npm - @runa-ai/runa-cli - Versions diffs - 0.5.71 → 0.6.0 - Mend

@runa-ai/runa-cli 0.5.71 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (508) hide show

package/dist/commands/db/apply/helpers/retry-logic.d.ts CHANGED Viewed

@@ -4,7 +4,7 @@
  * Purpose: Retry pg-schema-diff operations on lock_timeout errors
  * Pattern: Exponential backoff with jitter (configurable max delay)
  */
-import { type IdempotentProtectedObjects } from './pg-schema-diff-helpers.js';
+import type { IdempotentProtectedObjects } from './pg-schema-diff-helpers.js';
 export declare const MAX_RETRIES = 5;
 export declare const BASE_DELAY_MS = 1000;
 export declare const DEFAULT_MAX_DELAY_MS = 30000;
@@ -41,7 +41,16 @@ export declare function sleep(ms: number): Promise<void>;
  */
 export declare function calculateBackoffDelay(attempt: number, maxDelayMs?: number): number;
 /**
- * Check if error is a lock_timeout error.
+ * Check if error is a lock_timeout error (retryable DDL lock contention).
+ *
+ * Matches PostgreSQL error patterns for DDL lock failures:
+ * - "lock_timeout" — GUC name appearing in error context
+ * - "canceling statement due to lock timeout" — explicit lock timeout message
+ * - "could not obtain lock on relation" — DDL lock acquisition failure
+ * - "deadlock detected" — deadlock between concurrent DDL
+ *
+ * NOTE: "could not obtain lock" (without "on relation") is intentionally NOT matched
+ * because it can fire for advisory lock failures or other non-DDL lock types.
  */
 export declare function isLockTimeoutError(errorOutput: string): boolean;
 /**
@@ -79,6 +88,11 @@ export interface PlanSqlRetryConfig extends RetryConfig {
      * Extends table protection to functions, triggers, views, types, and sequences.
      */
     protectedObjects?: IdempotentProtectedObjects;
+    /**
+     * Fail-closed when plan parser confidence is low.
+     * Recommended for production to avoid executing ambiguous SQL plans.
+     */
+    failOnLowParseConfidence?: boolean;
 }
 /**
  * Execute plan SQL via psql with retry logic.

package/dist/commands/db/apply/helpers/shadow-db-manager.d.ts CHANGED Viewed

@@ -79,5 +79,5 @@ export declare function createShadowDbWithExtensions(config: ShadowDbConfig): Pr
 /**
  * Check if shadow DB with extensions is needed based on config.
  */
-export declare function needsShadowDb(extensions: string[] | undefined): boolean;
+export declare function needsShadowDb(extensions: string[] | undefined): extensions is [string, ...string[]];
 //# sourceMappingURL=shadow-db-manager.d.ts.map

package/dist/commands/db/apply/helpers/sql-utils.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * AI HINT: Shared SQL Utility Functions
+ *
+ * Purpose: Common SQL utilities used across db apply helpers.
+ * Eliminates duplication of identifier quoting and validation.
+ */
+/**
+ * Validate that a name is a safe SQL identifier (no injection risk).
+ * Accepts: alphanumeric + underscore, must start with letter or underscore.
+ */
+export declare function isValidIdentifier(name: string): boolean;
+/**
+ * Quote an SQL identifier (double-quote escaping).
+ * Escapes embedded double-quotes by doubling them.
+ */
+export declare function quoteIdent(name: string): string;
+/**
+ * Build a fully qualified table name: "schema"."table"
+ */
+export declare function qualifiedTable(schema: string, table: string): string;
+/**
+ * Mask database credentials and sensitive information in error messages.
+ * Prevents accidental exposure of passwords, hosts, and ports in logs.
+ */
+export declare function maskDbCredentials(message: string): string;
+//# sourceMappingURL=sql-utils.d.ts.map

package/dist/commands/db/apply/machine.d.ts CHANGED Viewed

@@ -36,6 +36,7 @@ import type { DbApplyInput } from './contract.js';
 interface DbApplyContext {
     input: DbApplyInput;
     targetDir: string;
+    lockAcquired: boolean;
     idempotentPreApplied: number;
     idempotentPreSkipped: number;
     idempotentPostApplied: number;
@@ -48,7 +49,14 @@ interface DbApplyContext {
     partitionWarnings: string[];
     error: string | null;
     planSql: string | null;
+    filteredPlanSql: string | null;
     ssotWarning: string | null;
+    idempotentFiles: string[];
+    idempotentRisks: {
+        high: number;
+        medium: number;
+        low: number;
+    } | null;
     startTime: number;
     idempotentPreStartTime: number | null;
     idempotentPreEndTime: number | null;
@@ -71,6 +79,15 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
     }, {
         input: DbApplyInput;
         targetDir: string;
+    }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<{
+        acquired: boolean;
+    }, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<void, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<actors.IdempotentPreviewResult, {
+        input: DbApplyInput;
+        targetDir: string;
     }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<actors.ApplyResult, {
         input: DbApplyInput;
         targetDir: string;
@@ -93,6 +110,27 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
         targetDir: string;
     }, import("xstate").EventObject>;
     id: string | undefined;
+} | {
+    src: "acquireLock";
+    logic: import("xstate").PromiseActorLogic<{
+        acquired: boolean;
+    }, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>;
+    id: string | undefined;
+} | {
+    src: "releaseLock";
+    logic: import("xstate").PromiseActorLogic<void, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>;
+    id: string | undefined;
+} | {
+    src: "previewIdempotentSchemas";
+    logic: import("xstate").PromiseActorLogic<actors.IdempotentPreviewResult, {
+        input: DbApplyInput;
+        targetDir: string;
+    }, import("xstate").EventObject>;
+    id: string | undefined;
 } | {
     src: "applyIdempotentSchemas";
     logic: import("xstate").PromiseActorLogic<actors.ApplyResult, {
@@ -117,7 +155,10 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
         targetDir: string;
     }, import("xstate").EventObject>;
     id: string | undefined;
-}, never, never, never, "failed" | "done" | "idle" | "applyingIdempotentPre" | "applyingPgSchemaDiff" | "applyingIdempotentPost" | "validatingPartitions" | "applyingSeeds", string, {
+}, {
+    type: "releaseAdvisoryLockOnFailure";
+    params: unknown;
+}, never, never, "done" | "failed" | "idle" | "acquiringLock" | "previewingIdempotent" | "applyingIdempotentPre" | "applyingPgSchemaDiff" | "applyingIdempotentPost" | "validatingPartitions" | "releasingLock" | "applyingSeeds", string, {
     input: DbApplyInput;
     targetDir: string;
 }, {
@@ -130,10 +171,17 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
     rolePasswordsSet?: number | undefined;
     error?: string | undefined;
     planSql?: string | undefined;
+    filteredPlanSql?: string | undefined;
     checkOnly?: boolean | undefined;
     dataViolations?: number | undefined;
     ssotWarning?: string | undefined;
     partitionWarnings?: string[] | undefined;
+    idempotentFiles?: string[] | undefined;
+    idempotentRisks?: {
+        high: number;
+        medium: number;
+        low: number;
+    } | undefined;
     metrics?: {
         totalMs: number;
         idempotentMs?: number | undefined;
@@ -145,10 +193,13 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
     id: "dbApply";
     states: {
         readonly idle: {};
+        readonly acquiringLock: {};
+        readonly previewingIdempotent: {};
         readonly applyingIdempotentPre: {};
         readonly applyingPgSchemaDiff: {};
         readonly applyingIdempotentPost: {};
         readonly validatingPartitions: {};
+        readonly releasingLock: {};
         readonly applyingSeeds: {};
         readonly done: {};
         readonly failed: {};

package/dist/commands/db/commands/db-apply.d.ts CHANGED Viewed

@@ -1,4 +1,22 @@
 import { Command } from 'commander';
+import { type DbApplyOutput } from '../apply/index.js';
+export interface DbApplyOptions {
+    verbose?: boolean;
+    /** Commander pairs --seed/--no-seed into this single property */
+    seed?: boolean;
+    databaseUrl?: string;
+    autoApprove?: boolean;
+    allowDataLoss?: boolean;
+    confirmAuthzUpdate?: boolean;
+    check?: boolean;
+    skipDataCheck?: boolean;
+    maxLockWaitMs?: number;
+    freshDbCheckSql?: string;
+}
+/**
+ * Run db apply workflow
+ */
+export declare function runDbApply(env: string, options: DbApplyOptions): Promise<DbApplyOutput>;
 /**
  * db:apply command - Apply schema changes using pg-schema-diff at runtime
  */

package/dist/commands/db/commands/db-sync/boundary-classifier.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * AI HINT: Boundary Classifier for db-sync precheck
+ *
+ * Purpose: Classify DDL statements as belonging to declarative or idempotent
+ * directories, and detect misplacement risks. Works with the boundary policy
+ * to determine which DDL objects are expected in which directory.
+ */
+import type { getBoundaryPolicy } from '../../utils/boundary-policy-runtime.js';
+import type { DirectoryRiskEntry } from './types.js';
+import { GRANT_STATEMENT_RULE_TEXT, PLAN_BOUNDARY_CONTEXT_FILE } from './types.js';
+export { PLAN_BOUNDARY_CONTEXT_FILE, GRANT_STATEMENT_RULE_TEXT };
+export declare function isBoundaryRelevantDdlStatement(statement: string): boolean;
+export declare function isPlanBoundaryAmbiguous(statement: string): boolean;
+export declare function classifyUnknownObjectBoundary(file: string, object: string, fileType: 'declarative' | 'idempotent', policy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry | null;
+export declare function classifyPlanStatementBoundaryCandidates(statement: string, statementIndex: number, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>, options?: {
+    skipDefault?: boolean;
+}): DirectoryRiskEntry[];
+export declare function classifyPlanStatementBoundaryRisk(statement: string, statementIndex: number, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry | undefined;
+export declare function classifyDeclarativeMisplacementRisk(file: string, content: string, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry[];
+export declare function classifyIdempotentMisplacementRisk(file: string, content: string, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry[];
+//# sourceMappingURL=boundary-classifier.d.ts.map

package/dist/commands/db/commands/db-sync/plan-hazard-analyzer.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * AI HINT: Plan Hazard Analyzer for db-sync precheck
+ *
+ * Purpose: Analyze pg-schema-diff plan output for hazards (DELETES_DATA,
+ * AUTHZ_UPDATE, etc.) and classify their boundary risk level.
+ */
+import type { PlanHazard, PlanStatement } from '../../apply/helpers/plan-validator.js';
+import { type DirectoryRiskEntry, type DirectoryRiskLevel } from './types.js';
+export declare function parseHazardType(hazard: string): string;
+export declare function getPlanHazardBoundaryLevel(type: string): DirectoryRiskLevel;
+export declare function buildPlanHazardBoundaryMessage(statement: string, statementIndex: number, hazard: PlanHazard): string;
+export declare function classifyPlanStatementHazards(statement: PlanStatement): DirectoryRiskEntry[];
+//# sourceMappingURL=plan-hazard-analyzer.d.ts.map

package/dist/commands/db/commands/db-sync/risk-reporter.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * AI HINT: Risk Reporter for db-sync precheck
+ *
+ * Purpose: Format, deduplicate, and display risk findings from declarative
+ * risk analysis, directory placement checks, and plan boundary reconciliation.
+ */
+import type { createCLILogger } from '@runa-ai/runa';
+import type { CompactFinding, DeclarativeRiskItem, DirectoryRiskEntry, DirectoryRiskLevel } from './types.js';
+export declare function getDirectoryRiskWeight(level: DirectoryRiskLevel): number;
+export declare function compareDirectoryRiskPriority(left: DirectoryRiskEntry, right: DirectoryRiskEntry): number;
+export declare function selectHighestPriorityRisk(entries: DirectoryRiskEntry[]): DirectoryRiskEntry | undefined;
+export declare function buildDirectoryRiskKey(entry: DirectoryRiskEntry): string;
+export declare function dedupeDirectoryRisksBySeverity(entries: DirectoryRiskEntry[]): DirectoryRiskEntry[];
+export declare function printList(title: string, items: string[], logger: ReturnType<typeof createCLILogger>): void;
+export declare function stripCommonPrefix(filePath: string): string;
+export declare function formatDeclarativeRiskMessage(risk: DeclarativeRiskItem): string;
+export declare function buildCompactFindingSummary(rawItems: string[]): CompactFinding[];
+export declare function printCompactSummary(logger: ReturnType<typeof createCLILogger>, title: string, rawItems: string[], topLimit: number): void;
+//# sourceMappingURL=risk-reporter.d.ts.map

package/dist/commands/db/commands/db-sync/sql-parser.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * AI HINT: SQL Parser for db-sync precheck
+ *
+ * Purpose: Low-level SQL text parsing utilities for embedded SQL extraction
+ * and directory placement analysis. These parsers handle dollar-quoted literals,
+ * single-quoted literals, and PL/pgSQL embedded SQL patterns.
+ */
+export declare function isWordChar(char: string): boolean;
+export declare function isWhitespaceChar(char: string): boolean;
+export declare function parseWordAt(statement: string, start: number): {
+    value: string;
+    start: number;
+    end: number;
+} | null;
+export declare function skipWhitespaceAndComments(statement: string, start: number): number;
+export declare function getPreviousWord(statement: string, start: number): string;
+export declare function parseDollarQuotedLiteral(statement: string, start: number): {
+    body: string;
+    next: number;
+} | null;
+export declare function extractEmbeddableSqlFragments(statement: string): string[];
+export declare function normalizeSqlForPlacementCheck(content: string): string;
+export declare function isPartitionOfCreateTable(statement: string): boolean;
+export declare function dedupeAndSort(lines: string[]): string[];
+//# sourceMappingURL=sql-parser.d.ts.map

package/dist/commands/db/commands/db-sync/types.d.ts ADDED Viewed

@@ -0,0 +1,47 @@
+import type { SchemaRisk } from '../../../../validators/risk-detector.js';
+export type DeclarativeRiskItem = SchemaRisk & {
+    file: string;
+};
+export type DirectoryRiskLevel = 'high' | 'medium' | 'low';
+export declare const DIRECTORY_RISK_ORDER: readonly ["high", "medium", "low"];
+export type DirectoryRiskEntry = {
+    file: string;
+    level: DirectoryRiskLevel;
+    message: string;
+    line?: number;
+};
+export type DirectoryRiskRule = {
+    level: DirectoryRiskLevel;
+    pattern: RegExp | ((statement: string) => boolean);
+    message: string;
+};
+export type ExtensionCheckReport = {
+    blockers: string[];
+    warnings: string[];
+};
+export type AllowlistAwareReport = ExtensionCheckReport & {
+    allowlist: string[];
+    stats?: {
+        parsedStatements: number;
+        planHazards: number;
+        classifiedHazardStatements: number;
+        classifiedRiskStatements: number;
+        allowlistSuppressed: number;
+        parseWarnings: number;
+        unclassifiedStatements: number;
+    };
+};
+export type CompactFinding = {
+    message: string;
+    count: number;
+    samples: string[];
+};
+export type SyncOptions = {
+    json?: boolean;
+    showImportImpact?: boolean;
+    withProductionApplyCheck?: boolean;
+    strict?: boolean;
+};
+export declare const PLAN_BOUNDARY_CONTEXT_FILE = "pg-schema-diff plan.sql";
+export declare const GRANT_STATEMENT_RULE_TEXT = "Grant/REVOKE statements are usually idempotent/bootstrap ACL setup and should be treated as such";
+//# sourceMappingURL=types.d.ts.map

package/dist/commands/db/commands/db-sync.d.ts CHANGED Viewed

@@ -1,3 +1,17 @@
+/**
+ * AI HINT: db-sync command — Schema sync check + production apply precheck
+ *
+ * Purpose: Compare TypeScript schema vs database, detect schema drift,
+ * and run production apply prechecks (declarative risk, directory placement,
+ * plan boundary reconciliation).
+ *
+ * Submodules (db-sync/):
+ *   types.ts               — Shared type definitions
+ *   sql-parser.ts          — SQL text parsing & embedded SQL extraction
+ *   boundary-classifier.ts — DDL statement boundary classification
+ *   plan-hazard-analyzer.ts— pg-schema-diff plan hazard analysis
+ *   risk-reporter.ts       — Risk formatting, deduplication, display
+ */
 import { Command } from 'commander';
 export declare const checkCommand: Command;
 //# sourceMappingURL=db-sync.d.ts.map

package/dist/commands/db/sync/contract.d.ts CHANGED Viewed

@@ -36,6 +36,7 @@ export declare const DbSyncInputSchema: z.ZodObject<{
     autoApprove: z.ZodDefault<z.ZodBoolean>;
     verbose: z.ZodDefault<z.ZodBoolean>;
     skipCodegen: z.ZodDefault<z.ZodBoolean>;
+    strictIntrospect: z.ZodDefault<z.ZodBoolean>;
     targetDir: z.ZodOptional<z.ZodString>;
     fromProduction: z.ZodDefault<z.ZodBoolean>;
     autoSnapshot: z.ZodDefault<z.ZodBoolean>;
@@ -46,9 +47,9 @@ export type DbSyncInput = z.infer<typeof DbSyncInputSchema>;
  * Step result type
  */
 export declare const StepResultSchema: z.ZodEnum<{
-    passed: "passed";
-    failed: "failed";
     skipped: "skipped";
+    failed: "failed";
+    passed: "passed";
 }>;
 export type StepResult = z.infer<typeof StepResultSchema>;
 /**
@@ -104,8 +105,10 @@ export declare const StepContextSchema: z.ZodObject<{
     }>;
     check: z.ZodBoolean;
     force: z.ZodBoolean;
+    autoApprove: z.ZodBoolean;
     verbose: z.ZodBoolean;
     skipCodegen: z.ZodBoolean;
+    strictIntrospect: z.ZodBoolean;
     fromProduction: z.ZodBoolean;
     autoSnapshot: z.ZodBoolean;
     noSeed: z.ZodBoolean;
@@ -148,6 +151,7 @@ export declare const DbSyncMachineInputSchema: z.ZodObject<{
     autoApprove: z.ZodOptional<z.ZodBoolean>;
     verbose: z.ZodOptional<z.ZodBoolean>;
     skipCodegen: z.ZodOptional<z.ZodBoolean>;
+    strictIntrospect: z.ZodOptional<z.ZodBoolean>;
     targetDir: z.ZodOptional<z.ZodString>;
     fromProduction: z.ZodOptional<z.ZodBoolean>;
     autoSnapshot: z.ZodOptional<z.ZodBoolean>;

package/dist/commands/db/sync/machine.d.ts CHANGED Viewed

@@ -104,13 +104,14 @@ export declare const dbSyncMachine: import("xstate").StateMachine<DbSyncContext,
     src: "writeReport";
     logic: import("xstate").PromiseActorLogic<actors.ReportOutput, actors.ReportInput, import("xstate").EventObject>;
     id: string | undefined;
-}, never, never, never, "failed" | "done" | "sync" | "setup" | "idle" | "snapshot" | "preflight" | "reconcile" | "report", string, {
+}, never, never, never, "done" | "failed" | "sync" | "setup" | "idle" | "snapshot" | "preflight" | "reconcile" | "report", string, {
     env?: "local" | "preview" | "production" | undefined;
     check?: boolean | undefined;
     force?: boolean | undefined;
     autoApprove?: boolean | undefined;
     verbose?: boolean | undefined;
     skipCodegen?: boolean | undefined;
+    strictIntrospect?: boolean | undefined;
     targetDir?: string | undefined;
     fromProduction?: boolean | undefined;
     autoSnapshot?: boolean | undefined;

package/dist/commands/db/types.d.ts CHANGED Viewed

@@ -77,6 +77,8 @@ export interface DbCommandOptions {
     verbose?: boolean;
     /** CI optimization: skip TypeScript + Zod generation during db sync */
     skipCodegen?: boolean;
+    /** Fail when generated schema still contains unresolved unknown(...) columns */
+    strictIntrospect?: boolean;
     json?: boolean;
     sql?: boolean;
     format?: string;

package/dist/commands/db/utils/boundary-policy/rule-compiler.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * AI HINT: Boundary policy rule compiler.
+ *
+ * Purpose: Convert raw policy JSON arrays into typed allowlist rules
+ * and normalize a full policy object with fallback defaults.
+ */
+import type { BoundaryPolicy, BoundaryPolicyMeta, DeclarativeRiskAllowlistRule, DirectoryPlacementAllowlistRule, PolicyIssueFormatter } from './types.js';
+export declare function toDeclarativeRiskRules(rawList: unknown, issueFormatter: PolicyIssueFormatter): DeclarativeRiskAllowlistRule[];
+export declare function toDirectoryPlacementRules(rawList: unknown, issueFormatter: PolicyIssueFormatter): DirectoryPlacementAllowlistRule[];
+export declare function normalizePolicySource(raw: unknown, source: BoundaryPolicyMeta['source'], sourcePath: string, issueFormatter: PolicyIssueFormatter): BoundaryPolicy;
+//# sourceMappingURL=rule-compiler.d.ts.map

package/dist/commands/db/utils/boundary-policy/types.d.ts ADDED Viewed

@@ -0,0 +1,105 @@
+/**
+ * AI HINT: Boundary policy type definitions and small utility functions.
+ *
+ * Purpose: Shared types for boundary-policy validation, compilation, and loading.
+ */
+export type BoundaryPolicyRiskLevel = 'high' | 'medium' | 'low';
+export type AllowlistMetadata = {
+    owner?: string;
+    ticket?: string;
+    expiresAt?: string;
+    active?: boolean;
+};
+export type DeclarativeRiskAllowlistRule = {
+    id: string;
+    filePattern: RegExp;
+    descriptionPattern: RegExp;
+    level?: BoundaryPolicyRiskLevel;
+    reason: string;
+    owner?: string;
+    ticket?: string;
+    expiresAt?: string;
+    active: boolean;
+};
+export type DirectoryPlacementAllowlistRule = {
+    id: string;
+    filePattern: RegExp;
+    messagePattern: RegExp;
+    level?: BoundaryPolicyRiskLevel;
+    lineStart?: number;
+    lineEnd?: number;
+    reason: string;
+    owner?: string;
+    ticket?: string;
+    expiresAt?: string;
+    active: boolean;
+};
+export type BoundaryPolicyRaw = {
+    version?: unknown;
+    description?: unknown;
+    strictByDefault?: unknown;
+    declarativePreferredObjects?: unknown;
+    idempotentPreferredObjects?: unknown;
+    declarativeRiskAllowlist?: unknown;
+    directoryPlacementAllowlist?: unknown;
+};
+export type RawRule = {
+    id?: unknown;
+    filePattern?: unknown;
+    descriptionPattern?: unknown;
+    messagePattern?: unknown;
+    level?: unknown;
+    reason?: unknown;
+    owner?: unknown;
+    ticket?: unknown;
+    expiresAt?: unknown;
+    active?: unknown;
+    line?: unknown;
+    lineStart?: unknown;
+    lineEnd?: unknown;
+};
+export type BoundaryPolicyMeta = {
+    source: 'default' | 'policy-file';
+    sourcePath: string;
+    fallbackUsed: boolean;
+    invalidPolicy: boolean;
+    issues: string[];
+    warningCount: number;
+};
+export type BoundaryPolicy = {
+    version: string;
+    description: string;
+    strictByDefault: boolean;
+    declarativePreferredObjects: Set<string>;
+    idempotentPreferredObjects: Set<string>;
+    declarativeRiskAllowlist: DeclarativeRiskAllowlistRule[];
+    directoryPlacementAllowlist: DirectoryPlacementAllowlistRule[];
+    __meta: BoundaryPolicyMeta;
+};
+export type PolicyValidationSeverity = 'warning' | 'error';
+export type PolicyValidationIssue = {
+    field: string;
+    message: string;
+    severity: PolicyValidationSeverity;
+};
+export type PolicyIssueFormatter = (field: string, message: string, severity?: PolicyValidationSeverity) => void;
+export declare const BOUNDARY_POLICY_FILENAME = ".boundary-policy.json";
+export declare const DEFAULT_POLICY_VERSION = "1.0";
+export declare const SAFE_REGEXP: RegExp;
+export declare const POLICY_VERSION_PATTERN: RegExp;
+export declare const OBJECT_NAME_PATTERN: RegExp;
+export declare const DATE_ISO_PATTERN: RegExp;
+export declare const FALLBACK_DECLARATIVE_OBJECTS: Set<string>;
+export declare const FALLBACK_IDEMPOTENT_OBJECTS: Set<string>;
+export declare const FALLBACK_DECLARATIVE_RISK_ALLOWLIST: DeclarativeRiskAllowlistRule[];
+export declare const FALLBACK_DIRECTORY_PLACEMENT_ALLOWLIST: DirectoryPlacementAllowlistRule[];
+export declare function isObject(value: unknown): value is Record<string, unknown>;
+export declare function isStringArray(value: unknown): value is string[];
+export declare function isPastDate(value: string, today: string): boolean;
+export declare function isAllowlistRuleUsable(rule: {
+    active: boolean;
+    expiresAt?: string;
+}): boolean;
+export declare function formatBoundaryPolicyIssue(filePath: string, issue: PolicyValidationIssue): string;
+export declare function formatAllowlistMetadata(rule: AllowlistMetadata): string;
+//# sourceMappingURL=types.d.ts.map

package/dist/commands/db/utils/boundary-policy/validation.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * AI HINT: Boundary policy validation and coercion functions.
+ *
+ * Purpose: Validate raw policy JSON and coerce individual fields
+ * into strongly typed values with issue reporting.
+ */
+import type { BoundaryPolicyRiskLevel, PolicyIssueFormatter, PolicyValidationIssue, PolicyValidationSeverity } from './types.js';
+export declare function validateBoundaryPolicy(raw: unknown): PolicyValidationIssue[];
+export declare function coercePolicyStringList(value: unknown, field: string, issueFormatter: PolicyIssueFormatter): Set<string>;
+export declare function coerceRiskLevel(level: unknown): BoundaryPolicyRiskLevel | undefined;
+export declare function compileRegExp(pattern: string, issueFormatter: PolicyIssueFormatter): RegExp;
+export declare function coerceRuleId(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | null;
+export declare function coerceRulePattern(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | null;
+export declare function coerceOptionalString(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | undefined;
+export declare function coerceOptionalPositiveInteger(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): number | undefined;
+export declare function coerceBoolean(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): boolean;
+export declare function coerceExpiresAt(raw: unknown, ruleId: string, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | undefined;
+export declare function mapPolicyVersion(rawVersion: unknown): string;
+export declare function appendValidationIssue(issues: PolicyValidationIssue[], field: string, message: string, severity: PolicyValidationSeverity, policyFile: string, output: string[]): void;
+//# sourceMappingURL=validation.d.ts.map

package/dist/commands/db/utils/boundary-policy-runtime.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import { loadBoundaryPolicy, type DeclarativeRiskAllowlistRule, type DirectoryPlacementAllowlistRule } from './boundary-policy.js';
+type Logger = {
+    warn: (message: string) => void;
+    info: (message: string) => void;
+};
+type BoundaryPolicy = ReturnType<typeof loadBoundaryPolicy>;
+type DeclarativeRiskLike = {
+    level: 'high' | 'medium' | 'low';
+    file: string;
+    description: string;
+};
+type DirectoryRiskLike = {
+    level: 'high' | 'medium' | 'low';
+    file: string;
+    message: string;
+    line?: number;
+};
+export declare function getBoundaryPolicy(cwd?: string): BoundaryPolicy;
+export declare function reportBoundaryPolicyState(logger: Logger, policy: BoundaryPolicy): void;
+export declare function assertBoundaryPolicyUsable(logger: Logger, policy: BoundaryPolicy): void;
+export declare function assertBoundaryPolicyQualityGate(logger: Logger, policy: BoundaryPolicy, strict: boolean): void;
+export declare function findDeclarativeRiskAllowlistMatch(risk: DeclarativeRiskLike, policy: BoundaryPolicy): DeclarativeRiskAllowlistRule | undefined;
+export declare function hasExplicitLineScope(rule: DirectoryPlacementAllowlistRule): boolean;
+export declare function entryLineScopeMatches(issueLine: number | undefined, rule: DirectoryPlacementAllowlistRule): boolean;
+export declare function findDirectoryPlacementAllowlistMatch(issue: DirectoryRiskLike, policy: BoundaryPolicy): DirectoryPlacementAllowlistRule | undefined;
+export declare function resolveProductionApplyStrictMode(policy: BoundaryPolicy, strictOption: boolean | undefined): boolean;
+export {};
+//# sourceMappingURL=boundary-policy-runtime.d.ts.map

package/dist/commands/db/utils/boundary-policy.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { BoundaryPolicy } from './boundary-policy/types.js';
+export type { BoundaryPolicy, BoundaryPolicyMeta, BoundaryPolicyRiskLevel, DeclarativeRiskAllowlistRule, DirectoryPlacementAllowlistRule, } from './boundary-policy/types.js';
+export { formatAllowlistMetadata } from './boundary-policy/types.js';
+export declare function loadBoundaryPolicy(projectRoot: string, policyPath?: string): BoundaryPolicy;
+//# sourceMappingURL=boundary-policy.d.ts.map

package/dist/commands/db/utils/idempotent-risk-context.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * AI HINT: Idempotent Risk Context Correction
+ *
+ * Purpose: Shared constants and logic for adjusting risk severity in idempotent/ context.
+ * In idempotent/ files, DROP ... IF EXISTS is a standard cleanup-then-recreate pattern,
+ * so these are downgraded from their original severity to 'low'.
+ *
+ * Used by: preflight-check.ts, db-sync.ts
+ */
+/**
+ * Reason codes whose severity is downgraded to 'low' in idempotent context.
+ * DROP ... IF EXISTS patterns are standard cleanup-then-recreate in idempotent files.
+ * REVOKE + GRANT is a standard RBAC reset pattern in idempotent RBAC files.
+ * DO blocks are the expected pattern for conditional logic in idempotent files.
+ */
+export declare const IDEMPOTENT_DOWNGRADE_REASON_CODES: Set<string>;
+/**
+ * Reason codes whose severity is capped at 'medium' in idempotent context.
+ * DROP POLICY in idempotent files is typically a cleanup-then-recreate pattern,
+ * but still warrants review since it removes access control rules.
+ */
+export declare const IDEMPOTENT_MEDIUM_REASON_CODES: Set<string>;
+/**
+ * Correct risk severity for idempotent context.
+ *
+ * @returns adjusted severity level
+ */
+export declare function correctIdempotentRiskLevel(originalLevel: string, reasonCode: string | undefined): 'high' | 'medium' | 'low';
+//# sourceMappingURL=idempotent-risk-context.d.ts.map

package/dist/commands/db/utils/preflight-check.d.ts CHANGED Viewed

@@ -7,12 +7,26 @@
  * NOTE: This is DIFFERENT from `runa db preflight` command which checks DATA QUALITY
  *   - preflight-check.ts: Environment validation (Supabase status, env vars, orphan detection)
  *   - preflight/index.ts: Data quality validation (updated_at >= created_at constraint)
+ *
+ * Structure:
+ *   - preflight-check.ts: Orchestrator, types, basic checks (this file)
+ *   - preflight-checks/supabase-checks.ts: Supabase status & DB connection
+ *   - preflight-checks/schema-risk-checks.ts: SQL schema risk scanning
+ *   - preflight-checks/orphan-checks.ts: Orphaned objects & extension config
  */
 export interface PreflightCheckResult {
     passed: boolean;
     warnings: string[];
     errors: string[];
 }
+/**
+ * Step counter for dynamic step numbering.
+ * This ensures correct sequential numbering regardless of which checks are executed.
+ */
+export declare class StepCounter {
+    private current;
+    next(): number;
+}
 /**
  * Run all preflight checks
  */