@runa-ai/runa-cli 0.10.3 → 0.10.5

package/dist/chunk-TXXGDJYB.js

@@ -0,0 +1,3636 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { acquireAdvisoryLock, releaseAdvisoryLock, checkPasswordSecurity, setRolePasswords, handleFreshDbCase, detectAppSchemas, tryReuseDbPlanArtifact, cleanPartitionAclsForPgSchemaDiff, parsePlanOutput, bootstrapTempDbFromSource, isNoChangePlanOutput, handleHazardsWithContext, getIdempotentProtectedTables, getIdempotentProtectedObjects, validateDependencyOrder, getTableRowEstimates, verifyDataIntegrity, parseExpectedPartitions, queryActualPartitions, detectPartitionDrift, formatPartitionWarnings, detectPlannerSchemas, buildTargetFingerprint, normalizeDatabaseUrlForDdl, DbApplyOutputSchema, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, prefilterPartitionStubs, needsShadowDb, cleanupOrphanShadowDatabases, createShadowDbWithExtensions, createPlanAnalysisSession, analyzePlanStatement, checkDataCompatibility, displayDataCompatibilityResults, filterCheckModePlanStatements, buildCheckModePlanSummary, displayCheckModeResults, backupIdempotentTables, buildAllowedHazards, executePlanSqlWithRetry, persistDbPlanArtifact, stripLeadingSetStatements, calculateBackoffDelay, sleep, getTransactionStrategy, wrapInTransaction, isLockTimeoutError, maskDbCredentials, normalizeFunctionDefinitionAst, DbPreviewProfileSchema } from './chunk-WHVJ4JMQ.js';
+import { resolveDatabaseUrl, resolveDatabaseTarget } from './chunk-ZDETCPCE.js';
+import { verifyPgSchemaDiffBinary, verifyDatabaseConnection, freeConnectionSlotsForPgSchemaDiff, executePgSchemaDiffPlan, detectDropTableStatements, analyzeDeclarativeDependencyContract, DB_APPLY_CHECK_MODE_CONTRACT_NOTE, formatDeclarativeDependencyViolation, summarizeDeclarativeDependencyWarnings, MAX_DETAILED_DECLARATIVE_WARNINGS, formatDeclarativeDependencyWarning } from './chunk-HWR5NUUZ.js';
+import { generateTablesManifest } from './chunk-O3M7A73M.js';
+import { psqlSyncQuery, psqlSyncFile } from './chunk-A6A7JIRD.js';
+import { loadEnvFiles } from './chunk-IWVXI5O4.js';
+import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
+import { init_local_supabase, buildLocalDatabaseUrl } from './chunk-F2AQ3EYJ.js';
+import { loadRunaConfig } from './chunk-OERS32LW.js';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { createCLILogger, CLIError, buildCommandOutcomeSummary, deriveCommandExitMode, isTimeoutLikeMessage, formatDuration } from '@runa-ai/runa';
+import { Command } from 'commander';
+import { fromPromise, setup, assign, createActor } from 'xstate';
+import { existsSync, readdirSync, mkdtempSync, readFileSync, writeFileSync, rmSync, unlinkSync } from 'fs';
+import { randomUUID } from 'crypto';
+import { tmpdir } from 'os';
+import path2, { join } from 'path';
+import { z } from 'zod';
+
+createRequire(import.meta.url);
+
+// src/commands/db/commands/db-apply.ts
+init_esm_shims();
+
+// src/commands/db/apply/index.ts
+init_esm_shims();
+
+// src/commands/db/apply/actors.ts
+init_esm_shims();
+
+// src/commands/db/apply/actors/lock-actors.ts
+init_esm_shims();
+
+// src/commands/db/apply/actors/shared.ts
+init_esm_shims();
+var logger = createCLILogger("db:apply");
+function isLocalHostname(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "host.docker.internal";
+}
+function getDbUrl(input) {
+  if (input.databaseUrl) {
+    try {
+      const parsed = new URL(input.databaseUrl);
+      const isLocal = isLocalHostname(parsed.hostname);
+      if (input.env === "local" && !isLocal) {
+        throw new Error(
+          `--env local but --databaseUrl points to remote host (${parsed.hostname}). Use --env preview or --env production for remote databases.`
+        );
+      }
+      if (input.env === "production" && isLocal) {
+        throw new Error(
+          "--env production but --databaseUrl points to localhost. Use --env local for local Supabase operations."
+        );
+      }
+    } catch (error) {
+      if (error instanceof Error && error.message.includes("--env")) throw error;
+    }
+    return normalizeDatabaseUrlForDdl(input.databaseUrl);
+  }
+  const resolvedUrl = resolveDatabaseUrl(input.env);
+  return normalizeDatabaseUrlForDdl(resolvedUrl);
+}
+
+// src/commands/db/apply/actors/lock-actors.ts
+var acquireLock = fromPromise(
+  async ({ input: { input } }) => {
+    const dbUrl = getDbUrl(input);
+    const acquired = await acquireAdvisoryLock(dbUrl, input.verbose);
+    if (!acquired) {
+      throw new Error(
+        "Could not acquire migration lock. Another migration may be running. Wait for it to complete or manually release the lock."
+      );
+    }
+    return { acquired };
+  }
+);
+var releaseLock = fromPromise(
+  async ({ input: { input } }) => {
+    const dbUrl = getDbUrl(input);
+    releaseAdvisoryLock(dbUrl, input.verbose);
+  }
+);
+
+// src/commands/db/apply/actors/idempotent-actors.ts
+init_esm_shims();
+var DEFERRABLE_ERROR_PATTERNS = [
+  /relation ".*" does not exist/i,
+  /schema ".*" does not exist/i,
+  /type ".*" does not exist/i,
+  /function ".*" does not exist/i,
+  /table ".*" does not exist/i,
+  /column ".*" does not exist/i,
+  /view ".*" does not exist/i,
+  /sequence ".*" does not exist/i,
+  /index ".*" does not exist/i,
+  /trigger ".*" does not exist/i,
+  /role ".*" does not exist/i,
+  /extension ".*" does not exist/i,
+  /operator(?:\s+(?:class|family))?\s+".*" does not exist/i
+];
+var NON_DEFERRABLE_ERROR_PATTERNS = [
+  /syntax error/i,
+  /unterminated/i,
+  /permission denied/i,
+  /must be owner/i,
+  /access denied/i,
+  /invalid input syntax/i
+];
+function isDeferrableError(stderr) {
+  if (NON_DEFERRABLE_ERROR_PATTERNS.some((p) => p.test(stderr))) {
+    return false;
+  }
+  if (DEFERRABLE_ERROR_PATTERNS.some((p) => p.test(stderr))) {
+    return true;
+  }
+  return false;
+}
+var IDEMPOTENT_MAX_RETRIES = 3;
+var IDEMPOTENT_MAX_DELAY_MS = 1e4;
+function emptyRiskSummary() {
+  return { high: 0, low: 0, medium: 0 };
+}
+function collectSortedSqlFiles(dir) {
+  return readdirSync(dir).filter((file) => file.endsWith(".sql")).sort();
+}
+function writeVerboseSqlOutput(result, verbose) {
+  if (!verbose) return;
+  if (result.stdout) process.stdout.write(result.stdout);
+  if (result.stderr) process.stderr.write(result.stderr);
+}
+async function waitBeforeIdempotentRetry(file, attempt, maxAttempts) {
+  if (attempt <= 0) return;
+  const delay = calculateBackoffDelay(attempt - 1, IDEMPOTENT_MAX_DELAY_MS);
+  logger.info(`  Retry ${attempt}/${maxAttempts - 1} for ${file} after ${Math.round(delay)}ms...`);
+  await sleep(delay);
+}
+function throwPrePassFailure(file, stderr) {
+  const errorMsg = stderr ? maskDbCredentials(stderr) : "";
+  throw new Error(
+    `Failed to apply idempotent schema (1st pass): ${file}
+This is NOT a dependency error (would be deferred). Fix the script before retrying.
+${errorMsg}`
+  );
+}
+function throwPostPassFailure(file, stderr) {
+  const errorMsg = stderr ? maskDbCredentials(stderr) : "";
+  throw new Error(`Failed to apply idempotent schema: ${file}
+${errorMsg}`);
+}
+function handlePrePassFailure(file, stderr) {
+  if (isDeferrableError(stderr)) {
+    logger.info(`  \u21A9 Deferred ${file} \u2192 will retry in 2nd pass`);
+    return false;
+  }
+  throwPrePassFailure(file, stderr);
+}
+function shouldRetryPostPass(file, stderr, attempt, maxAttempts) {
+  if (!isLockTimeoutError(stderr) || attempt >= maxAttempts - 1) {
+    return false;
+  }
+  logger.warn(`  Lock timeout on ${file} (attempt ${attempt + 1}/${maxAttempts})`);
+  return true;
+}
+function logApplySummary(pass, filesApplied, filesSkipped, filesLength) {
+  if (pass === "post") {
+    logger.success(
+      `2nd pass: Applied ${filesApplied} idempotent schema(s) \u2014 all deferred scripts resolved`
+    );
+    return;
+  }
+  if (filesSkipped > 0) {
+    logger.success(
+      `Applied ${filesApplied}/${filesApplied + filesSkipped} idempotent schema(s) (${filesSkipped} deferred to 2nd pass)`
+    );
+    if (filesSkipped === filesLength) {
+      logger.warn("ALL idempotent files skipped in 1st pass.");
+      logger.warn("This may indicate a syntax error. Check logs with --verbose.");
+    }
+    return;
+  }
+  logger.success(`Applied ${filesApplied} idempotent schema(s)`);
+}
+async function applyIdempotentFiles(dbUrl, schemasDir, files, verbose, pass) {
+  let filesApplied = 0;
+  let filesSkipped = 0;
+  for (const file of files) {
+    const applied = await applySingleIdempotentFile(dbUrl, schemasDir, file, verbose, pass);
+    if (applied) {
+      filesApplied += 1;
+    } else {
+      filesSkipped += 1;
+    }
+  }
+  return { filesApplied, filesSkipped };
+}
+function incrementRiskSummary(summary, level) {
+  if (level === "high") {
+    summary.high += 1;
+    return;
+  }
+  if (level === "medium") {
+    summary.medium += 1;
+    return;
+  }
+  summary.low += 1;
+}
+function logIdempotentRiskSummary(summary) {
+  if (summary.high > 0 || summary.medium > 0) {
+    logger.warn(
+      `Idempotent risk summary: ${summary.high} HIGH, ${summary.medium} MEDIUM, ${summary.low} LOW`
+    );
+    return;
+  }
+  logger.success(`Idempotent risk scan: no HIGH/MEDIUM risks detected`);
+}
+async function detectIdempotentRiskSummary(schemasDir, files, verbose) {
+  const summary = emptyRiskSummary();
+  try {
+    const { detectSchemaRisks } = await import('./risk-detector-4D5HRUMY.js');
+    for (const file of files) {
+      const filePath = join(schemasDir, file);
+      const risks = await detectSchemaRisks(filePath);
+      for (const risk of risks) {
+        incrementRiskSummary(summary, risk.level);
+      }
+    }
+    logIdempotentRiskSummary(summary);
+  } catch {
+    if (verbose) {
+      logger.debug("Could not load risk detector for idempotent preview");
+    }
+  }
+  return summary;
+}
+function executeSqlFileWithTransactionStrategy(dbUrl, filePath, verbose) {
+  const strategy = getTransactionStrategy(filePath);
+  if (strategy === "skip") {
+    if (verbose) logger.debug(`  Transaction: skip (incompatible statements detected)`);
+    const result = psqlSyncFile({ databaseUrl: dbUrl, filePath, onErrorStop: true });
+    return result;
+  }
+  const content = readFileSync(filePath, "utf-8");
+  const wrapped = wrapInTransaction(content);
+  const tempFile = join(tmpdir(), `runa-idempotent-${randomUUID()}.sql`);
+  writeFileSync(tempFile, wrapped, "utf-8");
+  try {
+    if (verbose) logger.debug(`  Transaction: wrap (BEGIN/COMMIT)`);
+    return psqlSyncFile({ databaseUrl: dbUrl, filePath: tempFile, onErrorStop: true });
+  } finally {
+    try {
+      unlinkSync(tempFile);
+    } catch {
+    }
+  }
+}
+async function applySingleIdempotentFile(dbUrl, schemasDir, file, verbose, pass) {
+  const filePath = join(schemasDir, file);
+  if (verbose) logger.debug(`Applying ${file}...`);
+  const maxAttempts = pass === "post" ? IDEMPOTENT_MAX_RETRIES : 1;
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    await waitBeforeIdempotentRetry(file, attempt, maxAttempts);
+    const result = executeSqlFileWithTransactionStrategy(dbUrl, filePath, verbose);
+    writeVerboseSqlOutput(result, verbose);
+    if (result.status === 0) {
+      return true;
+    }
+    const stderr = result.stderr?.trim() ?? "";
+    if (pass === "pre") {
+      return handlePrePassFailure(file, stderr);
+    }
+    if (shouldRetryPostPass(file, stderr, attempt, maxAttempts)) {
+      continue;
+    }
+    throwPostPassFailure(file, stderr);
+  }
+  return false;
+}
+var applyIdempotentSchemas = fromPromise(async ({ input: { input, targetDir, pass } }) => {
+  if (pass === "pre") checkPasswordSecurity();
+  const schemasDir = join(targetDir, "supabase/schemas/idempotent");
+  const dbUrl = getDbUrl(input);
+  let filesApplied = 0;
+  let filesSkipped = 0;
+  if (!existsSync(schemasDir)) {
+    logger.info("No idempotent schemas found");
+  } else {
+    const files = collectSortedSqlFiles(schemasDir);
+    if (files.length > 0) {
+      const result = await applyIdempotentFiles(dbUrl, schemasDir, files, input.verbose, pass);
+      filesApplied = result.filesApplied;
+      filesSkipped = result.filesSkipped;
+      logApplySummary(pass, filesApplied, filesSkipped, files.length);
+    }
+  }
+  const rolePasswordsSet = setRolePasswords(dbUrl, input.verbose);
+  return { filesApplied, filesSkipped, rolePasswordsSet };
+});
+var previewIdempotentSchemas = fromPromise(async ({ input: { input, targetDir } }) => {
+  const schemasDir = join(targetDir, "supabase/schemas/idempotent");
+  if (!existsSync(schemasDir)) {
+    return { files: [], riskSummary: emptyRiskSummary() };
+  }
+  const files = collectSortedSqlFiles(schemasDir);
+  if (files.length === 0) {
+    return { files: [], riskSummary: emptyRiskSummary() };
+  }
+  logger.info(`Idempotent schemas (${files.length} file(s)):`);
+  for (const file of files) {
+    logger.info(`  ${file}`);
+  }
+  const riskSummary = await detectIdempotentRiskSummary(schemasDir, files, input.verbose);
+  return { files, riskSummary };
+});
+
+// src/commands/db/apply/actors/pg-schema-diff-actors.ts
+init_esm_shims();
+
+// src/commands/db/utils/plan-size-guard.ts
+init_esm_shims();
+var PLAN_SIZE_WARNING_THRESHOLD = {
+  effectiveStatements: 200,
+  rawStatements: 500
+};
+var PLAN_SIZE_BLOCKER_THRESHOLD = {
+  effectiveStatements: 500,
+  rawStatements: 1e3
+};
+function buildThresholdReasons(summary, threshold) {
+  const reasons = [];
+  if (summary.effectiveStatements >= threshold.effectiveStatements) {
+    reasons.push(
+      `effective structural statements ${summary.effectiveStatements} >= ${threshold.effectiveStatements}`
+    );
+  }
+  if (summary.rawStatements >= threshold.rawStatements) {
+    reasons.push(`raw statements ${summary.rawStatements} >= ${threshold.rawStatements}`);
+  }
+  return reasons;
+}
+function assessPlanSize(summary) {
+  if (!summary) {
+    return { severity: "ok", reasons: [] };
+  }
+  const blockerReasons = buildThresholdReasons(summary, PLAN_SIZE_BLOCKER_THRESHOLD);
+  if (blockerReasons.length > 0) {
+    return { severity: "blocker", reasons: blockerReasons };
+  }
+  const warningReasons = buildThresholdReasons(summary, PLAN_SIZE_WARNING_THRESHOLD);
+  if (warningReasons.length > 0) {
+    return { severity: "warning", reasons: warningReasons };
+  }
+  return { severity: "ok", reasons: [] };
+}
+function formatPlanSizeSummary(summary) {
+  return `${summary.rawStatements} raw statement(s), ${summary.effectiveStatements} structural, ${summary.noiseStatements} collapsed noise`;
+}
+
+// src/commands/db/apply/actors/pg-schema-diff-actors.ts
+init_local_supabase();
+
+// src/commands/db/utils/declarative-dependency-warning-governance.ts
+init_esm_shims();
+
+// src/commands/db/utils/boundary-policy.ts
+init_esm_shims();
+
+// src/commands/db/utils/boundary-policy/types.ts
+init_esm_shims();
+var BOUNDARY_POLICY_FILENAME = ".boundary-policy.json";
+var DEFAULT_POLICY_VERSION = "1.0";
+var SAFE_REGEXP = /a^/;
+var POLICY_VERSION_PATTERN = /^[0-9]+\.[0-9]+(\.[0-9]+)?$/;
+var OBJECT_NAME_PATTERN = /^[A-Z][A-Z0-9_]*$/;
+var DATE_ISO_PATTERN = /^\d{4}-\d{2}-\d{2}$/;
+var FALLBACK_DECLARATIVE_OBJECTS = /* @__PURE__ */ new Set([
+  "SCHEMA",
+  "COLUMN",
+  "CONSTRAINT",
+  "TABLE",
+  "INDEX",
+  "MATERIALIZED_VIEW",
+  "VIEW",
+  "FUNCTION",
+  "PROCEDURE",
+  "AGGREGATE",
+  "TRIGGER",
+  "POLICY",
+  "RULE",
+  "TYPE",
+  "SEQUENCE",
+  "DOMAIN",
+  "STATISTICS",
+  "CAST",
+  "LANGUAGE",
+  "ACCESS_METHOD",
+  "COLLATION",
+  "CONVERSION",
+  "OPERATOR",
+  "OPERATOR_CLASS",
+  "OPERATOR_FAMILY",
+  "TEXT_SEARCH",
+  "TEXT_SEARCH_CONFIGURATION",
+  "TEXT_SEARCH_DICTIONARY",
+  "TEXT_SEARCH_PARSER",
+  "TEXT_SEARCH_TEMPLATE"
+]);
+var FALLBACK_IDEMPOTENT_OBJECTS = /* @__PURE__ */ new Set([
+  "EXTENSION",
+  "ROLE",
+  "USER",
+  "PUBLICATION",
+  "SUBSCRIPTION",
+  "DEFAULT_PRIVILEGES",
+  "FOREIGN_TABLE",
+  "FOREIGN_DATA_WRAPPER",
+  "USER_MAPPING",
+  "SERVER",
+  "DATABASE",
+  "TABLESPACE",
+  "EVENT_TRIGGER"
+]);
+var FALLBACK_DECLARATIVE_RISK_ALLOWLIST = [
+  {
+    id: "declarative:public-auth-wrapper",
+    filePattern: /supabase\/schemas\/declarative\/00_public\.sql$/,
+    descriptionPattern: /Direct auth\.(?:jwt|uid)\(\) usage violates/,
+    level: "high",
+    owner: "platform-platform",
+    ticket: "DB-PLATFORM-001",
+    reason: "Wrapper function intentionally keeps backward-compatibility path.",
+    active: true
+  }
+];
+var FALLBACK_DIRECTORY_PLACEMENT_ALLOWLIST = [
+  {
+    id: "placement:rbac-idempotent-bootstrap",
+    filePattern: /supabase\/schemas\/idempotent\/15_rbac_roles\.sql$/,
+    messagePattern: /Grant\/REVOKE statements are usually idempotent\/bootstrap ACL setup and should be treated as such \(idempotent exception needed if kept\)/,
+    lineStart: 110,
+    lineEnd: 169,
+    level: "medium",
+    owner: "platform-sre",
+    ticket: "DB-SEC-002",
+    reason: "RBAC bootstrap is intentional idempotent initialization logic.",
+    active: true
+  },
+  {
+    id: "placement:security-hardening-privileges",
+    filePattern: /supabase\/schemas\/idempotent\/20_security_hardening\.sql$/,
+    messagePattern: /Grant\/REVOKE statements are usually idempotent\/bootstrap ACL setup and should be treated as such \(idempotent exception needed if kept\)/,
+    lineStart: 35,
+    lineEnd: 135,
+    level: "medium",
+    owner: "platform-sre",
+    ticket: "DB-SEC-003",
+    reason: "Security hardening privilege adjustments are intentionally managed in idempotent SQL.",
+    active: true
+  },
+  {
+    id: "placement:extensions-management",
+    filePattern: /supabase\/schemas\/idempotent\/00_extensions\.sql$/,
+    messagePattern: /ALTER EXTENSION should usually be explicit and rare; review migration intent/,
+    lineStart: 39,
+    lineEnd: 111,
+    level: "high",
+    owner: "platform-db",
+    ticket: "DB-OPS-004",
+    reason: "Extensions lifecycle is intentionally centralized in idempotent SQL.",
+    active: true
+  }
+];
+var FALLBACK_DECLARATIVE_CLOSURE_WARNING_ALLOWLIST = [];
+function isObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isStringArray(value) {
+  return Array.isArray(value) && value.every((entry) => typeof entry === "string");
+}
+function isPastDate(value, today) {
+  return value < today;
+}
+function isAllowlistRuleUsable(rule) {
+  if (!rule.active) return false;
+  if (rule.expiresAt && isPastDate(rule.expiresAt, (/* @__PURE__ */ new Date()).toISOString().slice(0, 10))) {
+    return false;
+  }
+  return true;
+}
+function formatBoundaryPolicyIssue(filePath, issue) {
+  const level = issue.severity === "error" ? "ERROR" : "WARN";
+  return `[boundary-policy] [${level}] ${filePath}: ${issue.field} -> ${issue.message}`;
+}
+function formatAllowlistMetadata(rule) {
+  const entries = [];
+  if (rule.owner) entries.push(`owner=${rule.owner}`);
+  if (rule.ticket) entries.push(`ticket=${rule.ticket}`);
+  if (rule.expiresAt) entries.push(`expiresAt=${rule.expiresAt}`);
+  if (rule.active === false) entries.push("active=false");
+  return entries.join(", ");
+}
+
+// src/commands/db/utils/boundary-policy/validation.ts
+init_esm_shims();
+function reportUnexpectedTopLevelKeys(raw, issues) {
+  const allowedTopLevelKeys = /* @__PURE__ */ new Set([
+    "version",
+    "description",
+    "strictByDefault",
+    "declarativePreferredObjects",
+    "idempotentPreferredObjects",
+    "declarativeRiskAllowlist",
+    "directoryPlacementAllowlist",
+    "declarativeClosureWarningAllowlist"
+  ]);
+  for (const key of Object.keys(raw)) {
+    if (allowedTopLevelKeys.has(key)) continue;
+    issues.push({
+      field: key,
+      message: `Unexpected top-level key "${key}".`,
+      severity: "error"
+    });
+  }
+}
+function validateVersion(raw, issues) {
+  if (raw.version === void 0) {
+    issues.push({
+      field: "version",
+      message: "version is required.",
+      severity: "error"
+    });
+    return;
+  }
+  if (typeof raw.version !== "string" || raw.version.trim().length === 0) {
+    issues.push({
+      field: "version",
+      message: "version must be a non-empty string.",
+      severity: "error"
+    });
+    return;
+  }
+  if (!POLICY_VERSION_PATTERN.test(raw.version.trim())) {
+    issues.push({
+      field: "version",
+      message: `version must match ${POLICY_VERSION_PATTERN.source}.`,
+      severity: "error"
+    });
+  }
+}
+function validateStrictByDefault(raw, issues) {
+  if (raw.strictByDefault !== void 0 && typeof raw.strictByDefault !== "boolean") {
+    issues.push({
+      field: "strictByDefault",
+      message: "strictByDefault must be boolean.",
+      severity: "error"
+    });
+  }
+}
+function validateDescription(raw, issues) {
+  if (raw.description !== void 0 && (typeof raw.description !== "string" || raw.description.trim().length === 0)) {
+    issues.push({
+      field: "description",
+      message: "description must be a non-empty string.",
+      severity: "error"
+    });
+  }
+}
+function validateStringArrayField(raw, field, issues) {
+  if (raw[field] !== void 0 && !isStringArray(raw[field])) {
+    issues.push({
+      field,
+      message: `${field} must be an array of strings.`,
+      severity: "error"
+    });
+  }
+}
+function validateArrayField(raw, field, issues) {
+  if (raw[field] !== void 0 && !Array.isArray(raw[field])) {
+    issues.push({
+      field,
+      message: `${field} must be an array.`,
+      severity: "error"
+    });
+  }
+}
+function validateBoundaryPolicy(raw) {
+  const issues = [];
+  if (!isObject(raw)) {
+    issues.push({ field: "root", message: "Policy root must be an object.", severity: "error" });
+    return issues;
+  }
+  reportUnexpectedTopLevelKeys(raw, issues);
+  validateVersion(raw, issues);
+  validateStrictByDefault(raw, issues);
+  validateDescription(raw, issues);
+  validateStringArrayField(raw, "declarativePreferredObjects", issues);
+  validateStringArrayField(raw, "idempotentPreferredObjects", issues);
+  validateArrayField(raw, "declarativeRiskAllowlist", issues);
+  validateArrayField(raw, "directoryPlacementAllowlist", issues);
+  validateArrayField(raw, "declarativeClosureWarningAllowlist", issues);
+  return issues;
+}
+function coercePolicyStringList(value, field, issueFormatter) {
+  if (!Array.isArray(value)) return /* @__PURE__ */ new Set();
+  const values = /* @__PURE__ */ new Set();
+  const seenRaw = /* @__PURE__ */ new Set();
+  for (const entry of value) {
+    if (typeof entry !== "string") {
+      issueFormatter(field, `Non-string value "${String(entry)}" in policy object list.`, "error");
+      continue;
+    }
+    const normalized = entry.trim().toUpperCase();
+    if (normalized.length === 0) {
+      issueFormatter(field, "Object name entry cannot be empty.", "error");
+      continue;
+    }
+    if (!OBJECT_NAME_PATTERN.test(normalized)) {
+      issueFormatter(
+        field,
+        `Object name "${normalized}" does not match expected pattern ${OBJECT_NAME_PATTERN.source}.`,
+        "warning"
+      );
+    }
+    if (seenRaw.has(normalized)) {
+      issueFormatter(
+        field,
+        `Duplicate object name "${normalized}" is accepted but de-duplicated.`,
+        "warning"
+      );
+    } else {
+      seenRaw.add(normalized);
+      values.add(normalized);
+    }
+  }
+  return values;
+}
+function coerceRiskLevel(level) {
+  if (level === "high" || level === "medium" || level === "low") return level;
+  return void 0;
+}
+function compileRegExp(pattern, issueFormatter) {
+  try {
+    return new RegExp(pattern);
+  } catch {
+    issueFormatter("compileRegExp", `Invalid regex pattern "${pattern}".`, "error");
+    return SAFE_REGEXP;
+  }
+}
+function coerceRuleId(raw, index, field, issueFormatter) {
+  if (typeof raw !== "string") {
+    issueFormatter(field, `Rule #${index} requires id string.`, "error");
+    return null;
+  }
+  const value = raw.trim();
+  if (value.length === 0) {
+    issueFormatter(field, `Rule #${index} id cannot be empty.`, "error");
+    return null;
+  }
+  return value;
+}
+function coerceRulePattern(raw, index, field, issueFormatter) {
+  if (typeof raw !== "string") {
+    issueFormatter(field, `Rule #${index} pattern must be string.`, "error");
+    return null;
+  }
+  const value = raw.trim();
+  if (value.length === 0) {
+    issueFormatter(field, `Rule #${index} pattern cannot be empty.`, "error");
+    return null;
+  }
+  return value;
+}
+function coerceOptionalString(raw, index, field, issueFormatter) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "string") {
+    issueFormatter(field, `Rule #${index} ${field} must be string if provided.`, "warning");
+    return void 0;
+  }
+  const value = raw.trim();
+  return value.length > 0 ? value : void 0;
+}
+function coerceOptionalPositiveInteger(raw, index, field, issueFormatter) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "number" || !Number.isFinite(raw) || !Number.isInteger(raw)) {
+    issueFormatter(field, `Rule #${index} ${field} must be integer if provided.`, "warning");
+    return void 0;
+  }
+  if (raw <= 0) {
+    issueFormatter(field, `Rule #${index} ${field} must be a positive integer.`, "warning");
+    return void 0;
+  }
+  return raw;
+}
+function coerceBoolean(raw, index, field, issueFormatter) {
+  if (raw === void 0) {
+    issueFormatter(field, `Rule #${index} should explicitly set active (true/false).`, "warning");
+    return true;
+  }
+  if (typeof raw !== "boolean") {
+    issueFormatter(field, `Rule #${index} active must be boolean.`, "warning");
+    return true;
+  }
+  return raw;
+}
+function coerceExpiresAt(raw, ruleId, index, field, issueFormatter) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "string") {
+    issueFormatter(field, `Rule #${index} expiresAt must be YYYY-MM-DD string.`, "warning");
+    return void 0;
+  }
+  const value = raw.trim();
+  if (!DATE_ISO_PATTERN.test(value)) {
+    issueFormatter(
+      field,
+      `Rule "${ruleId}" has invalid expiresAt "${value}" (expected YYYY-MM-DD).`,
+      "warning"
+    );
+    return void 0;
+  }
+  const parsed = (/* @__PURE__ */ new Date(`${value}T00:00:00.000Z`)).getTime();
+  if (Number.isNaN(parsed)) {
+    issueFormatter(field, `Rule "${ruleId}" has unparseable expiresAt "${value}".`, "warning");
+    return void 0;
+  }
+  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  if (isPastDate(value, today)) {
+    issueFormatter(
+      field,
+      `Rule "${ruleId}" expired on ${value} (today: ${today}). Add a valid owner-justified extension.`,
+      "error"
+    );
+    return value;
+  }
+  return value;
+}
+function mapPolicyVersion(rawVersion) {
+  if (typeof rawVersion === "string" && POLICY_VERSION_PATTERN.test(rawVersion.trim())) {
+    return rawVersion.trim();
+  }
+  return "1.0";
+}
+function appendValidationIssue(issues, field, message, severity, policyFile, output) {
+  const issue = { field, message, severity };
+  issues.push(issue);
+  output.push(formatBoundaryPolicyIssue(policyFile, issue));
+}
+
+// src/commands/db/utils/boundary-policy/rule-compiler.ts
+init_esm_shims();
+function toScopedLineRange(lineStart, lineEnd, id, section, issueFormatter) {
+  if (lineStart === void 0 || lineEnd === void 0) {
+    issueFormatter(
+      section,
+      `Rule "${id}" has incomplete line scope; set both lineStart and lineEnd.`,
+      "error"
+    );
+    return void 0;
+  }
+  if (lineStart > lineEnd) {
+    issueFormatter(
+      section,
+      `Rule "${id}" has inverted line scope: lineStart (${lineStart}) > lineEnd (${lineEnd}).`,
+      "error"
+    );
+    return void 0;
+  }
+  return { lineStart, lineEnd };
+}
+var INVALID_RULE_LEVEL = /* @__PURE__ */ Symbol("invalid-rule-level");
+function asRawRule(entry, index, section, issueFormatter) {
+  if (typeof entry === "object" && entry !== null) {
+    return entry;
+  }
+  issueFormatter(section, `Entry #${index} must be an object.`, "error");
+  return null;
+}
+function claimUniqueRuleId(section, id, seenIds, issueFormatter) {
+  if (seenIds.has(id)) {
+    issueFormatter(section, `Duplicate rule id "${id}" ignored.`, "warning");
+    return false;
+  }
+  seenIds.add(id);
+  return true;
+}
+function readReason(section, id, rawReason, issueFormatter) {
+  const reason = typeof rawReason === "string" ? rawReason.trim() : "";
+  if (reason.length > 0) {
+    return reason;
+  }
+  issueFormatter(section, `Rule "${id}" requires reason for traceability.`, "error");
+  return null;
+}
+function warnMissingTraceability(section, id, owner, ticket, issueFormatter) {
+  if (!owner) {
+    issueFormatter(section, `Rule "${id}" should include owner for traceability.`, "warning");
+  }
+  if (!ticket) {
+    issueFormatter(section, `Rule "${id}" should include ticket for traceability.`, "warning");
+  }
+}
+function isRuleUsable(section, id, active, expiresAt, issueFormatter) {
+  if (isAllowlistRuleUsable({ active, expiresAt })) {
+    return true;
+  }
+  if (!active) {
+    issueFormatter(
+      section,
+      `Rule "${id}" is marked active=false and is ignored until re-enabled.`,
+      "warning"
+    );
+  }
+  return false;
+}
+function parseRuleLevel(section, id, rawLevel, issueFormatter) {
+  const level = coerceRiskLevel(rawLevel);
+  if (rawLevel === void 0 || level !== void 0) {
+    return level;
+  }
+  issueFormatter(section, `Rule "${id}" has unsupported level "${String(rawLevel)}".`, "error");
+  return INVALID_RULE_LEVEL;
+}
+function compileRulePatterns(firstPattern, secondPattern, issueFormatter) {
+  const firstRegex = compileRegExp(firstPattern, issueFormatter);
+  const secondRegex = compileRegExp(secondPattern, issueFormatter);
+  if (firstRegex === SAFE_REGEXP || secondRegex === SAFE_REGEXP) {
+    return null;
+  }
+  return [firstRegex, secondRegex];
+}
+function compileOptionalRulePattern(pattern, issueFormatter) {
+  if (!pattern) return void 0;
+  const compiled = compileRegExp(pattern, issueFormatter);
+  if (compiled === SAFE_REGEXP) {
+    return void 0;
+  }
+  return compiled;
+}
+function parseClosureWarningCode(rawCode, id, issueFormatter) {
+  if (rawCode === "UNQUALIFIED_CUSTOM_FUNCTION_CALL" || rawCode === "DYNAMIC_SQL_EXECUTE") {
+    return rawCode;
+  }
+  issueFormatter(
+    "declarativeClosureWarningAllowlist",
+    `Rule "${id}" has unsupported code "${String(rawCode)}".`,
+    "error"
+  );
+  return null;
+}
+function parseClosureWarningLevel(id, rawLevel, issueFormatter) {
+  const level = parseRuleLevel("declarativeClosureWarningAllowlist", id, rawLevel, issueFormatter);
+  if (level === INVALID_RULE_LEVEL) {
+    return INVALID_RULE_LEVEL;
+  }
+  if (level === void 0 || level === "high" || level === "medium") {
+    return level;
+  }
+  issueFormatter(
+    "declarativeClosureWarningAllowlist",
+    `Rule "${id}" has unsupported level "${String(rawLevel)}"; use "medium" or "high".`,
+    "error"
+  );
+  return INVALID_RULE_LEVEL;
+}
+function buildDeclarativeRiskRule(entry, index, seenIds, issueFormatter) {
+  const section = "declarativeRiskAllowlist";
+  const rawRule = asRawRule(entry, index, section, issueFormatter);
+  if (!rawRule) return null;
+  const id = coerceRuleId(rawRule.id, index, section, issueFormatter);
+  const filePattern = coerceRulePattern(rawRule.filePattern, index, section, issueFormatter);
+  const descriptionPattern = coerceRulePattern(
+    rawRule.descriptionPattern,
+    index,
+    section,
+    issueFormatter
+  );
+  if (!id || !filePattern || !descriptionPattern) return null;
+  if (!claimUniqueRuleId(section, id, seenIds, issueFormatter)) return null;
+  const reason = readReason(section, id, rawRule.reason, issueFormatter);
+  if (!reason) return null;
+  const owner = coerceOptionalString(
+    rawRule.owner,
+    index,
+    `declarativeRiskAllowlist[${index}]`,
+    issueFormatter
+  );
+  const ticket = coerceOptionalString(
+    rawRule.ticket,
+    index,
+    `declarativeRiskAllowlist[${index}]`,
+    issueFormatter
+  );
+  const active = coerceBoolean(
+    rawRule.active,
+    index,
+    `declarativeRiskAllowlist[${index}]`,
+    issueFormatter
+  );
+  const expiresAt = coerceExpiresAt(
+    rawRule.expiresAt,
+    id,
+    index,
+    `declarativeRiskAllowlist[${index}]`,
+    issueFormatter
+  );
+  warnMissingTraceability(section, id, owner, ticket, issueFormatter);
+  if (!isRuleUsable(section, id, active, expiresAt, issueFormatter)) return null;
+  const level = parseRuleLevel(section, id, rawRule.level, issueFormatter);
+  if (level === INVALID_RULE_LEVEL) return null;
+  const compiledPatterns = compileRulePatterns(filePattern, descriptionPattern, issueFormatter);
+  if (!compiledPatterns) return null;
+  return {
+    id,
+    filePattern: compiledPatterns[0],
+    descriptionPattern: compiledPatterns[1],
+    level,
+    reason,
+    owner,
+    ticket,
+    active,
+    expiresAt
+  };
+}
+function reportDeprecatedLineUsage(id, line, lineStart, lineEnd, issueFormatter) {
+  if (line === void 0) {
+    return;
+  }
+  issueFormatter(
+    "directoryPlacementAllowlist",
+    `Rule "${id}" uses deprecated line field. Replace with explicit lineStart and lineEnd.`,
+    "error"
+  );
+  if (lineStart !== void 0 || lineEnd !== void 0) {
+    issueFormatter(
+      "directoryPlacementAllowlist",
+      `Rule "${id}" has both deprecated line and lineStart/lineEnd. Use lineStart + lineEnd only.`,
+      "error"
+    );
+  }
+}
+function buildDirectoryPlacementRule(entry, index, seenIds, issueFormatter) {
+  const section = "directoryPlacementAllowlist";
+  const rawRule = asRawRule(entry, index, section, issueFormatter);
+  if (!rawRule) return null;
+  const id = coerceRuleId(rawRule.id, index, section, issueFormatter);
+  const filePattern = coerceRulePattern(rawRule.filePattern, index, section, issueFormatter);
+  const messagePattern = coerceRulePattern(rawRule.messagePattern, index, section, issueFormatter);
+  if (!id || !filePattern || !messagePattern) return null;
+  if (!claimUniqueRuleId(section, id, seenIds, issueFormatter)) return null;
+  const reason = readReason(section, id, rawRule.reason, issueFormatter);
+  if (!reason) return null;
+  const owner = coerceOptionalString(
+    rawRule.owner,
+    index,
+    `directoryPlacementAllowlist[${index}]`,
+    issueFormatter
+  );
+  const ticket = coerceOptionalString(
+    rawRule.ticket,
+    index,
+    `directoryPlacementAllowlist[${index}]`,
+    issueFormatter
+  );
+  const active = coerceBoolean(
+    rawRule.active,
+    index,
+    `directoryPlacementAllowlist[${index}]`,
+    issueFormatter
+  );
+  const lineStart = coerceOptionalPositiveInteger(
+    rawRule.lineStart,
+    index,
+    `directoryPlacementAllowlist[${index}].lineStart`,
+    issueFormatter
+  );
+  const lineEnd = coerceOptionalPositiveInteger(
+    rawRule.lineEnd,
+    index,
+    `directoryPlacementAllowlist[${index}].lineEnd`,
+    issueFormatter
+  );
+  const line = coerceOptionalPositiveInteger(
+    rawRule.line,
+    index,
+    `directoryPlacementAllowlist[${index}].line`,
+    issueFormatter
+  );
+  reportDeprecatedLineUsage(id, line, lineStart, lineEnd, issueFormatter);
+  const objectPatternStr = coerceOptionalString(
+    rawRule.objectPattern,
+    index,
+    `directoryPlacementAllowlist[${index}].objectPattern`,
+    issueFormatter
+  );
+  const compiledObjectPattern = compileOptionalRulePattern(
+    objectPatternStr ?? null,
+    issueFormatter
+  );
+  if (objectPatternStr && !compiledObjectPattern) return null;
+  const hasObjectPattern = compiledObjectPattern !== void 0;
+  let scopedLineRange;
+  if (!hasObjectPattern) {
+    scopedLineRange = toScopedLineRange(lineStart, lineEnd, id, section, issueFormatter);
+    if (!scopedLineRange) return null;
+  } else {
+    if (lineStart !== void 0 && lineEnd !== void 0) {
+      scopedLineRange = toScopedLineRange(lineStart, lineEnd, id, section, issueFormatter);
+      if (!scopedLineRange) return null;
+    }
+  }
+  const expiresAt = coerceExpiresAt(
+    rawRule.expiresAt,
+    id,
+    index,
+    `directoryPlacementAllowlist[${index}]`,
+    issueFormatter
+  );
+  warnMissingTraceability(section, id, owner, ticket, issueFormatter);
+  if (!isRuleUsable(section, id, active, expiresAt, issueFormatter)) return null;
+  const level = parseRuleLevel(section, id, rawRule.level, issueFormatter);
+  if (level === INVALID_RULE_LEVEL) return null;
+  const compiledPatterns = compileRulePatterns(filePattern, messagePattern, issueFormatter);
+  if (!compiledPatterns) return null;
+  return {
+    id,
+    filePattern: compiledPatterns[0],
+    messagePattern: compiledPatterns[1],
+    objectPattern: compiledObjectPattern,
+    level,
+    lineStart: scopedLineRange?.lineStart,
+    lineEnd: scopedLineRange?.lineEnd,
+    reason,
+    owner,
+    ticket,
+    active,
+    expiresAt
+  };
+}
+function buildDeclarativeClosureWarningRule(entry, index, seenIds, issueFormatter) {
+  const section = "declarativeClosureWarningAllowlist";
+  const rawRule = asRawRule(entry, index, section, issueFormatter);
+  if (!rawRule) return null;
+  const id = coerceRuleId(rawRule.id, index, section, issueFormatter);
+  const code = id ? parseClosureWarningCode(rawRule.code, id, issueFormatter) : null;
+  const filePattern = coerceRulePattern(rawRule.filePattern, index, section, issueFormatter);
+  const anchorPattern = coerceOptionalString(
+    rawRule.anchorPattern,
+    index,
+    `declarativeClosureWarningAllowlist[${index}].anchorPattern`,
+    issueFormatter
+  );
+  if (!id || !code || !filePattern) return null;
+  if (!claimUniqueRuleId(section, id, seenIds, issueFormatter)) return null;
+  const reason = readReason(section, id, rawRule.reason, issueFormatter);
+  if (!reason) return null;
+  const owner = coerceOptionalString(
+    rawRule.owner,
+    index,
+    `declarativeClosureWarningAllowlist[${index}]`,
+    issueFormatter
+  );
+  const ticket = coerceOptionalString(
+    rawRule.ticket,
+    index,
+    `declarativeClosureWarningAllowlist[${index}]`,
+    issueFormatter
+  );
+  const active = coerceBoolean(
+    rawRule.active,
+    index,
+    `declarativeClosureWarningAllowlist[${index}]`,
+    issueFormatter
+  );
+  const expiresAt = coerceExpiresAt(
+    rawRule.expiresAt,
+    id,
+    index,
+    `declarativeClosureWarningAllowlist[${index}]`,
+    issueFormatter
+  );
+  const lineStart = coerceOptionalPositiveInteger(
+    rawRule.lineStart,
+    index,
+    `declarativeClosureWarningAllowlist[${index}].lineStart`,
+    issueFormatter
+  );
+  const lineEnd = coerceOptionalPositiveInteger(
+    rawRule.lineEnd,
+    index,
+    `declarativeClosureWarningAllowlist[${index}].lineEnd`,
+    issueFormatter
+  );
+  warnMissingTraceability(section, id, owner, ticket, issueFormatter);
+  if (!isRuleUsable(section, id, active, expiresAt, issueFormatter)) return null;
+  const scopedLineRange = toScopedLineRange(lineStart, lineEnd, id, section, issueFormatter);
+  if (!scopedLineRange) return null;
+  const level = parseClosureWarningLevel(id, rawRule.level, issueFormatter);
+  if (level === INVALID_RULE_LEVEL) return null;
+  const compiledPattern = compileRegExp(filePattern, issueFormatter);
+  if (compiledPattern === SAFE_REGEXP) return null;
+  const compiledAnchorPattern = compileOptionalRulePattern(anchorPattern ?? null, issueFormatter);
+  if (anchorPattern && !compiledAnchorPattern) return null;
+  return {
+    id,
+    code,
+    filePattern: compiledPattern,
+    anchorPattern: compiledAnchorPattern,
+    lineStart: scopedLineRange.lineStart,
+    lineEnd: scopedLineRange.lineEnd,
+    level,
+    reason,
+    owner,
+    ticket,
+    active,
+    expiresAt
+  };
+}
+function toDeclarativeRiskRules(rawList, issueFormatter) {
+  if (!Array.isArray(rawList)) return [];
+  const rules = [];
+  const seenIds = /* @__PURE__ */ new Set();
+  for (const [index, entry] of rawList.entries()) {
+    const rule = buildDeclarativeRiskRule(entry, index, seenIds, issueFormatter);
+    if (rule) {
+      rules.push(rule);
+    }
+  }
+  return rules;
+}
+function toDirectoryPlacementRules(rawList, issueFormatter) {
+  if (!Array.isArray(rawList)) return [];
+  const rules = [];
+  const seenIds = /* @__PURE__ */ new Set();
+  for (const [index, entry] of rawList.entries()) {
+    const rule = buildDirectoryPlacementRule(entry, index, seenIds, issueFormatter);
+    if (rule) {
+      rules.push(rule);
+    }
+  }
+  return rules;
+}
+function toDeclarativeClosureWarningRules(rawList, issueFormatter) {
+  if (!Array.isArray(rawList)) return [];
+  const rules = [];
+  const seenIds = /* @__PURE__ */ new Set();
+  for (const [index, entry] of rawList.entries()) {
+    const rule = buildDeclarativeClosureWarningRule(entry, index, seenIds, issueFormatter);
+    if (rule) {
+      rules.push(rule);
+    }
+  }
+  return rules;
+}
+function normalizePolicySource(raw, source, sourcePath, issueFormatter) {
+  const sourcePolicy = typeof raw === "object" && raw !== null ? raw : {};
+  const declarativePreferredObjects = coercePolicyStringList(
+    sourcePolicy.declarativePreferredObjects,
+    "declarativePreferredObjects",
+    issueFormatter
+  );
+  const idempotentPreferredObjects = coercePolicyStringList(
+    sourcePolicy.idempotentPreferredObjects,
+    "idempotentPreferredObjects",
+    issueFormatter
+  );
+  const safeDeclarative = declarativePreferredObjects.size > 0 ? declarativePreferredObjects : new Set(FALLBACK_DECLARATIVE_OBJECTS);
+  const safeIdempotent = idempotentPreferredObjects.size > 0 ? idempotentPreferredObjects : new Set(FALLBACK_IDEMPOTENT_OBJECTS);
+  const overlapObjects = [...safeDeclarative].filter((entry) => safeIdempotent.has(entry));
+  if (overlapObjects.length > 0) {
+    issueFormatter(
+      "overlap",
+      `Object(s) declared in both declarative and idempotent preferred sets: ${overlapObjects.join(", ")}`,
+      "error"
+    );
+  }
+  const declarativeRiskAllowlist = toDeclarativeRiskRules(
+    sourcePolicy.declarativeRiskAllowlist,
+    issueFormatter
+  );
+  const directoryPlacementAllowlist = toDirectoryPlacementRules(
+    sourcePolicy.directoryPlacementAllowlist,
+    issueFormatter
+  );
+  const declarativeClosureWarningAllowlist = toDeclarativeClosureWarningRules(
+    sourcePolicy.declarativeClosureWarningAllowlist,
+    issueFormatter
+  );
+  const ruleIds = /* @__PURE__ */ new Set();
+  for (const rule of [
+    ...declarativeRiskAllowlist,
+    ...directoryPlacementAllowlist,
+    ...declarativeClosureWarningAllowlist
+  ]) {
+    if (ruleIds.has(rule.id)) {
+      issueFormatter(
+        "allowlist",
+        `Duplicate allowlist id "${rule.id}" appears in multiple allowlist sections.`,
+        "error"
+      );
+    }
+    ruleIds.add(rule.id);
+  }
+  return {
+    version: mapPolicyVersion(sourcePolicy.version),
+    strictByDefault: typeof sourcePolicy.strictByDefault === "boolean" ? sourcePolicy.strictByDefault : false,
+    description: typeof sourcePolicy.description === "string" ? sourcePolicy.description : "Boundary policy for declarative/idempotent SQL placement.",
+    declarativePreferredObjects: safeDeclarative,
+    idempotentPreferredObjects: safeIdempotent,
+    declarativeRiskAllowlist,
+    directoryPlacementAllowlist,
+    declarativeClosureWarningAllowlist: declarativeClosureWarningAllowlist.length > 0 ? declarativeClosureWarningAllowlist : [...FALLBACK_DECLARATIVE_CLOSURE_WARNING_ALLOWLIST],
+    __meta: {
+      source,
+      sourcePath,
+      fallbackUsed: source === "default",
+      invalidPolicy: false,
+      issues: [],
+      warningCount: 0
+    }
+  };
+}
+
+// src/commands/db/utils/boundary-policy.ts
+function loadPolicyFromFile(policyFile) {
+  const issues = [];
+  const report = [];
+  const addIssue = (field, message, severity = "warning") => {
+    appendValidationIssue(issues, field, message, severity, policyFile, report);
+  };
+  try {
+    const raw = readFileSync(policyFile, "utf-8").trim();
+    if (raw.length === 0) {
+      addIssue("root", "empty file", "error");
+      return {
+        ...normalizePolicySource({}, "policy-file", policyFile, addIssue),
+        __meta: {
+          source: "policy-file",
+          sourcePath: policyFile,
+          fallbackUsed: true,
+          invalidPolicy: true,
+          issues: [...report],
+          warningCount: issues.filter((entry) => entry.severity === "warning").length
+        }
+      };
+    }
+    const parsed = JSON.parse(raw);
+    const validationIssues = validateBoundaryPolicy(parsed);
+    for (const issue of validationIssues) {
+      appendValidationIssue(issues, issue.field, issue.message, issue.severity, policyFile, report);
+    }
+    const policy = normalizePolicySource(parsed, "policy-file", policyFile, addIssue);
+    const hasError = issues.some((entry) => entry.severity === "error");
+    return {
+      ...policy,
+      __meta: {
+        source: "policy-file",
+        sourcePath: policyFile,
+        fallbackUsed: hasError,
+        invalidPolicy: hasError,
+        issues: [...report],
+        warningCount: issues.filter((entry) => entry.severity === "warning").length
+      }
+    };
+  } catch {
+    appendValidationIssue(issues, "json", "invalid JSON", "error", policyFile, report);
+    return {
+      version: DEFAULT_POLICY_VERSION,
+      strictByDefault: false,
+      description: "Fallback boundary policy.",
+      declarativePreferredObjects: FALLBACK_DECLARATIVE_OBJECTS,
+      idempotentPreferredObjects: FALLBACK_IDEMPOTENT_OBJECTS,
+      declarativeRiskAllowlist: FALLBACK_DECLARATIVE_RISK_ALLOWLIST,
+      directoryPlacementAllowlist: FALLBACK_DIRECTORY_PLACEMENT_ALLOWLIST,
+      declarativeClosureWarningAllowlist: FALLBACK_DECLARATIVE_CLOSURE_WARNING_ALLOWLIST,
+      __meta: {
+        source: "policy-file",
+        sourcePath: policyFile,
+        fallbackUsed: true,
+        invalidPolicy: true,
+        issues: [...report],
+        warningCount: issues.filter((entry) => entry.severity === "warning").length
+      }
+    };
+  }
+}
+function loadBoundaryPolicy(projectRoot, policyPath) {
+  const policyFile = policyPath ?? path2.join(projectRoot, "supabase", "schemas", BOUNDARY_POLICY_FILENAME);
+  if (!existsSync(policyFile)) {
+    return {
+      version: DEFAULT_POLICY_VERSION,
+      strictByDefault: false,
+      description: "Fallback boundary policy.",
+      declarativePreferredObjects: FALLBACK_DECLARATIVE_OBJECTS,
+      idempotentPreferredObjects: FALLBACK_IDEMPOTENT_OBJECTS,
+      declarativeRiskAllowlist: FALLBACK_DECLARATIVE_RISK_ALLOWLIST,
+      directoryPlacementAllowlist: FALLBACK_DIRECTORY_PLACEMENT_ALLOWLIST,
+      declarativeClosureWarningAllowlist: FALLBACK_DECLARATIVE_CLOSURE_WARNING_ALLOWLIST,
+      __meta: {
+        source: "default",
+        sourcePath: policyFile,
+        fallbackUsed: true,
+        invalidPolicy: false,
+        issues: [`[boundary-policy] ${policyFile} not found; using fallback values`],
+        warningCount: 0
+      }
+    };
+  }
+  return loadPolicyFromFile(policyFile);
+}
+
+// src/commands/db/utils/boundary-policy-runtime.ts
+init_esm_shims();
+var boundaryPolicyCache = /* @__PURE__ */ new Map();
+function getBoundaryPolicy(cwd = process.cwd()) {
+  const resolved = path2.resolve(cwd);
+  let cached = boundaryPolicyCache.get(resolved);
+  if (!cached) {
+    cached = loadBoundaryPolicy(cwd);
+    boundaryPolicyCache.set(resolved, cached);
+  }
+  return cached;
+}
+function reportBoundaryPolicyState(logger2, policy) {
+  if (policy.__meta.issues.length === 0) return;
+  const issuePrefix = policy.__meta.fallbackUsed ? "Boundary policy issue (fallback in effect):" : "Boundary policy issue:";
+  logger2.warn(`
+${issuePrefix}`);
+  for (const issue of policy.__meta.issues) {
+    logger2.info(`  \u2022 ${issue}`);
+  }
+}
+function assertBoundaryPolicyUsable(logger2, policy) {
+  reportBoundaryPolicyState(logger2, policy);
+  if (!policy.__meta.invalidPolicy) return;
+  const failureMessage = policy.__meta.source === "default" ? "Boundary policy missing or unreadable" : `Boundary policy has schema issues: ${policy.__meta.sourcePath}`;
+  throw new CLIError(
+    failureMessage,
+    "DB_BOUNDARY_POLICY_INVALID",
+    [
+      ...policy.__meta.issues,
+      "Fix boundary policy JSON before running production apply precheck",
+      "Hint: check regex syntax, required fields, and allowlist entry shape in .boundary-policy.json"
+    ],
+    void 0
+  );
+}
+function assertBoundaryPolicyQualityGate(logger2, policy, strict) {
+  if (policy.__meta.warningCount === 0) return;
+  logger2.warn(`Boundary policy has ${policy.__meta.warningCount} warning(s).`);
+  for (const issue of policy.__meta.issues) {
+    logger2.info(`  \u2022 ${issue}`);
+  }
+  if (!strict) return;
+  throw new CLIError("Boundary policy quality gate failed", "DB_BOUNDARY_POLICY_QUALITY_GATE", [
+    ...policy.__meta.issues,
+    "Run `node scripts/validate-boundary-policy-allowlist.mjs` and clear warnings before strict precheck."
+  ]);
+}
+function findDeclarativeRiskAllowlistMatch(risk, policy) {
+  return policy.declarativeRiskAllowlist.find((entry) => {
+    if (entry.level !== void 0 && entry.level !== risk.level) return false;
+    return entry.filePattern.test(risk.file) && entry.descriptionPattern.test(risk.description);
+  });
+}
+function hasExplicitLineScope(rule) {
+  return rule.lineStart !== void 0 && rule.lineEnd !== void 0;
+}
+function entryLineScopeMatches(issueLine, rule) {
+  if (!hasExplicitLineScope(rule)) return false;
+  if (issueLine === void 0) return false;
+  const lineStart = rule.lineStart;
+  const lineEnd = rule.lineEnd;
+  if (lineStart === void 0 || lineEnd === void 0) return false;
+  return issueLine >= lineStart && issueLine <= lineEnd;
+}
+function findDirectoryPlacementAllowlistMatch(issue, policy) {
+  return policy.directoryPlacementAllowlist.find((entry) => {
+    if (entry.level !== void 0 && entry.level !== issue.level) return false;
+    if (!entry.filePattern.test(issue.file)) return false;
+    if (!entry.messagePattern.test(issue.message)) return false;
+    if (entry.objectPattern) {
+      if (entry.objectPattern.test(issue.message)) return true;
+      if (!hasExplicitLineScope(entry)) return false;
+    }
+    if (!hasExplicitLineScope(entry)) return false;
+    return entryLineScopeMatches(issue.line, entry);
+  });
+}
+function findDeclarativeClosureWarningAllowlistMatch(warning, policy, options = {}) {
+  const warningLineText = readWarningLineText(warning.file, warning.line, options.cwd);
+  return policy.declarativeClosureWarningAllowlist.find((entry) => {
+    if (entry.code !== warning.code) return false;
+    if (entry.level !== void 0 && entry.level !== warning.level) return false;
+    if (!entry.filePattern.test(warning.file)) return false;
+    if (entry.anchorPattern && warningLineText && entry.anchorPattern.test(warningLineText)) {
+      return true;
+    }
+    return entryLineScopeMatches(warning.line, entry);
+  });
+}
+function readWarningLineText(relativeFilePath, line, cwd) {
+  if (!cwd) return void 0;
+  try {
+    const absolutePath = path2.join(cwd, relativeFilePath);
+    const lines = readFileSync(absolutePath, "utf-8").split(/\r?\n/);
+    return lines[line - 1];
+  } catch {
+    return void 0;
+  }
+}
+function resolveProductionApplyStrictMode(policy, strictOption) {
+  if (strictOption === true) return true;
+  const envStrict = process.env.RUNA_SCHEMA_PRECHECK_STRICT;
+  if (envStrict === "1") return true;
+  if (envStrict === "0") return false;
+  return policy.strictByDefault;
+}
+
+// src/commands/db/utils/declarative-dependency-warning-governance.ts
+var SHOW_ALLOWLIST_REPORT = process.env.RUNA_DB_PRECHECK_ALLOWLIST_REPORT === "1";
+function formatAllowlistedWarningEntry(entry) {
+  const formatted = formatDeclarativeDependencyWarning(entry.warning);
+  const metadata = formatAllowlistMetadata(entry.rule);
+  const metaSuffix = metadata ? ` (${metadata})` : "";
+  return `[allowlist:closure-warning] ${entry.rule.id}: ${formatted.summary} (${entry.rule.reason})${metaSuffix}`;
+}
+function reviewDeclarativeDependencyWarnings(params) {
+  const policy = getBoundaryPolicy(params.cwd);
+  assertBoundaryPolicyUsable(params.logger, policy);
+  const strict = resolveProductionApplyStrictMode(policy, params.strictOption);
+  assertBoundaryPolicyQualityGate(params.logger, policy, strict);
+  const allowlistedWarnings = [];
+  const unreviewedWarnings = [];
+  for (const warning of params.warnings) {
+    const matched = findDeclarativeClosureWarningAllowlistMatch(warning, policy, {
+      cwd: params.cwd
+    });
+    if (matched) {
+      allowlistedWarnings.push({ warning, rule: matched });
+      continue;
+    }
+    unreviewedWarnings.push(warning);
+  }
+  return {
+    strict,
+    allowlistReportEnabled: SHOW_ALLOWLIST_REPORT,
+    allowlistedWarnings,
+    unreviewedWarnings
+  };
+}
+function logDeclarativeDependencyWarnings(logger2, review) {
+  if (review.allowlistReportEnabled) {
+    for (const allowlisted of review.allowlistedWarnings) {
+      logger2.info(`  ${formatAllowlistedWarningEntry(allowlisted)}`);
+    }
+  }
+  if (review.unreviewedWarnings.length === 0) {
+    return;
+  }
+  const lead = review.strict ? `Found ${review.unreviewedWarnings.length} unreviewed declarative dependency boundary warning(s) in strict mode:` : `Found ${review.unreviewedWarnings.length} declarative dependency boundary warning(s):`;
+  logger2.warn(lead);
+  for (const summary of summarizeDeclarativeDependencyWarnings(review.unreviewedWarnings)) {
+    logger2.info(`  [SUMMARY] ${summary.label}: ${summary.count}`);
+  }
+  for (const warning of review.unreviewedWarnings.slice(0, MAX_DETAILED_DECLARATIVE_WARNINGS)) {
+    const formatted = formatDeclarativeDependencyWarning(warning);
+    logger2.info(`  [WARN] ${formatted.summary}`);
+    logger2.info(`         ${formatted.suggestion}`);
+  }
+  if (review.unreviewedWarnings.length > MAX_DETAILED_DECLARATIVE_WARNINGS) {
+    logger2.info(
+      `  ... ${review.unreviewedWarnings.length - MAX_DETAILED_DECLARATIVE_WARNINGS} more warning(s) omitted`
+    );
+  }
+}
+function buildDeclarativeDependencyWarningFailureLines(review) {
+  if (!review.strict || review.unreviewedWarnings.length === 0) {
+    return [];
+  }
+  const lines = [
+    `Declarative dependency boundary strict mode failed (${review.unreviewedWarnings.length} unreviewed warning(s)).`
+  ];
+  for (const summary of summarizeDeclarativeDependencyWarnings(review.unreviewedWarnings)) {
+    lines.push(`- [SUMMARY] ${summary.label}: ${summary.count}`);
+  }
+  for (const warning of review.unreviewedWarnings.slice(0, MAX_DETAILED_DECLARATIVE_WARNINGS)) {
+    const formatted = formatDeclarativeDependencyWarning(warning);
+    lines.push(`- ${formatted.summary}`);
+    lines.push(`- ${formatted.suggestion}`);
+  }
+  if (review.unreviewedWarnings.length > MAX_DETAILED_DECLARATIVE_WARNINGS) {
+    lines.push(
+      `- ... ${review.unreviewedWarnings.length - MAX_DETAILED_DECLARATIVE_WARNINGS} more warning(s) omitted`
+    );
+  }
+  lines.push(
+    "- Remediation: schema-qualify helper calls, rewrite/remove EXECUTE, or add a reviewed declarativeClosureWarningAllowlist entry with owner/ticket/reason/expiresAt."
+  );
+  return lines;
+}
+
+// src/commands/db/apply/helpers/function-plan-false-positive-filter.ts
+init_esm_shims();
+var CREATE_OR_REPLACE_FUNCTION_PATTERN = /^\s*CREATE\s+OR\s+REPLACE\s+FUNCTION\b/i;
+var PLPGSQL_LANGUAGE_PATTERN = /\bLANGUAGE\s+plpgsql\b/i;
+async function normalizePlpgsqlFunctionDefinition(sql, dbProconfig, session = createPlanAnalysisSession()) {
+  const analysis = await analyzePlanStatement({ index: 0, sql, hazards: [] }, session);
+  return normalizeFunctionDefinitionAst(analysis, dbProconfig);
+}
+function escapeSqlLiteral(value) {
+  return value.replace(/'/g, "''");
+}
+function toGlobRegex(pattern) {
+  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return new RegExp(`^${escaped.replace(/\\\*/g, ".*")}$`);
+}
+function matchesSchemaCheckExclusion(objectKey, patterns) {
+  return patterns.some((pattern) => {
+    const normalizedPattern = pattern.toLowerCase();
+    if (normalizedPattern.includes("*")) {
+      return toGlobRegex(normalizedPattern).test(objectKey);
+    }
+    return objectKey === normalizedPattern;
+  });
+}
+function serializePlanStatements(statements) {
+  if (statements.length === 0) {
+    return "";
+  }
+  return statements.map((statement) => {
+    const lines = [`-- Statement Idx. ${statement.index}`];
+    for (const hazard of statement.hazards) {
+      lines.push(`-- Hazard ${hazard.type}: ${hazard.message}`);
+    }
+    lines.push(statement.sql.trimEnd());
+    return lines.join("\n");
+  }).join("\n");
+}
+function buildFunctionMetadataQuery(references) {
+  if (references.length === 0) {
+    return null;
+  }
+  const filters = references.map(
+    (reference) => `(n.nspname = '${escapeSqlLiteral(reference.schema)}' AND p.proname = '${escapeSqlLiteral(reference.name)}')`
+  ).join(" OR ");
+  return `
+SELECT COALESCE(
+  json_agg(
+    json_build_object(
+      'schema', n.nspname,
+      'name', p.proname,
+      'definition', pg_get_functiondef(p.oid),
+      'proconfig', COALESCE(p.proconfig, ARRAY[]::text[])
+    )
+  )::text,
+  '[]'
+)
+FROM pg_proc p
+JOIN pg_namespace n ON p.pronamespace = n.oid
+WHERE p.prokind = 'f'
+  AND (${filters});
+`;
+}
+function loadExistingFunctionMetadata(dbUrl, references) {
+  const query = buildFunctionMetadataQuery(references);
+  if (!query) {
+    return /* @__PURE__ */ new Map();
+  }
+  const result = psqlSyncQuery({ databaseUrl: dbUrl, sql: query, timeout: 1e4 });
+  if (result.status !== 0) {
+    throw new Error(result.stderr || "Failed to query pg_proc metadata");
+  }
+  const parsed = JSON.parse(result.stdout.trim());
+  const grouped = /* @__PURE__ */ new Map();
+  for (const row of parsed) {
+    const key = `${row.schema.toLowerCase()}.${row.name.toLowerCase()}`;
+    const existing = grouped.get(key) ?? [];
+    existing.push(row);
+    grouped.set(key, existing);
+  }
+  return grouped;
+}
+async function isSemanticallyEquivalentPlpgsqlFunction(sql, candidates, session) {
+  const planned = await normalizePlpgsqlFunctionDefinition(sql, void 0, session);
+  if (!planned) return false;
+  const matchingCandidates = [];
+  for (const candidate of candidates) {
+    const current = await normalizePlpgsqlFunctionDefinition(
+      candidate.definition,
+      candidate.proconfig,
+      session
+    );
+    if (current !== null && current.normalizedDefinition === planned.normalizedDefinition && current.normalizedConfig === planned.normalizedConfig) {
+      matchingCandidates.push(candidate);
+    }
+  }
+  return matchingCandidates.length === 1;
+}
+function shouldInspectStatement(statement) {
+  const strippedSql = stripLeadingSetStatements(statement.sql);
+  return CREATE_OR_REPLACE_FUNCTION_PATTERN.test(strippedSql) && PLPGSQL_LANGUAGE_PATTERN.test(strippedSql);
+}
+async function suppressFunctionSchemaCheckFalsePositives(params) {
+  const plan = parsePlanOutput(params.planOutput);
+  const session = createPlanAnalysisSession();
+  if (plan.statements.length === 0) {
+    return { planOutput: params.planOutput, suppressedStatements: [], warnings: [] };
+  }
+  const excludePatterns = params.excludeFromSchemaCheck ?? [];
+  const suppressedStatements = [];
+  const warnings = [];
+  const pendingStatements = [];
+  const retainedStatements = [];
+  for (const statement of plan.statements) {
+    if (!shouldInspectStatement(statement)) {
+      retainedStatements.push(statement);
+      continue;
+    }
+    const analysis = await analyzePlanStatement(statement, session);
+    if (!analysis.targetFunctionKey) {
+      retainedStatements.push(statement);
+      continue;
+    }
+    const [schema, name] = analysis.targetFunctionKey.split(".");
+    const reference = { schema, name, key: analysis.targetFunctionKey };
+    if (matchesSchemaCheckExclusion(reference.key, excludePatterns)) {
+      suppressedStatements.push(statement);
+      warnings.push(
+        `Suppressed pg-schema-diff schema check for ${reference.key} via database.pgSchemaDiff.excludeFromSchemaCheck.`
+      );
+      continue;
+    }
+    pendingStatements.push({ statement, reference });
+  }
+  if (pendingStatements.length === 0) {
+    return {
+      planOutput: serializePlanStatements(retainedStatements),
+      suppressedStatements,
+      warnings
+    };
+  }
+  const metadataByFunction = loadExistingFunctionMetadata(
+    params.dbUrl,
+    pendingStatements.map(({ reference }) => reference)
+  );
+  for (const { statement, reference } of pendingStatements) {
+    const candidates = metadataByFunction.get(reference.key) ?? [];
+    if (await isSemanticallyEquivalentPlpgsqlFunction(statement.sql, candidates, session)) {
+      suppressedStatements.push(statement);
+      warnings.push(
+        `Suppressed likely pg-schema-diff false positive for ${reference.key}: current pg_proc.proconfig matches the declarative function config semantically, so repeated CREATE OR REPLACE was removed from schema check output.`
+      );
+      continue;
+    }
+    retainedStatements.push(statement);
+  }
+  return {
+    planOutput: serializePlanStatements(retainedStatements),
+    suppressedStatements,
+    warnings
+  };
+}
+
+// src/commands/db/apply/helpers/temp-db-dsn.ts
+init_esm_shims();
+function resolvePgSchemaDiffTempDbDsn(params) {
+  if (params.shadowDbDsn) {
+    return params.shadowDbDsn;
+  }
+  const envTempDbDsn = params.envTempDbDsn?.trim();
+  if (envTempDbDsn) {
+    return envTempDbDsn;
+  }
+  const localTempDbDsn = params.localTempDbDsn?.trim();
+  return localTempDbDsn ? localTempDbDsn : void 0;
+}
+
+// src/commands/db/apply/actors/pg-schema-diff-actors.ts
+var PROGRESS_HEARTBEAT_MS = 3e4;
+function formatElapsed(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  if (ms < 6e4) return `${(ms / 1e3).toFixed(1)}s`;
+  const minutes = Math.floor(ms / 6e4);
+  const seconds = Math.round(ms % 6e4 / 1e3);
+  return `${minutes}m ${seconds}s`;
+}
+async function withProgress(label, operation) {
+  const startedAt = Date.now();
+  logger.info(`[db apply] ${label}...`);
+  const heartbeat = setInterval(() => {
+    logger.info(`[db apply] ${label} still running (${formatElapsed(Date.now() - startedAt)})`);
+  }, PROGRESS_HEARTBEAT_MS);
+  heartbeat.unref?.();
+  try {
+    const result = await operation();
+    logger.info(`[db apply] ${label} completed (${formatElapsed(Date.now() - startedAt)})`);
+    return result;
+  } catch (error) {
+    logger.warn(`[db apply] ${label} failed after ${formatElapsed(Date.now() - startedAt)}`);
+    throw error;
+  } finally {
+    clearInterval(heartbeat);
+  }
+}
+async function applyWithRetry(params) {
+  const {
+    dbUrl,
+    targetDir,
+    schemasDir,
+    includeSchemas,
+    input,
+    planOutput,
+    hazards,
+    protectedTables,
+    protectedObjects,
+    tempDbDsn,
+    pgSchemaDiffDir
+  } = params;
+  logger.step("Applying schema changes (plan+psql)...");
+  const allowedHazardTypes = buildAllowedHazards(input);
+  const result = await executePlanSqlWithRetry(dbUrl, planOutput, input.verbose, {
+    maxDelayMs: input.maxLockWaitMs,
+    allowedHazardTypes,
+    protectedTables,
+    protectedObjects,
+    failOnLowParseConfidence: input.env === "production",
+    retryRequiresReplanMessage: params.disableRePlanOnRetry ? "artifact_retry_requires_replan: Checked planner artifact hit retryable lock contention during apply. Re-run `runa db plan production` to generate a fresh checked plan before retrying." : void 0,
+    rePlanFn: params.disableRePlanOnRetry ? void 0 : () => {
+      const { planOutput: freshPlan } = executePgSchemaDiffPlan(
+        dbUrl,
+        pgSchemaDiffDir ?? schemasDir,
+        includeSchemas,
+        input.verbose,
+        { tempDbDsn, targetDir }
+      );
+      if (!freshPlan.trim() || freshPlan.includes("No changes")) {
+        return null;
+      }
+      return freshPlan;
+    }
+  });
+  if (!result.success) {
+    throw result.error || new Error("Migration failed");
+  }
+  if (input.verbose && result.attempts > 0) {
+    logger.debug(`Retry metrics: ${result.attempts} attempts, ${result.totalWaitMs}ms total wait`);
+  }
+  logger.success("Schema changes applied");
+  return {
+    sql: planOutput,
+    hazards,
+    applied: true,
+    retryAttempts: result.attempts,
+    retryWaitMs: result.totalWaitMs
+  };
+}
+function autoDetectRequiredExtensions(targetDir) {
+  const EXTENSION_TYPE_KEYWORDS = {
+    geometry: "postgis",
+    geography: "postgis",
+    box2d: "postgis",
+    box3d: "postgis",
+    raster: "postgis_raster",
+    vector: "vector",
+    halfvec: "vector",
+    sparsevec: "vector",
+    citext: "citext",
+    hstore: "hstore",
+    ltree: "ltree"
+  };
+  const declarativeDir = join(targetDir, "supabase", "schemas", "declarative");
+  if (!existsSync(declarativeDir)) return [];
+  const detected = /* @__PURE__ */ new Set();
+  try {
+    const files = readdirSync(declarativeDir).filter((f) => f.endsWith(".sql"));
+    for (const file of files) {
+      const content = readFileSync(join(declarativeDir, file), "utf-8").toLowerCase();
+      for (const [typeName, extName] of Object.entries(EXTENSION_TYPE_KEYWORDS)) {
+        if (content.includes(typeName)) {
+          detected.add(extName);
+        }
+      }
+    }
+  } catch {
+  }
+  return [...detected].sort();
+}
+function resolveEffectiveShadowExtensions(configured, targetDir, verbose) {
+  if (configured && configured.length > 0) return configured;
+  const autoDetected = autoDetectRequiredExtensions(targetDir);
+  if (autoDetected.length > 0 && verbose) {
+    logger.debug(`Auto-detected shadow DB extensions from SQL: ${autoDetected.join(", ")}`);
+  }
+  return autoDetected.length > 0 ? autoDetected : void 0;
+}
+function loadPgSchemaDiffConfigState(targetDir, verbose) {
+  try {
+    const config = loadRunaConfig(targetDir);
+    return {
+      shadowExtensions: resolveEffectiveShadowExtensions(
+        config.database?.pgSchemaDiff?.shadowDbExtensions,
+        targetDir,
+        verbose
+      ),
+      configExclusions: config.database?.pgSchemaDiff?.excludeFromOrphanDetection ? [...config.database.pgSchemaDiff.excludeFromOrphanDetection] : void 0,
+      schemaCheckExclusions: config.database?.pgSchemaDiff?.excludeFromSchemaCheck ? [...config.database.pgSchemaDiff.excludeFromSchemaCheck] : void 0
+    };
+  } catch {
+    if (verbose) {
+      logger.debug("Could not load runa.config.ts - continuing without extension support");
+    }
+    return {
+      shadowExtensions: resolveEffectiveShadowExtensions(void 0, targetDir, verbose)
+    };
+  }
+}
+function createPrefilterState(schemasDir, verbose, configExclusions) {
+  try {
+    const prefilter = prefilterPartitionStubs(schemasDir);
+    if (!prefilter) {
+      return { prefilter: null, pgSchemaDiffDir: schemasDir, configExclusions };
+    }
+    if (verbose) {
+      logger.debug(`Prefiltered ${prefilter.detectedStubs.length} partition stub(s)`);
+    }
+    return {
+      prefilter,
+      pgSchemaDiffDir: prefilter.filteredDir,
+      configExclusions: [...configExclusions ?? [], ...prefilter.autoProtectedTables]
+    };
+  } catch {
+    return { prefilter: null, pgSchemaDiffDir: schemasDir, configExclusions };
+  }
+}
+function collectSchemaFiles(schemasDir) {
+  return readdirSync(schemasDir).filter((file) => file.endsWith(".sql")).sort().map((file) => join(schemasDir, file));
+}
+function assertDeclarativeDependencyBoundary(targetDir, input) {
+  logger.step("Checking declarative dependency boundary");
+  const analysis = analyzeDeclarativeDependencyContract(targetDir);
+  if (input.check) {
+    logger.info(DB_APPLY_CHECK_MODE_CONTRACT_NOTE);
+  }
+  if (analysis.violations.length === 0) {
+    logger.success("Declarative dependency boundary is consistent");
+  } else {
+    const lines = [
+      `Declarative dependency boundary check failed (${analysis.violations.length} violation(s)).`,
+      analysis.contractNote
+    ];
+    for (const violation of analysis.violations) {
+      const formatted = formatDeclarativeDependencyViolation(violation);
+      lines.push(`- ${formatted.summary}`);
+      lines.push(`- ${formatted.callee}`);
+      if (formatted.definedIn) {
+        lines.push(`- ${formatted.definedIn}`);
+      }
+      lines.push(`- ${formatted.suggestion}`);
+    }
+    throw new Error(lines.join("\n"));
+  }
+  const warningReview = reviewDeclarativeDependencyWarnings({
+    cwd: targetDir,
+    logger,
+    warnings: analysis.warnings,
+    strictOption: input.strict
+  });
+  logDeclarativeDependencyWarnings(logger, warningReview);
+  if (warningReview.strict && warningReview.unreviewedWarnings.length > 0) {
+    throw new Error(buildDeclarativeDependencyWarningFailureLines(warningReview).join("\n"));
+  }
+}
+function warnDuplicateFunctionOwnership(targetDir) {
+  const analysis = analyzeDuplicateFunctionOwnership(targetDir);
+  if (analysis.findings.length === 0) {
+    return;
+  }
+  logger.warn(`Duplicate function ownership detected (${analysis.findings.length} finding(s))`);
+  logger.info(`  ${analysis.contractNote}`);
+  for (const finding of analysis.findings) {
+    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
+    logger.info(`  [WARN] ${formatted.summary}`);
+    for (const location of formatted.declarativeLocations) {
+      logger.info(`         declarative: ${location}`);
+    }
+    for (const location of formatted.idempotentLocations) {
+      logger.info(`         idempotent: ${location}`);
+    }
+    logger.info(`         ${formatted.suggestion}`);
+  }
+}
+function createCombinedSchemaBundle(schemaFiles, verbose) {
+  const tmpDir = mkdtempSync(join(tmpdir(), "runa_pg_schema_diff_"));
+  const combinedSchemaPath = join(tmpDir, "desired_schema.sql");
+  const schemaContents = schemaFiles.map((filePath) => {
+    const content = readFileSync(filePath, "utf-8");
+    return `-- Source: ${filePath}
+${content}`;
+  });
+  writeFileSync(combinedSchemaPath, schemaContents.join("\n\n"), "utf-8");
+  if (verbose) {
+    logger.debug(`Combined ${schemaFiles.length} schema files`);
+  }
+  return tmpDir;
+}
+async function createShadowDbForRun(dbUrl, shadowExtensions, verbose) {
+  if (!needsShadowDb(shadowExtensions)) {
+    return null;
+  }
+  cleanupOrphanShadowDatabases(dbUrl);
+  logger.step(`Creating shadow DB with extensions: ${shadowExtensions.join(", ")}`);
+  const shadowDb = await createShadowDbWithExtensions({
+    extensions: shadowExtensions,
+    sourceDbUrl: dbUrl
+  });
+  if (verbose) {
+    logger.debug(`Shadow DB created: ${shadowDb.dbName}`);
+  }
+  return shadowDb;
+}
+function buildNoChangesResult(planOutput) {
+  if (isNoChangePlanOutput(planOutput)) {
+    logger.success("No schema changes detected");
+    return { sql: "", hazards: [], applied: true };
+  }
+  return null;
+}
+function enforceDropSafety(input, droppedTables) {
+  if (droppedTables.length === 0) {
+    return;
+  }
+  logger.warn("");
+  logger.warn(`Plan will DROP ${droppedTables.length} table(s):`);
+  for (const table of droppedTables) {
+    logger.warn(`  - ${table}`);
+  }
+  logger.warn("Verify these tables were intentionally removed from declarative/*.sql");
+  if (input.env === "production" && !input.allowDataLoss) {
+    throw new Error(
+      `Production deployment blocked: ${droppedTables.length} table(s) would be dropped. Use --allow-data-loss to proceed.`
+    );
+  }
+  logger.warn("");
+}
+function runPreApplyDataCompatibility(dbUrl, planOutput, input) {
+  if (input.skipDataCheck || input.compareOnly) {
+    return 0;
+  }
+  const plan = parsePlanOutput(planOutput);
+  const compatResult = checkDataCompatibility(dbUrl, plan, {
+    verbose: input.verbose,
+    timeout: 1e4
+  });
+  const dataViolationCount = compatResult.violations.length;
+  if (dataViolationCount > 0) {
+    displayDataCompatibilityResults(compatResult, input.verbose);
+    if (input.check) return dataViolationCount;
+    if (input.env === "production" && !input.allowDataLoss) {
+      throw new Error(
+        `Pre-apply data validation: ${dataViolationCount} violation(s).
+  Fix data issues or use --allow-data-loss / --skip-data-check.`
+      );
+    }
+    if (!input.autoApprove) {
+      throw new Error(
+        `Pre-apply data validation: ${dataViolationCount} violation(s).
+  Fix data issues or use --auto-approve / --skip-data-check.`
+      );
+    }
+    return dataViolationCount;
+  }
+  if (compatResult.checkedStatements > 0) {
+    displayDataCompatibilityResults(compatResult, input.verbose);
+  }
+  return 0;
+}
+function buildCheckModeResult(input, planOutput, hazards, protectedTables, protectedObjects, dataViolationCount, schemasDir, options) {
+  if (!input.check) {
+    return null;
+  }
+  const plan = parsePlanOutput(planOutput);
+  const { filteredPlan, removedDropStatements, removedAuthzStatements, removedRlsStatements } = filterCheckModePlanStatements(plan, protectedTables, protectedObjects, schemasDir);
+  const planSummary = buildCheckModePlanSummary({
+    rawStatementCount: options?.rawStatementCount ?? plan.statements.length,
+    filteredPlan,
+    removedDropStatements,
+    removedAuthzStatements,
+    removedRlsStatements,
+    suppressedFunctionStatements: options?.suppressedFunctionStatements
+  });
+  displayCheckModeResults(planOutput, {
+    verbose: input.verbose,
+    filterInfo: {
+      filteredPlanSql: filteredPlan.rawSql,
+      removedDropStatements,
+      removedAuthzStatements,
+      removedRlsStatements,
+      suppressedFunctionStatements: options?.suppressedFunctionStatements,
+      planSummary
+    }
+  });
+  const planSizeAssessment = assessPlanSize(planSummary);
+  if (planSizeAssessment.severity !== "ok") {
+    logger.warn(`Large plan warning: ${formatPlanSizeSummary(planSummary)}`);
+    for (const reason of planSizeAssessment.reasons) {
+      logger.info(`  \u2022 ${reason}`);
+    }
+    logger.info("  Small production instances may see elevated load during apply.");
+  }
+  return {
+    sql: planOutput,
+    filteredPlanSql: filteredPlan.rawSql,
+    planSummary,
+    hazards,
+    applied: false,
+    dataViolations: dataViolationCount > 0 ? dataViolationCount : void 0
+  };
+}
+function backupProtectedTablesForProduction(dbUrl, protectedTables, input) {
+  if (input.env !== "production") {
+    return;
+  }
+  const { backupPath } = backupIdempotentTables(dbUrl, protectedTables, input.verbose);
+  if (backupPath) {
+    logger.info(`Recovery: pg_restore -d <DATABASE_URL> ${backupPath}`);
+    return;
+  }
+  if (protectedTables.length > 0 && !input.allowDataLoss) {
+    throw new Error(
+      "Pre-apply backup failed for production deployment.\n  Protected tables exist but could not be backed up.\n  Use --allow-data-loss to proceed without backup (emergency only)."
+    );
+  }
+}
+async function cleanupApplyResources(params) {
+  if (params.shadowDb) {
+    try {
+      await params.shadowDb.cleanup();
+      if (params.verbose) {
+        logger.debug("Shadow DB cleaned up");
+      }
+    } catch (cleanupError) {
+      logger.warn(`Failed to cleanup shadow DB: ${cleanupError}`);
+    }
+  }
+  if (params.prefilter) {
+    try {
+      rmSync(params.prefilter.filteredDir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+  if (params.tmpDir) {
+    try {
+      rmSync(params.tmpDir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+var applyPgSchemaDiff = fromPromise(async ({ input: { input, targetDir, preIdempotentTargetFingerprint } }) => {
+  const schemasDir = join(targetDir, "supabase/schemas/declarative");
+  if (!existsSync(schemasDir)) {
+    logger.info("No declarative schemas found");
+    return { sql: "", hazards: [], applied: false };
+  }
+  warnDuplicateFunctionOwnership(targetDir);
+  assertDeclarativeDependencyBoundary(targetDir, input);
+  const dbUrl = getDbUrl(input);
+  const configState = loadPgSchemaDiffConfigState(targetDir, input.verbose);
+  const prefilterState = createPrefilterState(
+    schemasDir,
+    input.verbose,
+    configState.configExclusions
+  );
+  if (!input.compareOnly) {
+    const freshDbResult = handleFreshDbCase(
+      input,
+      dbUrl,
+      targetDir,
+      prefilterState.pgSchemaDiffDir
+    );
+    if (freshDbResult) return freshDbResult;
+  }
+  const schemaFiles = collectSchemaFiles(schemasDir);
+  if (schemaFiles.length === 0) {
+    logger.info("No schema files to apply");
+    return { sql: "", hazards: [], applied: false };
+  }
+  let shadowDb = null;
+  let tmpDir = null;
+  try {
+    verifyPgSchemaDiffBinary({ strictVersion: input.env === "production" });
+    await withProgress(
+      "checking target database connection",
+      () => verifyDatabaseConnection(dbUrl, { maxRetries: input.compareOnly ? 2 : void 0 })
+    );
+    const includeSchemas = detectAppSchemas(schemasDir, input.verbose);
+    const artifactDecision = !input.check && input.plannerArtifactPath ? tryReuseDbPlanArtifact({
+      repoRoot: targetDir,
+      artifactPath: input.plannerArtifactPath,
+      input,
+      precomputedTargetFingerprint: preIdempotentTargetFingerprint ?? void 0
+    }) : {
+      artifact: null,
+      planner: {
+        source: "inline",
+        path: input.plannerArtifactPath,
+        reuseAttempted: Boolean(input.plannerArtifactPath)
+      }
+    };
+    const plannerMetadata = artifactDecision.planner;
+    if (!artifactDecision.artifact && input.plannerArtifactRequired) {
+      const reason = plannerMetadata.reuseMessage ?? "unknown";
+      const isTargetMismatch = reason.includes("target fingerprint mismatch");
+      if (isTargetMismatch) {
+        logger.warn(
+          `Checked plan artifact stale (${reason}). Production DB state changed between plan and apply. Falling back to fresh plan.`
+        );
+        input.plannerArtifactPath = void 0;
+      } else {
+        throw new Error(`Checked plan artifact could not be reused: ${reason}`);
+      }
+    }
+    if (!input.check) {
+      cleanPartitionAclsForPgSchemaDiff(dbUrl, includeSchemas, input.verbose);
+    }
+    let tempDbDsn;
+    let rawPlanStatementCount = 0;
+    let effectivePlanOutput = artifactDecision.artifact?.planSql ?? "";
+    const filteredPlanSql = artifactDecision.artifact?.filteredPlanSql;
+    const planSummary = artifactDecision.artifact?.planSummary;
+    let hazards = [...artifactDecision.artifact?.hazards ?? []];
+    let suppressedPlan = {
+      planOutput: effectivePlanOutput,
+      suppressedStatements: [],
+      warnings: []
+    };
+    if (artifactDecision.artifact) {
+      logger.step(`Reusing checked planner artifact: ${artifactDecision.artifact.previewProfile}`);
+      rawPlanStatementCount = artifactDecision.artifact.planSummary?.rawStatements ?? parsePlanOutput(artifactDecision.artifact.planSql).statements.length;
+      if (!artifactDecision.artifact.hasChanges) {
+        logger.success("No schema changes detected (planner artifact)");
+        return {
+          sql: "",
+          hazards: [...artifactDecision.artifact.hazards],
+          applied: false,
+          filteredPlanSql: filteredPlanSql || void 0,
+          planSummary,
+          planner: plannerMetadata
+        };
+      }
+    } else {
+      tmpDir = createCombinedSchemaBundle(schemaFiles, input.verbose);
+      logger.step("Running pg-schema-diff (incremental changes)...");
+      if (!input.compareOnly) {
+        shadowDb = await withProgress(
+          "preparing shadow database",
+          () => createShadowDbForRun(dbUrl, configState.shadowExtensions, input.verbose)
+        );
+      }
+      freeConnectionSlotsForPgSchemaDiff(dbUrl, input.verbose);
+      let localTempDbDsn;
+      if (!shadowDb && !process.env.PG_SCHEMA_DIFF_TEMP_DB_DSN && input.env !== "local") {
+        const candidateLocalTempDbDsn = buildLocalDatabaseUrl(process.cwd());
+        try {
+          await verifyDatabaseConnection(candidateLocalTempDbDsn, { maxRetries: 0 });
+          localTempDbDsn = candidateLocalTempDbDsn;
+          if (input.verbose) {
+            logger.step("Using local Supabase as pg-schema-diff temp DB fallback");
+          }
+        } catch {
+        }
+      }
+      tempDbDsn = resolvePgSchemaDiffTempDbDsn({
+        shadowDbDsn: shadowDb?.dsn,
+        envTempDbDsn: process.env.PG_SCHEMA_DIFF_TEMP_DB_DSN,
+        localTempDbDsn
+      });
+      if (!shadowDb && tempDbDsn) {
+        const resolvedTempDbDsn = tempDbDsn;
+        await withProgress(
+          "bootstrapping external temp database",
+          () => bootstrapTempDbFromSource({
+            sourceDbUrl: dbUrl,
+            tempDbDsn: resolvedTempDbDsn
+          })
+        );
+      }
+      const { planOutput } = await withProgress(
+        "running pg-schema-diff plan",
+        () => executePgSchemaDiffPlan(
+          dbUrl,
+          prefilterState.pgSchemaDiffDir,
+          includeSchemas,
+          input.verbose,
+          {
+            tempDbDsn,
+            targetDir
+          }
+        )
+      );
+      rawPlanStatementCount = parsePlanOutput(planOutput).statements.length;
+      effectivePlanOutput = planOutput;
+      suppressedPlan = {
+        planOutput,
+        suppressedStatements: [],
+        warnings: []
+      };
+      if (!input.compareOnly) {
+        try {
+          suppressedPlan = await withProgress(
+            "reviewing plan false positives",
+            () => suppressFunctionSchemaCheckFalsePositives({
+              dbUrl,
+              planOutput,
+              excludeFromSchemaCheck: configState.schemaCheckExclusions
+            })
+          );
+        } catch (error) {
+          logger.warn(
+            `Skipping pg-schema-diff false-positive suppression due to metadata lookup failure: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
+        for (const warning of suppressedPlan.warnings) {
+          logger.warn(warning);
+        }
+        effectivePlanOutput = suppressedPlan.planOutput;
+      }
+    }
+    const noChangesResult = rawPlanStatementCount === 0 || isNoChangePlanOutput(effectivePlanOutput) ? buildNoChangesResult(effectivePlanOutput) : null;
+    if (noChangesResult) return { ...noChangesResult, planner: plannerMetadata };
+    if (!artifactDecision.artifact) {
+      const extracted = await withProgress(
+        "extracting migration hazards",
+        () => handleHazardsWithContext(effectivePlanOutput, input, schemasDir)
+      );
+      hazards = extracted.hazards;
+    }
+    const droppedTables = detectDropTableStatements(effectivePlanOutput);
+    enforceDropSafety(input, droppedTables);
+    const dataViolationCount = await withProgress(
+      "checking data compatibility",
+      () => runPreApplyDataCompatibility(dbUrl, effectivePlanOutput, input)
+    );
+    const protectedTables = getIdempotentProtectedTables(
+      schemasDir,
+      prefilterState.configExclusions
+    );
+    const protectedObjects = getIdempotentProtectedObjects(
+      schemasDir,
+      prefilterState.configExclusions
+    );
+    const planForValidation = parsePlanOutput(effectivePlanOutput);
+    const orderIssues = validateDependencyOrder(planForValidation);
+    if (orderIssues.length > 0) {
+      for (const issue of orderIssues) {
+        logger.error(issue);
+      }
+      throw new Error(
+        `DDL ordering issue detected: ${orderIssues.length} policy/function dependency problem(s).
+` + orderIssues.map((i) => `  \u2022 ${i}`).join("\n") + "\n\nThis plan would fail on production. Ensure CREATE FUNCTION is defined before policies that reference it."
+      );
+    }
+    const checkModeResult = buildCheckModeResult(
+      input,
+      effectivePlanOutput,
+      hazards,
+      protectedTables,
+      protectedObjects,
+      dataViolationCount,
+      schemasDir,
+      {
+        rawStatementCount: rawPlanStatementCount,
+        suppressedFunctionStatements: !input.compareOnly ? suppressedPlan.suppressedStatements : void 0
+      }
+    );
+    if (checkModeResult) {
+      return {
+        ...checkModeResult,
+        planner: plannerMetadata
+      };
+    }
+    backupProtectedTablesForProduction(dbUrl, protectedTables, input);
+    const preApplyCounts = getTableRowEstimates(dbUrl, schemasDir, input.verbose);
+    const applyResult = await applyWithRetry({
+      dbUrl,
+      targetDir,
+      schemasDir,
+      includeSchemas,
+      input,
+      planOutput: effectivePlanOutput,
+      hazards,
+      protectedTables,
+      protectedObjects,
+      tempDbDsn,
+      pgSchemaDiffDir: prefilterState.pgSchemaDiffDir,
+      disableRePlanOnRetry: artifactDecision.artifact != null
+    });
+    if (applyResult.applied) {
+      verifyDataIntegrity(dbUrl, schemasDir, preApplyCounts, input.verbose, input.allowDataLoss);
+    }
+    return {
+      ...applyResult,
+      filteredPlanSql: filteredPlanSql || void 0,
+      planSummary,
+      planner: plannerMetadata,
+      dataViolations: dataViolationCount > 0 ? dataViolationCount : void 0
+    };
+  } finally {
+    await cleanupApplyResources({
+      shadowDb,
+      prefilter: prefilterState.prefilter,
+      tmpDir,
+      verbose: input.verbose
+    });
+  }
+});
+var validatePartitions = fromPromise(async ({ input: { input, targetDir } }) => {
+  if (input.check) return { warnings: [] };
+  const idempotentDir = join(targetDir, "supabase/schemas/idempotent");
+  if (!existsSync(idempotentDir)) return { warnings: [] };
+  const expected = parseExpectedPartitions(idempotentDir);
+  if (expected.length === 0) return { warnings: [] };
+  const dbUrl = getDbUrl(input);
+  const schemas = [...new Set(expected.map((e) => e.parent.split(".")[0] ?? ""))];
+  const actual = queryActualPartitions(dbUrl, schemas);
+  const drift = detectPartitionDrift(expected, actual);
+  if (drift.missing.length === 0) {
+    logger.success(`All ${expected.length} expected partition(s) verified`);
+    return { warnings: [] };
+  }
+  const warnings = formatPartitionWarnings(drift);
+  for (const w of warnings) logger.warn(w);
+  return { warnings };
+});
+
+// src/commands/db/apply/actors/seed-actors.ts
+init_esm_shims();
+var DESTRUCTIVE_SEED_PATTERNS = [
+  { pattern: /\bDELETE\s+FROM\b/i, description: "DELETE FROM" },
+  { pattern: /\bTRUNCATE\b/i, description: "TRUNCATE" },
+  { pattern: /\bDROP\s+TABLE\b/i, description: "DROP TABLE" },
+  { pattern: /\bDROP\s+SCHEMA\b/i, description: "DROP SCHEMA" }
+];
+function detectDestructiveSeedPatterns(seedFilePath) {
+  const content = readFileSync(seedFilePath, "utf-8");
+  const detected = [];
+  for (const { pattern, description } of DESTRUCTIVE_SEED_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(content)) {
+      detected.push(description);
+    }
+  }
+  return detected;
+}
+function isUnsafeProductionSeed(input, seedFile) {
+  if (input.env !== "production") return false;
+  const destructivePatterns = detectDestructiveSeedPatterns(seedFile);
+  if (destructivePatterns.length === 0) {
+    return false;
+  }
+  logger.warn("");
+  logger.warn("\u26A0\uFE0F  DANGER: Seed file contains destructive SQL for PRODUCTION");
+  logger.warn(`   Detected: ${destructivePatterns.join(", ")}`);
+  logger.warn("   This WILL delete real user data. Aborting seed application.");
+  logger.warn("   If this is intentional, review and apply seeds manually.");
+  logger.warn("");
+  return true;
+}
+function parseSeedErrorDiagnostics(stderr) {
+  const psqlLocation = stderr.match(/psql:([^:]+):(\d+):\s*ERROR:/);
+  const locationInfo = psqlLocation ? { file: psqlLocation[1], line: Number(psqlLocation[2]) } : {};
+  const columnMissing = stderr.match(/column "([^"]+)" of relation "([^"]+)" does not exist/);
+  if (columnMissing) {
+    return {
+      ...locationInfo,
+      table: columnMissing[2],
+      errorType: "missing_column",
+      hint: `Column "${columnMissing[1]}" missing from ${columnMissing[2]}. Schema may have changed. Regenerate seeds: pnpm generate:seeds ci`
+    };
+  }
+  const relationMissing = stderr.match(/relation "([^"]+)" does not exist/);
+  if (relationMissing) {
+    return {
+      ...locationInfo,
+      table: relationMissing[1],
+      errorType: "missing_relation",
+      hint: `Table ${relationMissing[1]} does not exist. Regenerate seeds: pnpm generate:seeds ci`
+    };
+  }
+  const fkViolation = stderr.match(
+    /insert or update on table "([^"]+)" violates foreign key constraint/
+  );
+  if (fkViolation) {
+    return {
+      ...locationInfo,
+      table: fkViolation[1],
+      errorType: "fk_violation",
+      hint: `FK constraint failed on ${fkViolation[1]}. Check seed insertion order or missing parent records.`
+    };
+  }
+  const checkViolation = stderr.match(/new row for relation "([^"]+)" violates check constraint/);
+  if (checkViolation) {
+    return {
+      ...locationInfo,
+      table: checkViolation[1],
+      errorType: "check_violation",
+      hint: `CHECK constraint failed on ${checkViolation[1]}. Seed data may not match column constraints. Regenerate seeds: pnpm generate:seeds ci`
+    };
+  }
+  const uniqueViolation = stderr.match(
+    /duplicate key value violates unique constraint.*?on table "([^"]+)"/s
+  );
+  if (uniqueViolation) {
+    return {
+      ...locationInfo,
+      table: uniqueViolation[1],
+      errorType: "unique_violation",
+      hint: `Duplicate key on ${uniqueViolation[1]}. Seeds may have been partially applied. Try: runa db reset`
+    };
+  }
+  return { ...locationInfo };
+}
+function createSeedFailureMessage(diagnostics, locationSuffix) {
+  if (diagnostics.table) {
+    const summary = `Seed apply failed on table: ${diagnostics.table} (${diagnostics.errorType})${locationSuffix}`;
+    return {
+      summary,
+      hint: diagnostics.hint
+    };
+  }
+  if (locationSuffix) {
+    return { summary: `Seed apply failed${locationSuffix} (non-blocking)` };
+  }
+  return { summary: "Seed apply failed (non-blocking)" };
+}
+function logSeedFailureSummary(seedFailure) {
+  logger.warn(seedFailure.summary);
+  if (seedFailure.hint) {
+    logger.info(`  Hint: ${seedFailure.hint}`);
+  }
+}
+function buildSeedLocationSuffix(diagnostics) {
+  if (diagnostics.line == null) return "";
+  const fileSuffix = diagnostics.file ? ` of ${diagnostics.file}` : "";
+  return ` at line ${diagnostics.line}${fileSuffix}`;
+}
+function handleFailedSeed(result, verbose) {
+  const errorMsg = result.stderr ? maskDbCredentials(result.stderr) : "";
+  const diagnostics = parseSeedErrorDiagnostics(result.stderr);
+  const failure = createSeedFailureMessage(diagnostics, buildSeedLocationSuffix(diagnostics));
+  logSeedFailureSummary(failure);
+  if (errorMsg && !verbose) {
+    logger.debug(`  Error: ${errorMsg.split("\n")[0]}`);
+  }
+  return false;
+}
+function applySeedFile(dbUrl, seedFile, verbose) {
+  logger.step("Applying seeds...");
+  const result = psqlSyncFile({
+    databaseUrl: dbUrl,
+    filePath: seedFile,
+    onErrorStop: true
+  });
+  const stdout = result.stdout || "";
+  const stderr = result.stderr || "";
+  if (verbose) {
+    if (stdout) process.stdout.write(stdout);
+    if (stderr) process.stderr.write(stderr);
+  }
+  if (result.status === 0) {
+    logger.success("Seeds applied");
+    return true;
+  }
+  return handleFailedSeed(result, verbose);
+}
+function runSeeds(input, targetDir, dbUrl) {
+  if (input.noSeed) {
+    logger.info("Skipping seeds (--no-seed)");
+    return false;
+  }
+  const seedFile = join(targetDir, "supabase/seeds/ci.sql");
+  if (!existsSync(seedFile)) {
+    logger.info("No seed file found (supabase/seeds/ci.sql)");
+    return false;
+  }
+  if (isUnsafeProductionSeed(input, seedFile)) {
+    return false;
+  }
+  return applySeedFile(dbUrl, seedFile, input.verbose);
+}
+async function generateTablesManifestSafely(targetDir, dbUrl) {
+  try {
+    await generateTablesManifest(targetDir, { databaseUrl: dbUrl });
+    return void 0;
+  } catch (error) {
+    return `Failed to generate tables manifest: ${error}`;
+  }
+}
+var applySeeds = fromPromise(async ({ input: { input, targetDir } }) => {
+  const dbUrl = getDbUrl(input);
+  const seedsApplied = runSeeds(input, targetDir, dbUrl);
+  const manifestWarning = await generateTablesManifestSafely(targetDir, dbUrl);
+  return { applied: seedsApplied, warnings: manifestWarning ? [manifestWarning] : [] };
+});
+
+// src/commands/db/apply/machine.ts
+init_esm_shims();
+var e2eMeta = {
+  idle: {
+    description: "Waiting for START event to begin db apply workflow",
+    severity: "non-critical",
+    observables: {
+      log: "Starting db apply"
+    },
+    assertions: ["expect(log).toContain('Starting db apply')", "expect(state).toBe('idle')"],
+    nextStates: ["acquiringLock", "previewingIdempotent"]
+  },
+  acquiringLock: {
+    description: "Acquire advisory lock to prevent concurrent migrations",
+    severity: "blocking",
+    observables: {
+      log: "Advisory lock acquired"
+    },
+    assertions: ["expect(log).toContain('Advisory lock')"],
+    nextStates: ["capturingTargetFingerprint", "applyingIdempotentPre", "failed"]
+  },
+  capturingTargetFingerprint: {
+    description: "Capture target DB fingerprint before idempotent pre-pass mutates state",
+    severity: "non-critical",
+    observables: {
+      log: "Target fingerprint captured"
+    },
+    assertions: ["expect(log).toContain('Target fingerprint')"],
+    nextStates: ["applyingIdempotentPre"]
+  },
+  previewingIdempotent: {
+    description: "Preview idempotent schema files and risks (check mode)",
+    severity: "non-critical",
+    observables: {
+      log: "Idempotent schemas"
+    },
+    assertions: ["expect(log).toContain('Idempotent')"],
+    nextStates: ["applyingPgSchemaDiff"]
+  },
+  applyingIdempotentPre: {
+    description: "Apply idempotent schemas (1st pass: extensions, roles)",
+    severity: "blocking",
+    observables: {
+      log: "Applied idempotent schema",
+      db: "Extensions enabled, roles created"
+    },
+    assertions: [
+      "expect(log).toContain('idempotent')",
+      "expect(ctx.idempotentPreApplied).toBeGreaterThanOrEqual(0)"
+    ],
+    nextStates: ["applyingPgSchemaDiff", "failed"]
+  },
+  applyingPgSchemaDiff: {
+    description: "Run pg-schema-diff to apply schema changes",
+    severity: "blocking",
+    observables: {
+      log: "pg-schema-diff",
+      db: "Schema changes applied"
+    },
+    assertions: [
+      "expect(log).toContain('pg-schema-diff')",
+      "expect(ctx.schemaChangesApplied).toBeDefined()"
+    ],
+    nextStates: ["applyingIdempotentPost", "validatingPartitions", "done", "failed"]
+  },
+  applyingIdempotentPost: {
+    description: "Apply idempotent schemas (2nd pass: dependent tables, RLS)",
+    severity: "non-critical",
+    observables: {
+      log: "Applied idempotent schema",
+      db: "Dependent tables created, RLS applied"
+    },
+    assertions: [
+      "expect(log).toContain('idempotent')",
+      "expect(ctx.idempotentPostApplied).toBeGreaterThanOrEqual(0)"
+    ],
+    nextStates: ["validatingPartitions", "failed"]
+  },
+  validatingPartitions: {
+    description: "Validate expected partitions exist in the database",
+    severity: "non-critical",
+    observables: {
+      log: "partition"
+    },
+    assertions: ["expect(log).toContain('partition')"],
+    nextStates: ["releasingLock"]
+  },
+  releasingLock: {
+    description: "Release advisory lock after migration lifecycle completes",
+    severity: "non-critical",
+    observables: {
+      log: "Advisory lock released"
+    },
+    assertions: ["expect(log).toContain('Advisory lock')"],
+    nextStates: ["applyingSeeds"]
+  },
+  applyingSeeds: {
+    description: "Apply seed data to database",
+    severity: "non-critical",
+    observables: {
+      log: "Applying seeds",
+      db: "Seed data inserted"
+    },
+    assertions: ["expect(log).toContain('Applying seeds')"],
+    nextStates: ["done"]
+  },
+  done: {
+    description: "Database apply completed successfully",
+    severity: "final",
+    observables: {
+      log: "db apply complete",
+      exit: 0
+    },
+    assertions: ["expect(log).toContain('db apply complete')", "expect(exitCode).toBe(0)"],
+    nextStates: []
+  },
+  failed: {
+    description: "Database apply failed with error",
+    severity: "final",
+    observables: {
+      log: "db apply failed",
+      exit: 1
+    },
+    assertions: ["expect(log).toContain('db apply failed')", "expect(exitCode).toBe(1)"],
+    nextStates: []
+  }
+};
+function classifyDbApplyFailure(errorMessage) {
+  if (isTimeoutLikeMessage(errorMessage)) {
+    return {
+      code: "PHASE_TIMEOUT",
+      retryable: true
+    };
+  }
+  if (errorMessage.startsWith("artifact_retry_requires_replan:")) {
+    return {
+      code: "artifact_retry_requires_replan",
+      retryable: false
+    };
+  }
+  return {
+    code: "DB_APPLY_FAILED",
+    retryable: false
+  };
+}
+function getDurationMs(startTime, endTime) {
+  if (startTime === null || endTime === null) {
+    return void 0;
+  }
+  return endTime - startTime;
+}
+function toOptionalPositive(value) {
+  return value > 0 ? value : void 0;
+}
+function toOptionalTrue(value) {
+  return value ? true : void 0;
+}
+function toOptionalArray(value) {
+  return value.length > 0 ? value : void 0;
+}
+function buildDbApplyMetrics(context, endTime) {
+  const idempotentPreMs = getDurationMs(context.idempotentPreStartTime, context.idempotentPreEndTime) ?? 0;
+  const idempotentPostMs = getDurationMs(context.idempotentPostStartTime, context.idempotentPostEndTime) ?? 0;
+  const totalIdempotentMs = idempotentPreMs + idempotentPostMs;
+  return {
+    totalMs: endTime - context.startTime,
+    idempotentMs: toOptionalPositive(totalIdempotentMs),
+    applyMs: getDurationMs(context.pgSchemaDiffStartTime, context.pgSchemaDiffEndTime),
+    seedMs: getDurationMs(context.seedStartTime, context.seedEndTime),
+    retryAttempts: toOptionalPositive(context.retryAttempts),
+    retryWaitMs: toOptionalPositive(context.retryWaitMs)
+  };
+}
+function createMachineWarning(code, message, phase) {
+  return { code, message, phase };
+}
+function createDbApplyOutput(context, endTime) {
+  const metrics = buildDbApplyMetrics(context, endTime);
+  const totalIdempotentApplied = context.idempotentPreApplied + context.idempotentPostApplied;
+  const totalIdempotentSkipped = context.idempotentPreSkipped + context.idempotentPostSkipped;
+  const failureMetadata = context.error ? classifyDbApplyFailure(context.error) : null;
+  const phases = context.error ? [
+    {
+      id: "dbApply",
+      label: "Database apply",
+      status: failureMetadata?.retryable ? "timeout" : "failed",
+      error: {
+        code: failureMetadata?.code ?? "DB_APPLY_FAILED",
+        message: context.error,
+        retryable: failureMetadata?.retryable ?? false,
+        phase: "dbApply"
+      }
+    }
+  ] : [];
+  return {
+    success: !context.error,
+    idempotentSchemasApplied: totalIdempotentApplied,
+    idempotentSchemasSkipped: toOptionalPositive(totalIdempotentSkipped),
+    rolePasswordsSet: toOptionalPositive(context.rolePasswordsSet),
+    schemaChangesApplied: context.schemaChangesApplied,
+    hazards: context.hazards,
+    seedsApplied: context.seedsApplied,
+    error: context.error ?? void 0,
+    ssotWarning: context.ssotWarning ?? void 0,
+    dataViolations: toOptionalPositive(context.dataViolations),
+    planSql: context.planSql ?? void 0,
+    filteredPlanSql: context.filteredPlanSql ?? void 0,
+    planSummary: context.planSummary ?? void 0,
+    planner: context.planner ?? void 0,
+    checkOnly: toOptionalTrue(context.input.check === true),
+    previewProfile: context.input.check === true ? context.input.compareOnly === true ? "compare-only" : "full" : void 0,
+    partitionWarnings: toOptionalArray(context.partitionWarnings),
+    idempotentFiles: toOptionalArray(context.idempotentFiles),
+    idempotentRisks: context.idempotentRisks ?? void 0,
+    metrics,
+    outcome: {
+      command: `runa db apply ${context.input.env}${context.input.check ? " --check" : ""}`,
+      exitMode: deriveCommandExitMode(phases),
+      startedAt: new Date(context.startTime).toISOString(),
+      endedAt: new Date(endTime).toISOString(),
+      durationMs: endTime - context.startTime,
+      phases,
+      warnings: context.nonCriticalWarnings,
+      errors: phases.map((phase) => phase.error).filter((value) => value != null),
+      summary: buildCommandOutcomeSummary(phases)
+    }
+  };
+}
+var dbApplyMachine = setup({
+  types: {},
+  actions: {
+    assignPgSchemaDiffResult: assign(({ event }) => {
+      if (!("output" in event)) {
+        return {};
+      }
+      const output = event.output;
+      return {
+        schemaChangesApplied: output.applied,
+        dataViolations: output.dataViolations ?? 0,
+        hazards: output.hazards,
+        planSql: output.sql ?? null,
+        filteredPlanSql: output.filteredPlanSql ?? null,
+        planSummary: output.planSummary ?? null,
+        planner: output.planner ?? null,
+        ssotWarning: output.ssotWarning ?? null,
+        pgSchemaDiffEndTime: Date.now(),
+        retryAttempts: output.retryAttempts ?? 0,
+        retryWaitMs: output.retryWaitMs ?? 0
+      };
+    }),
+    releaseAdvisoryLockOnFailure: ({ context }) => {
+      if (context.lockAcquired) {
+        try {
+          const dbUrl = context.input.databaseUrl ? normalizeDatabaseUrlForDdl(context.input.databaseUrl) : normalizeDatabaseUrlForDdl(resolveDatabaseUrl(context.input.env));
+          releaseAdvisoryLock(dbUrl, context.input.verbose);
+        } catch {
+        }
+      }
+    }
+  },
+  actors: {
+    acquireLock,
+    releaseLock,
+    captureTargetFingerprint: fromPromise(async ({ input: { input, targetDir } }) => {
+      if (!input.plannerArtifactPath) {
+        return null;
+      }
+      const dbUrl = getDbUrl(input);
+      const includeSchemas = detectPlannerSchemas(targetDir);
+      if (includeSchemas.length === 0) {
+        return null;
+      }
+      return buildTargetFingerprint({ databaseUrl: dbUrl, includeSchemas });
+    }),
+    previewIdempotentSchemas,
+    applyIdempotentSchemas,
+    applyPgSchemaDiff,
+    validatePartitions,
+    applySeeds
+  }
+}).createMachine({
+  id: "dbApply",
+  initial: "idle",
+  context: ({ input }) => ({
+    input: input.input,
+    targetDir: input.targetDir,
+    // Advisory lock
+    lockAcquired: false,
+    // Pre-idempotent target fingerprint
+    preIdempotentTargetFingerprint: null,
+    // 2-pass idempotent
+    idempotentPreApplied: 0,
+    idempotentPreSkipped: 0,
+    idempotentPostApplied: 0,
+    idempotentPostSkipped: 0,
+    rolePasswordsSet: 0,
+    schemaChangesApplied: false,
+    dataViolations: 0,
+    hazards: [],
+    seedsApplied: false,
+    partitionWarnings: [],
+    error: null,
+    planSql: null,
+    filteredPlanSql: null,
+    planSummary: null,
+    planner: null,
+    ssotWarning: null,
+    nonCriticalWarnings: [],
+    // Idempotent preview (check mode)
+    idempotentFiles: [],
+    idempotentRisks: null,
+    // Initialize metrics
+    startTime: Date.now(),
+    idempotentPreStartTime: null,
+    idempotentPreEndTime: null,
+    pgSchemaDiffStartTime: null,
+    pgSchemaDiffEndTime: null,
+    idempotentPostStartTime: null,
+    idempotentPostEndTime: null,
+    seedStartTime: null,
+    seedEndTime: null,
+    retryAttempts: 0,
+    retryWaitMs: 0
+  }),
+  states: {
+    idle: {
+      meta: { e2e: e2eMeta.idle },
+      on: {
+        START: [
+          // Check mode: preview idempotent files then dry-run pg-schema-diff
+          {
+            guard: ({ context }) => context.input.check === true && context.input.compareOnly === true,
+            target: "applyingPgSchemaDiff"
+          },
+          {
+            guard: ({ context }) => context.input.check === true,
+            target: "previewingIdempotent"
+          },
+          // Normal mode: acquire lock first, then run full migration
+          { target: "acquiringLock" }
+        ]
+      }
+    },
+    acquiringLock: {
+      meta: { e2e: e2eMeta.acquiringLock },
+      invoke: {
+        src: "acquireLock",
+        input: ({ context }) => ({ input: context.input }),
+        onDone: {
+          target: "capturingTargetFingerprint",
+          actions: assign({ lockAcquired: true })
+        },
+        onError: {
+          target: "failed",
+          actions: assign({
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Failed to acquire advisory lock"
+          })
+        }
+      }
+    },
+    capturingTargetFingerprint: {
+      meta: { e2e: e2eMeta.capturingTargetFingerprint },
+      invoke: {
+        src: "captureTargetFingerprint",
+        input: ({ context }) => ({ input: context.input, targetDir: context.targetDir }),
+        onDone: {
+          target: "applyingIdempotentPre",
+          actions: assign({
+            preIdempotentTargetFingerprint: ({ event }) => event.output ?? null
+          })
+        },
+        onError: {
+          // Non-blocking: fingerprint capture failure should not block migration
+          target: "applyingIdempotentPre"
+        }
+      }
+    },
+    previewingIdempotent: {
+      meta: { e2e: e2eMeta.previewingIdempotent },
+      invoke: {
+        src: "previewIdempotentSchemas",
+        input: ({ context }) => ({ input: context.input, targetDir: context.targetDir }),
+        onDone: {
+          target: "applyingPgSchemaDiff",
+          actions: assign({
+            idempotentFiles: ({ event }) => event.output.files,
+            idempotentRisks: ({ event }) => event.output.riskSummary
+          })
+        },
+        onError: {
+          // Non-blocking: continue to pg-schema-diff even if preview fails
+          target: "applyingPgSchemaDiff"
+        }
+      }
+    },
+    applyingIdempotentPre: {
+      meta: { e2e: e2eMeta.applyingIdempotentPre },
+      entry: assign({ idempotentPreStartTime: () => Date.now() }),
+      invoke: {
+        src: "applyIdempotentSchemas",
+        input: ({ context }) => ({
+          input: context.input,
+          targetDir: context.targetDir,
+          pass: "pre"
+        }),
+        onDone: {
+          target: "applyingPgSchemaDiff",
+          actions: assign({
+            idempotentPreApplied: ({ event }) => event.output.filesApplied,
+            idempotentPreSkipped: ({ event }) => event.output.filesSkipped,
+            rolePasswordsSet: ({ event }) => event.output.rolePasswordsSet,
+            idempotentPreEndTime: () => Date.now()
+          })
+        },
+        onError: {
+          target: "failed",
+          actions: assign({
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Idempotent schemas (pre) failed",
+            idempotentPreEndTime: () => Date.now()
+          })
+        }
+      }
+    },
+    applyingPgSchemaDiff: {
+      meta: { e2e: e2eMeta.applyingPgSchemaDiff },
+      entry: assign({ pgSchemaDiffStartTime: () => Date.now() }),
+      invoke: {
+        src: "applyPgSchemaDiff",
+        input: ({ context }) => ({
+          input: context.input,
+          targetDir: context.targetDir,
+          preIdempotentTargetFingerprint: context.preIdempotentTargetFingerprint
+        }),
+        onDone: [
+          // In check mode, skip 2nd pass idempotent and seeds, go directly to done
+          {
+            guard: ({ context }) => context.input.check === true,
+            target: "done",
+            actions: "assignPgSchemaDiffResult"
+          },
+          // Normal mode: always run 2nd pass to apply post-declarative grants/revokes.
+          // DO-block guards (RAISE NOTICE + RETURN) allow 1st-pass files to succeed
+          // without applying REVOKEs, so we cannot rely on idempotentPreSkipped to
+          // decide whether the 2nd pass is needed.
+          {
+            target: "applyingIdempotentPost",
+            actions: "assignPgSchemaDiffResult"
+          }
+        ],
+        onError: {
+          target: "failed",
+          actions: assign({
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "pg-schema-diff failed",
+            pgSchemaDiffEndTime: () => Date.now()
+          })
+        }
+      }
+    },
+    applyingIdempotentPost: {
+      meta: { e2e: e2eMeta.applyingIdempotentPost },
+      entry: assign({ idempotentPostStartTime: () => Date.now() }),
+      invoke: {
+        src: "applyIdempotentSchemas",
+        input: ({ context }) => ({
+          input: context.input,
+          targetDir: context.targetDir,
+          pass: "post"
+        }),
+        onDone: {
+          target: "validatingPartitions",
+          actions: assign({
+            idempotentPostApplied: ({ event }) => event.output.filesApplied,
+            idempotentPostSkipped: ({ event }) => event.output.filesSkipped,
+            idempotentPostEndTime: () => Date.now()
+          })
+        },
+        onError: {
+          target: "failed",
+          actions: assign({
+            error: ({ event }) => event.error instanceof Error ? event.error.message : "Idempotent schemas (post) failed",
+            idempotentPostEndTime: () => Date.now()
+          })
+        }
+      }
+    },
+    validatingPartitions: {
+      meta: { e2e: e2eMeta.validatingPartitions },
+      invoke: {
+        src: "validatePartitions",
+        input: ({ context }) => ({ input: context.input, targetDir: context.targetDir }),
+        onDone: {
+          target: "releasingLock",
+          actions: assign({
+            partitionWarnings: ({ event }) => event.output.warnings
+          })
+        },
+        onError: {
+          // Non-blocking: skip on error, continue to lock release
+          target: "releasingLock",
+          actions: assign({
+            partitionWarnings: ({ context, event }) => [
+              ...context.partitionWarnings,
+              `Partition validation failed: ${event.error instanceof Error ? event.error.message : "Unknown error"}`
+            ]
+          })
+        }
+      }
+    },
+    releasingLock: {
+      meta: { e2e: e2eMeta.releasingLock },
+      invoke: {
+        src: "releaseLock",
+        input: ({ context }) => ({ input: context.input }),
+        onDone: {
+          target: "applyingSeeds",
+          actions: assign({ lockAcquired: false })
+        },
+        onError: {
+          // Non-blocking: continue to seeds even if lock release fails
+          target: "applyingSeeds",
+          actions: assign({ lockAcquired: false })
+        }
+      }
+    },
+    applyingSeeds: {
+      meta: { e2e: e2eMeta.applyingSeeds },
+      entry: assign({ seedStartTime: () => Date.now() }),
+      invoke: {
+        src: "applySeeds",
+        input: ({ context }) => ({ input: context.input, targetDir: context.targetDir }),
+        onDone: {
+          target: "done",
+          actions: assign({
+            seedsApplied: ({ event }) => event.output.applied,
+            nonCriticalWarnings: ({ context, event }) => [
+              ...context.nonCriticalWarnings,
+              ...event.output.warnings.map(
+                (warning) => createMachineWarning("TABLES_MANIFEST_WARNING", warning, "applyingSeeds")
+              )
+            ],
+            seedEndTime: () => Date.now()
+          })
+        },
+        onError: {
+          // Seeds are non-blocking - continue to done
+          target: "done",
+          actions: assign({
+            seedsApplied: false,
+            seedEndTime: () => Date.now()
+          })
+        }
+      }
+    },
+    done: {
+      meta: { e2e: e2eMeta.done },
+      type: "final"
+    },
+    failed: {
+      meta: { e2e: e2eMeta.failed },
+      type: "final",
+      entry: "releaseAdvisoryLockOnFailure"
+    }
+  },
+  output: ({ context }) => createDbApplyOutput(context, Date.now())
+});
+function getDbApplyStateName(snapshot) {
+  return snapshot.value;
+}
+function isDbApplyComplete(snapshot) {
+  return snapshot.status === "done";
+}
+
+// src/commands/db/commands/db-apply-error.ts
+init_esm_shims();
+
+// src/commands/db/commands/db-sync/error-classifier.ts
+init_esm_shims();
+
+// src/utils/type-guards.ts
+init_esm_shims();
+function isExecaError(error) {
+  return error instanceof Error && ("stdout" in error || "stderr" in error || "exitCode" in error);
+}
+
+// src/commands/db/commands/db-sync/error-classifier.ts
+var DNS_RESOLUTION_PATTERNS = [
+  "could not translate host name",
+  "could not resolve host",
+  "name or service not known",
+  "nodename nor servname provided",
+  "temporary failure in name resolution"
+];
+var CONNECTION_PATTERNS = [
+  "econnrefused",
+  "connection refused",
+  "could not connect to server",
+  "connection timed out",
+  "timeout expired",
+  "no pg_hba.conf entry",
+  "the database system is starting up",
+  "the database system is shutting down"
+];
+var FALLBACK_SUGGESTIONS = [
+  "Check database connectivity",
+  "Verify psql is installed and accessible",
+  "Ensure packages/database exists"
+];
+function getEnvironmentLabel(environment) {
+  switch (environment) {
+    case "production":
+      return "production";
+    case "main":
+      return "main";
+    case "preview":
+      return "preview";
+    case "local":
+      return "local";
+  }
+}
+function buildCombinedMessage(error) {
+  if (isExecaError(error)) {
+    return [error.message, error.stderr, error.stdout].filter(Boolean).join("\n");
+  }
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+function findRelevantLine(message, patterns) {
+  const lines = message.split("\n").map((line) => line.trim()).filter((line) => line.length > 0);
+  const matched = lines.find((line) => {
+    const lower = line.toLowerCase();
+    return patterns.some((pattern) => lower.includes(pattern));
+  });
+  return matched ?? null;
+}
+function classifyDbSyncCommandFailure(error, environment) {
+  const message = buildCombinedMessage(error);
+  const messageLower = message.toLowerCase();
+  const environmentLabel = getEnvironmentLabel(environment);
+  if (DNS_RESOLUTION_PATTERNS.some((pattern) => messageLower.includes(pattern))) {
+    const detail = findRelevantLine(message, DNS_RESOLUTION_PATTERNS);
+    return {
+      code: "DB_HOST_RESOLUTION_FAILED",
+      message: detail ? `Could not resolve the ${environmentLabel} database host: ${detail}` : `Could not resolve the ${environmentLabel} database host`,
+      suggestions: [
+        "Verify the database host in DATABASE_URL / DATABASE_URL_ADMIN",
+        "Check DNS resolution and outbound network access to the database host",
+        "Re-run from an environment that can reach the target database"
+      ]
+    };
+  }
+  if (CONNECTION_PATTERNS.some((pattern) => messageLower.includes(pattern))) {
+    const detail = findRelevantLine(message, CONNECTION_PATTERNS);
+    return {
+      code: "DB_CONNECTION_FAILED",
+      message: detail ? `Could not connect to the ${environmentLabel} database: ${detail}` : `Could not connect to the ${environmentLabel} database`,
+      suggestions: [
+        "Verify the database is reachable from this environment",
+        "Check DATABASE_URL / DATABASE_URL_ADMIN credentials and firewall settings",
+        "Retry after confirming the target database is accepting connections"
+      ]
+    };
+  }
+  return null;
+}
+function getDbSyncFallbackSuggestions() {
+  return [...FALLBACK_SUGGESTIONS];
+}
+
+// src/commands/db/commands/db-apply-error.ts
+var DEFAULT_DB_APPLY_SUGGESTIONS = [
+  "Check the error message above",
+  "Verify DATABASE_URL / DATABASE_URL_ADMIN is correct",
+  "Check pg-schema-diff output for details"
+];
+function buildDbApplySuggestions(environment, suggestions, options) {
+  const merged = [...suggestions];
+  if (environment !== "local") {
+    merged.push(
+      "db apply prefers DATABASE_URL_ADMIN for DDL; verify that admin host resolves and targets the intended database"
+    );
+  }
+  if (environment !== "local" && options.previewProfile === "full") {
+    merged.push(
+      "Full preview may need a writable pg-schema-diff temp DB. Set `PG_SCHEMA_DIFF_TEMP_DB_DSN` to a Postgres instance you can bootstrap (CI: postgres service container, local: local Supabase)."
+    );
+  }
+  if (options.fromPlan) {
+    merged.push(`Re-run \`runa db plan ${environment}\` to generate a fresh checked plan artifact`);
+  }
+  return [...new Set(merged)];
+}
+function buildDbApplyCliError(errorMessage, environment, options = {}) {
+  const cause = new Error(errorMessage);
+  const classified = classifyDbSyncCommandFailure(cause, environment);
+  if (classified) {
+    return new CLIError(
+      classified.message,
+      classified.code,
+      buildDbApplySuggestions(environment, classified.suggestions, options),
+      cause
+    );
+  }
+  return new CLIError(
+    errorMessage,
+    "DB_APPLY_FAILED",
+    buildDbApplySuggestions(environment, DEFAULT_DB_APPLY_SUGGESTIONS, options),
+    cause
+  );
+}
+
+// src/commands/db/commands/db-preview-profile.ts
+init_esm_shims();
+var DEFAULT_DB_PREVIEW_PROFILE = "compare-only";
+var DbPreviewEnvironmentSchema = z.enum(["local", "preview", "production"]);
+var LEGACY_DB_APPLY_CHECK_REMOVAL_TARGET = "the next major CLI release";
+function parseDbPreviewProfile(value) {
+  return DbPreviewProfileSchema.parse(value);
+}
+function resolveDbPreviewEnvironment(value) {
+  const parsed = DbPreviewEnvironmentSchema.safeParse(value.trim());
+  return parsed.success ? parsed.data : null;
+}
+function resolveDbPreviewProfile(params) {
+  if (params.check !== true) {
+    return null;
+  }
+  return params.compareOnly === true ? "compare-only" : "full";
+}
+function isCompareOnlyPreviewProfile(profile) {
+  return profile === "compare-only";
+}
+function getDbPreviewModeLabel(profile) {
+  return profile === "compare-only" ? "compare-only preview (read-only)" : "full preview (read-only)";
+}
+function buildDbPreviewCommandLabel(env, profile) {
+  return `runa db preview ${env} --profile ${profile}`;
+}
+function buildDbPlanCommandLabel(env) {
+  return `runa db plan ${env}`;
+}
+function getDbPreviewIdempotentSchemaCount(result) {
+  return result.idempotentFiles?.length ?? result.idempotentSchemasApplied;
+}
+function buildLegacyDbApplyCheckWarning(profile) {
+  return `\`runa db apply --check\` is deprecated for preview workflows. Use \`runa db preview <env> --profile ${profile}\` instead. Legacy check flags will remain supported until ${LEGACY_DB_APPLY_CHECK_REMOVAL_TARGET}.`;
+}
+
+// src/commands/db/commands/db-apply.ts
+function isCliErrorLike(error) {
+  if (!(error instanceof Error)) {
+    return false;
+  }
+  const candidate = error;
+  return typeof candidate.code === "string" && Array.isArray(candidate.suggestions);
+}
+var PHASE_LABELS = {
+  acquiringLock: "Acquire advisory lock",
+  previewingIdempotent: "Preview idempotent schemas",
+  applyingIdempotentPre: "Apply idempotent schemas (pre-pass)",
+  applyingPgSchemaDiff: "Apply pg-schema-diff",
+  applyingIdempotentPost: "Apply idempotent schemas (post-pass)",
+  validatingPartitions: "Validate partitions",
+  releasingLock: "Release advisory lock",
+  applyingSeeds: "Apply seeds"
+};
+function isTrackedPhase(state) {
+  return state in PHASE_LABELS;
+}
+function finalizeTrackedPhase(phases, current, status, options = {}) {
+  if (!current) return;
+  phases.push({
+    id: current.id,
+    label: current.label,
+    status,
+    startedAt: new Date(current.startedAtMs).toISOString(),
+    endedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    durationMs: Math.max(0, Date.now() - current.startedAtMs),
+    warningCount: options.warnings?.length,
+    error: options.error,
+    warnings: options.warnings && options.warnings.length > 0 ? options.warnings : void 0
+  });
+}
+function buildDbApplyOutcome(params) {
+  const warnings = [...params.result.outcome.warnings];
+  const phases = [...params.phases];
+  if (params.result.partitionWarnings && params.result.partitionWarnings.length > 0) {
+    const warningList = params.result.partitionWarnings.map(
+      (warning) => createMachineWarning("PARTITION_WARNING", warning, "validatingPartitions")
+    );
+    warnings.push(...warningList);
+    const target = phases.find((phase) => phase.id === "validatingPartitions");
+    if (target) {
+      target.status = "warning";
+      target.warningCount = warningList.length;
+      target.warnings = warningList;
+    }
+  }
+  const seedPhase = phases.find((phase) => phase.id === "applyingSeeds");
+  if (seedPhase) {
+    if (params.result.checkOnly || params.noSeed) {
+      seedPhase.status = "skipped";
+    } else if (!params.result.seedsApplied) {
+      const seedWarning = createMachineWarning(
+        "SEED_APPLY_WARNING",
+        "Seed apply failed in non-blocking mode",
+        "applyingSeeds"
+      );
+      warnings.push(seedWarning);
+      seedPhase.status = "warning";
+      seedPhase.warningCount = (seedPhase.warningCount ?? 0) + 1;
+      seedPhase.warnings = [...seedPhase.warnings ?? [], seedWarning];
+    }
+  }
+  for (const warning of params.result.outcome.warnings) {
+    const target = phases.find((phase) => phase.id === warning.phase);
+    if (!target) {
+      continue;
+    }
+    if (target.status === "passed") {
+      target.status = "warning";
+    }
+    target.warningCount = (target.warningCount ?? 0) + 1;
+    target.warnings = [...target.warnings ?? [], warning];
+  }
+  const errors = phases.map((phase) => phase.error).filter((value) => value != null);
+  return {
+    command: params.command,
+    exitMode: deriveCommandExitMode(phases),
+    startedAt: new Date(params.startedAtMs).toISOString(),
+    endedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    durationMs: Math.max(0, Date.now() - params.startedAtMs),
+    phases,
+    warnings,
+    errors,
+    summary: buildCommandOutcomeSummary(phases)
+  };
+}
+function resolveNoSeed(env, seedFlag) {
+  if (seedFlag === true) return false;
+  if (seedFlag === false) return true;
+  return env === "production";
+}
+function logStateChange(logger2, snapshot) {
+  const state = getDbApplyStateName(snapshot);
+  switch (state) {
+    case "idle":
+      logger2.info("Starting db apply...");
+      break;
+    case "applyingIdempotentPre":
+      logger2.step("Applying idempotent schemas (extensions, cleanup, pre-pass)", 1);
+      break;
+    case "applyingIdempotentPost":
+      logger2.step("Applying idempotent schemas (dependencies, post-pass)", 3);
+      break;
+    case "applyingPgSchemaDiff":
+      logger2.step(
+        "Running pg-schema-diff (current DB \u2192 desired state)",
+        snapshot.context.input.check ? 1 : 2
+      );
+      break;
+    case "applyingSeeds":
+      logger2.step("Applying seeds", snapshot.context.input.check ? 2 : 3);
+      break;
+  }
+}
+function describeSeedStatus(env, _noSeed, seedFlag) {
+  if (env === "production") {
+    if (seedFlag === true) return "enabled (--seed)";
+    if (seedFlag === false) return "disabled (--no-seed)";
+    return "disabled (production default)";
+  }
+  if (seedFlag === false) return "disabled (--no-seed)";
+  return "enabled";
+}
+function getDbApplyCommandLabel(env, previewProfile, fromPlan) {
+  if (fromPlan) {
+    return `runa db apply ${env} --from-plan ${fromPlan}`;
+  }
+  if (!previewProfile) {
+    return `runa db apply ${env}`;
+  }
+  return previewProfile === "compare-only" ? `runa db apply ${env} --check --compare-only` : `runa db apply ${env} --check`;
+}
+async function runDbApply(env, options) {
+  const logger2 = createCLILogger("db:apply");
+  const resolvedEnv = env === "preview" ? "preview" : env === "production" ? "production" : "local";
+  loadEnvFiles({ runaEnv: resolvedEnv, silent: true });
+  const noSeed = resolveNoSeed(resolvedEnv, options.seed);
+  const previewProfile = resolveDbPreviewProfile(options);
+  const compareOnly = previewProfile === "compare-only";
+  const fromPlan = options.fromPlan;
+  if (fromPlan && options.check) {
+    throw new CLIError(
+      "`--from-plan` can only be used in apply mode",
+      "DB_APPLY_FROM_PLAN_REQUIRES_APPLY_MODE",
+      [
+        "Remove `--check` when reusing a checked plan artifact",
+        `Use \`runa db plan ${resolvedEnv}\` to generate a fresh checked plan artifact`
+      ]
+    );
+  }
+  if (resolvedEnv === "production" && !noSeed) {
+    logger2.warn("");
+    logger2.warn("\u26A0\uFE0F  WARNING: Seeds will be applied to PRODUCTION database");
+    logger2.warn("   Seeds may contain DELETE/TRUNCATE statements that destroy real data.");
+    logger2.warn("   Only use --seed with production if you are absolutely certain.");
+    logger2.warn("");
+  }
+  const input = {
+    env: resolvedEnv,
+    verbose: options.verbose ?? false,
+    noSeed,
+    autoApprove: options.autoApprove ?? false,
+    allowDataLoss: options.allowDataLoss ?? false,
+    confirmAuthzUpdate: options.confirmAuthzUpdate ?? false,
+    check: options.check ?? false,
+    strict: options.strict ?? false,
+    skipDataCheck: options.skipDataCheck ?? false,
+    compareOnly,
+    databaseUrl: options.databaseUrl,
+    maxLockWaitMs: options.maxLockWaitMs ?? 3e4,
+    freshDbCheckSql: options.freshDbCheckSql,
+    plannerArtifactPath: fromPlan,
+    plannerArtifactRequired: Boolean(fromPlan)
+  };
+  const result = await new Promise((resolve, reject) => {
+    const startedAtMs = Date.now();
+    const actor = createActor(dbApplyMachine, {
+      input: { input, targetDir: process.cwd() }
+    });
+    let previousState = "";
+    let activePhase = null;
+    const completedPhases = [];
+    actor.subscribe((snapshot) => {
+      const currentState = getDbApplyStateName(snapshot);
+      if (currentState !== previousState) {
+        if (activePhase && currentState !== "done" && currentState !== "failed") {
+          finalizeTrackedPhase(completedPhases, activePhase, "passed");
+          activePhase = null;
+        }
+        if (isTrackedPhase(currentState)) {
+          activePhase = {
+            id: currentState,
+            label: PHASE_LABELS[currentState],
+            startedAtMs: Date.now()
+          };
+        }
+        logStateChange(logger2, snapshot);
+        previousState = currentState;
+      }
+      if (isDbApplyComplete(snapshot)) {
+        const output = snapshot.output;
+        if (output) {
+          if (activePhase) {
+            const failureMetadata = output.error ? classifyDbApplyFailure(output.error) : null;
+            finalizeTrackedPhase(
+              completedPhases,
+              activePhase,
+              output.error ? failureMetadata?.retryable ? "timeout" : "failed" : "passed",
+              output.error ? {
+                error: {
+                  code: failureMetadata?.code ?? "DB_APPLY_FAILED",
+                  message: output.error,
+                  retryable: failureMetadata?.retryable ?? false,
+                  phase: activePhase.id
+                }
+              } : {}
+            );
+            activePhase = null;
+          }
+          resolve({
+            ...output,
+            previewProfile: output.previewProfile ?? previewProfile ?? void 0,
+            outcome: buildDbApplyOutcome({
+              command: options.commandLabel ?? getDbApplyCommandLabel(resolvedEnv, previewProfile, fromPlan),
+              startedAtMs,
+              phases: completedPhases,
+              result: output,
+              noSeed
+            })
+          });
+        }
+        actor.stop();
+      }
+    });
+    actor.subscribe({
+      error: (error) => {
+        reject(error);
+        actor.stop();
+      }
+    });
+    actor.start();
+    actor.send({ type: "START" });
+  });
+  if (!result.error && options.persistPlanArtifact === true) {
+    try {
+      result.planner = persistDbPlanArtifact({
+        repoRoot: process.cwd(),
+        input,
+        output: result
+      });
+    } catch (error) {
+      logger2.warn(
+        `Planner artifact was not persisted: ${error instanceof Error ? error.message : "unknown error"}`
+      );
+    }
+  }
+  return result;
+}
+function printCheckSummary(logger2, result) {
+  logger2.success("db apply check complete!");
+  logger2.info("\n\u{1F4CA} Check Summary (Dry-Run):");
+  logger2.info(`  Result: ${result.outcome.exitMode}`);
+  if (result.previewProfile) {
+    logger2.info(`  \u2713 Preview profile: ${result.previewProfile}`);
+  }
+  logger2.info(`  \u2713 Idempotent schemas: ${getDbPreviewIdempotentSchemaCount(result)} files`);
+  logger2.info(`  \u2713 Schema changes: ${result.planSql ? "detected" : "none"}`);
+  if (result.planSummary) {
+    logger2.info(
+      `  \u2713 Plan summary: ${result.planSummary.rawStatements} raw / ${result.planSummary.effectiveStatements} structural / ${result.planSummary.noiseStatements} collapsed noise`
+    );
+  }
+  if (result.hazards.length > 0) logger2.info(`  \u26A0 Hazards: ${result.hazards.join(", ")}`);
+  logger2.info("  \u2139 No changes were applied (check mode)");
+}
+function buildMetricsString(metrics) {
+  const parts = [];
+  if (metrics.idempotentMs) parts.push(`idempotent=${formatDuration(metrics.idempotentMs)}`);
+  if (metrics.applyMs) parts.push(`apply=${formatDuration(metrics.applyMs)}`);
+  if (metrics.seedMs) parts.push(`seed=${formatDuration(metrics.seedMs)}`);
+  if (metrics.retryAttempts) parts.push(`retries=${metrics.retryAttempts}`);
+  return `  \u23F1 Total: ${formatDuration(metrics.totalMs)} (${parts.join(", ")})`;
+}
+function printApplySummary(logger2, result) {
+  logger2.success("db apply complete!");
+  logger2.info("\n\u{1F4CA} Summary (SQL-First Architecture):");
+  logger2.info(`  Result: ${result.outcome.exitMode}`);
+  logger2.info(`  \u2713 Idempotent schemas: ${result.idempotentSchemasApplied} files`);
+  if (result.rolePasswordsSet && result.rolePasswordsSet > 0) {
+    logger2.info(`  \u2713 RBAC role passwords: ${result.rolePasswordsSet} set`);
+  }
+  logger2.info(`  \u2713 Schema changes: ${result.schemaChangesApplied ? "applied" : "no changes"}`);
+  if (result.hazards.length > 0) logger2.info(`  \u26A0 Hazards: ${result.hazards.join(", ")}`);
+  logger2.info(`  \u2713 Seeds: ${result.seedsApplied ? "applied" : "skipped"}`);
+  if (result.outcome.summary.warnings > 0) {
+    logger2.info(`  \u26A0 Warnings: ${result.outcome.summary.warnings}`);
+  }
+  if (result.metrics) logger2.info(buildMetricsString(result.metrics));
+  if (result.outcome.warnings.length > 0) {
+    logger2.warn("\nNon-critical warnings:");
+    for (const warning of result.outcome.warnings) {
+      logger2.info(`  \u2022 [${warning.phase}] ${warning.message}`);
+    }
+  }
+}
+function printSummary(logger2, result) {
+  if (result.error) {
+    logger2.error(`db apply failed: ${result.error}`);
+    logger2.info(`  Result: ${result.outcome.exitMode}`);
+    const failedPhase = result.outcome.phases.find(
+      (phase) => phase.status === "failed" || phase.status === "timeout"
+    );
+    if (failedPhase) {
+      logger2.info(`  Failed phase: ${failedPhase.id}`);
+    }
+    return;
+  }
+  if (result.checkOnly) {
+    printCheckSummary(logger2, result);
+  } else {
+    printApplySummary(logger2, result);
+  }
+}
+var applyCommand = new Command("apply").description("Apply schema changes to any DB using pg-schema-diff (SQL-First Architecture)").argument("[env]", "Environment: local, preview, or production", "preview").option("--verbose", "Show detailed output").option("--seed", "Explicitly enable seed application (required for production)").option("--no-seed", "Skip seed application").option("--auto-approve", "Auto-approve hazards (CI mode)").option("--allow-data-loss", "Allow DELETES_DATA hazard in production (DANGEROUS)").option("--confirm-authz-update", "Confirm RLS policy changes in production").option("--check", "Check mode: show what would be applied without making changes (dry-run)").option(
+  "--compare-only",
+  "Lightweight compare-only dry-run: skip idempotent preview and data validation"
+).option(
+  "--strict",
+  "Treat declarative closure warnings as blockers when they are not reviewed in boundary policy"
+).option("--skip-data-check", "Skip pre-apply data compatibility validation").option("--database-url <url>", "Override DATABASE_URL").option("--from-plan <path>", "Reuse a checked plan artifact generated by `runa db plan`").option(
+  "--max-lock-wait-ms <ms>",
+  "Maximum time to wait for lock acquisition (default: 30000)",
+  (value) => Number.parseInt(value, 10)
+).option("--fresh-db-check-sql <sql>", "Custom SQL to check if DB is fresh").action(async (env, options) => {
+  const logger2 = createCLILogger("db:apply");
+  const resolvedEnv = env === "preview" ? "preview" : env === "production" ? "production" : "local";
+  loadEnvFiles({ runaEnv: resolvedEnv, silent: true });
+  try {
+    const noSeed = resolveNoSeed(env, options.seed);
+    const previewProfile = resolveDbPreviewProfile(options);
+    const connectionSource = options.databaseUrl ? "--database-url" : resolveDatabaseTarget(resolvedEnv).source;
+    logger2.section(
+      options.check ? "Database Apply Check (Dry-Run)" : "Database Apply (SQL-First Architecture)"
+    );
+    logger2.info(`Environment: ${env}`);
+    logger2.info(`Mode: ${previewProfile ? getDbPreviewModeLabel(previewProfile) : "apply"}`);
+    logger2.info(`Strict: ${options.strict ? "enabled" : "disabled"}`);
+    logger2.info(`Seeds: ${describeSeedStatus(env, noSeed, options.seed)}`);
+    logger2.info(`Auto-approve: ${options.autoApprove ? "enabled" : "disabled"}`);
+    logger2.info(`Connection source: ${connectionSource}`);
+    if (options.fromPlan) {
+      logger2.info(`Plan artifact: ${options.fromPlan}`);
+    }
+    if (previewProfile && process.env.RUNA_OUTPUT_FORMAT !== "json") {
+      logger2.warn(buildLegacyDbApplyCheckWarning(previewProfile));
+    }
+    const result = await runDbApply(env, options);
+    printSummary(logger2, result);
+    emitJsonSuccess(applyCommand, DbApplyOutputSchema, result);
+    if (result.error) {
+      throw buildDbApplyCliError(result.error, resolvedEnv, {
+        previewProfile,
+        fromPlan: Boolean(options.fromPlan)
+      });
+    }
+  } catch (error) {
+    if (error instanceof CLIError || isCliErrorLike(error)) {
+      throw error;
+    }
+    throw new CLIError(
+      "db apply failed with unknown error",
+      "DB_APPLY_UNKNOWN_ERROR",
+      ["Check the error output above", "Verify database connection"],
+      error instanceof Error ? error : void 0
+    );
+  }
+});
+
+export { DEFAULT_DB_PREVIEW_PROFILE, applyCommand, assertBoundaryPolicyQualityGate, assertBoundaryPolicyUsable, assessPlanSize, buildDbApplyCliError, buildDbPlanCommandLabel, buildDbPreviewCommandLabel, buildDeclarativeDependencyWarningFailureLines, classifyDbSyncCommandFailure, findDeclarativeRiskAllowlistMatch, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, formatPlanSizeSummary, getBoundaryPolicy, getDbPreviewIdempotentSchemaCount, getDbPreviewModeLabel, getDbSyncFallbackSuggestions, isCompareOnlyPreviewProfile, isExecaError, logDeclarativeDependencyWarnings, parseDbPreviewProfile, resolveDbPreviewEnvironment, resolveProductionApplyStrictMode, reviewDeclarativeDependencyWarnings, runDbApply };