@runa-ai/runa-cli 0.7.1 → 0.7.3

package/dist/commands/ci/utils/db-url-utils.d.ts

@@ -1,81 +1,8 @@
 /**
- * AI HINT: Database URL normalization utilities for CI operations
+ * AI HINT: Re-export from shared utils for backward compatibility.
  *
- * Purpose: Normalize database URLs for DDL operations and catalog queries
- * Shared: These utilities match SDK's behavior for consistent handling
- *
- * Key transformations:
- * 1. Port conversion: Transaction Pooler (6543) → Session Pooler (5432)
- * 2. pgbouncer cleanup: Remove pgbouncer parameter for Session Pooler
- * 3. IPv4 resolution: GitHub Actions runners can't reach IPv6-only hosts
- */
-/**
- * Resolve hostname to IPv4 address using getent (Linux).
- *
- * This is critical for GitHub Actions where IPv6 may not be routable to Supabase.
- * Matches SDK's resolveHostToIPv4 behavior.
- *
- * @param hostname - The hostname to resolve
- * @returns IPv4 address if resolvable, null otherwise
- */
-export declare function resolveHostToIPv4(hostname: string): string | null;
-/**
- * Normalize database URL for DDL reads and psql operations.
- *
- * Handles three critical issues:
- * 1. Port conversion: Transaction Pooler (6543) → Session Pooler (5432)
- *    - DDL and catalog reads are more reliable via Session Pooler
- * 2. pgbouncer cleanup: Remove pgbouncer parameter for Session Pooler
- *    - Session Pooler (5432) does NOT accept pgbouncer parameter
- * 3. IPv4 resolution: GitHub Actions runners can't reach IPv6-only hosts
- *    - This matches SDK's normalizeDatabaseUrlForDDL behavior
- *
- * @param databaseUrl - The database URL to normalize
- * @returns Normalized database URL suitable for DDL operations
- */
-export declare function normalizeDatabaseUrlForDdl(databaseUrl: string): string;
-/**
- * Get safe database target string for logging (without password).
- *
- * @param databaseUrl - The database URL
- * @returns Safe string for logging
- */
-export declare function getSafeDatabaseTarget(databaseUrl: string): string;
-/**
- * Escape SQL literal value for safe inclusion in SQL strings.
- *
- * @param value - The string value to escape
- * @returns Escaped string safe for SQL literals
- */
-export declare function escapeSqlLiteral(value: string): string;
-/**
- * Parse PostgreSQL boolean result to JavaScript boolean.
- *
- * PostgreSQL returns 't', 'true', or '1' for true values.
- * This utility normalizes these variants.
- *
- * @param value - The PostgreSQL boolean string
- * @returns JavaScript boolean
- */
-export declare function parseBoolish(value: string): boolean;
-/**
- * Check if a hostname resolves ONLY to IPv6 (no IPv4).
- *
- * This indicates that Supabase IPv4 Add-on is not enabled.
- * GitHub Actions cannot reach IPv6-only hosts.
- *
- * @param hostname - The hostname to check
- * @returns true if hostname resolves ONLY to IPv6, false otherwise
- */
-export declare function isIPv6Only(hostname: string): boolean;
-/**
- * Enhance error message with actionable advice.
- *
- * Detects common error patterns and adds clear guidance for users.
- *
- * @param error - Original error message
- * @param databaseUrl - The database URL that failed (optional)
- * @returns Enhanced error message with guidance
+ * The actual implementation lives in packages/cli/src/utils/db-url-utils.ts
+ * since these utilities are shared across both CI and DB modules.
  */
-export declare function enhanceConnectionError(error: string, databaseUrl?: string): string;
+export { enhanceConnectionError, escapeSqlLiteral, getSafeDatabaseTarget, isIPv6Only, normalizeDatabaseUrlForDdl, parseBoolish, resolveHostToIPv4, } from '../../../utils/db-url-utils.js';
 //# sourceMappingURL=db-url-utils.d.ts.map

package/dist/commands/ci/utils/github-api.d.ts

@@ -15,12 +15,26 @@ export declare function listPullRequestFiles(params: {
     repo: RepoContext;
     pullNumber: number;
 }): Promise<string[]>;
+export declare function mergeCommentSectionBody(params: {
+    existingBody: string;
+    startMarker: string;
+    endMarker: string;
+    sectionBody: string;
+}): string;
 export declare function upsertIssueComment(params: {
     repo: RepoContext;
     issueNumber: number;
     marker: string;
     body: string;
 }): Promise<void>;
+export declare function mergeIssueCommentSection(params: {
+    repo: RepoContext;
+    issueNumber: number;
+    marker: string;
+    startMarker: string;
+    endMarker: string;
+    sectionBody: string;
+}): Promise<void>;
 export declare function addIssueLabels(params: {
     repo: RepoContext;
     issueNumber: number;

package/dist/commands/db/apply/contract.d.ts

@@ -23,7 +23,9 @@ export declare const DbApplyInputSchema: z.ZodObject<{
     allowDataLoss: z.ZodDefault<z.ZodBoolean>;
     confirmAuthzUpdate: z.ZodDefault<z.ZodBoolean>;
     check: z.ZodDefault<z.ZodBoolean>;
+    strict: z.ZodDefault<z.ZodBoolean>;
     skipDataCheck: z.ZodDefault<z.ZodBoolean>;
+    compareOnly: z.ZodDefault<z.ZodBoolean>;
     maxLockWaitMs: z.ZodDefault<z.ZodNumber>;
     freshDbCheckSql: z.ZodOptional<z.ZodString>;
 }, z.core.$strict>;
@@ -67,6 +69,77 @@ export declare const DbApplyOutputSchema: z.ZodObject<{
         seedMs: z.ZodOptional<z.ZodNumber>;
         retryAttempts: z.ZodOptional<z.ZodNumber>;
     }, z.core.$strip>>;
+    outcome: z.ZodObject<{
+        command: z.ZodString;
+        exitMode: z.ZodEnum<{
+            success: "success";
+            success_with_warnings: "success_with_warnings";
+            failed: "failed";
+            timeout: "timeout";
+            cancelled: "cancelled";
+        }>;
+        startedAt: z.ZodString;
+        endedAt: z.ZodString;
+        durationMs: z.ZodNumber;
+        phases: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            label: z.ZodString;
+            status: z.ZodEnum<{
+                failed: "failed";
+                timeout: "timeout";
+                cancelled: "cancelled";
+                pending: "pending";
+                running: "running";
+                passed: "passed";
+                warning: "warning";
+                skipped: "skipped";
+            }>;
+            startedAt: z.ZodOptional<z.ZodString>;
+            endedAt: z.ZodOptional<z.ZodString>;
+            durationMs: z.ZodOptional<z.ZodNumber>;
+            timeoutMs: z.ZodOptional<z.ZodNumber>;
+            warningCount: z.ZodOptional<z.ZodNumber>;
+            error: z.ZodOptional<z.ZodObject<{
+                code: z.ZodString;
+                message: z.ZodString;
+                statusCode: z.ZodOptional<z.ZodNumber>;
+                retryable: z.ZodBoolean;
+                retryAfterMs: z.ZodOptional<z.ZodNumber>;
+                phase: z.ZodOptional<z.ZodString>;
+                details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+            }, z.core.$strict>>;
+            warnings: z.ZodOptional<z.ZodArray<z.ZodObject<{
+                code: z.ZodString;
+                message: z.ZodString;
+                phase: z.ZodString;
+                details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+            }, z.core.$strict>>>;
+            metrics: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodNumber>>;
+        }, z.core.$strict>>;
+        warnings: z.ZodArray<z.ZodObject<{
+            code: z.ZodString;
+            message: z.ZodString;
+            phase: z.ZodString;
+            details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strict>>;
+        errors: z.ZodArray<z.ZodObject<{
+            code: z.ZodString;
+            message: z.ZodString;
+            statusCode: z.ZodOptional<z.ZodNumber>;
+            retryable: z.ZodBoolean;
+            retryAfterMs: z.ZodOptional<z.ZodNumber>;
+            phase: z.ZodOptional<z.ZodString>;
+            details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strict>>;
+        summary: z.ZodObject<{
+            passed: z.ZodNumber;
+            warnings: z.ZodNumber;
+            failed: z.ZodNumber;
+            skipped: z.ZodNumber;
+            timedOut: z.ZodNumber;
+        }, z.core.$strict>;
+        nextActions: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strict>;
 }, z.core.$strict>;
 export type DbApplyOutput = z.infer<typeof DbApplyOutputSchema>;
 //# sourceMappingURL=contract.d.ts.map

package/dist/commands/db/apply/helpers/alter-statement-parsers.d.ts

@@ -0,0 +1,95 @@
+/**
+ * AI HINT: ALTER Statement Parsers & Validation Query Builders
+ *
+ * Purpose: Parse ALTER TABLE / CREATE UNIQUE INDEX statements to detect
+ *          data compatibility risks, and build validation queries for each.
+ *
+ * Detected patterns:
+ * 1. SET NOT NULL - fails if NULL values exist
+ * 2. ALTER TYPE   - fails if values can't be cast
+ * 3. ADD CHECK    - fails if data violates constraint
+ * 4. ADD UNIQUE / CREATE UNIQUE INDEX - fails if duplicates exist
+ *
+ * Extracted from data-compatibility-checker.ts for single responsibility.
+ */
+/**
+ * Parse SET NOT NULL from ALTER TABLE statement.
+ * Pattern: ALTER TABLE [IF EXISTS] ["schema"]."table" ALTER COLUMN ["col"] SET NOT NULL
+ */
+export declare function parseSetNotNull(sql: string): {
+    schema: string;
+    table: string;
+    column: string;
+} | null;
+/**
+ * Parse ALTER TYPE from ALTER TABLE statement.
+ * Pattern: ALTER TABLE ["schema"]."table" ALTER COLUMN ["col"] [SET DATA] TYPE target_type [USING ...]
+ *
+ * Handles:
+ * - Precision types: character varying(100), numeric(10,2)
+ * - Schema-qualified types: extensions.vector, public.citext
+ * - Array types: integer[], text[]
+ */
+export declare function parseAlterType(sql: string): {
+    schema: string;
+    table: string;
+    column: string;
+    targetType: string;
+} | null;
+/**
+ * Parse ADD CHECK from ALTER TABLE statement.
+ * Pattern: ALTER TABLE ["schema"]."table" ADD [CONSTRAINT name] CHECK (expr)
+ *
+ * Filters out pg-schema-diff internal temporary constraints (pgschemadiff_tmpnn_*)
+ * which are used for online NOT NULL migrations and would cause duplicate reports
+ * alongside parseSetNotNull.
+ */
+export declare function parseAddCheck(sql: string): {
+    schema: string;
+    table: string;
+    constraintName: string;
+    checkExpr: string;
+} | null;
+/**
+ * Parse ADD UNIQUE from ALTER TABLE statement.
+ * Pattern: ALTER TABLE ["schema"]."table" ADD [CONSTRAINT name] UNIQUE [NULLS [NOT] DISTINCT] (col1, col2)
+ */
+export declare function parseAddUnique(sql: string): {
+    schema: string;
+    table: string;
+    columns: string[];
+} | null;
+/**
+ * Parse CREATE UNIQUE INDEX statement.
+ * Pattern: CREATE UNIQUE INDEX [CONCURRENTLY] [IF NOT EXISTS] name ON ["schema"]."table" (columns) [WHERE ...]
+ *
+ * Handles:
+ * - Functional indexes: lower(email), upper(name)
+ * - Partial indexes: WHERE deleted_at IS NULL (excluded from column capture)
+ * - NULLS NOT DISTINCT (PostgreSQL 15+)
+ */
+export declare function parseCreateUniqueIndex(sql: string): {
+    schema: string;
+    table: string;
+    columns: string[];
+} | null;
+export declare function buildNotNullQuery(schema: string, table: string, column: string): string;
+/**
+ * Build a type cast validation query for known types.
+ * Returns null for unknown types (skip).
+ */
+export declare function buildTypeCastQuery(schema: string, table: string, column: string, targetType: string): string | null;
+/**
+ * Build query to validate CHECK constraint against existing data.
+ *
+ * SECURITY NOTE: checkExpr comes from pg_catalog (database metadata), not user input.
+ * We still apply basic validation as defense-in-depth against unexpected content.
+ */
+export declare function buildCheckConstraintQuery(schema: string, table: string, checkExpr: string): string;
+/**
+ * Quote a column expression for SQL.
+ * Simple column names are quoted; functional expressions (containing parens) are passed through.
+ */
+export declare function quoteColumnExpr(expr: string): string;
+export declare function buildUniqueQuery(schema: string, table: string, columns: string[]): string;
+//# sourceMappingURL=alter-statement-parsers.d.ts.map

package/dist/commands/db/apply/helpers/data-compatibility-checker.d.ts

@@ -33,67 +33,6 @@ export interface DataCompatibilityResult {
     /** Number of validation queries that failed (query errors + timeouts) */
     queryErrorCount: number;
 }
-/**
- * Parse SET NOT NULL from ALTER TABLE statement.
- * Pattern: ALTER TABLE [IF EXISTS] ["schema"]."table" ALTER COLUMN ["col"] SET NOT NULL
- */
-export declare function parseSetNotNull(sql: string): {
-    schema: string;
-    table: string;
-    column: string;
-} | null;
-/**
- * Parse ALTER TYPE from ALTER TABLE statement.
- * Pattern: ALTER TABLE ["schema"]."table" ALTER COLUMN ["col"] [SET DATA] TYPE target_type [USING ...]
- *
- * Handles:
- * - Precision types: character varying(100), numeric(10,2)
- * - Schema-qualified types: extensions.vector, public.citext
- * - Array types: integer[], text[]
- */
-export declare function parseAlterType(sql: string): {
-    schema: string;
-    table: string;
-    column: string;
-    targetType: string;
-} | null;
-/**
- * Parse ADD CHECK from ALTER TABLE statement.
- * Pattern: ALTER TABLE ["schema"]."table" ADD [CONSTRAINT name] CHECK (expr)
- *
- * Filters out pg-schema-diff internal temporary constraints (pgschemadiff_tmpnn_*)
- * which are used for online NOT NULL migrations and would cause duplicate reports
- * alongside parseSetNotNull.
- */
-export declare function parseAddCheck(sql: string): {
-    schema: string;
-    table: string;
-    constraintName: string;
-    checkExpr: string;
-} | null;
-/**
- * Parse ADD UNIQUE from ALTER TABLE statement.
- * Pattern: ALTER TABLE ["schema"]."table" ADD [CONSTRAINT name] UNIQUE [NULLS [NOT] DISTINCT] (col1, col2)
- */
-export declare function parseAddUnique(sql: string): {
-    schema: string;
-    table: string;
-    columns: string[];
-} | null;
-/**
- * Parse CREATE UNIQUE INDEX statement.
- * Pattern: CREATE UNIQUE INDEX [CONCURRENTLY] [IF NOT EXISTS] name ON ["schema"]."table" (columns) [WHERE ...]
- *
- * Handles:
- * - Functional indexes: lower(email), upper(name)
- * - Partial indexes: WHERE deleted_at IS NULL (excluded from column capture)
- * - NULLS NOT DISTINCT (PostgreSQL 15+)
- */
-export declare function parseCreateUniqueIndex(sql: string): {
-    schema: string;
-    table: string;
-    columns: string[];
-} | null;
 /**
  * Check data compatibility for all statements in a plan.
  *

package/dist/commands/db/apply/helpers/function-plan-false-positive-filter.d.ts

@@ -0,0 +1,36 @@
+import type { PlanStatement } from './plan-validator.js';
+import { type PlanAnalysisSession } from './plan-ast.js';
+interface DbFunctionMetadata {
+    schema: string;
+    name: string;
+    definition: string;
+    proconfig: string[];
+}
+interface NormalizedFunctionDefinition {
+    normalizedDefinition: string;
+    normalizedConfig: string;
+}
+export interface FunctionSchemaCheckSuppressionResult {
+    planOutput: string;
+    suppressedStatements: PlanStatement[];
+    warnings: string[];
+}
+declare function normalizeDbProconfig(entries: string[]): string;
+declare function normalizePlpgsqlFunctionDefinition(sql: string, dbProconfig?: string[], session?: PlanAnalysisSession): Promise<NormalizedFunctionDefinition | null>;
+declare function matchesSchemaCheckExclusion(objectKey: string, patterns: readonly string[]): boolean;
+declare function serializePlanStatements(statements: PlanStatement[]): string;
+declare function isSemanticallyEquivalentPlpgsqlFunction(sql: string, candidates: readonly DbFunctionMetadata[], session: PlanAnalysisSession): Promise<boolean>;
+export declare function suppressFunctionSchemaCheckFalsePositives(params: {
+    dbUrl: string;
+    planOutput: string;
+    excludeFromSchemaCheck?: readonly string[];
+}): Promise<FunctionSchemaCheckSuppressionResult>;
+export declare const _test: {
+    isSemanticallyEquivalentPlpgsqlFunction: typeof isSemanticallyEquivalentPlpgsqlFunction;
+    matchesSchemaCheckExclusion: typeof matchesSchemaCheckExclusion;
+    normalizeDbProconfig: typeof normalizeDbProconfig;
+    normalizePlpgsqlFunctionDefinition: typeof normalizePlpgsqlFunctionDefinition;
+    serializePlanStatements: typeof serializePlanStatements;
+};
+export {};
+//# sourceMappingURL=function-plan-false-positive-filter.d.ts.map

package/dist/commands/db/apply/helpers/hazard-handler.d.ts

@@ -48,12 +48,12 @@ export declare function handleHazardsWithContext(planOutput: string, input: DbAp
     hasDeletesData: boolean;
     hasAuthzUpdate: boolean;
 };
-/**
- * Display check mode results.
- */
 export declare function displayCheckModeResults(planOutput: string, filterInfo?: {
     filteredPlanSql: string;
-    removedStatements: {
+    removedDropStatements: {
+        sql: string;
+    }[];
+    removedAuthzStatements: {
         sql: string;
     }[];
 }): void;

package/dist/commands/db/apply/helpers/index.d.ts

@@ -4,16 +4,25 @@
  * Purpose: Export all helper functions for db apply actors
  */
 export { acquireAdvisoryLock, MIGRATION_LOCK_ID, releaseAdvisoryLock, } from './advisory-lock.js';
-export type { FilterResult, PlanHazard, PlanStatement, ValidatedPlan } from './plan-validator.js';
-export { ALLOWED_DDL_PREFIXES, BLOCKED_SQL_PATTERNS, filterIdempotentProtectedStatements, isDropStatementForProtectedObject, parsePlanOutput, validatePlanForExecution, validateStatementTypes, } from './plan-validator.js';
-export type { IdempotentProtectedObjects, ParsedHazard, PartitionPrivilegeDetection, PgSchemaDiffPlanOptions, } from './pg-schema-diff-helpers.js';
+export type { PlanHazard, PlanStatement, ValidatedPlan } from './plan-validator.js';
+export { ALLOWED_DDL_PREFIXES, BLOCKED_SQL_PATTERNS, parsePlanOutput, validatePlanForExecution, validateStatementTypes, } from './plan-validator.js';
+export type { FilterResult } from './plan-drop-protection.js';
+export { filterIdempotentProtectedStatements, isDropStatementForProtectedObject, } from './plan-drop-protection.js';
+export type { CheckModeFilterResult } from './plan-check-filter.js';
+export { filterCheckModePlanStatements, isIdempotentManagedAuthzStatement, resetManagedAuthzCache, stripLeadingSessionStatements, } from './plan-check-filter.js';
+export type { IdempotentProtectedObjects, ParsedHazard } from './idempotent-object-registry.js';
+export { filterFalsePositiveHazards, getIdempotentProtectedObjects, getIdempotentProtectedTables, getIdempotentRoles, isIdempotentRoleHazard, resetIdempotentRolesCache, } from './idempotent-object-registry.js';
+export { buildAllowedHazards, displayCheckModeResults, displayHazardsWithContext, handleHazardsWithContext, handleProductionAuthzProtection, handleProductionDataProtection, parseHazardsWithContext, } from './hazard-handler.js';
+export type { PartitionPrivilegeDetection, PgSchemaDiffPlanOptions, } from './pg-schema-diff-helpers.js';
+export { detectDropTableStatements, detectPartitionPrivilegeError, executePgSchemaDiffPlan, formatPartitionPrivilegeHint, freeConnectionSlotsForPgSchemaDiff, startConnectionCleanupDaemon, stopConnectionCleanupDaemon, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, verifyDatabaseConnection, verifyPgSchemaDiffBinary, } from './pg-schema-diff-helpers.js';
 export type { ShadowDbConfig, ShadowDbResult } from './shadow-db-manager.js';
-export { buildAllowedHazards, detectDropTableStatements, detectPartitionPrivilegeError, displayCheckModeResults, displayHazardsWithContext, executePgSchemaDiffPlan, filterFalsePositiveHazards, formatPartitionPrivilegeHint, getIdempotentProtectedObjects, getIdempotentProtectedTables, getIdempotentRoles, handleHazardsWithContext, handleProductionAuthzProtection, handleProductionDataProtection, isIdempotentRoleHazard, parseHazardsWithContext, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, resetIdempotentRolesCache, verifyDatabaseConnection, verifyPgSchemaDiffBinary, } from './pg-schema-diff-helpers.js';
 export type { PlanSqlRetryConfig, RetryConfig, RetryResult } from './retry-logic.js';
 export { BASE_DELAY_MS, calculateBackoffDelay, DEFAULT_MAX_DELAY_MS, executePlanSqlWithRetry, isLockTimeoutError, MAX_RETRIES, sleep, } from './retry-logic.js';
 export { cleanupOrphanShadowDatabases, createShadowDbWithExtensions, needsShadowDb, } from './shadow-db-manager.js';
+export { bootstrapTempDbFromSource, buildTempDbBootstrapStatements, } from './temp-db-bootstrap.js';
+export { buildCheckConstraintQuery, buildNotNullQuery, buildTypeCastQuery, buildUniqueQuery, parseAddCheck, parseAddUnique, parseAlterType, parseCreateUniqueIndex, parseSetNotNull, } from './alter-statement-parsers.js';
 export type { DataCompatibilityResult, DataViolation, DataViolationType, } from './data-compatibility-checker.js';
-export { checkDataCompatibility, displayDataCompatibilityResults, parseAddCheck, parseAddUnique, parseAlterType, parseCreateUniqueIndex, parseSetNotNull, } from './data-compatibility-checker.js';
+export { checkDataCompatibility, displayDataCompatibilityResults, } from './data-compatibility-checker.js';
 export type { CleanPartitionAclsResult, PartitionAcl } from './partition-acl-cleaner.js';
 export { cleanPartitionAclsForPgSchemaDiff } from './partition-acl-cleaner.js';
 export type { DetectedPartitionStub, PrefilterResult } from './partition-prefilter.js';

package/dist/commands/db/apply/helpers/partition-acl-cleaner.d.ts

@@ -34,7 +34,9 @@ export declare function parseAclForNonOwnerRoles(acl: string, owner: string): Se
 /**
  * Execute REVOKE ALL statements for non-owner roles on partition children.
  *
- * Each REVOKE is executed individually so a single failure doesn't block others.
+ * All REVOKE statements are batched into a single psql process to minimize
+ * connection count (N*M → 1). Uses ON_ERROR_STOP=off so individual failures
+ * don't block others.
  */
 export declare function revokePartitionAcls(dbUrl: string, partitions: PartitionAcl[]): CleanPartitionAclsResult;
 /**

package/dist/commands/db/apply/helpers/pg-schema-diff-helpers.d.ts

@@ -8,15 +8,11 @@
  * - hazard-handler.ts: Hazard parsing, display, and production protection
  * - pg-schema-diff-helpers.ts (this file): Binary verification, plan execution, error detection
  *
- * Re-exports are provided for backward compatibility.
- *
  * Security:
  * - All psql calls use parsePostgresUrl + buildPsqlArgs to prevent SQL injection
  * - Passwords are passed via PGPASSWORD env var, not command line
  */
-export type { IdempotentProtectedObjects, ParsedHazard, } from './idempotent-object-registry.js';
-export { filterFalsePositiveHazards, getIdempotentProtectedObjects, getIdempotentProtectedTables, getIdempotentRoles, isIdempotentRoleHazard, resetIdempotentRolesCache, } from './idempotent-object-registry.js';
-export { buildAllowedHazards, displayCheckModeResults, displayHazardsWithContext, handleHazardsWithContext, handleProductionAuthzProtection, handleProductionDataProtection, parseHazardsWithContext, } from './hazard-handler.js';
+import { type ChildProcess } from 'node:child_process';
 /**
  * Verify pg-schema-diff binary is available.
  */
@@ -28,10 +24,14 @@ export interface VerifyPgSchemaDiffBinaryOptions {
  * strictVersion=true blocks unsupported/undetectable versions.
  */
 export declare function verifyPgSchemaDiffBinary(options?: VerifyPgSchemaDiffBinaryOptions): void;
+export interface VerifyDatabaseConnectionOptions {
+    /** Override the maximum number of retries (default: 5). */
+    maxRetries?: number;
+}
 /**
  * Verify database connection with retry for transient startup errors.
  */
-export declare function verifyDatabaseConnection(dbUrl: string): Promise<void>;
+export declare function verifyDatabaseConnection(dbUrl: string, options?: VerifyDatabaseConnectionOptions): Promise<void>;
 export interface MissingExtensionDetection {
     detected: boolean;
     missingTypes: string[];
@@ -58,21 +58,84 @@ export declare function detectPartitionPrivilegeError(errorOutput: string): Part
  * Format actionable hint for partition privilege errors.
  */
 export declare function formatPartitionPrivilegeHint(detection: PartitionPrivilegeDetection): string;
+export interface MissingQualifiedFunctionDetection {
+    detected: boolean;
+    qualifiedName?: string;
+    signature?: string;
+}
+/**
+ * Detect schema-qualified "function does not exist" errors in pg-schema-diff output.
+ */
+export declare function detectMissingQualifiedFunction(errorOutput: string): MissingQualifiedFunctionDetection;
+export declare function formatDeclarativeDependencyBoundaryHint(errorOutput: string, schemasDir: string, targetDir?: string): string;
 /**
  * Detect DROP TABLE statements in plan output.
  */
 export declare function detectDropTableStatements(planOutput: string): string[];
+/**
+ * Free idle connection slots before pg-schema-diff plan execution.
+ *
+ * pg-schema-diff Go binary opens many internal connections during plan phase
+ * (schema comparison, check constraints, function dependencies).
+ * On Supabase (max_connections=60), built-in services (PostgREST, GoTrue,
+ * Realtime, Storage) hold ~8-15 idle connections, leaving insufficient
+ * slots for pg-schema-diff.
+ *
+ * This function terminates idle client backend connections to free slots.
+ * Non-fatal: failures are logged as warnings.
+ */
+export declare function freeConnectionSlotsForPgSchemaDiff(dbUrl: string, verbose: boolean): void;
+/**
+ * Build SQL that only terminates stale idle client backends.
+ *
+ * pg-schema-diff itself may keep short-lived idle pooled connections during
+ * planning. Killing all idle backends risks terminating the planner's own pool
+ * and causes `57P01 terminating connection due to administrator command`.
+ *
+ * We target only connections that have remained idle for a while, which matches
+ * long-lived Supabase service sessions but avoids fresh planner-owned idles.
+ */
+export declare function buildIdleConnectionCleanupSql(): string;
+/**
+ * Start a background psql process that continuously frees idle connections.
+ *
+ * Supabase built-in services (PostgREST, GoTrue, Realtime, Storage) reconnect
+ * within milliseconds after termination. A single one-shot cleanup is insufficient
+ * because pg-schema-diff plan takes ~20-30s and reaches peak connection usage
+ * during fetchDependsOnFunctions, long after the initial cleanup.
+ *
+ * This daemon runs a PL/pgSQL loop via `spawn` (non-blocking). Since `spawnSync`
+ * for pg-schema-diff blocks the Node.js thread, the daemon continues as an
+ * independent OS process.
+ *
+ * @returns ChildProcess handle; caller MUST call `.kill()` after pg-schema-diff completes.
+ */
+export declare function startConnectionCleanupDaemon(dbUrl: string, verbose: boolean): ChildProcess | null;
+/**
+ * Stop the connection cleanup daemon.
+ */
+export declare function stopConnectionCleanupDaemon(child: ChildProcess | null, verbose: boolean): void;
 export interface PgSchemaDiffPlanOptions {
     /**
      * Shadow DB DSN for extension type resolution.
      * Passed as --temp-db-dsn to pg-schema-diff.
      */
     tempDbDsn?: string;
+    /**
+     * Project root for boundary-aware diagnostics when schemasDir is a temporary bundle.
+     */
+    targetDir?: string;
 }
 /** Timeout for pg-schema-diff apply / SSOT cleanup (10 minutes) */
 export declare const PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS = 600000;
 /**
  * Execute pg-schema-diff plan and handle errors.
+ *
+ * Starts a background connection cleanup daemon for the duration of the plan
+ * to prevent connection slot exhaustion on Supabase (max_connections=60).
+ *
+ * Retries on transient connection failures (SQLSTATE 57P01, TCP reset, etc.)
+ * which can occur when Supabase terminates idle connections during plan generation.
  */
 export declare function executePgSchemaDiffPlan(dbUrl: string, schemasDir: string, includeSchemas: string[], verbose: boolean, options?: PgSchemaDiffPlanOptions): {
     planOutput: string;

package/dist/commands/db/apply/helpers/plan-ast.d.ts

@@ -0,0 +1,56 @@
+import type { PlanStatement, ValidatedPlan } from './plan-validator.js';
+export type PlanObjectKind = 'schema' | 'relation' | 'function' | 'function-privilege' | 'type' | 'other';
+export interface AnalyzedPlanStatement {
+    statement: PlanStatement;
+    strippedSql: string;
+    objectKind: PlanObjectKind;
+    targetKey: string | null;
+    targetRelationKey: string | null;
+    targetFunctionKey: string | null;
+    phase: number;
+    createsRelation: boolean;
+    relationDependencies: string[];
+    functionDependencies: string[];
+    hasDynamicSql: boolean;
+    normalizedDefinition?: string;
+    normalizedConfig?: string;
+}
+export interface AnalyzedPlan {
+    plan: ValidatedPlan;
+    statements: AnalyzedPlanStatement[];
+    createdRelations: Set<string>;
+}
+interface CachedSqlDependencies {
+    relationDependencies: string[];
+    functionDependencies: string[];
+}
+interface CachedPlpgsqlBodyAnalysis extends CachedSqlDependencies {
+    hasDynamicSql: boolean;
+    normalizedBody: string;
+}
+interface CachedStatementAnalysis extends Omit<AnalyzedPlanStatement, 'statement'> {
+}
+export interface PlanAnalysisSession {
+    parseSql(sql: string): Promise<{
+        stmts: Array<{
+            stmt: Record<string, unknown>;
+        }>;
+    } | null>;
+    analyzeStatement(sql: string): Promise<CachedStatementAnalysis>;
+    extractSqlDependencies(sql: string): Promise<CachedSqlDependencies>;
+    analyzePlpgsqlBody(body: string): Promise<CachedPlpgsqlBodyAnalysis>;
+}
+export declare function createPlanAnalysisSession(): PlanAnalysisSession;
+export declare function stripLeadingSetStatements(sql: string): string;
+export declare function analyzePlanStatement(statement: PlanStatement, session?: PlanAnalysisSession): Promise<AnalyzedPlanStatement>;
+export declare function analyzeValidatedPlan(plan: ValidatedPlan, session?: PlanAnalysisSession): Promise<AnalyzedPlan>;
+export declare function stabilizeAnalyzedPlanOrder(analyzedPlan: AnalyzedPlan): {
+    plan: ValidatedPlan;
+    movedStatements: number;
+};
+export declare function normalizeFunctionDefinitionAst(analyzed: Pick<AnalyzedPlanStatement, 'normalizedDefinition' | 'normalizedConfig'>, dbProconfig?: string[]): {
+    normalizedDefinition: string;
+    normalizedConfig: string;
+} | null;
+export {};
+//# sourceMappingURL=plan-ast.d.ts.map

package/dist/commands/db/apply/helpers/plan-check-filter.d.ts

@@ -0,0 +1,26 @@
+import type { IdempotentProtectedObjects } from './idempotent-object-registry.js';
+import type { PlanStatement, ValidatedPlan } from './plan-validator.js';
+export interface CheckModeFilterResult {
+    filteredPlan: ValidatedPlan;
+    removedDropStatements: PlanStatement[];
+    removedAuthzStatements: PlanStatement[];
+}
+declare function parseRolesFromAuthzStatement(sql: string): string[];
+export declare function stripLeadingSessionStatements(sql: string): string;
+type AuthzTarget = {
+    kind: 'function';
+    schema: string;
+    fullName: string;
+} | {
+    kind: 'schema' | 'sequence' | 'table';
+    schema: string;
+    fullName: string;
+} | null;
+declare function parseAuthzTarget(sql: string): AuthzTarget;
+export declare function isIdempotentManagedAuthzStatement(sql: string, schemasDir?: string): boolean;
+export declare function filterCheckModePlanStatements(plan: ValidatedPlan, protectedTables: string[], protectedObjects: IdempotentProtectedObjects, schemasDir?: string): CheckModeFilterResult;
+export declare function resetManagedAuthzCache(): void;
+export declare const _parseRolesFromAuthzStatement: typeof parseRolesFromAuthzStatement;
+export declare const _parseAuthzTarget: typeof parseAuthzTarget;
+export {};
+//# sourceMappingURL=plan-check-filter.d.ts.map