@runa-ai/runa-cli 0.5.28 → 0.5.31

package/dist/commands/ci/commands/ci-prod-apply.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ci-prod-apply.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/commands/ci-prod-apply.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAsRpC,eAAO,MAAM,kBAAkB,SA0G3B,CAAC"}
+{"version":3,"file":"ci-prod-apply.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/commands/ci-prod-apply.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAmUpC,eAAO,MAAM,kBAAkB,SA0G3B,CAAC"}

package/dist/commands/ci/commands/ci-prod-db-operations.d.ts

@@ -3,6 +3,10 @@
  *
  * Purpose: Schema operations, snapshots, risks, audit
  * Used by: ci-prod-apply.ts
+ *
+ * Security (Issue #458):
+ * - Uses getFilteredEnv() instead of ...process.env to prevent secret leakage
+ * - Database URLs passed as required secrets only to commands that need them
  */
 export declare function detectStack(repoRoot: string, tmpDir: string, productionDbUrlAdmin: string): Promise<string>;
 /**

package/dist/commands/ci/commands/ci-prod-db-operations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ci-prod-db-operations.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/commands/ci-prod-db-operations.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,kEAAkE;IAClE,mBAAmB,EAAE,OAAO,CAAC;IAC7B,uCAAuC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,mCAAmC;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,GACtB,sBAAsB,CA8ExB;AAED,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA8DpF;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqCjF;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,EAC5B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAaf;AAED,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,IAAI,CAAC,CAaf;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,8CAA8C;IAC9C,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,qDAAqD;IACrD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,gCAAgC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,oCAAoC;IACpC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oCAAoC;IACpC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,uEAAuE;IACvE,aAAa,EAAE,MAAM,CAAC;IACtB,2BAA2B;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,mCAAmC;IACnC,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAqED,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,EAC5B,eAAe,EAAE,MAAM,EACvB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CAmE5B;AAED,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,EAC5B,MAAM,EAAE;IACN,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,GACA,OAAO,CAAC,IAAI,CAAC,CAsEf;AAED,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;IACN,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB,GACA,OAAO,CAAC,IAAI,CAAC,CA2Bf"}
+{"version":3,"file":"ci-prod-db-operations.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/commands/ci-prod-db-operations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAUH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,MAAM,CAAC,CAejB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,kEAAkE;IAClE,mBAAmB,EAAE,OAAO,CAAC;IAC7B,uCAAuC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,mCAAmC;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,GACtB,sBAAsB,CAmFxB;AAED,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAgEpF;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAuCjF;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,EAC5B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAcf;AAED,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,IAAI,CAAC,CAcf;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,8CAA8C;IAC9C,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,qDAAqD;IACrD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,gCAAgC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,oCAAoC;IACpC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oCAAoC;IACpC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,uEAAuE;IACvE,aAAa,EAAE,MAAM,CAAC;IACtB,2BAA2B;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,mCAAmC;IACnC,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAqED,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,EAC5B,eAAe,EAAE,MAAM,EACvB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CAoE5B;AAED,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,MAAM,EAC5B,MAAM,EAAE;IACN,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,GACA,OAAO,CAAC,IAAI,CAAC,CA0Ef;AAED,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;IACN,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB,GACA,OAAO,CAAC,IAAI,CAAC,CA4Bf"}

package/dist/commands/ci/utils/env-security.d.ts

@@ -0,0 +1,58 @@
+/**
+ * AI HINT: Environment Variable Security Utilities
+ *
+ * Purpose: Protect sensitive environment variables in CI contexts
+ * Security (Issue #458):
+ * - Filter sensitive env vars before passing to child processes
+ * - Redact secrets from debug logs
+ * - Centralized secret pattern definitions
+ *
+ * Usage:
+ * - Use `getSafeEnv()` instead of `...process.env` for child processes
+ * - Use `redactSecrets()` before logging any strings that may contain secrets
+ */
+/**
+ * Check if an environment variable name is sensitive.
+ */
+export declare function isSensitiveEnvVar(name: string): boolean;
+/**
+ * Get a filtered environment object safe for child processes.
+ * Only includes whitelisted variables.
+ *
+ * @param additionalSafe - Additional variable names to include
+ * @param requiredSecrets - Secret names explicitly required (will be included but logged)
+ */
+export declare function getSafeEnv(additionalSafe?: string[], requiredSecrets?: string[]): NodeJS.ProcessEnv;
+/**
+ * Get environment with all variables EXCEPT sensitive ones.
+ * Use this when you need most env vars but want to exclude secrets.
+ *
+ * CAUTION: This is less secure than getSafeEnv() but may be needed
+ * for compatibility with tools that require specific env vars.
+ */
+export declare function getFilteredEnv(): NodeJS.ProcessEnv;
+/**
+ * Redact sensitive values from a string for safe logging.
+ *
+ * @param input - The string to redact
+ * @returns The string with sensitive values replaced
+ */
+export declare function redactSecrets(input: string): string;
+/**
+ * Create a safe debug logger that redacts secrets.
+ * Only logs when RUNA_DEBUG is set.
+ *
+ * @param prefix - Prefix for log messages
+ */
+export declare function createSafeDebugLogger(prefix: string): (message: string, data?: unknown) => void;
+/**
+ * Mask a value in GitHub Actions logs.
+ * The value will be replaced with *** in all subsequent logs.
+ */
+export declare function maskInGitHub(value: string | undefined): void;
+/**
+ * Mask all sensitive environment variables in GitHub Actions.
+ * Call this early in CI execution.
+ */
+export declare function maskSensitiveEnvVars(): void;
+//# sourceMappingURL=env-security.d.ts.map

package/dist/commands/ci/utils/env-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-security.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/env-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAmHH;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CACxB,cAAc,GAAE,MAAM,EAAO,EAC7B,eAAe,GAAE,MAAM,EAAO,GAC7B,MAAM,CAAC,UAAU,CAmBnB;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAAC,UAAU,CAUlD;AAqDD;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAYnD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAmB/F;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAI5D;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAQ3C"}

package/dist/commands/ci/utils/execa-helpers.d.ts

@@ -1,5 +1,9 @@
 /**
  * AI HINT: Execa helpers for CI orchestration
+ *
+ * Security (Issue #458):
+ * - Uses redactSecrets for comprehensive secret redaction in logs
+ * - Uses shell: false for all execa calls (defense in depth)
  */
 import { type ResultPromise } from 'execa';
 export declare function ensureRunaTmpDir(cwd?: string): Promise<string>;

package/dist/commands/ci/utils/execa-helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"execa-helpers.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/execa-helpers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,EAAS,KAAK,aAAa,EAAE,MAAM,OAAO,CAAC;AAyDlD,wBAAsB,gBAAgB,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKpE;AAED,wBAAgB,SAAS,CAAC,MAAM,EAAE;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB,GAAG,aAAa,CAsBhB"}
+{"version":3,"file":"execa-helpers.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/execa-helpers.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAS,KAAK,aAAa,EAAE,MAAM,OAAO,CAAC;AA4ClD,wBAAsB,gBAAgB,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKpE;AAED,wBAAgB,SAAS,CAAC,MAAM,EAAE;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB,GAAG,aAAa,CAwBhB"}

package/dist/commands/ci/utils/github.d.ts

@@ -8,7 +8,13 @@
  * - PR context parsing
  *
  * All functions are no-op when not running in GitHub Actions.
+ *
+ * Security (Issue #458):
+ * - Re-exports maskSensitiveEnvVars for early CI initialization
+ * - Use addGithubMask for individual values
+ * - NEVER write secrets to GITHUB_OUTPUT
  */
+export { maskSensitiveEnvVars, maskInGitHub } from './env-security.js';
 /**
  * Append markdown to GitHub Actions step summary.
  * No-op when not running in GitHub Actions.

package/dist/commands/ci/utils/github.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAUH;;;GAGG;AACH,wBAAsB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAI7E;AAMD;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAOrF;AAMD;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAOlF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAI7D;AAeD,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF;;;GAGG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,eAAe,CAAC,CAcpE"}
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAOH,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAMvE;;;GAGG;AACH,wBAAsB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAI7E;AAMD;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAOrF;AAMD;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAOlF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAI7D;AAeD,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF;;;GAGG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,eAAe,CAAC,CAcpE"}

package/dist/commands/ci/utils/pgtap-installer.d.ts

@@ -8,6 +8,9 @@
  * - Avoid hardcoding repo-specific roles/tables
  * - Only probe standard Supabase roles (authenticated, service_role)
  * - Best-effort: never fail CI if pgTAP is unavailable
+ *
+ * Security (Issue #458):
+ * - Uses getSafeEnv() to avoid passing secrets to child processes
  */
 export interface PgTapInstallResult {
     available: boolean;

package/dist/commands/ci/utils/pgtap-installer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pgtap-installer.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/pgtap-installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;;;;;GASG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,kBAAkB,CAAC,CA6G7B"}
+{"version":3,"file":"pgtap-installer.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/pgtap-installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAQH,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;;;;;GASG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,kBAAkB,CAAC,CA6G7B"}

package/dist/commands/ci/utils/rls-verification.d.ts

@@ -8,6 +8,9 @@
  * - Only probe standard Supabase roles (authenticated, service_role)
  * - Avoid hardcoding repo-specific roles/tables
  * - Best-effort remediation: grant privileges when possible, skip when not
+ *
+ * Security (Issue #458):
+ * - Uses getSafeEnv() to avoid passing secrets to child processes
  */
 export interface QueryScalarParams {
     repoRoot: string;

package/dist/commands/ci/utils/rls-verification.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rls-verification.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/rls-verification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAU5E;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAAC,MAAM,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAoF9F;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA4BD;;;;;;;;;GASG;AACH,wBAAsB,8BAA8B,CAClD,MAAM,EAAE,uBAAuB,GAC9B,OAAO,CAAC,IAAI,CAAC,CAwDf;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,OAAO,CAAC,CAazF"}
+{"version":3,"file":"rls-verification.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/rls-verification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAOH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAU5E;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAAC,MAAM,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAoF9F;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA4BD;;;;;;;;;GASG;AACH,wBAAsB,8BAA8B,CAClD,MAAM,EAAE,uBAAuB,GAC9B,OAAO,CAAC,IAAI,CAAC,CAwDf;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,OAAO,CAAC,CAazF"}

package/dist/commands/ci/utils/workflow-idempotency.d.ts

@@ -0,0 +1,90 @@
+/**
+ * AI HINT: Workflow Idempotency Check
+ *
+ * Purpose: Prevent duplicate production deployments via commit-based idempotency
+ * Security: Uses PostgreSQL advisory lock + audit table check
+ *
+ * Pattern:
+ * 1. Acquire advisory lock to ensure single execution
+ * 2. Check audit table for existing deployment of this commit
+ * 3. Proceed only if this is a new deployment
+ *
+ * @see Issue #451 - Race condition in production schema deployment
+ */
+/** Unique lock ID for production deployments (distinct from migration lock) */
+export declare const PROD_DEPLOY_LOCK_ID = 88889;
+/** Unique lock ID for snapshot operations */
+export declare const SNAPSHOT_LOCK_ID = 88890;
+interface AdvisoryLockResult {
+    acquired: boolean;
+    error?: string;
+}
+/**
+ * Acquire an advisory lock for a specific operation.
+ * Uses pg_try_advisory_lock for non-blocking acquisition.
+ *
+ * @param dbUrl - Database URL
+ * @param lockId - Unique lock identifier
+ * @returns Lock acquisition result
+ */
+export declare function acquireWorkflowLock(dbUrl: string, lockId: number): AdvisoryLockResult;
+/**
+ * Release an advisory lock.
+ *
+ * @param dbUrl - Database URL
+ * @param lockId - Unique lock identifier
+ */
+export declare function releaseWorkflowLock(dbUrl: string, lockId: number): void;
+interface IdempotencyCheckResult {
+    alreadyDeployed: boolean;
+    deployedAt?: string;
+    checkSuccessful: boolean;
+    error?: string;
+}
+/**
+ * Check if a commit has already been deployed to production.
+ * Queries the audit table (if configured) to detect duplicate deployments.
+ *
+ * @param dbUrl - Database URL
+ * @param commit - Commit SHA to check
+ * @returns Idempotency check result
+ */
+export declare function checkDeploymentIdempotency(dbUrl: string, commit: string): IdempotencyCheckResult;
+interface WorkflowGuardResult {
+    canProceed: boolean;
+    lockAcquired: boolean;
+    alreadyDeployed: boolean;
+    message: string;
+}
+/**
+ * Guard function for production deployment workflow.
+ * Combines lock acquisition and idempotency check.
+ *
+ * @param dbUrl - Database URL
+ * @param commit - Commit SHA being deployed
+ * @returns Guard result indicating if workflow can proceed
+ */
+export declare function guardProductionDeployment(dbUrl: string, commit: string): WorkflowGuardResult;
+/**
+ * Cleanup function to ensure lock is released.
+ * Should be called in finally block or error handler.
+ *
+ * @param dbUrl - Database URL
+ * @param lockAcquired - Whether lock was acquired (from guardProductionDeployment)
+ */
+export declare function releaseProductionDeploymentLock(dbUrl: string, lockAcquired: boolean): void;
+/**
+ * Guard for snapshot operations to prevent concurrent snapshots.
+ *
+ * @param dbUrl - Database URL
+ * @returns Whether lock was acquired
+ */
+export declare function acquireSnapshotLock(dbUrl: string): boolean;
+/**
+ * Release snapshot operation lock.
+ *
+ * @param dbUrl - Database URL
+ */
+export declare function releaseSnapshotLock(dbUrl: string): void;
+export {};
+//# sourceMappingURL=workflow-idempotency.d.ts.map

package/dist/commands/ci/utils/workflow-idempotency.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflow-idempotency.d.ts","sourceRoot":"","sources":["../../../../src/commands/ci/utils/workflow-idempotency.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,+EAA+E;AAC/E,eAAO,MAAM,mBAAmB,QAAQ,CAAC;AAEzC,6CAA6C;AAC7C,eAAO,MAAM,gBAAgB,QAAQ,CAAC;AAEtC,UAAU,kBAAkB;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,kBAAkB,CA0BrF;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAYvE;AAED,UAAU,sBAAsB;IAC9B,eAAe,EAAE,OAAO,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,OAAO,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,sBAAsB,CA0DhG;AAED,UAAU,mBAAmB;IAC3B,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,OAAO,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CA2C5F;AAED;;;;;;GAMG;AACH,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,GAAG,IAAI,CAI1F;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAG1D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAEvD"}

package/dist/commands/db/apply/actors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actors.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/apply/actors.ts"],"names":[],"mappings":"AA2BA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAuElD,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AA0vBD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;WAExB,YAAY;eAAa,MAAM;gCAgCxC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,iBAAiB;WAEnB,YAAY;eAAa,MAAM;gCA6DxC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,UAAU;aACV,OAAO;;WACT,YAAY;eAAa,MAAM;gCAoDxC,CAAC"}
+{"version":3,"file":"actors.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/apply/actors.ts"],"names":[],"mappings":"AAsCA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAuElD,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAwwBD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;WAExB,YAAY;eAAa,MAAM;gCAgCxC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,iBAAiB;WAEnB,YAAY;eAAa,MAAM;gCA6DxC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,UAAU;aACV,OAAO;;WACT,YAAY;eAAa,MAAM;gCAqDxC,CAAC"}

package/dist/commands/db/apply/helpers/advisory-lock.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"advisory-lock.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/advisory-lock.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,gFAAgF;AAChF,eAAO,MAAM,iBAAiB,QAAQ,CAAC;AAEvC;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAgB5E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAQzE"}
+{"version":3,"file":"advisory-lock.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/advisory-lock.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,gFAAgF;AAChF,eAAO,MAAM,iBAAiB,QAAQ,CAAC;AAEvC;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAsB5E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAWzE"}

package/dist/commands/db/apply/helpers/pg-schema-diff-helpers.d.ts

@@ -8,6 +8,10 @@
  * - AUTHZ_UPDATE hazards for roles defined in idempotent/*.sql are filtered
  * - Reason: idempotent files (e.g., 15_rbac_roles.sql) grant privileges that
  *   pg-schema-diff doesn't know about (it only manages declarative/*.sql)
+ *
+ * Security:
+ * - All psql calls use parsePostgresUrl + buildPsqlArgs to prevent SQL injection
+ * - Passwords are passed via PGPASSWORD env var, not command line
  */
 import type { DbApplyInput } from '../contract.js';
 /**

package/dist/commands/db/apply/helpers/pg-schema-diff-helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pg-schema-diff-helpers.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/pg-schema-diff-helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAqBnD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CA+ChE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CA0BzF;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,YAAY,EAAE,EACvB,UAAU,CAAC,EAAE,MAAM,GAClB;IAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAAC,cAAc,EAAE,YAAY,EAAE,CAAA;CAAE,CAa9D;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD;AAMD;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAa/C;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAe5D;AAMD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,EAAE,CA8B1E;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAIxF;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,YAAY,EAAE,EACvB,OAAO,EAAE,OAAO,GACf;IAAE,cAAc,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,OAAO,CAAA;CAAE,CAgCtD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAOzD;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAAC,aAAa,EAAE,OAAO,GAAG,IAAI,CAgB3E;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAmBjF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAchE;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,EAAE,CAyBjE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,YAAY,GAAG,IAAI,CAsB1E;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,YAAY,EACnB,UAAU,CAAC,EAAE,MAAM,GAClB;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,cAAc,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,OAAO,CAAA;CAAE,CAsDzE;AAMD;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,EAAE,EACxB,OAAO,EAAE,OAAO,GACf;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CA2C5C"}
+{"version":3,"file":"pg-schema-diff-helpers.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/pg-schema-diff-helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAqBnD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CA+ChE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CA0BzF;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,YAAY,EAAE,EACvB,UAAU,CAAC,EAAE,MAAM,GAClB;IAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAAC,cAAc,EAAE,YAAY,EAAE,CAAA;CAAE,CAa9D;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD;AAMD;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAa/C;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAe5D;AAMD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,EAAE,CA8B1E;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAIxF;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,YAAY,EAAE,EACvB,OAAO,EAAE,OAAO,GACf;IAAE,cAAc,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,OAAO,CAAA;CAAE,CAgCtD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAOzD;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAAC,aAAa,EAAE,OAAO,GAAG,IAAI,CAgB3E;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAmBjF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAchE;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,EAAE,CAyBjE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,YAAY,GAAG,IAAI,CAsB1E;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,YAAY,EACnB,UAAU,CAAC,EAAE,MAAM,GAClB;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,cAAc,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,OAAO,CAAA;CAAE,CAsDzE;AAMD;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,EAAE,EACxB,OAAO,EAAE,OAAO,GACf;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CA2C5C"}

package/dist/commands/db/commands/db-derive-role-passwords.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db-derive-role-passwords.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/commands/db-derive-role-passwords.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgDpC,eAAO,MAAM,0BAA0B,SA4BnC,CAAC"}
+{"version":3,"file":"db-derive-role-passwords.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/commands/db-derive-role-passwords.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgCpC,eAAO,MAAM,0BAA0B,SA6BnC,CAAC"}

package/dist/commands/db/commands/db-derive-urls.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db-derive-urls.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/commands/db-derive-urls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAyHpC,eAAO,MAAM,iBAAiB,SAqB2D,CAAC"}
+{"version":3,"file":"db-derive-urls.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/commands/db-derive-urls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA0GpC,eAAO,MAAM,iBAAiB,SAqB2D,CAAC"}

package/dist/commands/db/utils/psql.d.ts

@@ -5,6 +5,63 @@ export interface PsqlConnectionParams {
     database: string;
     password?: string;
 }
+/**
+ * Parse a PostgreSQL URL into individual connection parameters.
+ * Used to pass parameters safely as separate arguments instead of a single URL.
+ *
+ * Security: This prevents command injection by avoiding shell interpolation
+ * of special characters in passwords or other URL components.
+ */
+export declare function parsePostgresUrl(url: string): PsqlConnectionParams;
+/**
+ * Build psql arguments from connection parameters.
+ * Avoids passing the full URL which could contain special characters.
+ *
+ * @param conn - Connection parameters
+ * @param options - Optional flags
+ * @returns Array of psql arguments
+ */
+export declare function buildPsqlArgs(conn: PsqlConnectionParams, options?: {
+    onErrorStop?: boolean;
+}): string[];
+/**
+ * Build environment with PGPASSWORD if password is provided.
+ * Passing password via env var is safer than command line arguments.
+ *
+ * Security: Env vars are still captured in some contexts, but they are
+ * not visible in process listings (ps aux) unlike command line arguments.
+ */
+export declare function buildPsqlEnv(conn: PsqlConnectionParams): NodeJS.ProcessEnv;
+/**
+ * Execute a psql command synchronously with safe parameter passing.
+ *
+ * @param params - Query parameters
+ * @returns Result with status, stdout, stderr
+ */
+export declare function psqlSyncQuery(params: {
+    databaseUrl: string;
+    sql: string;
+    timeout?: number;
+}): {
+    status: number | null;
+    stdout: string;
+    stderr: string;
+};
+/**
+ * Execute a psql file synchronously with safe parameter passing.
+ *
+ * @param params - File execution parameters
+ * @returns Result with status, stdout, stderr
+ */
+export declare function psqlSyncFile(params: {
+    databaseUrl: string;
+    filePath: string;
+    onErrorStop?: boolean;
+}): {
+    status: number | null;
+    stdout: string;
+    stderr: string;
+};
 export declare function psqlQuery(params: {
     databaseUrl: string;
     sql: string;

package/dist/commands/db/utils/psql.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"psql.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/utils/psql.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAsCD,wBAAsB,SAAS,CAAC,MAAM,EAAE;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC;CAC1B,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBlB;AAED,wBAAsB,QAAQ,CAAC,MAAM,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAO1F"}
+{"version":3,"file":"psql.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/utils/psql.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAQlE;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,oBAAoB,EAC1B,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAE,GAClC,MAAM,EAAE,CAUV;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,oBAAoB,GAAG,MAAM,CAAC,UAAU,CAM1E;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG;IAC7F,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,CAgBA;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB,GAAG;IAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAe5D;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC;CAC1B,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBlB;AAED,wBAAsB,QAAQ,CAAC,MAAM,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAO1F"}

package/dist/commands/db/utils/seed-manager.d.ts

@@ -3,6 +3,10 @@
  *
  * Purpose: Parse, apply, and validate seed data files
  * Design: Config.toml parsing + psql execution
+ *
+ * Security:
+ * - Path traversal protection via validateSafePath
+ * - All user-provided paths are validated before use
  */
 /**
  * Parse seed paths from config.toml

package/dist/commands/db/utils/seed-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"seed-manager.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/utils/seed-manager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH;;GAEG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAgC3D;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAUlF;AAED;;GAEG;AACH,wBAAsB,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAcnE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAU3D"}
+{"version":3,"file":"seed-manager.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/utils/seed-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AASH;;GAEG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAgC3D;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAalF;AAED;;GAEG;AACH,wBAAsB,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsBnE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAU3D"}

package/dist/commands/env/commands/setup/file-export.d.ts

@@ -4,10 +4,14 @@
  * Purpose: Write environment variables to file for review
  * Extracted from: env-setup.ts (lines 1517-1585)
  *
- * SECURITY NOTES:
+ * SECURITY NOTES (Issue #461):
  * - Temporary files are written with restrictive permissions (600)
  * - Files contain sensitive credentials and should be deleted after use
  * - Owner-only read/write prevents other users from accessing credentials
+ * - Cleanup registered with signal handlers for SIGINT/SIGTERM cleanup
+ * - cleanupEnvSetupFile() function exported for explicit cleanup
+ *
+ * @see Issue #461 - Sensitive data leakage in temporary files and error messages
  */
 import type { createCLILogger } from '@runa-ai/runa';
 import type { EnvVariable } from './types.js';
@@ -17,4 +21,11 @@ export declare const ENV_SETUP_TMP_FILE = ".env.setup-tmp";
  * This allows users to review and manually register the values
  */
 export declare function writeEnvSetupFile(envVars: EnvVariable[], drizzleAppPassword: string, drizzleServicePassword: string, logger: ReturnType<typeof createCLILogger>): void;
+/**
+ * SECURITY (Issue #461): Cleanup the env setup temp file.
+ * Call this when the temp file is no longer needed.
+ *
+ * @returns true if file was deleted, false if file didn't exist
+ */
+export declare function cleanupEnvSetupFile(): boolean;
 //# sourceMappingURL=file-export.d.ts.map

package/dist/commands/env/commands/setup/file-export.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"file-export.d.ts","sourceRoot":"","sources":["../../../../../src/commands/env/commands/setup/file-export.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,eAAO,MAAM,kBAAkB,mBAAmB,CAAC;AAMnD;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EAAE,EACtB,kBAAkB,EAAE,MAAM,EAC1B,sBAAsB,EAAE,MAAM,EAC9B,MAAM,EAAE,UAAU,CAAC,OAAO,eAAe,CAAC,GACzC,IAAI,CAqEN"}
+{"version":3,"file":"file-export.d.ts","sourceRoot":"","sources":["../../../../../src/commands/env/commands/setup/file-export.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAErD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,eAAO,MAAM,kBAAkB,mBAAmB,CAAC;AAYnD;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EAAE,EACtB,kBAAkB,EAAE,MAAM,EAC1B,sBAAsB,EAAE,MAAM,EAC9B,MAAM,EAAE,UAAU,CAAC,OAAO,eAAe,CAAC,GACzC,IAAI,CA4EN;AAiBD;;;;;GAKG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAgB7C"}

package/dist/commands/upgrade.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upgrade.d.ts","sourceRoot":"","sources":["../../src/commands/upgrade.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAeH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAq3BpC,eAAO,MAAM,cAAc,SA2DvB,CAAC"}
+{"version":3,"file":"upgrade.d.ts","sourceRoot":"","sources":["../../src/commands/upgrade.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAeH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA63BpC,eAAO,MAAM,cAAc,SA2DvB,CAAC"}

package/dist/config/env-files.d.ts

@@ -20,6 +20,11 @@
  * - Works in both runa-repo (workspace) and pj-repo (standalone).
  * - Matches Next.js/Vercel environment naming convention.
  * - AI-friendly: `runa db sync` works without special wrappers.
+ *
+ * Security (Issue #462):
+ * - Maximum depth limit on directory traversal
+ * - Environment suffix validation (prevents path traversal via env names)
+ * - Path containment checks
  */
 type VercelEnvironment = 'development' | 'preview' | 'production';
 type RunaEnvironment = 'local' | 'preview' | 'main' | 'production';

package/dist/config/env-files.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env-files.d.ts","sourceRoot":"","sources":["../../src/config/env-files.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAYH,KAAK,iBAAiB,GAAG,aAAa,GAAG,SAAS,GAAG,YAAY,CAAC;AAClE,KAAK,eAAe,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,YAAY,CAAC;AAEnE,KAAK,mBAAmB,GAAG;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,aAAa,GAAG,YAAY,GAAG,MAAM,CAAC;IAChD;;;;;;;OAOG;IACH,OAAO,CAAC,EAAE,eAAe,CAAC;IAC1B;;OAEG;IACH,SAAS,CAAC,EAAE,iBAAiB,CAAC;IAC9B,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,KAAK,kBAAkB,GAAG;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AA6EF;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,mBAAwB,GAAG,kBAAkB,CAwFlF"}
+{"version":3,"file":"env-files.d.ts","sourceRoot":"","sources":["../../src/config/env-files.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAiBH,KAAK,iBAAiB,GAAG,aAAa,GAAG,SAAS,GAAG,YAAY,CAAC;AAClE,KAAK,eAAe,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,YAAY,CAAC;AAEnE,KAAK,mBAAmB,GAAG;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,aAAa,GAAG,YAAY,GAAG,MAAM,CAAC;IAChD;;;;;;;OAOG;IACH,OAAO,CAAC,EAAE,eAAe,CAAC;IAC1B;;OAEG;IACH,SAAS,CAAC,EAAE,iBAAiB,CAAC;IAC9B,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,KAAK,kBAAkB,GAAG;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AAiFF;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,mBAAwB,GAAG,kBAAkB,CAwFlF"}

package/dist/config/env.d.ts

@@ -125,6 +125,10 @@ export declare function isDebug(): boolean;
 /**
  * Sanitize sensitive data from environment variables
  * Useful for logging
+ *
+ * SECURITY (Issue #461):
+ * - Redacts known sensitive keys
+ * - Detects and redacts values that look like secrets (pattern-based)
  */
 export declare function sanitizeEnv(envVars: Partial<Env>): Record<string, string | boolean | undefined>;
 export {};

package/dist/config/env.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/config/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAqBxB;;;GAGG;AACH,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAqDb,CAAC;AAEH;;;GAGG;AACH,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAuB5C;;;;GAIG;AACH,eAAO,MAAM,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAY,CAAC;AAE7B;;;GAGG;AACH,wBAAgB,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,GAAG,OAAO,CAKtD;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAwBvC;AAED;;GAEG;AACH,wBAAgB,IAAI,IAAI,OAAO,CAE9B;AAED;;GAEG;AACH,wBAAgB,OAAO,IAAI,OAAO,CAEjC;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,CAoB/F"}
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/config/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAqBxB;;;GAGG;AACH,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAqDb,CAAC;AAEH;;;GAGG;AACH,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAuB5C;;;;GAIG;AACH,eAAO,MAAM,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAY,CAAC;AAE7B;;;GAGG;AACH,wBAAgB,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,GAAG,OAAO,CAKtD;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAwBvC;AAED;;GAEG;AACH,wBAAgB,IAAI,IAAI,OAAO,CAE9B;AAED;;GAEG;AACH,wBAAgB,OAAO,IAAI,OAAO,CAEjC;AA4CD;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,CAsB/F"}