@runa-ai/runa-cli 0.7.0 → 0.7.2

package/dist/commands/db/apply/helpers/pg-schema-diff-helpers.d.ts

@@ -8,15 +8,11 @@
  * - hazard-handler.ts: Hazard parsing, display, and production protection
  * - pg-schema-diff-helpers.ts (this file): Binary verification, plan execution, error detection
  *
- * Re-exports are provided for backward compatibility.
- *
  * Security:
  * - All psql calls use parsePostgresUrl + buildPsqlArgs to prevent SQL injection
  * - Passwords are passed via PGPASSWORD env var, not command line
  */
-export type { IdempotentProtectedObjects, ParsedHazard, } from './idempotent-object-registry.js';
-export { filterFalsePositiveHazards, getIdempotentProtectedObjects, getIdempotentProtectedTables, getIdempotentRoles, isIdempotentRoleHazard, resetIdempotentRolesCache, } from './idempotent-object-registry.js';
-export { buildAllowedHazards, displayCheckModeResults, displayHazardsWithContext, handleHazardsWithContext, handleProductionAuthzProtection, handleProductionDataProtection, parseHazardsWithContext, } from './hazard-handler.js';
+import { type ChildProcess } from 'node:child_process';
 /**
  * Verify pg-schema-diff binary is available.
  */
@@ -28,10 +24,14 @@ export interface VerifyPgSchemaDiffBinaryOptions {
  * strictVersion=true blocks unsupported/undetectable versions.
  */
 export declare function verifyPgSchemaDiffBinary(options?: VerifyPgSchemaDiffBinaryOptions): void;
+export interface VerifyDatabaseConnectionOptions {
+    /** Override the maximum number of retries (default: 5). */
+    maxRetries?: number;
+}
 /**
  * Verify database connection with retry for transient startup errors.
  */
-export declare function verifyDatabaseConnection(dbUrl: string): Promise<void>;
+export declare function verifyDatabaseConnection(dbUrl: string, options?: VerifyDatabaseConnectionOptions): Promise<void>;
 export interface MissingExtensionDetection {
     detected: boolean;
     missingTypes: string[];
@@ -58,21 +58,84 @@ export declare function detectPartitionPrivilegeError(errorOutput: string): Part
  * Format actionable hint for partition privilege errors.
  */
 export declare function formatPartitionPrivilegeHint(detection: PartitionPrivilegeDetection): string;
+export interface MissingQualifiedFunctionDetection {
+    detected: boolean;
+    qualifiedName?: string;
+    signature?: string;
+}
+/**
+ * Detect schema-qualified "function does not exist" errors in pg-schema-diff output.
+ */
+export declare function detectMissingQualifiedFunction(errorOutput: string): MissingQualifiedFunctionDetection;
+export declare function formatDeclarativeDependencyBoundaryHint(errorOutput: string, schemasDir: string, targetDir?: string): string;
 /**
  * Detect DROP TABLE statements in plan output.
  */
 export declare function detectDropTableStatements(planOutput: string): string[];
+/**
+ * Free idle connection slots before pg-schema-diff plan execution.
+ *
+ * pg-schema-diff Go binary opens many internal connections during plan phase
+ * (schema comparison, check constraints, function dependencies).
+ * On Supabase (max_connections=60), built-in services (PostgREST, GoTrue,
+ * Realtime, Storage) hold ~8-15 idle connections, leaving insufficient
+ * slots for pg-schema-diff.
+ *
+ * This function terminates idle client backend connections to free slots.
+ * Non-fatal: failures are logged as warnings.
+ */
+export declare function freeConnectionSlotsForPgSchemaDiff(dbUrl: string, verbose: boolean): void;
+/**
+ * Build SQL that only terminates stale idle client backends.
+ *
+ * pg-schema-diff itself may keep short-lived idle pooled connections during
+ * planning. Killing all idle backends risks terminating the planner's own pool
+ * and causes `57P01 terminating connection due to administrator command`.
+ *
+ * We target only connections that have remained idle for a while, which matches
+ * long-lived Supabase service sessions but avoids fresh planner-owned idles.
+ */
+export declare function buildIdleConnectionCleanupSql(): string;
+/**
+ * Start a background psql process that continuously frees idle connections.
+ *
+ * Supabase built-in services (PostgREST, GoTrue, Realtime, Storage) reconnect
+ * within milliseconds after termination. A single one-shot cleanup is insufficient
+ * because pg-schema-diff plan takes ~20-30s and reaches peak connection usage
+ * during fetchDependsOnFunctions, long after the initial cleanup.
+ *
+ * This daemon runs a PL/pgSQL loop via `spawn` (non-blocking). Since `spawnSync`
+ * for pg-schema-diff blocks the Node.js thread, the daemon continues as an
+ * independent OS process.
+ *
+ * @returns ChildProcess handle; caller MUST call `.kill()` after pg-schema-diff completes.
+ */
+export declare function startConnectionCleanupDaemon(dbUrl: string, verbose: boolean): ChildProcess | null;
+/**
+ * Stop the connection cleanup daemon.
+ */
+export declare function stopConnectionCleanupDaemon(child: ChildProcess | null, verbose: boolean): void;
 export interface PgSchemaDiffPlanOptions {
     /**
      * Shadow DB DSN for extension type resolution.
      * Passed as --temp-db-dsn to pg-schema-diff.
      */
     tempDbDsn?: string;
+    /**
+     * Project root for boundary-aware diagnostics when schemasDir is a temporary bundle.
+     */
+    targetDir?: string;
 }
 /** Timeout for pg-schema-diff apply / SSOT cleanup (10 minutes) */
 export declare const PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS = 600000;
 /**
  * Execute pg-schema-diff plan and handle errors.
+ *
+ * Starts a background connection cleanup daemon for the duration of the plan
+ * to prevent connection slot exhaustion on Supabase (max_connections=60).
+ *
+ * Retries on transient connection failures (SQLSTATE 57P01, TCP reset, etc.)
+ * which can occur when Supabase terminates idle connections during plan generation.
  */
 export declare function executePgSchemaDiffPlan(dbUrl: string, schemasDir: string, includeSchemas: string[], verbose: boolean, options?: PgSchemaDiffPlanOptions): {
     planOutput: string;

package/dist/commands/db/apply/helpers/plan-ast.d.ts

@@ -0,0 +1,56 @@
+import type { PlanStatement, ValidatedPlan } from './plan-validator.js';
+export type PlanObjectKind = 'schema' | 'relation' | 'function' | 'function-privilege' | 'type' | 'other';
+export interface AnalyzedPlanStatement {
+    statement: PlanStatement;
+    strippedSql: string;
+    objectKind: PlanObjectKind;
+    targetKey: string | null;
+    targetRelationKey: string | null;
+    targetFunctionKey: string | null;
+    phase: number;
+    createsRelation: boolean;
+    relationDependencies: string[];
+    functionDependencies: string[];
+    hasDynamicSql: boolean;
+    normalizedDefinition?: string;
+    normalizedConfig?: string;
+}
+export interface AnalyzedPlan {
+    plan: ValidatedPlan;
+    statements: AnalyzedPlanStatement[];
+    createdRelations: Set<string>;
+}
+interface CachedSqlDependencies {
+    relationDependencies: string[];
+    functionDependencies: string[];
+}
+interface CachedPlpgsqlBodyAnalysis extends CachedSqlDependencies {
+    hasDynamicSql: boolean;
+    normalizedBody: string;
+}
+interface CachedStatementAnalysis extends Omit<AnalyzedPlanStatement, 'statement'> {
+}
+export interface PlanAnalysisSession {
+    parseSql(sql: string): Promise<{
+        stmts: Array<{
+            stmt: Record<string, unknown>;
+        }>;
+    } | null>;
+    analyzeStatement(sql: string): Promise<CachedStatementAnalysis>;
+    extractSqlDependencies(sql: string): Promise<CachedSqlDependencies>;
+    analyzePlpgsqlBody(body: string): Promise<CachedPlpgsqlBodyAnalysis>;
+}
+export declare function createPlanAnalysisSession(): PlanAnalysisSession;
+export declare function stripLeadingSetStatements(sql: string): string;
+export declare function analyzePlanStatement(statement: PlanStatement, session?: PlanAnalysisSession): Promise<AnalyzedPlanStatement>;
+export declare function analyzeValidatedPlan(plan: ValidatedPlan, session?: PlanAnalysisSession): Promise<AnalyzedPlan>;
+export declare function stabilizeAnalyzedPlanOrder(analyzedPlan: AnalyzedPlan): {
+    plan: ValidatedPlan;
+    movedStatements: number;
+};
+export declare function normalizeFunctionDefinitionAst(analyzed: Pick<AnalyzedPlanStatement, 'normalizedDefinition' | 'normalizedConfig'>, dbProconfig?: string[]): {
+    normalizedDefinition: string;
+    normalizedConfig: string;
+} | null;
+export {};
+//# sourceMappingURL=plan-ast.d.ts.map

package/dist/commands/db/apply/helpers/plan-check-filter.d.ts

@@ -0,0 +1,26 @@
+import type { IdempotentProtectedObjects } from './idempotent-object-registry.js';
+import type { PlanStatement, ValidatedPlan } from './plan-validator.js';
+export interface CheckModeFilterResult {
+    filteredPlan: ValidatedPlan;
+    removedDropStatements: PlanStatement[];
+    removedAuthzStatements: PlanStatement[];
+}
+declare function parseRolesFromAuthzStatement(sql: string): string[];
+export declare function stripLeadingSessionStatements(sql: string): string;
+type AuthzTarget = {
+    kind: 'function';
+    schema: string;
+    fullName: string;
+} | {
+    kind: 'schema' | 'sequence' | 'table';
+    schema: string;
+    fullName: string;
+} | null;
+declare function parseAuthzTarget(sql: string): AuthzTarget;
+export declare function isIdempotentManagedAuthzStatement(sql: string, schemasDir?: string): boolean;
+export declare function filterCheckModePlanStatements(plan: ValidatedPlan, protectedTables: string[], protectedObjects: IdempotentProtectedObjects, schemasDir?: string): CheckModeFilterResult;
+export declare function resetManagedAuthzCache(): void;
+export declare const _parseRolesFromAuthzStatement: typeof parseRolesFromAuthzStatement;
+export declare const _parseAuthzTarget: typeof parseAuthzTarget;
+export {};
+//# sourceMappingURL=plan-check-filter.d.ts.map

package/dist/commands/db/apply/helpers/plan-drop-protection.d.ts

@@ -0,0 +1,43 @@
+/**
+ * AI HINT: pg-schema-diff Plan DROP Protection
+ *
+ * Purpose: Filter DROP TABLE/INDEX/FUNCTION/TRIGGER/VIEW/TYPE/SEQUENCE statements
+ *          targeting idempotent-managed objects from pg-schema-diff plans.
+ *          Also blocks DROP SCHEMA for protected schemas (throws error).
+ *
+ * Extracted from plan-validator.ts for single responsibility.
+ */
+import type { IdempotentProtectedObjects } from './idempotent-object-registry.js';
+import type { PlanStatement, ValidatedPlan } from './plan-validator.js';
+export interface FilterResult {
+    filteredPlan: ValidatedPlan;
+    removedStatements: PlanStatement[];
+}
+declare function isDropStatementForProtected(sql: string, protectedTables: string[]): boolean;
+/**
+ * Check if a DROP FUNCTION/TRIGGER/VIEW/TYPE/SEQUENCE targets a protected object.
+ *
+ * For FUNCTION: matches schema.name (argument types stripped).
+ * For TRIGGER: matches schema.trigger_name via DROP TRIGGER name ON schema.table.
+ * For VIEW/TYPE/SEQUENCE: matches schema.name.
+ */
+export declare function isDropStatementForProtectedObject(sql: string, protectedObjects: IdempotentProtectedObjects): boolean;
+/**
+ * Extract unique schema names from protected table patterns.
+ * e.g., ['location_data.events', 'accounts.clients'] → ['location_data', 'accounts']
+ */
+declare function extractProtectedSchemas(protectedTables: string[]): string[];
+declare function isDropSchemaForProtected(sql: string, protectedTables: string[]): string | null;
+/**
+ * Filter out DROP TABLE/INDEX statements targeting idempotent-managed tables,
+ * and optionally DROP FUNCTION/TRIGGER/VIEW/TYPE/SEQUENCE for protected objects.
+ * BLOCKS (throws error) on DROP SCHEMA targeting protected schemas.
+ *
+ * @param protectedObjects - Optional extended protection for non-table objects.
+ *   When omitted, only DROP TABLE/INDEX are filtered (backward compatible).
+ */
+export declare function filterIdempotentProtectedStatements(plan: ValidatedPlan, protectedTables: string[], protectedObjects?: IdempotentProtectedObjects): FilterResult;
+export { isDropStatementForProtected as _isDropStatementForProtected };
+export { extractProtectedSchemas as _extractProtectedSchemas };
+export { isDropSchemaForProtected as _isDropSchemaForProtected };
+//# sourceMappingURL=plan-drop-protection.d.ts.map

package/dist/commands/db/apply/helpers/plan-ordering.d.ts

@@ -0,0 +1,6 @@
+import type { ValidatedPlan } from './plan-validator.js';
+export declare function stabilizePlanStatementOrder(plan: ValidatedPlan): Promise<{
+    plan: ValidatedPlan;
+    movedStatements: number;
+}>;
+//# sourceMappingURL=plan-ordering.d.ts.map

package/dist/commands/db/apply/helpers/plan-statement-parser.d.ts

@@ -0,0 +1,39 @@
+/**
+ * AI HINT: pg-schema-diff Plan Statement Parser
+ *
+ * Purpose: Parse pg-schema-diff plan output into structured statements.
+ * Handles two formats:
+ * 1. With `-- Statement Idx. N` markers → split into individual statements
+ * 2. Without markers → treat as single statement
+ *
+ * Extracted from plan-validator.ts for single responsibility.
+ * For Zod-validated output, use parsePlanOutput() in plan-validator.ts.
+ */
+interface ParsedHazard {
+    type: string;
+    message: string;
+}
+interface ParsedStatement {
+    index: number;
+    sql: string;
+    hazards: ParsedHazard[];
+}
+export interface ParsedPlanOutput {
+    statements: ParsedStatement[];
+    totalStatements: number;
+    rawSql: string;
+    parseConfidence?: 'high' | 'low';
+}
+export declare function stripBlockComments(line: string, inBlockComment: boolean): {
+    text: string;
+    inBlockComment: boolean;
+};
+/**
+ * Parse pg-schema-diff plan output into structured statements.
+ *
+ * Returns a raw parsed result without Zod validation.
+ * For Zod-validated output, use parsePlanOutput() from plan-validator.ts.
+ */
+export declare function parsePlanStatements(planOutput: string): ParsedPlanOutput;
+export {};
+//# sourceMappingURL=plan-statement-parser.d.ts.map

package/dist/commands/db/apply/helpers/plan-validator.d.ts

@@ -1,10 +1,12 @@
 /**
  * AI HINT: pg-schema-diff Plan Output Validator
  *
- * Purpose: Parse pg-schema-diff plan output into structured statements and
- *          validate with Zod before psql execution (safety gate).
+ * Purpose: Zod schemas for plan validation and DDL/hazard safety checks.
  *
- * Pattern: plan → Zod validation → psql execution
+ * Architecture (split into 3 modules):
+ * - plan-statement-parser.ts: Parse raw plan output into structured statements
+ * - plan-drop-protection.ts: Filter DROP statements targeting protected objects
+ * - plan-validator.ts (this file): Zod schemas, DDL validation, hazard validation
  *
  * Safety layers:
  *   1. handleHazardsWithContext() in actors.ts → blocks unapproved hazards (primary)
@@ -12,7 +14,6 @@
  *   3. Zod structural validation → ensures plan is well-formed
  */
 import { z } from 'zod';
-import type { IdempotentProtectedObjects } from './pg-schema-diff-helpers.js';
 export declare const PlanHazardSchema: z.ZodObject<{
     type: z.ZodString;
     message: z.ZodString;
@@ -45,7 +46,7 @@ export type PlanHazard = z.infer<typeof PlanHazardSchema>;
 export type PlanStatement = z.infer<typeof PlanStatementSchema>;
 export type ValidatedPlan = z.infer<typeof ValidatedPlanSchema>;
 /**
- * Parse pg-schema-diff plan output into structured statements.
+ * Parse pg-schema-diff plan output into structured, Zod-validated statements.
  *
  * Handles two formats:
  * 1. With `-- Statement Idx. N` markers → split into individual statements
@@ -54,41 +55,6 @@ export type ValidatedPlan = z.infer<typeof ValidatedPlanSchema>;
  * @throws ZodError if parsed result fails structural validation
  */
 export declare function parsePlanOutput(planOutput: string): ValidatedPlan;
-export interface FilterResult {
-    filteredPlan: ValidatedPlan;
-    removedStatements: PlanStatement[];
-}
-declare function isDropStatementForProtected(sql: string, protectedTables: string[]): boolean;
-/**
- * Check if a DROP FUNCTION/TRIGGER/VIEW/TYPE/SEQUENCE targets a protected object.
- *
- * For FUNCTION: matches schema.name (argument types stripped).
- * For TRIGGER: matches schema.trigger_name via DROP TRIGGER name ON schema.table.
- * For VIEW/TYPE/SEQUENCE: matches schema.name.
- */
-export declare function isDropStatementForProtectedObject(sql: string, protectedObjects: IdempotentProtectedObjects): boolean;
-/**
- * Extract unique schema names from protected table patterns.
- * e.g., ['location_data.events', 'accounts.clients'] → ['location_data', 'accounts']
- */
-declare function extractProtectedSchemas(protectedTables: string[]): string[];
-/**
- * Check if a SQL statement is a DROP SCHEMA targeting a protected schema.
- * Returns the schema name if protected, null otherwise.
- */
-declare function isDropSchemaForProtected(sql: string, protectedTables: string[]): string | null;
-/**
- * Filter out DROP TABLE/INDEX statements targeting idempotent-managed tables,
- * and optionally DROP FUNCTION/TRIGGER/VIEW/TYPE/SEQUENCE for protected objects.
- * BLOCKS (throws error) on DROP SCHEMA targeting protected schemas.
- *
- * @param protectedObjects - Optional extended protection for non-table objects.
- *   When omitted, only DROP TABLE/INDEX are filtered (backward compatible).
- */
-export declare function filterIdempotentProtectedStatements(plan: ValidatedPlan, protectedTables: string[], protectedObjects?: IdempotentProtectedObjects): FilterResult;
-export { isDropStatementForProtected as _isDropStatementForProtected };
-export { extractProtectedSchemas as _extractProtectedSchemas };
-export { isDropSchemaForProtected as _isDropSchemaForProtected };
 /**
  * Allowed DDL statement prefixes. Only these statement types are permitted
  * in pg-schema-diff plan output. Checked against the normalized first keyword(s)
@@ -124,4 +90,6 @@ export declare function validateStatementTypes(plan: ValidatedPlan): void;
  * @throws Error if unresolved hazards are found
  */
 export declare function validatePlanForExecution(plan: ValidatedPlan, allowedHazardTypes: string[]): void;
+export type { FilterResult } from './plan-drop-protection.js';
+export { filterIdempotentProtectedStatements, isDropStatementForProtectedObject, _isDropStatementForProtected, _extractProtectedSchemas, _isDropSchemaForProtected, } from './plan-drop-protection.js';
 //# sourceMappingURL=plan-validator.d.ts.map

package/dist/commands/db/apply/helpers/retry-logic.d.ts

@@ -4,7 +4,7 @@
  * Purpose: Retry pg-schema-diff operations on lock_timeout errors
  * Pattern: Exponential backoff with jitter (configurable max delay)
  */
-import type { IdempotentProtectedObjects } from './pg-schema-diff-helpers.js';
+import type { IdempotentProtectedObjects } from './idempotent-object-registry.js';
 export declare const MAX_RETRIES = 5;
 export declare const BASE_DELAY_MS = 1000;
 export declare const DEFAULT_MAX_DELAY_MS = 30000;
@@ -53,15 +53,6 @@ export declare function calculateBackoffDelay(attempt: number, maxDelayMs?: numb
  * because it can fire for advisory lock failures or other non-DDL lock types.
  */
 export declare function isLockTimeoutError(errorOutput: string): boolean;
-/**
- * Wrap plan SQL for execution.
- *
- * PostgreSQL DDL is transactional (except CREATE INDEX CONCURRENTLY),
- * so we wrap in BEGIN/COMMIT to prevent partial apply on failure.
- *
- * If the plan contains CREATE INDEX CONCURRENTLY, we skip the transaction
- * wrapper because CONCURRENTLY cannot run inside a transaction block.
- */
 export declare function wrapPlanSql(planSql: string): string;
 /**
  * Options for plan+psql execution with retry.

package/dist/commands/db/apply/helpers/temp-db-bootstrap.d.ts

@@ -0,0 +1,18 @@
+interface DefaultAclRow {
+    grantor: string;
+    schemaName: string;
+    objType: string;
+    grantee: string;
+    privType: string;
+    isGrantable: string;
+}
+export declare function buildTempDbBootstrapStatements(params: {
+    roleNames: string[];
+    defaultAclRows: DefaultAclRow[];
+}): string[];
+export declare function bootstrapTempDbFromSource(params: {
+    sourceDbUrl: string;
+    tempDbDsn: string;
+}): void;
+export {};
+//# sourceMappingURL=temp-db-bootstrap.d.ts.map

package/dist/commands/db/apply/helpers/temp-db-dsn.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Resolve the temp DB DSN passed to pg-schema-diff.
+ *
+ * Priority:
+ * 1. Explicit shadow DB DSN created by runa
+ * 2. External temp DB DSN from environment (for CI-local temp databases)
+ * 3. Local Supabase DB DSN fallback (for remote checks from a developer machine)
+ */
+export declare function resolvePgSchemaDiffTempDbDsn(params: {
+    shadowDbDsn?: string;
+    envTempDbDsn?: string;
+    localTempDbDsn?: string;
+}): string | undefined;
+//# sourceMappingURL=temp-db-dsn.d.ts.map

package/dist/commands/db/apply/machine.d.ts

@@ -1,35 +1,3 @@
-/**
- * AI HINT: db apply State Machine (Declarative Schema Management)
- *
- * Purpose: Orchestrate schema application to any DB (local, Branch DB, Production)
- *
- * User Journey (2-pass idempotent):
- * 1. Apply idempotent schemas (1st pass: extensions, roles - may skip dependent tables)
- * 2. Run pg-schema-diff (current DB → desired state)
- * 3. Apply idempotent schemas (2nd pass: dependent tables now succeed)
- * 4. Validate partitions (non-blocking drift detection)
- * 5. Apply seeds
- *
- * Why 2-pass idempotent?
- * - Some idempotent SQL depends on declarative tables (e.g., areas → floors)
- * - 1st pass: extensions/roles succeed, dependent tables are skipped (no error)
- * - 2nd pass: dependent tables succeed because declarative tables now exist
- *
- * Architecture:
- * - No migration files needed
- * - pg-schema-diff runs at runtime against actual DB state
- * - Same logic for all environments
- *
- * E2E Test Mapping (CLI observable behavior):
- * - idle → expect(log).toContain('Starting db apply')
- * - applyingIdempotentPre → expect(log).toContain('Applied idempotent schema')
- * - applyingPgSchemaDiff → expect(log).toContain('pg-schema-diff')
- * - applyingIdempotentPost → expect(log).toContain('Applied idempotent schema')
- * - validatingPartitions → expect(log).toContain('partition')
- * - applyingSeeds → expect(log).toContain('Applying seeds')
- * - done → expect(exitCode).toBe(0)
- * - failed → expect(exitCode).toBe(1)
- */
 import { type SnapshotFrom } from 'xstate';
 import * as actors from './actors.js';
 import type { DbApplyInput } from './contract.js';
@@ -167,6 +135,62 @@ export declare const dbApplyMachine: import("xstate").StateMachine<DbApplyContex
     schemaChangesApplied: boolean;
     hazards: string[];
     seedsApplied: boolean;
+    outcome: {
+        command: string;
+        exitMode: "success" | "timeout" | "failed" | "cancelled" | "success_with_warnings";
+        startedAt: string;
+        endedAt: string;
+        durationMs: number;
+        phases: {
+            id: string;
+            label: string;
+            status: "timeout" | "warning" | "skipped" | "failed" | "pending" | "running" | "passed" | "cancelled";
+            startedAt?: string | undefined;
+            endedAt?: string | undefined;
+            durationMs?: number | undefined;
+            timeoutMs?: number | undefined;
+            warningCount?: number | undefined;
+            error?: {
+                code: string;
+                message: string;
+                retryable: boolean;
+                statusCode?: number | undefined;
+                retryAfterMs?: number | undefined;
+                phase?: string | undefined;
+                details?: Record<string, unknown> | undefined;
+            } | undefined;
+            warnings?: {
+                code: string;
+                message: string;
+                phase: string;
+                details?: Record<string, unknown> | undefined;
+            }[] | undefined;
+            metrics?: Record<string, number> | undefined;
+        }[];
+        warnings: {
+            code: string;
+            message: string;
+            phase: string;
+            details?: Record<string, unknown> | undefined;
+        }[];
+        errors: {
+            code: string;
+            message: string;
+            retryable: boolean;
+            statusCode?: number | undefined;
+            retryAfterMs?: number | undefined;
+            phase?: string | undefined;
+            details?: Record<string, unknown> | undefined;
+        }[];
+        summary: {
+            passed: number;
+            warnings: number;
+            failed: number;
+            skipped: number;
+            timedOut: number;
+        };
+        nextActions?: string[] | undefined;
+    };
     idempotentSchemasSkipped?: number | undefined;
     rolePasswordsSet?: number | undefined;
     error?: string | undefined;

package/dist/commands/db/commands/db-apply-error.d.ts

@@ -0,0 +1,5 @@
+import { CLIError } from '@runa-ai/runa';
+type DbApplyEnvironment = 'local' | 'preview' | 'production';
+export declare function buildDbApplyCliError(errorMessage: string, environment: DbApplyEnvironment): CLIError;
+export {};
+//# sourceMappingURL=db-apply-error.d.ts.map

package/dist/commands/db/commands/db-apply.d.ts

@@ -9,7 +9,9 @@ export interface DbApplyOptions {
     allowDataLoss?: boolean;
     confirmAuthzUpdate?: boolean;
     check?: boolean;
+    strict?: boolean;
     skipDataCheck?: boolean;
+    compareOnly?: boolean;
     maxLockWaitMs?: number;
     freshDbCheckSql?: string;
 }

package/dist/commands/db/commands/db-sync/directory-placement-check.d.ts

@@ -0,0 +1,4 @@
+import type { AllowlistAwareReport, ExtensionCheckReport } from './types.js';
+export declare function collectDirectoryPlacementReport(): Promise<AllowlistAwareReport>;
+export declare function collectExtensionPlacementReport(): ExtensionCheckReport;
+//# sourceMappingURL=directory-placement-check.d.ts.map

package/dist/commands/db/commands/db-sync/error-classifier.d.ts

@@ -1,4 +1,4 @@
-import { type RunaDbEnv } from '../../utils/db-target.js';
+import type { RunaDbEnv } from '../../utils/db-target.js';
 export interface DbSyncCommandFailure {
     code: string;
     message: string;

package/dist/commands/db/commands/db-sync/plan-boundary-reconciliation.d.ts

@@ -0,0 +1,3 @@
+import type { AllowlistAwareReport } from './types.js';
+export declare function collectPlanBoundaryReconciliationReport(planSql: string | undefined): Promise<AllowlistAwareReport>;
+//# sourceMappingURL=plan-boundary-reconciliation.d.ts.map

package/dist/commands/db/commands/db-sync/precheck-helpers.d.ts

@@ -0,0 +1,18 @@
+/**
+ * AI HINT: Shared helpers for production precheck reporting
+ *
+ * Purpose: Small utility functions and constants shared across precheck modules
+ * Used by: plan-boundary-reconciliation, directory-placement-check, risk-scan-collectors, production-precheck
+ */
+import type { DeclarativeRiskAllowlistRule, DirectoryPlacementAllowlistRule } from '../../utils/boundary-policy.js';
+import type { ExtensionCheckReport } from './types.js';
+export declare const SHOW_ALLOWLIST_REPORT: boolean;
+export declare const DIRECTORY_PLACEMENT_WARNING_PREFIX = "  [misplacement] ";
+export declare function applyStrictModeToReport(report: ExtensionCheckReport, strict: boolean): ExtensionCheckReport;
+export declare function formatAllowlistReason({ label, ruleId, reason, rule, }: {
+    label: string;
+    ruleId: string;
+    reason: string;
+    rule?: DeclarativeRiskAllowlistRule | DirectoryPlacementAllowlistRule;
+}): string;
+//# sourceMappingURL=precheck-helpers.d.ts.map

package/dist/commands/db/commands/db-sync/production-precheck.d.ts

@@ -0,0 +1,15 @@
+/**
+ * AI HINT: Production apply precheck orchestration
+ *
+ * Purpose: Run full production precheck pipeline: local risk checks + plan boundary reconciliation.
+ * Collects findings, applies strict mode, logs results, and throws on blockers.
+ *
+ * Used by: db-sync.ts (maybeRunProductionApplyPrecheck)
+ */
+import { type createCLILogger } from '@runa-ai/runa';
+import type { DbApplyOutput } from '../../apply/contract.js';
+import type { RunaDbEnv } from '../../utils/db-target.js';
+import type { SyncOptions } from './types.js';
+export declare function collectProductionApplyRiskReasons(output: DbApplyOutput): string[];
+export declare function maybeRunProductionApplyPrecheck(logger: ReturnType<typeof createCLILogger>, runaEnv: RunaDbEnv, options: SyncOptions): Promise<void>;
+//# sourceMappingURL=production-precheck.d.ts.map

package/dist/commands/db/commands/db-sync/risk-scan-collectors.d.ts

@@ -0,0 +1,11 @@
+export declare function collectDeclarativeRiskReport(): Promise<{
+    blockers: string[];
+    warnings: string[];
+    allowlist: string[];
+}>;
+export declare function collectIdempotentRiskReport(): Promise<{
+    blockers: string[];
+    warnings: string[];
+    allowlist: string[];
+}>;
+//# sourceMappingURL=risk-scan-collectors.d.ts.map

package/dist/commands/db/commands/db-sync.d.ts

@@ -6,11 +6,17 @@
  * plan boundary reconciliation).
  *
  * Submodules (db-sync/):
- *   types.ts               — Shared type definitions
- *   sql-parser.ts          — SQL text parsing & embedded SQL extraction
- *   boundary-classifier.ts — DDL statement boundary classification
- *   plan-hazard-analyzer.ts— pg-schema-diff plan hazard analysis
- *   risk-reporter.ts       — Risk formatting, deduplication, display
+ *   types.ts                        — Shared type definitions
+ *   sql-parser.ts                   — SQL text parsing & embedded SQL extraction
+ *   boundary-classifier.ts          — DDL statement boundary classification
+ *   plan-hazard-analyzer.ts         — pg-schema-diff plan hazard analysis
+ *   risk-reporter.ts                — Risk formatting, deduplication, display
+ *   error-classifier.ts             — Error classification for sync failures
+ *   precheck-helpers.ts             — Shared constants and utilities for prechecks
+ *   plan-boundary-reconciliation.ts — Plan boundary analysis and reconciliation
+ *   directory-placement-check.ts    — Directory placement scanning
+ *   risk-scan-collectors.ts         — Declarative/idempotent risk scanning
+ *   production-precheck.ts          — Production precheck orchestration
  */
 import { Command } from 'commander';
 export declare const checkCommand: Command;