@runa-ai/runa-cli 0.5.72 → 0.6.0

package/dist/commands/db/apply/helpers/sql-utils.d.ts

@@ -0,0 +1,26 @@
+/**
+ * AI HINT: Shared SQL Utility Functions
+ *
+ * Purpose: Common SQL utilities used across db apply helpers.
+ * Eliminates duplication of identifier quoting and validation.
+ */
+/**
+ * Validate that a name is a safe SQL identifier (no injection risk).
+ * Accepts: alphanumeric + underscore, must start with letter or underscore.
+ */
+export declare function isValidIdentifier(name: string): boolean;
+/**
+ * Quote an SQL identifier (double-quote escaping).
+ * Escapes embedded double-quotes by doubling them.
+ */
+export declare function quoteIdent(name: string): string;
+/**
+ * Build a fully qualified table name: "schema"."table"
+ */
+export declare function qualifiedTable(schema: string, table: string): string;
+/**
+ * Mask database credentials and sensitive information in error messages.
+ * Prevents accidental exposure of passwords, hosts, and ports in logs.
+ */
+export declare function maskDbCredentials(message: string): string;
+//# sourceMappingURL=sql-utils.d.ts.map

package/dist/commands/db/apply/machine.d.ts

@@ -36,6 +36,7 @@ import type { DbApplyInput } from './contract.js';
 interface DbApplyContext {
     input: DbApplyInput;
     targetDir: string;
+    lockAcquired: boolean;
     idempotentPreApplied: number;
     idempotentPreSkipped: number;
     idempotentPostApplied: number;
@@ -48,7 +49,14 @@ interface DbApplyContext {
     partitionWarnings: string[];
     error: string | null;
     planSql: string | null;
+    filteredPlanSql: string | null;
     ssotWarning: string | null;
+    idempotentFiles: string[];
+    idempotentRisks: {
+        high: number;
+        medium: number;
+        low: number;
+    } | null;
     startTime: number;
     idempotentPreStartTime: number | null;
     idempotentPreEndTime: number | null;
@@ -71,6 +79,15 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
     }, {
         input: DbApplyInput;
         targetDir: string;
+    }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<{
+        acquired: boolean;
+    }, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<void, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<actors.IdempotentPreviewResult, {
+        input: DbApplyInput;
+        targetDir: string;
     }, import("xstate").EventObject>> | import("xstate").ActorRefFromLogic<import("xstate").PromiseActorLogic<actors.ApplyResult, {
         input: DbApplyInput;
         targetDir: string;
@@ -93,6 +110,27 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
         targetDir: string;
     }, import("xstate").EventObject>;
     id: string | undefined;
+} | {
+    src: "acquireLock";
+    logic: import("xstate").PromiseActorLogic<{
+        acquired: boolean;
+    }, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>;
+    id: string | undefined;
+} | {
+    src: "releaseLock";
+    logic: import("xstate").PromiseActorLogic<void, {
+        input: DbApplyInput;
+    }, import("xstate").EventObject>;
+    id: string | undefined;
+} | {
+    src: "previewIdempotentSchemas";
+    logic: import("xstate").PromiseActorLogic<actors.IdempotentPreviewResult, {
+        input: DbApplyInput;
+        targetDir: string;
+    }, import("xstate").EventObject>;
+    id: string | undefined;
 } | {
     src: "applyIdempotentSchemas";
     logic: import("xstate").PromiseActorLogic<actors.ApplyResult, {
@@ -117,7 +155,10 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
         targetDir: string;
     }, import("xstate").EventObject>;
     id: string | undefined;
-}, never, never, never, "failed" | "done" | "idle" | "applyingIdempotentPre" | "applyingPgSchemaDiff" | "applyingIdempotentPost" | "validatingPartitions" | "applyingSeeds", string, {
+}, {
+    type: "releaseAdvisoryLockOnFailure";
+    params: unknown;
+}, never, never, "done" | "failed" | "idle" | "acquiringLock" | "previewingIdempotent" | "applyingIdempotentPre" | "applyingPgSchemaDiff" | "applyingIdempotentPost" | "validatingPartitions" | "releasingLock" | "applyingSeeds", string, {
     input: DbApplyInput;
     targetDir: string;
 }, {
@@ -130,10 +171,17 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
     rolePasswordsSet?: number | undefined;
     error?: string | undefined;
     planSql?: string | undefined;
+    filteredPlanSql?: string | undefined;
     checkOnly?: boolean | undefined;
     dataViolations?: number | undefined;
     ssotWarning?: string | undefined;
     partitionWarnings?: string[] | undefined;
+    idempotentFiles?: string[] | undefined;
+    idempotentRisks?: {
+        high: number;
+        medium: number;
+        low: number;
+    } | undefined;
     metrics?: {
         totalMs: number;
         idempotentMs?: number | undefined;
@@ -145,10 +193,13 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
     id: "dbApply";
     states: {
         readonly idle: {};
+        readonly acquiringLock: {};
+        readonly previewingIdempotent: {};
         readonly applyingIdempotentPre: {};
         readonly applyingPgSchemaDiff: {};
         readonly applyingIdempotentPost: {};
         readonly validatingPartitions: {};
+        readonly releasingLock: {};
         readonly applyingSeeds: {};
         readonly done: {};
         readonly failed: {};

package/dist/commands/db/commands/db-apply.d.ts

@@ -1,4 +1,22 @@
 import { Command } from 'commander';
+import { type DbApplyOutput } from '../apply/index.js';
+export interface DbApplyOptions {
+    verbose?: boolean;
+    /** Commander pairs --seed/--no-seed into this single property */
+    seed?: boolean;
+    databaseUrl?: string;
+    autoApprove?: boolean;
+    allowDataLoss?: boolean;
+    confirmAuthzUpdate?: boolean;
+    check?: boolean;
+    skipDataCheck?: boolean;
+    maxLockWaitMs?: number;
+    freshDbCheckSql?: string;
+}
+/**
+ * Run db apply workflow
+ */
+export declare function runDbApply(env: string, options: DbApplyOptions): Promise<DbApplyOutput>;
 /**
  * db:apply command - Apply schema changes using pg-schema-diff at runtime
  */

package/dist/commands/db/commands/db-sync/boundary-classifier.d.ts

@@ -0,0 +1,21 @@
+/**
+ * AI HINT: Boundary Classifier for db-sync precheck
+ *
+ * Purpose: Classify DDL statements as belonging to declarative or idempotent
+ * directories, and detect misplacement risks. Works with the boundary policy
+ * to determine which DDL objects are expected in which directory.
+ */
+import type { getBoundaryPolicy } from '../../utils/boundary-policy-runtime.js';
+import type { DirectoryRiskEntry } from './types.js';
+import { GRANT_STATEMENT_RULE_TEXT, PLAN_BOUNDARY_CONTEXT_FILE } from './types.js';
+export { PLAN_BOUNDARY_CONTEXT_FILE, GRANT_STATEMENT_RULE_TEXT };
+export declare function isBoundaryRelevantDdlStatement(statement: string): boolean;
+export declare function isPlanBoundaryAmbiguous(statement: string): boolean;
+export declare function classifyUnknownObjectBoundary(file: string, object: string, fileType: 'declarative' | 'idempotent', policy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry | null;
+export declare function classifyPlanStatementBoundaryCandidates(statement: string, statementIndex: number, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>, options?: {
+    skipDefault?: boolean;
+}): DirectoryRiskEntry[];
+export declare function classifyPlanStatementBoundaryRisk(statement: string, statementIndex: number, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry | undefined;
+export declare function classifyDeclarativeMisplacementRisk(file: string, content: string, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry[];
+export declare function classifyIdempotentMisplacementRisk(file: string, content: string, boundaryPolicy: ReturnType<typeof getBoundaryPolicy>): DirectoryRiskEntry[];
+//# sourceMappingURL=boundary-classifier.d.ts.map

package/dist/commands/db/commands/db-sync/plan-hazard-analyzer.d.ts

@@ -0,0 +1,13 @@
+/**
+ * AI HINT: Plan Hazard Analyzer for db-sync precheck
+ *
+ * Purpose: Analyze pg-schema-diff plan output for hazards (DELETES_DATA,
+ * AUTHZ_UPDATE, etc.) and classify their boundary risk level.
+ */
+import type { PlanHazard, PlanStatement } from '../../apply/helpers/plan-validator.js';
+import { type DirectoryRiskEntry, type DirectoryRiskLevel } from './types.js';
+export declare function parseHazardType(hazard: string): string;
+export declare function getPlanHazardBoundaryLevel(type: string): DirectoryRiskLevel;
+export declare function buildPlanHazardBoundaryMessage(statement: string, statementIndex: number, hazard: PlanHazard): string;
+export declare function classifyPlanStatementHazards(statement: PlanStatement): DirectoryRiskEntry[];
+//# sourceMappingURL=plan-hazard-analyzer.d.ts.map

package/dist/commands/db/commands/db-sync/risk-reporter.d.ts

@@ -0,0 +1,19 @@
+/**
+ * AI HINT: Risk Reporter for db-sync precheck
+ *
+ * Purpose: Format, deduplicate, and display risk findings from declarative
+ * risk analysis, directory placement checks, and plan boundary reconciliation.
+ */
+import type { createCLILogger } from '@runa-ai/runa';
+import type { CompactFinding, DeclarativeRiskItem, DirectoryRiskEntry, DirectoryRiskLevel } from './types.js';
+export declare function getDirectoryRiskWeight(level: DirectoryRiskLevel): number;
+export declare function compareDirectoryRiskPriority(left: DirectoryRiskEntry, right: DirectoryRiskEntry): number;
+export declare function selectHighestPriorityRisk(entries: DirectoryRiskEntry[]): DirectoryRiskEntry | undefined;
+export declare function buildDirectoryRiskKey(entry: DirectoryRiskEntry): string;
+export declare function dedupeDirectoryRisksBySeverity(entries: DirectoryRiskEntry[]): DirectoryRiskEntry[];
+export declare function printList(title: string, items: string[], logger: ReturnType<typeof createCLILogger>): void;
+export declare function stripCommonPrefix(filePath: string): string;
+export declare function formatDeclarativeRiskMessage(risk: DeclarativeRiskItem): string;
+export declare function buildCompactFindingSummary(rawItems: string[]): CompactFinding[];
+export declare function printCompactSummary(logger: ReturnType<typeof createCLILogger>, title: string, rawItems: string[], topLimit: number): void;
+//# sourceMappingURL=risk-reporter.d.ts.map

package/dist/commands/db/commands/db-sync/sql-parser.d.ts

@@ -0,0 +1,25 @@
+/**
+ * AI HINT: SQL Parser for db-sync precheck
+ *
+ * Purpose: Low-level SQL text parsing utilities for embedded SQL extraction
+ * and directory placement analysis. These parsers handle dollar-quoted literals,
+ * single-quoted literals, and PL/pgSQL embedded SQL patterns.
+ */
+export declare function isWordChar(char: string): boolean;
+export declare function isWhitespaceChar(char: string): boolean;
+export declare function parseWordAt(statement: string, start: number): {
+    value: string;
+    start: number;
+    end: number;
+} | null;
+export declare function skipWhitespaceAndComments(statement: string, start: number): number;
+export declare function getPreviousWord(statement: string, start: number): string;
+export declare function parseDollarQuotedLiteral(statement: string, start: number): {
+    body: string;
+    next: number;
+} | null;
+export declare function extractEmbeddableSqlFragments(statement: string): string[];
+export declare function normalizeSqlForPlacementCheck(content: string): string;
+export declare function isPartitionOfCreateTable(statement: string): boolean;
+export declare function dedupeAndSort(lines: string[]): string[];
+//# sourceMappingURL=sql-parser.d.ts.map

package/dist/commands/db/commands/db-sync/types.d.ts

@@ -0,0 +1,47 @@
+import type { SchemaRisk } from '../../../../validators/risk-detector.js';
+export type DeclarativeRiskItem = SchemaRisk & {
+    file: string;
+};
+export type DirectoryRiskLevel = 'high' | 'medium' | 'low';
+export declare const DIRECTORY_RISK_ORDER: readonly ["high", "medium", "low"];
+export type DirectoryRiskEntry = {
+    file: string;
+    level: DirectoryRiskLevel;
+    message: string;
+    line?: number;
+};
+export type DirectoryRiskRule = {
+    level: DirectoryRiskLevel;
+    pattern: RegExp | ((statement: string) => boolean);
+    message: string;
+};
+export type ExtensionCheckReport = {
+    blockers: string[];
+    warnings: string[];
+};
+export type AllowlistAwareReport = ExtensionCheckReport & {
+    allowlist: string[];
+    stats?: {
+        parsedStatements: number;
+        planHazards: number;
+        classifiedHazardStatements: number;
+        classifiedRiskStatements: number;
+        allowlistSuppressed: number;
+        parseWarnings: number;
+        unclassifiedStatements: number;
+    };
+};
+export type CompactFinding = {
+    message: string;
+    count: number;
+    samples: string[];
+};
+export type SyncOptions = {
+    json?: boolean;
+    showImportImpact?: boolean;
+    withProductionApplyCheck?: boolean;
+    strict?: boolean;
+};
+export declare const PLAN_BOUNDARY_CONTEXT_FILE = "pg-schema-diff plan.sql";
+export declare const GRANT_STATEMENT_RULE_TEXT = "Grant/REVOKE statements are usually idempotent/bootstrap ACL setup and should be treated as such";
+//# sourceMappingURL=types.d.ts.map

package/dist/commands/db/commands/db-sync.d.ts

@@ -1,3 +1,17 @@
+/**
+ * AI HINT: db-sync command — Schema sync check + production apply precheck
+ *
+ * Purpose: Compare TypeScript schema vs database, detect schema drift,
+ * and run production apply prechecks (declarative risk, directory placement,
+ * plan boundary reconciliation).
+ *
+ * Submodules (db-sync/):
+ *   types.ts               — Shared type definitions
+ *   sql-parser.ts          — SQL text parsing & embedded SQL extraction
+ *   boundary-classifier.ts — DDL statement boundary classification
+ *   plan-hazard-analyzer.ts— pg-schema-diff plan hazard analysis
+ *   risk-reporter.ts       — Risk formatting, deduplication, display
+ */
 import { Command } from 'commander';
 export declare const checkCommand: Command;
 //# sourceMappingURL=db-sync.d.ts.map

package/dist/commands/db/sync/contract.d.ts

@@ -36,6 +36,7 @@ export declare const DbSyncInputSchema: z.ZodObject<{
     autoApprove: z.ZodDefault<z.ZodBoolean>;
     verbose: z.ZodDefault<z.ZodBoolean>;
     skipCodegen: z.ZodDefault<z.ZodBoolean>;
+    strictIntrospect: z.ZodDefault<z.ZodBoolean>;
     targetDir: z.ZodOptional<z.ZodString>;
     fromProduction: z.ZodDefault<z.ZodBoolean>;
     autoSnapshot: z.ZodDefault<z.ZodBoolean>;
@@ -46,9 +47,9 @@ export type DbSyncInput = z.infer<typeof DbSyncInputSchema>;
  * Step result type
  */
 export declare const StepResultSchema: z.ZodEnum<{
-    passed: "passed";
-    failed: "failed";
     skipped: "skipped";
+    failed: "failed";
+    passed: "passed";
 }>;
 export type StepResult = z.infer<typeof StepResultSchema>;
 /**
@@ -104,8 +105,10 @@ export declare const StepContextSchema: z.ZodObject<{
     }>;
     check: z.ZodBoolean;
     force: z.ZodBoolean;
+    autoApprove: z.ZodBoolean;
     verbose: z.ZodBoolean;
     skipCodegen: z.ZodBoolean;
+    strictIntrospect: z.ZodBoolean;
     fromProduction: z.ZodBoolean;
     autoSnapshot: z.ZodBoolean;
     noSeed: z.ZodBoolean;
@@ -148,6 +151,7 @@ export declare const DbSyncMachineInputSchema: z.ZodObject<{
     autoApprove: z.ZodOptional<z.ZodBoolean>;
     verbose: z.ZodOptional<z.ZodBoolean>;
     skipCodegen: z.ZodOptional<z.ZodBoolean>;
+    strictIntrospect: z.ZodOptional<z.ZodBoolean>;
     targetDir: z.ZodOptional<z.ZodString>;
     fromProduction: z.ZodOptional<z.ZodBoolean>;
     autoSnapshot: z.ZodOptional<z.ZodBoolean>;

package/dist/commands/db/sync/machine.d.ts

@@ -104,13 +104,14 @@ export declare const dbSyncMachine: import("xstate").StateMachine<DbSyncContext,
     src: "writeReport";
     logic: import("xstate").PromiseActorLogic<actors.ReportOutput, actors.ReportInput, import("xstate").EventObject>;
     id: string | undefined;
-}, never, never, never, "failed" | "done" | "sync" | "setup" | "idle" | "snapshot" | "preflight" | "reconcile" | "report", string, {
+}, never, never, never, "done" | "failed" | "sync" | "setup" | "idle" | "snapshot" | "preflight" | "reconcile" | "report", string, {
     env?: "local" | "preview" | "production" | undefined;
     check?: boolean | undefined;
     force?: boolean | undefined;
     autoApprove?: boolean | undefined;
     verbose?: boolean | undefined;
     skipCodegen?: boolean | undefined;
+    strictIntrospect?: boolean | undefined;
     targetDir?: string | undefined;
     fromProduction?: boolean | undefined;
     autoSnapshot?: boolean | undefined;

package/dist/commands/db/types.d.ts

@@ -77,6 +77,8 @@ export interface DbCommandOptions {
     verbose?: boolean;
     /** CI optimization: skip TypeScript + Zod generation during db sync */
     skipCodegen?: boolean;
+    /** Fail when generated schema still contains unresolved unknown(...) columns */
+    strictIntrospect?: boolean;
     json?: boolean;
     sql?: boolean;
     format?: string;

package/dist/commands/db/utils/boundary-policy/rule-compiler.d.ts

@@ -0,0 +1,11 @@
+/**
+ * AI HINT: Boundary policy rule compiler.
+ *
+ * Purpose: Convert raw policy JSON arrays into typed allowlist rules
+ * and normalize a full policy object with fallback defaults.
+ */
+import type { BoundaryPolicy, BoundaryPolicyMeta, DeclarativeRiskAllowlistRule, DirectoryPlacementAllowlistRule, PolicyIssueFormatter } from './types.js';
+export declare function toDeclarativeRiskRules(rawList: unknown, issueFormatter: PolicyIssueFormatter): DeclarativeRiskAllowlistRule[];
+export declare function toDirectoryPlacementRules(rawList: unknown, issueFormatter: PolicyIssueFormatter): DirectoryPlacementAllowlistRule[];
+export declare function normalizePolicySource(raw: unknown, source: BoundaryPolicyMeta['source'], sourcePath: string, issueFormatter: PolicyIssueFormatter): BoundaryPolicy;
+//# sourceMappingURL=rule-compiler.d.ts.map

package/dist/commands/db/utils/boundary-policy/types.d.ts

@@ -0,0 +1,105 @@
+/**
+ * AI HINT: Boundary policy type definitions and small utility functions.
+ *
+ * Purpose: Shared types for boundary-policy validation, compilation, and loading.
+ */
+export type BoundaryPolicyRiskLevel = 'high' | 'medium' | 'low';
+export type AllowlistMetadata = {
+    owner?: string;
+    ticket?: string;
+    expiresAt?: string;
+    active?: boolean;
+};
+export type DeclarativeRiskAllowlistRule = {
+    id: string;
+    filePattern: RegExp;
+    descriptionPattern: RegExp;
+    level?: BoundaryPolicyRiskLevel;
+    reason: string;
+    owner?: string;
+    ticket?: string;
+    expiresAt?: string;
+    active: boolean;
+};
+export type DirectoryPlacementAllowlistRule = {
+    id: string;
+    filePattern: RegExp;
+    messagePattern: RegExp;
+    level?: BoundaryPolicyRiskLevel;
+    lineStart?: number;
+    lineEnd?: number;
+    reason: string;
+    owner?: string;
+    ticket?: string;
+    expiresAt?: string;
+    active: boolean;
+};
+export type BoundaryPolicyRaw = {
+    version?: unknown;
+    description?: unknown;
+    strictByDefault?: unknown;
+    declarativePreferredObjects?: unknown;
+    idempotentPreferredObjects?: unknown;
+    declarativeRiskAllowlist?: unknown;
+    directoryPlacementAllowlist?: unknown;
+};
+export type RawRule = {
+    id?: unknown;
+    filePattern?: unknown;
+    descriptionPattern?: unknown;
+    messagePattern?: unknown;
+    level?: unknown;
+    reason?: unknown;
+    owner?: unknown;
+    ticket?: unknown;
+    expiresAt?: unknown;
+    active?: unknown;
+    line?: unknown;
+    lineStart?: unknown;
+    lineEnd?: unknown;
+};
+export type BoundaryPolicyMeta = {
+    source: 'default' | 'policy-file';
+    sourcePath: string;
+    fallbackUsed: boolean;
+    invalidPolicy: boolean;
+    issues: string[];
+    warningCount: number;
+};
+export type BoundaryPolicy = {
+    version: string;
+    description: string;
+    strictByDefault: boolean;
+    declarativePreferredObjects: Set<string>;
+    idempotentPreferredObjects: Set<string>;
+    declarativeRiskAllowlist: DeclarativeRiskAllowlistRule[];
+    directoryPlacementAllowlist: DirectoryPlacementAllowlistRule[];
+    __meta: BoundaryPolicyMeta;
+};
+export type PolicyValidationSeverity = 'warning' | 'error';
+export type PolicyValidationIssue = {
+    field: string;
+    message: string;
+    severity: PolicyValidationSeverity;
+};
+export type PolicyIssueFormatter = (field: string, message: string, severity?: PolicyValidationSeverity) => void;
+export declare const BOUNDARY_POLICY_FILENAME = ".boundary-policy.json";
+export declare const DEFAULT_POLICY_VERSION = "1.0";
+export declare const SAFE_REGEXP: RegExp;
+export declare const POLICY_VERSION_PATTERN: RegExp;
+export declare const OBJECT_NAME_PATTERN: RegExp;
+export declare const DATE_ISO_PATTERN: RegExp;
+export declare const FALLBACK_DECLARATIVE_OBJECTS: Set<string>;
+export declare const FALLBACK_IDEMPOTENT_OBJECTS: Set<string>;
+export declare const FALLBACK_DECLARATIVE_RISK_ALLOWLIST: DeclarativeRiskAllowlistRule[];
+export declare const FALLBACK_DIRECTORY_PLACEMENT_ALLOWLIST: DirectoryPlacementAllowlistRule[];
+export declare function isObject(value: unknown): value is Record<string, unknown>;
+export declare function isStringArray(value: unknown): value is string[];
+export declare function isPastDate(value: string, today: string): boolean;
+export declare function isAllowlistRuleUsable(rule: {
+    active: boolean;
+    expiresAt?: string;
+}): boolean;
+export declare function formatBoundaryPolicyIssue(filePath: string, issue: PolicyValidationIssue): string;
+export declare function formatAllowlistMetadata(rule: AllowlistMetadata): string;
+//# sourceMappingURL=types.d.ts.map

package/dist/commands/db/utils/boundary-policy/validation.d.ts

@@ -0,0 +1,20 @@
+/**
+ * AI HINT: Boundary policy validation and coercion functions.
+ *
+ * Purpose: Validate raw policy JSON and coerce individual fields
+ * into strongly typed values with issue reporting.
+ */
+import type { BoundaryPolicyRiskLevel, PolicyIssueFormatter, PolicyValidationIssue, PolicyValidationSeverity } from './types.js';
+export declare function validateBoundaryPolicy(raw: unknown): PolicyValidationIssue[];
+export declare function coercePolicyStringList(value: unknown, field: string, issueFormatter: PolicyIssueFormatter): Set<string>;
+export declare function coerceRiskLevel(level: unknown): BoundaryPolicyRiskLevel | undefined;
+export declare function compileRegExp(pattern: string, issueFormatter: PolicyIssueFormatter): RegExp;
+export declare function coerceRuleId(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | null;
+export declare function coerceRulePattern(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | null;
+export declare function coerceOptionalString(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | undefined;
+export declare function coerceOptionalPositiveInteger(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): number | undefined;
+export declare function coerceBoolean(raw: unknown, index: number, field: string, issueFormatter: PolicyIssueFormatter): boolean;
+export declare function coerceExpiresAt(raw: unknown, ruleId: string, index: number, field: string, issueFormatter: PolicyIssueFormatter): string | undefined;
+export declare function mapPolicyVersion(rawVersion: unknown): string;
+export declare function appendValidationIssue(issues: PolicyValidationIssue[], field: string, message: string, severity: PolicyValidationSeverity, policyFile: string, output: string[]): void;
+//# sourceMappingURL=validation.d.ts.map

package/dist/commands/db/utils/boundary-policy-runtime.d.ts

@@ -0,0 +1,28 @@
+import { loadBoundaryPolicy, type DeclarativeRiskAllowlistRule, type DirectoryPlacementAllowlistRule } from './boundary-policy.js';
+type Logger = {
+    warn: (message: string) => void;
+    info: (message: string) => void;
+};
+type BoundaryPolicy = ReturnType<typeof loadBoundaryPolicy>;
+type DeclarativeRiskLike = {
+    level: 'high' | 'medium' | 'low';
+    file: string;
+    description: string;
+};
+type DirectoryRiskLike = {
+    level: 'high' | 'medium' | 'low';
+    file: string;
+    message: string;
+    line?: number;
+};
+export declare function getBoundaryPolicy(cwd?: string): BoundaryPolicy;
+export declare function reportBoundaryPolicyState(logger: Logger, policy: BoundaryPolicy): void;
+export declare function assertBoundaryPolicyUsable(logger: Logger, policy: BoundaryPolicy): void;
+export declare function assertBoundaryPolicyQualityGate(logger: Logger, policy: BoundaryPolicy, strict: boolean): void;
+export declare function findDeclarativeRiskAllowlistMatch(risk: DeclarativeRiskLike, policy: BoundaryPolicy): DeclarativeRiskAllowlistRule | undefined;
+export declare function hasExplicitLineScope(rule: DirectoryPlacementAllowlistRule): boolean;
+export declare function entryLineScopeMatches(issueLine: number | undefined, rule: DirectoryPlacementAllowlistRule): boolean;
+export declare function findDirectoryPlacementAllowlistMatch(issue: DirectoryRiskLike, policy: BoundaryPolicy): DirectoryPlacementAllowlistRule | undefined;
+export declare function resolveProductionApplyStrictMode(policy: BoundaryPolicy, strictOption: boolean | undefined): boolean;
+export {};
+//# sourceMappingURL=boundary-policy-runtime.d.ts.map

package/dist/commands/db/utils/boundary-policy.d.ts

@@ -0,0 +1,5 @@
+import type { BoundaryPolicy } from './boundary-policy/types.js';
+export type { BoundaryPolicy, BoundaryPolicyMeta, BoundaryPolicyRiskLevel, DeclarativeRiskAllowlistRule, DirectoryPlacementAllowlistRule, } from './boundary-policy/types.js';
+export { formatAllowlistMetadata } from './boundary-policy/types.js';
+export declare function loadBoundaryPolicy(projectRoot: string, policyPath?: string): BoundaryPolicy;
+//# sourceMappingURL=boundary-policy.d.ts.map

package/dist/commands/db/utils/idempotent-risk-context.d.ts

@@ -0,0 +1,29 @@
+/**
+ * AI HINT: Idempotent Risk Context Correction
+ *
+ * Purpose: Shared constants and logic for adjusting risk severity in idempotent/ context.
+ * In idempotent/ files, DROP ... IF EXISTS is a standard cleanup-then-recreate pattern,
+ * so these are downgraded from their original severity to 'low'.
+ *
+ * Used by: preflight-check.ts, db-sync.ts
+ */
+/**
+ * Reason codes whose severity is downgraded to 'low' in idempotent context.
+ * DROP ... IF EXISTS patterns are standard cleanup-then-recreate in idempotent files.
+ * REVOKE + GRANT is a standard RBAC reset pattern in idempotent RBAC files.
+ * DO blocks are the expected pattern for conditional logic in idempotent files.
+ */
+export declare const IDEMPOTENT_DOWNGRADE_REASON_CODES: Set<string>;
+/**
+ * Reason codes whose severity is capped at 'medium' in idempotent context.
+ * DROP POLICY in idempotent files is typically a cleanup-then-recreate pattern,
+ * but still warrants review since it removes access control rules.
+ */
+export declare const IDEMPOTENT_MEDIUM_REASON_CODES: Set<string>;
+/**
+ * Correct risk severity for idempotent context.
+ *
+ * @returns adjusted severity level
+ */
+export declare function correctIdempotentRiskLevel(originalLevel: string, reasonCode: string | undefined): 'high' | 'medium' | 'low';
+//# sourceMappingURL=idempotent-risk-context.d.ts.map

package/dist/commands/db/utils/preflight-check.d.ts

@@ -7,12 +7,26 @@
  * NOTE: This is DIFFERENT from `runa db preflight` command which checks DATA QUALITY
  *   - preflight-check.ts: Environment validation (Supabase status, env vars, orphan detection)
  *   - preflight/index.ts: Data quality validation (updated_at >= created_at constraint)
+ *
+ * Structure:
+ *   - preflight-check.ts: Orchestrator, types, basic checks (this file)
+ *   - preflight-checks/supabase-checks.ts: Supabase status & DB connection
+ *   - preflight-checks/schema-risk-checks.ts: SQL schema risk scanning
+ *   - preflight-checks/orphan-checks.ts: Orphaned objects & extension config
  */
 export interface PreflightCheckResult {
     passed: boolean;
     warnings: string[];
     errors: string[];
 }
+/**
+ * Step counter for dynamic step numbering.
+ * This ensures correct sequential numbering regardless of which checks are executed.
+ */
+export declare class StepCounter {
+    private current;
+    next(): number;
+}
 /**
  * Run all preflight checks
  */