npm - @runa-ai/runa-cli - Versions diffs - 0.7.2 → 0.7.3 - Mend

@runa-ai/runa-cli 0.7.2 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{chunk-Z7A4BEWF.js → chunk-3JO6YP3T.js} RENAMED Viewed

@@ -16,7 +16,7 @@ init_esm_shims();
 // src/constants/versions.ts
 init_esm_shims();
-var COMPATIBLE_TEMPLATES_VERSION = "0.7.2";
+var COMPATIBLE_TEMPLATES_VERSION = "0.7.3";
 var TEMPLATES_PACKAGE_NAME = "@r06-dev/runa-templates";
 var GITHUB_PACKAGES_REGISTRY = "https://npm.pkg.github.com";

package/dist/{chunk-PMXE5XOJ.js → chunk-AO554K3G.js} RENAMED Viewed

@@ -6,7 +6,7 @@ createRequire(import.meta.url);
 // src/version.ts
 init_esm_shims();
-var CLI_VERSION = "0.7.2";
+var CLI_VERSION = "0.7.3";
 var HAS_ADMIN_COMMAND = false;
 export { CLI_VERSION, HAS_ADMIN_COMMAND };

package/dist/{chunk-LCK2LGVR.js → chunk-PAWNJA3N.js} RENAMED Viewed

@@ -9,7 +9,7 @@ init_esm_shims();
 var riskDetectorModulePromise = null;
 async function loadRiskDetectorModule() {
   if (!riskDetectorModulePromise) {
-    riskDetectorModulePromise = import('./risk-detector-core-7WZJZ5ZI.js').catch((error) => {
+    riskDetectorModulePromise = import('./risk-detector-core-TGFKWHRS.js').catch((error) => {
       riskDetectorModulePromise = null;
       throw error;
     });

package/dist/{cli-Q2XIQDRS.js → cli-SVXOSMW6.js} RENAMED Viewed

@@ -2,7 +2,7 @@
 import { createRequire } from 'module';
 import { enableNonInteractiveMode } from './chunk-6Y3LAUGL.js';
 import { getRequestedCommandNameFromArgv } from './chunk-UWWSAPDR.js';
-import { CLI_VERSION, HAS_ADMIN_COMMAND } from './chunk-PMXE5XOJ.js';
+import { CLI_VERSION, HAS_ADMIN_COMMAND } from './chunk-AO554K3G.js';
 import { emitDefaultSuccessIfNeeded } from './chunk-WJXC4MVY.js';
 import { parseOutputFormat, setOutputFormat, getOutputFormatFromEnv } from './chunk-HKUWEGUX.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
@@ -145,7 +145,7 @@ function isTestCommand(requested) {
 async function registerProjectLifecycleCommands(program, requested, loadAllCommands) {
   if (!loadAllCommands && requested) {
     if (requested === "init") {
-      const { initCommand: initCommand2 } = await import('./init-S2ATHLJ6.js');
+      const { initCommand: initCommand2 } = await import('./init-35JLDFHI.js');
       program.addCommand(initCommand2);
       return;
     }
@@ -155,7 +155,7 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
       return;
     }
     if (requested === "upgrade") {
-      const { upgradeCommand: upgradeCommand2 } = await import('./upgrade-BDUWBRT5.js');
+      const { upgradeCommand: upgradeCommand2 } = await import('./upgrade-7L4JIE4K.js');
       program.addCommand(upgradeCommand2);
       return;
     }
@@ -183,9 +183,9 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
     { buildCommand },
     { devCommand }
   ] = await Promise.all([
-    import('./init-S2ATHLJ6.js'),
+    import('./init-35JLDFHI.js'),
     import('./prepare-32DOVHTE.js'),
-    import('./upgrade-BDUWBRT5.js'),
+    import('./upgrade-7L4JIE4K.js'),
     import('./validate-CAAW4Y44.js'),
     import('./build-HQMSVN6N.js'),
     import('./dev-MLRKIP7F.js')
@@ -466,7 +466,7 @@ async function registerCiCommand(program) {
   program.addCommand(ciCommand);
 }
 async function registerDbCommand(program) {
-  const { dbCommand } = await import('./db-BPQ2TEQM.js');
+  const { dbCommand } = await import('./db-S4V4ETDR.js');
   program.addCommand(dbCommand);
 }
 async function registerServicesCommand(program) {
@@ -490,7 +490,7 @@ async function registerUiCommand(program) {
   program.addCommand(uiCommand);
 }
 async function registerWatchCommand(program) {
-  const { watchCommand } = await import('./watch-ITYW57SL.js');
+  const { watchCommand } = await import('./watch-AL4LCBRM.js');
   program.addCommand(watchCommand);
 }
 async function registerWorkflowCommand(program) {
@@ -498,7 +498,7 @@ async function registerWorkflowCommand(program) {
   program.addCommand(workflowCommand);
 }
 async function registerVulnCheckCommand(program) {
-  const { vulnCheckCommand } = await import('./vuln-check-66RXX3TO.js');
+  const { vulnCheckCommand } = await import('./vuln-check-D575VXIQ.js');
   program.addCommand(vulnCheckCommand);
 }
 async function registerTemplateCheckCommand(program) {

package/dist/commands/db/utils/boundary-policy/types.d.ts CHANGED Viewed

@@ -27,6 +27,7 @@ export type DirectoryPlacementAllowlistRule = {
     id: string;
     filePattern: RegExp;
     messagePattern: RegExp;
+    objectPattern?: RegExp;
     level?: BoundaryPolicyRiskLevel;
     lineStart?: number;
     lineEnd?: number;
@@ -65,6 +66,7 @@ export type RawRule = {
     code?: unknown;
     filePattern?: unknown;
     anchorPattern?: unknown;
+    objectPattern?: unknown;
     descriptionPattern?: unknown;
     messagePattern?: unknown;
     level?: unknown;

package/dist/constants/versions.d.ts CHANGED Viewed

@@ -20,7 +20,7 @@
  *
  * Sync strategy: Keep this in sync with packages/runa-templates/package.json version.
  */
-export declare const COMPATIBLE_TEMPLATES_VERSION = "0.7.2";
+export declare const COMPATIBLE_TEMPLATES_VERSION = "0.7.3";
 /**
  * Templates package name on GitHub Packages.
  * Published to npm.pkg.github.com (requires NODE_AUTH_TOKEN).

package/dist/{db-BPQ2TEQM.js → db-S4V4ETDR.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import { detectDatabaseStack, getStackPaths } from './chunk-CCKG5R4Y.js';
-import { categorizeRisks, detectSchemaRisks } from './chunk-LCK2LGVR.js';
+import { categorizeRisks, detectSchemaRisks } from './chunk-PAWNJA3N.js';
 import './chunk-ZZOXM6Q4.js';
 import { createError } from './chunk-JQXOVCOP.js';
 import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-CKRLVEIO.js';
@@ -5947,7 +5947,7 @@ function logIdempotentRiskSummary(summary) {
 async function detectIdempotentRiskSummary(schemasDir, files, verbose) {
   const summary = emptyRiskSummary();
   try {
-    const { detectSchemaRisks: detectSchemaRisks2 } = await import('./risk-detector-VO5HJR4R.js');
+    const { detectSchemaRisks: detectSchemaRisks2 } = await import('./risk-detector-S7XQF4I2.js');
     for (const file of files) {
       const filePath = join(schemasDir, file);
       const risks = await detectSchemaRisks2(filePath);
@@ -6673,8 +6673,28 @@ function buildDirectoryPlacementRule(entry, index, seenIds, issueFormatter) {
     issueFormatter
   );
   reportDeprecatedLineUsage(id, line, lineStart, lineEnd, issueFormatter);
-  const scopedLineRange = toScopedLineRange(lineStart, lineEnd, id, section, issueFormatter);
-  if (!scopedLineRange) return null;
+  const objectPatternStr = coerceOptionalString(
+    rawRule.objectPattern,
+    index,
+    `directoryPlacementAllowlist[${index}].objectPattern`,
+    issueFormatter
+  );
+  const compiledObjectPattern = compileOptionalRulePattern(
+    objectPatternStr ?? null,
+    issueFormatter
+  );
+  if (objectPatternStr && !compiledObjectPattern) return null;
+  const hasObjectPattern = compiledObjectPattern !== void 0;
+  let scopedLineRange;
+  if (!hasObjectPattern) {
+    scopedLineRange = toScopedLineRange(lineStart, lineEnd, id, section, issueFormatter);
+    if (!scopedLineRange) return null;
+  } else {
+    if (lineStart !== void 0 && lineEnd !== void 0) {
+      scopedLineRange = toScopedLineRange(lineStart, lineEnd, id, section, issueFormatter);
+      if (!scopedLineRange) return null;
+    }
+  }
   const expiresAt = coerceExpiresAt(
     rawRule.expiresAt,
     id,
@@ -6692,9 +6712,10 @@ function buildDirectoryPlacementRule(entry, index, seenIds, issueFormatter) {
     id,
     filePattern: compiledPatterns[0],
     messagePattern: compiledPatterns[1],
+    objectPattern: compiledObjectPattern,
     level,
-    lineStart: scopedLineRange.lineStart,
-    lineEnd: scopedLineRange.lineEnd,
+    lineStart: scopedLineRange?.lineStart,
+    lineEnd: scopedLineRange?.lineEnd,
     reason,
     owner,
     ticket,
@@ -7044,6 +7065,10 @@ function findDirectoryPlacementAllowlistMatch(issue, policy) {
     if (entry.level !== void 0 && entry.level !== issue.level) return false;
     if (!entry.filePattern.test(issue.file)) return false;
     if (!entry.messagePattern.test(issue.message)) return false;
+    if (entry.objectPattern) {
+      if (entry.objectPattern.test(issue.message)) return true;
+      if (!hasExplicitLineScope(entry)) return false;
+    }
     if (!hasExplicitLineScope(entry)) return false;
     return entryLineScopeMatches(issue.line, entry);
   });
@@ -11996,7 +12021,9 @@ var IDEMPOTENT_DOWNGRADE_REASON_CODES = /* @__PURE__ */ new Set([
   "MEDIUM_RISK_DROP_SEQUENCE",
   "MEDIUM_RISK_DROP_INDEX",
   "MEDIUM_RISK_REVOKE",
-  "PLPGSQL_DO_BLOCK_DETECTED"
+  "PLPGSQL_DO_BLOCK_DETECTED",
+  "PLPGSQL_EXECUTE_BOUNDED_DISPATCH",
+  "GUARDED_DDL_ADD_CONSTRAINT"
 ]);
 var IDEMPOTENT_MEDIUM_REASON_CODES = /* @__PURE__ */ new Set([
   "PLPGSQL_EXECUTE_UNRESOLVED",
@@ -12017,7 +12044,7 @@ init_esm_shims();
 var riskDetectorLoader = null;
 function loadRiskDetectorModule() {
   if (!riskDetectorLoader) {
-    riskDetectorLoader = import('./risk-detector-VO5HJR4R.js').then((module) => ({
+    riskDetectorLoader = import('./risk-detector-S7XQF4I2.js').then((module) => ({
       detectSchemaRisks: module.detectSchemaRisks
     })).catch((error) => {
       riskDetectorLoader = null;
@@ -12130,6 +12157,7 @@ function formatCollectedIdempotentRisks(collected, allowlist) {
   }
   const high = collected.filter((r) => r.level === "high");
   const medium = collected.filter((r) => r.level === "medium");
+  const low = collected.filter((r) => r.level === "low");
   const blockers = [];
   const warnings = [];
   for (const risk of high) {
@@ -12138,6 +12166,9 @@ function formatCollectedIdempotentRisks(collected, allowlist) {
   for (const risk of medium) {
     warnings.push(`  [MEDIUM] ${formatDeclarativeRiskMessage(risk)}`);
   }
+  for (const risk of low) {
+    warnings.push(`  [LOW] ${formatDeclarativeRiskMessage(risk)}`);
+  }
   return {
     blockers: dedupeAndSort(blockers),
     warnings: dedupeAndSort(warnings),
@@ -12198,6 +12229,45 @@ async function processDeclarativeRiskFile(params) {
   });
   return { kind: "ok", detector: detectorResult.detector };
 }
+var CREATE_POLICY_NAME_PATTERN = /\bCREATE\s+(?:OR\s+REPLACE\s+)?POLICY\s+(?:"([^"]+)"|([A-Za-z_]\w*))/gi;
+var DROP_POLICY_NAME_LINE_PATTERN = /\bDROP\s+POLICY\s+IF\s+EXISTS\s+(?:"([^"]+)"|([A-Za-z_]\w*))/i;
+function extractCreatePolicyNames(content) {
+  const names = /* @__PURE__ */ new Set();
+  CREATE_POLICY_NAME_PATTERN.lastIndex = 0;
+  let match = CREATE_POLICY_NAME_PATTERN.exec(content);
+  while (match !== null) {
+    const name = (match[1] ?? match[2] ?? "").toLowerCase();
+    if (name) names.add(name);
+    match = CREATE_POLICY_NAME_PATTERN.exec(content);
+  }
+  CREATE_POLICY_NAME_PATTERN.lastIndex = 0;
+  return names;
+}
+function detectRecreatePairs(risks, absoluteFilePath) {
+  const dropPolicyRisks = risks.filter((r) => r.reasonCode === "HIGH_RISK_DROP_POLICY");
+  if (dropPolicyRisks.length === 0) return;
+  let content;
+  try {
+    content = readFileSync(absoluteFilePath, "utf-8");
+  } catch {
+    return;
+  }
+  const createPolicyNames = extractCreatePolicyNames(content);
+  if (createPolicyNames.size === 0) return;
+  const lines = content.split("\n");
+  for (const risk of dropPolicyRisks) {
+    if (risk.line === void 0) continue;
+    const startIdx = Math.max(0, risk.line - 2);
+    const endIdx = Math.min(lines.length, risk.line + 1);
+    const windowText = lines.slice(startIdx, endIdx).join(" ");
+    const nameMatch = DROP_POLICY_NAME_LINE_PATTERN.exec(windowText);
+    if (!nameMatch) continue;
+    const dropName = (nameMatch[1] ?? nameMatch[2] ?? "").toLowerCase();
+    if (dropName && createPolicyNames.has(dropName)) {
+      risk.level = "low";
+    }
+  }
+}
 async function collectDeclarativeRiskReport() {
   const declarativeDir = path15.join(process.cwd(), "supabase", "schemas", "declarative");
   if (!existsSync(declarativeDir)) {
@@ -12266,9 +12336,13 @@ async function collectIdempotentRiskReport() {
     const risks = await detectSchemaRisks2(file);
     if (risks.length === 0) continue;
     const relPath = path15.relative(process.cwd(), file);
-    for (const risk of risks) {
-      const level = correctIdempotentRiskLevel(risk.level, risk.reasonCode);
-      const scopedRisk = { ...risk, level, file: relPath };
+    const fileRisks = risks.map((risk) => ({
+      ...risk,
+      level: correctIdempotentRiskLevel(risk.level, risk.reasonCode),
+      file: relPath
+    }));
+    detectRecreatePairs(fileRisks, file);
+    for (const scopedRisk of fileRisks) {
       const matched = findDeclarativeRiskAllowlistMatch(scopedRisk, policy);
       if (matched) {
         if (SHOW_ALLOWLIST_REPORT2) {

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import { getRequestedCommandNameFromArgv } from './chunk-UWWSAPDR.js';
-import { CLI_VERSION } from './chunk-PMXE5XOJ.js';
+import { CLI_VERSION } from './chunk-AO554K3G.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
 import { realpathSync } from 'fs';
 import { fileURLToPath } from 'url';
@@ -36,7 +36,7 @@ async function getProgram(options) {
   };
   const nextKey = getProgramCacheKey(resolvedOptions);
   if (!programInstance || programCacheKey !== nextKey) {
-    const { createProgram } = await import('./cli-Q2XIQDRS.js');
+    const { createProgram } = await import('./cli-SVXOSMW6.js');
     programInstance = await createProgram(resolvedOptions);
     programCacheKey = nextKey;
   }
@@ -60,7 +60,7 @@ async function runCliFromProcessArgv() {
     return;
   }
   const { setupSignalHandlers } = await import('./signal-handler-DO3OANW5.js');
-  const { executeProgram } = await import('./cli-Q2XIQDRS.js');
+  const { executeProgram } = await import('./cli-SVXOSMW6.js');
   setupSignalHandlers();
   const options = getProgramLoadOptions(argv);
   const program = await getProgram(options);

package/dist/{init-S2ATHLJ6.js → init-35JLDFHI.js} RENAMED Viewed

@@ -2,7 +2,7 @@
 import { createRequire } from 'module';
 import { diagnoseInitFailure } from './chunk-AAIE4F2U.js';
 import { getVercelRootDirectory } from './chunk-MXRWBNIY.js';
-import { fetchTemplates } from './chunk-Z7A4BEWF.js';
+import { fetchTemplates } from './chunk-3JO6YP3T.js';
 import { syncRunaConfigWithVercel } from './chunk-6AALH2ED.js';
 import './chunk-DRSUEMAK.js';
 import './chunk-RZLYEO4U.js';

package/dist/{risk-detector-VO5HJR4R.js → risk-detector-S7XQF4I2.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-export { categorizeRisks, detectSchemaRisks } from './chunk-LCK2LGVR.js';
+export { categorizeRisks, detectSchemaRisks } from './chunk-PAWNJA3N.js';
 import './chunk-VRXHCR5K.js';
 createRequire(import.meta.url);

package/dist/{risk-detector-core-7WZJZ5ZI.js → risk-detector-core-TGFKWHRS.js} RENAMED Viewed

@@ -54,7 +54,7 @@ var UNQUALIFIED_EXTENSION_REFERENCE_PATTERNS = [
 var plpgsqlModulePromise = null;
 async function loadPlpgsqlRiskDetectorModule() {
   if (!plpgsqlModulePromise) {
-    plpgsqlModulePromise = import('./risk-detector-plpgsql-ULV7NLDB.js').catch((error) => {
+    plpgsqlModulePromise = import('./risk-detector-plpgsql-O32TUR34.js').catch((error) => {
       plpgsqlModulePromise = null;
       throw error;
     });

package/dist/{risk-detector-plpgsql-ULV7NLDB.js → risk-detector-plpgsql-O32TUR34.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { splitPlpgsqlStatementsWithOffsets, extractExecuteExpressions, skipWhitespace, parseTopLevelAssignment, extractStaticSqlFromExpression, mergeStringEnvValue, skipIdentifier } from './chunk-Y5ANTCKE.js';
+import { splitPlpgsqlStatementsWithOffsets, parseTopLevelAssignment, extractExecuteExpressions, skipWhitespace, extractStaticSqlFromExpression, mergeStringEnvValue, skipIdentifier } from './chunk-Y5ANTCKE.js';
 import { stripSqlCommentsPreserveLines, buildLineStarts, lineNumberFromIndex, stripSqlStringsPreserveLines, detectRisksFromContent, stripSqlForPatternMatching } from './chunk-3FDQW524.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
@@ -537,13 +537,74 @@ function maybeBuildUsingClauseRisk(execute, executeLine) {
     }
   };
 }
+var GUARD_START_PATTERN = /\bIF\s+NOT\s+EXISTS\s*\(/i;
+var PG_CONSTRAINT_PATTERN = /\bpg_constraint\b/i;
+var ADD_CONSTRAINT_PATTERN = /\bADD\s+CONSTRAINT\b/i;
+var END_IF_PATTERN = /\bEND\s+IF\b/i;
+var THEN_PATTERN = /\bTHEN\b/i;
+function detectGuardedDdlLines(body) {
+  const guardedLines = /* @__PURE__ */ new Set();
+  const lines = body.split("\n");
+  const guardedRanges = [];
+  for (let i = 0; i < lines.length; i++) {
+    if (!GUARD_START_PATTERN.test(lines[i])) continue;
+    let foundPgConstraint = false;
+    let thenLine = -1;
+    const scanEnd = Math.min(i + 20, lines.length);
+    for (let j = i; j < scanEnd; j++) {
+      if (PG_CONSTRAINT_PATTERN.test(lines[j])) foundPgConstraint = true;
+      if (THEN_PATTERN.test(lines[j])) {
+        thenLine = j;
+        break;
+      }
+    }
+    if (!foundPgConstraint || thenLine < 0) continue;
+    const endScan = Math.min(thenLine + 30, lines.length);
+    for (let j = thenLine + 1; j < endScan; j++) {
+      if (END_IF_PATTERN.test(lines[j])) {
+        guardedRanges.push({ thenLine: thenLine + 1, endIfLine: j + 1 });
+        break;
+      }
+    }
+  }
+  for (let i = 0; i < lines.length; i++) {
+    if (!ADD_CONSTRAINT_PATTERN.test(lines[i])) continue;
+    const line1 = i + 1;
+    for (const range of guardedRanges) {
+      if (line1 >= range.thenLine && line1 <= range.endIfLine) {
+        guardedLines.add(line1);
+        break;
+      }
+    }
+  }
+  return guardedLines;
+}
 function pushBodyStaticRisks(risks, dedupe, body, bodyStartLine) {
   const searchableBody = stripSqlStringsPreserveLines(body);
   if (!searchableBody.trim()) return;
   const bodyLineStarts = buildLineStarts(body);
   const bodyRisks = detectRisksFromContent(searchableBody, body, bodyLineStarts);
+  const guardedDdlLines = detectGuardedDdlLines(body);
   for (const risk of bodyRisks) {
-    const line = bodyStartLine + ((risk.line ?? 1) - 1);
+    const bodyRelativeLine = risk.line ?? 1;
+    const line = bodyStartLine + (bodyRelativeLine - 1);
+    if (risk.reasonCode === "MEDIUM_RISK_ADD_UNIQUE" && guardedDdlLines.has(bodyRelativeLine)) {
+      const dedupeKey2 = `body:GUARDED_DDL_ADD_CONSTRAINT:${line}`;
+      if (dedupe.has(dedupeKey2)) continue;
+      dedupe.add(dedupeKey2);
+      risks.push({
+        ...risk,
+        level: "medium",
+        line,
+        reasonCode: "GUARDED_DDL_ADD_CONSTRAINT",
+        evidence: {
+          source: "plpgsql body",
+          snippet: body.trim().slice(0, 200),
+          detail: "ADD CONSTRAINT is guarded by IF NOT EXISTS (pg_constraint check)"
+        }
+      });
+      continue;
+    }
     const dedupeKey = `body:${risk.reasonCode ?? risk.description}:${line}`;
     if (dedupe.has(dedupeKey)) continue;
     dedupe.add(dedupeKey);
@@ -574,14 +635,40 @@ function buildUnresolvedExecuteRisk(execute, executeLine, reason) {
     }
   };
 }
-function analyzeExecuteStatement(risks, dedupe, content, lineStarts, range, statement, execute, stringEnv) {
+function executeReferencesBoundedVars(expression, conditionallyRemoved) {
+  if (conditionallyRemoved.size === 0) return false;
+  const normalized = expression.toLowerCase();
+  for (const varName of conditionallyRemoved) {
+    if (normalized.includes(varName.toLowerCase())) return true;
+  }
+  return false;
+}
+function buildBoundedDispatchRisk(execute, executeLine, reason) {
+  return {
+    level: "medium",
+    description: `Bounded dynamic SQL dispatch in PL/pgSQL EXECUTE: ${reason}`,
+    mitigation: "SQL is constructed from a finite set of branches (IF/CASE). Review each branch for correctness.",
+    line: executeLine,
+    reasonCode: "PLPGSQL_EXECUTE_BOUNDED_DISPATCH",
+    confidence: "medium",
+    evidence: {
+      source: "extractStaticSqlFromExpression",
+      snippet: execute.expression.slice(0, 200),
+      detail: "EXECUTE expression uses variables assigned in conditional branches (bounded dispatch)"
+    }
+  };
+}
+function analyzeExecuteStatement(risks, dedupe, content, lineStarts, range, statement, execute, stringEnv, conditionallyRemoved = /* @__PURE__ */ new Set()) {
   const executeLine = buildExecuteLine(content, lineStarts, range, statement, execute);
   const executeKey = buildExecuteKey(range, statement, execute, executeLine);
   if (dedupe.has(executeKey)) return;
   dedupe.add(executeKey);
   const extracted = extractStaticSqlFromExpression(execute.expression, stringEnv);
   if (extracted.kind !== "static") {
-    risks.push(buildUnresolvedExecuteRisk(execute, executeLine, extracted.reason));
+    const isBoundedDispatch = !execute.hasUsingClause && !execute.hasIntoClause && executeReferencesBoundedVars(execute.expression, conditionallyRemoved);
+    risks.push(
+      isBoundedDispatch ? buildBoundedDispatchRisk(execute, executeLine, extracted.reason) : buildUnresolvedExecuteRisk(execute, executeLine, extracted.reason)
+    );
     return;
   }
   risks.push(buildStaticExecuteRisk(execute, executeLine));
@@ -605,8 +692,18 @@ function analyzeBodyRange(risks, dedupe, content, commentlessContent, lineStarts
   }
   pushBodyStaticRisks(risks, dedupe, body, declarationLine);
   const stringEnv = /* @__PURE__ */ new Map();
+  const conditionallyRemoved = /* @__PURE__ */ new Set();
   for (const statement of splitPlpgsqlStatementsWithOffsets(body)) {
+    const beforeKeys = new Set(stringEnv.keys());
     applyStatementAssignment(statement, stringEnv);
+    const assignment = parseTopLevelAssignment(statement.statement);
+    if (assignment?.isConditionalContext) {
+      for (const key of beforeKeys) {
+        if (!stringEnv.has(key)) {
+          conditionallyRemoved.add(key);
+        }
+      }
+    }
     const executeStatements = extractExecuteExpressions(statement.statement);
     for (const execute of executeStatements) {
       analyzeExecuteStatement(
@@ -617,7 +714,8 @@ function analyzeBodyRange(risks, dedupe, content, commentlessContent, lineStarts
         range,
         statement,
         execute,
-        stringEnv
+        stringEnv,
+        conditionallyRemoved
       );
     }
   }

package/dist/{upgrade-BDUWBRT5.js → upgrade-7L4JIE4K.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { fetchTemplates } from './chunk-Z7A4BEWF.js';
+import { fetchTemplates } from './chunk-3JO6YP3T.js';
 import { updateRunaConfigSdkVersion } from './chunk-6AALH2ED.js';
 import './chunk-DRSUEMAK.js';
 import './chunk-RZLYEO4U.js';

package/dist/{vuln-check-66RXX3TO.js → vuln-check-D575VXIQ.js} RENAMED Viewed

@@ -71,7 +71,7 @@ var vulnCheckCommand = new Command("vuln-check").description("Run comprehensive
   const logger = createCLILogger("vuln-check");
   const isJsonMode = getOutputFormatFromEnv() === "json" || options.format === "json";
   try {
-    const { VulnChecker } = await import('./vuln-checker-FFOGOJPT.js');
+    const { VulnChecker } = await import('./vuln-checker-QV6XODTJ.js');
     const categoryMap = {
       code: ["injection", "auth", "crypto"],
       deps: ["dependency"],

package/dist/{vuln-checker-FFOGOJPT.js → vuln-checker-QV6XODTJ.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { CLI_VERSION } from './chunk-PMXE5XOJ.js';
+import { CLI_VERSION } from './chunk-AO554K3G.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
 import { glob } from 'glob';
 import { exec } from 'child_process';

package/dist/{watch-ITYW57SL.js → watch-AL4LCBRM.js} RENAMED Viewed

@@ -284,7 +284,7 @@ function validateSqlSchema(content, errors, warnings) {
 var riskDetectorLoader = null;
 function loadRiskDetectorModule() {
   if (!riskDetectorLoader) {
-    riskDetectorLoader = import('./risk-detector-VO5HJR4R.js').then((module) => ({
+    riskDetectorLoader = import('./risk-detector-S7XQF4I2.js').then((module) => ({
       detectSchemaRisks: module.detectSchemaRisks
     })).catch((error) => {
       riskDetectorLoader = null;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@runa-ai/runa-cli",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "private": false,
   "description": "AI-powered DevOps CLI",
   "type": "module",