@runa-ai/runa-cli 0.5.72 → 0.7.0

package/dist/chunk-3FDQW524.js

@@ -0,0 +1,544 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+
+createRequire(import.meta.url);
+
+// src/validators/risk-detector-patterns.ts
+init_esm_shims();
+var IDENTIFIER_PATTERN = "[A-Za-z_][A-Za-z0-9_]*";
+var QUOTED_IDENTIFIER_PATTERN = '"(?:[^"]|"")*"';
+var SQL_IDENTIFIER = `(?:${IDENTIFIER_PATTERN}|${QUOTED_IDENTIFIER_PATTERN})`;
+var QUALIFIED_IDENTIFIER = `${SQL_IDENTIFIER}(?:\\s*\\.\\s*${SQL_IDENTIFIER})?`;
+var RUNA_AUTH_FUNCTION_NAME = /runa_auth_[A-Za-z_][A-Za-z0-9_]*/i;
+var RISK_PATTERNS = [
+  {
+    pattern: new RegExp(`\\bREFERENCES\\s+auth\\.${SQL_IDENTIFIER}\\s*\\(`, "gi"),
+    level: "high",
+    description: "REFERENCES auth.* violates Supabase Auth Schema Independence (AGENTS.md)",
+    mitigation: "Remove FK constraint. Store UUID without REFERENCES. See database.md#Supabase-Auth-Schema-Independence",
+    reasonCode: "HIGH_RISK_AUTH_REFERENCE",
+    confidence: "high"
+  },
+  {
+    pattern: /\bauth\.uid\s*\(\s*\)/gi,
+    level: "high",
+    description: "Direct auth.uid() usage violates Supabase Auth Schema Independence (AGENTS.md)",
+    mitigation: "Use runa_auth_uid() wrapper function instead. See database.md#Supabase-Auth-Schema-Independence",
+    reasonCode: "HIGH_RISK_AUTH_UID",
+    confidence: "high"
+  },
+  {
+    pattern: /\bauth\.jwt\s*\(\s*\)/gi,
+    level: "high",
+    description: "Direct auth.jwt() usage violates Supabase Auth Schema Independence (AGENTS.md)",
+    mitigation: "Use runa_auth_jwt() or runa_auth_claim_text() wrapper instead. See database.md#Supabase-Auth-Schema-Independence",
+    reasonCode: "HIGH_RISK_AUTH_JWT",
+    confidence: "high"
+  },
+  {
+    pattern: /\bpublic\.(?:st_[a-z_]+|geometry|geography|vector|halfvec|sparsevec|cube|earth|hstore|citext|ltree|lquery|ltxtquery|crypt|gen_salt|uuid_generate_v[0-9])\s*\(/gi,
+    level: "high",
+    description: "public.* schema-qualified extension function/type detected \u2014 extension objects live in extensions schema, not public",
+    mitigation: "Use unqualified name (e.g., st_x(geom)) or extensions-qualified (e.g., extensions.st_x(geom)). See known-limitations #15",
+    reasonCode: "HIGH_RISK_WRONG_EXTENSION_SCHEMA",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(
+      `\\bDROP\\s+TABLE\\s+(?:IF\\s+(?:NOT\\s+)?EXISTS\\s+)?(?:ONLY\\s+)?${QUALIFIED_IDENTIFIER}(?:\\s*,\\s*(?:ONLY\\s+)?${QUALIFIED_IDENTIFIER})*`,
+      "gi"
+    ),
+    level: "high",
+    description: "DROP TABLE detected - potential data loss",
+    mitigation: "Use _deprecated_ prefix instead of dropping",
+    reasonCode: "HIGH_RISK_DROP_TABLE",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(
+      `\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+DROP\\s+COLUMN\\s+(?:IF\\s+EXISTS\\s+)?${SQL_IDENTIFIER}`,
+      "gi"
+    ),
+    level: "high",
+    description: "DROP COLUMN detected - potential data loss",
+    mitigation: "Rename to _deprecated_ prefix instead",
+    reasonCode: "HIGH_RISK_DROP_COLUMN",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(
+      `\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+ALTER\\s+COLUMN\\s+(?:IF\\s+EXISTS\\s+)?${SQL_IDENTIFIER}\\s+SET\\s+NOT\\s+NULL`,
+      "gi"
+    ),
+    level: "high",
+    description: "Adding NOT NULL constraint may fail if existing data has nulls",
+    mitigation: "Ensure all existing rows have non-null values first",
+    reasonCode: "HIGH_RISK_SET_NOT_NULL",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(
+      `\\bTRUNCATE\\s+(?:TABLE\\s+)?(?:ONLY\\s+)?${QUALIFIED_IDENTIFIER}(?:\\s*,\\s*${QUALIFIED_IDENTIFIER})*`,
+      "gi"
+    ),
+    level: "high",
+    description: "TRUNCATE detected - all data will be deleted",
+    mitigation: "Use DELETE with WHERE clause for selective deletion",
+    reasonCode: "HIGH_RISK_TRUNCATE",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(
+      `\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+ADD\\s+CONSTRAINT\\s+${SQL_IDENTIFIER}\\s+UNIQUE`,
+      "gi"
+    ),
+    level: "medium",
+    description: "Adding UNIQUE constraint may fail if existing data has duplicates",
+    mitigation: "Check for duplicate values before adding constraint",
+    reasonCode: "MEDIUM_RISK_ADD_UNIQUE",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(
+      `\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+ALTER\\s+COLUMN\\s+${SQL_IDENTIFIER}\\s+(?:SET\\s+DATA\\s+)?TYPE`,
+      "gi"
+    ),
+    level: "medium",
+    description: "Changing column type may cause data loss or conversion errors",
+    mitigation: "Verify data compatibility before type change",
+    reasonCode: "MEDIUM_RISK_ALTER_COLUMN_TYPE",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(`\\bALTER\\s+TYPE\\s+${QUALIFIED_IDENTIFIER}`, "gi"),
+    level: "medium",
+    description: "Altering enum/composite type may affect existing data",
+    mitigation: "Check all usages of this type before modification",
+    reasonCode: "MEDIUM_RISK_ALTER_TYPE",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(
+      `\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+DISABLE\\s+ROW\\s+LEVEL\\s+SECURITY`,
+      "gi"
+    ),
+    level: "high",
+    description: "DISABLE ROW LEVEL SECURITY removes all RLS protection",
+    mitigation: "Verify this is intentional. RLS bypass exposes all rows to all roles.",
+    reasonCode: "HIGH_RISK_DISABLE_RLS",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(`\\bDROP\\s+POLICY\\s+(?:IF\\s+EXISTS\\s+)?${SQL_IDENTIFIER}\\s+ON`, "gi"),
+    level: "high",
+    description: "DROP POLICY removes access control rules",
+    mitigation: "Ensure replacement policy exists. Dropping without replacement may block or expose access.",
+    reasonCode: "HIGH_RISK_DROP_POLICY",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(`\\bDROP\\s+SCHEMA\\s+(?:IF\\s+EXISTS\\s+)?${SQL_IDENTIFIER}`, "gi"),
+    level: "high",
+    description: "DROP SCHEMA removes entire schema and all contained objects",
+    mitigation: "Verify all tables in this schema are backed up or migrated first.",
+    reasonCode: "HIGH_RISK_DROP_SCHEMA",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(
+      `\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+RENAME\\s+(?:COLUMN\\s+)?${SQL_IDENTIFIER}`,
+      "gi"
+    ),
+    level: "medium",
+    description: "RENAME TABLE/COLUMN may break application queries and foreign key references",
+    mitigation: "Update all application code referencing the old name. Consider add-then-migrate-then-drop instead.",
+    reasonCode: "MEDIUM_RISK_RENAME",
+    confidence: "medium"
+  },
+  {
+    pattern: /\bREVOKE\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b/gi,
+    level: "medium",
+    description: "REVOKE may break application access if privileges are required",
+    mitigation: "Verify the role being revoked is no longer needed for application operations.",
+    reasonCode: "MEDIUM_RISK_REVOKE",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(
+      `\\bCREATE\\s+(?:UNIQUE\\s+)?INDEX\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?(?!CONCURRENTLY)${SQL_IDENTIFIER}\\s+ON`,
+      "gi"
+    ),
+    level: "low",
+    description: "Creating index without CONCURRENTLY may lock table",
+    mitigation: "Consider CREATE INDEX CONCURRENTLY for large tables",
+    reasonCode: "LOW_RISK_INDEX_NO_CONCURRENTLY",
+    confidence: "low"
+  },
+  // --- Gap 6: Additional DROP patterns ---
+  {
+    pattern: new RegExp(
+      `\\bDROP\\s+FUNCTION\\s+(?:IF\\s+EXISTS\\s+)?${QUALIFIED_IDENTIFIER}`,
+      "gi"
+    ),
+    level: "medium",
+    description: "DROP FUNCTION detected - may break dependent views, triggers, or policies",
+    mitigation: "Use CREATE OR REPLACE FUNCTION when possible. Verify no dependencies.",
+    reasonCode: "MEDIUM_RISK_DROP_FUNCTION",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(`\\bDROP\\s+TRIGGER\\s+(?:IF\\s+EXISTS\\s+)?${SQL_IDENTIFIER}\\s+ON`, "gi"),
+    level: "medium",
+    description: "DROP TRIGGER detected - may disable audit trails or business rules",
+    mitigation: "Verify the trigger is being replaced or is no longer needed.",
+    reasonCode: "MEDIUM_RISK_DROP_TRIGGER",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(
+      `\\bDROP\\s+(?:MATERIALIZED\\s+)?VIEW\\s+(?:IF\\s+EXISTS\\s+)?${QUALIFIED_IDENTIFIER}`,
+      "gi"
+    ),
+    level: "medium",
+    description: "DROP VIEW detected - may break dependent queries or applications",
+    mitigation: "Use CREATE OR REPLACE VIEW when possible. Check for dependencies.",
+    reasonCode: "MEDIUM_RISK_DROP_VIEW",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(
+      `\\bDROP\\s+SEQUENCE\\s+(?:IF\\s+EXISTS\\s+)?${QUALIFIED_IDENTIFIER}`,
+      "gi"
+    ),
+    level: "medium",
+    description: "DROP SEQUENCE detected - may break tables using this sequence for defaults",
+    mitigation: "Verify no tables reference this sequence before dropping.",
+    reasonCode: "MEDIUM_RISK_DROP_SEQUENCE",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(`\\bDROP\\s+EXTENSION\\s+(?:IF\\s+EXISTS\\s+)?${SQL_IDENTIFIER}`, "gi"),
+    level: "high",
+    description: "DROP EXTENSION detected \u2014 CASCADE removes all dependent functions, types, operators, and indexes",
+    mitigation: "Verify no tables or functions depend on this extension. DROP EXTENSION postgis CASCADE destroys all geometry columns.",
+    reasonCode: "HIGH_RISK_DROP_EXTENSION",
+    confidence: "high"
+  },
+  {
+    pattern: /\b(?:REASSIGN|DROP)\s+OWNED\s+BY\b/gi,
+    level: "high",
+    description: "REASSIGN/DROP OWNED BY detected - mass ownership change or object deletion",
+    mitigation: "This affects ALL objects owned by the role. Review carefully.",
+    reasonCode: "HIGH_RISK_REASSIGN_DROP_OWNED",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(`\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+DISABLE\\s+TRIGGER`, "gi"),
+    level: "high",
+    description: "DISABLE TRIGGER detected - may bypass audit trails and business rules",
+    mitigation: "This disables triggers which may enforce critical business logic. Verify intent.",
+    reasonCode: "HIGH_RISK_DISABLE_TRIGGER",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(`\\bALTER\\s+TABLE\\s+${QUALIFIED_IDENTIFIER}\\s+SET\\s+UNLOGGED`, "gi"),
+    level: "medium",
+    description: "SET UNLOGGED detected - data will not survive crash recovery",
+    mitigation: "UNLOGGED tables are not WAL-logged. Data is lost on crash. Use only for ephemeral data.",
+    reasonCode: "MEDIUM_RISK_SET_UNLOGGED",
+    confidence: "medium"
+  },
+  {
+    pattern: new RegExp(
+      `\\bDROP\\s+INDEX\\s+(?:IF\\s+EXISTS\\s+)?(?:CONCURRENTLY\\s+)?${QUALIFIED_IDENTIFIER}`,
+      "gi"
+    ),
+    level: "medium",
+    description: "DROP INDEX detected - may degrade query performance",
+    mitigation: "Verify the index is no longer needed for query performance.",
+    reasonCode: "MEDIUM_RISK_DROP_INDEX",
+    confidence: "medium"
+  },
+  // --- ENUM type detection (pg-schema-diff cannot manage ENUM value changes) ---
+  {
+    pattern: new RegExp(`\\bCREATE\\s+TYPE\\s+${QUALIFIED_IDENTIFIER}\\s+AS\\s+ENUM\\b`, "gi"),
+    level: "high",
+    description: "CREATE TYPE AS ENUM detected \u2014 pg-schema-diff cannot manage ENUM value changes",
+    mitigation: "Use TEXT column with CHECK constraint instead. See database-pg-schema-diff.md",
+    reasonCode: "HIGH_RISK_ENUM_TYPE",
+    confidence: "high"
+  },
+  // --- Cloud-incompatible SQL (managed PostgreSQL restrictions) ---
+  {
+    pattern: new RegExp(`\\bCREATE\\s+DATABASE\\s+${SQL_IDENTIFIER}`, "gi"),
+    level: "high",
+    description: "CREATE DATABASE detected \u2014 not available on managed PostgreSQL (Supabase)",
+    mitigation: "Use Supabase dashboard or API for database creation.",
+    reasonCode: "HIGH_RISK_CREATE_DATABASE",
+    confidence: "high"
+  },
+  {
+    pattern: /\bALTER\s+SYSTEM\s+(?:SET|RESET)\b/gi,
+    level: "high",
+    description: "ALTER SYSTEM detected \u2014 requires superuser, not available on managed PostgreSQL",
+    mitigation: "Use Supabase dashboard for server configuration changes.",
+    reasonCode: "HIGH_RISK_ALTER_SYSTEM",
+    confidence: "high"
+  },
+  {
+    pattern: new RegExp(`\\b(?:CREATE|ALTER|DROP)\\s+TABLESPACE\\s+${SQL_IDENTIFIER}`, "gi"),
+    level: "medium",
+    description: "TABLESPACE operation detected \u2014 not available on managed PostgreSQL",
+    mitigation: "Remove tablespace references. Managed databases handle storage allocation.",
+    reasonCode: "MEDIUM_RISK_TABLESPACE",
+    confidence: "medium"
+  },
+  {
+    pattern: /\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:TRUSTED\s+)?(?:PROCEDURAL\s+)?LANGUAGE\b/gi,
+    level: "medium",
+    description: "CREATE LANGUAGE detected \u2014 requires superuser on managed PostgreSQL",
+    mitigation: "Use CREATE EXTENSION instead (e.g., CREATE EXTENSION plpython3u).",
+    reasonCode: "MEDIUM_RISK_CREATE_LANGUAGE",
+    confidence: "medium"
+  },
+  // --- Gap 7: auth.role() detection ---
+  {
+    pattern: /\bauth\.role\s*\(\s*\)/gi,
+    level: "high",
+    description: "Direct auth.role() usage violates Supabase Auth Schema Independence",
+    mitigation: "Use a runa_auth_* wrapper function instead. See database.md#Supabase-Auth-Schema-Independence",
+    reasonCode: "HIGH_RISK_AUTH_ROLE",
+    confidence: "high"
+  },
+  // --- Auth table reference detection (FROM/JOIN auth.*) ---
+  {
+    pattern: new RegExp(`\\b(?:FROM|JOIN)\\s+auth\\.${SQL_IDENTIFIER}`, "gi"),
+    level: "high",
+    description: "Direct auth.* table reference detected \u2014 violates Supabase Auth Schema Independence",
+    mitigation: "Do not query auth schema tables directly. Use your own user/profile tables instead. See database.md#Supabase-Auth-Schema-Independence",
+    reasonCode: "HIGH_RISK_AUTH_TABLE_REFERENCE",
+    confidence: "high"
+  },
+  // --- SECURITY DEFINER detection (RLS bypass risk) ---
+  {
+    pattern: /\bSECURITY\s+DEFINER\b/gi,
+    level: "high",
+    description: "SECURITY DEFINER detected \u2014 function executes with owner privileges, bypassing caller RLS",
+    mitigation: "Use SECURITY INVOKER (default) unless owner-privilege execution is explicitly required. Review function body for RLS bypass.",
+    reasonCode: "HIGH_RISK_SECURITY_DEFINER",
+    confidence: "high"
+  },
+  // --- GRANT ALL mass privilege detection ---
+  {
+    pattern: /\bGRANT\s+ALL\s+(?:PRIVILEGES\s+)?ON\s+ALL\s+(?:TABLES|FUNCTIONS|SEQUENCES)\b/gi,
+    level: "medium",
+    description: "GRANT ALL ON ALL detected \u2014 mass privilege grant affects all current objects in schema",
+    mitigation: "Prefer granular GRANT on specific tables/functions. Mass grants may expose unintended objects.",
+    reasonCode: "MEDIUM_RISK_GRANT_ALL",
+    confidence: "medium"
+  }
+];
+
+// src/validators/risk-detector-text-utils.ts
+init_esm_shims();
+var RE_DOLLAR_TAG = /\$([a-zA-Z_][a-zA-Z0-9_]*)?\$/y;
+var RE_WRAPPER_FUNCTION = new RegExp(
+  `CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+(${QUALIFIED_IDENTIFIER})\\s*\\([\\s\\S]*?\\)\\s+[\\s\\S]*?\\s+AS\\s*(\\$\\$|\\$[a-zA-Z_][a-zA-Z0-9_]*\\$)`,
+  "gi"
+);
+function stripSqlCommentsPreserveLines(content) {
+  const lineMasked = content.replace(/--[^\n]*/g, (match) => " ".repeat(match.length));
+  return lineMasked.replace(/\/\*[\s\S]*?\*\//g, (match) => match.replace(/[^\n]/g, " "));
+}
+function asMaskedChar(char) {
+  return char === "\n" ? "\n" : " ";
+}
+function consumeSingleQuotedString(content, state) {
+  if (!state.inSingleQuote) return false;
+  const char = content[state.i];
+  const next = content[state.i + 1];
+  if (char === "'" && next === "'") {
+    state.result += "  ";
+    state.i += 2;
+    return true;
+  }
+  if (char === "'") {
+    state.inSingleQuote = false;
+  }
+  state.result += asMaskedChar(char);
+  state.i += 1;
+  return true;
+}
+function consumeDoubleQuotedIdentifier(content, state) {
+  if (!state.inDoubleQuote) return false;
+  const char = content[state.i];
+  const next = content[state.i + 1];
+  if (char === '"' && next === '"') {
+    state.result += '""';
+    state.i += 2;
+    return true;
+  }
+  if (char === '"') {
+    state.inDoubleQuote = false;
+  }
+  state.result += char ?? "";
+  state.i += 1;
+  return true;
+}
+function consumeDollarQuotedString(content, state) {
+  if (!state.inDollarQuote) return false;
+  const closingTag = `$${state.dollarTag}$`;
+  if (content.startsWith(closingTag, state.i)) {
+    state.inDollarQuote = false;
+    state.dollarTag = "";
+    state.result += " ".repeat(closingTag.length);
+    state.i += closingTag.length;
+    return true;
+  }
+  state.result += asMaskedChar(content[state.i]);
+  state.i += 1;
+  return true;
+}
+function tryStartSingleQuotedString(content, state) {
+  if (content[state.i] !== "'") return false;
+  state.inSingleQuote = true;
+  state.result += asMaskedChar(content[state.i]);
+  state.i += 1;
+  return true;
+}
+function tryStartDoubleQuotedIdentifier(content, state) {
+  if (content[state.i] !== '"') return false;
+  state.inDoubleQuote = true;
+  state.result += content[state.i] ?? "";
+  state.i += 1;
+  return true;
+}
+function tryStartDollarQuotedString(content, state) {
+  if (content[state.i] !== "$") return false;
+  RE_DOLLAR_TAG.lastIndex = state.i;
+  const match = RE_DOLLAR_TAG.exec(content);
+  if (!match) return false;
+  state.inDollarQuote = true;
+  state.dollarTag = match[1] ?? "";
+  state.result += " ".repeat(match[0].length);
+  state.i += match[0].length;
+  return true;
+}
+function stripSqlStringsPreserveLines(content) {
+  const state = {
+    result: "",
+    i: 0,
+    inSingleQuote: false,
+    inDoubleQuote: false,
+    inDollarQuote: false,
+    dollarTag: ""
+  };
+  while (state.i < content.length) {
+    if (consumeSingleQuotedString(content, state)) continue;
+    if (consumeDoubleQuotedIdentifier(content, state)) continue;
+    if (consumeDollarQuotedString(content, state)) continue;
+    if (tryStartSingleQuotedString(content, state)) continue;
+    if (tryStartDoubleQuotedIdentifier(content, state)) continue;
+    if (tryStartDollarQuotedString(content, state)) continue;
+    state.result += content[state.i] ?? "";
+    state.i += 1;
+  }
+  return state.result;
+}
+function normalizeSqlIdentifier(identifier) {
+  const trimmed = identifier.trim();
+  if (trimmed.startsWith('"') && trimmed.endsWith('"')) {
+    return trimmed.slice(1, -1).replace(/""/g, '"');
+  }
+  return trimmed;
+}
+function maskWrapperFunctions(content) {
+  RE_WRAPPER_FUNCTION.lastIndex = 0;
+  let lastIndex = 0;
+  let output = "";
+  for (const match of content.matchAll(RE_WRAPPER_FUNCTION)) {
+    const matchStart = match.index ?? 0;
+    const functionName = normalizeSqlIdentifier((match[1] ?? "").split(".").pop() ?? "");
+    if (!RUNA_AUTH_FUNCTION_NAME.test(functionName)) {
+      continue;
+    }
+    const tag = String(match[2]);
+    const tagStart = matchStart + match[0].lastIndexOf(tag);
+    const bodyStart = tagStart + tag.length;
+    const tagEnd = content.indexOf(tag, bodyStart);
+    if (tagEnd === -1) {
+      continue;
+    }
+    output += content.slice(lastIndex, matchStart);
+    output += " ".repeat(tagEnd + tag.length - matchStart);
+    lastIndex = tagEnd + tag.length;
+  }
+  if (!output) return content;
+  return output + content.slice(lastIndex);
+}
+function buildLineStarts(content) {
+  const lineStarts = [0];
+  for (let i = 0; i < content.length; i += 1) {
+    if (content[i] === "\n") {
+      lineStarts.push(i + 1);
+    }
+  }
+  return lineStarts;
+}
+function lineNumberFromIndex(content, index, lineStarts = []) {
+  const clampedIndex = Math.max(0, Math.min(index, Math.max(0, content.length - 1)));
+  if (!lineStarts.length) {
+    return content.substring(0, clampedIndex + 1).split("\n").length;
+  }
+  let low = 0;
+  let high = lineStarts.length - 1;
+  let line = 0;
+  while (low <= high) {
+    const mid = Math.floor((low + high) / 2);
+    if (lineStarts[mid] <= clampedIndex) {
+      line = mid;
+      low = mid + 1;
+    } else {
+      high = mid - 1;
+    }
+  }
+  return line + 1;
+}
+
+// src/validators/risk-detector-content-risks.ts
+init_esm_shims();
+function stripSqlForPatternMatching(content) {
+  return content.replace(/--[^\n]*/g, (match) => " ".repeat(match.length)).replace(/\/\*[\s\S]*?\*\//g, (match) => match.replace(/[^\n]/g, " "));
+}
+function detectRisksFromContent(normalizedContent, originalContent, lineStarts) {
+  const risks = [];
+  const seenDescriptions = /* @__PURE__ */ new Set();
+  for (const riskPattern of RISK_PATTERNS) {
+    riskPattern.pattern.lastIndex = 0;
+    let match = riskPattern.pattern.exec(normalizedContent);
+    while (match !== null) {
+      const key = `${riskPattern.description}:${match[0]}`;
+      if (!seenDescriptions.has(key)) {
+        seenDescriptions.add(key);
+        risks.push({
+          level: riskPattern.level,
+          description: riskPattern.description,
+          mitigation: riskPattern.mitigation,
+          reasonCode: riskPattern.reasonCode,
+          confidence: riskPattern.confidence,
+          evidence: {
+            source: "pattern-match",
+            snippet: match[0],
+            detail: `Matched pattern ${riskPattern.pattern.toString()}`
+          },
+          line: lineNumberFromIndex(originalContent, match.index ?? 0, lineStarts)
+        });
+      }
+      match = riskPattern.pattern.exec(normalizedContent);
+    }
+  }
+  return risks;
+}
+
+export { QUALIFIED_IDENTIFIER, buildLineStarts, detectRisksFromContent, lineNumberFromIndex, maskWrapperFunctions, stripSqlCommentsPreserveLines, stripSqlForPatternMatching, stripSqlStringsPreserveLines };

package/dist/chunk-3WDV32GA.js

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { existsSync, readFileSync } from 'fs';
+import path from 'path';
+
+createRequire(import.meta.url);
+
+// src/commands/utils/repo-root.ts
+init_esm_shims();
+function findRepoRoot(startDir) {
+  let current = startDir;
+  while (current !== path.dirname(current)) {
+    if (existsSync(path.join(current, "turbo.json"))) {
+      return current;
+    }
+    const pkgPath = path.join(current, "package.json");
+    if (existsSync(pkgPath)) {
+      try {
+        const rawPackage = readFileSync(pkgPath, "utf-8");
+        const pkg = JSON.parse(rawPackage);
+        if (pkg.workspaces) {
+          return current;
+        }
+      } catch (error) {
+      }
+    }
+    current = path.dirname(current);
+  }
+  return startDir;
+}
+
+export { findRepoRoot };

package/dist/chunk-5FT3F36G.js

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+
+createRequire(import.meta.url);
+
+// src/commands/utils/machine-state-logging.ts
+init_esm_shims();
+function createMachineStateChangeLogger(options) {
+  const {
+    getState,
+    getContext,
+    handlers,
+    useParentState = false,
+    shouldSkipState,
+    onUnknownState,
+    handlerArgumentOrder = "logger-first"
+  } = options;
+  function resolveHandler(state) {
+    const exact = handlers[state];
+    if (exact) return exact;
+    if (!useParentState) return void 0;
+    const parent = state.includes(".") ? state.split(".")[0] : void 0;
+    return parent ? handlers[parent] : void 0;
+  }
+  function invokeHandler(handler, context, logger, extra) {
+    if (handlerArgumentOrder === "context-first") {
+      handler(
+        context,
+        logger,
+        extra
+      );
+      return;
+    }
+    handler(
+      logger,
+      context,
+      extra
+    );
+  }
+  return (snapshot, prevState, logger, extra) => {
+    const state = getState(snapshot);
+    if (state === prevState) {
+      return;
+    }
+    const context = getContext(snapshot);
+    if (shouldSkipState?.(state, prevState, context, extra)) {
+      return;
+    }
+    const handler = resolveHandler(state);
+    if (handler) {
+      invokeHandler(handler, context, logger, extra);
+      return;
+    }
+    onUnknownState?.(state, logger, context, extra, prevState);
+  };
+}
+
+export { createMachineStateChangeLogger };