@runa-ai/runa-cli 0.7.2 → 0.8.0

package/dist/{chunk-Z7A4BEWF.js → chunk-3JO6YP3T.js}

@@ -16,7 +16,7 @@ init_esm_shims();
 
 // src/constants/versions.ts
 init_esm_shims();
-var COMPATIBLE_TEMPLATES_VERSION = "0.7.2";
+var COMPATIBLE_TEMPLATES_VERSION = "0.7.3";
 var TEMPLATES_PACKAGE_NAME = "@r06-dev/runa-templates";
 var GITHUB_PACKAGES_REGISTRY = "https://npm.pkg.github.com";
 

package/dist/chunk-6E2DRXIL.js

@@ -0,0 +1,452 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { stripSqlComments, blankDollarQuotedBodies, psqlSyncQuery } from './chunk-A6A7JIRD.js';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { existsSync, readFileSync, readdirSync, lstatSync } from 'fs';
+import { join, basename } from 'path';
+import { execFileSync } from 'child_process';
+import { isIP } from 'net';
+
+createRequire(import.meta.url);
+
+// src/commands/db/utils/schema-detector.ts
+init_esm_shims();
+var EXCLUDED_SCHEMAS = /* @__PURE__ */ new Set([
+  // PostgreSQL system
+  "pg_catalog",
+  "information_schema",
+  "pg_toast",
+  // Supabase services
+  "auth",
+  "storage",
+  "realtime",
+  "pgsodium",
+  "pgsodium_masks",
+  // Supabase extensions
+  "extensions",
+  "graphql",
+  "graphql_public",
+  "net",
+  "vault",
+  // Supabase internal
+  "supabase_functions",
+  "supabase_migrations",
+  "pgbouncer",
+  "cron"
+]);
+var IDENTIFIER_PATTERN = "[A-Za-z_][A-Za-z0-9_]*";
+var SQL_IDENTIFIER = `(?:"(?:[^"]|"")*"|${IDENTIFIER_PATTERN})`;
+var CREATE_SCHEMA_PATTERN = new RegExp(
+  `^\\s*CREATE\\s+SCHEMA\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?(${SQL_IDENTIFIER})`,
+  "gim"
+);
+function collectSchemaSqlFiles(schemasDir) {
+  const entries = readdirSync(schemasDir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const filePath = join(schemasDir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...collectSchemaSqlFiles(filePath));
+    } else if (entry.isFile() && filePath.endsWith(".sql")) {
+      files.push(filePath);
+    }
+  }
+  return files;
+}
+function unquoteIdentifier(identifier) {
+  const trimmed = identifier.trim();
+  if (trimmed.startsWith('"') && trimmed.endsWith('"')) {
+    return trimmed.slice(1, -1).replace(/""/g, '"');
+  }
+  return trimmed;
+}
+function detectAppSchemas(schemasDir, verbose) {
+  const schemas = /* @__PURE__ */ new Set(["public"]);
+  if (!existsSync(schemasDir)) {
+    return Array.from(schemas);
+  }
+  const files = collectSchemaSqlFiles(schemasDir).sort();
+  for (const file of files) {
+    const content = readFileSync(file, "utf-8");
+    const contentWithoutComments = stripSqlComments(content);
+    CREATE_SCHEMA_PATTERN.lastIndex = 0;
+    const matches = contentWithoutComments.matchAll(CREATE_SCHEMA_PATTERN);
+    for (const match of Array.from(matches)) {
+      const schemaNameRaw = unquoteIdentifier(match[1] ?? "");
+      if (!schemaNameRaw) {
+        continue;
+      }
+      const schemaName = schemaNameRaw.toLowerCase();
+      if (!EXCLUDED_SCHEMAS.has(schemaName)) {
+        schemas.add(schemaName);
+      }
+    }
+  }
+  const result = Array.from(schemas).sort();
+  if (verbose) {
+    console.log(`   \u2192 Detected app schemas: ${result.join(", ")}`);
+  }
+  return result;
+}
+var VALID_PG_IDENTIFIER = /^[a-zA-Z_][a-zA-Z0-9_]{0,62}$/;
+function formatSchemasForSql(schemas) {
+  return schemas.map((s) => {
+    if (!VALID_PG_IDENTIFIER.test(s)) {
+      throw new Error(`Invalid schema name "${s}": must be a valid PostgreSQL identifier`);
+    }
+    return `'${s.replace(/'/g, "''")}'`;
+  }).join(", ");
+}
+
+// src/utils/db-url-utils.ts
+init_esm_shims();
+function resolveHostToIPv4(hostname) {
+  const ipVersion = isIP(hostname);
+  if (ipVersion === 4) return hostname;
+  if (ipVersion === 6) return null;
+  try {
+    const output = execFileSync("getent", ["ahostsv4", hostname], {
+      encoding: "utf-8",
+      timeout: 5e3,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    const firstLine = output.split("\n").find((l) => l.trim().length > 0);
+    if (!firstLine) return null;
+    const ip = firstLine.trim().split(/\s+/u)[0] ?? "";
+    return isIP(ip) === 4 ? ip : null;
+  } catch {
+    return null;
+  }
+}
+function normalizeDatabaseUrlForDdl(databaseUrl) {
+  try {
+    const url = new URL(databaseUrl);
+    const port = url.port ? Number(url.port) : void 0;
+    if (port === 6543) url.port = "5432";
+    if (url.searchParams.has("pgbouncer")) url.searchParams.delete("pgbouncer");
+    if (process.env.CI === "true") {
+      const ipv4 = resolveHostToIPv4(url.hostname);
+      if (ipv4) {
+        url.hostname = ipv4;
+      }
+    }
+    return url.toString();
+  } catch {
+    return databaseUrl;
+  }
+}
+function parseBoolish(value) {
+  return value === "t" || value === "true" || value === "1";
+}
+function isIPv6Only(hostname) {
+  const ipVersion = isIP(hostname);
+  if (ipVersion === 4) return false;
+  if (ipVersion === 6) return true;
+  const ipv4 = resolveHostToIPv4(hostname);
+  if (ipv4) return false;
+  try {
+    const output = execFileSync("getent", ["ahosts", hostname], {
+      encoding: "utf-8",
+      timeout: 5e3,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    return output.trim().length > 0;
+  } catch {
+    return false;
+  }
+}
+function appendIpv4AddonGuidance(error) {
+  return `${error}
+
+\u{1F4A1} **\u89E3\u6C7A\u7B56**: Supabase IPv4 Add-on \u3092\u6709\u52B9\u5316\u3057\u3066\u304F\u3060\u3055\u3044 ($4/month)
+   Supabase Dashboard \u2192 Project Settings \u2192 Add-ons \u2192 IPv4 Add-on
+   (GitHub Actions \u306F IPv6 \u3092\u30B5\u30DD\u30FC\u30C8\u3057\u3066\u3044\u307E\u305B\u3093)`;
+}
+function appendConnectionRefusedGuidance(error) {
+  return `${error}
+
+\u{1F4A1} **\u78BA\u8A8D\u4E8B\u9805**:
+   1. DATABASE_URL \u304C Direct URL (port 5432) \u3092\u4F7F\u7528\u3057\u3066\u3044\u307E\u3059\u304B\uFF1F
+   2. Supabase \u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u304C\u7A3C\u50CD\u4E2D\u3067\u3059\u304B\uFF1F`;
+}
+function appendAuthFailureGuidance(error) {
+  return `${error}
+
+\u{1F4A1} **\u78BA\u8A8D\u4E8B\u9805**:
+   1. DATABASE_URL \u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u6B63\u3057\u3044\u3067\u3059\u304B\uFF1F
+   2. Supabase Database Settings \u3067\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u30EA\u30BB\u30C3\u30C8\u3067\u304D\u307E\u3059`;
+}
+function isIpv6ConnectionError(error) {
+  return error.includes("Network is unreachable") || error.includes("IPv6");
+}
+function hasIpv6AddressPattern(error) {
+  return /\([0-9a-f:]+\)/i.test(error);
+}
+function canDetectIpv6OnlyFromUrl(databaseUrl) {
+  try {
+    const url = new URL(databaseUrl);
+    return isIPv6Only(url.hostname);
+  } catch {
+    return false;
+  }
+}
+function shouldShowIpv4AddonGuidance(error, databaseUrl) {
+  if (!isIpv6ConnectionError(error)) {
+    return false;
+  }
+  if (databaseUrl && canDetectIpv6OnlyFromUrl(databaseUrl)) {
+    return true;
+  }
+  return hasIpv6AddressPattern(error);
+}
+function enhanceConnectionError(error, databaseUrl) {
+  if (shouldShowIpv4AddonGuidance(error, databaseUrl)) {
+    return appendIpv4AddonGuidance(error);
+  }
+  if (error.includes("Connection refused") || error.includes("connection refused")) {
+    return appendConnectionRefusedGuidance(error);
+  }
+  if (error.includes("password authentication failed") || error.includes("FATAL:  password")) {
+    return appendAuthFailureGuidance(error);
+  }
+  return error;
+}
+
+// src/commands/db/apply/helpers/partition-validator.ts
+init_esm_shims();
+var QUALIFIED_NAME = '(?:(?:"([^"]+)"|([a-zA-Z_][a-zA-Z0-9_]*))\\s*\\.\\s*)?(?:"([^"]+)"|([a-zA-Z_][a-zA-Z0-9_]*))';
+var PARTITION_OF_REGEX = new RegExp(
+  `CREATE\\s+TABLE\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?${QUALIFIED_NAME}\\s+PARTITION\\s+OF\\s+${QUALIFIED_NAME}`,
+  "gi"
+);
+function extractQualifiedName(quotedSchema, unquotedSchema, quotedTable, unquotedTable) {
+  const schema = quotedSchema || unquotedSchema || "";
+  const table = quotedTable || unquotedTable || "";
+  return schema ? `${schema}.${table}` : table;
+}
+function parseExpectedPartitions(idempotentDir) {
+  if (!existsSync(idempotentDir)) return [];
+  const files = readdirSync(idempotentDir).filter((f) => f.endsWith(".sql")).sort();
+  const partitions = [];
+  for (const file of files) {
+    const fullPath = join(idempotentDir, file);
+    try {
+      if (lstatSync(fullPath).isSymbolicLink()) continue;
+    } catch {
+      continue;
+    }
+    const raw = readFileSync(fullPath, "utf-8");
+    const cleaned = blankDollarQuotedBodies(stripSqlComments(raw));
+    for (const match of cleaned.matchAll(PARTITION_OF_REGEX)) {
+      const child = extractQualifiedName(match[1], match[2], match[3], match[4]);
+      const parent = extractQualifiedName(match[5], match[6], match[7], match[8]);
+      partitions.push({ child, parent, sourceFile: basename(file) });
+    }
+  }
+  return partitions;
+}
+function isValidSchemaName(name) {
+  return /^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name);
+}
+function queryActualPartitions(dbUrl, schemas) {
+  if (schemas.length === 0) return /* @__PURE__ */ new Map();
+  const validSchemas = schemas.filter(isValidSchemaName);
+  if (validSchemas.length === 0) return /* @__PURE__ */ new Map();
+  const schemaList = validSchemas.map((s) => `'${s}'`).join(", ");
+  const sql = `
+    SELECT
+      child_ns.nspname || '.' || child.relname AS child_name,
+      parent_ns.nspname || '.' || parent.relname AS parent_name
+    FROM pg_inherits i
+    JOIN pg_class child ON child.oid = i.inhrelid
+    JOIN pg_namespace child_ns ON child_ns.oid = child.relnamespace
+    JOIN pg_class parent ON parent.oid = i.inhparent
+    JOIN pg_namespace parent_ns ON parent_ns.oid = parent.relnamespace
+    WHERE child.relkind IN ('r', 'p')
+      AND child_ns.nspname IN (${schemaList})
+  `;
+  const result = psqlSyncQuery({ databaseUrl: dbUrl, sql: sql.trim(), timeout: 1e4 });
+  const map = /* @__PURE__ */ new Map();
+  if (result.status !== 0) return map;
+  const lines = (result.stdout || "").split("\n").filter((l) => l.trim());
+  for (const line of lines) {
+    const parts = line.split("|").map((p) => p.trim());
+    if (parts.length === 2 && parts[0] && parts[1]) {
+      map.set(parts[0], parts[1]);
+    }
+  }
+  return map;
+}
+function detectPartitionDrift(expected, actual) {
+  const missing = expected.filter((ep) => !actual.has(ep.child));
+  return { missing };
+}
+function formatPartitionWarnings(drift) {
+  return drift.missing.map(
+    (ep) => `Missing partition: ${ep.child} (PARTITION OF ${ep.parent}, defined in ${ep.sourceFile})`
+  );
+}
+
+// src/commands/db/apply/helpers/idempotent-object-registry.ts
+init_esm_shims();
+function resolveIdempotentDir(schemasDir) {
+  return schemasDir ? join(schemasDir, "..", "idempotent") : join(process.cwd(), "supabase", "schemas", "idempotent");
+}
+function readIdempotentSqlFiles(idempotentDir) {
+  if (!existsSync(idempotentDir)) return null;
+  try {
+    const files = readdirSync(idempotentDir).filter((f) => f.endsWith(".sql"));
+    return files.map((file) => ({
+      file,
+      content: stripSqlComments(readFileSync(join(idempotentDir, file), "utf-8"))
+    }));
+  } catch {
+    return null;
+  }
+}
+function readIdempotentSqlContent(idempotentDir) {
+  const files = readIdempotentSqlFiles(idempotentDir);
+  if (!files) return null;
+  return files.map((f) => f.content).join("\n");
+}
+function extractQualifiedName2(m, schemaIdx1, schemaIdx2, nameIdx1, nameIdx2) {
+  const schema = (m[schemaIdx1] ?? m[schemaIdx2] ?? "").toLowerCase();
+  const name = (m[nameIdx1] ?? m[nameIdx2] ?? "").toLowerCase();
+  return schema ? `${schema}.${name}` : name;
+}
+var cachedIdempotentRoles = null;
+function getIdempotentRoles(schemasDir) {
+  if (cachedIdempotentRoles !== null) {
+    return cachedIdempotentRoles;
+  }
+  const roles = [];
+  const idempotentDir = resolveIdempotentDir(schemasDir);
+  const sqlFiles = readIdempotentSqlFiles(idempotentDir);
+  if (!sqlFiles) {
+    cachedIdempotentRoles = [];
+    return [];
+  }
+  for (const { content } of sqlFiles) {
+    const roleMatches = content.matchAll(/CREATE\s+ROLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)/gi);
+    for (const match of roleMatches) {
+      if (match[1]) {
+        roles.push(match[1].toLowerCase());
+      }
+    }
+    const existsMatches = content.matchAll(/rolname\s*=\s*'(\w+)'/gi);
+    for (const match of existsMatches) {
+      if (match[1] && !roles.includes(match[1].toLowerCase())) {
+        roles.push(match[1].toLowerCase());
+      }
+    }
+  }
+  cachedIdempotentRoles = [...new Set(roles)];
+  return cachedIdempotentRoles;
+}
+function getIdempotentProtectedTables(schemasDir, configExclusions) {
+  const tables = /* @__PURE__ */ new Set();
+  const idempotentDir = resolveIdempotentDir(schemasDir);
+  const sqlFiles = readIdempotentSqlFiles(idempotentDir);
+  if (sqlFiles) {
+    for (const { content } of sqlFiles) {
+      const matches = content.matchAll(
+        /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:"([^"]+)"|(\w+))\.(?:"([^"]+)"|(\w+))/gi
+      );
+      for (const m of matches) {
+        const schema = (m[1] ?? m[2]).toLowerCase();
+        const table = (m[3] ?? m[4]).toLowerCase();
+        tables.add(`${schema}.${table}`);
+      }
+    }
+  }
+  if (configExclusions) {
+    for (const pattern of configExclusions) {
+      tables.add(pattern.toLowerCase());
+    }
+  }
+  return [...tables];
+}
+function getIdempotentProtectedObjects(schemasDir, configExclusions) {
+  const tables = getIdempotentProtectedTables(schemasDir, configExclusions);
+  const functions = /* @__PURE__ */ new Set();
+  const triggers = /* @__PURE__ */ new Set();
+  const views = /* @__PURE__ */ new Set();
+  const types = /* @__PURE__ */ new Set();
+  const sequences = /* @__PURE__ */ new Set();
+  const idempotentDir = resolveIdempotentDir(schemasDir);
+  const content = readIdempotentSqlContent(idempotentDir);
+  if (!content) {
+    return { tables, functions: [], triggers: [], views: [], types: [], sequences: [] };
+  }
+  const funcRe = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))\s*\(/gi;
+  for (const m of content.matchAll(funcRe)) {
+    functions.add(extractQualifiedName2(m, 1, 2, 3, 4));
+  }
+  const trigRe = /CREATE\s+(?:OR\s+REPLACE\s+)?TRIGGER\s+(?:"([^"]+)"|(\w+))\s+.*?\s+ON\s+(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
+  for (const m of content.matchAll(trigRe)) {
+    const trigName = (m[1] ?? m[2] ?? "").toLowerCase();
+    const tblSchema = (m[3] ?? m[4] ?? "").toLowerCase();
+    const tblName = (m[5] ?? m[6] ?? "").toLowerCase();
+    const qualified = tblSchema ? `${tblSchema}.${trigName}` : trigName;
+    triggers.add(qualified);
+    if (tblSchema) {
+      triggers.add(`${tblSchema}.${trigName}_on_${tblName}`);
+    }
+  }
+  const viewRe = /CREATE\s+(?:OR\s+REPLACE\s+)?(?:MATERIALIZED\s+)?VIEW\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
+  for (const m of content.matchAll(viewRe)) {
+    views.add(extractQualifiedName2(m, 1, 2, 3, 4));
+  }
+  const typeRe = /CREATE\s+TYPE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
+  for (const m of content.matchAll(typeRe)) {
+    types.add(extractQualifiedName2(m, 1, 2, 3, 4));
+  }
+  const seqRe = /CREATE\s+SEQUENCE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
+  for (const m of content.matchAll(seqRe)) {
+    sequences.add(extractQualifiedName2(m, 1, 2, 3, 4));
+  }
+  return {
+    tables,
+    functions: [...functions],
+    triggers: [...triggers],
+    views: [...views],
+    types: [...types],
+    sequences: [...sequences]
+  };
+}
+function isIdempotentRoleHazard(hazard, schemasDir) {
+  if (hazard.type !== "AUTHZ_UPDATE") {
+    return false;
+  }
+  const idempotentRoles = getIdempotentRoles(schemasDir);
+  if (idempotentRoles.length === 0) {
+    return false;
+  }
+  const sql = hazard.causingSql?.trim().toLowerCase() || "";
+  const isGrantRevoke = /^\s*(?:grant|revoke)\b/i.test(sql);
+  if (!isGrantRevoke) {
+    return false;
+  }
+  for (const role of idempotentRoles) {
+    const escapedRole = role.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const roleRegex = new RegExp(`\\b${escapedRole}\\b`, "i");
+    if (roleRegex.test(sql)) {
+      return true;
+    }
+  }
+  return false;
+}
+function filterFalsePositiveHazards(hazards, schemasDir) {
+  const filtered = [];
+  const falsePositives = [];
+  for (const hazard of hazards) {
+    if (isIdempotentRoleHazard(hazard, schemasDir)) {
+      falsePositives.push(hazard);
+    } else {
+      filtered.push(hazard);
+    }
+  }
+  return { filtered, falsePositives };
+}
+
+export { PARTITION_OF_REGEX, detectAppSchemas, detectPartitionDrift, enhanceConnectionError, extractQualifiedName, filterFalsePositiveHazards, formatPartitionWarnings, formatSchemasForSql, getIdempotentProtectedObjects, getIdempotentProtectedTables, getIdempotentRoles, isIdempotentRoleHazard, normalizeDatabaseUrlForDdl, parseBoolish, parseExpectedPartitions, queryActualPartitions, readIdempotentSqlFiles, resolveIdempotentDir };

package/dist/{chunk-PMXE5XOJ.js → chunk-GHQH6UC5.js}

@@ -6,7 +6,7 @@ createRequire(import.meta.url);
 
 // src/version.ts
 init_esm_shims();
-var CLI_VERSION = "0.7.2";
+var CLI_VERSION = "0.8.0";
 var HAS_ADMIN_COMMAND = false;
 
 export { CLI_VERSION, HAS_ADMIN_COMMAND };

package/dist/{chunk-LCK2LGVR.js → chunk-PAWNJA3N.js}

@@ -9,7 +9,7 @@ init_esm_shims();
 var riskDetectorModulePromise = null;
 async function loadRiskDetectorModule() {
   if (!riskDetectorModulePromise) {
-    riskDetectorModulePromise = import('./risk-detector-core-7WZJZ5ZI.js').catch((error) => {
+    riskDetectorModulePromise = import('./risk-detector-core-TGFKWHRS.js').catch((error) => {
       riskDetectorModulePromise = null;
       throw error;
     });