@runa-ai/runa-cli 0.7.1 → 0.7.2

package/dist/observability-CJA5UFIC.js

@@ -0,0 +1,721 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
+import './chunk-WJXC4MVY.js';
+import { getOutputFormatFromEnv } from './chunk-HKUWEGUX.js';
+import { loadRunaConfig } from './chunk-5NKWR4FF.js';
+import './chunk-JMJP4A47.js';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { createObservabilityClient, ObservabilityIngestOutputSchema } from '@runa-ai/runa/observability';
+import { createCLILogger, CLIError } from '@runa-ai/runa/cli-runtime';
+import { Command } from 'commander';
+import { basename, join } from 'path';
+import { z } from 'zod';
+import { execa } from 'execa';
+import { createHash } from 'crypto';
+import { mkdirSync, writeFileSync, existsSync, readFileSync, readdirSync } from 'fs';
+
+createRequire(import.meta.url);
+
+// src/commands/observability.ts
+init_esm_shims();
+
+// src/cli/exec.ts
+init_esm_shims();
+function pipeChildToStderr(child) {
+  if (child.stdout) {
+    child.stdout.on("data", (chunk) => {
+      process.stderr.write(chunk);
+    });
+  }
+  if (child.stderr) {
+    child.stderr.on("data", (chunk) => {
+      process.stderr.write(chunk);
+    });
+  }
+}
+async function runExeca(file, args, options = {}) {
+  const isJson = getOutputFormatFromEnv() === "json";
+  const env = { DOTENVX_QUIET: "1", ...options.env };
+  if (!isJson) {
+    await execa(file, args, { ...options, env });
+    return;
+  }
+  const child = execa(file, args, {
+    ...options,
+    env,
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  pipeChildToStderr(child);
+  await child;
+}
+
+// src/commands/observability.helpers.ts
+init_esm_shims();
+var OBSERVABILITY_SECRET_SYNC_MARKER_PATH = "supabase/.temp/observability-function-secret-sync.json";
+function detectSupabaseProjectLink(targetDir) {
+  return resolveSupabaseProjectRef(targetDir) !== null;
+}
+function fileExists(targetDir, relativePath) {
+  return existsSync(join(targetDir, relativePath));
+}
+function readTextFile(targetDir, relativePath) {
+  const filePath = join(targetDir, relativePath);
+  if (!existsSync(filePath)) {
+    return null;
+  }
+  return readFileSync(filePath, "utf-8");
+}
+function readJsonFile(targetDir, relativePath) {
+  const raw = readTextFile(targetDir, relativePath);
+  if (!raw) {
+    return null;
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function resolveSupabaseProjectRef(targetDir) {
+  const fromEnv = process.env.SUPABASE_PROJECT_REF?.trim();
+  if (fromEnv) {
+    return fromEnv;
+  }
+  const candidates = [".supabase/project-ref", "supabase/.temp/project-ref"];
+  for (const candidate of candidates) {
+    const value = readTextFile(targetDir, candidate)?.trim();
+    if (value) {
+      return value;
+    }
+  }
+  return null;
+}
+function hashObservabilityFunctionSecret(secret) {
+  return createHash("sha256").update(secret).digest("hex");
+}
+function readObservabilityFunctionSecretSyncMarker(targetDir) {
+  const marker = readJsonFile(
+    targetDir,
+    OBSERVABILITY_SECRET_SYNC_MARKER_PATH
+  );
+  if (!marker || marker.version !== 1) {
+    return null;
+  }
+  if (!marker.projectRef || !marker.secretHash || !marker.syncedAt) {
+    return null;
+  }
+  return marker;
+}
+function writeObservabilityFunctionSecretSyncMarker(targetDir, input) {
+  const markerPath = join(targetDir, OBSERVABILITY_SECRET_SYNC_MARKER_PATH);
+  mkdirSync(join(targetDir, "supabase/.temp"), { recursive: true });
+  const marker = {
+    version: 1,
+    projectRef: input.projectRef,
+    secretHash: hashObservabilityFunctionSecret(input.secret),
+    syncedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  writeFileSync(markerPath, `${JSON.stringify(marker, null, 2)}
+`, "utf-8");
+}
+function collectRouteFiles(rootDir) {
+  if (!existsSync(rootDir)) {
+    return [];
+  }
+  const entries = readdirSync(rootDir, { withFileTypes: true });
+  const routeFiles = [];
+  for (const entry of entries) {
+    const absolutePath = join(rootDir, entry.name);
+    if (entry.isDirectory()) {
+      routeFiles.push(...collectRouteFiles(absolutePath));
+      continue;
+    }
+    if (entry.isFile() && entry.name === "route.ts") {
+      routeFiles.push(absolutePath);
+    }
+  }
+  return routeFiles;
+}
+function createStatusItem(name, status, message) {
+  return { name, status, message };
+}
+var BLOCKING_WARNING_CHECK_NAMES = /* @__PURE__ */ new Set([
+  "runtime-surface",
+  "route-instrumentation",
+  "function-deploy",
+  "function-secret",
+  "scope-fallback"
+]);
+function resolveObservabilityTenantMode(targetDir) {
+  try {
+    const config = loadRunaConfig(targetDir);
+    const tenantMode2 = config.observability?.tenantMode;
+    if (tenantMode2 === "single-tenant" || tenantMode2 === "multi-tenant") {
+      return tenantMode2;
+    }
+  } catch {
+  }
+  const runaConfig = readTextFile(targetDir, "runa.config.ts");
+  if (!runaConfig) {
+    return "auto";
+  }
+  const tenantModeMatch = runaConfig.match(
+    /tenantMode\s*:\s*['"](auto|single-tenant|multi-tenant)['"]/
+  );
+  const tenantMode = tenantModeMatch?.[1];
+  if (tenantMode === "single-tenant" || tenantMode === "multi-tenant") {
+    return tenantMode;
+  }
+  const directTenantModeConstantMatch = runaConfig.match(
+    /(?:const|let|var)\s+tenantMode\s*=\s*['"](auto|single-tenant|multi-tenant)['"]/
+  );
+  const directTenantModeConstant = directTenantModeConstantMatch?.[1];
+  if (directTenantModeConstant === "single-tenant" || directTenantModeConstant === "multi-tenant") {
+    return directTenantModeConstant;
+  }
+  const tenantModeReferenceMatch = runaConfig.match(/tenantMode\s*:\s*([A-Za-z_$][A-Za-z0-9_$]*)/);
+  const tenantModeReference = tenantModeReferenceMatch?.[1];
+  if (tenantModeReference) {
+    const tenantModeConstantMatch = runaConfig.match(
+      new RegExp(
+        String.raw`(?:const|let|var)\s+${tenantModeReference}\s*=\s*['"](auto|single-tenant|multi-tenant)['"]`
+      )
+    );
+    const referencedTenantMode = tenantModeConstantMatch?.[1];
+    if (referencedTenantMode === "single-tenant" || referencedTenantMode === "multi-tenant") {
+      return referencedTenantMode;
+    }
+  }
+  return "auto";
+}
+function createRuntimeStatusItem(targetDir) {
+  const appRoot = "apps/web";
+  const hasAppRoot = fileExists(targetDir, appRoot);
+  const hasIngestHelper = fileExists(targetDir, "apps/web/lib/observability/ingest.ts");
+  const hasWrappersHelper = fileExists(targetDir, "apps/web/lib/observability/wrappers.ts");
+  if (!hasAppRoot) {
+    return createStatusItem(
+      "runtime-surface",
+      "ok",
+      "Headless observability is ready; an application UI surface is optional"
+    );
+  }
+  if (hasIngestHelper && hasWrappersHelper) {
+    return createStatusItem(
+      "runtime-surface",
+      "ok",
+      "Application runtime helpers for observability are present"
+    );
+  }
+  return createStatusItem(
+    "runtime-surface",
+    "warning",
+    "apps/web is present but observability runtime helpers were not detected"
+  );
+}
+function createTenantModeStatusItem(targetDir) {
+  const tenantMode = resolveObservabilityTenantMode(targetDir);
+  if (tenantMode === "single-tenant") {
+    return createStatusItem(
+      "tenant-mode",
+      "ok",
+      "Observability tenant mode is single-tenant; project-scoped fallback is expected"
+    );
+  }
+  if (tenantMode === "multi-tenant") {
+    return createStatusItem(
+      "tenant-mode",
+      "ok",
+      "Observability tenant mode is multi-tenant; tenant-aware scope resolution is required for background jobs"
+    );
+  }
+  return createStatusItem(
+    "tenant-mode",
+    "ok",
+    "Observability tenant mode is auto; authenticated requests use user-scoped fallback and background jobs may still require a scopeResolver"
+  );
+}
+function createRouteInstrumentationStatusItem(targetDir) {
+  const appRouteRoot = join(targetDir, "apps/web/app");
+  const routeFiles = collectRouteFiles(appRouteRoot);
+  if (routeFiles.length === 0) {
+    return createStatusItem(
+      "route-instrumentation",
+      "ok",
+      "No Next.js route handlers were detected in apps/web/app"
+    );
+  }
+  const unobservedRoutes = routeFiles.filter((routeFile) => {
+    const content = readFileSync(routeFile, "utf-8");
+    return !content.includes("withObservedRoute(");
+  });
+  if (unobservedRoutes.length === 0) {
+    return createStatusItem(
+      "route-instrumentation",
+      "ok",
+      `All detected route handlers use withObservedRoute (${routeFiles.length}/${routeFiles.length})`
+    );
+  }
+  return createStatusItem(
+    "route-instrumentation",
+    "warning",
+    `${unobservedRoutes.length}/${routeFiles.length} route handler(s) are not wrapped with withObservedRoute`
+  );
+}
+function createFunctionDeployStatusItem(targetDir) {
+  if (detectSupabaseProjectLink(targetDir)) {
+    return createStatusItem(
+      "function-deploy",
+      "ok",
+      "Supabase project link was detected for observability function deployment"
+    );
+  }
+  return createStatusItem(
+    "function-deploy",
+    "warning",
+    "No Supabase project link was detected; function deploy will require SUPABASE_PROJECT_REF + SUPABASE_ACCESS_TOKEN or supabase link"
+  );
+}
+function createFunctionSecretStatusItem(targetDir) {
+  const explicitFunctionSecret = process.env.OBSERVABILITY_FUNCTION_SECRET?.trim();
+  const serviceRoleSecret = process.env.SUPABASE_SERVICE_ROLE_KEY?.trim();
+  if (serviceRoleSecret) {
+    return createStatusItem(
+      "function-secret",
+      "ok",
+      "Supabase service-role key is available in the current environment and can authorize observability functions"
+    );
+  }
+  if (explicitFunctionSecret) {
+    const projectRef = resolveSupabaseProjectRef(targetDir);
+    if (!projectRef) {
+      return createStatusItem(
+        "function-secret",
+        "ok",
+        "Observability function secret is available in the current environment"
+      );
+    }
+    const marker = readObservabilityFunctionSecretSyncMarker(targetDir);
+    const expectedHash = hashObservabilityFunctionSecret(explicitFunctionSecret);
+    if (marker && marker.projectRef === projectRef && marker.secretHash === expectedHash) {
+      return createStatusItem(
+        "function-secret",
+        "ok",
+        `Observability function secret was synced for project ${projectRef}`
+      );
+    }
+    return createStatusItem(
+      "function-secret",
+      "warning",
+      "OBSERVABILITY_FUNCTION_SECRET is present locally but remote sync is not verified; run `runa observability enable` to sync it to Supabase Functions"
+    );
+  }
+  const hasAppRoot = fileExists(targetDir, "apps/web");
+  return createStatusItem(
+    "function-secret",
+    "warning",
+    hasAppRoot ? "No observability function secret was detected in the current environment; runtime emits will fail until OBSERVABILITY_FUNCTION_SECRET or SUPABASE_SERVICE_ROLE_KEY is set" : "No observability function secret was detected in the current environment; CLI emit/dispatch will fail until OBSERVABILITY_FUNCTION_SECRET or SUPABASE_SERVICE_ROLE_KEY is set"
+  );
+}
+function createScopeStatusItem(targetDir) {
+  const publicSchema = readTextFile(targetDir, "supabase/schemas/declarative/00_public.sql");
+  const observabilitySchema = readTextFile(
+    targetDir,
+    "supabase/schemas/declarative/85_observability.sql"
+  );
+  const tenantMode = resolveObservabilityTenantMode(targetDir);
+  const hasScopeResolver = publicSchema?.includes(
+    "CREATE OR REPLACE FUNCTION public.runa_get_scope_id()"
+  );
+  const hasAuthUidResolver = publicSchema?.includes(
+    "CREATE OR REPLACE FUNCTION public.runa_auth_uid()"
+  );
+  const usesProjectGlobalFallback = observabilitySchema?.includes("'project:global'") ?? false;
+  const usesUserFallback = observabilitySchema?.includes("'user:' ||") ?? false;
+  if (tenantMode === "single-tenant") {
+    return createStatusItem(
+      "scope-fallback",
+      "ok",
+      "Single-tenant mode is declared in runa.config.ts; project-scoped observability fallback is acceptable"
+    );
+  }
+  if (!hasScopeResolver) {
+    return createStatusItem(
+      "scope-fallback",
+      tenantMode === "multi-tenant" ? "error" : "warning",
+      tenantMode === "multi-tenant" ? "Multi-tenant mode is declared but no runa_get_scope_id() helper was detected; add a scope_id claim resolver before enabling observability" : "No runa_get_scope_id() helper was detected; add a scope_id claim resolver or treat the repo as intentionally single-tenant"
+    );
+  }
+  if (hasAuthUidResolver && usesUserFallback) {
+    return createStatusItem(
+      "scope-fallback",
+      "ok",
+      "Observability falls back to user-scoped visibility when scope_id is absent"
+    );
+  }
+  if (usesProjectGlobalFallback) {
+    return createStatusItem(
+      "scope-fallback",
+      tenantMode === "multi-tenant" ? "error" : "warning",
+      tenantMode === "multi-tenant" ? "Multi-tenant mode is declared but observability still falls back to a project-global scope; add scope_id claims or a worker scopeResolver for tenant-aware jobs" : "When scope_id is absent in the JWT, observability falls back to a project-global scope; add scope_id claims or a worker scopeResolver for tenant-aware jobs"
+    );
+  }
+  return createStatusItem(
+    "scope-fallback",
+    "ok",
+    "Observability scope resolution does not rely on the project-global fallback"
+  );
+}
+function buildObservabilityChecks(targetDir) {
+  const schemaFile = "supabase/schemas/declarative/85_observability.sql";
+  const configToml = readTextFile(targetDir, "supabase/config.toml");
+  const extensionsSql = readTextFile(targetDir, "supabase/schemas/idempotent/00_extensions.sql");
+  const checks = [
+    createStatusItem(
+      "schema",
+      fileExists(targetDir, schemaFile) ? "ok" : "error",
+      fileExists(targetDir, schemaFile) ? "Observability schema file is present" : "Missing supabase/schemas/declarative/85_observability.sql"
+    ),
+    createStatusItem(
+      "config",
+      configToml?.includes('"observability"') ? "ok" : "error",
+      configToml?.includes('"observability"') ? "Supabase API exposes the observability schema" : "supabase/config.toml does not expose the observability schema"
+    ),
+    createStatusItem(
+      "extensions",
+      extensionsSql?.includes("pg_cron") ? "ok" : "warning",
+      extensionsSql?.includes("pg_cron") ? "pg_cron bootstrap is configured" : "pg_cron bootstrap was not detected in 00_extensions.sql"
+    )
+  ];
+  for (const functionName of [
+    "observability-ingest",
+    "observability-checkin",
+    "observability-dispatch"
+  ]) {
+    checks.push(
+      createStatusItem(
+        functionName,
+        fileExists(targetDir, `supabase/functions/${functionName}/index.ts`) ? "ok" : "error",
+        fileExists(targetDir, `supabase/functions/${functionName}/index.ts`) ? `${functionName} Edge Function is present` : `Missing supabase/functions/${functionName}/index.ts`
+      )
+    );
+  }
+  checks.push(createRuntimeStatusItem(targetDir));
+  checks.push(createTenantModeStatusItem(targetDir));
+  checks.push(createRouteInstrumentationStatusItem(targetDir));
+  checks.push(createFunctionDeployStatusItem(targetDir));
+  checks.push(createFunctionSecretStatusItem(targetDir));
+  checks.push(createScopeStatusItem(targetDir));
+  return checks;
+}
+function isBlockingObservabilityCheck(check) {
+  if (check.status === "error") {
+    return true;
+  }
+  return check.status === "warning" && BLOCKING_WARNING_CHECK_NAMES.has(check.name);
+}
+function getObservabilityEnableBlockingChecks(targetDir, checks) {
+  const linkedProjectDetected = detectSupabaseProjectLink(targetDir);
+  const explicitFunctionSecret = process.env.OBSERVABILITY_FUNCTION_SECRET?.trim();
+  const projectRef = resolveSupabaseProjectRef(targetDir);
+  return checks.filter((check) => {
+    if (check.name === "function-secret" && check.status === "warning" && linkedProjectDetected && explicitFunctionSecret && projectRef) {
+      return false;
+    }
+    return isBlockingObservabilityCheck(check);
+  });
+}
+function isObservabilityReady(checks) {
+  return checks.every((check) => !isBlockingObservabilityCheck(check));
+}
+
+// src/commands/observability.ts
+var logger = createCLILogger("observability");
+var ObservabilityStatusInputSchema = z.object({
+  cwd: z.string().min(1).optional()
+}).strict();
+var ObservabilityStatusItemSchema = z.object({
+  name: z.string(),
+  status: z.enum(["ok", "warning", "error"]),
+  message: z.string()
+});
+var ObservabilityStatusOutputSchema = z.object({
+  ready: z.boolean(),
+  targetDir: z.string(),
+  checks: z.array(ObservabilityStatusItemSchema)
+});
+var ObservabilityEnableInputSchema = z.object({
+  cwd: z.string().min(1).optional(),
+  check: z.boolean().optional(),
+  skipFunctionDeploy: z.boolean().optional()
+}).strict();
+var ObservabilityEnableOutputSchema = z.object({
+  targetDir: z.string(),
+  checks: z.array(ObservabilityStatusItemSchema),
+  dbSyncApplied: z.boolean(),
+  functionSecretSynced: z.boolean(),
+  functionsDeployed: z.array(z.string()),
+  skippedFunctions: z.array(z.string()),
+  linkedProjectDetected: z.boolean()
+});
+var ObservabilityEmitTestEventInputSchema = z.object({
+  baseUrl: z.string().url().optional(),
+  accessToken: z.string().min(1).optional(),
+  functionSecret: z.string().min(1).optional(),
+  scopeKey: z.string().min(1).optional(),
+  serviceName: z.string().min(1).optional(),
+  environment: z.string().min(1).optional()
+}).strict();
+var ObservabilityEmitTestEventOutputSchema = z.object({
+  eventId: z.string().uuid(),
+  issueId: z.string().uuid().nullable(),
+  resolvedScopeKey: z.string().min(1)
+});
+var ObservabilityDispatchInputSchema = z.object({
+  baseUrl: z.string().url().optional(),
+  accessToken: z.string().min(1).optional(),
+  functionSecret: z.string().min(1).optional(),
+  limit: z.coerce.number().int().positive().max(100).optional()
+}).strict();
+var ObservabilityDispatchOutputSchema = z.object({
+  processed: z.number().int().nonnegative(),
+  delivered: z.number().int().nonnegative(),
+  failed: z.number().int().nonnegative()
+});
+function resolveBaseUrl(explicitValue) {
+  return explicitValue || process.env.SUPABASE_URL || process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.LOCAL_SUPABASE_URL;
+}
+function resolveAccessToken(explicitValue) {
+  return explicitValue || process.env.SUPABASE_ANON_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_SERVICE_ROLE_KEY;
+}
+function resolveFunctionSecret(explicitValue) {
+  return explicitValue || process.env.OBSERVABILITY_FUNCTION_SECRET || process.env.SUPABASE_SERVICE_ROLE_KEY;
+}
+function resolveRequestTimeoutMs() {
+  const raw = process.env.OBSERVABILITY_TIMEOUT_MS;
+  const parsed = raw ? Number.parseInt(raw, 10) : Number.NaN;
+  if (Number.isFinite(parsed) && parsed > 0) {
+    return parsed;
+  }
+  return 1500;
+}
+function printStatusChecks(checks) {
+  if (getOutputFormatFromEnv() === "json") {
+    return;
+  }
+  logger.section("Observability Status");
+  for (const check of checks) {
+    const icon = check.status === "ok" ? "\u2713" : check.status === "warning" ? "\u26A0" : "\u2717";
+    logger.info(`  ${icon} ${check.name.padEnd(24)} ${check.message}`);
+  }
+}
+async function runObservabilityStatus(command, options) {
+  const targetDir = options.cwd || process.cwd();
+  const checks = buildObservabilityChecks(targetDir);
+  const output = {
+    ready: isObservabilityReady(checks),
+    targetDir,
+    checks
+  };
+  printStatusChecks(checks);
+  emitJsonSuccess(command, ObservabilityStatusOutputSchema, output);
+  if (!output.ready) {
+    process.exitCode = 1;
+    if (getOutputFormatFromEnv() !== "json") {
+      const blockingMessages = checks.filter(isBlockingObservabilityCheck).map((check) => check.message);
+      throw new CLIError(
+        "Observability readiness check failed",
+        "OBSERVABILITY_STATUS_FAILED",
+        blockingMessages
+      );
+    }
+  }
+}
+async function runObservabilityEnable(command, options) {
+  const targetDir = options.cwd || process.cwd();
+  const checks = buildObservabilityChecks(targetDir);
+  const blockingChecks = getObservabilityEnableBlockingChecks(targetDir, checks);
+  const linkedProjectDetected = detectSupabaseProjectLink(targetDir);
+  const functions = ["observability-ingest", "observability-checkin", "observability-dispatch"];
+  printStatusChecks(checks);
+  if (blockingChecks.length > 0) {
+    throw new CLIError(
+      "Observability enable prerequisites are not satisfied",
+      "OBSERVABILITY_ENABLE_BLOCKED",
+      blockingChecks.map((check) => check.message)
+    );
+  }
+  const output = {
+    targetDir,
+    checks,
+    dbSyncApplied: false,
+    functionSecretSynced: false,
+    functionsDeployed: [],
+    skippedFunctions: [],
+    linkedProjectDetected
+  };
+  if (options.check) {
+    emitJsonSuccess(command, ObservabilityEnableOutputSchema, output);
+    return;
+  }
+  logger.section("Observability Enable");
+  logger.info("Applying observability schema via runa db sync...");
+  await runExeca("runa", ["db", "sync", "--auto-approve"], {
+    cwd: targetDir,
+    stdio: "inherit"
+  });
+  output.dbSyncApplied = true;
+  const explicitFunctionSecret = process.env.OBSERVABILITY_FUNCTION_SECRET?.trim();
+  const projectRef = resolveSupabaseProjectRef(targetDir);
+  if (linkedProjectDetected && explicitFunctionSecret && projectRef) {
+    logger.info(`Syncing OBSERVABILITY_FUNCTION_SECRET to Supabase project ${projectRef}...`);
+    await runExeca(
+      "supabase",
+      ["secrets", "set", `OBSERVABILITY_FUNCTION_SECRET=${explicitFunctionSecret}`],
+      {
+        cwd: targetDir,
+        stdio: "inherit"
+      }
+    );
+    writeObservabilityFunctionSecretSyncMarker(targetDir, {
+      projectRef,
+      secret: explicitFunctionSecret
+    });
+    output.functionSecretSynced = true;
+  }
+  if (options.skipFunctionDeploy) {
+    output.skippedFunctions = functions;
+  } else if (!linkedProjectDetected) {
+    output.skippedFunctions = functions;
+    logger.warn("Supabase project link was not detected; skipping Edge Function deploy");
+    logger.info("Link the project and run:");
+    for (const functionName of functions) {
+      logger.info(`  supabase functions deploy ${functionName}`);
+    }
+  } else {
+    logger.info("Deploying observability Edge Functions...");
+    for (const functionName of functions) {
+      await runExeca("supabase", ["functions", "deploy", functionName], {
+        cwd: targetDir,
+        stdio: "inherit"
+      });
+      output.functionsDeployed.push(functionName);
+    }
+  }
+  if (getOutputFormatFromEnv() !== "json") {
+    logger.success("Observability enable completed");
+  }
+  emitJsonSuccess(command, ObservabilityEnableOutputSchema, output);
+}
+async function runObservabilityEmitTestEvent(command, options) {
+  const baseUrl = resolveBaseUrl(options.baseUrl);
+  const accessToken = resolveAccessToken(options.accessToken);
+  const functionSecret = resolveFunctionSecret(options.functionSecret);
+  if (!baseUrl || !accessToken || !functionSecret) {
+    throw new CLIError(
+      "Observability emit requires Supabase URL, access token, and function secret",
+      "OBSERVABILITY_EMIT_CONFIG_MISSING",
+      [
+        "Provide --base-url, --access-token, and --function-secret",
+        "Or set SUPABASE_URL/NEXT_PUBLIC_SUPABASE_URL, SUPABASE_ANON_KEY/NEXT_PUBLIC_SUPABASE_ANON_KEY, and OBSERVABILITY_FUNCTION_SECRET/SUPABASE_SERVICE_ROLE_KEY"
+      ]
+    );
+  }
+  const client = createObservabilityClient({
+    baseUrl,
+    accessToken,
+    functionSecret,
+    timeoutMs: resolveRequestTimeoutMs()
+  });
+  const output = await client.captureEvent({
+    kind: "log",
+    category: "diagnostic",
+    level: "warn",
+    message: "runa observability emit-test-event",
+    scopeKey: options.scopeKey,
+    serviceName: options.serviceName || basename(process.cwd()) || "runa-cli",
+    environment: options.environment || process.env.VERCEL_ENV || process.env.NODE_ENV || "development",
+    source: "cli",
+    payload: {
+      command: "runa observability emit-test-event",
+      emittedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  });
+  if (getOutputFormatFromEnv() !== "json") {
+    logger.section("Observability Emit");
+    logger.success(`Emitted test event ${output.eventId} (${output.resolvedScopeKey})`);
+  }
+  emitJsonSuccess(
+    command,
+    ObservabilityEmitTestEventOutputSchema,
+    ObservabilityIngestOutputSchema.parse(output)
+  );
+}
+async function runObservabilityDispatch(command, options) {
+  const baseUrl = resolveBaseUrl(options.baseUrl);
+  const accessToken = resolveAccessToken(options.accessToken);
+  const functionSecret = resolveFunctionSecret(options.functionSecret);
+  if (!baseUrl || !accessToken || !functionSecret) {
+    throw new CLIError(
+      "Observability dispatch requires Supabase URL, access token, and function secret",
+      "OBSERVABILITY_DISPATCH_CONFIG_MISSING",
+      [
+        "Provide --base-url, --access-token, and --function-secret",
+        "Or set SUPABASE_URL/NEXT_PUBLIC_SUPABASE_URL, SUPABASE_ANON_KEY/NEXT_PUBLIC_SUPABASE_ANON_KEY, and OBSERVABILITY_FUNCTION_SECRET/SUPABASE_SERVICE_ROLE_KEY"
+      ]
+    );
+  }
+  const response = await fetch(
+    `${baseUrl.replace(/\/+$/, "")}/functions/v1/observability-dispatch`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        apikey: accessToken,
+        "Content-Type": "application/json",
+        "x-observability-secret": functionSecret
+      },
+      body: JSON.stringify({
+        limit: Number(options.limit || "25")
+      }),
+      signal: AbortSignal.timeout(resolveRequestTimeoutMs())
+    }
+  );
+  if (!response.ok) {
+    throw new CLIError(
+      `Observability dispatch failed: ${response.status} ${response.statusText}`,
+      "OBSERVABILITY_DISPATCH_FAILED",
+      ["Verify the observability-dispatch Edge Function is deployed"]
+    );
+  }
+  const output = ObservabilityDispatchOutputSchema.parse(await response.json());
+  if (getOutputFormatFromEnv() !== "json") {
+    logger.section("Observability Dispatch");
+    logger.success(
+      `Processed ${output.processed} notification(s), delivered ${output.delivered}, failed ${output.failed}`
+    );
+  }
+  emitJsonSuccess(command, ObservabilityDispatchOutputSchema, output);
+}
+var observabilityStatusCommand = new Command("status").description("Check observability readiness for the current project").option("--cwd <path>", "Working directory (default: current directory)").action(
+  async (options) => runObservabilityStatus(observabilityStatusCommand, options)
+);
+var observabilityCheckCommand = new Command("check").description("Alias for `runa observability status`").option("--cwd <path>", "Working directory (default: current directory)").action(
+  async (options) => runObservabilityStatus(observabilityCheckCommand, options)
+);
+var observabilityDoctorCommand = new Command("doctor").description("Deprecated alias for `runa observability status`").option("--cwd <path>", "Working directory (default: current directory)").action(
+  async (options) => runObservabilityStatus(observabilityDoctorCommand, options)
+);
+var observabilityEnableCommand = new Command("enable").description("Apply observability schema and deploy observability Edge Functions when possible").option("--cwd <path>", "Working directory (default: current directory)").option("--check", "Validate prerequisites without mutating the project").option("--skip-function-deploy", "Skip Supabase Edge Function deployment").action(
+  async (options) => runObservabilityEnable(observabilityEnableCommand, options)
+);
+var observabilityEmitTestEventCommand = new Command("emit-test-event").description("Emit a test observability event through the configured Supabase Edge Function").option("--base-url <url>", "Supabase base URL").option("--access-token <token>", "Supabase anon or service-role key").option("--function-secret <secret>", "Observability function shared secret").option("--scope-key <scopeKey>", "Override scope key").option("--service-name <serviceName>", "Override service name").option("--environment <environment>", "Override environment").action(
+  async (options) => runObservabilityEmitTestEvent(observabilityEmitTestEventCommand, options)
+);
+var observabilityDispatchCommand = new Command("dispatch").description("Dispatch pending observability notifications through the configured Edge Function").option("--base-url <url>", "Supabase base URL").option("--access-token <token>", "Supabase anon or service-role key").option("--function-secret <secret>", "Observability function shared secret").option("--limit <count>", "Maximum number of pending notifications to process", "25").action(
+  async (options) => runObservabilityDispatch(observabilityDispatchCommand, options)
+);
+var observabilityCommand = new Command("observability").description("Check and exercise the observability control plane").addCommand(observabilityEnableCommand).addCommand(observabilityStatusCommand).addCommand(observabilityCheckCommand).addCommand(observabilityDoctorCommand).addCommand(observabilityEmitTestEventCommand).addCommand(observabilityDispatchCommand);
+
+export { ObservabilityDispatchInputSchema, ObservabilityDispatchOutputSchema, ObservabilityEmitTestEventInputSchema, ObservabilityEmitTestEventOutputSchema, ObservabilityEnableInputSchema, ObservabilityEnableOutputSchema, ObservabilityStatusInputSchema, ObservabilityStatusOutputSchema, observabilityCheckCommand, observabilityCommand, observabilityDispatchCommand, observabilityDoctorCommand, observabilityEmitTestEventCommand, observabilityEnableCommand, observabilityStatusCommand };