@runa-ai/runa-cli 0.7.2 → 0.8.0

package/dist/{ci-Z4525QW6.js → ci-ZK3LKYFX.js}

@@ -1,10 +1,9 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { normalizeDatabaseUrlForDdl, parseBoolish, enhanceConnectionError, detectAppSchemas, formatSchemasForSql } from './chunk-4XHZQRRK.js';
-import { isPathContained } from './chunk-DRSUEMAK.js';
+import { normalizeDatabaseUrlForDdl, parseBoolish, enhanceConnectionError, isIdempotentRoleHazard, detectAppSchemas, formatSchemasForSql } from './chunk-6E2DRXIL.js';
 import './chunk-QDF7QXBL.js';
 import { getSnapshotStateName, getSnapshotStatePaths, isSnapshotComplete } from './chunk-XVNDDHAF.js';
-import { writeEnvLocal, startAppBackground, waitForAppReady, executePrSetupBase, createErrorOutput } from './chunk-FWMGC5FP.js';
+import { createInitialSummary, resolveMode, appendGithubStepSummary, buildCiProdApplyStepSummaryMarkdown, setSummaryErrorFromUnknown, writeEnvLocal, startAppBackground, waitForAppReady, executePrSetupBase, createErrorOutput, requireCiAutoApprove, resolveProdApplyInputs, parseIntOr, addGithubMask } from './chunk-RB2ZUS76.js';
 import { parsePostgresUrl, buildPsqlArgs, buildPsqlEnv, psqlSyncQuery } from './chunk-A6A7JIRD.js';
 import { ensureRunaTmpDir, runLogged } from './chunk-6FAU4IGR.js';
 import { createMachineStateChangeLogger } from './chunk-5FT3F36G.js';
@@ -13,13 +12,13 @@ import { init_constants, init_local_supabase, detectLocalSupabasePorts } from '.
 import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
 import './chunk-WJXC4MVY.js';
 import { setOutputFormat } from './chunk-HKUWEGUX.js';
-import { detectEnvironment } from './chunk-JMJP4A47.js';
-import { init_esm_shims, __require } from './chunk-VRXHCR5K.js';
+import './chunk-JMJP4A47.js';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
 import { Command } from 'commander';
 import { spawnSync, spawn, execFileSync } from 'child_process';
-import { mkdir, writeFile, appendFile, readFile } from 'fs/promises';
+import { mkdir, writeFile, readFile } from 'fs/promises';
 import path4, { join } from 'path';
-import { CommandOutcomeSchema, createCLILogger, CLIError, syncFromProduction, formatDuration, GITHUB_API, getClassificationForProfile, isTimeoutLikeMessage, buildCommandOutcomeSummary, deriveCommandExitMode, getStatusIcon, detectDatabasePackage, DATABASE_PACKAGE_CANDIDATES } from '@runa-ai/runa';
+import { CommandOutcomeSchema, createCLILogger, CLIError, syncFromProduction, GITHUB_API, getClassificationForProfile, formatDuration, isTimeoutLikeMessage, buildCommandOutcomeSummary, deriveCommandExitMode, getStatusIcon, detectDatabasePackage, DATABASE_PACKAGE_CANDIDATES } from '@runa-ai/runa';
 import { z } from 'zod';
 import { existsSync, createWriteStream, readFileSync, readdirSync, statSync, promises, lstatSync } from 'fs';
 import { resolve4 } from 'dns/promises';
@@ -37,28 +36,6 @@ init_esm_shims();
 
 // src/commands/ci/commands/ci-checks.ts
 init_esm_shims();
-
-// src/commands/ci/utils/github.ts
-init_esm_shims();
-async function appendGithubStepSummary(markdown) {
-  const file = process.env.GITHUB_STEP_SUMMARY;
-  if (!file) return;
-  await appendFile(file, `${markdown.trimEnd()}
-
-`, "utf-8");
-}
-function addGithubMask(value) {
-  if (!value) return;
-  console.log(`::add-mask::${value}`);
-}
-z.object({
-  action: z.string().optional(),
-  pull_request: z.object({
-    number: z.number().int()
-  })
-}).passthrough();
-
-// src/commands/ci/commands/ci-checks.ts
 async function runTool(params) {
   const startTime = Date.now();
   return new Promise((resolve) => {
@@ -859,8 +836,8 @@ async function detectRisks(repoRoot, tmpDir, timeoutMs) {
   } catch (error) {
     let logContent = "";
     try {
-      const { readFileSync: readFileSync5 } = await import('fs');
-      logContent = readFileSync5(logFile, "utf-8");
+      const { readFileSync: readFileSync4 } = await import('fs');
+      logContent = readFileSync4(logFile, "utf-8");
     } catch {
     }
     const isInitialDeployment = logContent.includes("No common ancestor") || logContent.includes("INITIAL DEPLOYMENT");
@@ -991,8 +968,8 @@ async function applyProductionSchema(repoRoot, tmpDir, productionDbUrlAdmin, pro
   const totalMs = Date.now() - startTime;
   let logContent = "";
   try {
-    const { readFileSync: readFileSync5 } = await import('fs');
-    logContent = readFileSync5(logPath, "utf-8");
+    const { readFileSync: readFileSync4 } = await import('fs');
+    logContent = readFileSync4(logPath, "utf-8");
   } catch {
   }
   const parsed = parseApplyLog(logContent);
@@ -1194,135 +1171,6 @@ async function maybePostFailureComment(params) {
   }
 }
 
-// src/commands/ci/commands/ci-prod-utils.ts
-init_esm_shims();
-function requireEnv(name) {
-  const v = process.env[name];
-  if (v && v.trim().length > 0) return v.trim();
-  throw new CLIError(
-    `Missing required environment variable: ${name}`,
-    "CI_INPUT_MISSING",
-    [`Set ${name} in GitHub Actions secrets/env`, "If unsure, run: runa check"],
-    void 0,
-    10
-  );
-}
-function resolveRepoKind() {
-  const env = detectEnvironment(process.cwd());
-  const result = env === "runa-repo" ? "monorepo" : env === "pj-repo" ? "pj-repo" : "unknown";
-  if (process.env.RUNA_DEBUG === "true") {
-    console.error("[DEBUG:resolveRepoKind]", {
-      cwd: process.cwd(),
-      detectedEnv: env,
-      result
-    });
-  }
-  return result;
-}
-function createInitialSummary(params) {
-  return {
-    version: "1.0",
-    mode: params.mode,
-    command: "ci prod-apply",
-    status: "failure",
-    startedAt: params.startedAt.toISOString(),
-    endedAt: params.startedAt.toISOString(),
-    durationMs: 0,
-    repoKind: resolveRepoKind(),
-    detected: {},
-    diagnostics: {},
-    steps: {},
-    layers: {},
-    errors: []
-  };
-}
-function requireCiAutoApprove(params) {
-  if (params.mode !== "github-actions") return;
-  if (params.autoApprove === true) return;
-  throw new CLIError(
-    "Missing required flag: --auto-approve (required in CI mode)",
-    "CI_AUTO_APPROVE_REQUIRED",
-    ["Re-run with: runa ci prod-apply --auto-approve", "Keep CI non-interactive and deterministic"],
-    void 0,
-    10
-  );
-}
-function resolveProdApplyInputs() {
-  const productionDatabaseUrlAdmin = requireEnv("GH_DATABASE_URL_ADMIN");
-  const productionDatabaseUrl = requireEnv("GH_DATABASE_URL");
-  addGithubMask(productionDatabaseUrlAdmin);
-  addGithubMask(productionDatabaseUrl);
-  return {
-    productionDatabaseUrlAdmin,
-    productionDatabaseUrl,
-    githubSha: process.env.GITHUB_SHA ?? "unknown",
-    githubActor: process.env.GITHUB_ACTOR ?? "unknown",
-    githubRepository: process.env.GITHUB_REPOSITORY ?? "unknown"
-  };
-}
-function setSummaryErrorFromUnknown(summary, error) {
-  if (error instanceof CLIError) {
-    summary.errors.push({
-      code: error.code ?? "CI_ERROR",
-      message: error.message,
-      step: "ci prod-apply",
-      details: error.cause instanceof Error ? error.cause.message : void 0
-    });
-    return;
-  }
-  if (error instanceof Error) {
-    summary.errors.push({ code: "CI_ERROR", message: error.message, step: "ci prod-apply" });
-    return;
-  }
-  summary.errors.push({ code: "CI_ERROR", message: String(error), step: "ci prod-apply" });
-}
-function buildCiProdApplyStepSummaryMarkdown(params) {
-  const { summary } = params;
-  const lines = [];
-  const statusEmoji = summary.status === "success" ? "\u2705" : "\u274C";
-  const duration = formatDuration(summary.durationMs);
-  lines.push(
-    `## ${statusEmoji} Production Deploy ${summary.status === "success" ? "Completed" : "Failed"}`
-  );
-  lines.push("");
-  lines.push(`**Duration**: ${duration}`);
-  lines.push("");
-  if (summary.dbOutcome) {
-    lines.push(`**Exit mode**: \`${summary.dbOutcome.exitMode}\``);
-    const failedPhase = summary.dbOutcome.phases.find(
-      (phase) => phase.status === "failed" || phase.status === "timeout"
-    );
-    if (failedPhase) {
-      lines.push(`**Failed phase**: \`${failedPhase.id}\``);
-    }
-    if (summary.dbOutcome.summary.warnings > 0) {
-      lines.push(`**Warnings**: ${summary.dbOutcome.summary.warnings}`);
-    }
-    lines.push("");
-  }
-  if (summary.errors.length > 0) {
-    lines.push("### \u274C Errors");
-    lines.push("");
-    for (const e of summary.errors) {
-      lines.push(`- **${e.code}**: ${e.message}`);
-    }
-    lines.push("");
-  }
-  lines.push("<details>");
-  lines.push("<summary>\u{1F4CB} Technical Details</summary>");
-  lines.push("");
-  lines.push(`- Command: \`${summary.command}\``);
-  lines.push(`- Mode: \`${summary.mode}\``);
-  lines.push(`- Summary: \`${params.summaryPath}\``);
-  if (summary.dbOutcome) {
-    lines.push(`- DB exit mode: \`${summary.dbOutcome.exitMode}\``);
-  }
-  lines.push("");
-  lines.push("</details>");
-  lines.push("");
-  return lines.join("\n");
-}
-
 // src/commands/ci/commands/ci-prod-workflow.ts
 init_esm_shims();
 
@@ -1756,22 +1604,6 @@ var CiProdApplyWorkflow = class {
   }
 };
 
-// src/commands/ci/commands/ci-resolvers.ts
-init_esm_shims();
-
-// src/commands/ci/utils/config-readers.ts
-init_esm_shims();
-
-// src/commands/ci/commands/ci-resolvers.ts
-function resolveMode(modeRaw) {
-  if (modeRaw === "github-actions" || modeRaw === "local") return modeRaw;
-  return process.env.GITHUB_ACTIONS === "true" ? "github-actions" : "local";
-}
-function parseIntOr(value, fallback) {
-  const n = Number.parseInt(String(value ?? ""), 10);
-  return Number.isNaN(n) ? fallback : n;
-}
-
 // src/commands/ci/utils/workflow-idempotency.ts
 init_esm_shims();
 var PROD_DEPLOY_LOCK_ID = 88889;
@@ -4256,41 +4088,6 @@ function extractSqlFromSchemaChanges(fullOutput) {
   }
   return null;
 }
-function getIdempotentRoleNames(repoRoot) {
-  const idempotentDir = path4.join(repoRoot, "supabase", "schemas", "idempotent");
-  const roles = [];
-  try {
-    if (!existsSync(idempotentDir)) return [];
-    const files = readdirSync(idempotentDir).filter((f) => f.endsWith(".sql"));
-    for (const file of files) {
-      const content = readFileSync(path4.join(idempotentDir, file), "utf-8");
-      const roleMatches = content.matchAll(/CREATE\s+ROLE\s+(\w+)\s+WITH/gi);
-      for (const match of roleMatches) {
-        if (match[1]) roles.push(match[1].toLowerCase());
-      }
-      const existsMatches = content.matchAll(/rolname\s*=\s*'(\w+)'/gi);
-      for (const match of existsMatches) {
-        if (match[1] && !roles.includes(match[1].toLowerCase())) {
-          roles.push(match[1].toLowerCase());
-        }
-      }
-    }
-  } catch {
-  }
-  return [...new Set(roles)];
-}
-function isIdempotentRoleHazard(hazardType, hazardMessage, causingSql, idempotentRoles) {
-  if (hazardType.toUpperCase() !== "AUTHZ_UPDATE") return false;
-  if (idempotentRoles.length === 0) return false;
-  const sql = (causingSql || "").trim().toLowerCase();
-  const isGrantRevoke = /^\s*(?:grant|revoke)\b/i.test(sql);
-  if (sql && !isGrantRevoke) return false;
-  const textToCheck = sql || hazardMessage.toLowerCase();
-  for (const role of idempotentRoles) {
-    if (textToCheck.includes(role)) return true;
-  }
-  return false;
-}
 function getHazardSeverity(type) {
   switch (type.toUpperCase()) {
     case "DELETES_DATA":
@@ -4332,20 +4129,26 @@ function createHazardDetail(type, message, causingSql) {
     causingSql
   };
 }
-function collectCommentHazards(lines, idempotentRoles) {
+function collectCommentHazards(lines, schemasDir) {
   const hazards = [];
   for (let i = 0; i < lines.length; i++) {
     const parsed = parseHazardLine(lines[i] ?? "");
     if (!parsed) continue;
     const causingSql = findCausingSqlLine(lines, i);
-    if (isIdempotentRoleHazard(parsed.type, parsed.message, causingSql, idempotentRoles)) {
+    const registryHazard = {
+      type: parsed.type,
+      message: parsed.message,
+      fullMatch: lines[i] ?? "",
+      causingSql
+    };
+    if (isIdempotentRoleHazard(registryHazard, schemasDir)) {
       continue;
     }
     hazards.push(createHazardDetail(parsed.type, parsed.message, causingSql));
   }
   return hazards;
 }
-function appendEmojiHazards(fullOutput, idempotentRoles, hazards) {
+function appendEmojiHazards(fullOutput, schemasDir, hazards) {
   const hazardPrefixes = ["\u{1F534}", "\u{1F7E0}", "\u{1F7E1}", "\u26A0"];
   for (const line of fullOutput.split("\n")) {
     const trimmed = line.trim();
@@ -4356,7 +4159,12 @@ function appendEmojiHazards(fullOutput, idempotentRoles, hazards) {
     if (!match?.[1] || !match[2]) continue;
     const type = match[1].toUpperCase();
     const message = match[2].trim();
-    if (isIdempotentRoleHazard(type, message, void 0, idempotentRoles)) {
+    const registryHazard = {
+      type,
+      message,
+      fullMatch: trimmed
+    };
+    if (isIdempotentRoleHazard(registryHazard, schemasDir)) {
       continue;
     }
     const isDuplicate = hazards.some(
@@ -4369,9 +4177,9 @@ function appendEmojiHazards(fullOutput, idempotentRoles, hazards) {
 }
 function extractHazardsWithContext(fullOutput, repoRoot) {
   const lines = fullOutput.split("\n");
-  const idempotentRoles = repoRoot ? getIdempotentRoleNames(repoRoot) : [];
-  const hazards = collectCommentHazards(lines, idempotentRoles);
-  appendEmojiHazards(fullOutput, idempotentRoles, hazards);
+  const schemasDir = repoRoot ? path4.join(repoRoot, "supabase", "schemas", "declarative") : void 0;
+  const hazards = collectCommentHazards(lines, schemasDir);
+  appendEmojiHazards(fullOutput, schemasDir, hazards);
   return hazards;
 }
 function stripAnsi(text) {
@@ -4870,51 +4678,6 @@ function getSchemaGitDiff(repoRoot) {
     return null;
   }
 }
-function extractRolesFromSql(content) {
-  const roles = [];
-  const roleMatches = content.matchAll(/CREATE\s+ROLE\s+(\w+)\s+WITH/gi);
-  for (const match of roleMatches) {
-    if (match[1]) roles.push(match[1].toLowerCase());
-  }
-  const existsMatches = content.matchAll(/rolname\s*=\s*'(\w+)'/gi);
-  for (const match of existsMatches) {
-    if (match[1] && !roles.includes(match[1].toLowerCase())) {
-      roles.push(match[1].toLowerCase());
-    }
-  }
-  return roles;
-}
-function getIdempotentRoleNames2(repoRoot) {
-  const idempotentDir = path4.join(repoRoot, "supabase", "schemas", "idempotent");
-  const roles = [];
-  try {
-    const fs2 = __require("fs");
-    if (!fs2.existsSync(idempotentDir)) return [];
-    const files = fs2.readdirSync(idempotentDir).filter((f) => f.endsWith(".sql"));
-    for (const file of files) {
-      const filePath = path4.join(idempotentDir, file);
-      if (!isPathContained(idempotentDir, filePath)) {
-        continue;
-      }
-      const content = fs2.readFileSync(filePath, "utf-8");
-      roles.push(...extractRolesFromSql(content));
-    }
-  } catch {
-  }
-  return [...new Set(roles)];
-}
-function isIdempotentRoleHazard2(hazardType, hazardMessage, idempotentRoles, causingSql) {
-  if (hazardType !== "AUTHZ_UPDATE") return false;
-  if (idempotentRoles.length === 0) return false;
-  const sql = ("").trim().toLowerCase();
-  const isGrantRevoke = /^\s*(?:grant|revoke)\b/i.test(sql);
-  if (sql && !isGrantRevoke) return false;
-  const textToCheck = sql || hazardMessage.toLowerCase();
-  for (const role of idempotentRoles) {
-    if (textToCheck.includes(role)) return true;
-  }
-  return false;
-}
 function createEmptySchemaChangeStats() {
   return {
     creates: { tables: 0, indexes: 0, policies: 0, functions: 0, other: 0 },
@@ -4934,13 +4697,18 @@ function resolveSqlInput(sqlInput, logPath) {
     return null;
   }
 }
-function parseHazards(sql, idempotentRoles) {
+function parseHazards(sql, schemasDir) {
   const hazards = [];
   const hazardMatches = sql.matchAll(/-- Hazard (\w+): (.+)/g);
   for (const match of hazardMatches) {
     const hazardType = match[1];
     const hazardMessage = match[2];
-    if (isIdempotentRoleHazard2(hazardType, hazardMessage, idempotentRoles)) {
+    const registryHazard = {
+      type: hazardType,
+      message: hazardMessage,
+      fullMatch: match[0]
+    };
+    if (isIdempotentRoleHazard(registryHazard, schemasDir)) {
       continue;
     }
     hazards.push(`${hazardType}: ${hazardMessage}`);
@@ -4960,8 +4728,8 @@ function parseSchemaChangeStats(sqlInput, logPath, repoRoot) {
   stats.creates.other = countMatches(sql, /CREATE (TRIGGER|TYPE|SEQUENCE|VIEW|SCHEMA)/gi);
   stats.alters = countMatches(sql, /ALTER (TABLE|COLUMN|INDEX|POLICY|FUNCTION)/gi);
   stats.drops = countMatches(sql, /DROP (TABLE|COLUMN|INDEX|POLICY|FUNCTION|TRIGGER)/gi);
-  const idempotentRoles = repoRoot ? getIdempotentRoleNames2(repoRoot) : [];
-  stats.hazards = parseHazards(sql, idempotentRoles);
+  const schemasDir = repoRoot ? path4.join(repoRoot, "supabase", "schemas", "declarative") : void 0;
+  stats.hazards = parseHazards(sql, schemasDir);
   return stats;
 }
 function isCheckSummaryOutput(output) {
@@ -5235,9 +5003,9 @@ function detectSupabaseContainers() {
 async function checkSupabasePortConflicts(repoRoot) {
   let dbPort = 54322;
   try {
-    const { readFileSync: readFileSync5 } = await import('fs');
+    const { readFileSync: readFileSync4 } = await import('fs');
     const configPath = path4.join(repoRoot, "supabase", "config.toml");
-    const content = readFileSync5(configPath, "utf-8");
+    const content = readFileSync4(configPath, "utf-8");
     const match = /\[db\][^[]*?port\s*=\s*(\d+)/s.exec(content);
     if (match?.[1]) dbPort = Number.parseInt(match[1], 10);
   } catch {
@@ -5654,116 +5422,96 @@ async function queryScalar(params) {
 async function detectDbCapabilities(params) {
   const caps = /* @__PURE__ */ new Set();
   const diagnostics = {};
-  const isPostgresRaw = await queryScalar({
+  const batchedSql = `
+SELECT json_build_object(
+  'isPostgres', (SELECT version() LIKE 'PostgreSQL%'),
+  'tableCount', (
+    SELECT COUNT(*)::int
+    FROM information_schema.tables
+    WHERE table_type = 'BASE TABLE'
+      AND table_schema NOT LIKE 'pg_%'
+      AND table_schema NOT IN ('information_schema')
+  ),
+  'rlsCount', (
+    SELECT COUNT(*)::int
+    FROM pg_class c
+    JOIN pg_namespace n ON n.oid = c.relnamespace
+    WHERE c.relkind IN ('r', 'p')
+      AND n.nspname NOT LIKE 'pg_%'
+      AND n.nspname NOT IN ('information_schema')
+      AND c.relrowsecurity
+  ),
+  'canSelectAny', (
+    SELECT COALESCE(bool_or(has_table_privilege(current_user, tbl, 'select')), false)
+    FROM (
+      SELECT quote_ident(table_schema) || '.' || quote_ident(table_name) AS tbl
+      FROM information_schema.tables
+      WHERE table_type = 'BASE TABLE'
+        AND table_schema NOT LIKE 'pg_%'
+        AND table_schema NOT IN ('information_schema')
+      LIMIT 50  -- cap sampling to prevent slow scans on large databases
+    ) candidates
+  ),
+  'authenticatedExists', (
+    SELECT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated')
+  ),
+  'isMember', (
+    SELECT CASE
+      WHEN EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated')
+      THEN pg_has_role(current_user, 'authenticated', 'member')
+      ELSE false
+    END
+  )
+)::text;
+  `.trim();
+  const raw = await queryScalar({
     repoRoot: params.repoRoot,
     tmpDir: params.tmpDir,
     databaseUrl: params.databaseUrlApp,
-    sql: "SELECT version() LIKE 'PostgreSQL%';",
-    logName: "cap-is-postgres"
+    sql: batchedSql,
+    logName: "cap-db-batch"
   });
-  const isPostgres = parseBoolish(isPostgresRaw);
-  if (isPostgres) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    diagnostics["db.postgres"] = `Failed to parse batched query result (raw=${raw.substring(0, 200)})`;
+    return { capabilities: caps, diagnostics };
+  }
+  if (parsed.isPostgres) {
     caps.add("db.postgres");
     diagnostics["db.postgres"] = "PostgreSQL detected via SELECT version()";
   } else {
-    diagnostics["db.postgres"] = `Not PostgreSQL (raw=${isPostgresRaw})`;
+    diagnostics["db.postgres"] = `Not PostgreSQL`;
     return { capabilities: caps, diagnostics };
   }
-  const tablesRaw = await queryScalar({
-    repoRoot: params.repoRoot,
-    tmpDir: params.tmpDir,
-    databaseUrl: params.databaseUrlApp,
-    sql: `
-SELECT COUNT(*)::int
-FROM information_schema.tables
-WHERE table_type='BASE TABLE'
-AND table_schema NOT LIKE 'pg_%'
-AND table_schema NOT IN ('information_schema');
-    `.trim(),
-    logName: "cap-table-count"
-  });
-  const tableCount = Number.parseInt(tablesRaw, 10);
-  if (Number.isFinite(tableCount) && tableCount > 0) {
+  if (Number.isFinite(parsed.tableCount) && parsed.tableCount > 0) {
     caps.add("db.schemaApplied");
-    diagnostics["db.schemaApplied"] = `Non-system base tables detected: ${tableCount}`;
+    diagnostics["db.schemaApplied"] = `Non-system base tables detected: ${parsed.tableCount}`;
   } else {
-    diagnostics["db.schemaApplied"] = `No non-system base tables detected (raw=${tablesRaw})`;
+    diagnostics["db.schemaApplied"] = `No non-system base tables detected (count=${parsed.tableCount})`;
   }
-  const rlsCountRaw = await queryScalar({
-    repoRoot: params.repoRoot,
-    tmpDir: params.tmpDir,
-    databaseUrl: params.databaseUrlApp,
-    sql: `
-SELECT COUNT(*)::int
-FROM pg_class c
-JOIN pg_namespace n ON n.oid=c.relnamespace
-WHERE c.relkind IN ('r','p')
-AND n.nspname NOT LIKE 'pg_%'
-AND n.nspname NOT IN ('information_schema')
-AND c.relrowsecurity;
-    `.trim(),
-    logName: "cap-rls-count"
-  });
-  const rlsCount = Number.parseInt(rlsCountRaw, 10);
-  if (Number.isFinite(rlsCount) && rlsCount > 0) {
+  if (Number.isFinite(parsed.rlsCount) && parsed.rlsCount > 0) {
     caps.add("db.rlsEnabled");
-    diagnostics["db.rlsEnabled"] = `RLS-enabled tables detected: ${rlsCount}`;
+    diagnostics["db.rlsEnabled"] = `RLS-enabled tables detected: ${parsed.rlsCount}`;
   } else {
-    diagnostics["db.rlsEnabled"] = `No RLS-enabled tables detected (raw=${rlsCountRaw})`;
+    diagnostics["db.rlsEnabled"] = `No RLS-enabled tables detected (count=${parsed.rlsCount})`;
   }
-  const canSelectAnyRaw = await queryScalar({
-    repoRoot: params.repoRoot,
-    tmpDir: params.tmpDir,
-    databaseUrl: params.databaseUrlApp,
-    sql: `
-WITH candidates AS (
-  SELECT quote_ident(table_schema)||'.'||quote_ident(table_name) AS tbl
-  FROM information_schema.tables
-  WHERE table_type='BASE TABLE'
-    AND table_schema NOT LIKE 'pg_%'
-    AND table_schema NOT IN ('information_schema')
-  LIMIT 50
-),
-checks AS (
-  SELECT bool_or(has_table_privilege(current_user, tbl, 'select')) AS ok
-  FROM candidates
-)
-SELECT COALESCE(ok,false) FROM checks;
-    `.trim(),
-    logName: "cap-select-any"
-  });
-  const canSelectAny = parseBoolish(canSelectAnyRaw);
-  if (canSelectAny) {
+  if (parsed.canSelectAny) {
     caps.add("db.appCanSelectSomeTable");
     diagnostics["db.appCanSelectSomeTable"] = "has_table_privilege(select) true for at least one table";
   } else {
-    diagnostics["db.appCanSelectSomeTable"] = `App role cannot SELECT any sampled table (raw=${canSelectAnyRaw})`;
+    diagnostics["db.appCanSelectSomeTable"] = "App role cannot SELECT any sampled table";
   }
-  const authenticatedExistsRaw = await queryScalar({
-    repoRoot: params.repoRoot,
-    tmpDir: params.tmpDir,
-    databaseUrl: params.databaseUrlApp,
-    sql: "SELECT EXISTS (SELECT 1 FROM pg_roles WHERE rolname='authenticated');",
-    logName: "cap-authenticated-role-exists"
-  });
-  const authenticatedExists = parseBoolish(authenticatedExistsRaw);
-  if (!authenticatedExists) {
+  if (!parsed.authenticatedExists) {
     diagnostics["db.appIsAuthenticatedMember"] = "n/a (authenticated role does not exist)";
     return { capabilities: caps, diagnostics };
   }
-  const isMemberRaw = await queryScalar({
-    repoRoot: params.repoRoot,
-    tmpDir: params.tmpDir,
-    databaseUrl: params.databaseUrlApp,
-    sql: "SELECT pg_has_role(current_user, 'authenticated', 'member');",
-    logName: "cap-app-is-authenticated-member"
-  });
-  const isMember = parseBoolish(isMemberRaw);
-  if (isMember) {
+  if (parsed.isMember) {
     caps.add("db.appIsAuthenticatedMember");
     diagnostics["db.appIsAuthenticatedMember"] = "pg_has_role(member, authenticated) is true";
   } else {
-    diagnostics["db.appIsAuthenticatedMember"] = `pg_has_role(member, authenticated)=false (raw=${isMemberRaw})`;
+    diagnostics["db.appIsAuthenticatedMember"] = "pg_has_role(member, authenticated)=false";
   }
   return { capabilities: caps, diagnostics };
 }
@@ -5874,23 +5622,25 @@ async function detectUiContractReady(params) {
 async function detectCiCapabilities(params) {
   const caps = /* @__PURE__ */ new Set();
   const diagnostics = {};
-  const db = await detectDbCapabilities({
-    repoRoot: params.repoRoot,
-    tmpDir: params.tmpDir,
-    databaseUrlApp: params.databaseUrlApp
-  });
-  for (const c of db.capabilities) caps.add(c);
-  for (const [k, v] of Object.entries(db.diagnostics)) diagnostics[k] = String(v);
-  const e2e = await detectGeneratedE2eCapabilities({ repoRoot: params.repoRoot });
-  for (const c of e2e.capabilities) caps.add(c);
-  for (const [k, v] of Object.entries(e2e.diagnostics)) diagnostics[k] = String(v);
+  const mergeDiagnostics = (result) => {
+    for (const c of result.capabilities) caps.add(c);
+    for (const [k, v] of Object.entries(result.diagnostics))
+      diagnostics[k] = String(v);
+  };
+  const [db, e2e, ui] = await Promise.all([
+    detectDbCapabilities({
+      repoRoot: params.repoRoot,
+      tmpDir: params.tmpDir,
+      databaseUrlApp: params.databaseUrlApp
+    }),
+    detectGeneratedE2eCapabilities({ repoRoot: params.repoRoot }),
+    detectUiContractReady({ baseUrl: params.baseUrl })
+  ]);
+  mergeDiagnostics(db);
+  mergeDiagnostics(e2e);
+  mergeDiagnostics(ui);
   const preview = await detectPreviewReachable({ baseUrl: params.baseUrl });
-  for (const c of preview.capabilities) caps.add(c);
-  for (const [k, v] of Object.entries(preview.diagnostics))
-    diagnostics[k] = String(v);
-  const ui = await detectUiContractReady({ baseUrl: params.baseUrl });
-  for (const c of ui.capabilities) caps.add(c);
-  for (const [k, v] of Object.entries(ui.diagnostics)) diagnostics[k] = String(v);
+  mergeDiagnostics(preview);
   return { capabilities: Array.from(caps), diagnostics };
 }
 function resolveRequiredCapabilities(params) {
@@ -6711,9 +6461,6 @@ var runLayersActor = fromPromise(
       progressIntervalSeconds = 30
     } = input;
     try {
-      console.log(
-        `[DEBUG] runLayersActor: Starting with layers=${JSON.stringify(layers)}, failFast=${failFast}`
-      );
       const results = await runLayersInParallel({
         repoRoot,
         tmpDir,
@@ -6727,15 +6474,9 @@ var runLayersActor = fromPromise(
       });
       const failedLayers = results.filter((r) => !r.success).map((r) => r.layer);
       const allPassed = failedLayers.length === 0;
-      console.log(
-        `[DEBUG] runLayersActor: Complete. results=${results.length}, failedLayers=${JSON.stringify(failedLayers)}, allPassed=${allPassed}`
-      );
       return { results, allPassed, failedLayers };
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
-      console.log(
-        `[DEBUG] runLayersActor: Caught error: ${errorMessage}. Returning failedLayers=${JSON.stringify(layers)}`
-      );
       return {
         results: [],
         allPassed: false,
@@ -6812,8 +6553,22 @@ function shouldPostGitHubComment(context) {
   if (context.input.skipGithubComment === true) return false;
   return true;
 }
+function isBlockingPhase(context) {
+  return isCiPrMode(context) && context.phase === "blocking";
+}
+function isObservabilityPhase(context) {
+  return isCiPrMode(context) && context.phase === "observability";
+}
 function isTestPhase(context) {
-  return isCiPrMode(context) && context.input.phase === "test";
+  return isCiPrMode(context) && context.phase === "test";
+}
+function shouldRunPrExecutionPhase(context) {
+  if (!isCiPrMode(context)) return true;
+  return !isObservabilityPhase(context);
+}
+function shouldRunPrObservabilityPhase(context) {
+  if (!isCiPrMode(context)) return true;
+  return !isBlockingPhase(context) && !isTestPhase(context);
 }
 function hasError(context) {
   return context.error !== null;
@@ -6868,7 +6623,7 @@ init_esm_shims();
 
 // src/commands/ci/machine/formatters/sections/format-helpers.ts
 init_esm_shims();
-function formatDuration4(ms) {
+function formatDuration3(ms) {
   if (ms < 1e3) return `${ms}ms`;
   const seconds = Math.floor(ms / 1e3);
   if (seconds < 60) return `${seconds}s`;
@@ -7713,6 +7468,10 @@ function generateKnownDriftOnlySection(schemaStats, expectedDrift) {
 }
 function generateProductionPreviewSection(phase, prodPreview, schemaDrift, schemaStats, expectedDrift) {
   const signals = getProductionSchemaSignals(prodPreview, schemaStats, expectedDrift);
+  const deferredSection = getDeferredProductionPreviewSection(phase, prodPreview);
+  if (deferredSection.length > 0) {
+    return deferredSection;
+  }
   if (!prodPreview?.executed) {
     if (schemaDrift?.gitDiff?.filesChanged?.length) {
       return [
@@ -7736,6 +7495,27 @@ function generateProductionPreviewSection(phase, prodPreview, schemaDrift, schem
   }
   return ["**\u672C\u756A\u30D7\u30EC\u30D3\u30E5\u30FC**: \u2705 \u672C\u756A\u306B\u9069\u7528\u3059\u308B\u30B9\u30AD\u30FC\u30DE\u5909\u66F4\u306F\u3042\u308A\u307E\u305B\u3093", ""];
 }
+function getDeferredProductionPreviewSection(phase, prodPreview) {
+  if (prodPreview?.executed) return [];
+  switch (phase) {
+    case "blocking":
+      return [
+        "**\u672C\u756A\u30D7\u30EC\u30D3\u30E5\u30FC**: \u23ED\uFE0F blocking phase \u3067\u306F\u5B9F\u884C\u3057\u307E\u305B\u3093",
+        "",
+        "> \u672C\u756A\u6BD4\u8F03\u3068 schema stats \u306F blocking CI \u306E\u30AF\u30EA\u30C6\u30A3\u30AB\u30EB\u30D1\u30B9\u304B\u3089\u5207\u308A\u96E2\u3055\u308C\u3066\u3044\u307E\u3059\u3002\u672C\u756A\u53CD\u6620\u524D\u306B\u306F `deploy-db.yml` \u304C compare-only dry-run \u3067\u518D\u691C\u8A3C\u3057\u307E\u3059\u3002",
+        ""
+      ];
+    case "test":
+      return [
+        "**\u672C\u756A\u30D7\u30EC\u30D3\u30E5\u30FC**: \u23ED\uFE0F phase=test \u306E\u305F\u3081\u30B9\u30AD\u30C3\u30D7",
+        "",
+        "> workflow-prepared DB \u3092\u518D\u5229\u7528\u3059\u308B\u8EFD\u91CF\u30D5\u30A7\u30FC\u30BA\u306E\u305F\u3081\u3001\u672C\u756A\u6BD4\u8F03\u306F\u5B9F\u884C\u3057\u3066\u3044\u307E\u305B\u3093\u3002",
+        ""
+      ];
+    default:
+      return [];
+  }
+}
 function shouldShowDeployButton(productionPreview, schemaDrift, hasSchemaChanges2) {
   if (hasSchemaChanges2) return true;
   if (productionPreview?.error) return true;
@@ -7744,6 +7524,7 @@ function shouldShowDeployButton(productionPreview, schemaDrift, hasSchemaChanges
 }
 function generateDeploySection(exitCode, layerResults, phase, gitBranchName, productionPreview, schemaDrift, schemaStats, expectedDrift, env) {
   if (!checkIfDeployable(exitCode, layerResults)) return [];
+  if (phase === "blocking" || phase === "test") return [];
   const deployWorkflowUrl = env.repository ? `${env.serverUrl}/${env.repository}/actions/workflows/deploy-db.yml` : null;
   const signals = getProductionSchemaSignals(productionPreview, schemaStats, expectedDrift);
   const hasSchemaChanges2 = signals.requiresDeploy;
@@ -7778,12 +7559,20 @@ function generateDeploySection(exitCode, layerResults, phase, gitBranchName, pro
 function generateObservabilitySectionBody(input) {
   const env = getGitHubEnv();
   const gitBranchName = input.prContext?.headBranch ?? input.branchName ?? "unknown";
+  const deferredPreviewLines = input.phase === "blocking" || input.phase === "test" ? generateProductionPreviewSection(
+    input.phase,
+    input.productionPreview,
+    input.schemaDrift,
+    input.schemaStats ?? null,
+    input.expectedDrift ?? []
+  ) : [];
   const lines = [
     ...formatSchemaMatrix(
       input.schemaStats,
       input.schemaDrift?.gitDiff ?? null,
       input.expectedDrift ?? []
     ),
+    ...deferredPreviewLines,
     ...generateDeploySection(
       input.exitCode,
       input.layerResults,
@@ -7867,7 +7656,7 @@ function calculateTotalElapsed(stepTimings2) {
   if (!stepTimings2) return 0;
   return Object.values(stepTimings2).reduce((sum, t) => sum + (t ?? 0), 0);
 }
-function formatProgressBar(currentStep, completedSteps, failedStep, skippedSteps) {
+function formatProgressBar(_currentStep, completedSteps, failedStep, skippedSteps) {
   const total = CI_STEPS.length;
   const completedBase = completedSteps.length + skippedSteps.length;
   const completed = failedStep ? completedBase : completedBase + 1;
@@ -8004,7 +7793,7 @@ function generateProgressHeader(currentStep, failedStep, completedSteps, skipped
     );
   }
   if (totalElapsed > 0) {
-    lines.push(`<sub>\u23F1\uFE0F \u7D4C\u904E\u6642\u9593: ${formatDuration4(totalElapsed)}</sub>`);
+    lines.push(`<sub>\u23F1\uFE0F \u7D4C\u904E\u6642\u9593: ${formatDuration3(totalElapsed)}</sub>`);
   }
   lines.push("");
   return lines;
@@ -8024,7 +7813,7 @@ function generateProgressSteps(currentStep, completedSteps, failedStep, skippedS
     const status = getStepStatus(step, currentStep, completedSteps, failedStep, skippedSteps);
     const icon = getStepIcon(status);
     const timing = stepTimings2?.[step];
-    const timingStr = timing !== void 0 ? ` \`${formatDuration4(timing)}\`` : "";
+    const timingStr = timing !== void 0 ? ` \`${formatDuration3(timing)}\`` : "";
     const stepDetail = getStepDetail(step, status, schemaDrift, layerResults);
     const runningDetail = getRunningStepDetail(step, detail, productionPreview);
     if (status === "running" && runningDetail) {
@@ -8125,6 +7914,11 @@ function generateTestResultsSection(layerResults) {
 }
 function generateProductionSchemaSection(productionPreview, phase, deployStatus, env) {
   const lines = ["### \u{1F4CB} \u672C\u756A\u30B9\u30AD\u30FC\u30DE\u72B6\u6CC1", ""];
+  const deferredMessage = getDeferredProductionPreviewMessage(phase, productionPreview);
+  if (!deployStatus?.deployed && deferredMessage) {
+    lines.push(deferredMessage, "");
+    return lines;
+  }
   const state = resolveProductionSchemaState(productionPreview, deployStatus);
   switch (state) {
     case "deployed":
@@ -8149,6 +7943,17 @@ function generateProductionSchemaSection(productionPreview, phase, deployStatus,
   }
   return lines;
 }
+function getDeferredProductionPreviewMessage(phase, productionPreview) {
+  if (productionPreview?.executed) return null;
+  switch (phase) {
+    case "blocking":
+      return "\u23ED\uFE0F _blocking phase \u306E\u305F\u3081\u3001\u672C\u756A\u6BD4\u8F03\u3068 schema stats \u306F\u3053\u306E job \u3067\u306F\u5B9F\u884C\u3057\u307E\u305B\u3093_";
+    case "test":
+      return "\u23ED\uFE0F _phase=test \u306E\u305F\u3081\u3001\u672C\u756A\u6BD4\u8F03\u306F\u30B9\u30AD\u30C3\u30D7\u3055\u308C\u3066\u3044\u307E\u3059_";
+    default:
+      return null;
+  }
+}
 function resolveProductionSchemaState(productionPreview, deployStatus) {
   if (deployStatus?.deployed) return "deployed";
   if (!productionPreview) return "checking";
@@ -8197,7 +8002,8 @@ function appendChangesPendingSection(lines, productionPreview, env) {
   }
   appendDeployLink(lines, env);
 }
-function generateDbDeploySection(layerResults, gitBranchName, productionPreview, env) {
+function generateDbDeploySection(phase, layerResults, gitBranchName, productionPreview, env) {
+  if (phase === "blocking" || phase === "test") return [];
   if (!checkBlockingLayersPassed(layerResults)) return [];
   if (productionPreview?.hasChanges) return [];
   const deployWorkflowUrl = env.repository ? `${env.serverUrl}/${env.repository}/actions/workflows/deploy-db.yml` : null;
@@ -8260,7 +8066,13 @@ function generateProgressCommentBody(input) {
     ...generateErrorSection(error ?? void 0, failedStep),
     ...generateTestResultsSection(input.layerResults),
     ...generateProductionSchemaSection(productionPreview, input.phase, deployStatus, env),
-    ...generateDbDeploySection(input.layerResults, gitBranchName, productionPreview, env)
+    ...generateDbDeploySection(
+      input.phase,
+      input.layerResults,
+      gitBranchName,
+      productionPreview,
+      env
+    )
   ];
   const jst = new Date(Date.now() + 9 * 60 * 60 * 1e3);
   const now = jst.toISOString().replace("T", " ").substring(0, 19);
@@ -8269,13 +8081,25 @@ function generateProgressCommentBody(input) {
 }
 
 // src/commands/ci/machine/formatters/github-comment.ts
+function getSkippedStepsForPhase(phase) {
+  switch (phase) {
+    case "test":
+      return ["syncSchema", "applySeeds", "observability"];
+    case "blocking":
+      return ["observability"];
+    case "observability":
+      return ["postSeedChecks", "staticChecks", "build", "runTests"];
+    default:
+      return [];
+  }
+}
 function createCommentInput(context, options) {
   const skippedLayerNumbers = Object.keys(context.layerSkipReasons || {}).map(Number);
   const originalSelectedLayers = [
     .../* @__PURE__ */ new Set([...skippedLayerNumbers, ...context.selectedLayers])
   ].sort((a, b) => a - b);
   return {
-    phase: context.input.phase ?? "all",
+    phase: context.phase,
     exitCode: context.exitCode,
     branchName: context.branchName,
     prContext: context.prContext,
@@ -8292,8 +8116,8 @@ function createCommentInput(context, options) {
   };
 }
 function createProgressCommentInput(context, currentStep, completedSteps, failedStep = null, stepTimings2) {
-  const phase = context.input.phase ?? "all";
-  const skippedSteps = phase === "test" ? ["syncSchema", "applySeeds", "observability"] : [];
+  const phase = context.phase;
+  const skippedSteps = getSkippedStepsForPhase(phase);
   return {
     phase,
     currentStep,
@@ -8728,6 +8552,8 @@ var ciMachine = setup({
     shouldInstallPgTap: ({ context }) => shouldInstallPgTap(context),
     shouldSetupRoles: ({ context }) => shouldSetupRoles(context),
     shouldPostGitHubComment: ({ context }) => shouldPostGitHubComment(context),
+    shouldRunPrExecutionPhase: ({ context }) => shouldRunPrExecutionPhase(context),
+    shouldRunPrObservabilityPhase: ({ context }) => shouldRunPrObservabilityPhase(context),
     isDryRun: ({ context }) => isDryRun(context),
     hasError: ({ context }) => hasError(context),
     allTestsPassed: ({ context }) => allTestsPassed(context)
@@ -9062,8 +8888,14 @@ var ciMachine = setup({
       },
       states: {
         execution: {
-          initial: "setupRoles",
+          initial: "gate",
           states: {
+            gate: {
+              always: [
+                { guard: "shouldRunPrExecutionPhase", target: "setupRoles" },
+                { target: "done" }
+              ]
+            },
             setupRoles: {
               invoke: {
                 src: "setupRoles",
@@ -9357,8 +9189,14 @@ var ciMachine = setup({
           }
         },
         observability: {
-          initial: "productionPreview",
+          initial: "gate",
           states: {
+            gate: {
+              always: [
+                { guard: "shouldRunPrObservabilityPhase", target: "productionPreview" },
+                { target: "done" }
+              ]
+            },
             productionPreview: {
               always: [
                 {
@@ -10190,9 +10028,15 @@ function createSyntheticSummary(stepId, status, params = {}) {
   ];
 }
 function getBuildSkipReason(context) {
+  if (!shouldRunPrExecutionPhase(context)) {
+    return getExecutionSkipReason(context);
+  }
   return isCiLocalMode(context) ? "Skipped in ci-local mode" : context.input.skipBuild === true ? "Skipped by --skip-build" : "Skipped by step guard";
 }
 function getPlaywrightSkipReason(context) {
+  if (!shouldRunPrExecutionPhase(context)) {
+    return getExecutionSkipReason(context);
+  }
   if (isCiLocalMode(context)) return "Skipped in ci-local mode";
   if (!context.selectedLayers.includes(4)) return "Skipped because Layer 4 is not selected";
   if (shouldReusePreparedPlaywright(context)) {
@@ -10203,6 +10047,21 @@ function getPlaywrightSkipReason(context) {
   }
   return "Skipped by step guard";
 }
+function getObservabilitySkipReason(context) {
+  if (isTestPhase(context)) {
+    return "Skipped in phase=test; observability DB checks are disabled";
+  }
+  if (isBlockingPhase(context)) {
+    return "Skipped in phase=blocking; observability runs outside the blocking path";
+  }
+  return "Skipped by phase selection";
+}
+function getExecutionSkipReason(context) {
+  if (isObservabilityPhase(context)) {
+    return "Skipped in phase=observability; execution work is disabled";
+  }
+  return "Skipped by phase selection";
+}
 function getSyntheticBuildEntries(context, trackedStepIds, _stepStates, _nowMs) {
   const entries = [];
   const pushEntry = (entry) => {
@@ -10211,6 +10070,17 @@ function getSyntheticBuildEntries(context, trackedStepIds, _stepStates, _nowMs)
     entries.push(entry);
   };
   const syntheticTimingParams = {};
+  if (!shouldRunPrExecutionPhase(context)) {
+    const reason = getExecutionSkipReason(context);
+    pushEntry(createSkippedSummary("postSeedPr.execution.buildAndPlaywright.build", reason));
+    pushEntry(
+      createSkippedSummary("postSeedPr.execution.buildAndPlaywright.manifestGenerate", reason)
+    );
+    pushEntry(
+      createSkippedSummary("postSeedPr.execution.buildAndPlaywright.playwrightInstall", reason)
+    );
+    return entries;
+  }
   if (shouldSkipBuild(context)) {
     const reason = getBuildSkipReason(context);
     pushEntry(createSkippedSummary("postSeedPr.execution.buildAndPlaywright.build", reason));
@@ -10333,38 +10203,46 @@ function getSkippedStepEntries(context, trackedStepIds) {
     const entry = createSkippedSummary(stepId, reason);
     if (entry) skipped.push(entry);
   };
+  if (isCiPrMode(context) && !shouldRunPrObservabilityPhase(context)) {
+    const reason = getObservabilitySkipReason(context);
+    pushSkipped("postSeedPr.observability.productionPreview", reason);
+    pushSkipped("postSeedPr.observability.collectSchemaStats", reason);
+  }
   if (isTestPhase(context)) {
     pushSkipped("syncSchema", "Skipped in phase=test; reusing prepared database");
     pushSkipped("applySeeds", "Skipped in phase=test; reusing prepared database");
-    pushSkipped(
-      "postSeedPr.observability.productionPreview",
-      "Skipped in phase=test; observability DB checks are disabled"
-    );
-    pushSkipped(
-      "postSeedPr.observability.collectSchemaStats",
-      "Skipped in phase=test; observability DB checks are disabled"
-    );
   }
   if (!shouldPostGitHubComment(context) || context.prContext?.prNumber === null) {
     const commentReason = context.input.skipGithubComment === true ? "Skipped by --skip-github-comment" : context.executionEnv !== "github-actions" ? "Skipped outside GitHub Actions" : "Skipped because PR context is unavailable";
     pushSkipped("initialComment", commentReason);
     pushSkipped("finalize.postComment", commentReason);
   }
-  if (shouldSkipStaticChecks(context)) {
-    const reason = isCiLocalMode(context) ? "Skipped in ci-local mode" : context.input.skipStaticChecks === true ? "Skipped by --skip-static-checks" : "Skipped by step guard";
+  if (isCiPrMode(context) && !shouldRunPrExecutionPhase(context)) {
+    const reason = getExecutionSkipReason(context);
+    pushSkipped("postSeedPr.execution.setupRoles", reason);
     pushSkipped("postSeedPr.execution.staticChecks", reason);
-  }
-  if (shouldSkipBuild(context)) {
-    pushSkipped("postSeedPr.execution.buildAndPlaywright", getBuildSkipReason(context));
-  }
-  if (shouldSkipAppStart(context)) {
-    const reason = isCiLocalMode(context) ? "Skipped in ci-local mode" : !context.selectedLayers.includes(4) ? "Skipped because Layer 4 is not selected" : "Skipped by step guard";
+    pushSkipped("postSeedPr.execution.buildAndPlaywright", reason);
     pushSkipped("postSeedPr.execution.appStart", reason);
-  }
-  if (!context.selectedLayers.includes(4)) {
-    pushSkipped("postSeedPr.execution.e2ePhase", "Skipped because Layer 4 is not selected");
-  } else if (Object.values(context.layerResults).some((result) => result.status === "failed")) {
-    pushSkipped("postSeedPr.execution.e2ePhase", "Skipped because blocking core tests failed");
+    pushSkipped("postSeedPr.execution.capabilities", reason);
+    pushSkipped("postSeedPr.execution.runCoreTests", reason);
+    pushSkipped("postSeedPr.execution.e2ePhase", reason);
+  } else {
+    if (shouldSkipStaticChecks(context)) {
+      const reason = isCiLocalMode(context) ? "Skipped in ci-local mode" : context.input.skipStaticChecks === true ? "Skipped by --skip-static-checks" : "Skipped by step guard";
+      pushSkipped("postSeedPr.execution.staticChecks", reason);
+    }
+    if (shouldSkipBuild(context)) {
+      pushSkipped("postSeedPr.execution.buildAndPlaywright", getBuildSkipReason(context));
+    }
+    if (shouldSkipAppStart(context)) {
+      const reason = isCiLocalMode(context) ? "Skipped in ci-local mode" : !context.selectedLayers.includes(4) ? "Skipped because Layer 4 is not selected" : "Skipped by step guard";
+      pushSkipped("postSeedPr.execution.appStart", reason);
+    }
+    if (!context.selectedLayers.includes(4)) {
+      pushSkipped("postSeedPr.execution.e2ePhase", "Skipped because Layer 4 is not selected");
+    } else if (Object.values(context.layerResults).some((result) => result.status === "failed")) {
+      pushSkipped("postSeedPr.execution.e2ePhase", "Skipped because blocking core tests failed");
+    }
   }
   return skipped;
 }
@@ -10460,7 +10338,7 @@ var progressHeartbeatTimer = null;
 var latestSnapshot = null;
 var heartbeatStep = null;
 var heartbeatFailedStep = null;
-var progressUpdateSuccessCount = 0;
+var _progressUpdateSuccessCount = 0;
 var stepStartTime = Date.now();
 var currentTrackedStep = null;
 var stepTimings = {};
@@ -10484,7 +10362,7 @@ function resetProgressTracking() {
   latestSnapshot = null;
   heartbeatStep = null;
   heartbeatFailedStep = null;
-  progressUpdateSuccessCount = 0;
+  _progressUpdateSuccessCount = 0;
   previousActiveSteps = /* @__PURE__ */ new Set();
   stepStartTime = Date.now();
   currentTrackedStep = null;
@@ -10651,8 +10529,8 @@ ${generateProgressCommentBody(progressInput)}`;
         marker: "<!-- runa-ci-report -->",
         body
       });
-      progressUpdateSuccessCount++;
-    } catch (error) {
+      _progressUpdateSuccessCount++;
+    } catch (_error) {
     }
   };
   pendingProgressUpdate = doUpdate();
@@ -11006,7 +10884,7 @@ init_esm_shims();
 init_esm_shims();
 var CiModeSchema = z.enum(["ci-local", "ci-pr-local"]);
 var CiExecutionEnvSchema = z.enum(["github-actions", "local"]);
-var CiPhaseSchema = z.enum(["all", "test"]);
+var CiPhaseSchema = z.enum(["all", "blocking", "observability", "test"]);
 var CiDbModeSchema = z.enum(["auto", "local"]);
 var RepoKindSchema = z.enum(["monorepo", "pj-repo", "unknown"]);
 var StepStatusSchema = z.enum(["passed", "failed", "skipped", "killed", "timeout"]);
@@ -11235,7 +11113,6 @@ z.object({
 });
 z.object({
   allowLocalFallback: z.boolean(),
-  allowPartialPhases: z.boolean(),
   source: z.enum(["config", "default"])
 });
 z.object({
@@ -11614,28 +11491,27 @@ async function runCiPrCommand(options) {
   const skipStaticChecks = options.skipStaticChecks === true;
   const skipBuild = options.skipBuild === true;
   const phase = options.phase ?? "all";
+  const blockingPhase = phase === "blocking";
+  const observabilityPhase = phase === "observability";
   const testOnlyPhase = phase === "test";
+  const runExecutionPath = !observabilityPhase;
   const preparedRuntime = options.skipLocalDbStart === true || options.assumeSupabaseReady === true;
   const preparedPlaywright = options.skipPlaywrightInstall === true;
+  const dbDescription = testOnlyPhase ? "Skip schema apply/seed and reuse the prepared database" : observabilityPhase ? "db apply \u2192 db seed \u2192 production preview \u2192 schema stats" : blockingPhase ? "db apply \u2192 db seed \u2192 db:setup-roles (observability deferred)" : "db apply \u2192 db seed \u2192 (production preview \u2225 schema stats \u2225 db:setup-roles)";
   const planSteps = [
     {
       id: "setup",
       description: testOnlyPhase ? "Resolve repo/app context (optionally reuse pre-started local Supabase)" : preparedRuntime ? "Reuse workflow-prepared local Supabase runtime" : "Start local Supabase instance"
     },
-    ...testOnlyPhase ? [{ id: "db", description: "Skip schema apply/seed and reuse the prepared database" }] : [
-      {
-        id: "db",
-        description: "db apply \u2192 db seed \u2192 (production preview \u2225 schema stats \u2225 db:setup-roles)"
-      }
-    ],
-    ...skipStaticChecks ? [] : [{ id: "static", description: "pnpm type-check + pnpm lint (parallel)" }],
-    ...skipBuild ? [] : [
+    { id: "db", description: dbDescription },
+    ...!runExecutionPath || skipStaticChecks ? [] : [{ id: "static", description: "pnpm type-check + pnpm lint (parallel)" }],
+    ...!runExecutionPath || skipBuild ? [] : [
       {
         id: "build",
         description: preparedPlaywright ? "pnpm build \u2192 manifest:generate (reuse preinstalled Playwright)" : "pnpm build \u2192 manifest:generate + playwright install"
       }
     ],
-    { id: "test", description: "Start app \u2192 detect capabilities \u2192 run layers 1-4" },
+    ...!runExecutionPath ? [] : [{ id: "test", description: "Start app \u2192 detect capabilities \u2192 run layers 1-4" }],
     {
       id: "finalize",
       description: "Write ci-summary.json + post GitHub comment"