@runa-ai/runa-cli 0.7.3 → 0.8.0

package/dist/{db-S4V4ETDR.js → db-EPI2DQYN.js}

@@ -4,9 +4,9 @@ import { detectDatabaseStack, getStackPaths } from './chunk-CCKG5R4Y.js';
 import { categorizeRisks, detectSchemaRisks } from './chunk-PAWNJA3N.js';
 import './chunk-ZZOXM6Q4.js';
 import { createError } from './chunk-JQXOVCOP.js';
-import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-CKRLVEIO.js';
-export { resolveDatabaseUrl, tryResolveDatabaseUrl } from './chunk-CKRLVEIO.js';
-import { detectAppSchemas, normalizeDatabaseUrlForDdl, formatSchemasForSql } from './chunk-4XHZQRRK.js';
+import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-ZYT7OQJB.js';
+export { resolveDatabaseUrl, tryResolveDatabaseUrl } from './chunk-ZYT7OQJB.js';
+import { detectAppSchemas, getIdempotentProtectedTables, getIdempotentProtectedObjects, parseExpectedPartitions, queryActualPartitions, detectPartitionDrift, formatPartitionWarnings, normalizeDatabaseUrlForDdl, filterFalsePositiveHazards, formatSchemasForSql, PARTITION_OF_REGEX, extractQualifiedName, resolveIdempotentDir, readIdempotentSqlFiles, getIdempotentRoles } from './chunk-6E2DRXIL.js';
 import './chunk-UHDAYPHH.js';
 import { splitPlpgsqlStatementsWithOffsets, extractExecuteExpressions, extractStaticSqlFromExpression } from './chunk-Y5ANTCKE.js';
 import { loadEnvFiles } from './chunk-WPMR7RQ4.js';
@@ -15,7 +15,7 @@ import { validateUserFilePath, filterSafePaths, resolveSafePath } from './chunk-
 import { runMachine } from './chunk-QDF7QXBL.js';
 import './chunk-XVNDDHAF.js';
 import { extractSchemaTablesAndEnums, fetchDbTablesAndEnums, extractTablesFromIdempotentSql, diffSchema, generateTablesManifest, writeEnvLocalBridge, removeEnvLocalBridge } from './chunk-OBYZDT2E.js';
-import { parsePostgresUrl, buildPsqlEnv, buildPsqlArgs, psqlSyncQuery, blankDollarQuotedBodies, stripSqlComments, psqlSyncBatch, psqlSyncFile, psqlExec, psqlQuery } from './chunk-A6A7JIRD.js';
+import { parsePostgresUrl, buildPsqlEnv, buildPsqlArgs, psqlSyncQuery, psqlSyncBatch, psqlSyncFile, psqlExec, psqlQuery, blankDollarQuotedBodies, stripSqlComments } from './chunk-A6A7JIRD.js';
 import { redactSecrets } from './chunk-II7VYQEM.js';
 import { init_local_supabase, buildLocalDatabaseUrl, init_constants, detectLocalSupabasePorts, DATABASE_DEFAULTS, SEED_DEFAULTS, SCRIPT_LOCATIONS } from './chunk-QSEF4T3Y.js';
 export { DATABASE_DEFAULTS, SCRIPT_LOCATIONS, SEED_DEFAULTS } from './chunk-QSEF4T3Y.js';
@@ -31,8 +31,8 @@ import { CommandOutcomeSchema, createCLILogger, CLIError, dbGenerateDiagram, DbD
 import { fromPromise, setup, assign, createActor } from 'xstate';
 import { z } from 'zod';
 import { spawn, spawnSync, execFileSync } from 'child_process';
-import { existsSync, mkdirSync, copyFileSync, readdirSync, mkdtempSync, readFileSync, writeFileSync, rmSync, lstatSync, unlinkSync, statSync } from 'fs';
-import path15, { join, dirname, resolve, basename, relative } from 'path';
+import path15, { join, dirname, resolve, relative } from 'path';
+import { existsSync, mkdirSync, copyFileSync, readdirSync, mkdtempSync, readFileSync, writeFileSync, rmSync, unlinkSync, lstatSync, statSync } from 'fs';
 import crypto, { randomBytes, randomUUID } from 'crypto';
 import { tmpdir } from 'os';
 import { writeFile, appendFile, readFile, stat, realpath } from 'fs/promises';
@@ -118,6 +118,17 @@ var DbApplyMetricsSchema = z.object({
   /** Number of retry attempts for lock_timeout */
   retryAttempts: z.number().optional()
 });
+var DbApplyPlanSummarySchema = z.object({
+  rawStatements: z.number().int().nonnegative(),
+  effectiveStatements: z.number().int().nonnegative(),
+  noiseStatements: z.number().int().nonnegative(),
+  categories: z.object({
+    idempotentDrop: z.number().int().nonnegative(),
+    idempotentAuthz: z.number().int().nonnegative(),
+    idempotentRls: z.number().int().nonnegative(),
+    suppressedFunction: z.number().int().nonnegative()
+  }).strict()
+}).strict();
 var DbApplyOutputSchema = z.object({
   success: z.boolean(),
   idempotentSchemasApplied: z.number(),
@@ -143,6 +154,12 @@ var DbApplyOutputSchema = z.object({
    * SQL that is actually shown as executable in check mode (after idempotent drop filtering)
    */
   filteredPlanSql: z.string().optional(),
+  /**
+   * Statement counts for check-mode / compare-only plan review.
+   * Separates structural statements from metadata noise and semantically
+   * suppressed function churn.
+   */
+  planSummary: DbApplyPlanSummarySchema.optional(),
   /**
    * Whether this was a check (dry-run) only
    */
@@ -819,249 +836,20 @@ function validatePlanForExecution(plan, allowedHazardTypes) {
   }
 }
 
-// src/commands/db/apply/helpers/plan-check-filter.ts
-init_esm_shims();
-
-// src/commands/db/apply/helpers/idempotent-object-registry.ts
-init_esm_shims();
-
-// src/commands/db/apply/helpers/partition-validator.ts
+// src/commands/db/apply/helpers/no-change-plan.ts
 init_esm_shims();
-var QUALIFIED_NAME = '(?:(?:"([^"]+)"|([a-zA-Z_][a-zA-Z0-9_]*))\\s*\\.\\s*)?(?:"([^"]+)"|([a-zA-Z_][a-zA-Z0-9_]*))';
-var PARTITION_OF_REGEX = new RegExp(
-  `CREATE\\s+TABLE\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?${QUALIFIED_NAME}\\s+PARTITION\\s+OF\\s+${QUALIFIED_NAME}`,
-  "gi"
-);
-function extractQualifiedName(quotedSchema, unquotedSchema, quotedTable, unquotedTable) {
-  const schema = quotedSchema || unquotedSchema || "";
-  const table = quotedTable || unquotedTable || "";
-  return schema ? `${schema}.${table}` : table;
-}
-function parseExpectedPartitions(idempotentDir) {
-  if (!existsSync(idempotentDir)) return [];
-  const files = readdirSync(idempotentDir).filter((f) => f.endsWith(".sql")).sort();
-  const partitions = [];
-  for (const file of files) {
-    const fullPath = join(idempotentDir, file);
-    try {
-      if (lstatSync(fullPath).isSymbolicLink()) continue;
-    } catch {
-      continue;
-    }
-    const raw = readFileSync(fullPath, "utf-8");
-    const cleaned = blankDollarQuotedBodies(stripSqlComments(raw));
-    for (const match of cleaned.matchAll(PARTITION_OF_REGEX)) {
-      const child = extractQualifiedName(match[1], match[2], match[3], match[4]);
-      const parent = extractQualifiedName(match[5], match[6], match[7], match[8]);
-      partitions.push({ child, parent, sourceFile: basename(file) });
-    }
-  }
-  return partitions;
-}
-function isValidSchemaName(name) {
-  return /^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name);
-}
-function queryActualPartitions(dbUrl, schemas) {
-  if (schemas.length === 0) return /* @__PURE__ */ new Map();
-  const validSchemas = schemas.filter(isValidSchemaName);
-  if (validSchemas.length === 0) return /* @__PURE__ */ new Map();
-  const schemaList = validSchemas.map((s) => `'${s}'`).join(", ");
-  const sql = `
-    SELECT
-      child_ns.nspname || '.' || child.relname AS child_name,
-      parent_ns.nspname || '.' || parent.relname AS parent_name
-    FROM pg_inherits i
-    JOIN pg_class child ON child.oid = i.inhrelid
-    JOIN pg_namespace child_ns ON child_ns.oid = child.relnamespace
-    JOIN pg_class parent ON parent.oid = i.inhparent
-    JOIN pg_namespace parent_ns ON parent_ns.oid = parent.relnamespace
-    WHERE child.relkind IN ('r', 'p')
-      AND child_ns.nspname IN (${schemaList})
-  `;
-  const result = psqlSyncQuery({ databaseUrl: dbUrl, sql: sql.trim(), timeout: 1e4 });
-  const map = /* @__PURE__ */ new Map();
-  if (result.status !== 0) return map;
-  const lines = (result.stdout || "").split("\n").filter((l) => l.trim());
-  for (const line of lines) {
-    const parts = line.split("|").map((p) => p.trim());
-    if (parts.length === 2 && parts[0] && parts[1]) {
-      map.set(parts[0], parts[1]);
-    }
-  }
-  return map;
-}
-function detectPartitionDrift(expected, actual) {
-  const missing = expected.filter((ep) => !actual.has(ep.child));
-  return { missing };
-}
-function formatPartitionWarnings(drift) {
-  return drift.missing.map(
-    (ep) => `Missing partition: ${ep.child} (PARTITION OF ${ep.parent}, defined in ${ep.sourceFile})`
-  );
-}
-
-// src/commands/db/apply/helpers/idempotent-object-registry.ts
-function resolveIdempotentDir(schemasDir) {
-  return schemasDir ? join(schemasDir, "..", "idempotent") : join(process.cwd(), "supabase", "schemas", "idempotent");
-}
-function readIdempotentSqlFiles(idempotentDir) {
-  if (!existsSync(idempotentDir)) return null;
-  try {
-    const files = readdirSync(idempotentDir).filter((f) => f.endsWith(".sql"));
-    return files.map((file) => ({
-      file,
-      content: stripSqlComments(readFileSync(join(idempotentDir, file), "utf-8"))
-    }));
-  } catch {
-    return null;
-  }
-}
-function readIdempotentSqlContent(idempotentDir) {
-  const files = readIdempotentSqlFiles(idempotentDir);
-  if (!files) return null;
-  return files.map((f) => f.content).join("\n");
-}
-function extractQualifiedName2(m, schemaIdx1, schemaIdx2, nameIdx1, nameIdx2) {
-  const schema = (m[schemaIdx1] ?? m[schemaIdx2] ?? "").toLowerCase();
-  const name = (m[nameIdx1] ?? m[nameIdx2] ?? "").toLowerCase();
-  return schema ? `${schema}.${name}` : name;
-}
-var cachedIdempotentRoles = null;
-function getIdempotentRoles(schemasDir) {
-  if (cachedIdempotentRoles !== null) {
-    return cachedIdempotentRoles;
-  }
-  const roles = [];
-  const idempotentDir = resolveIdempotentDir(schemasDir);
-  const sqlFiles = readIdempotentSqlFiles(idempotentDir);
-  if (!sqlFiles) {
-    cachedIdempotentRoles = [];
-    return [];
-  }
-  for (const { content } of sqlFiles) {
-    const roleMatches = content.matchAll(/CREATE\s+ROLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)/gi);
-    for (const match of roleMatches) {
-      if (match[1]) {
-        roles.push(match[1].toLowerCase());
-      }
-    }
-    const existsMatches = content.matchAll(/rolname\s*=\s*'(\w+)'/gi);
-    for (const match of existsMatches) {
-      if (match[1] && !roles.includes(match[1].toLowerCase())) {
-        roles.push(match[1].toLowerCase());
-      }
-    }
-  }
-  cachedIdempotentRoles = [...new Set(roles)];
-  return cachedIdempotentRoles;
-}
-function getIdempotentProtectedTables(schemasDir, configExclusions) {
-  const tables = /* @__PURE__ */ new Set();
-  const idempotentDir = resolveIdempotentDir(schemasDir);
-  const sqlFiles = readIdempotentSqlFiles(idempotentDir);
-  if (sqlFiles) {
-    for (const { content } of sqlFiles) {
-      const matches = content.matchAll(
-        /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:"([^"]+)"|(\w+))\.(?:"([^"]+)"|(\w+))/gi
-      );
-      for (const m of matches) {
-        const schema = (m[1] ?? m[2]).toLowerCase();
-        const table = (m[3] ?? m[4]).toLowerCase();
-        tables.add(`${schema}.${table}`);
-      }
-    }
-  }
-  if (configExclusions) {
-    for (const pattern of configExclusions) {
-      tables.add(pattern.toLowerCase());
-    }
-  }
-  return [...tables];
-}
-function getIdempotentProtectedObjects(schemasDir, configExclusions) {
-  const tables = getIdempotentProtectedTables(schemasDir, configExclusions);
-  const functions = /* @__PURE__ */ new Set();
-  const triggers = /* @__PURE__ */ new Set();
-  const views = /* @__PURE__ */ new Set();
-  const types = /* @__PURE__ */ new Set();
-  const sequences = /* @__PURE__ */ new Set();
-  const idempotentDir = resolveIdempotentDir(schemasDir);
-  const content = readIdempotentSqlContent(idempotentDir);
-  if (!content) {
-    return { tables, functions: [], triggers: [], views: [], types: [], sequences: [] };
-  }
-  const funcRe = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))\s*\(/gi;
-  for (const m of content.matchAll(funcRe)) {
-    functions.add(extractQualifiedName2(m, 1, 2, 3, 4));
-  }
-  const trigRe = /CREATE\s+(?:OR\s+REPLACE\s+)?TRIGGER\s+(?:"([^"]+)"|(\w+))\s+.*?\s+ON\s+(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
-  for (const m of content.matchAll(trigRe)) {
-    const trigName = (m[1] ?? m[2] ?? "").toLowerCase();
-    const tblSchema = (m[3] ?? m[4] ?? "").toLowerCase();
-    const tblName = (m[5] ?? m[6] ?? "").toLowerCase();
-    const qualified = tblSchema ? `${tblSchema}.${trigName}` : trigName;
-    triggers.add(qualified);
-    if (tblSchema) {
-      triggers.add(`${tblSchema}.${trigName}_on_${tblName}`);
-    }
-  }
-  const viewRe = /CREATE\s+(?:OR\s+REPLACE\s+)?(?:MATERIALIZED\s+)?VIEW\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
-  for (const m of content.matchAll(viewRe)) {
-    views.add(extractQualifiedName2(m, 1, 2, 3, 4));
-  }
-  const typeRe = /CREATE\s+TYPE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
-  for (const m of content.matchAll(typeRe)) {
-    types.add(extractQualifiedName2(m, 1, 2, 3, 4));
-  }
-  const seqRe = /CREATE\s+SEQUENCE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))/gi;
-  for (const m of content.matchAll(seqRe)) {
-    sequences.add(extractQualifiedName2(m, 1, 2, 3, 4));
-  }
-  return {
-    tables,
-    functions: [...functions],
-    triggers: [...triggers],
-    views: [...views],
-    types: [...types],
-    sequences: [...sequences]
-  };
-}
-function isIdempotentRoleHazard(hazard, schemasDir) {
-  if (hazard.type !== "AUTHZ_UPDATE") {
-    return false;
-  }
-  const idempotentRoles = getIdempotentRoles(schemasDir);
-  if (idempotentRoles.length === 0) {
-    return false;
-  }
-  const sql = hazard.causingSql?.trim().toLowerCase() || "";
-  const isGrantRevoke = /^\s*(?:grant|revoke)\b/i.test(sql);
-  if (!isGrantRevoke) {
-    return false;
-  }
-  for (const role of idempotentRoles) {
-    const escapedRole = role.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const roleRegex = new RegExp(`\\b${escapedRole}\\b`, "i");
-    if (roleRegex.test(sql)) {
-      return true;
-    }
+function isNoChangePlanOutput(planOutput) {
+  if (!planOutput.trim()) {
+    return true;
   }
-  return false;
-}
-function filterFalsePositiveHazards(hazards, schemasDir) {
-  const filtered = [];
-  const falsePositives = [];
-  for (const hazard of hazards) {
-    if (isIdempotentRoleHazard(hazard, schemasDir)) {
-      falsePositives.push(hazard);
-    } else {
-      filtered.push(hazard);
-    }
+  if (planOutput.includes("No changes")) {
+    return true;
   }
-  return { filtered, falsePositives };
+  return parsePlanOutput(planOutput).totalStatements === 0;
 }
 
 // src/commands/db/apply/helpers/plan-check-filter.ts
+init_esm_shims();
 var FUNCTION_AUTHZ_ROLES = /* @__PURE__ */ new Set(["authenticated", "public", "service_role"]);
 var cachedManagedAuthz;
 function stripWrappingQuotes(value) {
@@ -1114,6 +902,21 @@ function parseSystemSchemas(sqlFiles) {
   }
   return systemSchemas;
 }
+function parseManagedRlsTables(sqlFiles) {
+  const rlsManagedTables = /* @__PURE__ */ new Set();
+  const rlsRegex = /\bALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))\s+(?:ENABLE|DISABLE|FORCE|NO\s+FORCE)\s+ROW\s+LEVEL\s+SECURITY\b/gi;
+  for (const { content } of sqlFiles) {
+    for (const match of content.matchAll(rlsRegex)) {
+      const schema = (match[1] ?? match[2] ?? "public").toLowerCase();
+      const name = (match[3] ?? match[4] ?? "").toLowerCase();
+      if (!name) {
+        continue;
+      }
+      rlsManagedTables.add(`${schema}.${name}`);
+    }
+  }
+  return rlsManagedTables;
+}
 function getManagedAuthzConfig(schemasDir) {
   const idempotentDir = resolveIdempotentDir(schemasDir);
   if (cachedManagedAuthz?.key === idempotentDir) {
@@ -1123,7 +926,8 @@ function getManagedAuthzConfig(schemasDir) {
   const config = {
     functionTargets: parseManagedFunctionTargets(sqlFiles),
     idempotentRoles: new Set(getIdempotentRoles(schemasDir)),
-    systemSchemas: parseSystemSchemas(sqlFiles)
+    systemSchemas: parseSystemSchemas(sqlFiles),
+    rlsManagedTables: parseManagedRlsTables(sqlFiles)
   };
   cachedManagedAuthz = { key: idempotentDir, value: config };
   return config;
@@ -1211,6 +1015,28 @@ function isIdempotentManagedAuthzStatement(sql, schemasDir) {
   }
   return isRoleManagedAuthz(target, roles, config);
 }
+function parseRlsTarget(sql) {
+  const match = sql.match(
+    /\bALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:(?:"([^"]+)"|(\w+))\.)?(?:"([^"]+)"|(\w+))\s+(?:ENABLE|DISABLE|FORCE|NO\s+FORCE)\s+ROW\s+LEVEL\s+SECURITY\b/i
+  );
+  if (!match) {
+    return null;
+  }
+  const schema = (match[1] ?? match[2] ?? "public").toLowerCase();
+  const name = (match[3] ?? match[4] ?? "").toLowerCase();
+  return name ? `${schema}.${name}` : null;
+}
+function isIdempotentManagedRlsStatement(sql, schemasDir) {
+  const normalized = stripLeadingSessionStatements(sql).trim();
+  if (!/^ALTER\s+TABLE\b/i.test(normalized)) {
+    return false;
+  }
+  const target = parseRlsTarget(normalized);
+  if (!target) {
+    return false;
+  }
+  return getManagedAuthzConfig(schemasDir).rlsManagedTables.has(target);
+}
 function rebuildPlan(statements, sourcePlan) {
   return {
     statements,
@@ -1226,18 +1052,39 @@ function filterCheckModePlanStatements(plan, protectedTables, protectedObjects,
     protectedObjects
   );
   const removedAuthzStatements = [];
+  const removedRlsStatements = [];
   const keptStatements = [];
   for (const statement of dropFilterResult.filteredPlan.statements) {
     if (isIdempotentManagedAuthzStatement(statement.sql, schemasDir)) {
       removedAuthzStatements.push(statement);
       continue;
     }
+    if (isIdempotentManagedRlsStatement(statement.sql, schemasDir)) {
+      removedRlsStatements.push(statement);
+      continue;
+    }
     keptStatements.push(statement);
   }
   return {
     filteredPlan: rebuildPlan(keptStatements, dropFilterResult.filteredPlan),
     removedDropStatements: dropFilterResult.removedStatements,
-    removedAuthzStatements
+    removedAuthzStatements,
+    removedRlsStatements
+  };
+}
+function buildCheckModePlanSummary(params) {
+  const categories = {
+    idempotentDrop: params.removedDropStatements.length,
+    idempotentAuthz: params.removedAuthzStatements.length,
+    idempotentRls: params.removedRlsStatements.length,
+    suppressedFunction: params.suppressedFunctionStatements?.length ?? 0
+  };
+  const noiseStatements = categories.idempotentDrop + categories.idempotentAuthz + categories.idempotentRls + categories.suppressedFunction;
+  return {
+    rawStatements: params.rawStatementCount,
+    effectiveStatements: params.filteredPlan.statements.length,
+    noiseStatements,
+    categories
   };
 }
 
@@ -1404,33 +1251,63 @@ function summarizePreviewStatement(sql) {
   });
   return meaningfulLine ?? lines[0] ?? normalizedSql.trim();
 }
-function displayCheckModeResults(planOutput, filterInfo) {
-  if (filterInfo && filterInfo.removedDropStatements.length > 0) {
+function displayCheckModeResults(planOutput, options = {}) {
+  const filterInfo = options.filterInfo;
+  const verbose = options.verbose === true;
+  if (filterInfo?.planSummary) {
     logger3.info(
-      `Filtered ${filterInfo.removedDropStatements.length} idempotent-managed DROP statement(s):`
+      `Plan summary: ${filterInfo.planSummary.rawStatements} raw statement(s), ${filterInfo.planSummary.effectiveStatements} structural, ${filterInfo.planSummary.noiseStatements} collapsed noise`
     );
-    for (const stmt of filterInfo.removedDropStatements) {
-      logger3.info(`  Skipped: ${stmt.sql.split("\n")[0]}`);
+    const categoryLabels = [
+      ["idempotent DROP", filterInfo.planSummary.categories.idempotentDrop],
+      ["idempotent AUTHZ", filterInfo.planSummary.categories.idempotentAuthz],
+      ["idempotent RLS", filterInfo.planSummary.categories.idempotentRls],
+      ["semantic function suppression", filterInfo.planSummary.categories.suppressedFunction]
+    ];
+    const summary = categoryLabels.filter(([, count]) => count > 0).map(([label, count]) => `${count} ${label}`).join(", ");
+    if (summary) {
+      logger3.info(`Collapsed noise: ${summary}`);
     }
     logger3.info("");
   }
-  if (filterInfo && filterInfo.removedAuthzStatements.length > 0) {
-    logger3.info(
-      `Filtered ${filterInfo.removedAuthzStatements.length} idempotent-managed AUTHZ statement(s):`
-    );
-    const previewStatements = filterInfo.removedAuthzStatements.slice(0, 10);
-    for (const stmt of previewStatements) {
-      logger3.info(`  Skipped: ${summarizePreviewStatement(stmt.sql)}`);
+  const verboseNoiseSections = [
+    {
+      title: "idempotent-managed DROP statement(s)",
+      statements: filterInfo?.removedDropStatements ?? []
+    },
+    {
+      title: "idempotent-managed AUTHZ statement(s)",
+      statements: filterInfo?.removedAuthzStatements ?? []
+    },
+    {
+      title: "idempotent-managed RLS statement(s)",
+      statements: filterInfo?.removedRlsStatements ?? []
+    },
+    {
+      title: "semantically equivalent function statement(s)",
+      statements: filterInfo?.suppressedFunctionStatements ?? []
     }
-    const remainingStatements = filterInfo.removedAuthzStatements.length - previewStatements.length;
-    if (remainingStatements > 0) {
-      logger3.info(`  ... (${remainingStatements} more idempotent-managed AUTHZ statement(s))`);
+  ];
+  if (verbose) {
+    for (const section of verboseNoiseSections) {
+      if (section.statements.length === 0) continue;
+      logger3.info(`Filtered ${section.statements.length} ${section.title}:`);
+      const previewStatements = section.statements.slice(0, 10);
+      for (const stmt of previewStatements) {
+        logger3.info(`  Skipped: ${summarizePreviewStatement(stmt.sql)}`);
+      }
+      const remainingStatements = section.statements.length - previewStatements.length;
+      if (remainingStatements > 0) {
+        logger3.info(`  ... (${remainingStatements} more statement(s))`);
+      }
+      logger3.info("");
     }
-    logger3.info("");
   }
   const displaySql = filterInfo?.filteredPlanSql ?? planOutput;
   if (filterInfo && displaySql === "-- No changes after filtering") {
-    logger3.success("Check mode: All changes are for idempotent-managed objects (nothing to apply)");
+    logger3.success(
+      "Check mode: Only idempotent-managed metadata noise or semantically equivalent function churn detected"
+    );
     return;
   }
   logger3.success("Check mode: Schema changes detected (not applied)");
@@ -6045,6 +5922,685 @@ var previewIdempotentSchemas = fromPromise(async ({ input: { input, targetDir }
 
 // src/commands/db/apply/actors/pg-schema-diff-actors.ts
 init_esm_shims();
+
+// src/commands/db/utils/duplicate-function-ownership.ts
+init_esm_shims();
+var DUPLICATE_FUNCTION_OWNERSHIP_NOTE = "Function ownership belongs to declarative SQL; idempotent 2nd pass must not redefine declarative-managed functions.";
+var TYPE_START_KEYWORDS = /* @__PURE__ */ new Set([
+  "bigint",
+  "bigserial",
+  "bit",
+  "boolean",
+  "box",
+  "bytea",
+  "char",
+  "character",
+  "cidr",
+  "circle",
+  "date",
+  "decimal",
+  "double",
+  "float",
+  "float4",
+  "float8",
+  "inet",
+  "int",
+  "int2",
+  "int4",
+  "int8",
+  "integer",
+  "interval",
+  "json",
+  "jsonb",
+  "line",
+  "lseg",
+  "macaddr",
+  "money",
+  "numeric",
+  "path",
+  "pg_lsn",
+  "point",
+  "polygon",
+  "real",
+  "record",
+  "serial",
+  "smallint",
+  "smallserial",
+  "text",
+  "time",
+  "timestamp",
+  "timestamptz",
+  "timetz",
+  "tsquery",
+  "tsvector",
+  "txid_snapshot",
+  "uuid",
+  "varchar",
+  "varying",
+  "void",
+  "xml"
+]);
+function createFunctionDefinitionRegex() {
+  return new RegExp(FUNCTION_DEFINITION_RE.source, FUNCTION_DEFINITION_RE.flags);
+}
+function normalizeSignatureText(signature) {
+  return signature.replace(/\s+/g, " ").replace(/\s*,\s*/g, ", ").trim();
+}
+function splitTopLevelCommaSeparated(input) {
+  const parts = [];
+  let current = "";
+  let depth = 0;
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let activeDollarTag = null;
+  for (let index = 0; index < input.length; index += 1) {
+    if (activeDollarTag) {
+      if (input.startsWith(activeDollarTag, index)) {
+        current += activeDollarTag;
+        index += activeDollarTag.length - 1;
+        activeDollarTag = null;
+        continue;
+      }
+      current += input[index] ?? "";
+      continue;
+    }
+    const char = input[index] ?? "";
+    const next = input[index + 1] ?? "";
+    if (inSingleQuote) {
+      current += char;
+      if (char === "'" && next === "'") {
+        current += next;
+        index += 1;
+        continue;
+      }
+      if (char === "'") {
+        inSingleQuote = false;
+      }
+      continue;
+    }
+    if (inDoubleQuote) {
+      current += char;
+      if (char === '"' && next === '"') {
+        current += next;
+        index += 1;
+        continue;
+      }
+      if (char === '"') {
+        inDoubleQuote = false;
+      }
+      continue;
+    }
+    if (char === "'") {
+      inSingleQuote = true;
+      current += char;
+      continue;
+    }
+    if (char === '"') {
+      inDoubleQuote = true;
+      current += char;
+      continue;
+    }
+    if (char === "$") {
+      const dollarTag = tryMatchDollarTag(input, index);
+      if (dollarTag) {
+        activeDollarTag = dollarTag;
+        current += dollarTag;
+        index += dollarTag.length - 1;
+        continue;
+      }
+    }
+    if (char === "(" || char === "[") {
+      depth += 1;
+      current += char;
+      continue;
+    }
+    if (char === ")" || char === "]") {
+      depth = Math.max(0, depth - 1);
+      current += char;
+      continue;
+    }
+    if (char === "," && depth === 0) {
+      parts.push(current.trim());
+      current = "";
+      continue;
+    }
+    current += char;
+  }
+  if (inSingleQuote || inDoubleQuote || activeDollarTag) {
+    return null;
+  }
+  parts.push(current.trim());
+  return parts.filter((part) => part.length > 0);
+}
+function splitTopLevelWhitespace(input) {
+  const tokens = [];
+  let current = "";
+  let depth = 0;
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let activeDollarTag = null;
+  for (let index = 0; index < input.length; index += 1) {
+    if (activeDollarTag) {
+      if (input.startsWith(activeDollarTag, index)) {
+        current += activeDollarTag;
+        index += activeDollarTag.length - 1;
+        activeDollarTag = null;
+        continue;
+      }
+      current += input[index] ?? "";
+      continue;
+    }
+    const char = input[index] ?? "";
+    const next = input[index + 1] ?? "";
+    if (inSingleQuote) {
+      current += char;
+      if (char === "'" && next === "'") {
+        current += next;
+        index += 1;
+        continue;
+      }
+      if (char === "'") {
+        inSingleQuote = false;
+      }
+      continue;
+    }
+    if (inDoubleQuote) {
+      current += char;
+      if (char === '"' && next === '"') {
+        current += next;
+        index += 1;
+        continue;
+      }
+      if (char === '"') {
+        inDoubleQuote = false;
+      }
+      continue;
+    }
+    if (char === "'") {
+      inSingleQuote = true;
+      current += char;
+      continue;
+    }
+    if (char === '"') {
+      inDoubleQuote = true;
+      current += char;
+      continue;
+    }
+    if (char === "$") {
+      const dollarTag = tryMatchDollarTag(input, index);
+      if (dollarTag) {
+        activeDollarTag = dollarTag;
+        current += dollarTag;
+        index += dollarTag.length - 1;
+        continue;
+      }
+    }
+    if (char === "(" || char === "[") {
+      depth += 1;
+      current += char;
+      continue;
+    }
+    if (char === ")" || char === "]") {
+      depth = Math.max(0, depth - 1);
+      current += char;
+      continue;
+    }
+    if (/\s/.test(char) && depth === 0) {
+      if (current.trim().length > 0) {
+        tokens.push(current.trim());
+        current = "";
+      }
+      continue;
+    }
+    current += char;
+  }
+  if (inSingleQuote || inDoubleQuote || activeDollarTag) {
+    return null;
+  }
+  if (current.trim().length > 0) {
+    tokens.push(current.trim());
+  }
+  return tokens;
+}
+function findTopLevelDefaultIndex(input) {
+  let depth = 0;
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let activeDollarTag = null;
+  for (let index = 0; index < input.length; index += 1) {
+    if (activeDollarTag) {
+      if (input.startsWith(activeDollarTag, index)) {
+        index += activeDollarTag.length - 1;
+        activeDollarTag = null;
+      }
+      continue;
+    }
+    const char = input[index] ?? "";
+    const next = input[index + 1] ?? "";
+    if (inSingleQuote) {
+      if (char === "'" && next === "'") {
+        index += 1;
+        continue;
+      }
+      if (char === "'") {
+        inSingleQuote = false;
+      }
+      continue;
+    }
+    if (inDoubleQuote) {
+      if (char === '"' && next === '"') {
+        index += 1;
+        continue;
+      }
+      if (char === '"') {
+        inDoubleQuote = false;
+      }
+      continue;
+    }
+    if (char === "'") {
+      inSingleQuote = true;
+      continue;
+    }
+    if (char === '"') {
+      inDoubleQuote = true;
+      continue;
+    }
+    if (char === "$") {
+      const dollarTag = tryMatchDollarTag(input, index);
+      if (dollarTag) {
+        activeDollarTag = dollarTag;
+        index += dollarTag.length - 1;
+        continue;
+      }
+    }
+    if (char === "(" || char === "[") {
+      depth += 1;
+      continue;
+    }
+    if (char === ")" || char === "]") {
+      depth = Math.max(0, depth - 1);
+      continue;
+    }
+    if (depth === 0 && char === "=") {
+      return index;
+    }
+    if (depth === 0 && input.slice(index).match(/^DEFAULT\b/i) && (index === 0 || /\s/.test(input[index - 1] ?? " "))) {
+      return index;
+    }
+  }
+  return null;
+}
+function stripDefaultExpression(argument) {
+  const defaultIndex = findTopLevelDefaultIndex(argument);
+  if (defaultIndex == null) {
+    return argument.trim();
+  }
+  return argument.slice(0, defaultIndex).trim();
+}
+function normalizeTypeTokenText(tokens) {
+  const normalized = tokens.join(" ").replace(/\s+/g, " ").replace(/\s+\(/g, "(").replace(/\(\s+/g, "(").replace(/\s+\)/g, ")").replace(/\s+\[/g, "[").replace(/\[\s+/g, "[").replace(/\s+\]/g, "]").replace(/\s*,\s*/g, ", ").trim().toLowerCase();
+  return canonicalizeTypeAlias(normalized);
+}
+function canonicalizeTypeAlias(typeText) {
+  const aliasReplacements = [
+    [/^int$/g, "integer"],
+    [/\bint4\b/g, "integer"],
+    [/\bint8\b/g, "bigint"],
+    [/\bint2\b/g, "smallint"],
+    [/\bfloat8\b/g, "double precision"],
+    [/\bfloat4\b/g, "real"],
+    [/\bdecimal\b/g, "numeric"],
+    [/\bcharacter varying\b/g, "varchar"],
+    [/\bcharacter\b/g, "char"],
+    [/\btimestamp with time zone\b/g, "timestamptz"],
+    [/\btimestamp without time zone\b/g, "timestamp"],
+    [/\btime with time zone\b/g, "timetz"],
+    [/\btime without time zone\b/g, "time"]
+  ];
+  return aliasReplacements.reduce(
+    (current, [pattern, replacement]) => current.replace(pattern, replacement),
+    typeText
+  );
+}
+function normalizeIdentifierToken(token) {
+  return token.replace(/^"|"$/g, "").toLowerCase();
+}
+function looksLikeNamedArgumentToken(token) {
+  return /^"[^"]+"$/.test(token) || /^[A-Za-z_][A-Za-z0-9_]*$/.test(token);
+}
+function looksLikeTypeTokens(tokens) {
+  if (tokens.length === 0) {
+    return false;
+  }
+  const first = normalizeIdentifierToken(tokens[0] ?? "");
+  if (TYPE_START_KEYWORDS.has(first)) {
+    return true;
+  }
+  if (first.includes(".") || first.includes("%type") || first.endsWith("[]") || tokens[0]?.includes("(") || tokens[0]?.includes("[")) {
+    return true;
+  }
+  return tokens.length === 1;
+}
+function normalizeArgumentIdentity(argument) {
+  const withoutDefault = stripDefaultExpression(argument);
+  const tokens = splitTopLevelWhitespace(withoutDefault);
+  if (!tokens || tokens.length === 0) {
+    return null;
+  }
+  let index = 0;
+  let mode = null;
+  const firstToken = normalizeIdentifierToken(tokens[index] ?? "");
+  const secondToken = normalizeIdentifierToken(tokens[index + 1] ?? "");
+  if (firstToken === "in" && secondToken === "out") {
+    mode = "inout";
+    index += 2;
+  } else if (firstToken === "in" || firstToken === "out" || firstToken === "inout") {
+    mode = firstToken;
+    index += 1;
+  } else if (firstToken === "variadic") {
+    mode = "variadic";
+    index += 1;
+  }
+  let remaining = tokens.slice(index);
+  if (remaining.length === 0) {
+    return null;
+  }
+  if (mode === "out") {
+    return null;
+  }
+  const shouldDropName = remaining.length > 1 && looksLikeNamedArgumentToken(remaining[0] ?? "") && !TYPE_START_KEYWORDS.has(normalizeIdentifierToken(remaining[0] ?? "")) && looksLikeTypeTokens(remaining.slice(1));
+  if (shouldDropName) {
+    remaining = remaining.slice(1);
+  }
+  if (remaining.length === 0) {
+    return null;
+  }
+  const normalizedType = normalizeTypeTokenText(remaining);
+  if (!normalizedType) {
+    return null;
+  }
+  return mode === "variadic" ? `variadic ${normalizedType}` : normalizedType;
+}
+function tryMatchDollarTag(sql, index) {
+  const slice = sql.slice(index);
+  const match = slice.match(/^\$[A-Za-z_][A-Za-z0-9_]*\$|^\$\$/);
+  return match?.[0] ?? null;
+}
+function findMatchingParen(sql, openIndex) {
+  let depth = 0;
+  let index = openIndex;
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let activeDollarTag = null;
+  while (index < sql.length) {
+    if (activeDollarTag) {
+      if (sql.startsWith(activeDollarTag, index)) {
+        index += activeDollarTag.length;
+        activeDollarTag = null;
+        continue;
+      }
+      index += 1;
+      continue;
+    }
+    const char = sql[index] ?? "";
+    const next = sql[index + 1] ?? "";
+    if (inSingleQuote) {
+      if (char === "'" && next === "'") {
+        index += 2;
+        continue;
+      }
+      if (char === "'") {
+        inSingleQuote = false;
+      }
+      index += 1;
+      continue;
+    }
+    if (inDoubleQuote) {
+      if (char === '"' && next === '"') {
+        index += 2;
+        continue;
+      }
+      if (char === '"') {
+        inDoubleQuote = false;
+      }
+      index += 1;
+      continue;
+    }
+    if (char === "'") {
+      inSingleQuote = true;
+      index += 1;
+      continue;
+    }
+    if (char === '"') {
+      inDoubleQuote = true;
+      index += 1;
+      continue;
+    }
+    if (char === "$") {
+      const dollarTag = tryMatchDollarTag(sql, index);
+      if (dollarTag) {
+        activeDollarTag = dollarTag;
+        index += dollarTag.length;
+        continue;
+      }
+    }
+    if (char === "(") {
+      depth += 1;
+    } else if (char === ")") {
+      depth -= 1;
+      if (depth === 0) {
+        return index;
+      }
+    }
+    index += 1;
+  }
+  return null;
+}
+function extractFunctionSignature(statement, match) {
+  const definitionEndIndex = (match.index ?? 0) + match[0].length;
+  const openParenIndex = statement.indexOf("(", definitionEndIndex);
+  if (openParenIndex < 0) {
+    return null;
+  }
+  const closeParenIndex = findMatchingParen(statement, openParenIndex);
+  if (closeParenIndex == null) {
+    return null;
+  }
+  const rawSignature = statement.slice(openParenIndex + 1, closeParenIndex);
+  const argumentsList = splitTopLevelCommaSeparated(rawSignature);
+  if (!argumentsList) {
+    return null;
+  }
+  const normalizedArguments = [];
+  for (const argument of argumentsList) {
+    const normalizedArgument = normalizeArgumentIdentity(argument);
+    if (normalizedArgument) {
+      normalizedArguments.push(normalizedArgument);
+    }
+  }
+  return `(${normalizeSignatureText(normalizedArguments.join(", "))})`;
+}
+function extractFunctionOwnershipDefinition(statement, file, line, layer) {
+  const regex = createFunctionDefinitionRegex();
+  const match = regex.exec(statement);
+  if (!match) {
+    return null;
+  }
+  const schema = (match[1] ?? match[2] ?? PUBLIC_SCHEMA).toLowerCase();
+  const name = (match[3] ?? match[4] ?? "").toLowerCase();
+  if (!name) {
+    return null;
+  }
+  return {
+    qualifiedName: `${schema}.${name}`,
+    signature: extractFunctionSignature(statement, match),
+    file,
+    line,
+    layer
+  };
+}
+function collectFunctionOwnershipDefinitions(targetDir, layer) {
+  const definitions = [];
+  for (const file of collectSqlFiles(targetDir, layer)) {
+    for (const statement of splitSqlStatements(file.content)) {
+      const definition = extractFunctionOwnershipDefinition(
+        statement.statement,
+        file.relativePath,
+        statement.line,
+        layer
+      );
+      if (definition) {
+        definitions.push(definition);
+      }
+    }
+  }
+  return definitions;
+}
+function groupDefinitionsByQualifiedName(definitions) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const definition of definitions) {
+    const existing = grouped.get(definition.qualifiedName) ?? [];
+    existing.push(definition);
+    grouped.set(definition.qualifiedName, existing);
+  }
+  return grouped;
+}
+function buildExactFinding(params) {
+  return {
+    code: "DUPLICATE_FUNCTION_OWNERSHIP",
+    qualifiedName: params.qualifiedName,
+    signature: params.signature,
+    message: `Function ${params.qualifiedName}${params.signature} is defined in both declarative and idempotent SQL.`,
+    suggestion: "Keep the canonical function definition in declarative SQL and remove the idempotent duplicate.",
+    declarativeDefinitions: params.declarativeDefinitions,
+    idempotentDefinitions: params.idempotentDefinitions
+  };
+}
+function buildAmbiguousFinding(params) {
+  return {
+    code: "DUPLICATE_FUNCTION_OWNERSHIP_AMBIGUOUS",
+    qualifiedName: params.qualifiedName,
+    signature: null,
+    message: `Function ${params.qualifiedName} appears in both declarative and idempotent SQL, and the signature could not be matched safely.`,
+    suggestion: "Review both definitions manually and keep ownership in declarative SQL only.",
+    declarativeDefinitions: params.declarativeDefinitions,
+    idempotentDefinitions: params.idempotentDefinitions
+  };
+}
+function analyzeDuplicateFunctionOwnership(targetDir) {
+  const declarativeDefinitions = collectFunctionOwnershipDefinitions(targetDir, "declarative");
+  const idempotentDefinitions = collectFunctionOwnershipDefinitions(targetDir, "idempotent");
+  const idempotentByQualifiedName = groupDefinitionsByQualifiedName(idempotentDefinitions);
+  const findings = [];
+  const seenExact = /* @__PURE__ */ new Set();
+  const seenAmbiguous = /* @__PURE__ */ new Set();
+  for (const declarativeDefinition of declarativeDefinitions) {
+    const idempotentMatches = idempotentByQualifiedName.get(declarativeDefinition.qualifiedName);
+    if (!idempotentMatches || idempotentMatches.length === 0) {
+      continue;
+    }
+    if (declarativeDefinition.signature) {
+      const exactMatches = idempotentMatches.filter(
+        (candidate) => candidate.signature !== null && candidate.signature === declarativeDefinition.signature
+      );
+      if (exactMatches.length > 0) {
+        const exactKey = `${declarativeDefinition.qualifiedName}:${declarativeDefinition.signature}`;
+        if (!seenExact.has(exactKey)) {
+          seenExact.add(exactKey);
+          findings.push(
+            buildExactFinding({
+              qualifiedName: declarativeDefinition.qualifiedName,
+              signature: declarativeDefinition.signature,
+              declarativeDefinitions: declarativeDefinitions.filter(
+                (candidate) => candidate.qualifiedName === declarativeDefinition.qualifiedName && candidate.signature === declarativeDefinition.signature
+              ),
+              idempotentDefinitions: exactMatches
+            })
+          );
+        }
+        continue;
+      }
+    }
+    const hasAmbiguousMatch = declarativeDefinition.signature === null || idempotentMatches.some((candidate) => candidate.signature === null);
+    if (!hasAmbiguousMatch) {
+      continue;
+    }
+    if (!seenAmbiguous.has(declarativeDefinition.qualifiedName)) {
+      seenAmbiguous.add(declarativeDefinition.qualifiedName);
+      findings.push(
+        buildAmbiguousFinding({
+          qualifiedName: declarativeDefinition.qualifiedName,
+          declarativeDefinitions: declarativeDefinitions.filter(
+            (candidate) => candidate.qualifiedName === declarativeDefinition.qualifiedName
+          ),
+          idempotentDefinitions: idempotentMatches
+        })
+      );
+    }
+  }
+  return {
+    contractNote: DUPLICATE_FUNCTION_OWNERSHIP_NOTE,
+    findings,
+    definitions: {
+      declarative: declarativeDefinitions,
+      idempotent: idempotentDefinitions
+    }
+  };
+}
+function formatLocation(definition) {
+  return `${definition.file}:${definition.line}`;
+}
+function formatDuplicateFunctionOwnershipFinding(finding) {
+  const signatureSuffix = finding.signature ?? "(<manual review required>)";
+  return {
+    summary: `${finding.code}: ${finding.qualifiedName}${signatureSuffix}`,
+    declarativeLocations: finding.declarativeDefinitions.map(formatLocation),
+    idempotentLocations: finding.idempotentDefinitions.map(formatLocation),
+    suggestion: finding.suggestion
+  };
+}
+
+// src/commands/db/utils/plan-size-guard.ts
+init_esm_shims();
+var PLAN_SIZE_WARNING_THRESHOLD = {
+  effectiveStatements: 200,
+  rawStatements: 500
+};
+var PLAN_SIZE_BLOCKER_THRESHOLD = {
+  effectiveStatements: 500,
+  rawStatements: 1e3
+};
+function buildThresholdReasons(summary, threshold) {
+  const reasons = [];
+  if (summary.effectiveStatements >= threshold.effectiveStatements) {
+    reasons.push(
+      `effective structural statements ${summary.effectiveStatements} >= ${threshold.effectiveStatements}`
+    );
+  }
+  if (summary.rawStatements >= threshold.rawStatements) {
+    reasons.push(`raw statements ${summary.rawStatements} >= ${threshold.rawStatements}`);
+  }
+  return reasons;
+}
+function assessPlanSize(summary) {
+  if (!summary) {
+    return { severity: "ok", reasons: [] };
+  }
+  const blockerReasons = buildThresholdReasons(summary, PLAN_SIZE_BLOCKER_THRESHOLD);
+  if (blockerReasons.length > 0) {
+    return { severity: "blocker", reasons: blockerReasons };
+  }
+  const warningReasons = buildThresholdReasons(summary, PLAN_SIZE_WARNING_THRESHOLD);
+  if (warningReasons.length > 0) {
+    return { severity: "warning", reasons: warningReasons };
+  }
+  return { severity: "ok", reasons: [] };
+}
+function formatPlanSizeSummary(summary) {
+  return `${summary.rawStatements} raw statement(s), ${summary.effectiveStatements} structural, ${summary.noiseStatements} collapsed noise`;
+}
+
+// src/commands/db/apply/actors/pg-schema-diff-actors.ts
 init_local_supabase();
 
 // src/commands/db/utils/declarative-dependency-warning-governance.ts
@@ -7511,6 +8067,25 @@ function assertDeclarativeDependencyBoundary(targetDir, input) {
     throw new Error(buildDeclarativeDependencyWarningFailureLines(warningReview).join("\n"));
   }
 }
+function warnDuplicateFunctionOwnership(targetDir) {
+  const analysis = analyzeDuplicateFunctionOwnership(targetDir);
+  if (analysis.findings.length === 0) {
+    return;
+  }
+  logger15.warn(`Duplicate function ownership detected (${analysis.findings.length} finding(s))`);
+  logger15.info(`  ${analysis.contractNote}`);
+  for (const finding of analysis.findings) {
+    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
+    logger15.info(`  [WARN] ${formatted.summary}`);
+    for (const location of formatted.declarativeLocations) {
+      logger15.info(`         declarative: ${location}`);
+    }
+    for (const location of formatted.idempotentLocations) {
+      logger15.info(`         idempotent: ${location}`);
+    }
+    logger15.info(`         ${formatted.suggestion}`);
+  }
+}
 function createCombinedSchemaBundle(schemaFiles, verbose) {
   const tmpDir = mkdtempSync(join(tmpdir(), "runa_pg_schema_diff_"));
   const combinedSchemaPath = join(tmpDir, "desired_schema.sql");
@@ -7541,7 +8116,7 @@ async function createShadowDbForRun(dbUrl, shadowExtensions, verbose) {
   return shadowDb;
 }
 function buildNoChangesResult(planOutput) {
-  if (!planOutput.trim() || planOutput.includes("No changes")) {
+  if (isNoChangePlanOutput(planOutput)) {
     logger15.success("No schema changes detected");
     return { sql: "", hazards: [], applied: true };
   }
@@ -7596,20 +8171,43 @@ function runPreApplyDataCompatibility(dbUrl, planOutput, input) {
   }
   return 0;
 }
-function buildCheckModeResult(input, planOutput, hazards, protectedTables, protectedObjects, dataViolationCount, schemasDir) {
+function buildCheckModeResult(input, planOutput, hazards, protectedTables, protectedObjects, dataViolationCount, schemasDir, options) {
   if (!input.check) {
     return null;
   }
   const plan = parsePlanOutput(planOutput);
-  const { filteredPlan, removedDropStatements, removedAuthzStatements } = filterCheckModePlanStatements(plan, protectedTables, protectedObjects, schemasDir);
-  displayCheckModeResults(planOutput, {
-    filteredPlanSql: filteredPlan.rawSql,
+  const { filteredPlan, removedDropStatements, removedAuthzStatements, removedRlsStatements } = filterCheckModePlanStatements(plan, protectedTables, protectedObjects, schemasDir);
+  const planSummary = buildCheckModePlanSummary({
+    rawStatementCount: options?.rawStatementCount ?? plan.statements.length,
+    filteredPlan,
     removedDropStatements,
-    removedAuthzStatements
+    removedAuthzStatements,
+    removedRlsStatements,
+    suppressedFunctionStatements: options?.suppressedFunctionStatements
+  });
+  displayCheckModeResults(planOutput, {
+    verbose: input.verbose,
+    filterInfo: {
+      filteredPlanSql: filteredPlan.rawSql,
+      removedDropStatements,
+      removedAuthzStatements,
+      removedRlsStatements,
+      suppressedFunctionStatements: options?.suppressedFunctionStatements,
+      planSummary
+    }
   });
+  const planSizeAssessment = assessPlanSize(planSummary);
+  if (planSizeAssessment.severity !== "ok") {
+    logger15.warn(`Large plan warning: ${formatPlanSizeSummary(planSummary)}`);
+    for (const reason of planSizeAssessment.reasons) {
+      logger15.info(`  \u2022 ${reason}`);
+    }
+    logger15.info("  Small production instances may see elevated load during apply.");
+  }
   return {
     sql: planOutput,
     filteredPlanSql: filteredPlan.rawSql,
+    planSummary,
     hazards,
     applied: false,
     dataViolations: dataViolationCount > 0 ? dataViolationCount : void 0
@@ -7658,6 +8256,7 @@ var applyPgSchemaDiff = fromPromise(async ({ input: { input, targetDir } }) => {
     logger15.info("No declarative schemas found");
     return { sql: "", hazards: [], applied: false };
   }
+  warnDuplicateFunctionOwnership(targetDir);
   assertDeclarativeDependencyBoundary(targetDir, input);
   const dbUrl = getDbUrl(input);
   const configState = loadPgSchemaDiffConfigState(targetDir, input.verbose);
@@ -7739,13 +8338,14 @@ var applyPgSchemaDiff = fromPromise(async ({ input: { input, targetDir } }) => {
         }
       )
     );
+    const rawPlanStatementCount = parsePlanOutput(planOutput).statements.length;
     let effectivePlanOutput = planOutput;
+    let suppressedPlan = {
+      planOutput,
+      suppressedStatements: [],
+      warnings: []
+    };
     if (!input.compareOnly) {
-      let suppressedPlan = {
-        planOutput,
-        suppressedStatements: [],
-        warnings: []
-      };
       try {
         suppressedPlan = await withProgress(
           "reviewing plan false positives",
@@ -7765,7 +8365,7 @@ var applyPgSchemaDiff = fromPromise(async ({ input: { input, targetDir } }) => {
       }
       effectivePlanOutput = suppressedPlan.planOutput;
     }
-    const noChangesResult = buildNoChangesResult(effectivePlanOutput);
+    const noChangesResult = rawPlanStatementCount === 0 || isNoChangePlanOutput(effectivePlanOutput) ? buildNoChangesResult(effectivePlanOutput) : null;
     if (noChangesResult) return noChangesResult;
     const { hazards } = await withProgress(
       "extracting migration hazards",
@@ -7792,7 +8392,11 @@ var applyPgSchemaDiff = fromPromise(async ({ input: { input, targetDir } }) => {
       protectedTables,
       protectedObjects,
       dataViolationCount,
-      schemasDir
+      schemasDir,
+      {
+        rawStatementCount: rawPlanStatementCount,
+        suppressedFunctionStatements: !input.compareOnly ? suppressedPlan.suppressedStatements : void 0
+      }
     );
     if (checkModeResult) return checkModeResult;
     backupProtectedTablesForProduction(dbUrl, protectedTables, input);
@@ -8003,15 +8607,16 @@ function runSeeds(input, targetDir, dbUrl) {
 async function generateTablesManifestSafely(targetDir, dbUrl) {
   try {
     await generateTablesManifest(targetDir, { databaseUrl: dbUrl });
+    return void 0;
   } catch (error) {
-    logger15.warn(`Failed to generate tables manifest: ${error}`);
+    return `Failed to generate tables manifest: ${error}`;
   }
 }
 var applySeeds = fromPromise(async ({ input: { input, targetDir } }) => {
   const dbUrl = getDbUrl(input);
   const seedsApplied = runSeeds(input, targetDir, dbUrl);
-  await generateTablesManifestSafely(targetDir, dbUrl);
-  return { applied: seedsApplied };
+  const manifestWarning = await generateTablesManifestSafely(targetDir, dbUrl);
+  return { applied: seedsApplied, warnings: manifestWarning ? [manifestWarning] : [] };
 });
 
 // src/commands/db/apply/machine.ts
@@ -8068,7 +8673,7 @@ var e2eMeta = {
       "expect(log).toContain('pg-schema-diff')",
       "expect(ctx.schemaChangesApplied).toBeDefined()"
     ],
-    nextStates: ["applyingIdempotentPost", "done", "failed"]
+    nextStates: ["applyingIdempotentPost", "validatingPartitions", "done", "failed"]
   },
   applyingIdempotentPost: {
     description: "Apply idempotent schemas (2nd pass: dependent tables, RLS)",
@@ -8159,6 +8764,9 @@ function buildDbApplyMetrics(context, endTime) {
     retryAttempts: toOptionalPositive(context.retryAttempts)
   };
 }
+function createMachineWarning(code, message, phase) {
+  return { code, message, phase };
+}
 function createDbApplyOutput(context, endTime) {
   const metrics = buildDbApplyMetrics(context, endTime);
   const totalIdempotentApplied = context.idempotentPreApplied + context.idempotentPostApplied;
@@ -8189,6 +8797,7 @@ function createDbApplyOutput(context, endTime) {
     dataViolations: toOptionalPositive(context.dataViolations),
     planSql: context.planSql ?? void 0,
     filteredPlanSql: context.filteredPlanSql ?? void 0,
+    planSummary: context.planSummary ?? void 0,
     checkOnly: toOptionalTrue(context.input.check === true),
     partitionWarnings: toOptionalArray(context.partitionWarnings),
     idempotentFiles: toOptionalArray(context.idempotentFiles),
@@ -8201,7 +8810,7 @@ function createDbApplyOutput(context, endTime) {
       endedAt: new Date(endTime).toISOString(),
       durationMs: endTime - context.startTime,
       phases,
-      warnings: [],
+      warnings: context.nonCriticalWarnings,
       errors: phases.map((phase) => phase.error).filter((value) => value != null),
       summary: buildCommandOutcomeSummary(phases)
     }
@@ -8210,6 +8819,23 @@ function createDbApplyOutput(context, endTime) {
 var dbApplyMachine = setup({
   types: {},
   actions: {
+    assignPgSchemaDiffResult: assign(({ event }) => {
+      if (!("output" in event)) {
+        return {};
+      }
+      const output = event.output;
+      return {
+        schemaChangesApplied: output.applied,
+        dataViolations: output.dataViolations ?? 0,
+        hazards: output.hazards,
+        planSql: output.sql ?? null,
+        filteredPlanSql: output.filteredPlanSql ?? null,
+        planSummary: output.planSummary ?? null,
+        ssotWarning: output.ssotWarning ?? null,
+        pgSchemaDiffEndTime: Date.now(),
+        retryAttempts: output.retryAttempts ?? 0
+      };
+    }),
     releaseAdvisoryLockOnFailure: ({ context }) => {
       if (context.lockAcquired) {
         try {
@@ -8251,7 +8877,9 @@ var dbApplyMachine = setup({
     error: null,
     planSql: null,
     filteredPlanSql: null,
+    planSummary: null,
     ssotWarning: null,
+    nonCriticalWarnings: [],
     // Idempotent preview (check mode)
     idempotentFiles: [],
     idempotentRisks: null,
@@ -8360,30 +8988,18 @@ var dbApplyMachine = setup({
           {
             guard: ({ context }) => context.input.check === true,
             target: "done",
-            actions: assign({
-              schemaChangesApplied: ({ event }) => event.output.applied,
-              dataViolations: ({ event }) => event.output.dataViolations ?? 0,
-              hazards: ({ event }) => event.output.hazards,
-              planSql: ({ event }) => event.output.sql ?? null,
-              filteredPlanSql: ({ event }) => event.output.filteredPlanSql ?? null,
-              ssotWarning: ({ event }) => event.output.ssotWarning ?? null,
-              pgSchemaDiffEndTime: () => Date.now(),
-              retryAttempts: ({ event }) => event.output.retryAttempts ?? 0
-            })
+            actions: "assignPgSchemaDiffResult"
           },
-          // Normal mode: continue to 2nd pass idempotent
+          // Normal mode: skip 2nd pass when no files were deferred in 1st pass
+          {
+            guard: ({ context }) => context.idempotentPreSkipped === 0,
+            target: "validatingPartitions",
+            actions: "assignPgSchemaDiffResult"
+          },
+          // Normal mode: run 2nd pass when deferred files exist
           {
             target: "applyingIdempotentPost",
-            actions: assign({
-              schemaChangesApplied: ({ event }) => event.output.applied,
-              dataViolations: ({ event }) => event.output.dataViolations ?? 0,
-              hazards: ({ event }) => event.output.hazards,
-              planSql: ({ event }) => event.output.sql ?? null,
-              filteredPlanSql: ({ event }) => event.output.filteredPlanSql ?? null,
-              ssotWarning: ({ event }) => event.output.ssotWarning ?? null,
-              pgSchemaDiffEndTime: () => Date.now(),
-              retryAttempts: ({ event }) => event.output.retryAttempts ?? 0
-            })
+            actions: "assignPgSchemaDiffResult"
           }
         ],
         onError: {
@@ -8471,6 +9087,12 @@ var dbApplyMachine = setup({
           target: "done",
           actions: assign({
             seedsApplied: ({ event }) => event.output.applied,
+            nonCriticalWarnings: ({ context, event }) => [
+              ...context.nonCriticalWarnings,
+              ...event.output.warnings.map(
+                (warning) => createMachineWarning("TABLES_MANIFEST_WARNING", warning, "applyingSeeds")
+              )
+            ],
             seedEndTime: () => Date.now()
           })
         },
@@ -8674,7 +9296,7 @@ function createWarning(code, message, phase) {
   return { code, message, phase };
 }
 function buildDbApplyOutcome(params) {
-  const warnings = [];
+  const warnings = [...params.result.outcome.warnings];
   const phases = [...params.phases];
   if (params.result.partitionWarnings && params.result.partitionWarnings.length > 0) {
     const warningList = params.result.partitionWarnings.map(
@@ -8700,9 +9322,20 @@ function buildDbApplyOutcome(params) {
       );
       warnings.push(seedWarning);
       seedPhase.status = "warning";
-      seedPhase.warningCount = 1;
-      seedPhase.warnings = [seedWarning];
+      seedPhase.warningCount = (seedPhase.warningCount ?? 0) + 1;
+      seedPhase.warnings = [...seedPhase.warnings ?? [], seedWarning];
+    }
+  }
+  for (const warning of params.result.outcome.warnings) {
+    const target = phases.find((phase) => phase.id === warning.phase);
+    if (!target) {
+      continue;
     }
+    if (target.status === "passed") {
+      target.status = "warning";
+    }
+    target.warningCount = (target.warningCount ?? 0) + 1;
+    target.warnings = [...target.warnings ?? [], warning];
   }
   const errors = phases.map((phase) => phase.error).filter((value) => value != null);
   return {
@@ -8757,6 +9390,7 @@ function describeSeedStatus(env, _noSeed, seedFlag) {
 async function runDbApply(env, options) {
   const logger17 = createCLILogger("db:apply");
   const resolvedEnv = env === "preview" ? "preview" : env === "production" ? "production" : "local";
+  loadEnvFiles({ runaEnv: resolvedEnv, silent: true });
   const noSeed = resolveNoSeed(resolvedEnv, options.seed);
   const compareOnly = options.check === true && options.compareOnly === true;
   if (resolvedEnv === "production" && !noSeed) {
@@ -8861,6 +9495,11 @@ function printCheckSummary(logger17, result) {
   logger17.info(`  Result: ${result.outcome.exitMode}`);
   logger17.info(`  \u2713 Idempotent schemas: ${result.idempotentSchemasApplied} files`);
   logger17.info(`  \u2713 Schema changes: ${result.planSql ? "detected" : "none"}`);
+  if (result.planSummary) {
+    logger17.info(
+      `  \u2713 Plan summary: ${result.planSummary.rawStatements} raw / ${result.planSummary.effectiveStatements} structural / ${result.planSummary.noiseStatements} collapsed noise`
+    );
+  }
   if (result.hazards.length > 0) logger17.info(`  \u26A0 Hazards: ${result.hazards.join(", ")}`);
   logger17.info("  \u2139 No changes were applied (check mode)");
 }
@@ -8887,6 +9526,12 @@ function printApplySummary(logger17, result) {
     logger17.info(`  \u26A0 Warnings: ${result.outcome.summary.warnings}`);
   }
   if (result.metrics) logger17.info(buildMetricsString(result.metrics));
+  if (result.outcome.warnings.length > 0) {
+    logger17.warn("\nNon-critical warnings:");
+    for (const warning of result.outcome.warnings) {
+      logger17.info(`  \u2022 [${warning.phase}] ${warning.message}`);
+    }
+  }
 }
 function printSummary(logger17, result) {
   if (result.error) {
@@ -8919,6 +9564,7 @@ var applyCommand = new Command("apply").description("Apply schema changes to any
 ).option("--fresh-db-check-sql <sql>", "Custom SQL to check if DB is fresh").action(async (env, options) => {
   const logger17 = createCLILogger("db:apply");
   const resolvedEnv = env === "preview" ? "preview" : env === "production" ? "production" : "local";
+  loadEnvFiles({ runaEnv: resolvedEnv, silent: true });
   try {
     const noSeed = resolveNoSeed(env, options.seed);
     const compareOnly = options.check === true && options.compareOnly === true;
@@ -10870,6 +11516,32 @@ async function runDeclarativeDependencyCheck(result, logger17, step, strictOptio
   }
 }
 
+// src/commands/db/utils/preflight-checks/duplicate-function-ownership-checks.ts
+init_esm_shims();
+async function runDuplicateFunctionOwnershipCheck(result, logger17, step) {
+  logger17.step("Checking duplicate function ownership", step.next());
+  const analysis = analyzeDuplicateFunctionOwnership(process.cwd());
+  if (analysis.findings.length === 0) {
+    logger17.success("No duplicate declarative/idempotent function ownership detected");
+    return;
+  }
+  result.passed = false;
+  result.errors.push(`Found ${analysis.findings.length} duplicate function ownership finding(s)`);
+  logger17.error(`Found ${analysis.findings.length} duplicate function ownership finding(s):`);
+  logger17.info(`  ${analysis.contractNote}`);
+  for (const finding of analysis.findings) {
+    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
+    logger17.info(`  [ERROR] ${formatted.summary}`);
+    for (const location of formatted.declarativeLocations) {
+      logger17.info(`          declarative: ${location}`);
+    }
+    for (const location of formatted.idempotentLocations) {
+      logger17.info(`          idempotent: ${location}`);
+    }
+    logger17.info(`          ${formatted.suggestion}`);
+  }
+}
+
 // src/commands/db/utils/preflight-checks/schema-boundary-checks.ts
 init_esm_shims();
 
@@ -12561,6 +13233,7 @@ async function runPreflightChecks(env, strict = false) {
   await runSqlSchemaRiskCheck(result, logger17, step);
   await runSchemaBoundaryPlacementCheck(result, logger17, step, strict);
   await runIdempotentSchemaRiskCheck(result, logger17, step, strict);
+  await runDuplicateFunctionOwnershipCheck(result, logger17, step);
   await runDeclarativeDependencyCheck(result, logger17, step, strict);
   await runDomainNamingCheck(result, logger17, step);
   logSummary(result, logger17);
@@ -16585,9 +17258,20 @@ async function collectLocalPrecheckBundle(strict) {
   const adjustedIdempotentRisks = applyStrictModeToReport(idempotentRisks, strict);
   const adjustedPlacementRisks = applyStrictModeToReport(placementRisks, strict);
   const adjustedExtensionRisks = applyStrictModeToReport(extensionRisks, strict);
-  const hasLocalBlockers = hasReportBlockers(adjustedPlacementRisks) || hasReportBlockers(adjustedDeclarativeRisks) || hasReportBlockers(adjustedIdempotentRisks) || hasReportBlockers(adjustedExtensionRisks);
-  const hasLocalFindings = hasReportFindings(adjustedDeclarativeRisks) || hasReportFindings(adjustedIdempotentRisks) || hasReportFindings(adjustedPlacementRisks) || hasReportFindings(adjustedExtensionRisks);
+  const duplicateOwnershipAnalysis = analyzeDuplicateFunctionOwnership(process.cwd());
+  const duplicateOwnershipBlockers = duplicateOwnershipAnalysis.findings.map((finding) => {
+    const formatted = formatDuplicateFunctionOwnershipFinding(finding);
+    return [
+      formatted.summary,
+      `declarative=${formatted.declarativeLocations.join(", ")}`,
+      `idempotent=${formatted.idempotentLocations.join(", ")}`,
+      formatted.suggestion
+    ].join(" | ");
+  });
+  const hasLocalBlockers = duplicateOwnershipBlockers.length > 0 || hasReportBlockers(adjustedPlacementRisks) || hasReportBlockers(adjustedDeclarativeRisks) || hasReportBlockers(adjustedIdempotentRisks) || hasReportBlockers(adjustedExtensionRisks);
+  const hasLocalFindings = duplicateOwnershipBlockers.length > 0 || hasReportFindings(adjustedDeclarativeRisks) || hasReportFindings(adjustedIdempotentRisks) || hasReportFindings(adjustedPlacementRisks) || hasReportFindings(adjustedExtensionRisks);
   const localBlockers = [
+    ...duplicateOwnershipBlockers,
     ...adjustedPlacementRisks.blockers,
     ...adjustedDeclarativeRisks.blockers,
     ...adjustedIdempotentRisks.blockers,
@@ -16602,6 +17286,7 @@ async function collectLocalPrecheckBundle(strict) {
     adjustedIdempotentRisks,
     adjustedPlacementRisks,
     adjustedExtensionRisks,
+    duplicateOwnershipBlockers,
     hasLocalBlockers,
     hasLocalFindings,
     localBlockers
@@ -16616,6 +17301,12 @@ ${heading}`);
   }
 }
 function printLocalFindingCompactSummary(logger17, local, topLimit) {
+  printCompactSummary(
+    logger17,
+    "Duplicate function ownership summary",
+    local.duplicateOwnershipBlockers,
+    topLimit
+  );
   printCompactSummary(
     logger17,
     "Declarative risk summary (declarative/*.sql)",
@@ -16642,6 +17333,11 @@ function printLocalFindingCompactSummary(logger17, local, topLimit) {
   );
 }
 function printLocalFindingDetailedReport(logger17, local) {
+  logFindingSection(
+    logger17,
+    "Duplicate function ownership blockers:",
+    local.duplicateOwnershipBlockers
+  );
   logFindingSection(
     logger17,
     "Risk checks on supabase/schemas/declarative/*.sql:",
@@ -16797,6 +17493,28 @@ function assertNoProductionApplyRiskReasons(result) {
     ]
   );
 }
+function assertProductionPlanSizeBudget(logger17, result) {
+  const assessment = assessPlanSize(result.planSummary);
+  if (!result.planSummary || assessment.severity === "ok") {
+    return;
+  }
+  if (assessment.severity === "warning") {
+    logger17.warn(`Large production apply preview: ${formatPlanSizeSummary(result.planSummary)}`);
+    for (const reason of assessment.reasons) {
+      logger17.info(`  ${reason}`);
+    }
+    return;
+  }
+  throw new CLIError(
+    "Production apply preview exceeds plan size budget",
+    "DB_PRODUCTION_APPLY_PLAN_SIZE",
+    [
+      `Plan summary: ${formatPlanSizeSummary(result.planSummary)}`,
+      ...assessment.reasons,
+      "Reduce metadata churn or split the schema change before production apply"
+    ]
+  );
+}
 function collectProductionApplyRiskReasons(output) {
   const reasons = [];
   if (output.dataViolations && output.dataViolations > 0) {
@@ -16853,6 +17571,7 @@ async function runProductionApplyDryRunCheck(logger17, strict) {
     placement: local.placementRisks.allowlist.length,
     plan: plan.planBoundaryRisks.allowlist.length
   });
+  assertProductionPlanSizeBudget(logger17, plan.result);
   assertNoPlanBoundaryBlockers(logger17, plan.adjustedPlanBoundaryRisks, strict);
   assertNoProductionApplyRiskReasons(plan.result);
 }