@runa-ai/runa-cli 0.9.0 → 0.10.1

package/dist/{chunk-ZWDWFMOX.js → chunk-HWR5NUUZ.js}

@@ -2,10 +2,10 @@
 import { createRequire } from 'module';
 import { blankDollarQuotedBodies, stripSqlComments, psqlSyncQuery, parsePostgresUrl, buildPsqlArgs, buildPsqlEnv } from './chunk-A6A7JIRD.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { existsSync, readdirSync, readFileSync } from 'fs';
 import path from 'path';
 import { execFileSync, spawnSync, spawn } from 'child_process';
 import { createCLILogger } from '@runa-ai/runa';
-import { existsSync, readdirSync, readFileSync } from 'fs';
 
 createRequire(import.meta.url);
 
@@ -473,6 +473,7 @@ function collectWarningsForStatement(statement, file, line, knownFunctionNames)
 
 // src/commands/db/utils/sql-boundary-parser.ts
 init_esm_shims();
+var ALLOW_DYNAMIC_SQL_ANNOTATION = /--\s*runa:allow-dynamic-sql\b/;
 var DOLLAR_QUOTE_PATTERN = /^\$([A-Za-z_][A-Za-z0-9_]*)?\$/;
 function countNewlines2(text) {
   let count = 0;
@@ -1204,6 +1205,20 @@ function detectMissingExtensionType(errorOutput) {
     suggestedExtensions: [...extensions]
   };
 }
+function detectExtensionFilePath() {
+  const defaultPath = "supabase/schemas/idempotent/00_extensions.sql";
+  const idempotentDir = path.join(process.cwd(), "supabase", "schemas", "idempotent");
+  if (!existsSync(idempotentDir)) return defaultPath;
+  try {
+    const files = readdirSync(idempotentDir).filter((f) => f.endsWith(".sql"));
+    const extensionFile = files.find((f) => /extension/i.test(f));
+    if (extensionFile) {
+      return path.posix.join("supabase", "schemas", "idempotent", extensionFile);
+    }
+  } catch {
+  }
+  return defaultPath;
+}
 function formatExtensionErrorHint(detection) {
   if (!detection.detected) return "";
   const lines = [];
@@ -1214,8 +1229,14 @@ function formatExtensionErrorHint(detection) {
     lines.push(`  type "${type}" \u2192 extension: ${ext ?? "unknown"}`);
   }
   if (detection.suggestedExtensions.length > 0) {
+    const extensionFile = detectExtensionFilePath();
+    const fileExists = existsSync(path.join(process.cwd(), extensionFile));
     lines.push("");
-    lines.push("Fix 1: Add to supabase/schemas/idempotent/00_extensions.sql:");
+    if (fileExists) {
+      lines.push(`Fix 1: Add to ${extensionFile}:`);
+    } else {
+      lines.push(`Fix 1: Create ${extensionFile} (or add to your existing extension file):`);
+    }
     for (const ext of detection.suggestedExtensions) {
       lines.push(`  CREATE EXTENSION IF NOT EXISTS ${ext};`);
     }
@@ -1511,4 +1532,4 @@ function executePgSchemaDiffPlan(dbUrl, schemasDir, includeSchemas, verbose, opt
   throw new Error("pg-schema-diff plan failed after all retries");
 }
 
-export { DB_APPLY_CHECK_MODE_CONTRACT_NOTE, FUNCTION_DEFINITION_RE, HAZARD_REGEX, MAX_DETAILED_DECLARATIVE_WARNINGS, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, PUBLIC_SCHEMA, STATEMENT_IDX_REGEX, analyzeDeclarativeDependencyContract, blankQuotedStrings, buildIdleConnectionCleanupSql, collectSqlFiles, countNewlines, detectDropTableStatements, detectMissingExtensionType, detectMissingQualifiedFunction, detectPartitionPrivilegeError, detectPgSchemaDiffVersion, executePgSchemaDiffPlan, extractDdlObject, extractFirstDollarBody, formatDeclarativeDependencyBoundaryHint, formatDeclarativeDependencyViolation, formatDeclarativeDependencyWarning, formatExtensionErrorHint, formatPartitionPrivilegeHint, freeConnectionSlotsForPgSchemaDiff, hasUnparsedHazardHints, isNonDdlMaintenanceStatement, isNonSchemaOperation, parseSqlFilename, sanitizeExecutableCode, sanitizeExecutableCodePreserveStrings, shouldReviewUnknownDeclarativeDdl, shouldReviewUnknownIdempotentDdl, splitSqlStatements, startConnectionCleanupDaemon, stopConnectionCleanupDaemon, summarizeDeclarativeDependencyWarnings, verifyDatabaseConnection, verifyPgSchemaDiffBinary };
+export { ALLOW_DYNAMIC_SQL_ANNOTATION, DB_APPLY_CHECK_MODE_CONTRACT_NOTE, FUNCTION_DEFINITION_RE, HAZARD_REGEX, MAX_DETAILED_DECLARATIVE_WARNINGS, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, PUBLIC_SCHEMA, STATEMENT_IDX_REGEX, analyzeDeclarativeDependencyContract, blankQuotedStrings, buildIdleConnectionCleanupSql, collectSqlFiles, countNewlines, detectDropTableStatements, detectExtensionFilePath, detectMissingExtensionType, detectMissingQualifiedFunction, detectPartitionPrivilegeError, detectPgSchemaDiffVersion, executePgSchemaDiffPlan, extractDdlObject, extractFirstDollarBody, formatDeclarativeDependencyBoundaryHint, formatDeclarativeDependencyViolation, formatDeclarativeDependencyWarning, formatExtensionErrorHint, formatPartitionPrivilegeHint, freeConnectionSlotsForPgSchemaDiff, hasUnparsedHazardHints, isNonDdlMaintenanceStatement, isNonSchemaOperation, parseSqlFilename, sanitizeExecutableCode, sanitizeExecutableCodePreserveStrings, shouldReviewUnknownDeclarativeDdl, shouldReviewUnknownIdempotentDdl, splitSqlStatements, startConnectionCleanupDaemon, stopConnectionCleanupDaemon, summarizeDeclarativeDependencyWarnings, verifyDatabaseConnection, verifyPgSchemaDiffBinary };

package/dist/{chunk-JQXOVCOP.js → chunk-NIS77243.js}

@@ -132,12 +132,12 @@ var ERROR_CATALOG = {
   LICENSE_UNAUTHORIZED: {
     code: "ERR_RUNA_LICENSE_UNAUTHORIZED",
     exitCode: EXIT_CODES.AUTH_ERROR,
-    title: "CI access not authorized",
-    template: 'Organization "{owner}" is not authorized to use runa CI',
+    title: "Legacy CI access policy denied command",
+    template: 'Legacy CI access policy denied runa execution for "{owner}"',
     suggestions: [
-      "Install GitHub App: https://github.com/apps/runa-app",
-      "Contact runa admin for approval",
-      "Local development is not affected"
+      "Upgrade to the latest @runa-ai/runa-cli",
+      "Public runa CLI/SDK/plugin commands should not require CI allowlist approval",
+      "Template operations use separate repository-access checks"
     ],
     docUrl: "https://runa.dev/docs/errors/license-unauthorized"
   },
@@ -571,4 +571,7 @@ function interpolateTemplate(template, params) {
   });
 }
 
+// src/errors/index.ts
+init_esm_shims();
+
 export { ERROR_CATALOG, createError };

package/dist/{chunk-URWDB7YL.js → chunk-O3M7A73M.js}

@@ -231,6 +231,32 @@ function extractTablesFromIdempotentSql(idempotentDir, projectRoot = process.cwd
   }
   return [...new Set(tables)].sort();
 }
+function extractDynamicTablePatternsFromIdempotentSql(idempotentDir, projectRoot = process.cwd()) {
+  const fullPath = path.resolve(projectRoot, idempotentDir);
+  if (!existsSync(fullPath)) {
+    return [];
+  }
+  const patterns = [];
+  const prefixInFormat = /EXECUTE\s+format\s*\(\s*'CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:"?([a-zA-Z_][a-zA-Z0-9_]*)"?\.)?([a-zA-Z_][a-zA-Z0-9_]*)%[sI]/gi;
+  try {
+    const files = readdirSync(fullPath).filter((f) => f.endsWith(".sql"));
+    for (const file of files) {
+      const filePath = path.join(fullPath, file);
+      const content = readFileSync(filePath, "utf-8");
+      const cleaned = content.replace(/--.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+      for (const match of cleaned.matchAll(prefixInFormat)) {
+        const schema = match[1] || "public";
+        const prefix = match[2];
+        if (prefix && prefix.length >= 2) {
+          patterns.push(`${schema}.${prefix}*`);
+        }
+      }
+    }
+  } catch {
+    return [];
+  }
+  return [...new Set(patterns)].sort();
+}
 
 // src/commands/db/utils/table-registry.ts
 init_esm_shims();
@@ -1686,8 +1712,16 @@ function resolveSourceConfig(projectRoot, options) {
     }
   } catch {
   }
+  const resolvedIdempotentDir = isAbsolute(idempotentSqlDir) ? idempotentSqlDir : join(projectRoot, idempotentSqlDir);
+  const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(
+    resolvedIdempotentDir,
+    projectRoot
+  );
+  for (const pattern of dynamicPatterns) {
+    exclusions.add(pattern);
+  }
   return {
-    idempotentSqlDir: isAbsolute(idempotentSqlDir) ? idempotentSqlDir : join(projectRoot, idempotentSqlDir),
+    idempotentSqlDir: resolvedIdempotentDir,
     excludeFromOrphanDetection: [...exclusions].sort((a, b) => a.localeCompare(b))
   };
 }
@@ -1918,9 +1952,31 @@ async function generateTablesManifest(projectRoot, options = {}) {
   }
   writeFileSync(outputPath, `${JSON.stringify(manifest, null, 2)}
 `);
+  validateManifestSourceFiles(manifest, projectRoot);
   logManifestSummary(manifest, mappingResult.conflicts);
   return manifest;
 }
+function validateManifestSourceFiles(manifest, projectRoot) {
+  const staleEntries = [];
+  for (const table of manifest.tables) {
+    if (!table.sourceFile) continue;
+    const absolutePath = join(projectRoot, table.sourceFile);
+    if (!existsSync(absolutePath)) {
+      staleEntries.push({ table: table.qualifiedName, sourceFile: table.sourceFile });
+    }
+  }
+  if (staleEntries.length === 0) return;
+  console.warn(
+    `[tables-manifest] warn: ${staleEntries.length} table(s) reference non-existent sourceFile:`
+  );
+  for (const entry of staleEntries.slice(0, 5)) {
+    console.warn(`  ${entry.table} \u2192 ${entry.sourceFile} (file not found)`);
+  }
+  if (staleEntries.length > 5) {
+    console.warn(`  ... and ${staleEntries.length - 5} more`);
+  }
+  console.warn("  \u2192 If files were moved, re-run `runa db sync` to update sourceFile references.");
+}
 function logManifestSummary(manifest, conflicts) {
   const tableCount = manifest.tables.length;
   const schemas = [...new Set(manifest.tables.map((t) => t.schema))];
@@ -1975,4 +2031,4 @@ function logManifestSummary(manifest, conflicts) {
   console.log("   Path: .runa/manifests/tables.json\n");
 }
 
-export { buildTablePatternMatcher, diffSchema, extractSchemaTablesAndEnums, extractTablesFromIdempotentSql, fetchDbTablesAndEnums, generateTablesManifest, getSqlParserUtils };
+export { buildTablePatternMatcher, diffSchema, extractDynamicTablePatternsFromIdempotentSql, extractSchemaTablesAndEnums, extractTablesFromIdempotentSql, fetchDbTablesAndEnums, generateTablesManifest, getSqlParserUtils };

package/dist/{chunk-YRNQEJQW.js → chunk-XRLIZKB2.js}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import { resolveDatabaseUrl, resolveDatabaseTarget } from './chunk-WGRVAGSR.js';
-import { verifyPgSchemaDiffBinary, verifyDatabaseConnection, freeConnectionSlotsForPgSchemaDiff, executePgSchemaDiffPlan, detectDropTableStatements, analyzeDeclarativeDependencyContract, DB_APPLY_CHECK_MODE_CONTRACT_NOTE, formatDeclarativeDependencyViolation, summarizeDeclarativeDependencyWarnings, MAX_DETAILED_DECLARATIVE_WARNINGS, formatDeclarativeDependencyWarning, detectPgSchemaDiffVersion, STATEMENT_IDX_REGEX, hasUnparsedHazardHints, collectSqlFiles, splitSqlStatements, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, HAZARD_REGEX, PUBLIC_SCHEMA, FUNCTION_DEFINITION_RE } from './chunk-ZWDWFMOX.js';
+import { verifyPgSchemaDiffBinary, verifyDatabaseConnection, freeConnectionSlotsForPgSchemaDiff, executePgSchemaDiffPlan, detectDropTableStatements, analyzeDeclarativeDependencyContract, DB_APPLY_CHECK_MODE_CONTRACT_NOTE, formatDeclarativeDependencyViolation, summarizeDeclarativeDependencyWarnings, MAX_DETAILED_DECLARATIVE_WARNINGS, formatDeclarativeDependencyWarning, detectPgSchemaDiffVersion, STATEMENT_IDX_REGEX, hasUnparsedHazardHints, collectSqlFiles, splitSqlStatements, PG_SCHEMA_DIFF_APPLY_TIMEOUT_MS, HAZARD_REGEX, PUBLIC_SCHEMA, FUNCTION_DEFINITION_RE } from './chunk-HWR5NUUZ.js';
 import { splitPlpgsqlStatementsWithOffsets, extractExecuteExpressions, extractStaticSqlFromExpression } from './chunk-Y5ANTCKE.js';
 import { loadEnvFiles } from './chunk-IWVXI5O4.js';
-import { CLI_VERSION } from './chunk-GKBE7EIE.js';
-import { generateTablesManifest } from './chunk-URWDB7YL.js';
+import { CLI_VERSION } from './chunk-ZPE52NEK.js';
+import { generateTablesManifest } from './chunk-O3M7A73M.js';
 import { parsePostgresUrl, buildPsqlEnv, buildPsqlArgs, stripSqlComments, psqlSyncQuery, blankDollarQuotedBodies, psqlSyncBatch, psqlSyncFile } from './chunk-A6A7JIRD.js';
 import { init_local_supabase, buildLocalDatabaseUrl } from './chunk-QSEF4T3Y.js';
 import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
@@ -2309,7 +2309,7 @@ function extractQualifiedNameAfterKeyword(sql, keywordPattern) {
   const rest = sql.slice(keywordMatch.index + keywordMatch[0].length);
   const nameMatch = rest.match(/^\s*["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?/);
   if (!nameMatch) return null;
-  return `${nameMatch[1].replace(/"/g, "").toLowerCase()}.${nameMatch[2].replace(/"/g, "").toLowerCase()}`;
+  return `${nameMatch[1]?.replace(/"/g, "").toLowerCase()}.${nameMatch[2]?.replace(/"/g, "").toLowerCase()}`;
 }
 function extractFkReferences(sql) {
   const refs = /* @__PURE__ */ new Set();
@@ -2317,7 +2317,7 @@ function extractFkReferences(sql) {
     /REFERENCES\s+["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?\s*\(/gi
   )) {
     refs.add(
-      `${match[1].replace(/"/g, "").toLowerCase()}.${match[2].replace(/"/g, "").toLowerCase()}`
+      `${match[1]?.replace(/"/g, "").toLowerCase()}.${match[2]?.replace(/"/g, "").toLowerCase()}`
     );
   }
   return [...refs];
@@ -2327,12 +2327,12 @@ function extractRelationRefsFromBody(sql) {
   for (const m of sql.matchAll(
     /\bFROM\s+["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?/gi
   )) {
-    refs.add(`${m[1].replace(/"/g, "").toLowerCase()}.${m[2].replace(/"/g, "").toLowerCase()}`);
+    refs.add(`${m[1]?.replace(/"/g, "").toLowerCase()}.${m[2]?.replace(/"/g, "").toLowerCase()}`);
   }
   for (const m of sql.matchAll(
     /["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?\s*%ROWTYPE/gi
   )) {
-    refs.add(`${m[1].replace(/"/g, "").toLowerCase()}.${m[2].replace(/"/g, "").toLowerCase()}`);
+    refs.add(`${m[1]?.replace(/"/g, "").toLowerCase()}.${m[2]?.replace(/"/g, "").toLowerCase()}`);
   }
   return [...refs];
 }
@@ -2404,7 +2404,7 @@ function analyzeWithRegexFallback(strippedSql) {
     const match = strippedSql.match(
       /(?:CREATE|ALTER|DROP)\s+POLICY\s+.*?\bON\s+["']?([A-Za-z_]\w*)["']?\s*\.\s*["']?([A-Za-z_]\w*)["']?/i
     );
-    const key = match ? `${match[1].replace(/"/g, "").toLowerCase()}.${match[2].replace(/"/g, "").toLowerCase()}` : null;
+    const key = match ? `${match[1]?.replace(/"/g, "").toLowerCase()}.${match[2]?.replace(/"/g, "").toLowerCase()}` : null;
     return {
       ...buildBaseStatementAnalysis(strippedSql, "relation"),
       targetKey: key,
@@ -2565,7 +2565,7 @@ function stabilizeAnalyzedPlanOrder(analyzedPlan) {
   const groupedStatements = /* @__PURE__ */ new Set();
   const deferredTriggerStatements = [];
   const createdFunctionKeys = new Set(
-    analyzedPlan.statements.filter((s) => s.objectKind === "function" && s.targetFunctionKey).map((s) => s.targetFunctionKey.toLowerCase())
+    analyzedPlan.statements.filter((s) => s.objectKind === "function" && s.targetFunctionKey).map((s) => s.targetFunctionKey?.toLowerCase())
   );
   for (const statement of analyzedPlan.statements) {
     if (statement.phase === 50 && statement.functionDependencies.some((fn) => createdFunctionKeys.has(fn.toLowerCase()))) {
@@ -3322,7 +3322,30 @@ async function createShadowDbWithExtensions(config) {
     // Extensions like PostGIS can take time
   });
   if (extResult.status !== 0) {
-    logger7.warn(`Some extensions failed to install: ${extResult.stderr}`);
+    const stderr = extResult.stderr?.trim() ?? "";
+    logger7.error(`Shadow DB extension installation failed: ${stderr}`);
+    logger7.error("Configured extensions may not be available in the target PostgreSQL server.");
+    logger7.error("Check that the extensions are installed on the server:");
+    for (const ext of extensions) {
+      logger7.error(`  SELECT * FROM pg_available_extensions WHERE name = '${ext}';`);
+    }
+    logger7.error(
+      "If running locally with Supabase, ensure extensions are enabled in the dashboard."
+    );
+  }
+  const verifyResult = psqlSyncQuery({
+    databaseUrl: shadowDsn,
+    sql: `SELECT extname FROM pg_extension WHERE extname = ANY(ARRAY[${extensions.map((e) => `'${e}'`).join(",")}])`,
+    timeout: 1e4
+  });
+  if (verifyResult.status === 0) {
+    const installed = (verifyResult.stdout ?? "").split("\n").map((l) => l.trim()).filter(Boolean);
+    const missing = extensions.filter((ext) => !installed.includes(ext));
+    if (missing.length > 0) {
+      logger7.warn(
+        `Shadow DB missing extensions: ${missing.join(", ")}. pg-schema-diff may fail on extension-defined types (geometry, vector, etc.).`
+      );
+    }
   }
   bootstrapShadowDbSchemaPrerequisites(sourceDbUrl, shadowDsn);
   logger7.debug(`Shadow database ready with extensions: ${extensions.join(", ")}`);
@@ -7203,11 +7226,54 @@ async function applyWithRetry(params) {
     retryWaitMs: result.totalWaitMs
   };
 }
+function autoDetectRequiredExtensions(targetDir) {
+  const EXTENSION_TYPE_KEYWORDS = {
+    geometry: "postgis",
+    geography: "postgis",
+    box2d: "postgis",
+    box3d: "postgis",
+    raster: "postgis_raster",
+    vector: "vector",
+    halfvec: "vector",
+    sparsevec: "vector",
+    citext: "citext",
+    hstore: "hstore",
+    ltree: "ltree"
+  };
+  const declarativeDir = join(targetDir, "supabase", "schemas", "declarative");
+  if (!existsSync(declarativeDir)) return [];
+  const detected = /* @__PURE__ */ new Set();
+  try {
+    const files = readdirSync(declarativeDir).filter((f) => f.endsWith(".sql"));
+    for (const file of files) {
+      const content = readFileSync(join(declarativeDir, file), "utf-8").toLowerCase();
+      for (const [typeName, extName] of Object.entries(EXTENSION_TYPE_KEYWORDS)) {
+        if (content.includes(typeName)) {
+          detected.add(extName);
+        }
+      }
+    }
+  } catch {
+  }
+  return [...detected].sort();
+}
+function resolveEffectiveShadowExtensions(configured, targetDir, verbose) {
+  if (configured && configured.length > 0) return configured;
+  const autoDetected = autoDetectRequiredExtensions(targetDir);
+  if (autoDetected.length > 0 && verbose) {
+    logger13.debug(`Auto-detected shadow DB extensions from SQL: ${autoDetected.join(", ")}`);
+  }
+  return autoDetected.length > 0 ? autoDetected : void 0;
+}
 function loadPgSchemaDiffConfigState(targetDir, verbose) {
   try {
     const config = loadRunaConfig(targetDir);
     return {
-      shadowExtensions: config.database?.pgSchemaDiff?.shadowDbExtensions,
+      shadowExtensions: resolveEffectiveShadowExtensions(
+        config.database?.pgSchemaDiff?.shadowDbExtensions,
+        targetDir,
+        verbose
+      ),
       configExclusions: config.database?.pgSchemaDiff?.excludeFromOrphanDetection ? [...config.database.pgSchemaDiff.excludeFromOrphanDetection] : void 0,
       schemaCheckExclusions: config.database?.pgSchemaDiff?.excludeFromSchemaCheck ? [...config.database.pgSchemaDiff.excludeFromSchemaCheck] : void 0
     };
@@ -7215,7 +7281,9 @@ function loadPgSchemaDiffConfigState(targetDir, verbose) {
     if (verbose) {
       logger13.debug("Could not load runa.config.ts - continuing without extension support");
     }
-    return {};
+    return {
+      shadowExtensions: resolveEffectiveShadowExtensions(void 0, targetDir, verbose)
+    };
   }
 }
 function createPrefilterState(schemasDir, verbose, configExclusions) {

package/dist/{chunk-IEKYTCYA.js → chunk-YTQS2O4H.js}

@@ -19,6 +19,64 @@ init_esm_shims();
 var COMPATIBLE_TEMPLATES_VERSION = "0.7.3";
 var TEMPLATES_PACKAGE_NAME = "@r06-dev/runa-templates";
 var GITHUB_PACKAGES_REGISTRY = "https://npm.pkg.github.com";
+var TEMPLATES_SOURCE_REPOSITORY = "r06-dev/runa";
+var TEMPLATES_SOURCE_REPOSITORY_API_URL = `https://api.github.com/repos/${TEMPLATES_SOURCE_REPOSITORY}`;
+
+// src/utils/template-access.ts
+init_esm_shims();
+var TEMPLATE_ACCESS_TIMEOUT_MS = 5e3;
+var TEMPLATE_ACCESS_USER_AGENT = "runa-cli/template-access-check";
+async function hasRepoAccessWithToken(token) {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TEMPLATE_ACCESS_TIMEOUT_MS);
+  try {
+    const response = await fetch(TEMPLATES_SOURCE_REPOSITORY_API_URL, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/vnd.github+json",
+        "User-Agent": TEMPLATE_ACCESS_USER_AGENT
+      },
+      signal: controller.signal
+    });
+    return response.ok;
+  } catch {
+    return false;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function hasRepoAccessWithGh() {
+  try {
+    const result = await secureGh(["api", `repos/${TEMPLATES_SOURCE_REPOSITORY}`, "--silent"], {
+      reject: false,
+      timeout: TEMPLATE_ACCESS_TIMEOUT_MS,
+      stdio: "pipe"
+    });
+    return result.exitCode === 0;
+  } catch {
+    return false;
+  }
+}
+async function verifyTemplateRepoAccess() {
+  const explicitToken = process.env.NODE_AUTH_TOKEN?.trim();
+  if (explicitToken && await hasRepoAccessWithToken(explicitToken)) {
+    return;
+  }
+  if (await hasRepoAccessWithGh()) {
+    return;
+  }
+  throw new CLIError(
+    `Template operations require access to ${TEMPLATES_SOURCE_REPOSITORY}.`,
+    "TEMPLATE_REPO_ACCESS_REQUIRED",
+    [
+      `Use a GitHub account that can access https://github.com/${TEMPLATES_SOURCE_REPOSITORY}`,
+      "Authenticate with GitHub CLI: gh auth login",
+      "Or export NODE_AUTH_TOKEN from an authorized account",
+      "Normal runa CLI/SDK/plugin commands do not require this access"
+    ]
+  );
+}
 
 // src/utils/template-fetcher.ts
 var SAFE_VERSION_PATTERN = /^[a-zA-Z0-9._-]+$/;
@@ -273,6 +331,7 @@ async function fetchTemplates(options = {}) {
   const version = options.version ?? COMPATIBLE_TEMPLATES_VERSION;
   const fresh = options.fresh ?? false;
   const verbose = options.verbose ?? false;
+  await verifyTemplateRepoAccess();
   const workspaceResult = getWorkspaceTemplatesResult(resolveWorkspaceTemplates(), verbose);
   if (workspaceResult) {
     return workspaceResult;

package/dist/{chunk-GKBE7EIE.js → chunk-ZPE52NEK.js}

@@ -6,7 +6,7 @@ createRequire(import.meta.url);
 
 // src/version.ts
 init_esm_shims();
-var CLI_VERSION = "0.9.0";
+var CLI_VERSION = "0.10.1";
 var HAS_ADMIN_COMMAND = false;
 
 export { CLI_VERSION, HAS_ADMIN_COMMAND };

package/dist/{ci-S5KSBECX.js → ci-3HZWUQFN.js}

@@ -1,17 +1,17 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { normalizeDatabaseUrlForDdl, parseBoolish, enhanceConnectionError, isIdempotentRoleHazard, detectAppSchemas, formatSchemasForSql, getDbPlanArtifactPath, runDbApply } from './chunk-YRNQEJQW.js';
+import { normalizeDatabaseUrlForDdl, parseBoolish, enhanceConnectionError, isIdempotentRoleHazard, detectAppSchemas, formatSchemasForSql, getDbPlanArtifactPath, runDbApply } from './chunk-XRLIZKB2.js';
 import './chunk-WGRVAGSR.js';
-import './chunk-ZWDWFMOX.js';
+import './chunk-HWR5NUUZ.js';
 import './chunk-UHDAYPHH.js';
 import './chunk-Y5ANTCKE.js';
 import './chunk-IWVXI5O4.js';
-import './chunk-GKBE7EIE.js';
+import './chunk-ZPE52NEK.js';
 import './chunk-B7C7CLW2.js';
 import './chunk-QDF7QXBL.js';
 import { getSnapshotStateName, getSnapshotStatePaths, isSnapshotComplete } from './chunk-XVNDDHAF.js';
 import { createInitialSummary, resolveMode, appendGithubStepSummary, buildCiProdApplyStepSummaryMarkdown, setSummaryErrorFromUnknown, writeEnvLocal, startAppBackground, waitForAppReady, executePrSetupBase, createErrorOutput, requireCiAutoApprove, resolveProdApplyInputs, parseIntOr, classifyCiProdApplyError, addGithubMask } from './chunk-EXR4J2JT.js';
-import './chunk-URWDB7YL.js';
+import './chunk-O3M7A73M.js';
 import { parsePostgresUrl, buildPsqlArgs, buildPsqlEnv, psqlSyncQuery } from './chunk-A6A7JIRD.js';
 import { ensureRunaTmpDir, runLogged } from './chunk-ELXXQIGW.js';
 import { createMachineStateChangeLogger } from './chunk-5FT3F36G.js';

package/dist/{cli-TJZCAMB2.js → cli-RES5QRC2.js}

@@ -2,7 +2,7 @@
 import { createRequire } from 'module';
 import { enableNonInteractiveMode } from './chunk-6Y3LAUGL.js';
 import { getRequestedCommandNameFromArgv } from './chunk-UWWSAPDR.js';
-import { CLI_VERSION, HAS_ADMIN_COMMAND } from './chunk-GKBE7EIE.js';
+import { CLI_VERSION, HAS_ADMIN_COMMAND } from './chunk-ZPE52NEK.js';
 import { emitDefaultSuccessIfNeeded } from './chunk-WJXC4MVY.js';
 import { parseOutputFormat, setOutputFormat, getOutputFormatFromEnv } from './chunk-HKUWEGUX.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
@@ -145,7 +145,7 @@ function isTestCommand(requested) {
 async function registerProjectLifecycleCommands(program, requested, loadAllCommands) {
   if (!loadAllCommands && requested) {
     if (requested === "init") {
-      const { initCommand: initCommand2 } = await import('./init-2O6ODG5Z.js');
+      const { initCommand: initCommand2 } = await import('./init-4UAWYY75.js');
       program.addCommand(initCommand2);
       return;
     }
@@ -155,7 +155,7 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
       return;
     }
     if (requested === "upgrade") {
-      const { upgradeCommand: upgradeCommand2 } = await import('./upgrade-QZKEI3NJ.js');
+      const { upgradeCommand: upgradeCommand2 } = await import('./upgrade-LBO3Z3J7.js');
       program.addCommand(upgradeCommand2);
       return;
     }
@@ -170,7 +170,7 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
       return;
     }
     if (requested === "dev") {
-      const { devCommand: devCommand2 } = await import('./dev-LGSMDFJN.js');
+      const { devCommand: devCommand2 } = await import('./dev-QR55VDNZ.js');
       program.addCommand(devCommand2);
       return;
     }
@@ -183,12 +183,12 @@ async function registerProjectLifecycleCommands(program, requested, loadAllComma
     { buildCommand },
     { devCommand }
   ] = await Promise.all([
-    import('./init-2O6ODG5Z.js'),
+    import('./init-4UAWYY75.js'),
     import('./prepare-32DOVHTE.js'),
-    import('./upgrade-QZKEI3NJ.js'),
+    import('./upgrade-LBO3Z3J7.js'),
     import('./validate-CAAW4Y44.js'),
     import('./build-P2A6345N.js'),
-    import('./dev-LGSMDFJN.js')
+    import('./dev-QR55VDNZ.js')
   ]);
   program.addCommand(initCommand);
   program.addCommand(prepareCommand);
@@ -462,11 +462,11 @@ async function registerFocusedStatusUtilityCommand(program, requested) {
   return false;
 }
 async function registerCiCommand(program) {
-  const { ciCommand } = await import('./ci-S5KSBECX.js');
+  const { ciCommand } = await import('./ci-3HZWUQFN.js');
   program.addCommand(ciCommand);
 }
 async function registerDbCommand(program) {
-  const { dbCommand } = await import('./db-D2OLJDYW.js');
+  const { dbCommand } = await import('./db-PRGL7PBX.js');
   program.addCommand(dbCommand);
 }
 async function registerServicesCommand(program) {
@@ -478,7 +478,7 @@ async function registerEnvCommand(program) {
   program.addCommand(envCommand);
 }
 async function registerHotfixCommand(program) {
-  const { hotfixCommand } = await import('./hotfix-RJIAPLAM.js');
+  const { hotfixCommand } = await import('./hotfix-JYHDY2M6.js');
   program.addCommand(hotfixCommand);
 }
 async function registerSdkCommand(program) {
@@ -498,11 +498,11 @@ async function registerWorkflowCommand(program) {
   program.addCommand(workflowCommand);
 }
 async function registerVulnCheckCommand(program) {
-  const { vulnCheckCommand } = await import('./vuln-check-5NUTETPW.js');
+  const { vulnCheckCommand } = await import('./vuln-check-5JJ2YAJW.js');
   program.addCommand(vulnCheckCommand);
 }
 async function registerTemplateCheckCommand(program) {
-  const { templateCheckCommand } = await import('./template-check-BDFMT6ZO.js');
+  const { templateCheckCommand } = await import('./template-check-VNNQQXCX.js');
   program.addCommand(templateCheckCommand);
 }
 async function registerSessionCommands(program) {
@@ -708,7 +708,7 @@ async function executeProgram(program) {
   if (!isHelpOrVersion && shouldRunRuntimeBootstrap(argv)) {
     const [{ loadEnvFiles }, { enforceLicenseInCI }] = await Promise.all([
       import('./env-files-ONBC47I6.js'),
-      import('./license-OB7GVJQ2.js')
+      import('./license-M6ODBV4X.js')
     ]);
     loadEnvFiles({
       silent: true

package/dist/commands/db/apply/helpers/pg-schema-diff-helpers.d.ts

@@ -42,8 +42,14 @@ export interface MissingExtensionDetection {
  * and map them to the required PostgreSQL extensions.
  */
 export declare function detectMissingExtensionType(errorOutput: string): MissingExtensionDetection;
+/**
+ * Detect the actual extension management SQL file in the project.
+ * Falls back to the default path if no extension file is found.
+ */
+export declare function detectExtensionFilePath(): string;
 /**
  * Format actionable hint for missing extension type errors.
+ * Auto-detects the actual extension file path in the project.
  */
 export declare function formatExtensionErrorHint(detection: MissingExtensionDetection): string;
 export interface PartitionPrivilegeDetection {

package/dist/commands/db/commands/db-sync/production-precheck.d.ts

@@ -1,11 +1,3 @@
-/**
- * AI HINT: Production apply precheck orchestration
- *
- * Purpose: Run full production precheck pipeline: local risk checks + plan boundary reconciliation.
- * Collects findings, applies strict mode, logs results, and throws on blockers.
- *
- * Used by: db-sync.ts (maybeRunProductionApplyPrecheck)
- */
 import { type createCLILogger } from '@runa-ai/runa';
 import type { DbApplyOutput } from '../../apply/contract.js';
 import type { RunaDbEnv } from '../../utils/db-target.js';

package/dist/commands/db/sync/schema-guardrail-graph-guidance.d.ts

@@ -4,12 +4,29 @@
  * Purpose: Generate guidance warnings for schema boundary violations,
  * security definer issues, trigger ownership, and managed schema access
  */
-import type { SchemaGuardrailReport, SchemaGraphFunctionClaim, SchemaGraphFileNode, SchemaGraphSchemaNode } from './schema-guardrail-types.js';
+import type { BoundaryGuidanceWarning, SchemaGuardrailReport, SchemaGraphFunctionClaim, SchemaGraphFileNode, SchemaGraphSchemaNode, SchemaGraphTableNode, LoadedSqlSources } from './schema-guardrail-types.js';
 declare function buildBoundaryGuidanceWarnings(params: {
     fileNodes: SchemaGraphFileNode[];
     schemaNodes: SchemaGraphSchemaNode[];
     functionClaims: SchemaGraphFunctionClaim[];
     ownerFileByTable: Map<string, string>;
 }): SchemaGuardrailReport['boundaryGuidanceWarnings'];
+/**
+ * Detect trigger dispatch coverage gaps.
+ *
+ * When a trigger calls a dispatch function (e.g., check_org_id_matches_parent)
+ * with literal arguments (e.g., 'parent_table'), and the function body has
+ * CASE/WHEN branches that don't cover those arguments, report a warning.
+ */
+export declare function buildTriggerDispatchGapWarnings(params: {
+    tableNodes: Map<string, SchemaGraphTableNode>;
+    sources: LoadedSqlSources;
+}): BoundaryGuidanceWarning[];
+/**
+ * Detect index names that appear in both declarative and idempotent layers.
+ * This is typically redundant — declarative indexes are pg-schema-diff managed,
+ * and idempotent IF NOT EXISTS copies create silent redundancy.
+ */
+export declare function buildCrossLayerDuplicateIndexWarnings(sources: LoadedSqlSources): BoundaryGuidanceWarning[];
 export { buildBoundaryGuidanceWarnings };
 //# sourceMappingURL=schema-guardrail-graph-guidance.d.ts.map

package/dist/commands/db/sync/schema-guardrail-graph-nodes.d.ts

@@ -5,7 +5,7 @@
  * Includes: Trigger extraction, declarative file parsing,
  * table/FK/dependency/file node construction
  */
-import { type SqlFile } from '../utils/declarative-dependency-sql-utils.js';
+import type { SqlFile } from '../utils/declarative-dependency-sql-utils.js';
 import { type DeclarativeFileRecord, type DefinedFunctionMetadata, type ManagedBoundaryMetadata, type IdempotentTouchMetadata } from './schema-guardrail-graph-types.js';
 import type { SchemaGuardrailConfig, SchemaGraphFileDependencyEdge, SchemaGraphFileNode, SchemaGraphFunctionClaim, SchemaGraphPolicyClaim, SchemaGraphPolicyRef, SchemaGraphTableNode, SchemaGraphTriggerRef, SchemaGuardrailReport } from './schema-guardrail-types.js';
 declare function parseCreateTriggerStatement(statement: string): {

package/dist/commands/db/sync/schema-guardrail-graph-sql-helpers.d.ts

@@ -4,7 +4,7 @@
  * Purpose: SQL string sanitization, pattern matching, and metadata extraction
  * for idempotent file analysis
  */
-import { type SqlFile } from '../utils/declarative-dependency-sql-utils.js';
+import type { SqlFile } from '../utils/declarative-dependency-sql-utils.js';
 import type { IdempotentTouchMetadata } from './schema-guardrail-graph-types.js';
 declare function normalizeSqlIdentifier(value: string): string;
 declare function consumeSingleQuotedLiteral(params: {

package/dist/commands/db/sync/schema-guardrail-types.d.ts

@@ -3,8 +3,8 @@ export type SchemaManagedBlockKind = 'file-header' | 'table-header';
 export type SchemaGuardrailMode = 'check' | 'sync';
 export type SchemaGraphFileLayer = 'declarative' | 'idempotent';
 export type SchemaGraphFileAuthoringRole = 'declarative-owner' | 'operational';
-export type BoundaryGuidanceWarningKind = 'schema' | 'function' | 'policy' | 'security_definer' | 'trigger_function' | 'managed_boundary';
-export type LocalBlindSpotBlockerKind = 'cross-schema-rls' | 'dynamic-sql' | 'extension-placement';
+export type BoundaryGuidanceWarningKind = 'schema' | 'function' | 'policy' | 'security_definer' | 'trigger_function' | 'trigger_dispatch_gap' | 'managed_boundary';
+export type LocalBlindSpotBlockerKind = 'cross-schema-rls' | 'dynamic-sql' | 'dynamic-sql-infra' | 'extension-placement';
 export type SchemaGuardrailPhaseId = 'load_sources' | 'build_static_graph' | 'validate_ownership' | 'compare_generated_headers' | 'refresh_generated_headers' | 'handoff_db_sync' | 'runtime_reconcile' | 'publish_report';
 export type SchemaGuardrailFailureCode = 'source_load_failed' | 'duplicate_table_owner' | 'duplicate_function_owner' | 'policy_ownership_conflict' | 'raw_cross_schema_rls_blocked' | 'dynamic_sql_blocked' | 'extension_placement_blocked' | 'stale_generated_header' | 'generated_header_validation_failed' | 'generated_header_rewrite_failed' | 'static_graph_build_failed' | 'critical_runtime_graph_contradiction' | 'sync_apply_failed';
 export interface SchemaGraphFileNode {
@@ -58,6 +58,8 @@ export interface SchemaGraphTriggerRef {
     timing: 'BEFORE' | 'AFTER' | 'INSTEAD OF';
     event: string;
     functionName?: string;
+    /** Literal string arguments passed to the trigger function (e.g., 'parent_table') */
+    functionArgs?: string[];
 }
 export interface SchemaGraphTableNode {
     schema: string;