@runa-ai/runa-cli 0.5.71 → 0.5.72

package/dist/commands/db/apply/actors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actors.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/apply/actors.ts"],"names":[],"mappings":"AAwCA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AA8FlD,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iEAAiE;IACjE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wFAAwF;IACxF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAohCD;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB;WAExB,YAAY;eAAa,MAAM;UAAQ,KAAK,GAAG,MAAM;gCA+C9D,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB;WAEnB,YAAY;eAAa,MAAM;gCAqQxC,CAAC;AAkCH;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB;cACjB,MAAM,EAAE;;WACX,YAAY;eAAa,MAAM;gCAwBxC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,UAAU;aACV,OAAO;;WACT,YAAY;eAAa,MAAM;gCAmExC,CAAC"}
+{"version":3,"file":"actors.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/apply/actors.ts"],"names":[],"mappings":"AAwCA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AA8FlD,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iEAAiE;IACjE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wFAAwF;IACxF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAkgCD;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB;WAExB,YAAY;eAAa,MAAM;UAAQ,KAAK,GAAG,MAAM;gCA+C9D,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB;WAEnB,YAAY;eAAa,MAAM;gCA0RxC,CAAC;AAkCH;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB;cACjB,MAAM,EAAE;;WACX,YAAY;eAAa,MAAM;gCAwBxC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,UAAU;aACV,OAAO;;WACT,YAAY;eAAa,MAAM;gCAmExC,CAAC"}

package/dist/commands/db/apply/helpers/index.d.ts

@@ -5,7 +5,7 @@
  */
 export { acquireAdvisoryLock, MIGRATION_LOCK_ID, releaseAdvisoryLock, } from './advisory-lock.js';
 export type { FilterResult, PlanHazard, PlanStatement, ValidatedPlan } from './plan-validator.js';
-export { filterIdempotentProtectedStatements, isDropStatementForProtectedObject, parsePlanOutput, validatePlanForExecution, } from './plan-validator.js';
+export { ALLOWED_DDL_PREFIXES, BLOCKED_SQL_PATTERNS, filterIdempotentProtectedStatements, isDropStatementForProtectedObject, parsePlanOutput, validatePlanForExecution, validateStatementTypes, } from './plan-validator.js';
 export type { IdempotentProtectedObjects, ParsedHazard, PartitionPrivilegeDetection, PgSchemaDiffPlanOptions, } from './pg-schema-diff-helpers.js';
 export type { ShadowDbConfig, ShadowDbResult } from './shadow-db-manager.js';
 export { buildAllowedHazards, detectDropTableStatements, detectPartitionPrivilegeError, displayCheckModeResults, displayHazardsWithContext, executePgSchemaDiffPlan, filterFalsePositiveHazards, formatPartitionPrivilegeHint, getIdempotentProtectedObjects, getIdempotentProtectedTables, getIdempotentRoles, handleHazardsWithContext, handleProductionAuthzProtection, handleProductionDataProtection, isIdempotentRoleHazard, parseHazardsWithContext, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, resetIdempotentRolesCache, verifyDatabaseConnection, verifyPgSchemaDiffBinary, } from './pg-schema-diff-helpers.js';

package/dist/commands/db/apply/helpers/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAE5B,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EACL,mCAAmC,EACnC,iCAAiC,EACjC,eAAe,EACf,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAE7B,YAAY,EACV,0BAA0B,EAC1B,YAAY,EACZ,2BAA2B,EAC3B,uBAAuB,GACxB,MAAM,6BAA6B,CAAC;AACrC,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAE7E,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,6BAA6B,EAC7B,uBAAuB,EACvB,yBAAyB,EACzB,uBAAuB,EACvB,0BAA0B,EAC1B,4BAA4B,EAC5B,6BAA6B,EAC7B,4BAA4B,EAC5B,kBAAkB,EAClB,wBAAwB,EACxB,+BAA+B,EAC/B,8BAA8B,EAC9B,sBAAsB,EACtB,uBAAuB,EACvB,+BAA+B,EAC/B,yBAAyB,EACzB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,6BAA6B,CAAC;AACrC,YAAY,EAAE,kBAAkB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAErF,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,oBAAoB,EACpB,uBAAuB,EACvB,kBAAkB,EAClB,WAAW,EACX,KAAK,GACN,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,4BAA4B,EAC5B,4BAA4B,EAC5B,aAAa,GACd,MAAM,wBAAwB,CAAC;AAEhC,YAAY,EACV,uBAAuB,EACvB,aAAa,EACb,iBAAiB,GAClB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EACL,sBAAsB,EACtB,+BAA+B,EAC/B,aAAa,EACb,cAAc,EACd,cAAc,EACd,sBAAsB,EACtB,eAAe,GAChB,MAAM,iCAAiC,CAAC;AAEzC,YAAY,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACzF,OAAO,EAAE,iCAAiC,EAAE,MAAM,4BAA4B,CAAC;AAE/E,YAAY,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AACvF,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAEnE,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAClF,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,uBAAuB,EACvB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,0BAA0B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAE5B,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mCAAmC,EACnC,iCAAiC,EACjC,eAAe,EACf,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAE7B,YAAY,EACV,0BAA0B,EAC1B,YAAY,EACZ,2BAA2B,EAC3B,uBAAuB,GACxB,MAAM,6BAA6B,CAAC;AACrC,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAE7E,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,6BAA6B,EAC7B,uBAAuB,EACvB,yBAAyB,EACzB,uBAAuB,EACvB,0BAA0B,EAC1B,4BAA4B,EAC5B,6BAA6B,EAC7B,4BAA4B,EAC5B,kBAAkB,EAClB,wBAAwB,EACxB,+BAA+B,EAC/B,8BAA8B,EAC9B,sBAAsB,EACtB,uBAAuB,EACvB,+BAA+B,EAC/B,yBAAyB,EACzB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,6BAA6B,CAAC;AACrC,YAAY,EAAE,kBAAkB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAErF,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,oBAAoB,EACpB,uBAAuB,EACvB,kBAAkB,EAClB,WAAW,EACX,KAAK,GACN,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,4BAA4B,EAC5B,4BAA4B,EAC5B,aAAa,GACd,MAAM,wBAAwB,CAAC;AAEhC,YAAY,EACV,uBAAuB,EACvB,aAAa,EACb,iBAAiB,GAClB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EACL,sBAAsB,EACtB,+BAA+B,EAC/B,aAAa,EACb,cAAc,EACd,cAAc,EACd,sBAAsB,EACtB,eAAe,GAChB,MAAM,iCAAiC,CAAC;AAEzC,YAAY,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACzF,OAAO,EAAE,iCAAiC,EAAE,MAAM,4BAA4B,CAAC;AAE/E,YAAY,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AACvF,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAEnE,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAClF,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,uBAAuB,EACvB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,0BAA0B,CAAC"}

package/dist/commands/db/apply/helpers/plan-validator.d.ts

@@ -95,6 +95,32 @@ export declare function filterIdempotentProtectedStatements(plan: ValidatedPlan,
 export { isDropStatementForProtected as _isDropStatementForProtected };
 export { extractProtectedSchemas as _extractProtectedSchemas };
 export { isDropSchemaForProtected as _isDropSchemaForProtected };
+/**
+ * Allowed DDL statement prefixes. Only these statement types are permitted
+ * in pg-schema-diff plan output. Checked against the normalized first keyword(s)
+ * of each statement's SQL.
+ */
+export declare const ALLOWED_DDL_PREFIXES: readonly ["CREATE TABLE", "ALTER TABLE", "DROP TABLE", "CREATE INDEX", "CREATE UNIQUE INDEX", "DROP INDEX", "CREATE SCHEMA", "ALTER SCHEMA", "DROP SCHEMA", "CREATE FUNCTION", "CREATE OR REPLACE FUNCTION", "ALTER FUNCTION", "DROP FUNCTION", "CREATE TRIGGER", "ALTER TRIGGER", "DROP TRIGGER", "CREATE VIEW", "CREATE OR REPLACE VIEW", "CREATE MATERIALIZED VIEW", "ALTER VIEW", "DROP VIEW", "DROP MATERIALIZED VIEW", "CREATE TYPE", "ALTER TYPE", "DROP TYPE", "CREATE SEQUENCE", "ALTER SEQUENCE", "DROP SEQUENCE", "CREATE POLICY", "ALTER POLICY", "DROP POLICY", "CREATE ROLE", "ALTER ROLE", "DROP ROLE", "CREATE EXTENSION", "ALTER EXTENSION", "DROP EXTENSION", "GRANT", "REVOKE", "SET", "COMMENT ON"];
+/**
+ * Explicitly blocked SQL patterns. These are DML or dangerous statements
+ * that should never appear as the leading keyword of a plan statement.
+ *
+ * Note: SELECT/INSERT inside CREATE FUNCTION bodies are safe because
+ * the leading keyword is CREATE FUNCTION, not SELECT/INSERT.
+ */
+export declare const BLOCKED_SQL_PATTERNS: ReadonlyArray<{
+    pattern: RegExp;
+    label: string;
+}>;
+/**
+ * Validate that all statements in the plan use allowed DDL types.
+ *
+ * Defense-in-depth: blocks DML (INSERT/UPDATE/DELETE) and dangerous SQL
+ * (DO $$, COPY, EXECUTE) that should never appear in a schema migration plan.
+ *
+ * @throws Error if any statement uses a blocked or unrecognized SQL type
+ */
+export declare function validateStatementTypes(plan: ValidatedPlan): void;
 /**
  * Validate that all hazards in the plan are in the allowed list.
  *

package/dist/commands/db/apply/helpers/plan-validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"plan-validator.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/plan-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AAM9E,eAAO,MAAM,gBAAgB;;;iBAG3B,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;iBAI9B,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;;;;;iBAI9B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAiFhE;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,CAgBjE;AAMD,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,aAAa,CAAC;IAC5B,iBAAiB,EAAE,aAAa,EAAE,CAAC;CACpC;AAED;;;;;;;;;GASG;AACH,iBAAS,2BAA2B,CAAC,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAgEpF;AAwBD;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,MAAM,EACX,gBAAgB,EAAE,0BAA0B,GAC3C,OAAO,CA2CT;AAED;;;GAGG;AACH,iBAAS,uBAAuB,CAAC,eAAe,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CASpE;AAED;;;GAGG;AACH,iBAAS,wBAAwB,CAAC,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAYvF;AAED;;;;;;;GAOG;AACH,wBAAgB,mCAAmC,CACjD,IAAI,EAAE,aAAa,EACnB,eAAe,EAAE,MAAM,EAAE,EACzB,gBAAgB,CAAC,EAAE,0BAA0B,GAC5C,YAAY,CAoEd;AAGD,OAAO,EAAE,2BAA2B,IAAI,4BAA4B,EAAE,CAAC;AACvE,OAAO,EAAE,uBAAuB,IAAI,wBAAwB,EAAE,CAAC;AAC/D,OAAO,EAAE,wBAAwB,IAAI,yBAAyB,EAAE,CAAC;AAMjE;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,IAAI,CAehG"}
+{"version":3,"file":"plan-validator.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/plan-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AAM9E,eAAO,MAAM,gBAAgB;;;iBAO3B,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;iBAI9B,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;;;;;iBAI9B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAiFhE;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,CAgBjE;AAMD,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,aAAa,CAAC;IAC5B,iBAAiB,EAAE,aAAa,EAAE,CAAC;CACpC;AAED;;;;;;;;;GASG;AACH,iBAAS,2BAA2B,CAAC,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAgEpF;AAwBD;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,MAAM,EACX,gBAAgB,EAAE,0BAA0B,GAC3C,OAAO,CA2CT;AAED;;;GAGG;AACH,iBAAS,uBAAuB,CAAC,eAAe,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CASpE;AAED;;;GAGG;AACH,iBAAS,wBAAwB,CAAC,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAYvF;AAED;;;;;;;GAOG;AACH,wBAAgB,mCAAmC,CACjD,IAAI,EAAE,aAAa,EACnB,eAAe,EAAE,MAAM,EAAE,EACzB,gBAAgB,CAAC,EAAE,0BAA0B,GAC5C,YAAY,CAoEd;AAGD,OAAO,EAAE,2BAA2B,IAAI,4BAA4B,EAAE,CAAC;AACvE,OAAO,EAAE,uBAAuB,IAAI,wBAAwB,EAAE,CAAC;AAC/D,OAAO,EAAE,wBAAwB,IAAI,yBAAyB,EAAE,CAAC;AAMjE;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,yrBA0CvB,CAAC;AAEX;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,EAAE,aAAa,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAUlF,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,CA2ChE;AAMD;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,IAAI,CAehG"}

package/dist/commands/db/apply/helpers/retry-logic.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"retry-logic.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/retry-logic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,EAAE,KAAK,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AAS9E,eAAO,MAAM,WAAW,IAAI,CAAC;AAC7B,eAAO,MAAM,aAAa,OAAO,CAAC;AAClC,eAAO,MAAM,oBAAoB,QAAQ,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE/C;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,SAAuB,GAAG,MAAM,CAIhG;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAO/D;AAMD;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAKnD;AAMD;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,WAAW;IACrD;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAC/B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,0BAA0B,CAAC;CAC/C;AAED;;;;;;;GAOG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,kBAAkB,GAC1B,OAAO,CAAC,WAAW,CAAC,CAqHtB"}
+{"version":3,"file":"retry-logic.d.ts","sourceRoot":"","sources":["../../../../../src/commands/db/apply/helpers/retry-logic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,EAAE,KAAK,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AAU9E,eAAO,MAAM,WAAW,IAAI,CAAC;AAC7B,eAAO,MAAM,aAAa,OAAO,CAAC;AAClC,eAAO,MAAM,oBAAoB,QAAQ,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE/C;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,SAAuB,GAAG,MAAM,CAIhG;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAO/D;AAMD;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAKnD;AAMD;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,WAAW;IACrD;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAC/B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,0BAA0B,CAAC;CAC/C;AAED;;;;;;;GAOG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,kBAAkB,GAC1B,OAAO,CAAC,WAAW,CAAC,CAsHtB"}

package/dist/index.js

@@ -5,7 +5,7 @@ import path12__default, { join, dirname, resolve, basename, isAbsolute, relative
 import { fileURLToPath } from 'url';
 import * as fs5 from 'fs';
 import fs5__default, { existsSync, readFileSync, unlinkSync, rmSync, readdirSync, mkdtempSync, writeFileSync, mkdirSync, copyFileSync, createWriteStream, statSync, lstatSync, realpathSync, promises, accessSync, constants, chmodSync } from 'fs';
-import { execSync, spawnSync, execFileSync, spawn, exec } from 'child_process';
+import { execSync, spawnSync, spawn, execFileSync, exec } from 'child_process';
 import { createCLILogger, cacheClear, CacheClearOutputSchema, CLIError, cachePrune, CachePruneOutputSchema, cacheStats, CacheStatsOutputSchema, cacheList, CacheListOutputSchema, cacheInvalidate, CacheInvalidateOutputSchema, syncFromProduction, SUPABASE_SYSTEM_SCHEMAS, dbGenerateDiagram, DbDiagramGenerateOutputSchema, createDbSnapshot, syncDatabase, emitDbPushFailureCapsule, emitDbAnnotations, writeDbPushStepSummary, exportDbReportJson, DbSyncOutputSchema, databasePaths, detectRequiredServices, formatDetectionResults, dbStart, DbLifecycleStartOutputSchema, dbStop, DbLifecycleStopOutputSchema, dbReset, DbLifecycleResetOutputSchema, dbValidateSchemas, DbSchemaValidateOutputSchema, DbSchemaRisksOutputSchema, dbDetectSchemaRisks, dbApplySchemas, DbSchemaApplyOutputSchema, dbGenerateTypes, DbSchemaGenerateOutputSchema, extractSchemaFilter, dbSeedInit, DbSeedInitOutputSchema, dbSeedValidate, DbSeedValidateOutputSchema, dbSeedGenerate, DbSeedGenerateOutputSchema, dbVerifySeeds, DbSeedVerifyOutputSchema, DbSnapshotCreateOutputSchema, restoreDbSnapshot, DbSnapshotRestoreOutputSchema, listDbSnapshots, DbSnapshotListOutputSchema, dbGeneratePgTapTests, DbTestGenOutputSchema, dbUpdateGoldenRecord, DbTestUpdateGoldenOutputSchema, repairRunaConfig, detectExistingInitConfig, initProject, validateInitResult, linkCliGlobally, LinkCliOutputSchema, unlinkCliGlobally, UnlinkCliOutputSchema, checkRepoStatus, CheckRepoStatusOutputSchema, enableTelemetry, disableTelemetry, getTelemetryStatus, uploadTelemetry, TelemetryUploadOutputSchema, runTest, TestRunOutputSchema, runTestService, TestServiceOutputSchema, runTestIntegration, TestIntegrationOutputSchema, runTestStatic, TestStaticOutputSchema, generateOwaspTop10Tests, TestOwaspGenerateOutputSchema, updateGoldenRecord, generateE2ETests, generateSecurityTests, generateUnitTests, generateApiTests, generateComponentTests, generateE2EScaffold, validateConfig, ValidateConfigOutputSchema, deploySchemaToProduction, WorkflowNotifyOutputSchema, devopsSync, workflowSync, validateInfrastructure, emitWorkflowValidateFailureCapsule, emitWorkflowAnnotations, writeWorkflowValidateStepSummary, exportWorkflowReportJson, WorkflowValidateInfrastructureOutputSchema, createSuccessEnvelopeSchema, CLI_CONTRACT_VERSION, BASE_PORTS, runChecks, RunCheckOutputSchema, formatDuration as formatDuration$1, GITHUB_API, loadRunaConfig, getClassificationForProfile, loadRunaConfigOrThrow, recordSchemaAudit, RecordSchemaAuditOutputSchema, createBackup, CreateBackupOutputSchema, listBackups, ListBackupsOutputSchema, getBackupMetadata, restoreBackup, RestoreBackupOutputSchema, deleteBackup, DeleteBackupOutputSchema, detectSchemaNames, resolveAvailablePorts, calculatePortOffset, dbSeedApply, writeDbSeedStepSummary, DbSeedApplyOutputSchema, emitDbSeedFailureCapsule, syncEnvironment, EnvSyncOutputSchema, detectDatabasePackage, findProjectRoot as findProjectRoot$1, TelemetryEnableOutputSchema, TelemetryDisableOutputSchema, TelemetryStatusOutputSchema, workflowNotify, DevOpsSyncOutputSchema, WorkflowSyncOutputSchema, formatCLIError, getStatusIcon as getStatusIcon$1, findWorkspaceRoot as findWorkspaceRoot$1, checkExtensionConfig, getPortsWithOffset, UpgradeTransaction, readRunaVersion, syncTemplates, SyncOutputSchema, DATABASE_PACKAGE_CANDIDATES, ErrorEnvelopeSchema, preCheckSync, findConflictFiles, TestUnitGenOutputSchema, TestE2EGenerateOutputSchema, TestSecurityGenOutputSchema, TestApiGenOutputSchema, TestComponentGenOutputSchema } from '@runa-ai/runa';
 import { z } from 'zod';
 import fs9, { mkdir, writeFile, appendFile, readFile, rm, stat, realpath, cp, readdir, lstat } from 'fs/promises';
@@ -1161,7 +1161,7 @@ var CLI_VERSION, HAS_ADMIN_COMMAND;
 var init_version = __esm({
   "src/version.ts"() {
     init_esm_shims();
-    CLI_VERSION = "0.5.71";
+    CLI_VERSION = "0.5.72";
     HAS_ADMIN_COMMAND = false;
   }
 });
@@ -20454,8 +20454,8 @@ function releaseAdvisoryLock(_dbUrl, verbose) {
 // src/commands/db/apply/helpers/plan-validator.ts
 init_esm_shims();
 var PlanHazardSchema = z.object({
-  type: z.string().min(1),
-  message: z.string()
+  type: z.string().min(1).max(100).regex(/^[\w-]+$/),
+  message: z.string().max(1e3)
 });
 var PlanStatementSchema = z.object({
   index: z.number().int().nonnegative(),
@@ -20677,6 +20677,93 @@ function filterIdempotentProtectedStatements(plan, protectedTables, protectedObj
     removedStatements: removed
   };
 }
+var ALLOWED_DDL_PREFIXES = [
+  "CREATE TABLE",
+  "ALTER TABLE",
+  "DROP TABLE",
+  "CREATE INDEX",
+  "CREATE UNIQUE INDEX",
+  "DROP INDEX",
+  "CREATE SCHEMA",
+  "ALTER SCHEMA",
+  "DROP SCHEMA",
+  "CREATE FUNCTION",
+  "CREATE OR REPLACE FUNCTION",
+  "ALTER FUNCTION",
+  "DROP FUNCTION",
+  "CREATE TRIGGER",
+  "ALTER TRIGGER",
+  "DROP TRIGGER",
+  "CREATE VIEW",
+  "CREATE OR REPLACE VIEW",
+  "CREATE MATERIALIZED VIEW",
+  "ALTER VIEW",
+  "DROP VIEW",
+  "DROP MATERIALIZED VIEW",
+  "CREATE TYPE",
+  "ALTER TYPE",
+  "DROP TYPE",
+  "CREATE SEQUENCE",
+  "ALTER SEQUENCE",
+  "DROP SEQUENCE",
+  "CREATE POLICY",
+  "ALTER POLICY",
+  "DROP POLICY",
+  "CREATE ROLE",
+  "ALTER ROLE",
+  "DROP ROLE",
+  "CREATE EXTENSION",
+  "ALTER EXTENSION",
+  "DROP EXTENSION",
+  "GRANT",
+  "REVOKE",
+  "SET",
+  "COMMENT ON"
+];
+var BLOCKED_SQL_PATTERNS = [
+  { pattern: /^\s*INSERT\s+INTO\b/i, label: "INSERT" },
+  { pattern: /^\s*UPDATE\s+\S/i, label: "UPDATE" },
+  { pattern: /^\s*DELETE\s+FROM\b/i, label: "DELETE" },
+  { pattern: /^\s*TRUNCATE\b/i, label: "TRUNCATE" },
+  { pattern: /^\s*COPY\b/i, label: "COPY" },
+  { pattern: /^\s*DO\s+\$/i, label: "DO (anonymous block)" },
+  { pattern: /^\s*EXECUTE\b/i, label: "EXECUTE" },
+  { pattern: /^\s*SELECT\b/i, label: "SELECT" },
+  { pattern: /^\s*CALL\b/i, label: "CALL" }
+];
+function validateStatementTypes(plan) {
+  if (plan.totalStatements === 0) return;
+  const violations = [];
+  for (const stmt of plan.statements) {
+    const normalized = stmt.sql.replace(/\s+/g, " ").trim();
+    const upper = normalized.toUpperCase();
+    for (const blocked of BLOCKED_SQL_PATTERNS) {
+      if (blocked.pattern.test(stmt.sql)) {
+        violations.push(
+          `Statement ${stmt.index}: Blocked SQL type "${blocked.label}" \u2014 ${normalized.slice(0, 80)}`
+        );
+        break;
+      }
+    }
+    if (violations.length > 0 && violations[violations.length - 1].startsWith(`Statement ${stmt.index}:`)) {
+      continue;
+    }
+    const isAllowed = ALLOWED_DDL_PREFIXES.some((prefix) => upper.startsWith(prefix));
+    if (!isAllowed) {
+      violations.push(
+        `Statement ${stmt.index}: Unrecognized SQL type \u2014 ${normalized.slice(0, 80)}`
+      );
+    }
+  }
+  if (violations.length > 0) {
+    throw new Error(
+      `Plan contains non-DDL or dangerous SQL statements:
+${violations.map((v) => `  - ${v}`).join("\n")}
+
+Only DDL statements (CREATE, ALTER, DROP, GRANT, REVOKE, SET, COMMENT ON) are allowed in schema migration plans.`
+    );
+  }
+}
 function validatePlanForExecution(plan, allowedHazardTypes) {
   if (plan.totalStatements === 0) return;
   const allHazards = plan.statements.flatMap((s) => s.hazards);
@@ -21503,6 +21590,7 @@ async function executePlanSqlWithRetry(dbUrl, initialPlanSql, verbose, config) {
     if (config?.allowedHazardTypes) {
       validatePlanForExecution(plan, config.allowedHazardTypes);
     }
+    validateStatementTypes(plan);
     if (verbose) {
       logger5.debug(`Plan validated: ${plan.totalStatements} statement(s)`);
     }
@@ -22468,60 +22556,42 @@ function verifyDataIntegrity(dbUrl, schemasDir, preApplyCounts, verbose, allowDa
     logger8.debug(`Data integrity check passed (${preApplyCounts.size} table(s) verified)`);
   }
 }
-async function applyWithLockAndRetry(dbUrl, schemasDir, includeSchemas, input3, planOutput, hazards, protectedTables, protectedObjects, tempDbDsn, pgSchemaDiffDir) {
+async function applyWithRetry(dbUrl, schemasDir, includeSchemas, input3, planOutput, hazards, protectedTables, protectedObjects, tempDbDsn, pgSchemaDiffDir) {
   logger8.step("Applying schema changes (plan+psql)...");
-  const lockAcquired = await acquireAdvisoryLock(dbUrl, input3.verbose);
-  if (!lockAcquired) {
-    throw new Error(
-      "Could not acquire migration lock. Another migration may be running. Wait for it to complete or manually release the lock."
-    );
-  }
-  try {
-    const allowedHazardTypes = buildAllowedHazards(input3);
-    const result = await executePlanSqlWithRetry(dbUrl, planOutput, input3.verbose, {
-      maxDelayMs: input3.maxLockWaitMs,
-      allowedHazardTypes,
-      protectedTables,
-      protectedObjects,
-      rePlanFn: () => {
-        const { planOutput: freshPlan } = executePgSchemaDiffPlan(
-          dbUrl,
-          pgSchemaDiffDir ?? schemasDir,
-          includeSchemas,
-          input3.verbose,
-          { tempDbDsn }
-        );
-        if (!freshPlan.trim() || freshPlan.includes("No changes")) {
-          return null;
-        }
-        return freshPlan;
-      }
-    });
-    if (!result.success) {
-      throw result.error || new Error("Migration failed");
-    }
-    if (input3.verbose && result.attempts > 0) {
-      logger8.debug(
-        `Retry metrics: ${result.attempts} attempts, ${result.totalWaitMs}ms total wait`
-      );
-    }
-    logger8.success("Schema changes applied");
-    return {
-      sql: planOutput,
-      hazards,
-      applied: true,
-      retryAttempts: result.attempts,
-      retryWaitMs: result.totalWaitMs
-    };
-  } finally {
-    try {
-      releaseAdvisoryLock(dbUrl, input3.verbose);
-    } catch (lockError) {
-      logger8.warn(
-        `Failed to release advisory lock: ${lockError instanceof Error ? lockError.message : "Unknown error"}`
+  const allowedHazardTypes = buildAllowedHazards(input3);
+  const result = await executePlanSqlWithRetry(dbUrl, planOutput, input3.verbose, {
+    maxDelayMs: input3.maxLockWaitMs,
+    allowedHazardTypes,
+    protectedTables,
+    protectedObjects,
+    rePlanFn: () => {
+      const { planOutput: freshPlan } = executePgSchemaDiffPlan(
+        dbUrl,
+        pgSchemaDiffDir ?? schemasDir,
+        includeSchemas,
+        input3.verbose,
+        { tempDbDsn }
       );
+      if (!freshPlan.trim() || freshPlan.includes("No changes")) {
+        return null;
+      }
+      return freshPlan;
     }
+  });
+  if (!result.success) {
+    throw result.error || new Error("Migration failed");
   }
+  if (input3.verbose && result.attempts > 0) {
+    logger8.debug(`Retry metrics: ${result.attempts} attempts, ${result.totalWaitMs}ms total wait`);
+  }
+  logger8.success("Schema changes applied");
+  return {
+    sql: planOutput,
+    hazards,
+    applied: true,
+    retryAttempts: result.attempts,
+    retryWaitMs: result.totalWaitMs
+  };
 }
 var ROLE_PASSWORD_CONFIGS = [
   {
@@ -22760,6 +22830,12 @@ ${content}`;
       }
     }
     const includeSchemas = detectAppSchemas(schemasDir, input3.verbose);
+    const lockAcquired = await acquireAdvisoryLock(dbUrl, input3.verbose);
+    if (!lockAcquired) {
+      throw new Error(
+        "Could not acquire migration lock. Another migration may be running. Wait for it to complete or manually release the lock."
+      );
+    }
     cleanPartitionAclsForPgSchemaDiff(dbUrl, includeSchemas, input3.verbose);
     const { planOutput } = executePgSchemaDiffPlan(
       dbUrl,
@@ -22847,7 +22923,7 @@ ${content}`;
       }
     }
     const preApplyCounts = getTableRowEstimates(dbUrl, schemasDir, input3.verbose);
-    const applyResult = await applyWithLockAndRetry(
+    const applyResult = await applyWithRetry(
       dbUrl,
       schemasDir,
       includeSchemas,
@@ -22867,6 +22943,13 @@ ${content}`;
       dataViolations: dataViolationCount > 0 ? dataViolationCount : void 0
     };
   } finally {
+    try {
+      releaseAdvisoryLock(dbUrl, input3.verbose);
+    } catch (lockError) {
+      logger8.warn(
+        `Failed to release advisory lock: ${lockError instanceof Error ? lockError.message : "Unknown error"}`
+      );
+    }
     if (shadowDb) {
       try {
         await shadowDb.cleanup();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runa-ai/runa-cli",
-  "version": "0.5.71",
+  "version": "0.5.72",
   "private": false,
   "description": "AI-powered DevOps CLI",
   "type": "module",