@runa-ai/runa-cli 0.10.2 → 0.10.4

package/dist/{db-4AGPISOW.js → db-MB3LQIGI.js}

@@ -1,30 +1,32 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { detectDatabaseStack, getStackPaths } from './chunk-MILCC3B6.js';
-import { categorizeRisks, detectSchemaRisks } from './chunk-XFXGFUAM.js';
-import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, DbPlanOutputSchema, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, DbApplyOutputSchema, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, parsePlanOutput, validateDependencyOrder, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, formatSchemasForSql, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, assessPlanSize, formatPlanSizeSummary, extractFunctionOwnershipDefinition } from './chunk-LCJNIHZY.js';
 import { createError } from './chunk-NIS77243.js';
-import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
-export { resolveDatabaseUrl, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
-import { analyzeDeclarativeDependencyContract, formatDeclarativeDependencyViolation, parseSqlFilename, collectSqlFiles, splitSqlStatements, ALLOW_DYNAMIC_SQL_ANNOTATION, extractFirstDollarBody, sanitizeExecutableCode, detectExtensionFilePath, FUNCTION_DEFINITION_RE, blankQuotedStrings, sanitizeExecutableCodePreserveStrings, countNewlines, shouldReviewUnknownDeclarativeDdl, extractDdlObject, isNonSchemaOperation, isNonDdlMaintenanceStatement, shouldReviewUnknownIdempotentDdl } from './chunk-HWR5NUUZ.js';
-import './chunk-UHDAYPHH.js';
+import { detectDatabaseStack, getStackPaths } from './chunk-MILCC3B6.js';
+import { categorizeRisks, detectSchemaRisks } from './chunk-XVGMGFKF.js';
+import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, assessPlanSize, formatPlanSizeSummary } from './chunk-AYYHYZU7.js';
+import { DbPlanOutputSchema, DbApplyOutputSchema, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, parsePlanOutput, validateDependencyOrder, formatSchemasForSql, FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH, functionAclManifestHasEntries, validateFunctionAclMigration, isManagedFunctionAclFileContentStale, renderFunctionAclFile, buildFunctionAclManifestFromSqlFiles, buildFunctionAclIdempotentTouchMetadata, stableSorted, normalizePolicyCommand, normalizeFileList, extractFunctionOwnershipDefinition, SECURITY_DEFINER_RE, MANAGED_BOUNDARY_SCHEMAS, currentIsoTimestamp, makeGraphVersion, GENERATOR_VERSION, MAX_SCHEMA_GUIDANCE_TARGETS_PER_FILE, QUALIFIED_SQL_OBJECT_RE, SEARCH_PATH_LOCK_RE, TRIGGER_GUIDANCE_SUPPRESSED_FUNCTIONS, SQL_EXTENSION_IDENTIFIER_PATTERN, SQL_IDENTIFIER_PATTERN } from './chunk-OUMW5LKJ.js';
 import './chunk-EZ46JIEO.js';
+import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-ZDETCPCE.js';
+export { resolveDatabaseUrl, tryResolveDatabaseUrl } from './chunk-ZDETCPCE.js';
+import { analyzeDeclarativeDependencyContract, formatDeclarativeDependencyViolation, parseSqlFilename, collectSqlFiles, splitSqlStatements, ALLOW_DYNAMIC_SQL_ANNOTATION, extractFirstDollarBody, sanitizeExecutableCode, detectExtensionFilePath, FUNCTION_DEFINITION_RE, blankQuotedStrings, sanitizeExecutableCodePreserveStrings, countNewlines, shouldReviewUnknownDeclarativeDdl, extractDdlObject, isNonSchemaOperation, isNonDdlMaintenanceStatement, shouldReviewUnknownIdempotentDdl } from './chunk-HWR5NUUZ.js';
+import './chunk-47BG6DRP.js';
+import { writeEnvLocalBridge, removeEnvLocalBridge } from './chunk-KUH3G522.js';
+import { extractSchemaTablesAndEnums, fetchDbTablesAndEnums, extractTablesFromIdempotentSql, extractDynamicTablePatternsFromIdempotentSql, diffSchema, getSqlParserUtils, buildTablePatternMatcher } from './chunk-O3M7A73M.js';
+import { psqlExec, psqlQuery, blankDollarQuotedBodies, stripSqlComments, parsePostgresUrl, buildPsqlArgs, buildPsqlEnv } from './chunk-A6A7JIRD.js';
 import { loadEnvFiles } from './chunk-IWVXI5O4.js';
-import './chunk-IR7SA2ME.js';
+import './chunk-WIT46HVC.js';
 import { diagnoseSupabaseStart } from './chunk-AAIE4F2U.js';
 import { validateUserFilePath, filterSafePaths, resolveSafePath } from './chunk-B7C7CLW2.js';
 import { runMachine } from './chunk-QDF7QXBL.js';
 import './chunk-XVNDDHAF.js';
-import { writeEnvLocalBridge, removeEnvLocalBridge } from './chunk-KUH3G522.js';
-import { extractSchemaTablesAndEnums, fetchDbTablesAndEnums, extractTablesFromIdempotentSql, extractDynamicTablePatternsFromIdempotentSql, diffSchema, getSqlParserUtils, buildTablePatternMatcher } from './chunk-O3M7A73M.js';
-import { psqlExec, psqlQuery, blankDollarQuotedBodies, stripSqlComments, parsePostgresUrl, buildPsqlArgs, buildPsqlEnv } from './chunk-A6A7JIRD.js';
 import { redactSecrets } from './chunk-II7VYQEM.js';
-import { init_local_supabase, init_constants, detectLocalSupabasePorts, buildLocalDatabaseUrl, DATABASE_DEFAULTS, SEED_DEFAULTS, SCRIPT_LOCATIONS } from './chunk-QSEF4T3Y.js';
-export { DATABASE_DEFAULTS, SCRIPT_LOCATIONS, SEED_DEFAULTS } from './chunk-QSEF4T3Y.js';
+import { init_constants, DATABASE_DEFAULTS, SEED_DEFAULTS, SCRIPT_LOCATIONS } from './chunk-NOXYPVMZ.js';
+export { DATABASE_DEFAULTS, SCRIPT_LOCATIONS, SEED_DEFAULTS } from './chunk-NOXYPVMZ.js';
 import { secureSupabase, secureDocker } from './chunk-RZLYEO4U.js';
 import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
 import './chunk-WJXC4MVY.js';
 import { getOutputFormatFromEnv } from './chunk-HKUWEGUX.js';
+import { init_local_supabase, detectLocalSupabasePorts, buildLocalDatabaseUrl } from './chunk-F2AQ3EYJ.js';
 import { getDatabasePackagePath, loadRunaConfig, getSDKScriptsPath } from './chunk-OERS32LW.js';
 import { findRunaConfig, findWorkspaceRoot } from './chunk-GT5DMS5R.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
@@ -1145,7 +1147,8 @@ z.object({
 });
 var SchemaManagedBlockKindSchema = z.enum([
   "file-header",
-  "table-header"
+  "table-header",
+  "generated-file"
 ]);
 var SchemaGuardrailPhaseIdSchema = z.enum([
   "load_sources",
@@ -1166,6 +1169,7 @@ var SchemaGuardrailFailureCodeSchema = z.enum([
   "dynamic_sql_blocked",
   "extension_placement_blocked",
   "stale_generated_header",
+  "function_acl_migration_required",
   "generated_header_validation_failed",
   "generated_header_rewrite_failed",
   "static_graph_build_failed",
@@ -1509,39 +1513,46 @@ function buildGuardrailConflictEntries(report, entries) {
   pushSemanticEvidenceEntries(entries, report);
   pushBoundaryGuidanceEntries(entries, report);
 }
-function buildGuardrailHeaderEntries(report, entries) {
-  if (report.staleBlocks.length > 0) {
-    const byFile = /* @__PURE__ */ new Map();
-    for (const block of report.staleBlocks) {
-      const kinds = byFile.get(block.file) ?? [];
-      kinds.push(block.kind === "file-header" ? "file metadata" : `table: ${block.target}`);
-      byFile.set(block.file, kinds);
-    }
+function describeStaleBlock(block) {
+  return block.kind === "file-header" ? "file metadata" : block.kind === "generated-file" ? "managed file body" : `table: ${block.target}`;
+}
+function pushStaleArtifactEntries(report, entries) {
+  if (report.staleBlocks.length === 0) {
+    return;
+  }
+  const byFile = /* @__PURE__ */ new Map();
+  for (const block of report.staleBlocks) {
+    const kinds = byFile.get(block.file) ?? [];
+    kinds.push(describeStaleBlock(block));
+    byFile.set(block.file, kinds);
+  }
+  entries.push({
+    level: "warn",
+    message: `Generated SQL artifacts are stale (${report.staleBlocks.length} block(s) in ${byFile.size} file(s)):`
+  });
+  for (const [file, kinds] of byFile) {
     entries.push({
-      level: "warn",
-      message: `Generated headers are stale (${report.staleBlocks.length} block(s) in ${byFile.size} file(s)):`
+      level: "info",
+      message: `  ${file}: ${kinds.join(", ")}`
+    });
+  }
+  if (!report.failure) {
+    entries.push({
+      level: "info",
+      message: "Auto-fix: Run `runa db sync` to regenerate managed SQL artifacts automatically."
+    });
+    entries.push({
+      level: "info",
+      message: "Managed SQL artifacts track: FK references, RLS policies, triggers, function ownership, schema dependencies, and function ACL reconciliation."
     });
-    for (const [file, kinds] of byFile) {
-      entries.push({
-        level: "info",
-        message: `  ${file}: ${kinds.join(", ")}`
-      });
-    }
-    if (!report.failure) {
-      entries.push({
-        level: "info",
-        message: "Auto-fix: Run `runa db sync` to regenerate all headers automatically."
-      });
-      entries.push({
-        level: "info",
-        message: "Headers track: FK references, RLS policies, triggers, function ownership, and schema dependencies."
-      });
-    }
   }
+}
+function buildGuardrailHeaderEntries(report, entries) {
+  pushStaleArtifactEntries(report, entries);
   if (report.headersRewritten.length > 0) {
     entries.push({
       level: "info",
-      message: `Generated headers refreshed in ${report.headersRewritten.length} file(s).`
+      message: `Generated SQL artifacts refreshed in ${report.headersRewritten.length} file(s).`
     });
   }
 }
@@ -2797,7 +2808,7 @@ function normalizeAllowlistSignature(value) {
 function normalizeSuppressionPair(value) {
   return value.split("::").map((part) => part.trim().toLowerCase()).filter((part) => part.length > 0).sort((left, right) => left.localeCompare(right)).join("::");
 }
-function normalizeFileList(files) {
+function normalizeFileList2(files) {
   return [...new Set(files)].sort((a, b) => a.localeCompare(b));
 }
 function isSchemaGuardrailTextFallbackAllowed() {
@@ -2859,7 +2870,7 @@ function loadSchemaGuardrailConfig(targetDir) {
         // Fallback: merge schema-ownership.json allowed_duplicates if present
         ...loadAllowedDuplicatesFromSchemaOwnership(targetDir)
       ],
-      generatedHeaderRewriteTargets: normalizeFileList(
+      generatedHeaderRewriteTargets: normalizeFileList2(
         (databaseConfig.schemaGuardrails?.generatedHeaderRewriteTargets ?? []).map(
           (value) => normalizePathForMatch(value)
         )
@@ -2884,7 +2895,7 @@ function loadSchemaGuardrailConfig(targetDir) {
         defaults,
         normalizers: {
           normalizeAllowlistSignature,
-          normalizeFileList,
+          normalizeFileList: normalizeFileList2,
           normalizeFunctionQualifiedName,
           normalizePathForMatch,
           normalizeSuppressionPair
@@ -4196,7 +4207,7 @@ init_esm_shims();
 var riskDetectorLoader = null;
 function loadRiskDetectorModule() {
   if (!riskDetectorLoader) {
-    riskDetectorLoader = import('./risk-detector-GDDLISVE.js').then((module) => ({
+    riskDetectorLoader = import('./risk-detector-4D5HRUMY.js').then((module) => ({
       detectSchemaRisks: module.detectSchemaRisks
     })).catch((error) => {
       riskDetectorLoader = null;
@@ -5441,7 +5452,7 @@ init_esm_shims();
 
 // src/commands/db/sync/schema-guardrail-runtime.ts
 init_esm_shims();
-function stableSorted(values, map) {
+function stableSorted2(values, map) {
   return [...values].sort((a, b) => map(a).localeCompare(map(b)));
 }
 function normalizeFkSet(foreignKeys) {
@@ -5563,8 +5574,8 @@ function reconcileRuntimeGraph(params) {
     });
   }
   return {
-    warnings: stableSorted(warnings, (value) => value.target),
-    contradictions: stableSorted(contradictions, (value) => `${value.code}.${value.target}`)
+    warnings: stableSorted2(warnings, (value) => value.target),
+    contradictions: stableSorted2(contradictions, (value) => `${value.code}.${value.target}`)
   };
 }
 function runSchemaGuardrailRuntime(input) {
@@ -5594,7 +5605,7 @@ function runSchemaGuardrailRuntime(input) {
 
 // src/commands/db/sync/schema-guardrail-local-blockers.ts
 init_esm_shims();
-function stableSorted2(values, keyOf) {
+function stableSorted3(values, keyOf) {
   return [...values].sort((left, right) => keyOf(left).localeCompare(keyOf(right)));
 }
 function createCrossSchemaHelperSuggestion(_filePath) {
@@ -5623,7 +5634,7 @@ function buildRawCrossSchemaRlsBlockers(params) {
       });
     }
   }
-  return stableSorted2(
+  return stableSorted3(
     blockers,
     (value) => `${value.sourceFile}:${value.line ?? 0}:${value.target}`
   );
@@ -5650,7 +5661,7 @@ function buildExtensionPlacementBlockers(params) {
       });
     }
   }
-  return stableSorted2(
+  return stableSorted3(
     blockers,
     (value) => `${value.sourceFile}:${value.line ?? 0}:${value.target}`
   );
@@ -5741,7 +5752,7 @@ function buildDynamicSqlBlockers(params) {
       blockers.push(...stmtBlockers);
     }
   }
-  return stableSorted2(blockers, (value) => `${value.sourceFile}:${value.line ?? 0}:${value.kind}`);
+  return stableSorted3(blockers, (value) => `${value.sourceFile}:${value.line ?? 0}:${value.kind}`);
 }
 function buildLocalBlindSpotBlockers(params) {
   const blockers = [
@@ -5758,7 +5769,7 @@ function buildLocalBlindSpotBlockers(params) {
       requiredFile: detectExtensionFilePath()
     })
   ];
-  return stableSorted2(
+  return stableSorted3(
     blockers,
     (value) => `${value.kind}:${value.sourceFile}:${value.line ?? 0}:${value.target}`
   );
@@ -5766,7 +5777,7 @@ function buildLocalBlindSpotBlockers(params) {
 
 // src/commands/db/sync/schema-guardrail-semantic-warnings.ts
 init_esm_shims();
-function stableSorted3(values, map) {
+function stableSorted4(values, map) {
   return [...values].sort((a, b) => map(a).localeCompare(map(b)));
 }
 function normalizeFkSet2(foreignKeys) {
@@ -5971,50 +5982,7 @@ function buildSemanticDuplicateWarnings(params) {
       suppressionKey: createSuppressionPair(proposed.qualifiedName, primary.qualifiedName)
     });
   }
-  return stableSorted3(warnings, (value) => `${value.proposedTable}.${value.suppressionKey}`);
-}
-
-// src/commands/db/sync/schema-guardrail-graph-types.ts
-init_esm_shims();
-var GENERATOR_VERSION = "1.0.0";
-var SQL_IDENTIFIER_PATTERN = /"(?:[^"]|"")+"|[A-Za-z_][A-Za-z0-9_$]*/g;
-var SQL_EXTENSION_IDENTIFIER_PATTERN = /"(?:[^"]|"")+"|[A-Za-z0-9_-]+/g;
-var QUALIFIED_SQL_OBJECT_RE = /\b([A-Za-z_][A-Za-z0-9_$]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_$]*)\b/g;
-var SECURITY_DEFINER_RE = /\bSECURITY\s+DEFINER\b/i;
-var SEARCH_PATH_LOCK_RE = /\bSET\s+search_path\s*(?:=|TO)\s*''/i;
-var MANAGED_BOUNDARY_SCHEMAS = [
-  "auth",
-  "storage",
-  "extensions",
-  "net",
-  "supabase_functions"
-];
-var TRIGGER_GUIDANCE_SUPPRESSED_FUNCTIONS = /* @__PURE__ */ new Set(["public.handle_updated_at()"]);
-var MAX_SCHEMA_GUIDANCE_TARGETS_PER_FILE = 3;
-function makeGraphVersion(graph) {
-  const canonical = JSON.stringify(graph);
-  const hash = createHash("sha256").update(canonical).digest("hex");
-  return `sha256:${hash}`;
-}
-function currentIsoTimestamp() {
-  return (/* @__PURE__ */ new Date()).toISOString();
-}
-function stableSorted4(values, map) {
-  return [...values].sort((a, b) => map(a).localeCompare(map(b)));
-}
-function normalizeFileList2(files) {
-  return [...new Set(files)].sort((a, b) => a.localeCompare(b));
-}
-function normalizePolicyCommand(input) {
-  switch (input.toLowerCase()) {
-    case "select":
-    case "insert":
-    case "update":
-    case "delete":
-      return input.toLowerCase();
-    default:
-      return "all";
-  }
+  return stableSorted4(warnings, (value) => `${value.proposedTable}.${value.suppressionKey}`);
 }
 
 // src/commands/db/sync/schema-guardrail-graph-nodes.ts
@@ -6060,8 +6028,8 @@ function collectQualifiedObjectRefs(params) {
     schemas.add(schema);
   }
   return {
-    refs: stableSorted4(refs, (value) => value),
-    schemas: stableSorted4(schemas, (value) => value)
+    refs: stableSorted(refs, (value) => value),
+    schemas: stableSorted(schemas, (value) => value)
   };
 }
 function isSearchPathLocked(statement) {
@@ -6099,7 +6067,7 @@ function buildDefinedFunctionMetadataByFile(params) {
     }
     metadataByFile.set(
       file.relativePath,
-      stableSorted4(fileMetadata, (value) => value.qualifiedSignature)
+      stableSorted(fileMetadata, (value) => value.qualifiedSignature)
     );
   }
   return metadataByFile;
@@ -6193,13 +6161,13 @@ async function buildDeclarativeFileRecord(file) {
     file,
     declaredSchemas: [...declaredSchemas].sort((a, b) => a.localeCompare(b)),
     createSchemaClaims: [...createSchemaClaims].sort((a, b) => a.localeCompare(b)),
-    tables: stableSorted4(
+    tables: stableSorted(
       document.tables.map((table) => ({
         schema: table.schema,
         name: table.name,
         qualifiedName: table.qualifiedName,
         lineNumber: table.lineNumber,
-        columns: stableSorted4(table.columns, (value) => value.name).map((value) => value.name),
+        columns: stableSorted(table.columns, (value) => value.name).map((value) => value.name),
         outboundForeignKeys: table.foreignKeys.map((fk) => ({
           column: fk.column,
           referencesTable: fk.referencesTable,
@@ -6210,7 +6178,7 @@ async function buildDeclarativeFileRecord(file) {
       })),
       (value) => value.qualifiedName
     ),
-    policies: stableSorted4(
+    policies: stableSorted(
       document.policies.map((policy) => ({
         name: policy.name,
         targetTable: `${policy.schema}.${policy.table}`,
@@ -6264,10 +6232,10 @@ function collectDeclarativeClaims(records) {
   };
 }
 function createDuplicateTableOwners(tableOwnerClaims) {
-  return stableSorted4(
+  return stableSorted(
     [...tableOwnerClaims.entries()].filter(([, files]) => files.size > 1).map(([qualifiedName, files]) => ({
       qualifiedName,
-      files: normalizeFileList2(files)
+      files: normalizeFileList(files)
     })),
     (value) => value.qualifiedName
   );
@@ -6281,7 +6249,7 @@ function buildFunctionValidationArtifacts(params) {
     ...buildFunctionBodyHashMap(params.declarativeFiles, "declarative"),
     ...buildFunctionBodyHashMap(params.idempotentFiles, "idempotent")
   ]);
-  const duplicateFunctionOwners = stableSorted4(
+  const duplicateFunctionOwners = stableSorted(
     functionAnalysis.findings.filter(
       (finding) => !isAllowlistedDuplicateFunction({
         finding,
@@ -6291,16 +6259,16 @@ function buildFunctionValidationArtifacts(params) {
     ).map((finding) => ({
       qualifiedName: finding.qualifiedName,
       signature: finding.signature,
-      declarativeFiles: normalizeFileList2(
+      declarativeFiles: normalizeFileList(
         finding.declarativeDefinitions.map((value) => value.file)
       ),
-      idempotentFiles: normalizeFileList2(
+      idempotentFiles: normalizeFileList(
         finding.idempotentDefinitions.map((value) => value.file)
       )
     })),
     (value) => `${value.qualifiedName}.${value.signature ?? ""}`
   );
-  const functionClaims = stableSorted4(
+  const functionClaims = stableSorted(
     [
       ...functionAnalysis.definitions.declarative.map((definition) => ({
         qualifiedName: definition.qualifiedName,
@@ -6329,7 +6297,7 @@ function buildFunctionValidationArtifacts(params) {
 function buildOwnerFileByTable(tableOwnerClaims) {
   const ownerFileByTable = /* @__PURE__ */ new Map();
   for (const [qualifiedName, files] of tableOwnerClaims.entries()) {
-    const normalizedFiles = normalizeFileList2(files);
+    const normalizedFiles = normalizeFileList(files);
     if (normalizedFiles[0]) {
       ownerFileByTable.set(qualifiedName, normalizedFiles[0]);
     }
@@ -6349,7 +6317,7 @@ function buildPolicyOwnershipConflicts(params) {
       conflicts.push({
         policyName: policyClaim.name,
         targetTable: policyClaim.targetTable,
-        files: normalizeFileList2([policyClaim.sourceFile]),
+        files: normalizeFileList([policyClaim.sourceFile]),
         tableOwnerFile: ownerFile
       });
     }
@@ -6360,11 +6328,11 @@ function buildPolicyOwnershipConflicts(params) {
     conflicts.push({
       policyName,
       targetTable,
-      files: normalizeFileList2(files),
+      files: normalizeFileList(files),
       tableOwnerFile: params.ownerFileByTable.get(targetTable) ?? ""
     });
   }
-  return stableSorted4(
+  return stableSorted(
     conflicts,
     (value) => `${value.targetTable}.${value.policyName}.${value.files.join(",")}`
   );
@@ -6380,16 +6348,16 @@ function buildTableNodesByName(params) {
         ownerFile: record.file.relativePath,
         lineNumber: table.lineNumber,
         columns: table.columns,
-        outboundForeignKeys: stableSorted4(
+        outboundForeignKeys: stableSorted(
           table.outboundForeignKeys,
           (value) => `${value.referencesTable}.${value.column}`
         ),
         inboundForeignKeys: [],
-        policies: stableSorted4(
+        policies: stableSorted(
           params.tablePolicies.get(table.qualifiedName) ?? [],
           (value) => value.name
         ),
-        triggers: stableSorted4(
+        triggers: stableSorted(
           record.triggersByTable.get(table.qualifiedName) ?? [],
           (value) => value.name
         )
@@ -6413,7 +6381,7 @@ function attachInboundForeignKeys(tableNodesByName) {
     }
   }
   for (const tableNode of tableNodesByName.values()) {
-    tableNode.inboundForeignKeys = stableSorted4(
+    tableNode.inboundForeignKeys = stableSorted(
       tableNode.inboundForeignKeys,
       (value) => `${value.fromTable}.${value.fromColumn}`
     );
@@ -6432,12 +6400,12 @@ function buildFileDependencies(params) {
       fileDependencyMap.set(tableNode.ownerFile, edges);
     }
   }
-  return stableSorted4(
+  return stableSorted(
     [...fileDependencyMap.entries()].flatMap(
       ([fromFile, toMap]) => [...toMap.entries()].map(([toFile, viaTables]) => ({
         fromFile,
         toFile,
-        viaTables: normalizeFileList2(viaTables)
+        viaTables: normalizeFileList(viaTables)
       }))
     ),
     (value) => `${value.fromFile}->${value.toFile}`
@@ -6459,7 +6427,7 @@ function buildFileNodes(params) {
     ["22_observability_cron.sql", "cron-registration"],
     ["25_storage_seed_bucket.sql", "storage-bootstrap"]
   ]);
-  return stableSorted4(
+  return stableSorted(
     [
       ...params.records.map((record) => {
         const definedFunctions = params.definedFunctionMetadataByFile.get(record.file.relativePath) ?? [];
@@ -6469,7 +6437,7 @@ function buildFileNodes(params) {
           schemas: [],
           refs: []
         };
-        const triggerFunctions = stableSorted4(
+        const triggerFunctions = stableSorted(
           new Set(
             [...record.triggersByTable.values()].flat().map((trigger) => normalizeTriggerFunctionToken(trigger.functionName)).filter((value) => value !== null)
           ),
@@ -6482,7 +6450,7 @@ function buildFileNodes(params) {
           domainName: path12.basename(record.file.relativePath, ".sql"),
           declaredSchemas: record.declaredSchemas,
           ownedTables: record.tables.map((table) => table.qualifiedName),
-          forwardDependsOnFiles: stableSorted4(
+          forwardDependsOnFiles: stableSorted(
             params.fileDependencies.filter((edge) => edge.fromFile === record.file.relativePath).map((edge) => edge.toFile),
             (value) => value
           ),
@@ -6490,7 +6458,7 @@ function buildFileNodes(params) {
           securityDefinerFunctions: definedFunctions.filter((value) => value.securityDefiner).map((value) => value.qualifiedSignature),
           securityDefinerContracts: definedFunctions.filter((value) => value.securityDefiner && value.searchPathLocked).map((value) => value.qualifiedSignature),
           triggerFunctions,
-          functionCrossSchemaRefs: stableSorted4(
+          functionCrossSchemaRefs: stableSorted(
             new Set(definedFunctions.flatMap((value) => value.crossSchemaRefs)),
             (value) => value
           ),
@@ -6500,7 +6468,7 @@ function buildFileNodes(params) {
           touchedExtensions: [],
           touchedFunctions: [],
           touchedPolicies: [],
-          policyCrossSchemaRefs: stableSorted4(
+          policyCrossSchemaRefs: stableSorted(
             new Set(
               collectPolicyCrossSchemaReferences({
                 content: record.file.content,
@@ -6537,7 +6505,7 @@ function buildFileNodes(params) {
           securityDefinerFunctions: definedFunctions.filter((value) => value.securityDefiner).map((value) => value.qualifiedSignature),
           securityDefinerContracts: definedFunctions.filter((value) => value.securityDefiner && value.searchPathLocked).map((value) => value.qualifiedSignature),
           triggerFunctions: [],
-          functionCrossSchemaRefs: stableSorted4(
+          functionCrossSchemaRefs: stableSorted(
             new Set(definedFunctions.flatMap((value) => value.crossSchemaRefs)),
             (value) => value
           ),
@@ -6700,7 +6668,7 @@ function extractTouchedSchemas(content) {
       }
     }
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function extractTouchedFunctions(content) {
   const touched = /* @__PURE__ */ new Set();
@@ -6717,7 +6685,7 @@ function extractTouchedFunctions(content) {
       }
     }
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function normalizeExtensionIdentifier(identifier) {
   const trimmed = identifier.trim();
@@ -6740,7 +6708,7 @@ function extractTouchedExtensions(content) {
     }
     touched.add(normalizeExtensionIdentifier(identifier));
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function extractTouchedPolicies(content) {
   const touched = /* @__PURE__ */ new Set();
@@ -6754,7 +6722,7 @@ function extractTouchedPolicies(content) {
     }
     touched.add(`${schemaName}.${tableName}.${policyName}`);
   }
-  return stableSorted4(touched, (value) => value);
+  return stableSorted(touched, (value) => value);
 }
 function extractIdempotentTouchMetadata(file) {
   const sanitizedContent = sanitizeIdempotentTouchScanContent(file.content);
@@ -6772,7 +6740,7 @@ function buildIdempotentTouchMetadata(files) {
 // src/commands/db/sync/schema-guardrail-graph-guidance.ts
 init_esm_shims();
 function summarizeBoundaryTargets(targets) {
-  const sortedTargets = stableSorted4(new Set(targets), (value) => value);
+  const sortedTargets = stableSorted(new Set(targets), (value) => value);
   if (sortedTargets.length <= 2) {
     return sortedTargets.join(", ");
   }
@@ -6925,7 +6893,7 @@ function buildUnlockedSecurityDefinerGuidanceWarnings(params) {
     return [];
   }
   const lockedContracts = new Set(params.fileNode.securityDefinerContracts);
-  const unlockedFunctions = stableSorted4(
+  const unlockedFunctions = stableSorted(
     params.fileNode.securityDefinerFunctions.filter(
       (qualifiedName) => !lockedContracts.has(qualifiedName)
     ),
@@ -6989,7 +6957,7 @@ function buildSecurityDefinerGuidanceWarnings(params) {
   if (!suggestedIdempotentFile || !targets) {
     return [];
   }
-  const touchedSecurityDefiners = stableSorted4(
+  const touchedSecurityDefiners = stableSorted(
     new Set(targets.filter((target) => securityDefinerSet.has(target))),
     (value) => value
   );
@@ -7077,7 +7045,7 @@ function buildBoundaryGuidanceWarnings(params) {
       );
       continue;
     }
-    const touchedSchemas = stableSorted4(new Set(fileNode.touchedSchemas), (value) => value);
+    const touchedSchemas = stableSorted(new Set(fileNode.touchedSchemas), (value) => value);
     if (touchedSchemas.length <= MAX_SCHEMA_GUIDANCE_TARGETS_PER_FILE) {
       for (const schema of touchedSchemas) {
         const ownerFile = schemaOwnerByName.get(schema);
@@ -7114,7 +7082,7 @@ function buildBoundaryGuidanceWarnings(params) {
       reason: "This idempotent file applies policy DDL against a table that is structurally owned in declarative SQL."
     });
   }
-  return stableSorted4(
+  return stableSorted(
     warnings,
     (value) => `${value.sourceFile}.${value.kind}.${value.suggestedDeclarativeFile ?? ""}.${value.suggestedIdempotentFile ?? ""}.${value.target}`
   );
@@ -7190,7 +7158,7 @@ function validateDispatchCoverage(argsByFunction, sources) {
       }
     }
   }
-  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+  return stableSorted(warnings, (w) => `${w.sourceFile}:${w.target}`);
 }
 var CREATE_INDEX_PATTERN = /^\s*CREATE\s+(?:UNIQUE\s+)?(?:INDEX\s+)?(?:CONCURRENTLY\s+)?(?:IF\s+NOT\s+EXISTS\s+)?(?:"([^"]+)"|([A-Za-z_]\w*))\s+ON\b/gim;
 function extractIndexNames(content) {
@@ -7225,7 +7193,7 @@ function buildCrossLayerDuplicateIndexWarnings(sources) {
       }
     }
   }
-  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+  return stableSorted(warnings, (w) => `${w.sourceFile}:${w.target}`);
 }
 
 // src/commands/db/sync/schema-guardrail-graph.ts
@@ -7236,11 +7204,11 @@ function loadSqlSources(targetDir, config) {
   };
 }
 function buildSchemaNodes(params) {
-  return stableSorted4(
+  return stableSorted(
     [...params.schemaClaims.entries()].map(([name, files]) => ({
       name,
-      claimFiles: normalizeFileList2(files),
-      createSchemaFiles: normalizeFileList2(params.createSchemaClaims.get(name) ?? [])
+      claimFiles: normalizeFileList(files),
+      createSchemaFiles: normalizeFileList(params.createSchemaClaims.get(name) ?? [])
     })),
     (value) => value.name
   );
@@ -7253,9 +7221,9 @@ function createSchemaGraphManifest(params) {
     generatorVersion: GENERATOR_VERSION,
     files: params.fileNodes,
     schemas: params.schemaNodes,
-    tables: stableSorted4(params.tableNodesByName.values(), (value) => value.qualifiedName),
+    tables: stableSorted(params.tableNodesByName.values(), (value) => value.qualifiedName),
     functionClaims: params.functionClaims,
-    policyClaims: stableSorted4(
+    policyClaims: stableSorted(
       params.policyClaims,
       (value) => `${value.targetTable}.${value.name}.${value.sourceFile}`
     ),
@@ -7282,7 +7250,12 @@ async function buildStaticGraph(targetDir, config, sources) {
   const records = await Promise.all(
     declarativeFiles.map((file) => buildDeclarativeFileRecord(file))
   );
+  const functionAclManifest = buildFunctionAclManifestFromSqlFiles(declarativeFiles);
   const idempotentTouchMetadata = buildIdempotentTouchMetadata(idempotentFiles);
+  idempotentTouchMetadata.set(
+    FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH,
+    buildFunctionAclIdempotentTouchMetadata(functionAclManifest)
+  );
   const { tableOwnerClaims, schemaClaims, createSchemaClaims, tablePolicies, policyClaims } = collectDeclarativeClaims(records);
   const duplicateTableOwners = createDuplicateTableOwners(tableOwnerClaims);
   const { duplicateFunctionOwners, functionClaims } = buildFunctionValidationArtifacts({
@@ -7344,7 +7317,7 @@ async function buildStaticGraph(targetDir, config, sources) {
     policyClaims,
     fileDependencies
   });
-  const multiFileSchemas = stableSorted4(
+  const multiFileSchemas = stableSorted(
     graph.schemas.filter((schemaNode) => schemaNode.claimFiles.length > 1).map((schemaNode) => ({
       schema: schemaNode.name,
       files: schemaNode.claimFiles
@@ -7376,6 +7349,7 @@ async function buildStaticGraph(targetDir, config, sources) {
   });
   return {
     graph,
+    functionAclManifest,
     duplicateTableOwners,
     duplicateFunctionOwners,
     policyOwnershipConflicts,
@@ -7392,8 +7366,8 @@ var GUARDRAIL_PHASE_LABELS = {
   load_sources: "Load declarative SQL sources",
   build_static_graph: "Build static SQL graph",
   validate_ownership: "Validate ownership",
-  compare_generated_headers: "Compare generated headers",
-  refresh_generated_headers: "Refresh generated headers",
+  compare_generated_headers: "Compare generated SQL artifacts",
+  refresh_generated_headers: "Refresh generated SQL artifacts",
   handoff_db_sync: "Hand off to db sync",
   runtime_reconcile: "Runtime reconcile",
   publish_report: "Publish report"
@@ -7482,7 +7456,7 @@ function createCheckModePhases(report) {
           details: {
             file: block.file,
             target: block.target,
-            repair: "Run `runa db sync` to auto-regenerate headers"
+            repair: "Run `runa db sync` to auto-regenerate managed SQL artifacts"
           }
         }))
       })
@@ -7984,12 +7958,35 @@ function buildHeaderRewritePlans(params) {
 }
 function loadHeaderRewritePlans(params) {
   try {
-    return buildHeaderRewritePlans({
+    const headerPlans = buildHeaderRewritePlans({
       targetDir: params.targetDir,
       graph: params.graph,
       tableHeaderMaxWidth: params.config.tableHeaderMaxWidth,
       generatedHeaderRewriteTargets: params.config.generatedHeaderRewriteTargets
     });
+    const generatedFileResult = buildGeneratedFileRewritePlans({
+      targetDir: params.targetDir,
+      manifest: params.functionAclManifest
+    });
+    if ("failure" in generatedFileResult) {
+      const failureMessage = generatedFileResult.failure ?? "Unknown function ACL migration failure";
+      return {
+        failure: {
+          graph: params.graph,
+          report: setFailure2(
+            params.report,
+            "compare_generated_headers",
+            "function_acl_migration_required",
+            failureMessage
+          )
+        }
+      };
+    }
+    return {
+      staleBlocks: [...headerPlans.staleBlocks, ...generatedFileResult.staleBlocks],
+      rewritePlans: headerPlans.rewritePlans,
+      generatedFileRewritePlans: generatedFileResult.rewritePlans
+    };
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     return {
@@ -8018,7 +8015,7 @@ function finalizeCheckModeReport(params) {
           params.report,
           "compare_generated_headers",
           "stale_generated_header",
-          `Generated headers are stale in ${params.report.staleBlocks.map((value) => `${value.file}:${value.kind}`).join(", ")}`
+          `Generated SQL artifacts are stale in ${params.report.staleBlocks.map((value) => `${value.file}:${value.kind}`).join(", ")}`
         )
       };
     }
@@ -8037,6 +8034,15 @@ function rewriteManagedHeaders(params) {
       writeFileSync(path12.join(params.targetDir, plan.filePath), rewrittenSql, "utf-8");
       params.report.headersRewritten.push(plan.filePath);
     }
+    for (const plan of params.generatedFileRewritePlans) {
+      const absolutePath = path12.join(params.targetDir, plan.filePath);
+      const currentSql = existsSync(absolutePath) ? readFileSync(absolutePath, "utf-8") : "";
+      if (normalizeMultilineText(currentSql) === normalizeMultilineText(plan.expectedSql)) {
+        continue;
+      }
+      writeFileSync(absolutePath, plan.expectedSql, "utf-8");
+      params.report.headersRewritten.push(plan.filePath);
+    }
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     return {
@@ -8054,6 +8060,41 @@ function rewriteManagedHeaders(params) {
   params.report.staleBlocks = [];
   return null;
 }
+function buildGeneratedFileRewritePlans(params) {
+  const absolutePath = path12.join(params.targetDir, FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH);
+  const fileExists = existsSync(absolutePath);
+  const existingSql = fileExists ? readFileSync(absolutePath, "utf-8") : "";
+  if (!fileExists && !functionAclManifestHasEntries(params.manifest)) {
+    return {
+      staleBlocks: [],
+      rewritePlans: []
+    };
+  }
+  if (fileExists) {
+    const migrationGaps = validateFunctionAclMigration(params.manifest, existingSql);
+    if (migrationGaps.length > 0) {
+      return {
+        failure: `Function ACL migration is required before auto-generation can proceed. Add declarative annotations for: ${migrationGaps.join(", ")}`
+      };
+    }
+  }
+  const staleBlocks = !fileExists || isManagedFunctionAclFileContentStale(params.manifest, existingSql) ? [
+    {
+      file: FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH,
+      kind: "generated-file",
+      target: `file:${FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH}`
+    }
+  ] : [];
+  return {
+    staleBlocks,
+    rewritePlans: [
+      {
+        filePath: FUNCTION_ACL_RECONCILIATION_RELATIVE_PATH,
+        expectedSql: renderFunctionAclFile(params.manifest)
+      }
+    ]
+  };
+}
 
 // src/commands/db/sync/schema-guardrail.ts
 function createEmptyReport(mode) {
@@ -8125,7 +8166,7 @@ function validateLocalBlindSpotBlockers(report, graph) {
   if (!primary) {
     return null;
   }
-  const failureCode = primary.kind === "cross-schema-rls" ? "raw_cross_schema_rls_blocked" : primary.kind === "dynamic-sql" ? "dynamic_sql_blocked" : "extension_placement_blocked";
+  const failureCode = primary.kind === "cross-schema-rls" ? "raw_cross_schema_rls_blocked" : primary.kind === "dynamic-sql" || primary.kind === "dynamic-sql-infra" ? "dynamic_sql_blocked" : "extension_placement_blocked";
   return {
     graph,
     report: setFailure3(report, "validate_ownership", failureCode, primary.details)
@@ -8216,6 +8257,7 @@ async function runSchemaGuardrailStatic(input) {
   const headerPlanResult = loadHeaderRewritePlans({
     targetDir: input.targetDir,
     graph: staticGraphResult.graph,
+    functionAclManifest: staticGraphResult.functionAclManifest,
     config,
     report
   });
@@ -8237,6 +8279,7 @@ async function runSchemaGuardrailStatic(input) {
   const rewriteFailure = rewriteManagedHeaders({
     targetDir: input.targetDir,
     rewritePlans: headerPlanResult.rewritePlans,
+    generatedFileRewritePlans: headerPlanResult.generatedFileRewritePlans,
     report
   });
   if (rewriteFailure) {
@@ -8388,6 +8431,37 @@ function tryGetProductionAdminUrl(targetDir) {
   }
   return void 0;
 }
+function validateProductionPlan(planOutput, log) {
+  if (!planOutput.trim() || planOutput.includes("No changes")) {
+    log.info("\u2705 Production schema is up-to-date (no changes needed)");
+    return;
+  }
+  const plan = parsePlanOutput(planOutput);
+  const orderIssues = validateDependencyOrder(plan);
+  if (orderIssues.length > 0) {
+    for (const issue of orderIssues) {
+      logger3.error(issue);
+    }
+    throw new Error(
+      `\u274C Production DDL ordering issue detected (${orderIssues.length} problem(s)):
+` + orderIssues.map((i) => `  \u2022 ${i}`).join("\n") + "\n\nThis plan would fail during production deploy. The automatic reorder will attempt to fix this, but review the ordering."
+    );
+  }
+  log.info("\u2705 Production DDL ordering verified");
+}
+async function resolveTempDbDsnForProductionCheck(targetDir) {
+  const envDsn = process.env.PG_SCHEMA_DIFF_TEMP_DB_DSN?.trim();
+  if (envDsn) return envDsn;
+  try {
+    const { buildLocalDatabaseUrl: buildLocalDatabaseUrl2 } = await import('./local-supabase-KTTC3O2L.js');
+    const { verifyDatabaseConnection } = await import('./helpers-PDT3WQNF.js');
+    const localDsn = buildLocalDatabaseUrl2(targetDir);
+    await verifyDatabaseConnection(localDsn, { maxRetries: 0 });
+    return localDsn;
+  } catch {
+  }
+  return void 0;
+}
 async function runProductionDdlOrderCheck(params) {
   const productionUrl = tryGetProductionAdminUrl(params.targetDir);
   if (productionUrl) {
@@ -8407,30 +8481,16 @@ async function runProductionDdlOrderCheck(params) {
   params.logger.info("\u{1F50D} Checking production DDL ordering...");
   try {
     const { executePgSchemaDiffPlan } = await import('./pg-schema-diff-helpers-JZO4GAQG.js');
+    const tempDbDsn = await resolveTempDbDsnForProductionCheck(params.targetDir);
     const { planOutput } = executePgSchemaDiffPlan(
       productionUrl,
       schemasDir,
       includeSchemas,
       false,
       // not verbose
-      { targetDir: params.targetDir }
+      { targetDir: params.targetDir, tempDbDsn }
     );
-    if (!planOutput.trim() || planOutput.includes("No changes")) {
-      params.logger.info("\u2705 Production schema is up-to-date (no changes needed)");
-      return;
-    }
-    const plan = parsePlanOutput(planOutput);
-    const orderIssues = validateDependencyOrder(plan);
-    if (orderIssues.length > 0) {
-      for (const issue of orderIssues) {
-        logger3.error(issue);
-      }
-      throw new Error(
-        `\u274C Production DDL ordering issue detected (${orderIssues.length} problem(s)):
-` + orderIssues.map((i) => `  \u2022 ${i}`).join("\n") + "\n\nThis plan would fail during production deploy. The automatic reorder will attempt to fix this, but review the ordering."
-      );
-    }
-    params.logger.info("\u2705 Production DDL ordering verified");
+    validateProductionPlan(planOutput, params.logger);
   } catch (error) {
     if (error instanceof Error && error.message.includes("DDL ordering issue")) {
       throw error;