@runa-ai/runa-cli 0.5.72 → 0.6.0

package/dist/commands/db/apply/helpers/hazard-handler.d.ts

@@ -0,0 +1,60 @@
+/**
+ * AI HINT: Hazard Handler for pg-schema-diff
+ *
+ * Purpose: Parse, display, and handle hazards from pg-schema-diff plan output.
+ * Separates hazard logic from binary verification and plan execution.
+ *
+ * Hazard Types:
+ * - DELETES_DATA: Data loss risk (blocks production without --allow-data-loss)
+ * - AUTHZ_UPDATE: RLS policy changes (blocks production without --confirm-authz-update)
+ * - ACQUIRES_ACCESS_EXCLUSIVE_LOCK: Table lock during migration
+ * - HAS_UNTRACKABLE_DEPENDENCIES: Cross-schema dependencies
+ * - INDEX_BUILD / INDEX_DROPPED: Index operations
+ */
+import type { DbApplyInput } from '../contract.js';
+import { type ParsedHazard } from './idempotent-object-registry.js';
+/**
+ * Parse hazards from pg-schema-diff output with context.
+ * Enhanced to extract the SQL statement that caused each hazard.
+ */
+export declare function parseHazardsWithContext(planOutput: string): ParsedHazard[];
+/**
+ * Display hazards with context and return flags.
+ */
+export declare function displayHazardsWithContext(hazards: ParsedHazard[], verbose: boolean): {
+    hasDeletesData: boolean;
+    hasAuthzUpdate: boolean;
+};
+/**
+ * Handle production data protection for DELETES_DATA hazard.
+ */
+export declare function handleProductionDataProtection(allowDataLoss: boolean): void;
+/**
+ * Handle production RLS policy protection for AUTHZ_UPDATE hazard.
+ */
+export declare function handleProductionAuthzProtection(confirmAuthzUpdate: boolean): void;
+/**
+ * Build list of allowed hazards based on environment and flags.
+ */
+export declare function buildAllowedHazards(input: DbApplyInput): string[];
+/**
+ * Handle hazards with enhanced context display.
+ *
+ * This function filters out false positive AUTHZ_UPDATE hazards for roles
+ * defined in idempotent/*.sql (e.g., drizzle_app, drizzle_service).
+ */
+export declare function handleHazardsWithContext(planOutput: string, input: DbApplyInput, schemasDir?: string): {
+    hazards: string[];
+    hasDeletesData: boolean;
+    hasAuthzUpdate: boolean;
+};
+/**
+ * Display check mode results.
+ */
+export declare function displayCheckModeResults(planOutput: string, filterInfo?: {
+    filteredPlanSql: string;
+    removedStatements: {
+        sql: string;
+    }[];
+}): void;
+//# sourceMappingURL=hazard-handler.d.ts.map

package/dist/commands/db/apply/helpers/idempotent-object-registry.d.ts

@@ -0,0 +1,96 @@
+/**
+ * AI HINT: Idempotent Object Registry
+ *
+ * Purpose: Detect and register all objects defined in idempotent/*.sql files.
+ * These objects are invisible to pg-schema-diff's shadow DB, so pg-schema-diff
+ * generates DROP statements for them. This registry is used to filter those out.
+ *
+ * Objects tracked:
+ * - Roles (CREATE ROLE) — for AUTHZ_UPDATE false positive filtering
+ * - Tables (CREATE TABLE) — for DROP TABLE protection
+ * - Functions, Triggers, Views, Types, Sequences — for DROP protection
+ *
+ * Security: All identifier extraction uses regex on comment-stripped SQL.
+ */
+/**
+ * Resolve the idempotent directory from a schemasDir path.
+ */
+export declare function resolveIdempotentDir(schemasDir?: string): string;
+/**
+ * Read and strip comments from all idempotent SQL files.
+ * Returns per-file results with filename and comment-stripped content.
+ */
+export declare function readIdempotentSqlFiles(idempotentDir: string): Array<{
+    file: string;
+    content: string;
+}> | null;
+/**
+ * Extract role names from idempotent SQL files.
+ * These roles are managed outside pg-schema-diff and should not trigger AUTHZ_UPDATE.
+ */
+export declare function getIdempotentRoles(schemasDir?: string): string[];
+/**
+ * Reset the cached idempotent roles.
+ * Useful for testing or when schema files change.
+ */
+export declare function resetIdempotentRolesCache(): void;
+/**
+ * Extract table names from idempotent SQL files.
+ * These tables are managed outside pg-schema-diff and must not be dropped.
+ *
+ * Also merges tables from `excludeFromOrphanDetection` config.
+ */
+export declare function getIdempotentProtectedTables(schemasDir?: string, configExclusions?: string[]): string[];
+export interface IdempotentProtectedObjects {
+    tables: string[];
+    functions: string[];
+    triggers: string[];
+    views: string[];
+    types: string[];
+    sequences: string[];
+}
+/**
+ * Extract all protected object names from idempotent/*.sql files.
+ *
+ * Scans for:
+ * - CREATE [OR REPLACE] FUNCTION schema.name(...)
+ * - CREATE TRIGGER name ON schema.table
+ * - CREATE [OR REPLACE] [MATERIALIZED] VIEW schema.name
+ * - CREATE TYPE schema.name
+ * - CREATE SEQUENCE schema.name
+ */
+export declare function getIdempotentProtectedObjects(schemasDir?: string, configExclusions?: string[]): IdempotentProtectedObjects;
+/**
+ * Parsed hazard with context information.
+ * Defined here to avoid circular dependency (used by both registry and handler).
+ */
+export interface ParsedHazard {
+    type: string;
+    message: string;
+    fullMatch: string;
+    /** SQL statement that caused this hazard (if extractable) */
+    causingSql?: string;
+    /** Line number in the plan output */
+    lineNumber?: number;
+}
+/**
+ * Check if an AUTHZ_UPDATE hazard is a false positive.
+ *
+ * False positives occur when the hazard's causingSql is a GRANT/REVOKE statement
+ * targeting a role defined in idempotent/*.sql. These are expected to be re-applied
+ * by the 2nd-pass idempotent execution.
+ *
+ * IMPORTANT: Only GRANT/REVOKE statements are considered FP. If causingSql is a
+ * schema change (ALTER TABLE, CREATE TABLE, etc.) that triggers an AUTHZ_UPDATE,
+ * it is a genuine hazard and should NOT be filtered.
+ */
+export declare function isIdempotentRoleHazard(hazard: ParsedHazard, schemasDir?: string): boolean;
+/**
+ * Filter out false positive hazards.
+ * Returns hazards that are NOT false positives (i.e., real issues).
+ */
+export declare function filterFalsePositiveHazards(hazards: ParsedHazard[], schemasDir?: string): {
+    filtered: ParsedHazard[];
+    falsePositives: ParsedHazard[];
+};
+//# sourceMappingURL=idempotent-object-registry.d.ts.map

package/dist/commands/db/apply/helpers/idempotent-transaction.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Check if a SQL file contains statements that cannot run inside a transaction block.
+ */
+export declare function hasTransactionIncompatibleStatements(filePath: string): boolean;
+/**
+ * Check if SQL content contains transaction-incompatible statements.
+ * Exported separately for testing without file I/O.
+ */
+export declare function hasTransactionIncompatibleContent(sql: string): boolean;
+/**
+ * Determine the transaction strategy for a SQL file.
+ *
+ * @returns 'wrap' if file can be wrapped in BEGIN/COMMIT, 'skip' otherwise
+ */
+export declare function getTransactionStrategy(filePath: string): 'wrap' | 'skip';
+/**
+ * Wrap SQL content in a transaction block (BEGIN/COMMIT).
+ */
+export declare function wrapInTransaction(sql: string): string;
+//# sourceMappingURL=idempotent-transaction.d.ts.map

package/dist/commands/db/apply/helpers/index.d.ts

@@ -20,4 +20,10 @@ export type { DetectedPartitionStub, PrefilterResult } from './partition-prefilt
 export { prefilterPartitionStubs } from './partition-prefilter.js';
 export type { ExpectedPartition, PartitionDrift } from './partition-validator.js';
 export { blankDollarQuotedBodies, detectPartitionDrift, formatPartitionWarnings, parseExpectedPartitions, queryActualPartitions, } from './partition-validator.js';
+export { isValidIdentifier, maskDbCredentials, qualifiedTable, quoteIdent } from './sql-utils.js';
+export type { PgSchemaDiffResult } from './fresh-db-handler.js';
+export { handleFreshDbCase, hasAppTables } from './fresh-db-handler.js';
+export { checkPasswordSecurity, parseDbCredentials, setRolePasswords, } from './rbac-password-manager.js';
+export { backupIdempotentTables, getTableRowEstimates, verifyDataIntegrity, } from './data-integrity-verifier.js';
+export { getTransactionStrategy, hasTransactionIncompatibleContent, hasTransactionIncompatibleStatements, wrapInTransaction, } from './idempotent-transaction.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/commands/db/apply/helpers/partition-validator.d.ts

@@ -1,3 +1,5 @@
+import { blankDollarQuotedBodies, stripSqlComments } from '../../../../lib/sql-comment-utils.js';
+export { blankDollarQuotedBodies, stripSqlComments };
 export interface ExpectedPartition {
     /** Qualified child table name (e.g., "events.location_events_2026_01") */
     child: string;
@@ -10,12 +12,6 @@ export interface PartitionDrift {
     /** Partitions expected in SQL but missing from the database */
     missing: ExpectedPartition[];
 }
-/**
- * Strip SQL comments while preserving quoted text.
- * Handles: -- line comments, nested block comments, single/double/dollar-quoted strings,
- * and PostgreSQL E-string literals (E'...' with backslash escapes).
- */
-export declare function stripSqlComments(content: string): string;
 /**
  * Qualified name pattern: optional schema prefix + table name.
  * Matches: schema.table, "schema"."table", or bare table (no schema).
@@ -43,15 +39,6 @@ export declare const PARTITION_OF_REGEX: RegExp;
  * Returns "schema.table" when schema is present, or just "table" when absent.
  */
 export declare function extractQualifiedName(quotedSchema: string | undefined, unquotedSchema: string | undefined, quotedTable: string | undefined, unquotedTable: string | undefined): string;
-/**
- * Replace content inside dollar-quoted strings with spaces.
- * This prevents false-positive PARTITION OF matches inside PL/pgSQL function bodies.
- *
- * Input is already comment-stripped (from stripSqlComments), so we only need to
- * handle dollar-quoted strings — single/double quotes are already handled by the
- * regex (they can't span the CREATE TABLE ... PARTITION OF ... ; pattern).
- */
-export declare function blankDollarQuotedBodies(content: string): string;
 /**
  * Parse all expected partitions from idempotent SQL directory.
  *

package/dist/commands/db/apply/helpers/pg-schema-diff-helpers.d.ts

@@ -1,163 +1,37 @@
 /**
  * AI HINT: pg-schema-diff Helper Functions
  *
- * Purpose: Utility functions for pg-schema-diff operations
- * Pattern: Pure functions for verification, parsing, and display
+ * Purpose: Binary verification, plan execution, and error detection for pg-schema-diff.
+ * This file was refactored from a 1,015-line monolith into 3 focused modules:
  *
- * False Positive Filtering:
- * - AUTHZ_UPDATE hazards for roles defined in idempotent/*.sql are filtered
- * - Reason: idempotent files (e.g., 15_rbac_roles.sql) grant privileges that
- *   pg-schema-diff doesn't know about (it only manages declarative/*.sql)
+ * - idempotent-object-registry.ts: Idempotent object detection & DROP protection
+ * - hazard-handler.ts: Hazard parsing, display, and production protection
+ * - pg-schema-diff-helpers.ts (this file): Binary verification, plan execution, error detection
+ *
+ * Re-exports are provided for backward compatibility.
  *
  * Security:
  * - All psql calls use parsePostgresUrl + buildPsqlArgs to prevent SQL injection
  * - Passwords are passed via PGPASSWORD env var, not command line
  */
-import type { DbApplyInput } from '../contract.js';
-/**
- * Extract role names from idempotent SQL files.
- * These roles are managed outside pg-schema-diff and should not trigger AUTHZ_UPDATE.
- */
-export declare function getIdempotentRoles(schemasDir?: string): string[];
-/**
- * Check if an AUTHZ_UPDATE hazard is a false positive.
- *
- * False positives occur when:
- * - The hazard type is AUTHZ_UPDATE
- * - The causing SQL references a role defined in idempotent/*.sql
- * - Example: "REVOKE ... FROM drizzle_app" when drizzle_app is in 15_rbac_roles.sql
- */
-export declare function isIdempotentRoleHazard(hazard: ParsedHazard, schemasDir?: string): boolean;
-/**
- * Filter out false positive hazards.
- * Returns hazards that are NOT false positives (i.e., real issues).
- */
-export declare function filterFalsePositiveHazards(hazards: ParsedHazard[], schemasDir?: string): {
-    filtered: ParsedHazard[];
-    falsePositives: ParsedHazard[];
-};
-/**
- * Reset the cached idempotent roles.
- * Useful for testing or when schema files change.
- */
-export declare function resetIdempotentRolesCache(): void;
-/**
- * AI HINT: Idempotent Table Extraction
- *
- * Purpose: Extract table names defined in idempotent/*.sql files
- * Use case: Filter out DROP TABLE statements for these tables from pg-schema-diff plan
- *
- * Pattern: Parse SQL for CREATE TABLE statements
- * Example: CREATE TABLE location_data.location_events → ['location_data.location_events']
- *
- * Incident context: pg-schema-diff drops tables not in declarative/*.sql because its
- * shadow DB doesn't contain idempotent-managed tables. This function identifies those
- * tables so their DROP statements can be filtered from the plan output.
- */
-/**
- * Extract table names from idempotent SQL files.
- * These tables are managed outside pg-schema-diff and must not be dropped.
- *
- * Also merges tables from `excludeFromOrphanDetection` config.
- */
-export declare function getIdempotentProtectedTables(schemasDir?: string, configExclusions?: string[]): string[];
+export type { IdempotentProtectedObjects, ParsedHazard, } from './idempotent-object-registry.js';
+export { filterFalsePositiveHazards, getIdempotentProtectedObjects, getIdempotentProtectedTables, getIdempotentRoles, isIdempotentRoleHazard, resetIdempotentRolesCache, } from './idempotent-object-registry.js';
+export { buildAllowedHazards, displayCheckModeResults, displayHazardsWithContext, handleHazardsWithContext, handleProductionAuthzProtection, handleProductionDataProtection, parseHazardsWithContext, } from './hazard-handler.js';
 /**
  * Verify pg-schema-diff binary is available.
  */
-export declare function verifyPgSchemaDiffBinary(): void;
-/**
- * Verify database connection.
- */
-export declare function verifyDatabaseConnection(dbUrl: string): void;
-/**
- * Parsed hazard with context information.
- */
-export interface ParsedHazard {
-    type: string;
-    message: string;
-    fullMatch: string;
-    /** SQL statement that caused this hazard (if extractable) */
-    causingSql?: string;
-    /** Line number in the plan output */
-    lineNumber?: number;
+export interface VerifyPgSchemaDiffBinaryOptions {
+    strictVersion?: boolean;
 }
 /**
- * Parse hazards from pg-schema-diff output with context.
- * Enhanced to extract the SQL statement that caused each hazard.
- */
-export declare function parseHazardsWithContext(planOutput: string): ParsedHazard[];
-/**
- * Display hazards with context and return flags.
- */
-export declare function displayHazardsWithContext(hazards: ParsedHazard[], verbose: boolean): {
-    hasDeletesData: boolean;
-    hasAuthzUpdate: boolean;
-};
-/**
- * Handle production data protection for DELETES_DATA hazard.
- */
-export declare function handleProductionDataProtection(allowDataLoss: boolean): void;
-/**
- * Handle production RLS policy protection for AUTHZ_UPDATE hazard.
- * RLS policy changes can silently affect security if not explicitly approved.
- */
-export declare function handleProductionAuthzProtection(confirmAuthzUpdate: boolean): void;
-/**
- * AI HINT: Idempotent Object Extraction
- *
- * Purpose: Extract all object names defined in idempotent/*.sql files
- * Use case: Filter DROP FUNCTION/TRIGGER/VIEW/TYPE/SEQUENCE from pg-schema-diff plan
- *
- * Pattern: Parse SQL for CREATE statements (after stripping comments)
- * Objects created in idempotent/*.sql are invisible to pg-schema-diff's shadow DB,
- * so pg-schema-diff generates DROP statements for them. We must filter these out.
- */
-export interface IdempotentProtectedObjects {
-    tables: string[];
-    functions: string[];
-    triggers: string[];
-    views: string[];
-    types: string[];
-    sequences: string[];
-}
-/**
- * Extract all protected object names from idempotent/*.sql files.
- *
- * Scans for:
- * - CREATE [OR REPLACE] FUNCTION schema.name(...)
- * - CREATE TRIGGER name ON schema.table
- * - CREATE [OR REPLACE] [MATERIALIZED] VIEW schema.name
- * - CREATE TYPE schema.name
- * - CREATE SEQUENCE schema.name
- *
- * Uses stripSqlComments to avoid matching inside comments.
- */
-export declare function getIdempotentProtectedObjects(schemasDir?: string, configExclusions?: string[]): IdempotentProtectedObjects;
-/**
- * Display check mode results.
- */
-export declare function displayCheckModeResults(planOutput: string, filterInfo?: {
-    filteredPlanSql: string;
-    removedStatements: {
-        sql: string;
-    }[];
-}): void;
-/**
- * Build list of allowed hazards based on environment and flags.
+ * Verify pg-schema-diff binary is available.
+ * strictVersion=true blocks unsupported/undetectable versions.
  */
-export declare function buildAllowedHazards(input: DbApplyInput): string[];
+export declare function verifyPgSchemaDiffBinary(options?: VerifyPgSchemaDiffBinaryOptions): void;
 /**
- * Handle hazards with enhanced context display.
- * Use this for detailed hazard reporting with SQL context.
- *
- * This function filters out false positive AUTHZ_UPDATE hazards for roles
- * defined in idempotent/*.sql (e.g., drizzle_app, drizzle_service).
+ * Verify database connection with retry for transient startup errors.
  */
-export declare function handleHazardsWithContext(planOutput: string, input: DbApplyInput, schemasDir?: string): {
-    hazards: string[];
-    hasDeletesData: boolean;
-    hasAuthzUpdate: boolean;
-};
+export declare function verifyDatabaseConnection(dbUrl: string): Promise<void>;
 export interface MissingExtensionDetection {
     detected: boolean;
     missingTypes: string[];
@@ -178,7 +52,6 @@ export interface PartitionPrivilegeDetection {
 }
 /**
  * Detect "privileges on partitions: not implemented" errors in pg-schema-diff output.
- * pg-schema-diff v1.0.5 hard-rejects partition privilege diffs in sql_generator.go.
  */
 export declare function detectPartitionPrivilegeError(errorOutput: string): PartitionPrivilegeDetection;
 /**
@@ -187,23 +60,12 @@ export declare function detectPartitionPrivilegeError(errorOutput: string): Part
 export declare function formatPartitionPrivilegeHint(detection: PartitionPrivilegeDetection): string;
 /**
  * Detect DROP TABLE statements in plan output.
- * Returns list of "schema.table" names that would be dropped.
- * Used for pre-apply warnings (separate from idempotent protection).
  */
 export declare function detectDropTableStatements(planOutput: string): string[];
-/**
- * Options for pg-schema-diff plan execution.
- */
 export interface PgSchemaDiffPlanOptions {
     /**
      * Shadow DB DSN for extension type resolution.
-     *
-     * When specified, pg-schema-diff uses this database for parsing
-     * extension-defined types (PostGIS geometry, pgvector vector, etc.).
-     *
-     * This is passed as --temp-db-dsn to pg-schema-diff.
-     *
-     * @see https://github.com/stripe/pg-schema-diff/pull/194
+     * Passed as --temp-db-dsn to pg-schema-diff.
      */
     tempDbDsn?: string;
 }
@@ -211,12 +73,6 @@ export interface PgSchemaDiffPlanOptions {
 export declare const PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS = 600000;
 /**
  * Execute pg-schema-diff plan and handle errors.
- *
- * @param dbUrl - Source database URL (--from-dsn)
- * @param schemasDir - Directory containing declarative SQL schemas (--to-dir)
- * @param includeSchemas - Schemas to include in diff
- * @param verbose - Enable verbose logging
- * @param options - Additional options (tempDbDsn for extension support)
  */
 export declare function executePgSchemaDiffPlan(dbUrl: string, schemasDir: string, includeSchemas: string[], verbose: boolean, options?: PgSchemaDiffPlanOptions): {
     planOutput: string;

package/dist/commands/db/apply/helpers/pg-schema-diff-patterns.d.ts

@@ -0,0 +1,55 @@
+/**
+ * AI HINT: pg-schema-diff Version-Sensitive Patterns
+ *
+ * Purpose: Centralize all regex patterns that depend on pg-schema-diff output format.
+ * When pg-schema-diff changes its output format, update ONLY this file.
+ *
+ * VERSION SENSITIVE: Tested against pg-schema-diff v0.9.x – v0.11.x
+ */
+/**
+ * Regex to detect statement index markers in plan output.
+ * VERSION SENSITIVE: pg-schema-diff v0.9.x uses "-- Statement Idx. N"
+ * Future versions may use different formats.
+ */
+export declare const STATEMENT_IDX_REGEX: RegExp;
+/**
+ * Test if a line is a statement index marker.
+ */
+export declare function isStatementMarker(line: string): boolean;
+/**
+ * Regex to parse hazard comments from plan output.
+ * VERSION SENSITIVE: pg-schema-diff v0.9.x uses "-- Hazard TYPE: message"
+ */
+export declare const HAZARD_REGEX: RegExp;
+/**
+ * Parse a hazard comment line. Returns null if not a hazard.
+ */
+export declare function parseHazardLine(line: string): {
+    type: string;
+    message: string;
+} | null;
+/**
+ * Map of type names to their required PostgreSQL extensions.
+ * VERSION SENSITIVE: pg-schema-diff reports these as type errors in shadow DB.
+ */
+export declare const EXTENSION_TYPE_MAP: Record<string, string>;
+/**
+ * Detect if a pg-schema-diff error is caused by a missing extension type.
+ * Returns the extension name if detected, null otherwise.
+ */
+export declare function detectExtensionTypeError(stderr: string): string | null;
+/**
+ * Regex to detect the pg-schema-diff partition privilege error.
+ * VERSION SENSITIVE: pg-schema-diff v1.0.5 uses this exact message.
+ */
+export declare const PARTITION_PRIVILEGE_ERROR_REGEX: RegExp;
+/**
+ * Check if a pg-schema-diff error is the known partition privilege limitation.
+ */
+export declare function isPartitionPrivilegeError(stderr: string): boolean;
+/**
+ * Check if stderr contains hazard-like content that wasn't parsed by the
+ * standard hazard regex. Used as a fallback warning mechanism.
+ */
+export declare function hasUnparsedHazardHints(stderr: string): boolean;
+//# sourceMappingURL=pg-schema-diff-patterns.d.ts.map

package/dist/commands/db/apply/helpers/pg-schema-diff-version.d.ts

@@ -0,0 +1,50 @@
+/**
+ * AI HINT: pg-schema-diff Version Detection & Compatibility
+ *
+ * Purpose: Detect installed pg-schema-diff version and enforce compatibility.
+ * In strict mode (production), incompatible/undetectable versions are blocked.
+ */
+/**
+ * Known compatible pg-schema-diff version range.
+ * Update this when testing against new pg-schema-diff releases.
+ */
+export declare const SUPPORTED_PG_SCHEMA_DIFF_VERSIONS: {
+    minMajor: number;
+    minMinor: number;
+    maxMajor: number;
+    maxMinor: number;
+};
+export interface PgSchemaDiffVersion {
+    raw: string;
+    major: number;
+    minor: number;
+    patch: number;
+}
+export interface VerifyPgSchemaDiffVersionOptions {
+    strict?: boolean;
+}
+/**
+ * Parse a version string into components.
+ * Supports formats:
+ *   - "v0.9.0", "0.10.1" (legacy --version output)
+ *   - "version=v1.0.5" (v1.x+ `version` subcommand output)
+ *   - "pg-schema-diff version v0.9.3" (verbose output)
+ */
+export declare function parseVersion(raw: string): PgSchemaDiffVersion | null;
+/**
+ * Check if a version is within the supported range.
+ */
+export declare function isVersionSupported(version: PgSchemaDiffVersion): boolean;
+/**
+ * Detect the installed pg-schema-diff version by running the binary.
+ * Tries `version` subcommand first (v1.x+), falls back to `--version` (v0.x).
+ * Returns null if the binary is not found or version cannot be parsed.
+ */
+export declare function detectPgSchemaDiffVersion(binaryPath: string): PgSchemaDiffVersion | null;
+/**
+ * Verify pg-schema-diff version compatibility.
+ * strict=true: throw on unknown/incompatible version (fail-closed).
+ * strict=false: warn only (best effort).
+ */
+export declare function verifyPgSchemaDiffVersion(binaryPath: string, options?: VerifyPgSchemaDiffVersionOptions): void;
+//# sourceMappingURL=pg-schema-diff-version.d.ts.map

package/dist/commands/db/apply/helpers/plan-validator.d.ts

@@ -36,6 +36,10 @@ export declare const ValidatedPlanSchema: z.ZodObject<{
     }, z.core.$strip>>;
     totalStatements: z.ZodNumber;
     rawSql: z.ZodString;
+    parseConfidence: z.ZodOptional<z.ZodEnum<{
+        high: "high";
+        low: "low";
+    }>>;
 }, z.core.$strip>;
 export type PlanHazard = z.infer<typeof PlanHazardSchema>;
 export type PlanStatement = z.infer<typeof PlanStatementSchema>;
@@ -54,16 +58,6 @@ export interface FilterResult {
     filteredPlan: ValidatedPlan;
     removedStatements: PlanStatement[];
 }
-/**
- * Check if a DROP statement targets a protected (idempotent-managed) table or index.
- *
- * Matching rules:
- * - DROP TABLE [IF EXISTS] schema.table → exact match or glob match
- * - DROP INDEX [IF EXISTS] schema.idx_* → index in same schema as protected table
- *
- * Glob support: patterns with `*` (e.g., `location_data.location_events_*`)
- * are converted to regex for matching partition child tables.
- */
 declare function isDropStatementForProtected(sql: string, protectedTables: string[]): boolean;
 /**
  * Check if a DROP FUNCTION/TRIGGER/VIEW/TYPE/SEQUENCE targets a protected object.

package/dist/commands/db/apply/helpers/rbac-password-manager.d.ts

@@ -0,0 +1,34 @@
+/**
+ * AI HINT: RBAC Role Password Manager
+ *
+ * Purpose: Set passwords for RBAC roles (drizzle_app, drizzle_service) by
+ * extracting credentials from DATABASE_URL and DATABASE_URL_SERVICE.
+ *
+ * 3-Role Architecture:
+ * - postgres: DDL (schema migrations via db sync/apply)
+ * - drizzle_app: DML + RLS enforced (user API requests)
+ * - drizzle_service: DML + RLS bypassed (webhooks, background jobs)
+ *
+ * Security:
+ * - Role names validated against alphanumeric pattern
+ * - Passwords passed via psql command (not in logs)
+ * - Same-password warning detects RBAC bypass risk
+ */
+/**
+ * Parse database URL credentials safely.
+ */
+export declare function parseDbCredentials(url: string): {
+    username: string;
+    password: string;
+} | null;
+/**
+ * Check if drizzle_app and postgres roles use the same password.
+ * Logs a warning if they do (security risk).
+ */
+export declare function checkPasswordSecurity(): void;
+/**
+ * Set passwords for RBAC roles by extracting from DATABASE_URL and DATABASE_URL_SERVICE.
+ * Returns the number of role passwords that were successfully set.
+ */
+export declare function setRolePasswords(dbUrl: string, verbose: boolean): number;
+//# sourceMappingURL=rbac-password-manager.d.ts.map

package/dist/commands/db/apply/helpers/retry-logic.d.ts

@@ -4,7 +4,7 @@
  * Purpose: Retry pg-schema-diff operations on lock_timeout errors
  * Pattern: Exponential backoff with jitter (configurable max delay)
  */
-import { type IdempotentProtectedObjects } from './pg-schema-diff-helpers.js';
+import type { IdempotentProtectedObjects } from './pg-schema-diff-helpers.js';
 export declare const MAX_RETRIES = 5;
 export declare const BASE_DELAY_MS = 1000;
 export declare const DEFAULT_MAX_DELAY_MS = 30000;
@@ -41,7 +41,16 @@ export declare function sleep(ms: number): Promise<void>;
  */
 export declare function calculateBackoffDelay(attempt: number, maxDelayMs?: number): number;
 /**
- * Check if error is a lock_timeout error.
+ * Check if error is a lock_timeout error (retryable DDL lock contention).
+ *
+ * Matches PostgreSQL error patterns for DDL lock failures:
+ * - "lock_timeout" — GUC name appearing in error context
+ * - "canceling statement due to lock timeout" — explicit lock timeout message
+ * - "could not obtain lock on relation" — DDL lock acquisition failure
+ * - "deadlock detected" — deadlock between concurrent DDL
+ *
+ * NOTE: "could not obtain lock" (without "on relation") is intentionally NOT matched
+ * because it can fire for advisory lock failures or other non-DDL lock types.
  */
 export declare function isLockTimeoutError(errorOutput: string): boolean;
 /**
@@ -79,6 +88,11 @@ export interface PlanSqlRetryConfig extends RetryConfig {
      * Extends table protection to functions, triggers, views, types, and sequences.
      */
     protectedObjects?: IdempotentProtectedObjects;
+    /**
+     * Fail-closed when plan parser confidence is low.
+     * Recommended for production to avoid executing ambiguous SQL plans.
+     */
+    failOnLowParseConfidence?: boolean;
 }
 /**
  * Execute plan SQL via psql with retry logic.

package/dist/commands/db/apply/helpers/shadow-db-manager.d.ts

@@ -79,5 +79,5 @@ export declare function createShadowDbWithExtensions(config: ShadowDbConfig): Pr
 /**
  * Check if shadow DB with extensions is needed based on config.
  */
-export declare function needsShadowDb(extensions: string[] | undefined): boolean;
+export declare function needsShadowDb(extensions: string[] | undefined): extensions is [string, ...string[]];
 //# sourceMappingURL=shadow-db-manager.d.ts.map