@runa-ai/runa-cli 0.5.52 → 0.5.57

package/dist/index.js

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import * as path11 from 'path';
-import path11__default, { join, dirname, resolve, relative, basename, sep, isAbsolute, normalize } from 'path';
+import path11__default, { join, dirname, resolve, isAbsolute, relative, sep, basename, normalize } from 'path';
 import { fileURLToPath } from 'url';
 import * as fs5 from 'fs';
-import fs5__default, { existsSync, readFileSync, readdirSync, mkdtempSync, writeFileSync, mkdirSync, copyFileSync, createWriteStream, statSync, rmSync, realpathSync, renameSync, promises, lstatSync, accessSync, constants, chmodSync, unlinkSync } from 'fs';
+import fs5__default, { existsSync, rmSync, readFileSync, readdirSync, mkdtempSync, writeFileSync, mkdirSync, copyFileSync, createWriteStream, statSync, realpathSync, promises, lstatSync, accessSync, constants, chmodSync, unlinkSync } from 'fs';
 import { execSync, spawnSync, execFileSync, exec, spawn } from 'child_process';
-import { createCLILogger, cacheClear, CacheClearOutputSchema, CLIError, cachePrune, CachePruneOutputSchema, cacheStats, CacheStatsOutputSchema, cacheList, CacheListOutputSchema, cacheInvalidate, CacheInvalidateOutputSchema, syncFromProduction, dbGenerateDiagram, DbDiagramGenerateOutputSchema, createDbSnapshot, syncDatabase, emitDbPushFailureCapsule, emitDbAnnotations, writeDbPushStepSummary, exportDbReportJson, DbSyncOutputSchema, databasePaths, detectRequiredServices, formatDetectionResults, dbStart, DbLifecycleStartOutputSchema, dbStop, DbLifecycleStopOutputSchema, dbReset, DbLifecycleResetOutputSchema, dbValidateSchemas, DbSchemaValidateOutputSchema, DbSchemaRisksOutputSchema, dbDetectSchemaRisks, dbApplySchemas, DbSchemaApplyOutputSchema, dbGenerateTypes, DbSchemaGenerateOutputSchema, extractSchemaFilter, dbSeedInit, DbSeedInitOutputSchema, dbSeedValidate, DbSeedValidateOutputSchema, dbSeedGenerate, DbSeedGenerateOutputSchema, dbVerifySeeds, DbSeedVerifyOutputSchema, DbSnapshotCreateOutputSchema, restoreDbSnapshot, DbSnapshotRestoreOutputSchema, listDbSnapshots, DbSnapshotListOutputSchema, dbGeneratePgTapTests, DbTestGenOutputSchema, dbUpdateGoldenRecord, DbTestUpdateGoldenOutputSchema, repairRunaConfig, detectExistingInitConfig, initProject, validateInitResult, linkCliGlobally, LinkCliOutputSchema, unlinkCliGlobally, UnlinkCliOutputSchema, checkRepoStatus, CheckRepoStatusOutputSchema, enableTelemetry, disableTelemetry, getTelemetryStatus, uploadTelemetry, TelemetryUploadOutputSchema, runTest, TestRunOutputSchema, runTestService, TestServiceOutputSchema, runTestIntegration, TestIntegrationOutputSchema, runTestStatic, TestStaticOutputSchema, generateOwaspTop10Tests, TestOwaspGenerateOutputSchema, updateGoldenRecord, generateE2ETests, generateSecurityTests, generateUnitTests, generateApiTests, generateComponentTests, generateE2EScaffold, validateConfig, ValidateConfigOutputSchema, deploySchemaToProduction, WorkflowNotifyOutputSchema, devopsSync, workflowSync, validateInfrastructure, emitWorkflowValidateFailureCapsule, emitWorkflowAnnotations, writeWorkflowValidateStepSummary, exportWorkflowReportJson, WorkflowValidateInfrastructureOutputSchema, createSuccessEnvelopeSchema, CLI_CONTRACT_VERSION, runChecks, RunCheckOutputSchema, formatDuration as formatDuration$1, GITHUB_API, loadRunaConfig, getClassificationForProfile, loadRunaConfigOrThrow, recordSchemaAudit, RecordSchemaAuditOutputSchema, createBackup, CreateBackupOutputSchema, listBackups, ListBackupsOutputSchema, getBackupMetadata, restoreBackup, RestoreBackupOutputSchema, deleteBackup, DeleteBackupOutputSchema, detectSchemaNames, SUPABASE_SYSTEM_SCHEMAS, dbSeedApply, writeDbSeedStepSummary, DbSeedApplyOutputSchema, emitDbSeedFailureCapsule, syncEnvironment, EnvSyncOutputSchema, detectDatabasePackage, findProjectRoot as findProjectRoot$1, TelemetryEnableOutputSchema, TelemetryDisableOutputSchema, TelemetryStatusOutputSchema, workflowNotify, DevOpsSyncOutputSchema, WorkflowSyncOutputSchema, formatCLIError, getStatusIcon as getStatusIcon$1, findWorkspaceRoot as findWorkspaceRoot$1, checkExtensionConfig, UpgradeTransaction, readRunaVersion, syncTemplates, SyncOutputSchema, DATABASE_PACKAGE_CANDIDATES, ErrorEnvelopeSchema, preCheckSync, findConflictFiles, TestUnitGenOutputSchema, TestE2EGenerateOutputSchema, TestSecurityGenOutputSchema, TestApiGenOutputSchema, TestComponentGenOutputSchema } from '@runa-ai/runa';
+import { createCLILogger, cacheClear, CacheClearOutputSchema, CLIError, cachePrune, CachePruneOutputSchema, cacheStats, CacheStatsOutputSchema, cacheList, CacheListOutputSchema, cacheInvalidate, CacheInvalidateOutputSchema, syncFromProduction, SUPABASE_SYSTEM_SCHEMAS, dbGenerateDiagram, DbDiagramGenerateOutputSchema, createDbSnapshot, syncDatabase, emitDbPushFailureCapsule, emitDbAnnotations, writeDbPushStepSummary, exportDbReportJson, DbSyncOutputSchema, databasePaths, detectRequiredServices, formatDetectionResults, dbStart, DbLifecycleStartOutputSchema, dbStop, DbLifecycleStopOutputSchema, dbReset, DbLifecycleResetOutputSchema, dbValidateSchemas, DbSchemaValidateOutputSchema, DbSchemaRisksOutputSchema, dbDetectSchemaRisks, dbApplySchemas, DbSchemaApplyOutputSchema, dbGenerateTypes, DbSchemaGenerateOutputSchema, extractSchemaFilter, dbSeedInit, DbSeedInitOutputSchema, dbSeedValidate, DbSeedValidateOutputSchema, dbSeedGenerate, DbSeedGenerateOutputSchema, dbVerifySeeds, DbSeedVerifyOutputSchema, DbSnapshotCreateOutputSchema, restoreDbSnapshot, DbSnapshotRestoreOutputSchema, listDbSnapshots, DbSnapshotListOutputSchema, dbGeneratePgTapTests, DbTestGenOutputSchema, dbUpdateGoldenRecord, DbTestUpdateGoldenOutputSchema, repairRunaConfig, detectExistingInitConfig, initProject, validateInitResult, linkCliGlobally, LinkCliOutputSchema, unlinkCliGlobally, UnlinkCliOutputSchema, checkRepoStatus, CheckRepoStatusOutputSchema, enableTelemetry, disableTelemetry, getTelemetryStatus, uploadTelemetry, TelemetryUploadOutputSchema, runTest, TestRunOutputSchema, runTestService, TestServiceOutputSchema, runTestIntegration, TestIntegrationOutputSchema, runTestStatic, TestStaticOutputSchema, generateOwaspTop10Tests, TestOwaspGenerateOutputSchema, updateGoldenRecord, generateE2ETests, generateSecurityTests, generateUnitTests, generateApiTests, generateComponentTests, generateE2EScaffold, validateConfig, ValidateConfigOutputSchema, deploySchemaToProduction, WorkflowNotifyOutputSchema, devopsSync, workflowSync, validateInfrastructure, emitWorkflowValidateFailureCapsule, emitWorkflowAnnotations, writeWorkflowValidateStepSummary, exportWorkflowReportJson, WorkflowValidateInfrastructureOutputSchema, createSuccessEnvelopeSchema, CLI_CONTRACT_VERSION, runChecks, RunCheckOutputSchema, formatDuration as formatDuration$1, GITHUB_API, loadRunaConfig, getClassificationForProfile, BASE_PORTS, loadRunaConfigOrThrow, recordSchemaAudit, RecordSchemaAuditOutputSchema, createBackup, CreateBackupOutputSchema, listBackups, ListBackupsOutputSchema, getBackupMetadata, restoreBackup, RestoreBackupOutputSchema, deleteBackup, DeleteBackupOutputSchema, detectSchemaNames, resolveAvailablePorts, calculatePortOffset, dbSeedApply, writeDbSeedStepSummary, DbSeedApplyOutputSchema, emitDbSeedFailureCapsule, syncEnvironment, EnvSyncOutputSchema, detectDatabasePackage, findProjectRoot as findProjectRoot$1, TelemetryEnableOutputSchema, TelemetryDisableOutputSchema, TelemetryStatusOutputSchema, workflowNotify, DevOpsSyncOutputSchema, WorkflowSyncOutputSchema, formatCLIError, getStatusIcon as getStatusIcon$1, findWorkspaceRoot as findWorkspaceRoot$1, checkExtensionConfig, getPortsWithOffset, UpgradeTransaction, readRunaVersion, syncTemplates, SyncOutputSchema, DATABASE_PACKAGE_CANDIDATES, ErrorEnvelopeSchema, preCheckSync, findConflictFiles, TestUnitGenOutputSchema, TestE2EGenerateOutputSchema, TestSecurityGenOutputSchema, TestApiGenOutputSchema, TestComponentGenOutputSchema } from '@runa-ai/runa';
 import { z } from 'zod';
 import fs9, { mkdir, writeFile, appendFile, readFile, rm, stat, realpath, cp, readdir, lstat } from 'fs/promises';
 import { promisify } from 'util';
@@ -24,7 +24,7 @@ import { expand } from 'dotenv-expand';
 import { resolve4 } from 'dns/promises';
 import { isIP } from 'net';
 import postgres from 'postgres';
-import crypto, { randomBytes, createHash } from 'crypto';
+import crypto, { randomBytes } from 'crypto';
 import os, { tmpdir } from 'os';
 import { introspectDatabase, HonoRouteAnalyzer } from '@runa-ai/runa/test-generators';
 import { isTable, getTableUniqueName, getTableName } from 'drizzle-orm';
@@ -33,7 +33,7 @@ import { createJiti } from 'jiti';
 import ora from 'ora';
 import { stdout, stdin } from 'process';
 import * as readline from 'readline/promises';
-import { clearInjectionRegistry, clearUnifiedRegistry, postProcessRegistries, isPageFile, collectPageInfo, isLayoutFile, collectLayoutInfo, isApiRouteFile, collectApiRouteInfo, isMiddlewareFile, collectAuthBoundaries, hasMachineDefinition, collectMachineDefinition, createReadAndParseFile, createResolveImportPath, transformSync, getInjectionRegistry, buildManifest, getAllMachineDefinitions, generateSelectorTypeScript, getUnifiedRegistry, buildMachineLinks, registerInjection } from '@runa-ai/runa-xstate-test-plugin/standalone';
+import { clearInjectionRegistry, clearUnifiedRegistry, postProcessRegistries, isPageFile, isLayoutFile, isApiRouteFile, isMiddlewareFile, collectPageInfo, collectLayoutInfo, collectApiRouteInfo, collectAuthBoundaries, hasMachineDefinition, collectMachineDefinition, collectComponentInfo, createReadAndParseFile, createResolveImportPath, transformSync, getInjectionRegistry, buildManifest, getAllMachineDefinitions, generateSelectorTypeScript, getUnifiedRegistry, buildMachineLinks, registerInjection } from '@runa-ai/runa-xstate-test-plugin/standalone';
 import { listSessions, formatDuration as formatDuration$2, cleanupStaleSessions, removeSession, isSessionCheckDisabled, getCurrentSessionId, checkActiveSessions, createSession, addActivity, checkConflicts, formatConflictDetails } from '@runa-ai/runa/session';
 import { render, Box, Text } from 'ink';
 import Spinner from 'ink-spinner';
@@ -124,7 +124,7 @@ function extractPort(rawUrl) {
   }
 }
 function parseTomlPort(content, section, key) {
-  const sectionRegex = new RegExp(`\\[${section}\\]([\\s\\S]*?)(?=\\n\\[|$)`, "m");
+  const sectionRegex = new RegExp(`\\[${section}\\]([\\s\\S]*?)(?=\\n\\[|$)`);
   const sectionMatch = sectionRegex.exec(content);
   if (!sectionMatch) return null;
   const sectionContent = sectionMatch[1];
@@ -287,9 +287,9 @@ var init_local_supabase = __esm({
   "src/commands/env/constants/local-supabase.ts"() {
     init_esm_shims();
     DEFAULT_HOST = "127.0.0.1";
-    DEFAULT_API_PORT = 54321;
-    DEFAULT_DB_PORT = 54322;
-    DEFAULT_STUDIO_PORT = 54323;
+    DEFAULT_API_PORT = BASE_PORTS.api;
+    DEFAULT_DB_PORT = BASE_PORTS.db;
+    DEFAULT_STUDIO_PORT = BASE_PORTS.studio;
     LOCAL_SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0";
     LOCAL_SUPABASE_SERVICE_ROLE_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU";
     LOCAL_SUPABASE_ENV_VALUES = getLocalSupabaseEnvValues();
@@ -1161,7 +1161,7 @@ var CLI_VERSION, HAS_ADMIN_COMMAND;
 var init_version = __esm({
   "src/version.ts"() {
     init_esm_shims();
-    CLI_VERSION = "0.5.52";
+    CLI_VERSION = "0.5.57";
     HAS_ADMIN_COMMAND = false;
   }
 });
@@ -4425,9 +4425,19 @@ var ERROR_CATALOG = {
     title: "Docker is not running",
     template: "Docker daemon is not running or not accessible",
     suggestions: [
-      "Start Docker Desktop",
-      "Run: open -a Docker (macOS)",
-      "Run: systemctl start docker (Linux)"
+      "Start Colima: colima start --cpu 4 --memory 8 --disk 60 --vm-type vz --mount-type virtiofs",
+      "Install Colima: brew install colima docker"
+    ],
+    docUrl: "https://runa.dev/docs/errors/docker"
+  },
+  DOCKER_DESKTOP_FORBIDDEN: {
+    code: "ERR_RUNA_DOCKER_DESKTOP_FORBIDDEN",
+    exitCode: EXIT_CODES.EXTERNAL_TOOL_ERROR,
+    title: "Docker Desktop is not supported",
+    template: "Docker Desktop is not supported. runa requires Colima.",
+    suggestions: [
+      "Install Colima: brew install colima docker",
+      "Start Colima: colima start --cpu 4 --memory 8 --disk 60 --vm-type vz --mount-type virtiofs"
     ],
     docUrl: "https://runa.dev/docs/errors/docker"
   },
@@ -4441,7 +4451,7 @@ var ERROR_CATALOG = {
         supabase: "brew install supabase/tap/supabase",
         vercel: "pnpm add -g vercel",
         gh: "brew install gh",
-        docker: "Install Docker Desktop from https://docker.com",
+        docker: "Install Colima: brew install colima docker",
         dotenvx: "pnpm add -g @dotenvx/dotenvx",
         "pg-schema-diff": "brew install pg-schema-diff"
       };
@@ -5290,7 +5300,7 @@ function emitJsonSuccess(cmd, dataSchema, data) {
 init_esm_shims();
 var BuildPhaseSchema = z.enum(["types", "lint", "build", "db", "manifest"]);
 var VALID_BUILD_PHASES = ["types", "lint", "build", "db", "manifest"];
-z.object({
+var BuildInputSchema = z.object({
   /** Enable E2E mode (NEXT_PUBLIC_E2E_TEST=true, TURBO_FORCE=true) */
   e2e: z.boolean().default(false),
   /** Clear build caches (.next, .turbo, .runa/manifests) */
@@ -5351,6 +5361,87 @@ var BuildOutputSchema = z.object({
 // src/commands/build/machine.ts
 init_esm_shims();
 
+// src/internal/machines/index.ts
+init_esm_shims();
+
+// src/internal/machines/machine-runner.ts
+init_esm_shims();
+function getOutputOrThrow(snapshot2) {
+  const s = snapshot2;
+  if (s.output === void 0) {
+    throw new CLIError("Machine completed without output", "MACHINE_NO_OUTPUT", [
+      "Ensure the machine defines an `output:` function."
+    ]);
+  }
+  return s.output;
+}
+async function runMachine(params) {
+  const timeoutMs = params.timeoutMs ?? 10 * 60 * 1e3;
+  return new Promise((resolve12, reject) => {
+    const actor = createActor(params.machine, { input: params.input });
+    const timer = setTimeout(() => {
+      try {
+        actor.stop?.();
+      } catch {
+      }
+      reject(
+        new CLIError("Machine execution timed out", "MACHINE_TIMEOUT", [
+          `Timeout: ${timeoutMs}ms`,
+          "Consider increasing timeoutMs for long-running operations."
+        ])
+      );
+    }, timeoutMs);
+    const sub = actor.subscribe((snapshot2) => {
+      try {
+        params.onSnapshot?.(snapshot2);
+        const stateName = params.helpers.getStateName(snapshot2);
+        params.onTransition?.(stateName);
+        if (params.helpers.isComplete(snapshot2)) {
+          clearTimeout(timer);
+          sub.unsubscribe();
+          const out = getOutputOrThrow(snapshot2);
+          resolve12(out);
+        }
+      } catch (err) {
+        clearTimeout(timer);
+        sub.unsubscribe();
+        reject(err);
+      }
+    });
+    try {
+      actor.start();
+      actor.send({ type: "START" });
+    } catch (err) {
+      clearTimeout(timer);
+      sub.unsubscribe();
+      reject(err);
+    }
+  });
+}
+
+// src/internal/machines/snapshot-helpers.ts
+init_esm_shims();
+function getSnapshotStateName(snapshot2) {
+  if (typeof snapshot2.value === "string") {
+    return snapshot2.value;
+  }
+  if (!snapshot2.value || typeof snapshot2.value !== "object") {
+    return "unknown";
+  }
+  const entries = Object.entries(snapshot2.value);
+  if (entries.length === 0) {
+    return "unknown";
+  }
+  const [parent, child] = entries[0];
+  if (typeof child === "string") {
+    return `${parent}.${child}`;
+  }
+  return parent;
+}
+function isSnapshotComplete(snapshot2) {
+  return snapshot2.status === "done";
+}
+
 // src/commands/build/actors/index.ts
 init_esm_shims();
 
@@ -6738,6 +6829,14 @@ var e2eMeta = {
     nextStates: []
   }
 };
+function normalizeBuildMachineInput(input3) {
+  const normalizedInput = BuildInputSchema.parse(input3?.input ?? {});
+  const repoRoot = input3?.repoRoot ?? normalizedInput.targetDir ?? process.cwd();
+  return {
+    input: normalizedInput,
+    repoRoot
+  };
+}
 var buildMachine = setup({
   types: {},
   actors: {
@@ -6771,9 +6870,10 @@ var buildMachine = setup({
   id: "build",
   initial: "idle",
   context: ({ input: input3 }) => {
-    const repoRoot = input3.repoRoot;
+    const normalizedInput = normalizeBuildMachineInput(input3);
+    const repoRoot = normalizedInput.repoRoot;
     return {
-      input: input3.input,
+      input: normalizedInput.input,
       repoRoot,
       tmpDir: ".runa/tmp/build",
       hasDatabase: detectDatabase(repoRoot),
@@ -7350,20 +7450,10 @@ var buildMachine = setup({
   output: ({ context }) => createOutput(context)
 });
 function getStateName(snapshot2) {
-  if (typeof snapshot2.value === "string") {
-    return snapshot2.value;
-  }
-  const topLevel = Object.keys(snapshot2.value)[0];
-  if (topLevel && typeof snapshot2.value === "object") {
-    const nested = snapshot2.value[topLevel];
-    if (nested && typeof nested === "string") {
-      return `${topLevel}.${nested}`;
-    }
-  }
-  return topLevel ?? "unknown";
+  return getSnapshotStateName(snapshot2);
 }
 function isComplete(snapshot2) {
-  return snapshot2.status === "done";
+  return isSnapshotComplete(snapshot2);
 }
 
 // src/commands/build/commands/build.ts
@@ -7508,15 +7598,15 @@ function printSummary(logger16, output3) {
   }
 }
 function findRepoRoot(startDir) {
-  const { existsSync: existsSync52, readFileSync: readFileSync29 } = __require("fs");
+  const { existsSync: existsSync53, readFileSync: readFileSync29 } = __require("fs");
   const { join: join23, dirname: dirname5 } = __require("path");
   let current = startDir;
   while (current !== dirname5(current)) {
-    if (existsSync52(join23(current, "turbo.json"))) {
+    if (existsSync53(join23(current, "turbo.json"))) {
       return current;
     }
     const pkgPath = join23(current, "package.json");
-    if (existsSync52(pkgPath)) {
+    if (existsSync53(pkgPath)) {
       try {
         const pkg = JSON.parse(readFileSync29(pkgPath, "utf-8"));
         if (pkg.workspaces) {
@@ -7707,7 +7797,7 @@ init_esm_shims();
 
 // src/commands/dev/contract.ts
 init_esm_shims();
-z.object({
+var DevInputSchema = z.object({
   /** Port for Next.js dev server (default: 3000) */
   port: z.number().int().positive().default(3e3),
   /** Skip Supabase start */
@@ -8099,48 +8189,6 @@ function determineAppCommand(mode, isMonorepo2, rootScripts, appScripts, repoRoo
     useRootScript: false
   };
 }
-var NEXT_CRITICAL_FILES = ["routes-manifest.json", "build-manifest.json"];
-function cleanStaleNextDevState(appDir) {
-  const nextDir = path11__default.join(appDir, ".next");
-  if (!existsSync(nextDir)) {
-    return { cleaned: false };
-  }
-  for (const file of NEXT_CRITICAL_FILES) {
-    if (!existsSync(path11__default.join(nextDir, file))) {
-      cleanNextDir(nextDir, `Missing ${file}`);
-      return { cleaned: true, reason: `Missing ${file}` };
-    }
-  }
-  const serverDir = path11__default.join(nextDir, "server");
-  if (!existsSync(serverDir)) {
-    try {
-      const nextStat = statSync(nextDir);
-      const ageHours = (Date.now() - nextStat.mtimeMs) / (1e3 * 60 * 60);
-      if (ageHours > 1) {
-        cleanNextDir(nextDir, "Stale .next without server directory");
-        return { cleaned: true, reason: "Stale .next without server directory" };
-      }
-    } catch {
-    }
-  }
-  return { cleaned: false };
-}
-function cleanNextDir(nextDir, reason) {
-  console.log(`[runa] Stale .next detected: ${reason}`);
-  console.log("[runa] Cleaning up .next directory...");
-  try {
-    rmSync(nextDir, { recursive: true, force: true, maxRetries: 10, retryDelay: 100 });
-    console.log("[runa] Cleanup complete");
-  } catch {
-    const staleDir = `${nextDir}-stale-${Date.now()}`;
-    console.log(`[runa] Could not remove .next, quarantining to ${path11__default.basename(staleDir)}`);
-    try {
-      renameSync(nextDir, staleDir);
-    } catch {
-      console.warn("[runa] Failed to quarantine .next. Run: rm -rf .next");
-    }
-  }
-}
 async function startAppBackground(params) {
   const mode = params.mode ?? "start";
   const isMonorepo2 = params.appDir !== params.repoRoot;
@@ -8334,7 +8382,11 @@ var appStartActor = fromPromise(
     const { repoRoot, appDir, port, tmpDir, stream } = input3;
     const fullTmpDir = path11__default.join(repoRoot, tmpDir);
     await mkdir(fullTmpDir, { recursive: true });
-    cleanStaleNextDevState(appDir);
+    const nextDir = path11__default.join(appDir, ".next");
+    if (existsSync(nextDir)) {
+      rmSync(nextDir, { recursive: true, force: true });
+      console.log("[runa dev] Cleaned .next cache for fresh start");
+    }
     const result = await startAppBackground({
       repoRoot,
       appDir,
@@ -8364,6 +8416,14 @@ var shutdownActor = fromPromise(async ({ input: input3 }) => {
     });
   }
 });
+function normalizeDevMachineInput(input3) {
+  const normalizedInput = DevInputSchema.parse(input3?.input ?? {});
+  const repoRoot = input3?.repoRoot ?? normalizedInput.targetDir ?? process.cwd();
+  return {
+    input: normalizedInput,
+    repoRoot
+  };
+}
 var devMachine = setup({
   types: {},
   actors: {
@@ -8381,9 +8441,10 @@ var devMachine = setup({
   id: "dev",
   initial: "idle",
   context: ({ input: input3 }) => {
-    const repoRoot = input3.repoRoot ?? process.cwd();
+    const normalizedInput = normalizeDevMachineInput(input3);
+    const repoRoot = normalizedInput.repoRoot;
     return {
-      input: input3.input,
+      input: normalizedInput.input,
       repoRoot,
       tmpDir: ".runa/tmp/dev",
       hasDatabase: detectDatabase(repoRoot),
@@ -8790,6 +8851,23 @@ function isPathContained(basePath, targetPath) {
   const realTarget = safeRealpath(normalizedTarget);
   return realTarget === realBase || realTarget.startsWith(realBase + sep);
 }
+function validateUserFilePath(filePath, baseDir) {
+  if (!filePath || filePath.trim() === "") {
+    throw new Error("File path cannot be empty");
+  }
+  if (!hasNoDangerousChars(filePath)) {
+    throw new Error(
+      "File path contains dangerous characters. Shell metacharacters and control characters are not allowed."
+    );
+  }
+  const resolvedPath = isAbsolute(filePath) ? resolve(filePath) : resolve(baseDir, filePath);
+  if (!isPathContained(baseDir, resolvedPath)) {
+    throw new Error(
+      "File path resolves outside the allowed directory. Path must be within the project root."
+    );
+  }
+  return resolvedPath;
+}
 
 // src/config/env-files.ts
 init_workspace_detector();
@@ -9741,6 +9819,89 @@ var EXCLUDED_SCHEMAS = /* @__PURE__ */ new Set([
   "pgbouncer",
   "cron"
 ]);
+function stripSqlCommentsPreserveStrings(content) {
+  let result = "";
+  let i = 0;
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let inDollarQuote = false;
+  let dollarTag = "";
+  while (i < content.length) {
+    const char = content[i] ?? "";
+    const next = content[i + 1] ?? "";
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && char === "-" && next === "-") {
+      while (i < content.length && content[i] !== "\n") {
+        result += " ";
+        i++;
+      }
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && char === "/" && next === "*") {
+      result += " ";
+      result += " ";
+      i += 2;
+      while (i < content.length) {
+        const blockChar = content[i] ?? "";
+        const blockNext = content[i + 1] ?? "";
+        if (blockChar === "*" && blockNext === "/") {
+          result += " ";
+          result += " ";
+          i += 2;
+          break;
+        }
+        result += blockChar === "\n" ? "\n" : " ";
+        i++;
+      }
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote && char === "$") {
+      if (inDollarQuote) {
+        const closeTag = `$${dollarTag}$`;
+        if (content.slice(i).startsWith(closeTag)) {
+          result += closeTag;
+          i += closeTag.length;
+          inDollarQuote = false;
+          dollarTag = "";
+          continue;
+        }
+      } else {
+        const tagMatch = content.slice(i).match(/^\$([a-zA-Z_][a-zA-Z0-9_]*)?\$/);
+        if (tagMatch) {
+          inDollarQuote = true;
+          dollarTag = tagMatch[1] ?? "";
+          result += tagMatch[0];
+          i += tagMatch[0].length;
+          continue;
+        }
+      }
+    }
+    if (!inDoubleQuote && !inDollarQuote && char === "'") {
+      if (inSingleQuote && next === "'") {
+        result += "''";
+        i += 2;
+        continue;
+      }
+      inSingleQuote = !inSingleQuote;
+      result += char;
+      i++;
+      continue;
+    }
+    if (!inSingleQuote && !inDollarQuote && char === '"') {
+      if (inDoubleQuote && next === '"') {
+        result += '""';
+        i += 2;
+        continue;
+      }
+      inDoubleQuote = !inDoubleQuote;
+      result += char;
+      i++;
+      continue;
+    }
+    result += char;
+    i++;
+  }
+  return result;
+}
 function detectAppSchemas(schemasDir, verbose) {
   const schemas = /* @__PURE__ */ new Set(["public"]);
   if (!existsSync(schemasDir)) {
@@ -9749,12 +9910,13 @@ function detectAppSchemas(schemasDir, verbose) {
   const files = readdirSync(schemasDir).filter((f) => f.endsWith(".sql"));
   for (const file of files) {
     const content = readFileSync(join(schemasDir, file), "utf-8");
-    const contentWithoutComments = content.replace(/--[^\n]*/g, "").replace(/\/\*[\s\S]*?\*\//g, "");
+    const contentWithoutComments = stripSqlCommentsPreserveStrings(content);
     const matches = contentWithoutComments.matchAll(
-      /^\s*CREATE\s+SCHEMA\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)/gim
+      /^\s*CREATE\s+SCHEMA\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:"((?:[^"]|"")*)"|([a-zA-Z_][a-zA-Z0-9_]*))/gim
     );
     for (const match of Array.from(matches)) {
-      const schemaName = match[1].toLowerCase();
+      const schemaNameRaw = (match[1] ?? match[2] ?? "").replace(/""/g, '"');
+      const schemaName = schemaNameRaw.toLowerCase();
       if (!EXCLUDED_SCHEMAS.has(schemaName)) {
         schemas.add(schemaName);
       }
@@ -12733,6 +12895,20 @@ function getSchemaGitDiff(repoRoot) {
     return null;
   }
 }
+function extractRolesFromSql(content) {
+  const roles = [];
+  const roleMatches = content.matchAll(/CREATE\s+ROLE\s+(\w+)\s+WITH/gi);
+  for (const match of roleMatches) {
+    if (match[1]) roles.push(match[1].toLowerCase());
+  }
+  const existsMatches = content.matchAll(/rolname\s*=\s*'(\w+)'/gi);
+  for (const match of existsMatches) {
+    if (match[1] && !roles.includes(match[1].toLowerCase())) {
+      roles.push(match[1].toLowerCase());
+    }
+  }
+  return roles;
+}
 function getIdempotentRoleNames2(repoRoot) {
   const idempotentDir = path11__default.join(repoRoot, "supabase", "schemas", "idempotent");
   const roles = [];
@@ -12741,17 +12917,12 @@ function getIdempotentRoleNames2(repoRoot) {
     if (!fs14.existsSync(idempotentDir)) return [];
     const files = fs14.readdirSync(idempotentDir).filter((f) => f.endsWith(".sql"));
     for (const file of files) {
-      const content = fs14.readFileSync(path11__default.join(idempotentDir, file), "utf-8");
-      const roleMatches = content.matchAll(/CREATE\s+ROLE\s+(\w+)\s+WITH/gi);
-      for (const match of roleMatches) {
-        if (match[1]) roles.push(match[1].toLowerCase());
-      }
-      const existsMatches = content.matchAll(/rolname\s*=\s*'(\w+)'/gi);
-      for (const match of existsMatches) {
-        if (match[1] && !roles.includes(match[1].toLowerCase())) {
-          roles.push(match[1].toLowerCase());
-        }
+      const filePath = path11__default.join(idempotentDir, file);
+      if (!isPathContained(idempotentDir, filePath)) {
+        continue;
       }
+      const content = fs14.readFileSync(filePath, "utf-8");
+      roles.push(...extractRolesFromSql(content));
     }
   } catch {
   }
@@ -15067,6 +15238,24 @@ function getSupabaseUrlWithFallback(context) {
 function getSupabaseAnonKeyWithFallback(context) {
   return context.supabase?.anonKey || DEFAULT_LOCAL_ANON_KEY;
 }
+function buildRuntimeEnv(context, options = {}) {
+  const env2 = {
+    ...context.input.runtimeEnv ?? {},
+    DATABASE_URL: getDatabaseUrlForRuntime(context),
+    NEXT_PUBLIC_SUPABASE_URL: getSupabaseUrlWithFallback(context),
+    NEXT_PUBLIC_SUPABASE_ANON_KEY: getSupabaseAnonKeyWithFallback(context)
+  };
+  if (options.enablePublicE2EFlag) {
+    env2.NEXT_PUBLIC_E2E_TEST = "true";
+  }
+  if (options.enableServerE2EFlag) {
+    env2.E2E_TEST = "true";
+  }
+  if (options.baseUrl) {
+    env2.BASE_URL = options.baseUrl;
+  }
+  return env2;
+}
 function computeExitCodeFromLayerResults(layerResults) {
   const classification = getClassificationForProfile("runa-strict");
   const classificationMap = new Map(classification.map((c) => [c.layer, c.level]));
@@ -15555,7 +15744,7 @@ ${generateProgressCommentBody(progressInput)}`;
           tmpDir: assertTmpDir(context),
           // Execute if GH_DATABASE_URL_ADMIN is set (dry-run will determine if changes exist)
           // PRD: GH_DATABASE_URL_ADMIN = postgres role (DDL capable)
-          shouldExecute: !!(process.env.GH_DATABASE_URL_ADMIN || process.env.GH_DATABASE_URL)
+          shouldExecute: Boolean(context.input.productionDatabaseUrl?.trim())
         }),
         onDone: {
           target: "collectSchemaStats",
@@ -15747,14 +15936,10 @@ ${generateProgressCommentBody(progressInput)}`;
         input: ({ context }) => ({
           repoRoot: assertRepoRoot(context),
           tmpDir: assertTmpDir(context),
-          env: {
-            ...process.env,
-            DATABASE_URL: getDatabaseUrlForRuntime(context),
-            NEXT_PUBLIC_SUPABASE_URL: getSupabaseUrlWithFallback(context),
-            NEXT_PUBLIC_SUPABASE_ANON_KEY: getSupabaseAnonKeyWithFallback(context),
-            // CRITICAL: Required for XState Test Plugin to inject data-state attributes
-            NEXT_PUBLIC_E2E_TEST: "true"
-          },
+          env: buildRuntimeEnv(context, {
+            // Required for XState Test Plugin to inject data-state attributes.
+            enablePublicE2EFlag: true
+          }),
           isCI: context.input.isCI ?? false,
           skipPlaywright: shouldSkipPlaywrightInstall(context)
         }),
@@ -15805,16 +15990,11 @@ ${generateProgressCommentBody(progressInput)}`;
           tmpDir: assertTmpDir(context),
           appDir: context.app?.appDir ?? assertRepoRoot(context),
           port: context.app?.port ?? 3e3,
-          env: {
-            ...process.env,
-            DATABASE_URL: getDatabaseUrlForRuntime(context),
-            NEXT_PUBLIC_SUPABASE_URL: getSupabaseUrlWithFallback(context),
-            NEXT_PUBLIC_SUPABASE_ANON_KEY: getSupabaseAnonKeyWithFallback(context),
-            // CRITICAL: Required for middleware to bypass auth in E2E tests
-            // E2E_TEST is server-only (proxy.ts), NEXT_PUBLIC_E2E_TEST is for build-time (xstate-test-plugin)
-            E2E_TEST: "true",
-            NEXT_PUBLIC_E2E_TEST: "true"
-          }
+          env: buildRuntimeEnv(context, {
+            // E2E_TEST is server-only (proxy.ts), NEXT_PUBLIC_E2E_TEST is for build-time.
+            enableServerE2EFlag: true,
+            enablePublicE2EFlag: true
+          })
         }),
         onDone: [
           {
@@ -15919,12 +16099,7 @@ ${generateProgressCommentBody(progressInput)}`;
           // ci-local: all selected layers, ci-pr: only core layers (1,2,3)
           layers: getLayersForCorePhase(context.selectedLayers, context.mode),
           baseUrl: context.baseUrl ?? `http://localhost:${context.app?.port ?? 3e3}`,
-          env: {
-            ...process.env,
-            DATABASE_URL: getDatabaseUrlForRuntime(context),
-            NEXT_PUBLIC_SUPABASE_URL: getSupabaseUrlWithFallback(context),
-            NEXT_PUBLIC_SUPABASE_ANON_KEY: getSupabaseAnonKeyWithFallback(context)
-          },
+          env: buildRuntimeEnv(context),
           failFast: true
         }),
         onDone: [
@@ -16078,15 +16253,10 @@ ${generateCommentBody(commentInput)}`;
                     tmpDir: assertTmpDir(context),
                     layers: [E2E_LAYER],
                     baseUrl: e2eBaseUrl,
-                    env: {
-                      ...process.env,
-                      DATABASE_URL: getDatabaseUrlForRuntime(context),
-                      NEXT_PUBLIC_SUPABASE_URL: getSupabaseUrlWithFallback(context),
-                      NEXT_PUBLIC_SUPABASE_ANON_KEY: getSupabaseAnonKeyWithFallback(context),
-                      // CRITICAL: Set BASE_URL for Playwright config and test fixtures
-                      // This ensures cookies are set on the same domain Playwright uses
-                      BASE_URL: e2eBaseUrl
-                    },
+                    env: buildRuntimeEnv(context, {
+                      // Ensures cookies are set on the same domain Playwright uses.
+                      baseUrl: e2eBaseUrl
+                    }),
                     failFast: false
                     // Don't fail-fast for E2E (warning-only)
                   };
@@ -16280,19 +16450,10 @@ ${generateCommentBody(commentInput)}`;
   output: ({ context }) => createOutput3(context)
 });
 function getStateName3(snapshot2) {
-  const value = snapshot2.value;
-  if (typeof value === "string") return value;
-  const keys = Object.keys(value);
-  if (keys.length > 0) {
-    const parent = keys[0];
-    const child = value[parent];
-    if (typeof child === "string") return `${parent}.${child}`;
-    return parent;
-  }
-  return "unknown";
+  return getSnapshotStateName(snapshot2);
 }
 function isComplete3(snapshot2) {
-  return snapshot2.status === "done";
+  return isSnapshotComplete(snapshot2);
 }
 
 // src/commands/ci/machine/commands/machine-runner.ts
@@ -16541,6 +16702,18 @@ async function flushAndExit(exitCode) {
   process.exit(exitCode);
 }
 
+// src/commands/ci/machine/commands/runtime-env.ts
+init_esm_shims();
+function captureRuntimeEnv(source = process.env) {
+  const captured = {};
+  for (const [key, value] of Object.entries(source)) {
+    if (value !== void 0) {
+      captured[key] = value;
+    }
+  }
+  return captured;
+}
+
 // src/commands/ci/machine/commands/ci-local.ts
 var isGitHubActionsMode = false;
 var currentGroup = null;
@@ -16662,7 +16835,8 @@ function buildMachineInput(options) {
     dbMode: void 0,
     // PRD: GH_DATABASE_URL_ADMIN = postgres role (DDL capable, for pg_dump)
     productionDatabaseUrl: process.env.GH_DATABASE_URL_ADMIN || process.env.GH_DATABASE_URL,
-    databaseUrl: process.env.DATABASE_URL
+    databaseUrl: process.env.DATABASE_URL,
+    runtimeEnv: captureRuntimeEnv()
   };
 }
 function handleCiError(error, logger16) {
@@ -16728,6 +16902,8 @@ z.object({
   productionDatabaseUrl: z.string().optional(),
   /** Local database URL */
   databaseUrl: z.string().optional(),
+  /** Sanitized process.env captured at entry point */
+  runtimeEnv: z.record(z.string(), z.string()).optional(),
   // === GitHub Actions Environment ===
   /** GitHub ref (e.g., refs/pull/123/merge) */
   githubRef: z.string().optional(),
@@ -17179,6 +17355,7 @@ function optionsToMachineInput(options) {
     databaseUrl: process.env.DATABASE_URL,
     // PRD: GH_DATABASE_URL_ADMIN = postgres role (DDL capable, for pg-schema-diff dry-run)
     productionDatabaseUrl: process.env.GH_DATABASE_URL_ADMIN || process.env.GH_DATABASE_URL,
+    runtimeEnv: captureRuntimeEnv(),
     githubRef: process.env.GITHUB_REF,
     // FIX: Read action from GITHUB_EVENT_PATH JSON, not non-existent GITHUB_EVENT_ACTION env var
     githubEventAction: getGitHubEventAction(),
@@ -17317,6 +17494,7 @@ function tryResolveDatabaseUrl(environment) {
 
 // src/commands/db/utils/table-registry.ts
 init_esm_shims();
+init_config_loader();
 
 // src/commands/db/utils/semantic-mapper.ts
 init_esm_shims();
@@ -17403,6 +17581,223 @@ function applyMappingToTables(tables, mapping) {
   }));
 }
 
+// src/commands/db/utils/schema-sync.ts
+init_esm_shims();
+var VALID_PG_IDENTIFIER_PATTERN = /^[a-zA-Z_][a-zA-Z0-9_]{0,62}$/;
+function validatePgIdentifier(name, context) {
+  if (!name || typeof name !== "string") {
+    throw new Error(`Invalid ${context}: empty or not a string`);
+  }
+  if (!VALID_PG_IDENTIFIER_PATTERN.test(name)) {
+    throw new Error(
+      `Invalid ${context} "${name}": must start with letter/underscore and contain only alphanumeric/underscore characters`
+    );
+  }
+}
+function escapePgStringLiteral(value) {
+  if (typeof value !== "string") {
+    throw new Error("Value must be a string");
+  }
+  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
+}
+function buildSafeSchemaInClause(schemas) {
+  if (schemas.length === 0) {
+    throw new Error("No schemas provided for IN clause");
+  }
+  const safeSchemas = [];
+  for (const schema of schemas) {
+    validatePgIdentifier(schema, "schema name");
+    safeSchemas.push(`'${escapePgStringLiteral(schema)}'`);
+  }
+  return safeSchemas.join(",");
+}
+var ERROR_MESSAGES2 = {
+  PATH_TRAVERSAL: "Schema path validation failed",
+  SCHEMA_NOT_FOUND: "Schema file not found"
+};
+function containsPathTraversal2(inputPath) {
+  const normalized = path11__default.normalize(inputPath);
+  return normalized.includes("..") || inputPath.includes("\0");
+}
+function isPathWithinBase(filePath, baseDir) {
+  try {
+    const resolvedFile = path11__default.resolve(filePath);
+    const resolvedBase = path11__default.resolve(baseDir);
+    const normalizedFile = path11__default.normalize(resolvedFile);
+    const normalizedBase = path11__default.normalize(resolvedBase);
+    return normalizedFile === normalizedBase || normalizedFile.startsWith(normalizedBase + path11__default.sep);
+  } catch {
+    return false;
+  }
+}
+function validateSchemaPath(dbPackagePath, projectRoot = process.cwd()) {
+  if (containsPathTraversal2(dbPackagePath)) {
+    throw new Error(ERROR_MESSAGES2.PATH_TRAVERSAL);
+  }
+  const schemaEntry = path11__default.join(dbPackagePath, "src", "schema", "index.ts");
+  const absoluteSchemaPath = path11__default.resolve(projectRoot, schemaEntry);
+  let resolvedProjectRoot;
+  try {
+    resolvedProjectRoot = realpathSync(projectRoot);
+  } catch {
+    resolvedProjectRoot = path11__default.resolve(projectRoot);
+  }
+  if (!isPathWithinBase(absoluteSchemaPath, resolvedProjectRoot)) {
+    throw new Error(ERROR_MESSAGES2.PATH_TRAVERSAL);
+  }
+  if (!existsSync(absoluteSchemaPath)) {
+    throw new Error(ERROR_MESSAGES2.SCHEMA_NOT_FOUND);
+  }
+  return absoluteSchemaPath;
+}
+function uniqueSorted(values) {
+  return [...new Set(values)].sort((a, b) => a.localeCompare(b));
+}
+async function extractSchemaTablesAndEnums(dbPackagePath, projectRoot = process.cwd()) {
+  const validatedSchemaPath = validateSchemaPath(dbPackagePath, projectRoot);
+  const jiti = createJiti(projectRoot, { interopDefault: true });
+  let schemaModule;
+  try {
+    schemaModule = await jiti.import(validatedSchemaPath);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    const hint = errorMessage.includes("unknown is not defined") ? "\n\nHint: Add 'unknown' to drizzle-orm/pg-core imports:\n  import { unknown, ... } from 'drizzle-orm/pg-core'" : "";
+    throw new Error(`Failed to load schema from ${validatedSchemaPath}: ${errorMessage}${hint}`);
+  }
+  const expectedTables = /* @__PURE__ */ new Set();
+  const expectedEnums = /* @__PURE__ */ new Map();
+  for (const value of Object.values(schemaModule)) {
+    if (isTable(value)) {
+      const unique = String(getTableUniqueName(value));
+      if (unique.startsWith("undefined.")) {
+        expectedTables.add(`public.${getTableName(value)}`);
+      } else {
+        expectedTables.add(unique);
+      }
+      continue;
+    }
+    if (isPgEnum(value)) {
+      expectedEnums.set(value.enumName, {
+        name: value.enumName,
+        values: uniqueSorted(value.enumValues)
+      });
+    }
+  }
+  return { expectedTables, expectedEnums };
+}
+async function fetchDbTablesAndEnums(databaseUrl, options) {
+  const schemaDir = options?.schemaDir ?? "packages/database/src/schema";
+  const managedSchemas = detectSchemaNames(schemaDir, process.cwd());
+  const systemSchemas = /* @__PURE__ */ new Set([
+    ...SUPABASE_SYSTEM_SCHEMAS,
+    ...options?.additionalSystemSchemas ?? []
+  ]);
+  const filteredManagedSchemas = managedSchemas.filter((s) => !systemSchemas.has(s));
+  const schemaList = buildSafeSchemaInClause(filteredManagedSchemas);
+  const tablesSql = `
+SELECT schemaname || '.' || tablename
+FROM pg_tables
+WHERE schemaname IN (${schemaList})
+ORDER BY schemaname, tablename;`.trim();
+  const enumsSql = `
+SELECT t.typname AS enum_name, string_agg(e.enumlabel, ',' ORDER BY e.enumsortorder) AS values
+FROM pg_type t
+JOIN pg_enum e ON t.oid = e.enumtypid
+JOIN pg_namespace n ON n.oid = t.typnamespace
+WHERE n.nspname = 'public'
+GROUP BY t.typname
+ORDER BY t.typname;`.trim();
+  const tablesOut = await psqlQuery({ databaseUrl, sql: tablesSql, mode: "table" });
+  const dbTables = /* @__PURE__ */ new Set();
+  for (const line of tablesOut.split("\n")) {
+    const v = line.trim();
+    if (v.length > 0) dbTables.add(v);
+  }
+  const enumsOut = await psqlQuery({ databaseUrl, sql: enumsSql, mode: "table" });
+  const dbEnums = /* @__PURE__ */ new Map();
+  for (const line of enumsOut.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0) continue;
+    const [enumName, valuesCsv] = trimmed.split("|").map((s) => s.trim());
+    const values = valuesCsv ? valuesCsv.split(",").map((s) => s.trim()) : [];
+    dbEnums.set(enumName, { name: enumName, values: uniqueSorted(values) });
+  }
+  return { dbTables, dbEnums };
+}
+function diffSchema(params) {
+  const missingTables = uniqueSorted(
+    [...params.expectedTables].filter((t) => !params.dbTables.has(t))
+  );
+  const exclusions = new Set(params.excludeFromOrphanDetection ?? []);
+  const exclusionPatterns = [...exclusions].filter((e) => e.includes("*"));
+  const exactExclusions = [...exclusions].filter((e) => !e.includes("*"));
+  const isExcluded = (table) => {
+    if (exactExclusions.includes(table)) return true;
+    for (const pattern of exclusionPatterns) {
+      const regex = new RegExp(`^${pattern.replace(/\*/g, ".*")}$`);
+      if (regex.test(table)) return true;
+    }
+    return false;
+  };
+  const orphanTables = uniqueSorted(
+    [...params.dbTables].filter((t) => !params.expectedTables.has(t) && !isExcluded(t))
+  );
+  const expectedEnumNames = new Set(params.expectedEnums.keys());
+  const dbEnumNames = new Set(params.dbEnums.keys());
+  const missingEnums = uniqueSorted([...expectedEnumNames].filter((n) => !dbEnumNames.has(n)));
+  const extraEnums = uniqueSorted([...dbEnumNames].filter((n) => !expectedEnumNames.has(n)));
+  const enumValueMismatches = [];
+  for (const name of uniqueSorted([...expectedEnumNames].filter((n) => dbEnumNames.has(n)))) {
+    const s = params.expectedEnums.get(name);
+    const d = params.dbEnums.get(name);
+    if (!s || !d) continue;
+    const schemaValues = uniqueSorted(s.values);
+    const dbValues = uniqueSorted(d.values);
+    const same = schemaValues.length === dbValues.length && schemaValues.every((v, i) => v === dbValues[i]);
+    if (same) continue;
+    const added = schemaValues.filter((v) => !dbValues.includes(v));
+    const removed = dbValues.filter((v) => !schemaValues.includes(v));
+    enumValueMismatches.push({ name, dbValues, schemaValues, added, removed });
+  }
+  return {
+    expectedTables: params.expectedTables,
+    expectedEnums: params.expectedEnums,
+    dbTables: params.dbTables,
+    dbEnums: params.dbEnums,
+    missingTables,
+    orphanTables,
+    missingEnums,
+    extraEnums,
+    enumValueMismatches
+  };
+}
+function extractTablesFromIdempotentSql(idempotentDir, projectRoot = process.cwd()) {
+  const fullPath = path11__default.resolve(projectRoot, idempotentDir);
+  if (!existsSync(fullPath)) {
+    return [];
+  }
+  const tables = [];
+  const createTablePattern = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:"?([a-zA-Z_][a-zA-Z0-9_]*)"?\.)?(?:"?([a-zA-Z_][a-zA-Z0-9_]*)"?)/gi;
+  try {
+    const files = readdirSync(fullPath).filter((f) => f.endsWith(".sql"));
+    for (const file of files) {
+      const filePath = path11__default.join(fullPath, file);
+      const content = readFileSync(filePath, "utf-8");
+      const contentWithoutComments = content.replace(/--.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+      for (const match of contentWithoutComments.matchAll(createTablePattern)) {
+        const schema = match[1] || "public";
+        const tableName = match[2];
+        if (tableName) {
+          tables.push(`${schema}.${tableName}`);
+        }
+      }
+    }
+  } catch {
+    return [];
+  }
+  return [...new Set(tables)].sort();
+}
+
 // src/commands/db/utils/sql-table-extractor.ts
 init_esm_shims();
 var sqlParserUtils = null;
@@ -17425,21 +17820,35 @@ async function getSqlParserUtils() {
   await isAstParserAvailable();
   return sqlParserUtils;
 }
+var SQL_IDENTIFIER = String.raw`(?:"(?:[^"]|"")*"|[a-zA-Z_][a-zA-Z0-9_]*)`;
 var SQL_PATTERNS = {
   // CREATE TABLE [IF NOT EXISTS] schema.table_name (
-  createTable: /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\.(\w+)\s*\(/gi,
+  createTable: new RegExp(
+    `CREATE\\s+TABLE\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?(${SQL_IDENTIFIER})\\.(${SQL_IDENTIFIER})\\s*\\(`,
+    "gi"
+  ),
   // PRIMARY KEY (columns)
   primaryKey: /PRIMARY\s+KEY\s*\(([^)]+)\)/gi,
   // FOREIGN KEY (column) REFERENCES schema.table(column) [ON DELETE|UPDATE ...]
-  foreignKey: /FOREIGN\s+KEY\s*\((\w+)\)\s*REFERENCES\s+(\w+)\.(\w+)\s*\((\w+)\)(?:\s+ON\s+DELETE\s+(\w+(?:\s+\w+)?))?(?:\s+ON\s+UPDATE\s+(\w+(?:\s+\w+)?))?/gi,
+  foreignKey: new RegExp(
+    `FOREIGN\\s+KEY\\s*\\((${SQL_IDENTIFIER})\\)\\s*REFERENCES\\s+(${SQL_IDENTIFIER})\\.(${SQL_IDENTIFIER})\\s*\\((${SQL_IDENTIFIER})\\)(?:\\s+ON\\s+DELETE\\s+(\\w+(?:\\s+\\w+)?))?(?:\\s+ON\\s+UPDATE\\s+(\\w+(?:\\s+\\w+)?))?`,
+    "gi"
+  ),
   // REFERENCES schema.table(column) - inline column constraint
-  inlineReference: /(\w+)\s+\w+[^,]*REFERENCES\s+(\w+)\.(\w+)\s*\((\w+)\)/gi,
+  inlineReference: new RegExp(
+    `(${SQL_IDENTIFIER})\\s+\\w+[\\w\\s()]*REFERENCES\\s+(${SQL_IDENTIFIER})\\.(${SQL_IDENTIFIER})\\s*\\((${SQL_IDENTIFIER})\\)`,
+    "gi"
+  ),
   // CREATE [UNIQUE] INDEX name ON schema.table (columns)
-  createIndex: /CREATE\s+(UNIQUE\s+)?INDEX\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+ON\s+(\w+)\.(\w+)\s*\(([^)]+)\)/gi,
+  createIndex: new RegExp(
+    `CREATE\\s+(UNIQUE\\s+)?INDEX\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?(${SQL_IDENTIFIER})\\s+ON\\s+(${SQL_IDENTIFIER})\\.(${SQL_IDENTIFIER})\\s*\\(([^)]+)\\)`,
+    "gi"
+  ),
   // ALTER TABLE ... ENABLE ROW LEVEL SECURITY
-  enableRls: /ALTER\s+TABLE\s+(\w+)\.(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi,
-  // CREATE POLICY name ON schema.table FOR command USING (...) [WITH CHECK (...)]
-  createPolicy: /CREATE\s+POLICY\s+"?(\w+)"?\s+ON\s+(\w+)\.(\w+)\s+(?:AS\s+\w+\s+)?FOR\s+(\w+)\s+(?:TO\s+\w+\s+)?(?:USING\s*\(([^)]+)\))?(?:\s+WITH\s+CHECK\s*\(([^)]+)\))?/gi
+  enableRls: new RegExp(
+    `ALTER\\s+TABLE\\s+(${SQL_IDENTIFIER})\\.(${SQL_IDENTIFIER})\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`,
+    "gi"
+  )
 };
 function snakeToCamel2(str) {
   return str.replace(/_([a-z])/g, (_, c) => c.toUpperCase());
@@ -17474,6 +17883,96 @@ function extractTableBody(content, startPos) {
 function normalizeType(type) {
   return type.trim().replace(/\s+/g, " ").toLowerCase().replace("character varying", "varchar").replace("timestamp with time zone", "timestamptz").replace("timestamp without time zone", "timestamp");
 }
+function unquoteIdentifier(identifier) {
+  const trimmed = identifier.trim();
+  if (trimmed.startsWith('"') && trimmed.endsWith('"')) {
+    return trimmed.slice(1, -1).replace(/""/g, '"');
+  }
+  return trimmed;
+}
+function stripSqlCommentsPreserveStrings2(content) {
+  let result = "";
+  let i = 0;
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let inDollarQuote = false;
+  let dollarTag = "";
+  while (i < content.length) {
+    const char = content[i] ?? "";
+    const next = content[i + 1] ?? "";
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && char === "-" && next === "-") {
+      while (i < content.length && content[i] !== "\n") {
+        result += " ";
+        i++;
+      }
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && char === "/" && next === "*") {
+      result += " ";
+      result += " ";
+      i += 2;
+      while (i < content.length) {
+        const blockChar = content[i] ?? "";
+        const blockNext = content[i + 1] ?? "";
+        if (blockChar === "*" && blockNext === "/") {
+          result += " ";
+          result += " ";
+          i += 2;
+          break;
+        }
+        result += blockChar === "\n" ? "\n" : " ";
+        i++;
+      }
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote && char === "$") {
+      if (inDollarQuote) {
+        const closeTag = `$${dollarTag}$`;
+        if (content.slice(i).startsWith(closeTag)) {
+          result += closeTag;
+          i += closeTag.length;
+          inDollarQuote = false;
+          dollarTag = "";
+          continue;
+        }
+      } else {
+        const tagMatch = content.slice(i).match(/^\$([a-zA-Z_][a-zA-Z0-9_]*)?\$/);
+        if (tagMatch) {
+          inDollarQuote = true;
+          dollarTag = tagMatch[1] ?? "";
+          result += tagMatch[0];
+          i += tagMatch[0].length;
+          continue;
+        }
+      }
+    }
+    if (!inDoubleQuote && !inDollarQuote && char === "'") {
+      if (inSingleQuote && next === "'") {
+        result += "''";
+        i += 2;
+        continue;
+      }
+      inSingleQuote = !inSingleQuote;
+      result += char;
+      i++;
+      continue;
+    }
+    if (!inSingleQuote && !inDollarQuote && char === '"') {
+      if (inDoubleQuote && next === '"') {
+        result += '""';
+        i += 2;
+        continue;
+      }
+      inDoubleQuote = !inDoubleQuote;
+      result += char;
+      i++;
+      continue;
+    }
+    result += char;
+    i++;
+  }
+  return result;
+}
 function parseIndexColumns(rawColumns) {
   return rawColumns.split(",").map((col) => {
     const trimmed = col.trim();
@@ -17510,8 +18009,8 @@ function findTablesRegex(ctx) {
   const tables = [];
   const regex = new RegExp(SQL_PATTERNS.createTable.source, "gi");
   for (const match of ctx.content.matchAll(regex)) {
-    const schema = match[1] ?? "";
-    const name = match[2] ?? "";
+    const schema = unquoteIdentifier(match[1] ?? "");
+    const name = unquoteIdentifier(match[2] ?? "");
     if (!schema || !name) continue;
     const lineNumber = getLineNumber(ctx.content, match.index ?? 0);
     const tableBody = extractTableBody(ctx.content, match.index ?? 0);
@@ -17533,10 +18032,10 @@ function parseColumnsRegex(tableBody) {
     const trimmed = line.trim();
     if (shouldSkipColumnLine(trimmed)) continue;
     const columnMatch = trimmed.match(
-      /^(\w+)\s+([\w\s()]+?)(?:\s+(NOT\s+NULL|NULL))?(?:\s+DEFAULT\s+[^,]+)?(?:\s+REFERENCES)?(?:,|$)/i
+      /^((?:"(?:[^"]|"")*"|[a-zA-Z_][a-zA-Z0-9_]*))\s+([\w\s()]+?)(?:\s+(NOT\s+NULL|NULL))?(?:\s+DEFAULT\s+[^,]+)?(?:\s+REFERENCES)?(?:,|$)/i
     );
     if (columnMatch) {
-      const name = columnMatch[1] ?? "";
+      const name = unquoteIdentifier(columnMatch[1] ?? "");
       if (!name || seen.has(name) || isReservedKeyword(name)) continue;
       seen.add(name);
       const rawType = columnMatch[2] ?? "";
@@ -17558,7 +18057,7 @@ function parsePrimaryKeyRegex(tableBody) {
   const regex = new RegExp(SQL_PATTERNS.primaryKey.source, "gi");
   const match = regex.exec(tableBody);
   if (match) {
-    return match[1]?.split(",").map((col) => col.trim());
+    return match[1]?.split(",").map((col) => unquoteIdentifier(col.trim())).filter(Boolean) ?? [];
   }
   return [];
 }
@@ -17566,12 +18065,12 @@ function parseExplicitForeignKeys(tableBody) {
   const fks = [];
   const fkRegex = new RegExp(SQL_PATTERNS.foreignKey.source, "gi");
   for (const match of tableBody.matchAll(fkRegex)) {
-    const column = match[1] ?? "";
-    const refTable = match[4] ?? "";
+    const column = unquoteIdentifier(match[1] ?? "");
+    const refTable = unquoteIdentifier(match[4] ?? "");
     if (!column || !refTable) continue;
     fks.push({
       column,
-      referencesTable: `${match[2] ?? ""}.${match[3] ?? ""}`,
+      referencesTable: `${unquoteIdentifier(match[2] ?? "")}.${unquoteIdentifier(match[3] ?? "")}`,
       referencesColumn: refTable,
       onDelete: normalizeOnAction(match[5]),
       onUpdate: normalizeOnAction(match[6])
@@ -17583,13 +18082,13 @@ function parseInlineForeignKeys(tableBody, existingColumns) {
   const fks = [];
   const inlineRegex = new RegExp(SQL_PATTERNS.inlineReference.source, "gi");
   for (const match of tableBody.matchAll(inlineRegex)) {
-    const inlineCol = match[1] ?? "";
+    const inlineCol = unquoteIdentifier(match[1] ?? "");
     if (existingColumns.has(inlineCol)) continue;
-    const inlineRefCol = match[4] ?? "";
+    const inlineRefCol = unquoteIdentifier(match[4] ?? "");
     if (!inlineCol || !inlineRefCol) continue;
     fks.push({
       column: inlineCol,
-      referencesTable: `${match[2] ?? ""}.${match[3] ?? ""}`,
+      referencesTable: `${unquoteIdentifier(match[2] ?? "")}.${unquoteIdentifier(match[3] ?? "")}`,
       referencesColumn: inlineRefCol
     });
   }
@@ -17605,8 +18104,10 @@ function parseIndexesRegex(content, schema, tableName) {
   const indexes = [];
   const regex = new RegExp(SQL_PATTERNS.createIndex.source, "gi");
   for (const match of content.matchAll(regex)) {
-    if (match[3] === schema && match[4] === tableName) {
-      const indexName = match[2] ?? "";
+    const indexSchema = unquoteIdentifier(match[3] ?? "");
+    const indexTable = unquoteIdentifier(match[4] ?? "");
+    if (indexSchema === schema && indexTable === tableName) {
+      const indexName = unquoteIdentifier(match[2] ?? "");
       if (!indexName) continue;
       const rawColumns = match[5] ?? "";
       indexes.push({
@@ -17621,26 +18122,200 @@ function parseIndexesRegex(content, schema, tableName) {
 function hasRlsEnabledRegex(content, schema, tableName) {
   const regex = new RegExp(SQL_PATTERNS.enableRls.source, "gi");
   for (const match of content.matchAll(regex)) {
-    if (match[1] === schema && match[2] === tableName) {
+    const matchSchema = unquoteIdentifier(match[1] ?? "");
+    const matchTable = unquoteIdentifier(match[2] ?? "");
+    if (matchSchema === schema && matchTable === tableName) {
       return true;
     }
   }
   return false;
 }
+function extractCreatePolicyStatements(content) {
+  const statements = [];
+  const startRegex = /\bCREATE\s+POLICY\b/gi;
+  let match;
+  while ((match = startRegex.exec(content)) !== null) {
+    const startIndex = match.index ?? 0;
+    const endIndex = findSqlStatementEndForPolicy(content, startIndex);
+    statements.push(content.slice(startIndex, endIndex).trim());
+  }
+  return statements;
+}
+function findSqlStatementEndForPolicy(content, startIndex) {
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let inDollarQuote = false;
+  let dollarTag = "";
+  for (let i = startIndex; i < content.length; i++) {
+    const char = content[i] ?? "";
+    const next = content[i + 1] ?? "";
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote) {
+      if (char === "-" && next === "-") {
+        const newlineIndex = content.indexOf("\n", i);
+        if (newlineIndex === -1) return content.length;
+        i = newlineIndex;
+        continue;
+      }
+      if (char === "/" && next === "*") {
+        const closeIndex = content.indexOf("*/", i + 2);
+        if (closeIndex === -1) return content.length;
+        i = closeIndex + 1;
+        continue;
+      }
+    }
+    if (!inSingleQuote && !inDoubleQuote && char === "$") {
+      if (inDollarQuote) {
+        const closeTag = `$${dollarTag}$`;
+        if (content.slice(i).startsWith(closeTag)) {
+          i += closeTag.length - 1;
+          inDollarQuote = false;
+          dollarTag = "";
+          continue;
+        }
+      } else {
+        const tagMatch = content.slice(i).match(/^\$([a-zA-Z_][a-zA-Z0-9_]*)?\$/);
+        if (tagMatch) {
+          inDollarQuote = true;
+          dollarTag = tagMatch[1] ?? "";
+          i += tagMatch[0].length - 1;
+          continue;
+        }
+      }
+    }
+    if (!inDoubleQuote && !inDollarQuote && char === "'") {
+      if (inSingleQuote) {
+        if (next === "'") {
+          i++;
+          continue;
+        }
+        inSingleQuote = false;
+      } else {
+        inSingleQuote = true;
+      }
+      continue;
+    }
+    if (!inSingleQuote && !inDollarQuote && char === '"') {
+      if (inDoubleQuote) {
+        if (next === '"') {
+          i++;
+          continue;
+        }
+        inDoubleQuote = false;
+      } else {
+        inDoubleQuote = true;
+      }
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && char === ";") {
+      return i + 1;
+    }
+  }
+  return content.length;
+}
+function extractBalancedClause(statement, startIndex) {
+  const openParenIndex = statement.indexOf("(", startIndex);
+  if (openParenIndex === -1) return void 0;
+  let depth = 0;
+  let clauseStart = -1;
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let inDollarQuote = false;
+  let dollarTag = "";
+  for (let i = openParenIndex; i < statement.length; i++) {
+    const char = statement[i] ?? "";
+    const next = statement[i + 1] ?? "";
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote) {
+      if (char === "-" && next === "-") {
+        const newlineIndex = statement.indexOf("\n", i);
+        if (newlineIndex === -1) break;
+        i = newlineIndex;
+        continue;
+      }
+      if (char === "/" && next === "*") {
+        const closeIndex = statement.indexOf("*/", i + 2);
+        if (closeIndex === -1) break;
+        i = closeIndex + 1;
+        continue;
+      }
+    }
+    if (!inSingleQuote && !inDoubleQuote && char === "$") {
+      if (inDollarQuote) {
+        const closeTag = `$${dollarTag}$`;
+        if (statement.slice(i).startsWith(closeTag)) {
+          i += closeTag.length - 1;
+          inDollarQuote = false;
+          dollarTag = "";
+          continue;
+        }
+      } else {
+        const tagMatch = statement.slice(i).match(/^\$([a-zA-Z_][a-zA-Z0-9_]*)?\$/);
+        if (tagMatch) {
+          inDollarQuote = true;
+          dollarTag = tagMatch[1] ?? "";
+          i += tagMatch[0].length - 1;
+          continue;
+        }
+      }
+    }
+    if (!inDoubleQuote && !inDollarQuote && char === "'") {
+      if (inSingleQuote) {
+        if (next === "'") {
+          i++;
+          continue;
+        }
+        inSingleQuote = false;
+      } else {
+        inSingleQuote = true;
+      }
+      continue;
+    }
+    if (!inSingleQuote && !inDollarQuote && char === '"') {
+      if (inDoubleQuote) {
+        if (next === '"') {
+          i++;
+          continue;
+        }
+        inDoubleQuote = false;
+      } else {
+        inDoubleQuote = true;
+      }
+      continue;
+    }
+    if (inSingleQuote || inDoubleQuote || inDollarQuote) continue;
+    if (char === "(") {
+      if (depth === 0) clauseStart = i + 1;
+      depth++;
+    } else if (char === ")") {
+      depth--;
+      if (depth === 0 && clauseStart !== -1) {
+        return statement.slice(clauseStart, i).trim();
+      }
+    }
+  }
+  return void 0;
+}
 function parsePoliciesRegex(content, schema, tableName) {
   const policies = [];
-  const regex = new RegExp(SQL_PATTERNS.createPolicy.source, "gi");
-  for (const match of content.matchAll(regex)) {
-    const policyName = match[1] ?? "";
-    if (!policyName) continue;
-    if (match[2] === schema && match[3] === tableName) {
-      policies.push({
-        name: policyName,
-        command: match[4]?.toUpperCase(),
-        using: match[5] || void 0,
-        withCheck: match[6] || void 0
-      });
-    }
+  const statements = extractCreatePolicyStatements(content);
+  const headerRegex = new RegExp(
+    `^\\s*CREATE\\s+POLICY\\s+(?:"((?:[^"]|"")*)"|([a-zA-Z_][a-zA-Z0-9_]*))\\s+ON\\s+(${SQL_IDENTIFIER})\\.(${SQL_IDENTIFIER})(?:\\s+AS\\s+\\w+)?(?:\\s+FOR\\s+(\\w+))?`,
+    "i"
+  );
+  for (const statement of statements) {
+    const match = statement.match(headerRegex);
+    if (!match) continue;
+    const policyName = unquoteIdentifier(match[1] ?? match[2] ?? "");
+    const policySchema = unquoteIdentifier(match[3] ?? "");
+    const policyTable = unquoteIdentifier(match[4] ?? "");
+    if (!policyName || policySchema !== schema || policyTable !== tableName) continue;
+    const usingIndex = statement.search(/\bUSING\s*\(/i);
+    const withCheckIndex = statement.search(/\bWITH\s+CHECK\s*\(/i);
+    policies.push({
+      name: policyName,
+      command: (match[5] || "ALL").toUpperCase(),
+      using: usingIndex !== -1 ? extractBalancedClause(statement, usingIndex) : void 0,
+      withCheck: withCheckIndex !== -1 ? extractBalancedClause(statement, withCheckIndex) : void 0
+    });
   }
   return policies;
 }
@@ -17741,7 +18416,8 @@ function buildTableEntryRegex(table, content, filePath, opts) {
   };
 }
 function processTablesFromFileRegex(filePath, opts, seen) {
-  const content = readFileSync(filePath, "utf-8");
+  const rawContent = readFileSync(filePath, "utf-8");
+  const content = stripSqlCommentsPreserveStrings2(rawContent);
   const ctx = { content, lines: content.split("\n") };
   const tables = findTablesRegex(ctx);
   const entries = [];
@@ -17783,9 +18459,235 @@ async function extractTablesFromSqlDir(sqlDir, options = {}) {
   return tableEntries;
 }
 
+// src/commands/db/utils/table-source-classifier.ts
+init_esm_shims();
+function splitQualifiedName(qualifiedName) {
+  const [schema = "", table = ""] = qualifiedName.split(".", 2);
+  return { schema, table };
+}
+function escapeRegexLiteral(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function buildTablePatternMatcher(patterns) {
+  const compiled = patterns.map((p) => p.trim()).filter((p) => p.length > 0).map((pattern) => {
+    const target = pattern.includes(".") ? "qualified" : "table";
+    const regex = new RegExp(`^${escapeRegexLiteral(pattern).replace(/\\\*/g, ".*")}$`);
+    return { target, regex };
+  });
+  return (qualifiedName) => {
+    const { table } = splitQualifiedName(qualifiedName);
+    for (const entry of compiled) {
+      const candidate = entry.target === "qualified" ? qualifiedName : table;
+      if (entry.regex.test(candidate)) {
+        return true;
+      }
+    }
+    return false;
+  };
+}
+function findIdempotentAncestor(table, partitionParentMap, idempotentManagedTables) {
+  if (idempotentManagedTables.has(table)) {
+    return table;
+  }
+  let current = table;
+  const visited = /* @__PURE__ */ new Set();
+  while (!visited.has(current)) {
+    visited.add(current);
+    const parent = partitionParentMap.get(current);
+    if (!parent) {
+      return null;
+    }
+    if (idempotentManagedTables.has(parent)) {
+      return parent;
+    }
+    current = parent;
+  }
+  return null;
+}
+function isSystemManagedTable(params) {
+  const { schema } = splitQualifiedName(params.qualifiedName);
+  return params.systemSchemas.has(schema) || params.knownSystemTables.has(params.qualifiedName);
+}
+function classifyMissingSourceTables(params) {
+  const extensionManagedTables = params.extensionManagedTables ?? /* @__PURE__ */ new Map();
+  const partitionParentMap = params.partitionParentMap ?? /* @__PURE__ */ new Map();
+  const exclusionMatcher = buildTablePatternMatcher(params.excludeFromOrphanDetection ?? []);
+  const systemSchemas = new Set(params.systemSchemas ?? []);
+  const knownSystemTables = new Set(params.knownSystemTables ?? []);
+  const classified = {
+    definedInIdempotentDynamicDdl: [],
+    extensionManagedOrSystemTable: [],
+    trulyOrphaned: []
+  };
+  for (const qualifiedName of params.tablesWithoutSource) {
+    const idempotentAncestor = findIdempotentAncestor(
+      qualifiedName,
+      partitionParentMap,
+      params.idempotentManagedTables
+    );
+    if (idempotentAncestor) {
+      classified.definedInIdempotentDynamicDdl.push({
+        qualifiedName,
+        detail: idempotentAncestor === qualifiedName ? "matched CREATE TABLE in idempotent SQL" : `partition child of ${idempotentAncestor}`
+      });
+      continue;
+    }
+    const extensionName = extensionManagedTables.get(qualifiedName);
+    if (extensionName) {
+      classified.extensionManagedOrSystemTable.push({
+        qualifiedName,
+        detail: `managed by extension "${extensionName}"`
+      });
+      continue;
+    }
+    if (isSystemManagedTable({ qualifiedName, systemSchemas, knownSystemTables })) {
+      classified.extensionManagedOrSystemTable.push({
+        qualifiedName,
+        detail: "system-managed schema/table"
+      });
+      continue;
+    }
+    if (exclusionMatcher(qualifiedName)) {
+      classified.extensionManagedOrSystemTable.push({
+        qualifiedName,
+        detail: "allowlisted by database.pgSchemaDiff.excludeFromOrphanDetection"
+      });
+      continue;
+    }
+    classified.trulyOrphaned.push(qualifiedName);
+  }
+  return classified;
+}
+
 // src/commands/db/utils/table-registry.ts
 var MANIFEST_VERSION = 2;
 var GENERATOR_VERSION = "1.0.0";
+var DEFAULT_IDEMPOTENT_SQL_DIR = "supabase/schemas/idempotent";
+var KNOWN_EXTENSION_SYSTEM_TABLES = /* @__PURE__ */ new Set([
+  "public.spatial_ref_sys",
+  "public.geometry_columns",
+  "public.geography_columns"
+]);
+var SUPABASE_SYSTEM_SCHEMA_SET = new Set(SUPABASE_SYSTEM_SCHEMAS);
+var VALID_PG_IDENTIFIER2 = /^[a-zA-Z_][a-zA-Z0-9_]{0,62}$/;
+function validatePgIdentifier2(name, context) {
+  if (!name || typeof name !== "string") {
+    throw new Error(`Invalid ${context}: empty or not a string`);
+  }
+  if (!VALID_PG_IDENTIFIER2.test(name)) {
+    throw new Error(
+      `Invalid ${context} "${name}": must start with letter/underscore and contain only alphanumeric/underscore characters`
+    );
+  }
+}
+function buildSafeSchemaInClause2(schemas) {
+  if (schemas.length === 0) {
+    throw new Error("No schemas provided for IN clause");
+  }
+  const safeSchemas = [];
+  for (const schema of schemas) {
+    validatePgIdentifier2(schema, "schema name");
+    safeSchemas.push(`'${schema.replace(/'/g, "''")}'`);
+  }
+  return safeSchemas.join(",");
+}
+function toRelativeSourcePath(projectRoot, sourceFile) {
+  let relativeSource = relative(projectRoot, sourceFile);
+  if (relativeSource.startsWith("/") || relativeSource.startsWith("..")) {
+    const schemaMatch = sourceFile.match(/supabase\/schemas\/[^/]+\/[^/]+$/);
+    relativeSource = schemaMatch ? schemaMatch[0] : sourceFile;
+  }
+  return relativeSource;
+}
+function resolveSourceConfig(projectRoot, options) {
+  let idempotentSqlDir = options.idempotentSqlDir ?? DEFAULT_IDEMPOTENT_SQL_DIR;
+  const exclusions = new Set(options.excludeFromOrphanDetection ?? []);
+  try {
+    const config = loadRunaConfig2(projectRoot);
+    const pgSchemaDiff = config.database?.pgSchemaDiff;
+    if (!options.idempotentSqlDir && pgSchemaDiff?.idempotentSqlDir) {
+      idempotentSqlDir = pgSchemaDiff.idempotentSqlDir;
+    }
+    if (pgSchemaDiff?.excludeFromOrphanDetection) {
+      for (const pattern of pgSchemaDiff.excludeFromOrphanDetection) {
+        exclusions.add(pattern);
+      }
+    }
+  } catch {
+  }
+  return {
+    idempotentSqlDir: isAbsolute(idempotentSqlDir) ? idempotentSqlDir : join(projectRoot, idempotentSqlDir),
+    excludeFromOrphanDetection: [...exclusions].sort((a, b) => a.localeCompare(b))
+  };
+}
+async function fetchMissingSourceMetadata(params) {
+  const { databaseUrl, schemas } = params;
+  if (schemas.length === 0) {
+    return {
+      extensionManagedTables: /* @__PURE__ */ new Map(),
+      partitionParentMap: /* @__PURE__ */ new Map()
+    };
+  }
+  const isRemoteSupabase = databaseUrl.includes(".supabase.co");
+  const sql = postgres(databaseUrl, {
+    ...isRemoteSupabase && { ssl: "require" }
+  });
+  try {
+    const schemaList = buildSafeSchemaInClause2(schemas);
+    const [extensionRows, partitionRows] = await Promise.all([
+      sql`
+        SELECT
+          n.nspname AS schema_name,
+          c.relname AS table_name,
+          ext.extname AS extension_name
+        FROM pg_class c
+        JOIN pg_namespace n ON n.oid = c.relnamespace
+        JOIN pg_depend d
+          ON d.classid = 'pg_class'::regclass
+          AND d.objid = c.oid
+          AND d.refclassid = 'pg_extension'::regclass
+          AND d.deptype = 'e'
+        JOIN pg_extension ext ON ext.oid = d.refobjid
+        WHERE c.relkind IN ('r', 'p')
+          AND n.nspname IN (${sql.unsafe(schemaList)})
+      `,
+      sql`
+        SELECT
+          child_ns.nspname AS child_schema,
+          child.relname AS child_table,
+          parent_ns.nspname AS parent_schema,
+          parent.relname AS parent_table
+        FROM pg_inherits i
+        JOIN pg_class child ON child.oid = i.inhrelid
+        JOIN pg_namespace child_ns ON child_ns.oid = child.relnamespace
+        JOIN pg_class parent ON parent.oid = i.inhparent
+        JOIN pg_namespace parent_ns ON parent_ns.oid = parent.relnamespace
+        WHERE child.relkind IN ('r', 'p')
+          AND child_ns.nspname IN (${sql.unsafe(schemaList)})
+      `
+    ]);
+    const extensionManagedTables = /* @__PURE__ */ new Map();
+    for (const row of extensionRows) {
+      extensionManagedTables.set(
+        `${String(row.schema_name)}.${String(row.table_name)}`,
+        String(row.extension_name)
+      );
+    }
+    const partitionParentMap = /* @__PURE__ */ new Map();
+    for (const row of partitionRows) {
+      partitionParentMap.set(
+        `${String(row.child_schema)}.${String(row.child_table)}`,
+        `${String(row.parent_schema)}.${String(row.parent_table)}`
+      );
+    }
+    return { extensionManagedTables, partitionParentMap };
+  } finally {
+    await sql.end();
+  }
+}
+function formatMissingSourceItems(items) {
+  return items.map((item) => item.detail ? `${item.qualifiedName} (${item.detail})` : item.qualifiedName).join(", ");
+}
 async function introspectTablesFromDb(databaseUrl, schemas) {
   try {
     const result = await introspectDatabase(databaseUrl, { schemas });
@@ -18031,14 +18933,31 @@ async function crossCheckWithDrizzle(sqlTables, drizzleSchemaPath) {
     return { matched: [], sqlOnly: sqlTables, drizzleOnly: [] };
   }
 }
-function warnTablesWithoutSource(tables) {
-  const tablesWithoutSource = tables.filter((t) => !t.sourceFile);
-  if (tablesWithoutSource.length === 0) return;
-  console.warn(
-    `[tables-manifest] \u26A0 ${tablesWithoutSource.length} table(s) exist in DB but not in SQL files:`
-  );
-  console.warn(`  ${tablesWithoutSource.map((t) => t.qualifiedName).join(", ")}`);
-  console.warn("  \u2192 These may be manually created or Supabase auto-generated tables.");
+function logMissingSourceClassification(classification) {
+  const total = classification.definedInIdempotentDynamicDdl.length + classification.extensionManagedOrSystemTable.length + classification.trulyOrphaned.length;
+  if (total === 0) return;
+  console.warn(`[tables-manifest] \u26A0 ${total} table(s) exist in DB but not in SQL files.`);
+  if (classification.definedInIdempotentDynamicDdl.length > 0) {
+    console.log(
+      `[tables-manifest] info: defined_in_idempotent_dynamic_ddl (${classification.definedInIdempotentDynamicDdl.length})`
+    );
+    console.log(`  ${formatMissingSourceItems(classification.definedInIdempotentDynamicDdl)}`);
+  }
+  if (classification.extensionManagedOrSystemTable.length > 0) {
+    console.log(
+      `[tables-manifest] info: extension_managed/system_table (${classification.extensionManagedOrSystemTable.length})`
+    );
+    console.log(`  ${formatMissingSourceItems(classification.extensionManagedOrSystemTable)}`);
+  }
+  if (classification.trulyOrphaned.length > 0) {
+    console.warn(`[tables-manifest] warn: truly_orphaned (${classification.trulyOrphaned.length})`);
+    console.warn(`  ${classification.trulyOrphaned.join(", ")}`);
+    console.warn(
+      "  \u2192 Add declarative/idempotent SQL definitions or allowlist via database.pgSchemaDiff.excludeFromOrphanDetection."
+    );
+  } else {
+    console.log("[tables-manifest] info: no truly_orphaned tables detected.");
+  }
 }
 async function logDrizzleCrossCheck(tables, drizzleSchemaPath) {
   const result = await crossCheckWithDrizzle(tables, drizzleSchemaPath);
@@ -18070,24 +18989,38 @@ async function generateTablesManifest(projectRoot, options = {}) {
     // Reserved for future metadata filtering feature
     includeMetadata: _includeMetadata = true
   } = options;
+  const sourceConfig = resolveSourceConfig(projectRoot, options);
   let tables = [];
   const source = "introspection";
-  const sqlTables = await extractTablesFromSqlDir(sqlDir, {
+  const declarativeTables = await extractTablesFromSqlDir(sqlDir, {
     includeColumns: false,
     // Don't need columns from SQL (DB introspection is more accurate)
     includeForeignKeys: false,
     includeIndexes: false,
     includeRlsPolicies: false
   });
+  const idempotentTablesForSource = await extractTablesFromSqlDir(sourceConfig.idempotentSqlDir, {
+    includeColumns: false,
+    includeForeignKeys: false,
+    includeIndexes: false,
+    includeRlsPolicies: false
+  });
+  const idempotentTablesFromRegex = extractTablesFromIdempotentSql(
+    sourceConfig.idempotentSqlDir,
+    projectRoot
+  );
+  const idempotentManagedTables = /* @__PURE__ */ new Set([
+    ...idempotentTablesFromRegex,
+    ...idempotentTablesForSource.map((t) => t.qualifiedName)
+  ]);
   const sourceFileMap = /* @__PURE__ */ new Map();
-  for (const t of sqlTables) {
-    let relativeSource = relative(projectRoot, t.sourceFile);
-    if (relativeSource.startsWith("/") || relativeSource.startsWith("..")) {
-      const schemaMatch = t.sourceFile.match(/supabase\/schemas\/[^/]+\/[^/]+$/);
-      relativeSource = schemaMatch ? schemaMatch[0] : t.sourceFile;
+  const sourceTables = [...declarativeTables, ...idempotentTablesForSource];
+  for (const t of sourceTables) {
+    if (sourceFileMap.has(t.qualifiedName)) {
+      continue;
     }
     sourceFileMap.set(t.qualifiedName, {
-      sourceFile: relativeSource,
+      sourceFile: toRelativeSourcePath(projectRoot, t.sourceFile),
       lineNumber: t.lineNumber
     });
   }
@@ -18107,7 +19040,34 @@ async function generateTablesManifest(projectRoot, options = {}) {
     };
   });
   console.log(`[tables-manifest] \u2713 Introspected ${tables.length} tables from database`);
-  warnTablesWithoutSource(tables);
+  const tablesWithoutSource = tables.filter((t) => !t.sourceFile);
+  if (tablesWithoutSource.length > 0) {
+    const missingSourceQualifiedNames = tablesWithoutSource.map((t) => t.qualifiedName);
+    const missingSchemas = [...new Set(tablesWithoutSource.map((t) => t.schema))];
+    let extensionManagedTables = /* @__PURE__ */ new Map();
+    let partitionParentMap = /* @__PURE__ */ new Map();
+    try {
+      const metadata = await fetchMissingSourceMetadata({
+        databaseUrl,
+        schemas: missingSchemas
+      });
+      extensionManagedTables = metadata.extensionManagedTables;
+      partitionParentMap = metadata.partitionParentMap;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[tables-manifest] Failed to classify extension/partition metadata: ${message}`);
+    }
+    const classification = classifyMissingSourceTables({
+      tablesWithoutSource: missingSourceQualifiedNames,
+      idempotentManagedTables,
+      extensionManagedTables,
+      partitionParentMap,
+      excludeFromOrphanDetection: sourceConfig.excludeFromOrphanDetection,
+      systemSchemas: SUPABASE_SYSTEM_SCHEMA_SET,
+      knownSystemTables: KNOWN_EXTENSION_SYSTEM_TABLES
+    });
+    logMissingSourceClassification(classification);
+  }
   if (crossCheck && existsSync(drizzleSchemaPath)) {
     await logDrizzleCrossCheck(tables, drizzleSchemaPath);
   }
@@ -20152,225 +21112,6 @@ var backupCommand = new Command("backup").description("Manage database backups (
 // src/commands/db/commands/db-cleanup.ts
 init_esm_shims();
 init_config_loader();
-
-// src/commands/db/utils/schema-sync.ts
-init_esm_shims();
-var VALID_PG_IDENTIFIER_PATTERN = /^[a-zA-Z_][a-zA-Z0-9_]{0,62}$/;
-function validatePgIdentifier(name, context) {
-  if (!name || typeof name !== "string") {
-    throw new Error(`Invalid ${context}: empty or not a string`);
-  }
-  if (!VALID_PG_IDENTIFIER_PATTERN.test(name)) {
-    throw new Error(
-      `Invalid ${context} "${name}": must start with letter/underscore and contain only alphanumeric/underscore characters`
-    );
-  }
-}
-function escapePgStringLiteral(value) {
-  if (typeof value !== "string") {
-    throw new Error("Value must be a string");
-  }
-  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
-}
-function buildSafeSchemaInClause(schemas) {
-  if (schemas.length === 0) {
-    throw new Error("No schemas provided for IN clause");
-  }
-  const safeSchemas = [];
-  for (const schema of schemas) {
-    validatePgIdentifier(schema, "schema name");
-    safeSchemas.push(`'${escapePgStringLiteral(schema)}'`);
-  }
-  return safeSchemas.join(",");
-}
-var ERROR_MESSAGES2 = {
-  PATH_TRAVERSAL: "Schema path validation failed",
-  SCHEMA_NOT_FOUND: "Schema file not found"
-};
-function containsPathTraversal2(inputPath) {
-  const normalized = path11__default.normalize(inputPath);
-  return normalized.includes("..") || inputPath.includes("\0");
-}
-function isPathWithinBase(filePath, baseDir) {
-  try {
-    const resolvedFile = path11__default.resolve(filePath);
-    const resolvedBase = path11__default.resolve(baseDir);
-    const normalizedFile = path11__default.normalize(resolvedFile);
-    const normalizedBase = path11__default.normalize(resolvedBase);
-    return normalizedFile === normalizedBase || normalizedFile.startsWith(normalizedBase + path11__default.sep);
-  } catch {
-    return false;
-  }
-}
-function validateSchemaPath(dbPackagePath, projectRoot = process.cwd()) {
-  if (containsPathTraversal2(dbPackagePath)) {
-    throw new Error(ERROR_MESSAGES2.PATH_TRAVERSAL);
-  }
-  const schemaEntry = path11__default.join(dbPackagePath, "src", "schema", "index.ts");
-  const absoluteSchemaPath = path11__default.resolve(projectRoot, schemaEntry);
-  let resolvedProjectRoot;
-  try {
-    resolvedProjectRoot = realpathSync(projectRoot);
-  } catch {
-    resolvedProjectRoot = path11__default.resolve(projectRoot);
-  }
-  if (!isPathWithinBase(absoluteSchemaPath, resolvedProjectRoot)) {
-    throw new Error(ERROR_MESSAGES2.PATH_TRAVERSAL);
-  }
-  if (!existsSync(absoluteSchemaPath)) {
-    throw new Error(ERROR_MESSAGES2.SCHEMA_NOT_FOUND);
-  }
-  return absoluteSchemaPath;
-}
-function uniqueSorted(values) {
-  return [...new Set(values)].sort((a, b) => a.localeCompare(b));
-}
-async function extractSchemaTablesAndEnums(dbPackagePath, projectRoot = process.cwd()) {
-  const validatedSchemaPath = validateSchemaPath(dbPackagePath, projectRoot);
-  const jiti = createJiti(projectRoot, { interopDefault: true });
-  let schemaModule;
-  try {
-    schemaModule = await jiti.import(validatedSchemaPath);
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : String(error);
-    const hint = errorMessage.includes("unknown is not defined") ? "\n\nHint: Add 'unknown' to drizzle-orm/pg-core imports:\n  import { unknown, ... } from 'drizzle-orm/pg-core'" : "";
-    throw new Error(`Failed to load schema from ${validatedSchemaPath}: ${errorMessage}${hint}`);
-  }
-  const expectedTables = /* @__PURE__ */ new Set();
-  const expectedEnums = /* @__PURE__ */ new Map();
-  for (const value of Object.values(schemaModule)) {
-    if (isTable(value)) {
-      const unique = String(getTableUniqueName(value));
-      if (unique.startsWith("undefined.")) {
-        expectedTables.add(`public.${getTableName(value)}`);
-      } else {
-        expectedTables.add(unique);
-      }
-      continue;
-    }
-    if (isPgEnum(value)) {
-      expectedEnums.set(value.enumName, {
-        name: value.enumName,
-        values: uniqueSorted(value.enumValues)
-      });
-    }
-  }
-  return { expectedTables, expectedEnums };
-}
-async function fetchDbTablesAndEnums(databaseUrl, options) {
-  const schemaDir = options?.schemaDir ?? "packages/database/src/schema";
-  const managedSchemas = detectSchemaNames(schemaDir, process.cwd());
-  const systemSchemas = /* @__PURE__ */ new Set([
-    ...SUPABASE_SYSTEM_SCHEMAS,
-    ...options?.additionalSystemSchemas ?? []
-  ]);
-  const filteredManagedSchemas = managedSchemas.filter((s) => !systemSchemas.has(s));
-  const schemaList = buildSafeSchemaInClause(filteredManagedSchemas);
-  const tablesSql = `
-SELECT schemaname || '.' || tablename
-FROM pg_tables
-WHERE schemaname IN (${schemaList})
-ORDER BY schemaname, tablename;`.trim();
-  const enumsSql = `
-SELECT t.typname AS enum_name, string_agg(e.enumlabel, ',' ORDER BY e.enumsortorder) AS values
-FROM pg_type t
-JOIN pg_enum e ON t.oid = e.enumtypid
-JOIN pg_namespace n ON n.oid = t.typnamespace
-WHERE n.nspname = 'public'
-GROUP BY t.typname
-ORDER BY t.typname;`.trim();
-  const tablesOut = await psqlQuery({ databaseUrl, sql: tablesSql, mode: "table" });
-  const dbTables = /* @__PURE__ */ new Set();
-  for (const line of tablesOut.split("\n")) {
-    const v = line.trim();
-    if (v.length > 0) dbTables.add(v);
-  }
-  const enumsOut = await psqlQuery({ databaseUrl, sql: enumsSql, mode: "table" });
-  const dbEnums = /* @__PURE__ */ new Map();
-  for (const line of enumsOut.split("\n")) {
-    const trimmed = line.trim();
-    if (trimmed.length === 0) continue;
-    const [enumName, valuesCsv] = trimmed.split("|").map((s) => s.trim());
-    const values = valuesCsv ? valuesCsv.split(",").map((s) => s.trim()) : [];
-    dbEnums.set(enumName, { name: enumName, values: uniqueSorted(values) });
-  }
-  return { dbTables, dbEnums };
-}
-function diffSchema(params) {
-  const missingTables = uniqueSorted(
-    [...params.expectedTables].filter((t) => !params.dbTables.has(t))
-  );
-  const exclusions = new Set(params.excludeFromOrphanDetection ?? []);
-  const exclusionPatterns = [...exclusions].filter((e) => e.includes("*"));
-  const exactExclusions = [...exclusions].filter((e) => !e.includes("*"));
-  const isExcluded = (table) => {
-    if (exactExclusions.includes(table)) return true;
-    for (const pattern of exclusionPatterns) {
-      const regex = new RegExp(`^${pattern.replace(/\*/g, ".*")}$`);
-      if (regex.test(table)) return true;
-    }
-    return false;
-  };
-  const orphanTables = uniqueSorted(
-    [...params.dbTables].filter((t) => !params.expectedTables.has(t) && !isExcluded(t))
-  );
-  const expectedEnumNames = new Set(params.expectedEnums.keys());
-  const dbEnumNames = new Set(params.dbEnums.keys());
-  const missingEnums = uniqueSorted([...expectedEnumNames].filter((n) => !dbEnumNames.has(n)));
-  const extraEnums = uniqueSorted([...dbEnumNames].filter((n) => !expectedEnumNames.has(n)));
-  const enumValueMismatches = [];
-  for (const name of uniqueSorted([...expectedEnumNames].filter((n) => dbEnumNames.has(n)))) {
-    const s = params.expectedEnums.get(name);
-    const d = params.dbEnums.get(name);
-    if (!s || !d) continue;
-    const schemaValues = uniqueSorted(s.values);
-    const dbValues = uniqueSorted(d.values);
-    const same = schemaValues.length === dbValues.length && schemaValues.every((v, i) => v === dbValues[i]);
-    if (same) continue;
-    const added = schemaValues.filter((v) => !dbValues.includes(v));
-    const removed = dbValues.filter((v) => !schemaValues.includes(v));
-    enumValueMismatches.push({ name, dbValues, schemaValues, added, removed });
-  }
-  return {
-    expectedTables: params.expectedTables,
-    expectedEnums: params.expectedEnums,
-    dbTables: params.dbTables,
-    dbEnums: params.dbEnums,
-    missingTables,
-    orphanTables,
-    missingEnums,
-    extraEnums,
-    enumValueMismatches
-  };
-}
-function extractTablesFromIdempotentSql(idempotentDir, projectRoot = process.cwd()) {
-  const fullPath = path11__default.resolve(projectRoot, idempotentDir);
-  if (!existsSync(fullPath)) {
-    return [];
-  }
-  const tables = [];
-  const createTablePattern = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:"?([a-zA-Z_][a-zA-Z0-9_]*)"?\.)?(?:"?([a-zA-Z_][a-zA-Z0-9_]*)"?)/gi;
-  try {
-    const files = readdirSync(fullPath).filter((f) => f.endsWith(".sql"));
-    for (const file of files) {
-      const filePath = path11__default.join(fullPath, file);
-      const content = readFileSync(filePath, "utf-8");
-      const contentWithoutComments = content.replace(/--.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
-      for (const match of contentWithoutComments.matchAll(createTablePattern)) {
-        const schema = match[1] || "public";
-        const tableName = match[2];
-        if (tableName) {
-          tables.push(`${schema}.${tableName}`);
-        }
-      }
-    }
-  } catch {
-    return [];
-  }
-  return [...new Set(tables)].sort();
-}
-
-// src/commands/db/commands/db-cleanup.ts
 function quoteIdentifier(identifier) {
   return `"${identifier.replaceAll('"', '""')}"`;
 }
@@ -20938,64 +21679,6 @@ var diffVisualCommand = new Command("diff-visual").description("Visualize schema
 // src/commands/db/commands/db-drizzle.ts
 init_esm_shims();
 
-// src/internal/machines/index.ts
-init_esm_shims();
-
-// src/internal/machines/machine-runner.ts
-init_esm_shims();
-function getOutputOrThrow(snapshot2) {
-  const s = snapshot2;
-  if (s.output === void 0) {
-    throw new CLIError("Machine completed without output", "MACHINE_NO_OUTPUT", [
-      "Ensure the machine defines an `output:` function."
-    ]);
-  }
-  return s.output;
-}
-async function runMachine(params) {
-  const timeoutMs = params.timeoutMs ?? 10 * 60 * 1e3;
-  return new Promise((resolve12, reject) => {
-    const actor = createActor(params.machine, { input: params.input });
-    const timer = setTimeout(() => {
-      try {
-        actor.stop?.();
-      } catch {
-      }
-      reject(
-        new CLIError("Machine execution timed out", "MACHINE_TIMEOUT", [
-          `Timeout: ${timeoutMs}ms`,
-          "Consider increasing timeoutMs for long-running operations."
-        ])
-      );
-    }, timeoutMs);
-    const sub = actor.subscribe((snapshot2) => {
-      try {
-        params.onSnapshot?.(snapshot2);
-        const stateName = params.helpers.getStateName(snapshot2);
-        params.onTransition?.(stateName);
-        if (params.helpers.isComplete(snapshot2)) {
-          clearTimeout(timer);
-          sub.unsubscribe();
-          const out = getOutputOrThrow(snapshot2);
-          resolve12(out);
-        }
-      } catch (err) {
-        clearTimeout(timer);
-        sub.unsubscribe();
-        reject(err);
-      }
-    });
-    try {
-      actor.start();
-      actor.send({ type: "START" });
-    } catch (err) {
-      clearTimeout(timer);
-      sub.unsubscribe();
-      reject(err);
-    }
-  });
-}
-
 // src/utils/execution-plan.ts
 init_esm_shims();
 function getChangeIcon(type) {
@@ -21266,6 +21949,10 @@ var RISK_PATTERNS = [
 function normalizeContent(content) {
   return content.replace(/--[^\n]*/g, " ").replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\s+/g, " ").trim();
 }
+function stripSqlCommentsPreserveLines(content) {
+  const lineMasked = content.replace(/--[^\n]*/g, (match) => " ".repeat(match.length));
+  return lineMasked.replace(/\/\*[\s\S]*?\*\//g, (match) => match.replace(/[^\n]/g, " "));
+}
 function maskWrapperFunctions(content) {
   const wrapperPattern = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:public\.)?runa_auth_\w+\s*\([^)]*\)[^$]*(\$[a-zA-Z_]*\$)[\s\S]*?\1;?/gi;
   return content.replace(wrapperPattern, "/* WRAPPER_FUNCTION_MASKED */");
@@ -21280,6 +21967,9 @@ function findLineNumber(originalContent, matchText) {
   const beforeMatch = originalContent.substring(0, match.index);
   return beforeMatch.split("\n").length;
 }
+function lineNumberFromIndex(content, index) {
+  return content.substring(0, Math.max(0, index)).split("\n").length;
+}
 function detectRisksFromContent(normalizedContent, originalContent) {
   const risks = [];
   const seenDescriptions = /* @__PURE__ */ new Set();
@@ -21302,18 +21992,18 @@ function detectRisksFromContent(normalizedContent, originalContent) {
   }
   return risks;
 }
-function detectForeignKeyRisks(lines) {
+function detectForeignKeyRisks(originalContent) {
   const risks = [];
-  const fkPattern = /REFERENCES\s+[\w."]+\s*\(/i;
-  for (let i = 0; i < lines.length; i++) {
-    if (fkPattern.test(lines[i])) {
-      risks.push({
-        level: "low",
-        description: "Foreign key columns should have indexes",
-        mitigation: "Add index on foreign key column for better performance",
-        line: i + 1
-      });
-    }
+  const fkPattern = /REFERENCES\s+[\w."]+\s*\(/gi;
+  const contentWithoutComments = stripSqlCommentsPreserveLines(originalContent);
+  let match;
+  while ((match = fkPattern.exec(contentWithoutComments)) !== null) {
+    risks.push({
+      level: "low",
+      description: "Foreign key columns should have indexes",
+      mitigation: "Add index on foreign key column for better performance",
+      line: lineNumberFromIndex(originalContent, match.index ?? 0)
+    });
   }
   return risks;
 }
@@ -21325,9 +22015,8 @@ async function detectSchemaRisks(filePath) {
     const content = await readFile(filePath, "utf-8");
     const maskedContent = maskWrapperFunctions(content);
     const normalizedContent = normalizeContent(maskedContent);
-    const lines = content.split("\n");
     const contentRisks = detectRisksFromContent(normalizedContent, content);
-    const fkRisks = detectForeignKeyRisks(lines);
+    const fkRisks = detectForeignKeyRisks(content);
     return [...contentRisks, ...fkRisks];
   } catch (_error) {
     return [];
@@ -21833,11 +22522,18 @@ var setupContext = fromPromise(
     const dbPackagePath = await getDatabasePackagePath();
     const databaseUrl = resolveDatabaseUrl(env2);
     const tmpDir = `${repoRoot}/.runa-tmp`;
+    let configTimeoutMs;
+    try {
+      const config = loadRunaConfig2();
+      configTimeoutMs = config.database?.sync?.timeoutMs;
+    } catch {
+    }
     return {
       repoRoot,
       tmpDir,
       databaseUrl,
-      dbPackagePath
+      dbPackagePath,
+      configTimeoutMs
     };
   }
 );
@@ -21982,7 +22678,9 @@ var syncSchema = fromPromise(
         skipCodegen: ctx.skipCodegen,
         reportJson: ctx.reportJson,
         invokedAs: "runa db sync",
-        fromProduction: ctx.fromProduction
+        fromProduction: ctx.fromProduction,
+        timeoutMs: ctx.timeoutMs,
+        configTimeoutMs: ctx.configTimeoutMs
       });
       return {
         applied: result.applied,
@@ -22132,7 +22830,11 @@ z.object({
   skipCodegen: z.boolean(),
   fromProduction: z.boolean(),
   autoSnapshot: z.boolean(),
-  reportJson: z.string().optional()
+  reportJson: z.string().optional(),
+  /** Subprocess timeout in milliseconds (from CLI flag) */
+  timeoutMs: z.number().int().positive().optional(),
+  /** Config-level timeout from runa.config.ts (lower priority than timeoutMs and env var) */
+  configTimeoutMs: z.number().int().positive().optional()
 });
 z.object({
   /** Target environment */
@@ -22168,8 +22870,10 @@ z.object({
   autoSnapshot: z.boolean().optional(),
   reportJson: z.string().optional(),
   /** Pre-clean orphan empty tables + unused enums before sync */
-  reconcile: z.boolean().optional()
-});
+  reconcile: z.boolean().optional(),
+  /** Subprocess timeout in milliseconds */
+  timeoutMs: z.number().int().positive().optional()
+}).strict();
 
 // src/commands/db/sync/machine.ts
 init_esm_shims();
@@ -22341,7 +23045,9 @@ var dbSyncMachine = setup({
                 skipCodegen: context.input.skipCodegen ?? false,
                 fromProduction: context.input.fromProduction ?? false,
                 autoSnapshot: context.input.autoSnapshot ?? false,
-                reportJson: context.input.reportJson
+                reportJson: context.input.reportJson,
+                timeoutMs: context.input.timeoutMs,
+                configTimeoutMs: event.output.configTimeoutMs
               })
             })
           },
@@ -22361,7 +23067,9 @@ var dbSyncMachine = setup({
                 skipCodegen: context.input.skipCodegen ?? false,
                 fromProduction: context.input.fromProduction ?? false,
                 autoSnapshot: context.input.autoSnapshot ?? false,
-                reportJson: context.input.reportJson
+                reportJson: context.input.reportJson,
+                timeoutMs: context.input.timeoutMs,
+                configTimeoutMs: event.output.configTimeoutMs
               })
             })
           }
@@ -22581,7 +23289,8 @@ function optionsToMachineInput2(env2, options) {
     fromProduction: options.fromProduction === true || typeof options.fromProduction === "string",
     reportJson: options.reportJson,
     targetDir: process.cwd(),
-    reconcile: options.reconcile === true
+    reconcile: options.reconcile === true,
+    timeoutMs: options.timeout
   };
 }
 var dbSyncHelpers = {
@@ -22773,6 +23482,14 @@ var syncCommand = new Command("sync").description("Sync SQL schemas to database
 ).option(
   "--bootstrap",
   "Bootstrap mode: Auto-start Supabase with --ignore-health-check if not running"
+).option(
+  "--timeout <ms>",
+  "Subprocess timeout in ms (default: 180000 local, 600000 production)",
+  (val) => {
+    const n = Number.parseInt(val, 10);
+    if (Number.isNaN(n) || n <= 0) throw new Error("--timeout must be a positive integer");
+    return n;
+  }
 ).action(
   async (env2, options) => await runSyncCommandAction(env2, options)
 );
@@ -23451,9 +24168,9 @@ async function checkDocker() {
       severity: "error",
       message: "Docker is not running or not installed",
       fixInstructions: [
-        "Start Docker Desktop (macOS/Windows)",
-        "Or start Docker daemon: sudo systemctl start docker (Linux)",
-        "Install Docker: https://docs.docker.com/get-docker/"
+        "Start Colima: colima start --cpu 4 --memory 8 --disk 60 --vm-type vz --mount-type virtiofs",
+        "Install Colima: brew install colima docker",
+        "Linux: sudo systemctl start docker"
       ]
     };
   }
@@ -23485,24 +24202,24 @@ async function checkPort(port) {
 }
 function detectSupabasePortsFromConfig() {
   const configPath = path11__default.join(process.cwd(), "supabase", "config.toml");
-  const BASE_PORTS = { api: 54321, db: 54322, studio: 54323, inbucket: 54324 };
+  const BASE_PORTS2 = { api: 54321, db: 54322, studio: 54323, inbucket: 54324 };
   if (!existsSync(configPath)) {
-    return Object.values(BASE_PORTS);
+    return Object.values(BASE_PORTS2);
   }
   try {
     const content = readFileSync(configPath, "utf-8");
     const ports = [];
     const apiMatch = content.match(/\[api\][\s\S]*?port\s*=\s*(\d+)/);
-    ports.push(apiMatch ? Number.parseInt(apiMatch[1], 10) : BASE_PORTS.api);
+    ports.push(apiMatch ? Number.parseInt(apiMatch[1], 10) : BASE_PORTS2.api);
     const dbMatch = content.match(/\[db\][\s\S]*?port\s*=\s*(\d+)/);
-    ports.push(dbMatch ? Number.parseInt(dbMatch[1], 10) : BASE_PORTS.db);
+    ports.push(dbMatch ? Number.parseInt(dbMatch[1], 10) : BASE_PORTS2.db);
     const studioMatch = content.match(/\[studio\][\s\S]*?port\s*=\s*(\d+)/);
-    ports.push(studioMatch ? Number.parseInt(studioMatch[1], 10) : BASE_PORTS.studio);
+    ports.push(studioMatch ? Number.parseInt(studioMatch[1], 10) : BASE_PORTS2.studio);
     const inbucketMatch = content.match(/\[inbucket\][\s\S]*?port\s*=\s*(\d+)/);
-    ports.push(inbucketMatch ? Number.parseInt(inbucketMatch[1], 10) : BASE_PORTS.inbucket);
+    ports.push(inbucketMatch ? Number.parseInt(inbucketMatch[1], 10) : BASE_PORTS2.inbucket);
     return ports;
   } catch {
-    return Object.values(BASE_PORTS);
+    return Object.values(BASE_PORTS2);
   }
 }
 async function checkSupabasePorts() {
@@ -23569,68 +24286,56 @@ function diagnoseInitFailure(errorMessage) {
 
 // src/utils/port-allocator.ts
 init_esm_shims();
-var BASE_PORT = 54321;
-var PORTS_PER_SLOT = 10;
-var TOTAL_SLOTS = 100;
-function calculatePortOffset(projectPath) {
-  const normalizedPath = path11__default.resolve(projectPath);
-  const hash = createHash("md5").update(normalizedPath).digest("hex");
-  return parseInt(hash.slice(0, 8), 16) % TOTAL_SLOTS;
-}
 function getSupabasePorts(projectPath) {
   const offset = calculatePortOffset(projectPath);
-  const basePort = BASE_PORT + offset * PORTS_PER_SLOT;
-  return {
-    api: basePort + 0,
-    db: basePort + 1,
-    studio: basePort + 2,
-    inbucket: basePort + 3,
-    auth: basePort + 4,
-    rest: basePort + 5,
-    realtime: basePort + 6,
-    storage: basePort + 7,
-    shadow: basePort + 8
-  };
+  return getPortsWithOffset(offset);
 }
-function updateSupabaseConfigPorts(projectPath) {
-  const ports = getSupabasePorts(projectPath);
+async function updateSupabaseConfigPortsSafe(projectPath) {
   const configPath = path11__default.join(projectPath, "supabase", "config.toml");
+  const resolved = await resolveAvailablePorts(projectPath);
+  if (!resolved) {
+    const ports = getSupabasePorts(projectPath);
+    return { updated: false, ports, configPath, retried: false };
+  }
   if (!existsSync(configPath)) {
-    return { updated: false, ports, configPath };
+    return { updated: false, ports: resolved.ports, configPath, retried: resolved.retried };
   }
+  const updated = writePortsToConfig(configPath, resolved.ports);
+  return { updated, ports: resolved.ports, configPath, retried: resolved.retried };
+}
+function writePortsToConfig(configPath, ports) {
   let content = readFileSync(configPath, "utf-8");
-  let updated = false;
+  let changed = false;
   const portMappings = [
     { section: "api", key: "port", value: ports.api },
     { section: "db", key: "port", value: ports.db },
     { section: "db", key: "shadow_port", value: ports.shadow },
     { section: "studio", key: "port", value: ports.studio },
-    { section: "inbucket", key: "port", value: ports.inbucket },
-    { section: "auth", key: "port", value: ports.auth }
-    // Note: rest, realtime, storage ports are internal and not in config.toml
+    { section: "inbucket", key: "port", value: ports.inbucket }
   ];
   for (const { section, key, value } of portMappings) {
     const sectionRegex = new RegExp(`(\\[${section}\\][^\\[]*?)(${key}\\s*=\\s*)(\\d+)`, "gs");
+    sectionRegex.lastIndex = 0;
     const newContent = content.replace(sectionRegex, (match, prefix, keyPart, oldValue) => {
       if (parseInt(oldValue, 10) !== value) {
-        updated = true;
+        changed = true;
         return `${prefix}${keyPart}${value}`;
       }
       return match;
     });
     content = newContent;
   }
-  if (updated) {
+  if (changed) {
     writeFileSync(configPath, content, "utf-8");
   }
-  return { updated, ports, configPath };
+  return changed;
 }
 function getPortAllocationSummary(projectPath) {
   const ports = getSupabasePorts(projectPath);
   const offset = calculatePortOffset(projectPath);
   return [
     `Port allocation for: ${path11__default.basename(projectPath)}`,
-    `  Slot: ${offset} (hash-based)`,
+    `  Slot: ${offset / 10} (hash-based, offset=${offset})`,
     `  API:     ${ports.api}`,
     `  DB:      ${ports.db}`,
     `  Studio:  ${ports.studio}`,
@@ -23788,11 +24493,14 @@ var startCommand = new Command("start").description("Start local Supabase with a
         logger16.info(output3);
         return;
       }
-      const portResult = updateSupabaseConfigPorts(projectRoot);
+      const portResult = await updateSupabaseConfigPortsSafe(projectRoot);
       if (portResult.updated) {
         logger16.info("\u{1F522} Port allocation updated for this project:");
         logger16.info(getPortAllocationSummary(projectRoot));
       }
+      if (portResult.retried) {
+        logger16.warn("\u26A0\uFE0F Hash-based port slot was occupied; using fallback slot.");
+      }
       logStartModeInfo(logger16, options, detectionResult, finalExcluded);
       const result = await dbStart({
         exclude: finalExcluded,
@@ -23879,11 +24587,14 @@ var resetCommand = new Command("reset").description("Reset local database with s
   try {
     logger16.section("Database Reset");
     const projectRoot = process.cwd();
-    const portResult = updateSupabaseConfigPorts(projectRoot);
+    const portResult = await updateSupabaseConfigPortsSafe(projectRoot);
     if (portResult.updated) {
       logger16.info("\u{1F522} Port allocation updated for this project:");
       logger16.info(getPortAllocationSummary(projectRoot));
     }
+    if (portResult.retried) {
+      logger16.warn("\u26A0\uFE0F Hash-based port slot was occupied; using fallback slot.");
+    }
     logger16.step("Stopping Supabase...", 1);
     const resetResult = await dbReset({
       env: "local",
@@ -24733,9 +25444,15 @@ async function readSeedMetadataFile(metadataPath) {
   }
 }
 var seedMetadataCommand = new Command("metadata").description("Extract seed metadata (primary root anchor) for CI workflows").option("--file <path>", "Path to metadata JSON file (optional; prefer --from-db)").option("--from-db", "Infer metadata from applied database state (preferred)", false).option("--github-output", "Write outputs to $GITHUB_OUTPUT (GitHub Actions)", false).action(async (options) => {
-  const metadataPath = options.file?.trim();
-  const shouldUseDb = options.fromDb === true || !metadataPath;
-  const out = shouldUseDb ? await inferPrimaryIdsFromDatabase() : await readSeedMetadataFile(metadataPath);
+  const rawMetadataPath = options.file?.trim();
+  const shouldUseDb = options.fromDb === true || !rawMetadataPath;
+  let out;
+  if (shouldUseDb) {
+    out = await inferPrimaryIdsFromDatabase();
+  } else {
+    const validatedPath = validateUserFilePath(rawMetadataPath, process.cwd());
+    out = await readSeedMetadataFile(validatedPath);
+  }
   if (options.githubOutput === true) {
     await writeGitHubOutput({
       ...out.primary?.root?.id ? { root_id: out.primary.root.id } : {},
@@ -26518,9 +27235,7 @@ async function getVercelRootDirectory() {
 init_local_supabase();
 var ERROR_MESSAGES3 = {
   INVALID_PATH: "Invalid working directory path",
-  PATH_TRAVERSAL: "Working directory path validation failed",
-  APP_NOT_FOUND: "App directory not found"
-};
+  PATH_TRAVERSAL: "Working directory path validation failed"};
 function sanitizeErrorMessage(message) {
   if (!message || typeof message !== "string") {
     return "Unknown error";
@@ -26580,23 +27295,6 @@ function validateCustomWorkingDir(cwdPath, projectRoot) {
   }
   return absolutePath;
 }
-function validateAppDirectory2(appName, projectRoot) {
-  if (containsPathTraversal3(appName) || appName.includes("/") || appName.includes("\\")) {
-    throw new CLIError(ERROR_MESSAGES3.PATH_TRAVERSAL, "ENV_PULL_PATH_TRAVERSAL");
-  }
-  const appsDir = resolve(projectRoot, "apps");
-  const appDir = resolve(appsDir, appName);
-  if (!isPathWithinBase2(appDir, appsDir)) {
-    throw new CLIError(ERROR_MESSAGES3.PATH_TRAVERSAL, "ENV_PULL_PATH_TRAVERSAL");
-  }
-  if (!existsSync(appDir)) {
-    throw new CLIError(ERROR_MESSAGES3.APP_NOT_FOUND, "ENV_PULL_APP_NOT_FOUND", [
-      `Available apps: ${getAvailableApps().join(", ") || "none"}`,
-      "Specify full path with --cwd instead"
-    ]);
-  }
-  return appDir;
-}
 var LOCAL_BOOTSTRAP_REQUIRED_KEYS = [
   "LOCAL_SUPABASE_HOST",
   "LOCAL_SUPABASE_API_PORT",
@@ -26693,22 +27391,18 @@ function resolveVercelAuth(workDir, options, logger16) {
 }
 function resolveWorkingDir(options) {
   const projectRoot = process.cwd();
+  if (options.app) {
+    console.warn(
+      `\u26A0\uFE0F  --app is deprecated. Environment files are managed at the monorepo root only.
+   Turbo auto-propagates root .env.* files to all workspaces.
+   Writing to project root instead of apps/${options.app}/.`
+    );
+  }
   if (options.cwd) {
     return validateCustomWorkingDir(options.cwd, projectRoot);
   }
-  if (options.app) {
-    return validateAppDirectory2(options.app, projectRoot);
-  }
   return projectRoot;
 }
-function getAvailableApps() {
-  const appsDir = resolve(process.cwd(), "apps");
-  if (!existsSync(appsDir)) return [];
-  return readdirSync(appsDir).filter((name) => {
-    const fullPath = resolve(appsDir, name);
-    return statSync(fullPath).isDirectory();
-  });
-}
 function getOutputPath(workDir, environment) {
   return resolve(workDir, `.env.${environment}`);
 }
@@ -28941,7 +29635,11 @@ async function listArchivedHotfixes(input3 = {}) {
   const hotfixes = [];
   for (const file of files.filter((f) => f.endsWith(".json"))) {
     try {
-      const content = await readFile(path11__default.join(archiveDir, file), "utf-8");
+      const filePath = path11__default.join(archiveDir, file);
+      if (!isPathContained(archiveDir, filePath)) {
+        continue;
+      }
+      const content = await readFile(filePath, "utf-8");
       hotfixes.push(HotfixMetadataSchema.parse(JSON.parse(content)));
     } catch {
     }
@@ -30278,10 +30976,10 @@ Fix:
 Docker is not running or not installed.
 
 Fix:
-  1. Start Docker Desktop (macOS/Windows)
-  2. Or start Docker daemon (Linux): sudo systemctl start docker
-  3. Verify Docker is running: docker ps
-  4. Install Docker if needed: https://docs.docker.com/get-docker/
+  1. Start Colima: colima start --cpu 4 --memory 8 --vm-type vz --mount-type virtiofs
+  2. Install Colima: brew install colima docker
+  3. Linux: sudo systemctl start docker
+  4. Verify Docker is running: docker ps
     `,
     relatedCommands: ["runa check"]
   },
@@ -30407,7 +31105,7 @@ init_esm_shims();
 
 // src/constants/versions.ts
 init_esm_shims();
-var COMPATIBLE_TEMPLATES_VERSION = "0.5.44";
+var COMPATIBLE_TEMPLATES_VERSION = "0.5.56";
 var TEMPLATES_PACKAGE_NAME = "@r06-dev/runa-templates";
 var GITHUB_PACKAGES_REGISTRY = "https://npm.pkg.github.com";
 
@@ -31371,21 +32069,28 @@ function collectRouteInfo(relativePath, code, _verbose) {
   if (isExcludedScope(relativePath)) {
     return;
   }
-  if (isPageFile(relativePath)) {
+  const isPage = isPageFile(relativePath);
+  const isLayout = isLayoutFile(relativePath);
+  const isApiRoute = isApiRouteFile(relativePath);
+  const isMiddleware = isMiddlewareFile(relativePath);
+  if (isPage) {
     collectPageInfo(relativePath, code);
   }
-  if (isLayoutFile(relativePath)) {
+  if (isLayout) {
     collectLayoutInfo(relativePath, code);
   }
-  if (isApiRouteFile(relativePath)) {
+  if (isApiRoute) {
     collectApiRouteInfo(relativePath, code);
   }
-  if (isMiddlewareFile(relativePath)) {
+  if (isMiddleware) {
     collectAuthBoundaries(relativePath, code);
   }
   if (hasMachineDefinition(code)) {
     collectMachineDefinition(relativePath, code);
   }
+  if (!isPage && !isLayout && !isApiRoute && !isMiddleware) {
+    collectComponentInfo(relativePath, code);
+  }
 }
 function emptyResult(filePath) {
   return {
@@ -31826,6 +32531,12 @@ async function preprocessFile(filePath, repoRoot, options) {
     const attrs = extractInjectedAttributes(code);
     const machineIdMatches = code.matchAll(/data-machine-id="([^"]+)"/g);
     const machineIds = [...new Set([...machineIdMatches].map((m) => m[1]).filter(Boolean))];
+    const resolutionDetails = machineIds.map((machineId) => ({
+      filePath: relativePath,
+      machineRef: machineId,
+      resolvedId: machineId,
+      source: "explicit"
+    }));
     if (machineIds.length === 0 && mightContainMachineHooks(code)) {
       if (options.verbose) {
         console.log(`  [recovery] Marker found but no attributes in ${relativePath}, re-injecting`);
@@ -31844,7 +32555,7 @@ async function preprocessFile(filePath, repoRoot, options) {
         machineIds,
         changed: false,
         ...attrs,
-        resolutionDetails: []
+        resolutionDetails
       }
     };
   }
@@ -34984,15 +35695,15 @@ function printActionsNeeded(logger16, actions) {
   );
 }
 function findRepoRoot3(startDir) {
-  const { existsSync: existsSync52, readFileSync: readFileSync29 } = __require("fs");
+  const { existsSync: existsSync53, readFileSync: readFileSync29 } = __require("fs");
   const { join: join23, dirname: dirname5 } = __require("path");
   let current = startDir;
   while (current !== dirname5(current)) {
-    if (existsSync52(join23(current, "turbo.json"))) {
+    if (existsSync53(join23(current, "turbo.json"))) {
       return current;
     }
     const pkgPath = join23(current, "package.json");
-    if (existsSync52(pkgPath)) {
+    if (existsSync53(pkgPath)) {
       try {
         const pkg = JSON.parse(readFileSync29(pkgPath, "utf-8"));
         if (pkg.workspaces) {
@@ -35060,10 +35771,10 @@ function generateReportOutput(output3, isJsonMode) {
   };
 }
 function validateRunaRepo(repoRoot) {
-  const { existsSync: existsSync52 } = __require("fs");
+  const { existsSync: existsSync53 } = __require("fs");
   const { join: join23 } = __require("path");
   const templateDir = join23(repoRoot, "packages/runa-templates/templates");
-  if (!existsSync52(templateDir)) {
+  if (!existsSync53(templateDir)) {
     throw new CLIError("template-check is a runa-repo only command", "NOT_RUNA_REPO", [
       "This command compares runa-repo with pj-repo templates",
       "It should only be run in the runa repository",