@runa-ai/runa-cli 0.7.0 → 0.7.2

package/dist/{risk-detector-plpgsql-HWKS4OLR.js → chunk-Y5ANTCKE.js}

@@ -1,16 +1,9 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { stripSqlCommentsPreserveLines, buildLineStarts, lineNumberFromIndex, stripSqlStringsPreserveLines, detectRisksFromContent, stripSqlForPatternMatching } from './chunk-3FDQW524.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
 
 createRequire(import.meta.url);
 
-// src/validators/risk-detector-plpgsql.ts
-init_esm_shims();
-
-// src/validators/risk-detector-plpgsql-parser.ts
-init_esm_shims();
-
 // src/validators/risk-detector-plpgsql-tokenizer.ts
 init_esm_shims();
 function skipWhitespace(content, index) {
@@ -1478,409 +1471,7 @@ function isPureLiteralValue(value) {
   return parseStaticSqlLiteral(trimmed) !== void 0 || parseDollarLiteral(trimmed) !== void 0;
 }
 
-// src/validators/risk-detector-plpgsql.ts
-var DO_STATEMENT_PATTERN = /\bDO\b/gi;
-var CREATE_OR_ALTER_FUNCTION_PATTERN = /\b(?:CREATE|ALTER)\s+(?:OR\s+REPLACE\s+)?(?:FUNCTION|PROCEDURE)\b/gi;
-function readDollarTag(content, index) {
-  const match = content.slice(index).match(/^\$([A-Za-z_][A-Za-z0-9_]*)?\$/);
-  return match ? match[0] : void 0;
-}
-function isWordChar2(char) {
-  return /[A-Za-z0-9_]/.test(char);
-}
-function isKeywordAt(content, contentIndex, keyword) {
-  const endIndex = contentIndex + keyword.length;
-  if (endIndex > content.length) return false;
-  if (content.slice(contentIndex, endIndex).toUpperCase() !== keyword) return false;
-  const before = contentIndex > 0 ? content[contentIndex - 1] : " ";
-  const after = endIndex < content.length ? content[endIndex] : " ";
-  return !isWordChar2(before) && !isWordChar2(after);
-}
-function consumeSingleQuote(content, state) {
-  if (!state.inSingleQuote) return false;
-  if (content[state.cursor] === "'" && content[state.cursor + 1] === "'") {
-    state.cursor += 2;
-    return true;
-  }
-  if (content[state.cursor] === "'") {
-    state.inSingleQuote = false;
-  }
-  state.cursor += 1;
-  return true;
-}
-function consumeDoubleQuote(content, state) {
-  if (!state.inDoubleQuote) return false;
-  if (content[state.cursor] === '"' && content[state.cursor + 1] === '"') {
-    state.cursor += 2;
-    return true;
-  }
-  if (content[state.cursor] === '"') {
-    state.inDoubleQuote = false;
-  }
-  state.cursor += 1;
-  return true;
-}
-function consumeDollarQuote(content, state) {
-  if (state.inDollarQuote === void 0) return false;
-  const close = `$${state.inDollarQuote}$`;
-  if (content.startsWith(close, state.cursor)) {
-    state.inDollarQuote = void 0;
-    state.cursor += close.length;
-    return true;
-  }
-  state.cursor += 1;
-  return true;
-}
-function consumeQuotedSpan(content, state) {
-  if (consumeSingleQuote(content, state)) return true;
-  if (consumeDoubleQuote(content, state)) return true;
-  return consumeDollarQuote(content, state);
-}
-function tryStartSingleQuote(content, state) {
-  if (content[state.cursor] !== "'") return false;
-  state.inSingleQuote = true;
-  state.cursor += 1;
-  return true;
-}
-function tryStartDoubleQuote(content, state) {
-  if (content[state.cursor] !== '"') return false;
-  state.inDoubleQuote = true;
-  state.cursor += 1;
-  return true;
-}
-function tryStartDollarQuote(content, state) {
-  const dollarTag = readDollarTag(content, state.cursor);
-  if (dollarTag === void 0) return false;
-  state.inDollarQuote = dollarTag.slice(1, -1);
-  state.cursor += dollarTag.length;
-  return true;
-}
-function tryStartQuotedSpan(content, state) {
-  if (tryStartSingleQuote(content, state)) return true;
-  if (tryStartDoubleQuote(content, state)) return true;
-  return tryStartDollarQuote(content, state);
-}
-function findKeywordFromOffset(content, start, keyword) {
-  const state = {
-    cursor: start,
-    inSingleQuote: false,
-    inDoubleQuote: false,
-    inDollarQuote: void 0
-  };
-  while (state.cursor < content.length) {
-    if (consumeQuotedSpan(content, state)) continue;
-    if (tryStartQuotedSpan(content, state)) continue;
-    if (isKeywordAt(content, state.cursor, keyword)) {
-      return state.cursor;
-    }
-    state.cursor += 1;
-  }
-  return void 0;
-}
-var MAX_DOLLAR_QUOTE_DEPTH = 50;
-function skipUntilDollarClose(content, state, openTag, depth) {
-  if (depth >= MAX_DOLLAR_QUOTE_DEPTH) return -1;
-  const nestedTag = readDollarTag(content, state.cursor);
-  if (nestedTag === void 0 || nestedTag === openTag) {
-    return state.cursor;
-  }
-  const nestedStart = state.cursor + nestedTag.length;
-  const nestedEnd = closeIndexForDollarTag(content, nestedStart, nestedTag, depth + 1);
-  if (nestedEnd === -1) return -1;
-  state.cursor = nestedEnd + nestedTag.length;
-  return state.cursor;
-}
-function closeIndexForDollarTag(content, bodyStart, openTag, depth = 0) {
-  if (depth >= MAX_DOLLAR_QUOTE_DEPTH) return -1;
-  const state = {
-    cursor: bodyStart,
-    inSingleQuote: false,
-    inDoubleQuote: false,
-    inDollarQuote: void 0
-  };
-  while (state.cursor < content.length) {
-    if (consumeQuotedSpan(content, state)) continue;
-    if (content.startsWith(openTag, state.cursor)) {
-      return state.cursor;
-    }
-    const nestedCursor = skipUntilDollarClose(content, state, openTag, depth);
-    if (nestedCursor !== state.cursor) {
-      continue;
-    }
-    if (tryStartSingleQuote(content, state)) continue;
-    if (tryStartDoubleQuote(content, state)) continue;
-    state.cursor += 1;
-  }
-  return -1;
-}
-function resolveBodyRange(content, openTagStart, statementType) {
-  const openTag = readDollarTag(content, openTagStart);
-  if (openTag === void 0) return void 0;
-  const bodyStart = openTagStart + openTag.length;
-  const bodyEnd = closeIndexForDollarTag(content, bodyStart, openTag);
-  if (bodyEnd === -1) return void 0;
-  return {
-    range: { bodyStart, bodyEnd, statementType },
-    nextScanIndex: bodyEnd + openTag.length
-  };
-}
-function skipDoLanguageClause(content, cursor) {
-  if (!isKeywordAt(content, cursor, "LANGUAGE")) {
-    return cursor;
-  }
-  const langNameStart = skipWhitespace2(content, cursor + "LANGUAGE".length);
-  const afterLangName = skipIdentifier(content, langNameStart);
-  return skipWhitespace2(content, afterLangName);
-}
-function collectDoBodyRanges(content) {
-  const ranges = [];
-  DO_STATEMENT_PATTERN.lastIndex = 0;
-  let doMatch = DO_STATEMENT_PATTERN.exec(content);
-  while (doMatch !== null) {
-    const doStart = doMatch.index;
-    if (findKeywordFromOffset(content, doStart, "DO") !== doStart) {
-      DO_STATEMENT_PATTERN.lastIndex = doStart + doMatch[0].length;
-      doMatch = DO_STATEMENT_PATTERN.exec(content);
-      continue;
-    }
-    let cursor = skipWhitespace2(content, doStart + doMatch[0].length);
-    cursor = skipDoLanguageClause(content, cursor);
-    const resolved = resolveBodyRange(content, cursor, "do");
-    if (resolved !== void 0) {
-      ranges.push(resolved.range);
-      DO_STATEMENT_PATTERN.lastIndex = resolved.nextScanIndex;
-    }
-    doMatch = DO_STATEMENT_PATTERN.exec(content);
-  }
-  DO_STATEMENT_PATTERN.lastIndex = 0;
-  return ranges;
-}
-function collectFunctionBodyRanges(content) {
-  const ranges = [];
-  CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = 0;
-  let functionMatch = CREATE_OR_ALTER_FUNCTION_PATTERN.exec(content);
-  while (functionMatch !== null) {
-    const start = functionMatch.index;
-    const asIndex = findKeywordFromOffset(content, start + functionMatch[0].length, "AS");
-    if (asIndex === void 0) {
-      CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = start + functionMatch[0].length;
-      functionMatch = CREATE_OR_ALTER_FUNCTION_PATTERN.exec(content);
-      continue;
-    }
-    const bodyStartAt = skipWhitespace2(content, asIndex + 2);
-    const resolved = resolveBodyRange(content, bodyStartAt, "function");
-    if (resolved !== void 0) {
-      ranges.push(resolved.range);
-      CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = resolved.nextScanIndex;
-    }
-    functionMatch = CREATE_OR_ALTER_FUNCTION_PATTERN.exec(content);
-  }
-  CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = 0;
-  return ranges;
-}
-function findFunctionAndDoBodies(content) {
-  return [...collectDoBodyRanges(content), ...collectFunctionBodyRanges(content)];
-}
-function enrichStaticExecuteRiskFromSql(sql, sourceLine) {
-  const staticSql2 = stripSqlForPatternMatching(sql);
-  if (!staticSql2.trim()) return [];
-  const staticSqlLineStarts = buildLineStarts(sql);
-  return detectRisksFromContent(staticSql2, sql, staticSqlLineStarts).map((risk) => ({
-    ...risk,
-    line: sourceLine,
-    evidence: {
-      source: "static execute body",
-      snippet: sql.trim().slice(0, 200),
-      detail: "Reconstructed PL/pgSQL EXECUTE expression"
-    }
-  }));
-}
-function buildDoBlockRisk(commentlessContent, range, declarationLine) {
-  const bodyPreviewStart = Math.max(0, range.bodyStart - 80);
-  const bodyPreviewEnd = range.bodyEnd + 80;
-  return {
-    level: "medium",
-    description: "DO block detected in SQL",
-    mitigation: "Prefer static declarative SQL or move bootstrap logic to idempotent script files with clear intent",
-    line: declarationLine,
-    reasonCode: "PLPGSQL_DO_BLOCK_DETECTED",
-    confidence: "medium",
-    evidence: {
-      source: "findFunctionAndDoBodies",
-      snippet: range.statementType === "do" ? commentlessContent.slice(bodyPreviewStart, bodyPreviewEnd) : void 0,
-      detail: `${range.statementType.toUpperCase()} block detected in schema SQL`
-    }
-  };
-}
-function maybeAddDoBlockRisk(risks, dedupe, commentlessContent, range, declarationLine) {
-  if (range.statementType !== "do") return;
-  const doKey = `do:${range.statementType}:${declarationLine}`;
-  if (dedupe.has(doKey)) return;
-  dedupe.add(doKey);
-  risks.push(buildDoBlockRisk(commentlessContent, range, declarationLine));
-}
-function applyStatementAssignment(statement, stringEnv) {
-  const assignment = parseTopLevelAssignment(statement.statement);
-  if (!assignment) return;
-  const resolved = extractStaticSqlFromExpression(assignment.expression, stringEnv);
-  if (resolved.kind !== "static") {
-    stringEnv.delete(assignment.target);
-    return;
-  }
-  if (assignment.isConditionalContext) {
-    mergeStringEnvValue(stringEnv, assignment.target, resolved.sql);
-    return;
-  }
-  stringEnv.set(assignment.target, resolved.sql);
-}
-function buildExecuteLine(content, lineStarts, range, statement, execute) {
-  return lineNumberFromIndex(
-    content,
-    range.bodyStart + statement.startOffset + execute.statementStartOffset,
-    lineStarts
-  );
-}
-function buildExecuteKey(range, statement, execute, executeLine) {
-  return `execute:${range.statementType}:${statement.startOffset}:${execute.statementStartOffset}:${executeLine}`;
-}
-function buildStaticExecuteRisk(execute, executeLine) {
-  return {
-    level: "medium",
-    description: "Static EXECUTE SQL detected in PL/pgSQL body",
-    mitigation: "Prefer declarative/static SQL when possible; keep this change explicit in declarative schemas",
-    line: executeLine,
-    reasonCode: "PLPGSQL_EXECUTE_STATIC",
-    confidence: "low",
-    evidence: {
-      source: "extractExecuteExpressions",
-      snippet: execute.expression.slice(0, 200),
-      detail: "Static EXECUTE SQL detected from reconstructed expression"
-    }
-  };
-}
-function pushDerivedStaticRisks(risks, dedupe, staticSql2, executeLine, hasUsingClause) {
-  const staticRisks = enrichStaticExecuteRiskFromSql(staticSql2, executeLine);
-  for (const staticRisk of staticRisks) {
-    const key = `${staticRisk.level}:${staticRisk.description}:${executeLine}`;
-    const dedupeKey = `static:${key}`;
-    if (dedupe.has(dedupeKey)) continue;
-    dedupe.add(dedupeKey);
-    risks.push({
-      ...staticRisk,
-      reasonCode: staticRisk.reasonCode ?? "PLPGSQL_EXECUTE_STATIC",
-      confidence: staticRisk.confidence ?? "low",
-      evidence: {
-        ...staticRisk.evidence,
-        source: staticRisk.evidence?.source ?? "detectRisksFromContent",
-        detail: `Static EXECUTE SQL analyzed from reconstructed expression${hasUsingClause ? " (USING clause present)" : ""}`
-      }
-    });
-  }
-}
-function maybeBuildUsingClauseRisk(execute, executeLine) {
-  if (!execute.hasUsingClause) return void 0;
-  return {
-    level: "high",
-    description: "PL/pgSQL EXECUTE uses USING bindings; values are applied at runtime and must be auditable",
-    mitigation: "Avoid runtime-bound SQL mutation in migration paths, or keep this change in idempotent with explicit review",
-    line: executeLine,
-    reasonCode: "PLPGSQL_EXECUTE_DYNAMIC_USING",
-    confidence: "high",
-    evidence: {
-      source: "extractExecuteExpressions",
-      snippet: execute.expression.slice(0, 200),
-      detail: "EXECUTE contains USING clause"
-    }
-  };
-}
-function pushBodyStaticRisks(risks, dedupe, body, bodyStartLine) {
-  const searchableBody = stripSqlStringsPreserveLines(body);
-  if (!searchableBody.trim()) return;
-  const bodyLineStarts = buildLineStarts(body);
-  const bodyRisks = detectRisksFromContent(searchableBody, body, bodyLineStarts);
-  for (const risk of bodyRisks) {
-    const line = bodyStartLine + ((risk.line ?? 1) - 1);
-    const dedupeKey = `body:${risk.reasonCode ?? risk.description}:${line}`;
-    if (dedupe.has(dedupeKey)) continue;
-    dedupe.add(dedupeKey);
-    risks.push({
-      ...risk,
-      line,
-      evidence: {
-        source: "plpgsql body",
-        snippet: body.trim().slice(0, 200),
-        detail: `Matched ${risk.reasonCode ?? "pattern"} inside PL/pgSQL body`
-      }
-    });
-  }
-}
-function buildUnresolvedExecuteRisk(execute, executeLine, reason) {
-  const clauseSuffix = execute.hasUsingClause ? " includes USING clause" : execute.hasIntoClause ? " includes INTO clause" : "";
-  return {
-    level: "high",
-    description: `UNRESOLVED_DYNAMIC_SQL in PL/PGSQL EXECUTE: ${reason}${clauseSuffix}`,
-    mitigation: "Resolve SQL construction at migration time or add manual review before production apply preview",
-    line: executeLine,
-    reasonCode: execute.hasUsingClause ? "PLPGSQL_EXECUTE_DYNAMIC_USING" : execute.hasIntoClause ? "PLPGSQL_EXECUTE_DYNAMIC_INTO" : "PLPGSQL_EXECUTE_UNRESOLVED",
-    confidence: "high",
-    evidence: {
-      source: "extractStaticSqlFromExpression",
-      snippet: execute.expression.slice(0, 200),
-      detail: `Failed to reconstruct dynamic SQL (${reason})`
-    }
-  };
-}
-function analyzeExecuteStatement(risks, dedupe, content, lineStarts, range, statement, execute, stringEnv) {
-  const executeLine = buildExecuteLine(content, lineStarts, range, statement, execute);
-  const executeKey = buildExecuteKey(range, statement, execute, executeLine);
-  if (dedupe.has(executeKey)) return;
-  dedupe.add(executeKey);
-  const extracted = extractStaticSqlFromExpression(execute.expression, stringEnv);
-  if (extracted.kind !== "static") {
-    risks.push(buildUnresolvedExecuteRisk(execute, executeLine, extracted.reason));
-    return;
-  }
-  risks.push(buildStaticExecuteRisk(execute, executeLine));
-  pushDerivedStaticRisks(risks, dedupe, extracted.sql, executeLine, execute.hasUsingClause);
-  const usingRisk = maybeBuildUsingClauseRisk(execute, executeLine);
-  if (usingRisk !== void 0) {
-    risks.push(usingRisk);
-  }
-}
-function analyzeBodyRange(risks, dedupe, content, commentlessContent, lineStarts, range) {
-  const declarationLine = lineNumberFromIndex(commentlessContent, range.bodyStart, lineStarts);
-  maybeAddDoBlockRisk(risks, dedupe, commentlessContent, range, declarationLine);
-  const body = commentlessContent.slice(range.bodyStart, range.bodyEnd);
-  pushBodyStaticRisks(risks, dedupe, body, declarationLine);
-  const stringEnv = /* @__PURE__ */ new Map();
-  for (const statement of splitPlpgsqlStatementsWithOffsets(body)) {
-    applyStatementAssignment(statement, stringEnv);
-    const executeStatements = extractExecuteExpressions(statement.statement);
-    for (const execute of executeStatements) {
-      analyzeExecuteStatement(
-        risks,
-        dedupe,
-        content,
-        lineStarts,
-        range,
-        statement,
-        execute,
-        stringEnv
-      );
-    }
-  }
-}
-function detectPlpgsqlDynamicExecutionRisks(content) {
-  const commentlessContent = stripSqlCommentsPreserveLines(content);
-  const lineStarts = buildLineStarts(commentlessContent);
-  const ranges = findFunctionAndDoBodies(commentlessContent);
-  if (ranges.length === 0) return [];
-  const risks = [];
-  const dedupe = /* @__PURE__ */ new Set();
-  for (const range of ranges) {
-    analyzeBodyRange(risks, dedupe, content, commentlessContent, lineStarts, range);
-  }
-  return risks;
-}
+// src/validators/risk-detector-plpgsql-parser.ts
+init_esm_shims();
 
-export { detectPlpgsqlDynamicExecutionRisks };
+export { extractExecuteExpressions, extractStaticSqlFromExpression, mergeStringEnvValue, parseTopLevelAssignment, skipIdentifier, skipWhitespace2 as skipWhitespace, splitPlpgsqlStatementsWithOffsets };

package/dist/{chunk-SGJG3BKD.js → chunk-Z7A4BEWF.js}

@@ -16,7 +16,7 @@ init_esm_shims();
 
 // src/constants/versions.ts
 init_esm_shims();
-var COMPATIBLE_TEMPLATES_VERSION = "0.5.71";
+var COMPATIBLE_TEMPLATES_VERSION = "0.7.2";
 var TEMPLATES_PACKAGE_NAME = "@r06-dev/runa-templates";
 var GITHUB_PACKAGES_REGISTRY = "https://npm.pkg.github.com";