionValidationArtifacts(params) {
     ...buildFunctionBodyHashMap(params.declarativeFiles, "declarative"),
     ...buildFunctionBodyHashMap(params.idempotentFiles, "idempotent")
   ]);
-  const duplicateFunctionOwners = stableSorted4(
+  const duplicateFunctionOwners = stableSorted(
     functionAnalysis.findings.filter(
       (finding) => !isAllowlistedDuplicateFunction({
         finding,
@@ -6244,16 +6257,16 @@ function buildFunctionValidationArtifacts(params) {
     ).map((finding) => ({
       qualifiedName: finding.qualifiedName,
       signature: finding.signature,
-      declarativeFiles: normalizeFileList2(
+      declarativeFiles: normalizeFileList(
         finding.declarativeDefinitions.map((value) => value.file)
       ),
-      idempotentFiles: normalizeFileList2(
+      idempotentFiles: normalizeFileList(
         finding.idempotentDefinitions.map((value) => value.file)
       )
     })),
     (value) => `${value.qualifiedName}.${value.signature ?? ""}`
   );
-  const functionClaims = stableSorted4(
+  const functionClaims = stableSorted(
     [
       ...functionAnalysis.definitions.declarative.map((definition) => ({
         qualifiedName: definition.qualifiedName,
@@ -6282,7 +6295,7 @@ function buildFunctionValidationArtifacts(params) {
 function buildOwnerFileByTable(tableOwnerClaims) {
   const ownerFileByTable = /* @__PURE__ */ new Map();
   for (const [qualifiedName, files] of tableOwnerClaims.entries()) {
-    const normalizedFiles = normalizeFileList2(files);
+    const normalizedFiles = normalizeFileList(files);
     if (normalizedFiles[0]) {
       ownerFileByTable.set(qualifiedName, normalizedFiles[0]);
     }
@@ -6302,7 +6315,7 @@ function buildPolicyOwnershipConflicts(params) {
       conflicts.push({
         policyName: policyClaim.name,
         targetTable: policyClaim.targetTable,
-        files: normalizeFileList2([policyClaim.sourceFile]),
+        files: normalizeFileList([policyClaim.sourceFile]),
         tableOwnerFile: ownerFile
       });
     }
@@ -6313,11 +6326,11 @@ function buildPolicyOwnershipConflicts(params) {
     conflicts.push({
       policyName,
       targetTable,
-      files: normalizeFileList2(files),
+      files: normalizeFileList(files),
       tableOwnerFile: params.ownerFileByTable.get(targetTable) ?? ""
     });
   }
-  return stableSorted4(
+  return stableSorted(
     conflicts,
     (value) => `${value.targetTable}.${value.policyName}.${value.files.join(",")}`
   );
@@ -6333,16 +6346,16 @@ function buildTableNodesByName(params) {
         ownerFile: record.file.relativePath,
         lineNumber: table.lineNumber,
         columns: table.columns,
-        outboundForeignKeys: stableSorted4(
+        outboundForeignKeys: stableSorted(
           table.outboundForeignKeys,
           (value) => `${value.referencesTable}.${value.column}`
         ),
         inboundForeignKeys: [],
-        policies: stableSorted4(
+        policies: stableSorted(
           params.tablePolicies.get(table.qualifiedName) ?? [],
           (value) => value.name
         ),
-        triggers: stableSorted4(
+        triggers: stableSorted(
           record.triggersByTable.get(table.qualifiedName) ?? [],
           (value) => value.name
         )
@@ -6366,7 +6379,7 @@ function attachInboundForeignKeys(tableNodesByName) {
     }
   }
   for (const tableNode of tableNodesByName.values()) {
-    tableNode.inboundForeignKeys = stableSorted4(
+    tableNode.inboundForeignKeys = stableSorted(
       tableNode.inboundForeignKeys,
       (value) => `${value.fromTable}.${value.fromColumn}`
     );
@@ -6385,12 +6398,12 @@ function buildFileDependencies(params) {
       fileDependencyMap.set(tableNode.ownerFile, edges);
     }
   }
-  return stableSorted4(
+  return stableSorted(
     [...fileDependencyMap.entries()].flatMap(
       ([fromFile, toMap]) => [...toMap.entries()].map(([toFile, viaTables]) => ({
         fromFile,
         toFile,
-        viaTables: normalizeFileList2(viaTables)
+        viaTables: normalizeFileList(viaTables)
       }))
     ),
     (value) => `${value.fromFile}->${value.toFile}`
@@ -6412,7 +6425,7 @@ function buildFileNodes(params) {
     ["22_observability_cron.sql", "cron-registration"],
     ["25_storage_seed_bucket.sql", "storage-bootstrap"]
   ]);
-  return stableSorted4(
+  return stableSorted(
     [
       ...params.records.map((record) => {
         const definedFunctions = params.definedFunctionMetadataByFile.get(record.file.relativePath) ?? [];
@@ -6422,7 +6435,7 @@ function buildFileNodes(params) {
           schemas: [],
           refs: []
         };
-        const triggerFunctions = stableSorted4(
+        const triggerFunctions = stableSorted(
           new Set(
             [...record.triggersByTable.values()].flat().map((trigger) => normalizeTriggerFunctionToken(trigger.functionName)).filter((value) => value !== null)
           ),
@@ -6435,7 +6448,7 @@ function buildFileNodes(params) {
           domainName: path12.basename(record.file.relativePath, ".sql"),
           declaredSchemas: record.declaredSchemas,
           ownedTables: record.tables.map((table) => table.qualifiedName),
-          forwardDependsOnFiles: stableSorted4(
+          forwardDependsOnFiles: stableSorted(
             params.fileDependencies.filter((edge) => edge.fromFile === record.file.relativePath).map((edge) => edge.toFile),
             (value) => value
           ),
@@ -6443,7 +6456,7 @@ function buildFileNodes(params) {
           securityDefinerFunctions: definedFunctions.filter((value) => value.securityDefiner).map((value) => value.qualifiedSignature),
           securityDefinerContracts: definedFunctions.filter((value) => value.securityDefiner && value.searchPathLocked).map((value) => value.qualifiedSignature),
           triggerFunctions,
-          functionCrossSchemaRefs: stableSorted4(
+          functionCrossSchemaRefs: stableSorted(
             new Set(definedFunctions.flatMap((value) => value.crossSchemaRefs)),
             (value) => value
           ),
@@ -6453,7 +6466,7 @@ function buildFileNodes(params) {
           touchedExtensions: [],
           touchedFunctions: [],
           touchedPolicies: [],
-          policyCrossSchemaRefs: stableSorted4(
+          policyCrossSchemaRefs: stableSorted(
             new Set(
               collectPolicyCrossSchemaReferences({
                 content: record.file.content,
@@ -6490,7 +6503,7 @@ function buildFileNodes(params) {
           securityDefinerFunctions: definedFunctions.filter((value) => value.securityDefiner).map((value) => value.qualifiedSignature),
           securityDefinerContracts: definedFunctions.filter((value) => value.securityDefiner && value.searchPathLocked).map((value) => value.qualifiedSignature),
           triggerFunctions: [],
-          functionCrossSchemaRefs: stableSorted4(
+          functionCrossSchemaRefs: stableSorted(
             new Set(definedFunctions.flatMap((value) => value.crossSchemaRefs)),
             (value) => value
           ),
@@ -6653,7 +6666,7 @@ function extractTouchedSchemas(content) {
       }
     }
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function extractTouchedFunctions(content) {
   const touched = /* @__PURE__ */ new Set();
@@ -6670,7 +6683,7 @@ function extractTouchedFunctions(content) {
       }
     }
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function normalizeExtensionIdentifier(identifier) {
   const trimmed = identifier.trim();
@@ -6693,7 +6706,7 @@ function extractTouchedExtensions(content) {
     }
     touched.add(normalizeExtensionIdentifier(identifier));
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function extractTouchedPolicies(content) {
   const touched = /* @__PURE__ */ new Set();
@@ -6707,7 +6720,7 @@ function extractTouchedPolicies(content) {
     }
     touched.add(`${schemaName}.${tableName}.${policyName}`);
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function extractIdempotentTouchMetadata(file) {
   const sanitizedContent = sanitizeIdempotentTouchScanContent(file.content);
@@ -6725,7 +6738,7 @@ function buildIdempotentTouchMetadata(files) {
 // src/commands/db/sync/schema-guardrail-graph-guidance.ts
 init_esm_shims();
 function summarizeBoundaryTargets(targets) {
-  const sortedTargets = stableSorted4(new Set(targets), (value) => value);
+  const sortedTargets = stableSorted(new Set(targets), (value) => value);
   if (sortedTargets.length <= 2) {
     return sortedTargets.join(", ");
   }
@@ -6878,7 +6891,7 @@ function buildUnlockedSecurityDefinerGuidanceWarnings(params) {
     return [];
   }
   const lockedContracts = new Set(params.fileNode.securityDefinerContracts);
-  const unlockedFunctions = stableSorted4(
+  const unlockedFunctions = stableSorted(
     params.fileNode.securityDefinerFunctions.filter(
       (qualifiedName) => !lockedContracts.has(qualifiedName)
     ),
@@ -6942,7 +6955,7 @@ function buildSecurityDefinerGuidanceWarnings(params) {
   if (!suggestedIdempotentFile || !targets) {
     return [];
   }
-  const touchedSecurityDefiners = stableSorted4(
+  const touchedSecurityDefiners = stableSorted(
     new Set(targets.filter((target) => securityDefinerSet.has(target))),
     (value) => value
   );
@@ -7030,7 +7043,7 @@ function buildBoundaryGuidanceWarnings(params) {
       );
       continue;
     }
-    const touchedSchemas = stableSorted4(new Set(fileNode.touchedSchemas), (value) => value);
+    const touchedSchemas = stableSorted(new Set(fileNode.touchedSchemas), (value) => value);
     if (touchedSchemas.length <= MAX_SCHEMA_GUIDANCE_TARGETS_PER_FILE) {
       for (const schema of touchedSchemas) {
         const ownerFile = schemaOwnerByName.get(schema);
@@ -7067,7 +7080,7 @@ function buildBoundaryGuidanceWarnings(params) {
       reason: "This idempotent file applies policy DDL against a table that is structurally owned in declarative SQL."
     });
   }
-  return stableSorted4(
+  return stableSorted(
     warnings,
     (value) => `${value.sourceFile}.${value.kind}.${value.suggestedDeclarativeFile ?? ""}.${value.suggestedIdempotentFile ?? ""}.${value.target}`
   );
@@ -7143,7 +7156,7 @@ function validateDispatchCoverage(argsByFunction, sources) {
       }
     }
   }
-  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+  return stableSorted(warnings, (w) => `${w.sourceFile}:${w.target}`);
 }
 var CREATE_INDEX_PATTERN = /^\s*CREATE\s+(?:UNIQUE\s+)?(?:INDEX\s+)?(?:CONCURRENTLY\s+)?(?:IF\s+NOT\s+EXISTS\s+)?(?:"([^"]+)"|([A-Za-z_]\w*))\s+ON\b/gim;
 function extractIndexNames(content) {
@@ -7178,7 +7191,7 @@ function buildCrossLayerDuplicateIndexWarnings(sources) {
       }
     }
   }
-  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+  return stableSorted(warnings, (w) => `${w.sourceFile}:${w.target}`);
 }
 
 // src/commands/db/sync/schema-guardrail-graph.ts
@@ -7189,11 +7202,11 @@ function loadSqlSources(targetDir, config) {
   };
 }
 function buildSchemaNodes(params) {
-  return stableSorted4(
+  return stableSorted(
     [...params.schemaClaims.entries()].map(([name, files]) => ({
       name,
-      claimFiles: normalizeFileList2(files),
-      createSchemaFiles: normalizeFileList2(params.createSchemaClaims.get(name) ?? [])
+      claimFiles: normalizeFileList(files),
+      createSchemaFiles: normalizeFileList(params.createSchemaClaims.get(name) ?? [])
     })),
     (value) => value.name
   );
@@ -7206,9 +7219,9 @@ function createSchemaGraphManifest(params) {
     generatorVersion: GENERATOR_VERSION,
     files: params.fileNodes,
     schemas: params.schemaNodes,
-    tables: stableSorted4(params.tableNodesByName.values(), (value) => value.qualifiedName),
+    tables: stableSorted(params.tableNodesByName.values(), (value) => value.qualifiedName),
     functionClaims: params.functionClaims,
-    policyClaims: stableSorted4(
+    policyClaims: stableSorted(
       params.policyClaims,
       (value) => `${value.targetTable}.${value.name}.${value.sourceFile}`
     ),
@@ -7235,7 +7248,12 @@ async function buildStaticGraph(targetDir, config, sources) {
   const records = await Promise.all(
     declarativeFiles.map((file) => buildDeclarativeFileRecord(file))
   );
+  const functionAclManifest = buildFunctionAclManifestFromSqlFiles(declarativeFiles);
   const idempotentTouchMetadata = buildIdempotentTouchMetadata(idempotentFiles);
+  idempotentTouchMetadata.set(
+    FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH,
+    buildFunctionAclIdempotentTouchMetadata(functionAclManifest)
+  );
   const { tableOwnerClaims, schemaClaims, createSchemaClaims, tablePolicies, policyClaims } = collectDeclarativeClaims(records);
   const duplicateTableOwners = createDuplicateTableOwners(tableOwnerClaims);
   const { duplicateFunctionOwners, functionClaims } = buildFunctionValidationArtifacts({
@@ -7297,7 +7315,7 @@ async function buildStaticGraph(targetDir, config, sources) {
     policyClaims,
     fileDependencies
   });
-  const multiFileSchemas = stableSorted4(
+  const multiFileSchemas = stableSorted(
     graph.schemas.filter((schemaNode) => schemaNode.claimFiles.length > 1).map((schemaNode) => ({
       schema: schemaNode.name,
       files: schemaNode.claimFiles
@@ -7329,6 +7347,7 @@ async function buildStaticGraph(targetDir, config, sources) {
   });
   return {
     graph,
+    functionAclManifest,
     duplicateTableOwners,
     duplicateFunctionOwners,
     policyOwnershipConflicts,
@@ -7345,8 +7364,8 @@ var GUARDRAIL_PHASE_LABELS = {
   load_sources: "Load declarative SQL sources",
   build_static_graph: "Build static SQL graph",
   validate_ownership: "Validate ownership",
-  compare_generated_headers: "Compare generated headers",
-  refresh_generated_headers: "Refresh generated headers",
+  compare_generated_headers: "Compare generated SQL artifacts",
+  refresh_generated_headers: "Refresh generated SQL artifacts",
   handoff_db_sync: "Hand off to db sync",
   runtime_reconcile: "Runtime reconcile",
   publish_report: "Publish report"
@@ -7435,7 +7454,7 @@ function createCheckModePhases(report) {
           details: {
             file: block.file,
             target: block.target,
-            repair: "Run `runa db sync` to auto-regenerate headers"
+            repair: "Run `runa db sync` to auto-regenerate managed SQL artifacts"
           }
         }))
       })
@@ -7937,12 +7956,35 @@ function buildHeaderRewritePlans(params) {
 }
 function loadHeaderRewritePlans(params) {
   try {
-    return buildHeaderRewritePlans({
+    const headerPlans = buildHeaderRewritePlans({
       targetDir: params.targetDir,
       graph: params.graph,
       tableHeaderMaxWidth: params.config.tableHeaderMaxWidth,
       generatedHeaderRewriteTargets: params.config.generatedHeaderRewriteTargets
     });
+    const generatedFileResult = buildGeneratedFileRewritePlans({
+      targetDir: params.targetDir,
+      manifest: params.functionAclManifest
+    });
+    if ("failure" in generatedFileResult) {
+      const failureMessage = generatedFileResult.failure ?? "Unknown function ACL migration failure";
+      return {
+        failure: {
+          graph: params.graph,
+          report: setFailure2(
+            params.report,
+            "compare_generated_headers",
+            "function_acl_migration_required",
+            failureMessage
+          )
+        }
+      };
+    }
+    return {
+      staleBlocks: [...headerPlans.staleBlocks, ...generatedFileResult.staleBlocks],
+      rewritePlans: headerPlans.rewritePlans,
+      generatedFileRewritePlans: generatedFileResult.rewritePlans
+    };
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     return {
@@ -7971,7 +8013,7 @@ function finalizeCheckModeReport(params) {
           params.report,
           "compare_generated_headers",
           "stale_generated_header",
-          `Generated headers are stale in ${params.report.staleBlocks.map((value) => `${value.file}:${value.kind}`).join(", ")}`
+          `Generated SQL artifacts are stale in ${params.report.staleBlocks.map((value) => `${value.file}:${value.kind}`).join(", ")}`
         )
       };
     }
@@ -7990,6 +8032,15 @@ function rewriteManagedHeaders(params) {
       writeFileSync(path12.join(params.targetDir, plan.filePath), rewrittenSql, "utf-8");
       params.report.headersRewritten.push(plan.filePath);
     }
+    for (const plan of params.generatedFileRewritePlans) {
+      const absolutePath = path12.join(params.targetDir, plan.filePath);
+      const currentSql = existsSync(absolutePath) ? readFileSync(absolutePath, "utf-8") : "";
+      if (normalizeMultilineText(currentSql) === normalizeMultilineText(plan.expectedSql)) {
+        continue;
+      }
+      writeFileSync(absolutePath, plan.expectedSql, "utf-8");
+      params.report.headersRewritten.push(plan.filePath);
+    }
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     return {
@@ -8007,6 +8058,41 @@ function rewriteManagedHeaders(params) {
   params.report.staleBlocks = [];
   return null;
 }
+function buildGeneratedFileRewritePlans(params) {
+  const absolutePath = path12.join(params.targetDir, FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH);
+  const fileExists = existsSync(absolutePath);
+  const existingSql = fileExists ? readFileSync(absolutePath, "utf-8") : "";
+  if (!fileExists && !functionAclManifestHasEntries(params.manifest)) {
+    return {
+      staleBlocks: [],
+      rewritePlans: []
+    };
+  }
+  if (fileExists) {
+    const migrationGaps = validateFunctionAclMigration(params.manifest, existingSql);
+    if (migrationGaps.length > 0) {
+      return {
+        failure: `Function ACL migration is required before auto-generation can proceed. Add declarative annotations for: ${migrationGaps.join(", ")}`
+      };
+    }
+  }
+  const staleBlocks = !fileExists || isManagedFunctionAclFileContentStale(params.manifest, existingSql) ? [
+    {
+      file: FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH,
+      kind: "generated-file",
+      target: `file:${FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH}`
+    }
+  ] : [];
+  return {
+    staleBlocks,
+    rewritePlans: [
+      {
+        filePath: FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH,
+        expectedSql: renderFunctionAclFile(params.manifest)
+      }
+    ]
+  };
+}
 
 // src/commands/db/sync/schema-guardrail.ts
 function createEmptyReport(mode) {
@@ -8078,7 +8164,7 @@ function validateLocalBlindSpotBlockers(report, graph) {
   if (!primary) {
     return null;
   }
-  const failureCode = primary.kind === "cross-schema-rls" ? "raw_cross_schema_rls_blocked" : primary.kind === "dynamic-sql" ? "dynamic_sql_blocked" : "extension_placement_blocked";
+  const failureCode = primary.kind === "cross-schema-rls" ? "raw_cross_schema_rls_blocked" : primary.kind === "dynamic-sql" || primary.kind === "dynamic-sql-infra" ? "dynamic_sql_blocked" : "extension_placement_blocked";
   return {
     graph,
     report: setFailure3(report, "validate_ownership", failureCode, primary.details)
@@ -8169,6 +8255,7 @@ async function runSchemaGuardrailStatic(input) {
   const headerPlanResult = loadHeaderRewritePlans({
     targetDir: input.targetDir,
     graph: staticGraphResult.graph,
+    functionAclManifest: staticGraphResult.functionAclManifest,
     config,
     report
   });
@@ -8190,6 +8277,7 @@ async function runSchemaGuardrailStatic(input) {
   const rewriteFailure = rewriteManagedHeaders({
     targetDir: input.targetDir,
     rewritePlans: headerPlanResult.rewritePlans,
+    generatedFileRewritePlans: headerPlanResult.generatedFileRewritePlans,
     report
   });
   if (rewriteFailure) {
@@ -12069,14 +12157,10 @@ async function collectLocalPrecheckBundle(strict) {
     guardrailAllowlist = loadSchemaGuardrailConfig(process.cwd()).allowedDuplicateFunctions;
   } catch {
   }
-  const duplicateOwnershipBlockers = duplicateOwnershipAnalysis.findings.filter(
-    (finding) => !isAllowlistedDuplicateFunction({
-      finding,
-      allowlist: guardrailAllowlist,
-      bodyHashes: /* @__PURE__ */ new Map()
-      // Hash check skipped; name + signature matching still works
-    })
-  ).map((finding) => {
+  const duplicateOwnershipBlockers = filterAllowlistedDuplicateFunctions({
+    findings: duplicateOwnershipAnalysis.findings,
+    allowlist: guardrailAllowlist
+  }).map((finding) => {
     const formatted = formatDuplicateFunctionOwnershipFinding(finding);
     return [
       formatted.summary,