npm - @runa-ai/runa-cli - Versions diffs - 0.7.1 → 0.7.2 - Mend

@runa-ai/runa-cli 0.7.1 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/dist/risk-detector-plpgsql-ULV7NLDB.js ADDED Viewed

@@ -0,0 +1,638 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { splitPlpgsqlStatementsWithOffsets, extractExecuteExpressions, skipWhitespace, parseTopLevelAssignment, extractStaticSqlFromExpression, mergeStringEnvValue, skipIdentifier } from './chunk-Y5ANTCKE.js';
+import { stripSqlCommentsPreserveLines, buildLineStarts, lineNumberFromIndex, stripSqlStringsPreserveLines, detectRisksFromContent, stripSqlForPatternMatching } from './chunk-3FDQW524.js';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+createRequire(import.meta.url);
+// src/validators/risk-detector-plpgsql.ts
+init_esm_shims();
+var DO_STATEMENT_PATTERN = /\bDO\b/gi;
+var CREATE_OR_ALTER_FUNCTION_PATTERN = /\b(?:CREATE|ALTER)\s+(?:OR\s+REPLACE\s+)?(?:FUNCTION|PROCEDURE)\b/gi;
+var IDEMPOTENT_SQL_PATH_PATTERN = /(?:^|[\\/])supabase[\\/]schemas[\\/]idempotent[\\/]/i;
+var DO_TABLE_REFERENCE_PATTERN = /\b(?:FROM|JOIN|INSERT\s+INTO|UPDATE(?!\s+USING\b)|DELETE\s+FROM|ALTER\s+TABLE|TRUNCATE(?:\s+TABLE)?)\s+(?:(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))\.)?(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))/gi;
+var DO_TABLE_GUARD_PATTERNS = [
+  /\bpg_class\b/i,
+  /\binformation_schema\s*\.\s*tables\b/i,
+  /\bto_regclass\s*\(/i,
+  /\bpg_table_is_visible\s*\(/i
+];
+var NON_APP_SCHEMAS = /* @__PURE__ */ new Set([
+  "pg_catalog",
+  "information_schema",
+  "pg_toast",
+  "pg_temp",
+  "pg_class",
+  "pg_namespace",
+  "pg_attribute",
+  "pg_proc",
+  "pg_roles",
+  "auth",
+  "storage",
+  "realtime",
+  "supabase_migrations",
+  "supabase_functions",
+  "extensions",
+  "graphql",
+  "graphql_public",
+  "net",
+  "pgsodium",
+  "pgsodium_masks",
+  "vault",
+  "pgbouncer",
+  "cron",
+  "pgtap",
+  "tests"
+]);
+var NON_APP_RELATIONS = /* @__PURE__ */ new Set([
+  "schemata",
+  "tables",
+  "columns",
+  "views",
+  "routines",
+  "parameters",
+  "constraints",
+  "triggers"
+]);
+var sqlParserUtilsPromise = null;
+function getSqlParserUtils() {
+  sqlParserUtilsPromise ??= import('@runa-ai/runa/ast').then(async ({ loadSqlParserUtils }) => {
+    const loaded = await loadSqlParserUtils();
+    if (typeof loaded.parseSql === "function") {
+      return loaded;
+    }
+    throw new Error("SQL parser utilities are unavailable or missing parseSql()");
+  });
+  return sqlParserUtilsPromise;
+}
+function extractStringValue(node) {
+  if (!node) return void 0;
+  const strNode = node.String;
+  if (typeof strNode === "object" && strNode !== null) {
+    return strNode.sval;
+  }
+  return node.str;
+}
+function extractBodyFromDefElements(items, statementType) {
+  if (!items) return void 0;
+  for (const item of items) {
+    if (typeof item !== "object" || item === null) continue;
+    const defElem = item.DefElem;
+    if (!defElem || defElem.defname !== "as") continue;
+    const arg = defElem.arg;
+    if (!arg) continue;
+    if (statementType === "do") {
+      return extractStringValue(arg);
+    }
+    const list = arg.List;
+    const values = list?.items?.flatMap((entry) => {
+      if (typeof entry !== "object" || entry === null) return [];
+      const stringValue = extractStringValue(entry);
+      return stringValue ? [stringValue] : [];
+    });
+    if (values && values.length > 0) {
+      return values.join("\n");
+    }
+  }
+  return void 0;
+}
+function resolveStatementWindow(content, statementEntry, fallbackCursor) {
+  const start = typeof statementEntry.stmt_location === "number" && statementEntry.stmt_location >= 0 ? statementEntry.stmt_location : fallbackCursor;
+  const end = typeof statementEntry.stmt_len === "number" && statementEntry.stmt_len > 0 ? Math.min(content.length, start + statementEntry.stmt_len) : content.length;
+  return { start, end };
+}
+function locateBodyInStatement(statementText, body, statementType) {
+  const directIndex = statementText.indexOf(body);
+  if (directIndex !== -1) {
+    return {
+      bodyStart: directIndex,
+      bodyEnd: directIndex + body.length,
+      statementType
+    };
+  }
+  const fallbackRanges = statementType === "do" ? collectDoBodyRanges(statementText) : collectFunctionBodyRanges(statementText);
+  return fallbackRanges[0];
+}
+function detectAstStatementType(stmt) {
+  if (typeof stmt.DoStmt === "object" && stmt.DoStmt !== null) {
+    return "do";
+  }
+  if (typeof stmt.CreateFunctionStmt === "object" && stmt.CreateFunctionStmt !== null) {
+    return "function";
+  }
+  return null;
+}
+function extractAstStatementBody(stmt, statementType) {
+  if (statementType === "do") {
+    return extractBodyFromDefElements(
+      stmt.DoStmt.args,
+      statementType
+    );
+  }
+  return extractBodyFromDefElements(
+    stmt.CreateFunctionStmt.options,
+    statementType
+  );
+}
+function localizeBodyRange(content, statementEntry, fallbackCursor, body, statementType) {
+  const window = resolveStatementWindow(content, statementEntry, fallbackCursor);
+  const statementText = content.slice(window.start, window.end);
+  const localized = locateBodyInStatement(statementText, body, statementType);
+  return {
+    range: localized === void 0 ? void 0 : {
+      bodyStart: window.start + localized.bodyStart,
+      bodyEnd: window.start + localized.bodyEnd,
+      statementType
+    },
+    nextCursor: Math.max(window.end, fallbackCursor)
+  };
+}
+async function findFunctionAndDoBodiesWithAst(content) {
+  const parser = await getSqlParserUtils();
+  const parsed = await parser.parseSql(content);
+  if (!parsed || parsed.stmts.length === 0) return [];
+  const ranges = [];
+  let fallbackCursor = 0;
+  for (const statementEntry of parsed.stmts) {
+    const stmt = statementEntry.stmt;
+    const statementType = detectAstStatementType(stmt);
+    if (!statementType) {
+      const window = resolveStatementWindow(content, statementEntry, fallbackCursor);
+      fallbackCursor = Math.max(window.end, fallbackCursor);
+      continue;
+    }
+    const body = extractAstStatementBody(stmt, statementType);
+    const localized = body ? localizeBodyRange(content, statementEntry, fallbackCursor, body, statementType) : { range: void 0, nextCursor: fallbackCursor };
+    fallbackCursor = localized.nextCursor;
+    if (!body) continue;
+    if (localized.range) {
+      ranges.push(localized.range);
+    }
+  }
+  return ranges;
+}
+async function findFunctionAndDoBodies(content) {
+  try {
+    const astRanges = await findFunctionAndDoBodiesWithAst(content);
+    if (astRanges.length > 0) return astRanges;
+  } catch {
+  }
+  return [...collectDoBodyRanges(content), ...collectFunctionBodyRanges(content)];
+}
+function readDollarTag(content, index) {
+  const match = content.slice(index).match(/^\$([A-Za-z_][A-Za-z0-9_]*)?\$/);
+  return match ? match[0] : void 0;
+}
+function isWordChar(char) {
+  return /[A-Za-z0-9_]/.test(char);
+}
+function isKeywordAt(content, contentIndex, keyword) {
+  const endIndex = contentIndex + keyword.length;
+  if (endIndex > content.length) return false;
+  if (content.slice(contentIndex, endIndex).toUpperCase() !== keyword) return false;
+  const before = contentIndex > 0 ? content[contentIndex - 1] : " ";
+  const after = endIndex < content.length ? content[endIndex] : " ";
+  return !isWordChar(before) && !isWordChar(after);
+}
+function consumeSingleQuote(content, state) {
+  if (!state.inSingleQuote) return false;
+  if (content[state.cursor] === "'" && content[state.cursor + 1] === "'") {
+    state.cursor += 2;
+    return true;
+  }
+  if (content[state.cursor] === "'") {
+    state.inSingleQuote = false;
+  }
+  state.cursor += 1;
+  return true;
+}
+function consumeDoubleQuote(content, state) {
+  if (!state.inDoubleQuote) return false;
+  if (content[state.cursor] === '"' && content[state.cursor + 1] === '"') {
+    state.cursor += 2;
+    return true;
+  }
+  if (content[state.cursor] === '"') {
+    state.inDoubleQuote = false;
+  }
+  state.cursor += 1;
+  return true;
+}
+function consumeDollarQuote(content, state) {
+  if (state.inDollarQuote === void 0) return false;
+  const close = `$${state.inDollarQuote}$`;
+  if (content.startsWith(close, state.cursor)) {
+    state.inDollarQuote = void 0;
+    state.cursor += close.length;
+    return true;
+  }
+  state.cursor += 1;
+  return true;
+}
+function consumeQuotedSpan(content, state) {
+  if (consumeSingleQuote(content, state)) return true;
+  if (consumeDoubleQuote(content, state)) return true;
+  return consumeDollarQuote(content, state);
+}
+function tryStartSingleQuote(content, state) {
+  if (content[state.cursor] !== "'") return false;
+  state.inSingleQuote = true;
+  state.cursor += 1;
+  return true;
+}
+function tryStartDoubleQuote(content, state) {
+  if (content[state.cursor] !== '"') return false;
+  state.inDoubleQuote = true;
+  state.cursor += 1;
+  return true;
+}
+function tryStartDollarQuote(content, state) {
+  const dollarTag = readDollarTag(content, state.cursor);
+  if (dollarTag === void 0) return false;
+  state.inDollarQuote = dollarTag.slice(1, -1);
+  state.cursor += dollarTag.length;
+  return true;
+}
+function tryStartQuotedSpan(content, state) {
+  if (tryStartSingleQuote(content, state)) return true;
+  if (tryStartDoubleQuote(content, state)) return true;
+  return tryStartDollarQuote(content, state);
+}
+function findKeywordFromOffset(content, start, keyword) {
+  const state = {
+    cursor: start,
+    inSingleQuote: false,
+    inDoubleQuote: false,
+    inDollarQuote: void 0
+  };
+  while (state.cursor < content.length) {
+    if (consumeQuotedSpan(content, state)) continue;
+    if (tryStartQuotedSpan(content, state)) continue;
+    if (isKeywordAt(content, state.cursor, keyword)) {
+      return state.cursor;
+    }
+    state.cursor += 1;
+  }
+  return void 0;
+}
+var MAX_DOLLAR_QUOTE_DEPTH = 50;
+function skipUntilDollarClose(content, state, openTag, depth) {
+  if (depth >= MAX_DOLLAR_QUOTE_DEPTH) return -1;
+  const nestedTag = readDollarTag(content, state.cursor);
+  if (nestedTag === void 0 || nestedTag === openTag) {
+    return state.cursor;
+  }
+  const nestedStart = state.cursor + nestedTag.length;
+  const nestedEnd = closeIndexForDollarTag(content, nestedStart, nestedTag, depth + 1);
+  if (nestedEnd === -1) return -1;
+  state.cursor = nestedEnd + nestedTag.length;
+  return state.cursor;
+}
+function closeIndexForDollarTag(content, bodyStart, openTag, depth = 0) {
+  if (depth >= MAX_DOLLAR_QUOTE_DEPTH) return -1;
+  const state = {
+    cursor: bodyStart,
+    inSingleQuote: false,
+    inDoubleQuote: false,
+    inDollarQuote: void 0
+  };
+  while (state.cursor < content.length) {
+    if (consumeQuotedSpan(content, state)) continue;
+    if (content.startsWith(openTag, state.cursor)) {
+      return state.cursor;
+    }
+    const nestedCursor = skipUntilDollarClose(content, state, openTag, depth);
+    if (nestedCursor !== state.cursor) {
+      continue;
+    }
+    if (tryStartSingleQuote(content, state)) continue;
+    if (tryStartDoubleQuote(content, state)) continue;
+    state.cursor += 1;
+  }
+  return -1;
+}
+function resolveBodyRange(content, openTagStart, statementType) {
+  const openTag = readDollarTag(content, openTagStart);
+  if (openTag === void 0) return void 0;
+  const bodyStart = openTagStart + openTag.length;
+  const bodyEnd = closeIndexForDollarTag(content, bodyStart, openTag);
+  if (bodyEnd === -1) return void 0;
+  return {
+    range: { bodyStart, bodyEnd, statementType },
+    nextScanIndex: bodyEnd + openTag.length
+  };
+}
+function skipDoLanguageClause(content, cursor) {
+  if (!isKeywordAt(content, cursor, "LANGUAGE")) {
+    return cursor;
+  }
+  const langNameStart = skipWhitespace(content, cursor + "LANGUAGE".length);
+  const afterLangName = skipIdentifier(content, langNameStart);
+  return skipWhitespace(content, afterLangName);
+}
+function collectDoBodyRanges(content) {
+  const ranges = [];
+  DO_STATEMENT_PATTERN.lastIndex = 0;
+  let doMatch = DO_STATEMENT_PATTERN.exec(content);
+  while (doMatch !== null) {
+    const doStart = doMatch.index;
+    if (findKeywordFromOffset(content, doStart, "DO") !== doStart) {
+      DO_STATEMENT_PATTERN.lastIndex = doStart + doMatch[0].length;
+      doMatch = DO_STATEMENT_PATTERN.exec(content);
+      continue;
+    }
+    let cursor = skipWhitespace(content, doStart + doMatch[0].length);
+    cursor = skipDoLanguageClause(content, cursor);
+    const resolved = resolveBodyRange(content, cursor, "do");
+    if (resolved !== void 0) {
+      ranges.push(resolved.range);
+      DO_STATEMENT_PATTERN.lastIndex = resolved.nextScanIndex;
+    }
+    doMatch = DO_STATEMENT_PATTERN.exec(content);
+  }
+  DO_STATEMENT_PATTERN.lastIndex = 0;
+  return ranges;
+}
+function collectFunctionBodyRanges(content) {
+  const ranges = [];
+  CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = 0;
+  let functionMatch = CREATE_OR_ALTER_FUNCTION_PATTERN.exec(content);
+  while (functionMatch !== null) {
+    const start = functionMatch.index;
+    const asIndex = findKeywordFromOffset(content, start + functionMatch[0].length, "AS");
+    if (asIndex === void 0) {
+      CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = start + functionMatch[0].length;
+      functionMatch = CREATE_OR_ALTER_FUNCTION_PATTERN.exec(content);
+      continue;
+    }
+    const bodyStartAt = skipWhitespace(content, asIndex + 2);
+    const resolved = resolveBodyRange(content, bodyStartAt, "function");
+    if (resolved !== void 0) {
+      ranges.push(resolved.range);
+      CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = resolved.nextScanIndex;
+    }
+    functionMatch = CREATE_OR_ALTER_FUNCTION_PATTERN.exec(content);
+  }
+  CREATE_OR_ALTER_FUNCTION_PATTERN.lastIndex = 0;
+  return ranges;
+}
+function enrichStaticExecuteRiskFromSql(sql, sourceLine) {
+  const staticSql = stripSqlForPatternMatching(sql);
+  if (!staticSql.trim()) return [];
+  const staticSqlLineStarts = buildLineStarts(sql);
+  return detectRisksFromContent(staticSql, sql, staticSqlLineStarts).map((risk) => ({
+    ...risk,
+    line: sourceLine,
+    evidence: {
+      source: "static execute body",
+      snippet: sql.trim().slice(0, 200),
+      detail: "Reconstructed PL/pgSQL EXECUTE expression"
+    }
+  }));
+}
+function buildDoBlockRisk(commentlessContent, range, declarationLine) {
+  const bodyPreviewStart = Math.max(0, range.bodyStart - 80);
+  const bodyPreviewEnd = range.bodyEnd + 80;
+  return {
+    level: "medium",
+    description: "DO block detected in SQL",
+    mitigation: "Prefer static declarative SQL or move bootstrap logic to idempotent script files with clear intent",
+    line: declarationLine,
+    reasonCode: "PLPGSQL_DO_BLOCK_DETECTED",
+    confidence: "medium",
+    evidence: {
+      source: "findFunctionAndDoBodies",
+      snippet: range.statementType === "do" ? commentlessContent.slice(bodyPreviewStart, bodyPreviewEnd) : void 0,
+      detail: `${range.statementType.toUpperCase()} block detected in schema SQL`
+    }
+  };
+}
+function maybeAddDoBlockRisk(risks, dedupe, commentlessContent, range, declarationLine) {
+  if (range.statementType !== "do") return;
+  const doKey = `do:${range.statementType}:${declarationLine}`;
+  if (dedupe.has(doKey)) return;
+  dedupe.add(doKey);
+  risks.push(buildDoBlockRisk(commentlessContent, range, declarationLine));
+}
+function isIdempotentSchemaFile(filePath) {
+  return filePath !== void 0 && IDEMPOTENT_SQL_PATH_PATTERN.test(filePath);
+}
+function doBodyContainsGuard(body) {
+  return DO_TABLE_GUARD_PATTERNS.some((pattern) => pattern.test(body));
+}
+function doBodyReferencesApplicationTables(body) {
+  const searchableBody = stripSqlStringsPreserveLines(stripSqlCommentsPreserveLines(body)).replace(
+    /^\s*(?:GRANT|REVOKE)\b[\s\S]*?;/gim,
+    ""
+  );
+  DO_TABLE_REFERENCE_PATTERN.lastIndex = 0;
+  let match = DO_TABLE_REFERENCE_PATTERN.exec(searchableBody);
+  while (match !== null) {
+    const schema = (match[1] ?? match[2] ?? "").toLowerCase();
+    const relation = (match[3] ?? match[4] ?? "").toLowerCase();
+    if (schema.length === 0) {
+      if (!relation.startsWith("pg_") && !NON_APP_SCHEMAS.has(relation) && !NON_APP_RELATIONS.has(relation)) {
+        return true;
+      }
+      match = DO_TABLE_REFERENCE_PATTERN.exec(searchableBody);
+      continue;
+    }
+    if (!NON_APP_SCHEMAS.has(schema)) {
+      return true;
+    }
+    match = DO_TABLE_REFERENCE_PATTERN.exec(searchableBody);
+  }
+  return false;
+}
+function maybeBuildIdempotentDoGuardRisk(body, declarationLine, filePath) {
+  if (!isIdempotentSchemaFile(filePath)) return void 0;
+  if (!doBodyReferencesApplicationTables(body)) return void 0;
+  if (doBodyContainsGuard(body)) return void 0;
+  return {
+    level: "medium",
+    description: "Idempotent DO block references application tables without an existence guard for 2-pass execution",
+    mitigation: "Add a table-existence guard using pg_class, information_schema.tables, or to_regclass() before referencing declarative tables inside the DO block.",
+    line: declarationLine,
+    reasonCode: "IDEMPOTENT_DO_TABLE_REFERENCE_WITHOUT_GUARD",
+    confidence: "medium",
+    evidence: {
+      source: "findFunctionAndDoBodies",
+      snippet: body.trim().slice(0, 200),
+      detail: "DO block references app tables but no recognizable table-existence guard was found"
+    }
+  };
+}
+function applyStatementAssignment(statement, stringEnv) {
+  const assignment = parseTopLevelAssignment(statement.statement);
+  if (!assignment) return;
+  const resolved = extractStaticSqlFromExpression(assignment.expression, stringEnv);
+  if (resolved.kind !== "static") {
+    stringEnv.delete(assignment.target);
+    return;
+  }
+  if (assignment.isConditionalContext) {
+    mergeStringEnvValue(stringEnv, assignment.target, resolved.sql);
+    return;
+  }
+  stringEnv.set(assignment.target, resolved.sql);
+}
+function buildExecuteLine(content, lineStarts, range, statement, execute) {
+  return lineNumberFromIndex(
+    content,
+    range.bodyStart + statement.startOffset + execute.statementStartOffset,
+    lineStarts
+  );
+}
+function buildExecuteKey(range, statement, execute, executeLine) {
+  return `execute:${range.statementType}:${statement.startOffset}:${execute.statementStartOffset}:${executeLine}`;
+}
+function buildStaticExecuteRisk(execute, executeLine) {
+  return {
+    level: "medium",
+    description: "Static EXECUTE SQL detected in PL/pgSQL body",
+    mitigation: "Prefer declarative/static SQL when possible; keep this change explicit in declarative schemas",
+    line: executeLine,
+    reasonCode: "PLPGSQL_EXECUTE_STATIC",
+    confidence: "low",
+    evidence: {
+      source: "extractExecuteExpressions",
+      snippet: execute.expression.slice(0, 200),
+      detail: "Static EXECUTE SQL detected from reconstructed expression"
+    }
+  };
+}
+function pushDerivedStaticRisks(risks, dedupe, staticSql, executeLine, hasUsingClause) {
+  const staticRisks = enrichStaticExecuteRiskFromSql(staticSql, executeLine);
+  for (const staticRisk of staticRisks) {
+    const key = `${staticRisk.level}:${staticRisk.description}:${executeLine}`;
+    const dedupeKey = `static:${key}`;
+    if (dedupe.has(dedupeKey)) continue;
+    dedupe.add(dedupeKey);
+    risks.push({
+      ...staticRisk,
+      reasonCode: staticRisk.reasonCode ?? "PLPGSQL_EXECUTE_STATIC",
+      confidence: staticRisk.confidence ?? "low",
+      evidence: {
+        ...staticRisk.evidence,
+        source: staticRisk.evidence?.source ?? "detectRisksFromContent",
+        detail: `Static EXECUTE SQL analyzed from reconstructed expression${hasUsingClause ? " (USING clause present)" : ""}`
+      }
+    });
+  }
+}
+function maybeBuildUsingClauseRisk(execute, executeLine) {
+  if (!execute.hasUsingClause) return void 0;
+  return {
+    level: "high",
+    description: "PL/pgSQL EXECUTE uses USING bindings; values are applied at runtime and must be auditable",
+    mitigation: "Avoid runtime-bound SQL mutation in migration paths, or keep this change in idempotent with explicit review",
+    line: executeLine,
+    reasonCode: "PLPGSQL_EXECUTE_DYNAMIC_USING",
+    confidence: "high",
+    evidence: {
+      source: "extractExecuteExpressions",
+      snippet: execute.expression.slice(0, 200),
+      detail: "EXECUTE contains USING clause"
+    }
+  };
+}
+function pushBodyStaticRisks(risks, dedupe, body, bodyStartLine) {
+  const searchableBody = stripSqlStringsPreserveLines(body);
+  if (!searchableBody.trim()) return;
+  const bodyLineStarts = buildLineStarts(body);
+  const bodyRisks = detectRisksFromContent(searchableBody, body, bodyLineStarts);
+  for (const risk of bodyRisks) {
+    const line = bodyStartLine + ((risk.line ?? 1) - 1);
+    const dedupeKey = `body:${risk.reasonCode ?? risk.description}:${line}`;
+    if (dedupe.has(dedupeKey)) continue;
+    dedupe.add(dedupeKey);
+    risks.push({
+      ...risk,
+      line,
+      evidence: {
+        source: "plpgsql body",
+        snippet: body.trim().slice(0, 200),
+        detail: `Matched ${risk.reasonCode ?? "pattern"} inside PL/pgSQL body`
+      }
+    });
+  }
+}
+function buildUnresolvedExecuteRisk(execute, executeLine, reason) {
+  const clauseSuffix = execute.hasUsingClause ? " includes USING clause" : execute.hasIntoClause ? " includes INTO clause" : "";
+  return {
+    level: "high",
+    description: `UNRESOLVED_DYNAMIC_SQL in PL/PGSQL EXECUTE: ${reason}${clauseSuffix}`,
+    mitigation: "Resolve SQL construction at migration time or add manual review before production apply preview",
+    line: executeLine,
+    reasonCode: execute.hasUsingClause ? "PLPGSQL_EXECUTE_DYNAMIC_USING" : execute.hasIntoClause ? "PLPGSQL_EXECUTE_DYNAMIC_INTO" : "PLPGSQL_EXECUTE_UNRESOLVED",
+    confidence: "high",
+    evidence: {
+      source: "extractStaticSqlFromExpression",
+      snippet: execute.expression.slice(0, 200),
+      detail: `Failed to reconstruct dynamic SQL (${reason})`
+    }
+  };
+}
+function analyzeExecuteStatement(risks, dedupe, content, lineStarts, range, statement, execute, stringEnv) {
+  const executeLine = buildExecuteLine(content, lineStarts, range, statement, execute);
+  const executeKey = buildExecuteKey(range, statement, execute, executeLine);
+  if (dedupe.has(executeKey)) return;
+  dedupe.add(executeKey);
+  const extracted = extractStaticSqlFromExpression(execute.expression, stringEnv);
+  if (extracted.kind !== "static") {
+    risks.push(buildUnresolvedExecuteRisk(execute, executeLine, extracted.reason));
+    return;
+  }
+  risks.push(buildStaticExecuteRisk(execute, executeLine));
+  pushDerivedStaticRisks(risks, dedupe, extracted.sql, executeLine, execute.hasUsingClause);
+  const usingRisk = maybeBuildUsingClauseRisk(execute, executeLine);
+  if (usingRisk !== void 0) {
+    risks.push(usingRisk);
+  }
+}
+function analyzeBodyRange(risks, dedupe, content, commentlessContent, lineStarts, range, options) {
+  const declarationLine = lineNumberFromIndex(commentlessContent, range.bodyStart, lineStarts);
+  maybeAddDoBlockRisk(risks, dedupe, commentlessContent, range, declarationLine);
+  const body = commentlessContent.slice(range.bodyStart, range.bodyEnd);
+  const doGuardRisk = maybeBuildIdempotentDoGuardRisk(body, declarationLine, options?.filePath);
+  if (doGuardRisk !== void 0) {
+    const key = `guard:${declarationLine}:${doGuardRisk.reasonCode}`;
+    if (!dedupe.has(key)) {
+      dedupe.add(key);
+      risks.push(doGuardRisk);
+    }
+  }
+  pushBodyStaticRisks(risks, dedupe, body, declarationLine);
+  const stringEnv = /* @__PURE__ */ new Map();
+  for (const statement of splitPlpgsqlStatementsWithOffsets(body)) {
+    applyStatementAssignment(statement, stringEnv);
+    const executeStatements = extractExecuteExpressions(statement.statement);
+    for (const execute of executeStatements) {
+      analyzeExecuteStatement(
+        risks,
+        dedupe,
+        content,
+        lineStarts,
+        range,
+        statement,
+        execute,
+        stringEnv
+      );
+    }
+  }
+}
+async function detectPlpgsqlDynamicExecutionRisks(content, options) {
+  const commentlessContent = stripSqlCommentsPreserveLines(content);
+  const lineStarts = buildLineStarts(commentlessContent);
+  const ranges = await findFunctionAndDoBodies(commentlessContent);
+  if (ranges.length === 0) return [];
+  const risks = [];
+  const dedupe = /* @__PURE__ */ new Set();
+  for (const range of ranges) {
+    analyzeBodyRange(risks, dedupe, content, commentlessContent, lineStarts, range, options);
+  }
+  return risks;
+}
+export { detectPlpgsqlDynamicExecutionRisks };

package/dist/{template-check-FFJVDLBF.js → template-check-BDFMT6ZO.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { getErrorMessage } from './chunk-EMB6IZFT.js';
+import { getErrorMessage } from './chunk-XVNDDHAF.js';
 import { findRepoRoot } from './chunk-3WDV32GA.js';
 import { createMachineStateChangeLogger } from './chunk-5FT3F36G.js';
 import { getOutputFormatFromEnv } from './chunk-HKUWEGUX.js';

package/dist/{upgrade-7TWORWBV.js → upgrade-BDUWBRT5.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { fetchTemplates } from './chunk-CCW3PLQY.js';
+import { fetchTemplates } from './chunk-Z7A4BEWF.js';
 import { updateRunaConfigSdkVersion } from './chunk-6AALH2ED.js';
 import './chunk-DRSUEMAK.js';
 import './chunk-RZLYEO4U.js';