@runa-ai/runa-cli 0.9.0 → 0.10.1

package/dist/{db-D2OLJDYW.js → db-PRGL7PBX.js}

@@ -2,22 +2,21 @@
 import { createRequire } from 'module';
 import { detectDatabaseStack, getStackPaths } from './chunk-MILCC3B6.js';
 import { categorizeRisks, detectSchemaRisks } from './chunk-PAWNJA3N.js';
-import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, DbPlanOutputSchema, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, DbApplyOutputSchema, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, parsePlanOutput, validateDependencyOrder, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, formatSchemasForSql, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, assessPlanSize, formatPlanSizeSummary, extractFunctionOwnershipDefinition } from './chunk-YRNQEJQW.js';
-import './chunk-ZZOXM6Q4.js';
-import { createError } from './chunk-JQXOVCOP.js';
+import { isExecaError, resolveDbPreviewEnvironment, buildDbPlanCommandLabel, runDbApply, buildDbApplyCliError, DbPlanOutputSchema, parseDbPreviewProfile, DEFAULT_DB_PREVIEW_PROFILE, getDbPreviewModeLabel, buildDbPreviewCommandLabel, isCompareOnlyPreviewProfile, DbApplyOutputSchema, applyCommand, getDbPreviewIdempotentSchemaCount, classifyDbSyncCommandFailure, getDbSyncFallbackSuggestions, detectAppSchemas, normalizeDatabaseUrlForDdl, analyzeDuplicateFunctionOwnership, formatDuplicateFunctionOwnershipFinding, reviewDeclarativeDependencyWarnings, logDeclarativeDependencyWarnings, buildDeclarativeDependencyWarningFailureLines, parsePlanOutput, validateDependencyOrder, getBoundaryPolicy, resolveProductionApplyStrictMode, findDeclarativeRiskAllowlistMatch, assertBoundaryPolicyUsable, assertBoundaryPolicyQualityGate, formatSchemasForSql, findDirectoryPlacementAllowlistMatch, formatAllowlistMetadata, assessPlanSize, formatPlanSizeSummary, extractFunctionOwnershipDefinition } from './chunk-XRLIZKB2.js';
+import { createError } from './chunk-NIS77243.js';
 import { resolveDatabaseUrl, resolveDatabaseTarget, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
 export { resolveDatabaseUrl, tryResolveDatabaseUrl } from './chunk-WGRVAGSR.js';
-import { analyzeDeclarativeDependencyContract, formatDeclarativeDependencyViolation, parseSqlFilename, collectSqlFiles, splitSqlStatements, extractFirstDollarBody, sanitizeExecutableCode, FUNCTION_DEFINITION_RE, blankQuotedStrings, sanitizeExecutableCodePreserveStrings, countNewlines, shouldReviewUnknownDeclarativeDdl, extractDdlObject, isNonSchemaOperation, isNonDdlMaintenanceStatement, shouldReviewUnknownIdempotentDdl } from './chunk-ZWDWFMOX.js';
+import { analyzeDeclarativeDependencyContract, formatDeclarativeDependencyViolation, parseSqlFilename, collectSqlFiles, splitSqlStatements, ALLOW_DYNAMIC_SQL_ANNOTATION, extractFirstDollarBody, sanitizeExecutableCode, detectExtensionFilePath, FUNCTION_DEFINITION_RE, blankQuotedStrings, sanitizeExecutableCodePreserveStrings, countNewlines, shouldReviewUnknownDeclarativeDdl, extractDdlObject, isNonSchemaOperation, isNonDdlMaintenanceStatement, shouldReviewUnknownIdempotentDdl } from './chunk-HWR5NUUZ.js';
 import './chunk-UHDAYPHH.js';
 import './chunk-Y5ANTCKE.js';
 import { loadEnvFiles } from './chunk-IWVXI5O4.js';
-import './chunk-GKBE7EIE.js';
+import './chunk-ZPE52NEK.js';
 import { diagnoseSupabaseStart } from './chunk-AAIE4F2U.js';
 import { validateUserFilePath, filterSafePaths, resolveSafePath } from './chunk-B7C7CLW2.js';
 import { runMachine } from './chunk-QDF7QXBL.js';
 import './chunk-XVNDDHAF.js';
 import { writeEnvLocalBridge, removeEnvLocalBridge } from './chunk-KUH3G522.js';
-import { extractSchemaTablesAndEnums, fetchDbTablesAndEnums, extractTablesFromIdempotentSql, diffSchema, getSqlParserUtils, buildTablePatternMatcher } from './chunk-URWDB7YL.js';
+import { extractSchemaTablesAndEnums, fetchDbTablesAndEnums, extractTablesFromIdempotentSql, extractDynamicTablePatternsFromIdempotentSql, diffSchema, getSqlParserUtils, buildTablePatternMatcher } from './chunk-O3M7A73M.js';
 import { psqlExec, psqlQuery, blankDollarQuotedBodies, stripSqlComments, parsePostgresUrl, buildPsqlArgs, buildPsqlEnv } from './chunk-A6A7JIRD.js';
 import { redactSecrets } from './chunk-II7VYQEM.js';
 import { init_local_supabase, init_constants, detectLocalSupabasePorts, buildLocalDatabaseUrl, DATABASE_DEFAULTS, SEED_DEFAULTS, SCRIPT_LOCATIONS } from './chunk-QSEF4T3Y.js';
@@ -441,9 +440,10 @@ async function runCleanupAction(env, options) {
     } catch {
     }
     const idempotentTables = extractTablesFromIdempotentSql(idempotentSqlDir);
-    if (idempotentTables.length > 0) {
+    const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(idempotentSqlDir);
+    if (idempotentTables.length > 0 || dynamicPatterns.length > 0) {
       excludeFromOrphanDetection = [
-        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables])
+        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables, ...dynamicPatterns])
       ];
     }
     const diff = diffSchema({
@@ -1511,14 +1511,30 @@ function buildGuardrailConflictEntries(report, entries) {
 }
 function buildGuardrailHeaderEntries(report, entries) {
   if (report.staleBlocks.length > 0) {
+    const byFile = /* @__PURE__ */ new Map();
+    for (const block of report.staleBlocks) {
+      const kinds = byFile.get(block.file) ?? [];
+      kinds.push(block.kind === "file-header" ? "file metadata" : `table: ${block.target}`);
+      byFile.set(block.file, kinds);
+    }
     entries.push({
       level: "warn",
-      message: `Generated headers are stale in ${report.staleBlocks.map((value) => `${value.file}:${value.kind}`).join(", ")}`
+      message: `Generated headers are stale (${report.staleBlocks.length} block(s) in ${byFile.size} file(s)):`
     });
+    for (const [file, kinds] of byFile) {
+      entries.push({
+        level: "info",
+        message: `  ${file}: ${kinds.join(", ")}`
+      });
+    }
     if (!report.failure) {
       entries.push({
         level: "info",
-        message: "Run `runa db sync` to refresh generated headers before apply."
+        message: "Auto-fix: Run `runa db sync` to regenerate all headers automatically."
+      });
+      entries.push({
+        level: "info",
+        message: "Headers track: FK references, RLS policies, triggers, function ownership, and schema dependencies."
       });
     }
   }
@@ -1885,10 +1901,54 @@ function reportMediumRisks(result, logger4, mediumRisks) {
     logger4.info(`  \u2022 ${summary}`);
   }
 }
-function reportRiskGuidance(logger4, highRiskCount, lowRiskCount) {
-  if (lowRiskCount > 0) {
-    logger4.info(`  Found ${lowRiskCount} LOW risk suggestion(s) (informational)`);
+var SHOW_LOW_RISKS = process.env.RUNA_DB_SHOW_LOW_RISKS === "1";
+function reportLowRisks(logger4, lowRisks) {
+  if (lowRisks.length === 0) return;
+  if (SHOW_LOW_RISKS) {
+    logger4.info(`  Found ${lowRisks.length} LOW risk suggestion(s):`);
+    const summaries = summarizeRisks(lowRisks);
+    for (const summary of summaries) {
+      logger4.info(`    ${summary.replace("[MEDIUM]", "[LOW]")}`);
+    }
+  } else {
+    logger4.info(
+      `  Found ${lowRisks.length} LOW risk suggestion(s) (informational; set RUNA_DB_SHOW_LOW_RISKS=1 to see details)`
+    );
   }
+}
+function writeRiskJson(allRisks, categorized) {
+  if (!SHOW_LOW_RISKS) return;
+  const outputDir = path12.join(process.cwd(), ".runa", "tmp");
+  const outputPath = path12.join(outputDir, "schema-risks.json");
+  try {
+    mkdirSync(outputDir, { recursive: true });
+    const json = JSON.stringify(
+      {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        summary: {
+          high: categorized.high.length,
+          medium: categorized.medium.length,
+          low: categorized.low.length,
+          total: allRisks.length
+        },
+        risks: allRisks.map((risk) => ({
+          level: risk.level,
+          file: risk.file,
+          line: risk.line,
+          description: risk.description,
+          mitigation: risk.mitigation,
+          reasonCode: risk.reasonCode
+        }))
+      },
+      null,
+      2
+    );
+    writeFileSync(outputPath, json, "utf-8");
+  } catch {
+  }
+}
+function reportRiskGuidance(logger4, highRiskCount, lowRisks) {
+  reportLowRisks(logger4, lowRisks);
   if (highRiskCount > 0) {
     logger4.info("");
     logger4.info("  AGENTS.md requires Supabase Auth Schema Independence:");
@@ -1914,7 +1974,8 @@ async function runSqlSchemaRiskCheck(result, logger4, step) {
     const categorized = categorizeRisks(applySyncPreflightRiskPolicy(allRisks));
     reportHighRisks(result, logger4, categorized.high);
     reportMediumRisks(result, logger4, categorized.medium);
-    reportRiskGuidance(logger4, categorized.high.length, categorized.low.length);
+    reportRiskGuidance(logger4, categorized.high.length, categorized.low);
+    writeRiskJson(allRisks, categorized);
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     logger4.warn(`SQL schema risk check skipped: ${message}`);
@@ -1971,9 +2032,10 @@ async function runOrphanCheck(env, dbPackagePath, result, logger4, step) {
     } catch {
     }
     const idempotentTables = extractTablesFromIdempotentSql(idempotentSqlDir);
-    if (idempotentTables.length > 0) {
+    const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(idempotentSqlDir);
+    if (idempotentTables.length > 0 || dynamicPatterns.length > 0) {
       excludeFromOrphanDetection = [
-        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables])
+        .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables, ...dynamicPatterns])
       ];
     }
     const diff = diffSchema({
@@ -2724,26 +2786,45 @@ function shouldAbortSchemaPrecheckForBudget(state, filePath) {
 
 // src/commands/db/utils/sql-file-collector.ts
 init_esm_shims();
+var IGNORED_DIRECTORY_NAMES = /* @__PURE__ */ new Set([
+  "compat",
+  "archive",
+  "legacy",
+  "deprecated",
+  "backup",
+  "node_modules",
+  ".git",
+  "dist",
+  "build"
+]);
+function shouldSkipDirectory(name) {
+  return IGNORED_DIRECTORY_NAMES.has(name.toLowerCase());
+}
+function scanDirectory(dir, queue, sqlFiles) {
+  try {
+    const entries = readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path12.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (!shouldSkipDirectory(entry.name)) queue.push(fullPath);
+      } else if (entry.isFile() && entry.name.endsWith(".sql")) {
+        sqlFiles.push(fullPath);
+      }
+    }
+  } catch {
+  }
+}
 function* collectSqlFilesRecursively(baseDir) {
   const queue = [baseDir];
+  const sqlFiles = [];
   let index = 0;
   while (index < queue.length) {
     const currentDir = queue[index++];
     if (!currentDir) continue;
-    try {
-      const entries = readdirSync(currentDir, { withFileTypes: true });
-      for (const entry of entries) {
-        const fullPath = path12.join(currentDir, entry.name);
-        if (entry.isDirectory()) {
-          queue.push(fullPath);
-          continue;
-        }
-        if (entry.isFile() && entry.name.endsWith(".sql")) {
-          yield fullPath;
-        }
-      }
-    } catch {
-    }
+    scanDirectory(currentDir, queue, sqlFiles);
+  }
+  for (const file of sqlFiles) {
+    yield file;
   }
 }
 
@@ -3557,12 +3638,18 @@ function classifyIdempotentMisplacementRisk(file, content, boundaryPolicy) {
     skipUnknown: (statement, unknownObject) => isPartitionOfCreateTable(statement) && unknownObject === "TABLE"
   });
 }
+var DYNAMIC_SQL_DOWNGRADEABLE_PATTERNS = [
+  "Function DDL should be in declarative",
+  "Trigger DDL should be in declarative"
+];
+var DROP_IF_EXISTS_CLEANUP = /^\s*DROP\s+(?:FUNCTION|TRIGGER|VIEW|INDEX|POLICY|TYPE|SEQUENCE)\s+IF\s+EXISTS\b/i;
 function classifyFileMisplacementRisks(params) {
   const risks = [];
   const relative2 = path12.relative(process.cwd(), params.file);
   const normalized = normalizeSqlForPlacementCheck(params.content);
   const statements = splitSqlStatements(normalized);
   const seenMessages = /* @__PURE__ */ new Set();
+  const hasAllowDynamicSqlAnnotation = params.fileType === "idempotent" && ALLOW_DYNAMIC_SQL_ANNOTATION.test(params.content);
   for (const { statement, line } of statements) {
     const candidates = collectRuleBasedCandidates({
       statement,
@@ -3584,6 +3671,14 @@ function classifyFileMisplacementRisks(params) {
     }
     const best = selectHighestPriorityRisk(candidates);
     if (!best) continue;
+    if (params.fileType === "idempotent") {
+      if (DROP_IF_EXISTS_CLEANUP.test(statement)) {
+        best.level = "low";
+      }
+      if (hasAllowDynamicSqlAnnotation && DYNAMIC_SQL_DOWNGRADEABLE_PATTERNS.some((p) => best.message.includes(p))) {
+        best.level = "low";
+      }
+    }
     const key = buildDirectoryRiskKey(best);
     if (seenMessages.has(key)) continue;
     seenMessages.add(key);
@@ -4388,9 +4483,10 @@ var reconcile = fromPromise(
       } catch {
       }
       const idempotentTables = extractTablesFromIdempotentSql(idempotentSqlDir);
-      if (idempotentTables.length > 0) {
+      const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(idempotentSqlDir);
+      if (idempotentTables.length > 0 || dynamicPatterns.length > 0) {
         excludeFromOrphanDetection = [
-          .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables])
+          .../* @__PURE__ */ new Set([...excludeFromOrphanDetection, ...idempotentTables, ...dynamicPatterns])
         ];
       }
       const diff = diffSchema({
@@ -5185,6 +5281,29 @@ function createDefaultSchemaGuardrailConfig() {
     idempotentSqlDir: "supabase/schemas/idempotent"
   };
 }
+function loadAllowedDuplicatesFromSchemaOwnership(targetDir) {
+  const candidates = [
+    join(targetDir, "supabase", "schemas", "schema-ownership.json"),
+    join(targetDir, "schema-ownership.json")
+  ];
+  for (const filePath of candidates) {
+    if (!existsSync(filePath)) continue;
+    try {
+      const raw = JSON.parse(readFileSync(filePath, "utf-8"));
+      const allowedDuplicates = raw?.rules?.allowed_duplicates;
+      if (!Array.isArray(allowedDuplicates)) continue;
+      return allowedDuplicates.filter(
+        (entry) => typeof entry === "object" && entry !== null && "qualifiedName" in entry && typeof entry.qualifiedName === "string"
+      ).map((entry) => ({
+        qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
+        signature: normalizeAllowlistSignature(entry.signature ?? ""),
+        reason: entry.reason ?? "Loaded from schema-ownership.json"
+      }));
+    } catch {
+    }
+  }
+  return [];
+}
 function loadSchemaGuardrailConfig(targetDir) {
   const defaults = createDefaultSchemaGuardrailConfig();
   try {
@@ -5192,13 +5311,17 @@ function loadSchemaGuardrailConfig(targetDir) {
     const databaseConfig = config.database ?? {};
     return {
       declarativeSqlDir: databaseConfig.schemaGuardrails?.declarativeSqlDir ?? defaults.declarativeSqlDir,
-      allowedDuplicateFunctions: databaseConfig.schemaGuardrails?.allowedDuplicateFunctions?.map((entry) => ({
-        ...entry,
-        qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
-        signature: normalizeAllowlistSignature(entry.signature),
-        declarativeFile: entry.declarativeFile ? normalizePathForMatch(entry.declarativeFile) : void 0,
-        idempotentFile: entry.idempotentFile ? normalizePathForMatch(entry.idempotentFile) : void 0
-      })) ?? [],
+      allowedDuplicateFunctions: [
+        ...databaseConfig.schemaGuardrails?.allowedDuplicateFunctions?.map((entry) => ({
+          ...entry,
+          qualifiedName: normalizeFunctionQualifiedName(entry.qualifiedName),
+          signature: normalizeAllowlistSignature(entry.signature),
+          declarativeFile: entry.declarativeFile ? normalizePathForMatch(entry.declarativeFile) : void 0,
+          idempotentFile: entry.idempotentFile ? normalizePathForMatch(entry.idempotentFile) : void 0
+        })) ?? [],
+        // Fallback: merge schema-ownership.json allowed_duplicates if present
+        ...loadAllowedDuplicatesFromSchemaOwnership(targetDir)
+      ],
       generatedHeaderRewriteTargets: normalizeFileList(
         (databaseConfig.schemaGuardrails?.generatedHeaderRewriteTargets ?? []).map(
           (value) => normalizePathForMatch(value)
@@ -5266,8 +5389,13 @@ function loadExtraTableFilters(targetDir) {
   const idempotentManagedTables = new Set(
     extractTablesFromIdempotentSql(idempotentDirectory, targetDir)
   );
+  const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(
+    idempotentDirectory,
+    targetDir
+  );
+  const allExclusions = [...config.excludeFromOrphanDetection, ...dynamicPatterns];
   return {
-    exclusionMatcher: buildTablePatternMatcher(config.excludeFromOrphanDetection),
+    exclusionMatcher: buildTablePatternMatcher(allExclusions),
     idempotentManagedTables
   };
 }
@@ -5480,24 +5608,36 @@ function collectExecuteOccurrencesFromBody(body, startLine) {
   }
   return occurrences.sort((left, right) => left.line - right.line);
 }
+var PARTITION_INFRA_PATTERNS = [
+  /\bPARTITION\b/i,
+  /\bATTACH\b/i,
+  /\bDETACH\b/i,
+  /\bCREATE\s+TABLE\s+IF\s+NOT\s+EXISTS\b/i,
+  /\bdefault\s*partition\b/i,
+  /\brange_partition\b/i
+];
+function isPartitionInfrastructure(body) {
+  return PARTITION_INFRA_PATTERNS.some((pattern) => pattern.test(body));
+}
 function createDynamicSqlBlockersForStatement(params) {
   const body = extractFirstDollarBody(params.statement, params.line);
   if (!body) {
     return [];
   }
   const executeOccurrences = collectExecuteOccurrencesFromBody(body.body, body.startLine);
+  const isInfra = isPartitionInfrastructure(body.body);
   return executeOccurrences.map((occurrence) => ({
-    kind: "dynamic-sql",
+    kind: isInfra ? "dynamic-sql-infra" : "dynamic-sql",
     sourceFile: params.sourceFile,
     line: occurrence.line,
     target: "EXECUTE",
-    details: occurrence.hasStaticLiteral ? "EXECUTE in SQL bodies is blocked locally. Replace it with direct guarded calls or static SQL." : "Unresolved dynamic EXECUTE is blocked locally. Replace it with explicit static SQL or explicit allowlisted statements."
+    details: isInfra ? "Dynamic SQL detected in partition/DDL infrastructure helper. Add `-- runa:allow-dynamic-sql reason: partition-helper` to suppress." : occurrence.hasStaticLiteral ? "EXECUTE in SQL bodies is blocked locally. Replace it with direct guarded calls or static SQL." : "Unresolved dynamic EXECUTE is blocked locally. Replace it with explicit static SQL or explicit allowlisted statements."
   }));
 }
 function buildDynamicSqlBlockers(params) {
   const blockers = [];
-  const allFiles = [...params.sources.declarativeFiles, ...params.sources.idempotentFiles];
-  for (const file of allFiles) {
+  for (const file of params.sources.declarativeFiles) {
+    if (ALLOW_DYNAMIC_SQL_ANNOTATION.test(file.content)) continue;
     for (const parsed of splitSqlStatements(file.content)) {
       blockers.push(
         ...createDynamicSqlBlockersForStatement({
@@ -5508,6 +5648,21 @@ function buildDynamicSqlBlockers(params) {
       );
     }
   }
+  for (const file of params.sources.idempotentFiles) {
+    if (ALLOW_DYNAMIC_SQL_ANNOTATION.test(file.content)) continue;
+    for (const parsed of splitSqlStatements(file.content)) {
+      const stmtBlockers = createDynamicSqlBlockersForStatement({
+        sourceFile: file.relativePath,
+        statement: parsed.statement,
+        line: parsed.line
+      });
+      for (const blocker of stmtBlockers) {
+        blocker.kind = "dynamic-sql-infra";
+        blocker.details = `${blocker.details} (idempotent file \u2014 add \`-- runa:allow-dynamic-sql reason: <role>\` if this is intentional infrastructure, e.g. partition-helper, runtime-infrastructure, compatibility-bootstrap)`;
+      }
+      blockers.push(...stmtBlockers);
+    }
+  }
   return stableSorted2(blockers, (value) => `${value.sourceFile}:${value.line ?? 0}:${value.kind}`);
 }
 function buildLocalBlindSpotBlockers(params) {
@@ -5522,7 +5677,7 @@ function buildLocalBlindSpotBlockers(params) {
     }),
     ...buildExtensionPlacementBlockers({
       sources: params.sources,
-      requiredFile: path12.posix.join("supabase", "schemas", "idempotent", "00_extensions.sql")
+      requiredFile: detectExtensionFilePath()
     })
   ];
   return stableSorted2(
@@ -5917,6 +6072,19 @@ function buildManagedBoundaryMetadataByFile(files) {
 }
 
 // src/commands/db/sync/schema-guardrail-graph-nodes.ts
+function extractTriggerFunctionArgs(statement) {
+  const execMatch = statement.match(
+    /\bEXECUTE\s+(?:FUNCTION|PROCEDURE)\s+(?:(?:"[^"]+"|[A-Za-z_]\w*)\s*\.\s*)?(?:"[^"]+"|[A-Za-z_]\w*)\s*\(([^)]*)\)/i
+  );
+  if (!execMatch?.[1]) return [];
+  const argsText = execMatch[1].trim();
+  if (!argsText) return [];
+  return argsText.split(",").map((arg) => arg.trim()).map((arg) => {
+    const stringMatch = arg.match(/^'([^']*)'$/);
+    if (stringMatch) return stringMatch[1];
+    return null;
+  }).filter((arg) => arg !== null);
+}
 function parseCreateTriggerStatement(statement) {
   const triggerRegex = /^\s*CREATE\s+TRIGGER\s+(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))\s+(BEFORE|AFTER|INSTEAD\s+OF)\s+([\s\S]+?)\s+ON\s+(?:(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))\s*\.\s*)?(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))[\s\S]*?\bEXECUTE\s+(?:FUNCTION|PROCEDURE)\s+(?:(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))\s*\.\s*)?(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))/i;
   const match = statement.match(triggerRegex);
@@ -5933,13 +6101,15 @@ function parseCreateTriggerStatement(statement) {
   const schema = (match[5] ?? match[6] ?? "public").toLowerCase();
   const functionSchema = (match[9] ?? match[10] ?? "").toLowerCase();
   const functionName = (match[11] ?? match[12] ?? "").toLowerCase();
+  const functionArgs = extractTriggerFunctionArgs(statement);
   return {
     qualifiedTable: `${schema}.${table}`,
     trigger: {
       name: triggerName,
       timing,
       event,
-      functionName: functionName ? functionSchema ? `${functionSchema}.${functionName}` : functionName : void 0
+      functionName: functionName ? functionSchema ? `${functionSchema}.${functionName}` : functionName : void 0,
+      functionArgs: functionArgs.length > 0 ? functionArgs : void 0
     }
   };
 }
@@ -6902,6 +7072,114 @@ function buildBoundaryGuidanceWarnings(params) {
     (value) => `${value.sourceFile}.${value.kind}.${value.suggestedDeclarativeFile ?? ""}.${value.suggestedIdempotentFile ?? ""}.${value.target}`
   );
 }
+function extractCaseWhenBranches(functionBody) {
+  const branches = [];
+  const whenPattern = /\bWHEN\s+'([^']+)'/gi;
+  for (const match of functionBody.matchAll(whenPattern)) {
+    if (match[1]) branches.push(match[1].toLowerCase());
+  }
+  return [...new Set(branches)];
+}
+function escapeForRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function findFunctionBody(qualifiedName, sources) {
+  const rawName = qualifiedName.includes(".") ? qualifiedName.split(".")[1] : qualifiedName;
+  if (!rawName) return null;
+  const escaped = escapeForRegex(rawName);
+  const pattern = new RegExp(
+    `CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+(?:(?:"[^"]+"|\\w+)\\.)?(?:"?${escaped}"?)\\s*\\(`,
+    "i"
+  );
+  for (const file of [...sources.declarativeFiles, ...sources.idempotentFiles]) {
+    if (!pattern.test(file.content)) continue;
+    const bodyMatch = file.content.match(
+      new RegExp(
+        `CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+(?:(?:"[^"]+"|\\w+)\\.)?(?:"?${escaped}"?)\\s*\\([^)]*\\)[\\s\\S]*?\\$\\w*\\$([\\s\\S]*?)\\$\\w*\\$`,
+        "i"
+      )
+    );
+    if (bodyMatch?.[1]) return bodyMatch[1];
+  }
+  return null;
+}
+function buildTriggerDispatchGapWarnings(params) {
+  const argsByFunction = collectTriggerArgsByFunction(params.tableNodes);
+  return validateDispatchCoverage(argsByFunction, params.sources);
+}
+function collectTriggerArgsByFunction(tableNodes) {
+  const argsByFunction = /* @__PURE__ */ new Map();
+  for (const [, tableNode] of tableNodes) {
+    for (const trigger of tableNode.triggers) {
+      if (!trigger.functionName || !trigger.functionArgs?.length) continue;
+      for (const arg of trigger.functionArgs) {
+        const entries = argsByFunction.get(trigger.functionName) ?? [];
+        entries.push({
+          arg: arg.toLowerCase(),
+          triggerName: trigger.name,
+          table: tableNode.qualifiedName
+        });
+        argsByFunction.set(trigger.functionName, entries);
+      }
+    }
+  }
+  return argsByFunction;
+}
+function validateDispatchCoverage(argsByFunction, sources) {
+  const warnings = [];
+  for (const [functionName, triggerArgs] of argsByFunction) {
+    const body = findFunctionBody(functionName, sources);
+    if (!body || !/\bCASE\b/i.test(body)) continue;
+    const coveredBranches = extractCaseWhenBranches(body);
+    if (coveredBranches.length === 0) continue;
+    for (const { arg, triggerName, table } of triggerArgs) {
+      if (!coveredBranches.includes(arg)) {
+        warnings.push({
+          sourceFile: table,
+          kind: "trigger_dispatch_gap",
+          target: `${functionName}('${arg}')`,
+          reason: `Trigger "${triggerName}" on ${table} passes '${arg}' to ${functionName}(), but the function's CASE statement does not handle this value. Add a WHEN '${arg}' branch to prevent runtime errors.`
+        });
+      }
+    }
+  }
+  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+}
+var CREATE_INDEX_PATTERN = /^\s*CREATE\s+(?:UNIQUE\s+)?(?:INDEX\s+)?(?:CONCURRENTLY\s+)?(?:IF\s+NOT\s+EXISTS\s+)?(?:"([^"]+)"|([A-Za-z_]\w*))\s+ON\b/gim;
+function extractIndexNames(content) {
+  const names = /* @__PURE__ */ new Set();
+  CREATE_INDEX_PATTERN.lastIndex = 0;
+  for (const match of content.matchAll(CREATE_INDEX_PATTERN)) {
+    const name = (match[1] ?? match[2] ?? "").toLowerCase();
+    if (name) names.add(name);
+  }
+  return names;
+}
+function buildCrossLayerDuplicateIndexWarnings(sources) {
+  const declarativeIndexes = /* @__PURE__ */ new Map();
+  for (const file of sources.declarativeFiles) {
+    for (const name of extractIndexNames(file.content)) {
+      declarativeIndexes.set(name, file.relativePath);
+    }
+  }
+  const warnings = [];
+  for (const file of sources.idempotentFiles) {
+    for (const name of extractIndexNames(file.content)) {
+      const declarativeFile = declarativeIndexes.get(name);
+      if (declarativeFile) {
+        warnings.push({
+          sourceFile: file.relativePath,
+          kind: "trigger_function",
+          // reuse existing kind for index cross-layer
+          target: name,
+          suggestedDeclarativeFile: declarativeFile,
+          reason: `Index "${name}" is defined in both declarative (${declarativeFile}) and idempotent (${file.relativePath}). The idempotent copy is redundant \u2014 remove it or use a different index name.`
+        });
+      }
+    }
+  }
+  return stableSorted4(warnings, (w) => `${w.sourceFile}:${w.target}`);
+}
 
 // src/commands/db/sync/schema-guardrail-graph.ts
 function loadSqlSources(targetDir, config) {
@@ -7031,12 +7309,19 @@ async function buildStaticGraph(targetDir, config, sources) {
     runtimeTables: loadRuntimeTablesManifest(targetDir),
     config
   });
-  const boundaryGuidanceWarnings = buildBoundaryGuidanceWarnings({
-    fileNodes,
-    schemaNodes,
-    functionClaims,
-    ownerFileByTable
-  });
+  const boundaryGuidanceWarnings = [
+    ...buildBoundaryGuidanceWarnings({
+      fileNodes,
+      schemaNodes,
+      functionClaims,
+      ownerFileByTable
+    }),
+    ...buildTriggerDispatchGapWarnings({
+      tableNodes: tableNodesByName,
+      sources
+    }),
+    ...buildCrossLayerDuplicateIndexWarnings(sources)
+  ];
   const localBlindSpotBlockers = buildLocalBlindSpotBlockers({
     graph,
     sources,
@@ -7149,7 +7434,8 @@ function createCheckModePhases(report) {
           phase: "compare_generated_headers",
           details: {
             file: block.file,
-            target: block.target
+            target: block.target,
+            repair: "Run `runa db sync` to auto-regenerate headers"
           }
         }))
       })
@@ -7231,7 +7517,7 @@ function setFailure2(report, phase, code, message) {
 function stableSorted5(values, map) {
   return [...values].sort((a, b) => map(a).localeCompare(map(b)));
 }
-function normalizeFileList4(files) {
+function normalizeFileList3(files) {
   return [...new Set(files)].sort((a, b) => a.localeCompare(b));
 }
 function renderList(values) {
@@ -7716,7 +8002,7 @@ function rewriteManagedHeaders(params) {
       )
     };
   }
-  params.report.headersRewritten = normalizeFileList4(params.report.headersRewritten);
+  params.report.headersRewritten = normalizeFileList3(params.report.headersRewritten);
   params.report.rewritesRetainedOnDisk = params.report.headersRewritten.length > 0;
   params.report.staleBlocks = [];
   return null;
@@ -8073,7 +8359,7 @@ async function runProductionDdlOrderCheck(params) {
   }
   params.logger.info("\u{1F50D} Checking production DDL ordering...");
   try {
-    const { executePgSchemaDiffPlan } = await import('./pg-schema-diff-helpers-7377FS2D.js');
+    const { executePgSchemaDiffPlan } = await import('./pg-schema-diff-helpers-JZO4GAQG.js');
     const { planOutput } = executePgSchemaDiffPlan(
       productionUrl,
       schemasDir,
@@ -11416,6 +11702,62 @@ function formatImportImpactReport(report, changedSymbols) {
 // src/commands/db/commands/db-sync/production-precheck.ts
 init_esm_shims();
 
+// src/commands/db/utils/changed-files-detector.ts
+init_esm_shims();
+function detectDefaultBranch() {
+  const result = spawnSync("git", ["rev-parse", "--verify", "main"], {
+    timeout: 5e3,
+    encoding: "utf-8"
+  });
+  return result.status === 0 ? "main" : "master";
+}
+function getChangedSqlFiles() {
+  try {
+    const defaultBranch = detectDefaultBranch();
+    const mergeBase = spawnSync("git", ["merge-base", "HEAD", defaultBranch], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    let diffOutput;
+    if (mergeBase.status === 0 && mergeBase.stdout.trim()) {
+      const diff = spawnSync("git", ["diff", "--name-only", mergeBase.stdout.trim(), "HEAD"], {
+        timeout: 5e3,
+        encoding: "utf-8"
+      });
+      diffOutput = diff.stdout ?? "";
+    } else {
+      const diff = spawnSync("git", ["diff", "--name-only", "HEAD"], {
+        timeout: 5e3,
+        encoding: "utf-8"
+      });
+      diffOutput = diff.stdout ?? "";
+    }
+    const uncommitted = spawnSync("git", ["diff", "--name-only"], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    const staged = spawnSync("git", ["diff", "--name-only", "--cached"], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    const allChanged = [
+      ...diffOutput.split("\n"),
+      ...(uncommitted.stdout ?? "").split("\n"),
+      ...(staged.stdout ?? "").split("\n")
+    ].map((f) => f.trim()).filter((f) => f.length > 0 && f.endsWith(".sql"));
+    return [...new Set(allChanged)].sort();
+  } catch {
+    return [];
+  }
+}
+function classifyBlockerScope(blockerMessage, changedFiles) {
+  const fileMatch = blockerMessage.match(
+    /(supabase\/schemas\/(?:declarative|idempotent)\/[^\s:]+\.sql)/
+  );
+  if (!fileMatch) return "baseline";
+  return changedFiles.has(fileMatch[1]) ? "current-change" : "baseline";
+}
+
 // src/commands/db/commands/db-sync/plan-hazard-analyzer.ts
 init_esm_shims();
 function parseHazardType(hazard) {
@@ -11722,13 +12064,26 @@ async function collectLocalPrecheckBundle(strict) {
   const adjustedPlacementRisks = applyStrictModeToReport(placementRisks, strict);
   const adjustedExtensionRisks = applyStrictModeToReport(extensionRisks, strict);
   const duplicateOwnershipAnalysis = analyzeDuplicateFunctionOwnership(process.cwd());
-  const duplicateOwnershipBlockers = duplicateOwnershipAnalysis.findings.map((finding) => {
+  let guardrailAllowlist = [];
+  try {
+    guardrailAllowlist = loadSchemaGuardrailConfig(process.cwd()).allowedDuplicateFunctions;
+  } catch {
+  }
+  const duplicateOwnershipBlockers = duplicateOwnershipAnalysis.findings.filter(
+    (finding) => !isAllowlistedDuplicateFunction({
+      finding,
+      allowlist: guardrailAllowlist,
+      bodyHashes: /* @__PURE__ */ new Map()
+      // Hash check skipped; name + signature matching still works
+    })
+  ).map((finding) => {
     const formatted = formatDuplicateFunctionOwnershipFinding(finding);
     return [
       formatted.summary,
       `declarative=${formatted.declarativeLocations.join(", ")}`,
       `idempotent=${formatted.idempotentLocations.join(", ")}`,
-      formatted.suggestion
+      formatted.suggestion,
+      "Allowlist: runa.config.ts database.schemaGuardrails.allowedDuplicateFunctions"
     ].join(" | ");
   });
   const hasLocalBlockers = duplicateOwnershipBlockers.length > 0 || hasReportBlockers(adjustedPlacementRisks) || hasReportBlockers(adjustedDeclarativeRisks) || hasReportBlockers(adjustedIdempotentRisks) || hasReportBlockers(adjustedExtensionRisks);
@@ -11795,32 +12150,185 @@ function printLocalFindingCompactSummary(logger4, local, topLimit) {
     topLimit
   );
 }
+var APPLY_BLOCKER_PATTERNS = [
+  /Extension DDL/i,
+  /DROP.*CONCURRENTLY/i,
+  /DML.*declarative/i,
+  /DO.*maintenance/i,
+  /cross.*schema.*rls/i,
+  /auth\.\*.*direct.*reference/i,
+  /Duplicate function ownership/i
+];
+var INFRA_DYNAMIC_SQL_INDICATOR = /idempotent file/i;
+function isApplyBlocker(message) {
+  if (/EXECUTE|dynamic.*sql/i.test(message)) {
+    return !INFRA_DYNAMIC_SQL_INDICATOR.test(message);
+  }
+  return APPLY_BLOCKER_PATTERNS.some((pattern) => pattern.test(message));
+}
+function categorizeBlockers(blockers) {
+  const applyBlockers = [];
+  const architectureDebt = [];
+  for (const blocker of blockers) {
+    if (isApplyBlocker(blocker)) {
+      applyBlockers.push(blocker);
+    } else {
+      architectureDebt.push(blocker);
+    }
+  }
+  return { applyBlockers, architectureDebt };
+}
 function printLocalFindingDetailedReport(logger4, local) {
-  logFindingSection(
+  logLocalWarningsSections(logger4, local);
+  const allBlockers = collectAllBlockers(local);
+  const { applyBlockers, architectureDebt } = categorizeBlockers(allBlockers);
+  const changedFiles = new Set(getChangedSqlFiles());
+  if (changedFiles.size > 0) {
+    logScopedBlockers(logger4, applyBlockers, architectureDebt, changedFiles);
+  } else {
+    logUnscopedBlockers(logger4, applyBlockers, architectureDebt);
+  }
+}
+function logLocalWarningsSections(logger4, local) {
+  logFindingSection(logger4, "Declarative risk warnings:", local.adjustedDeclarativeRisks.warnings);
+  logFindingSection(logger4, "Idempotent risk warnings:", local.adjustedIdempotentRisks.warnings);
+  logFindingSection(logger4, "Placement warnings:", local.adjustedPlacementRisks.warnings);
+  logFindingSection(logger4, "Extension warnings:", local.adjustedExtensionRisks.warnings);
+}
+function collectAllBlockers(local) {
+  return [
+    ...local.duplicateOwnershipBlockers,
+    ...local.adjustedPlacementRisks.blockers,
+    ...local.adjustedDeclarativeRisks.blockers,
+    ...local.adjustedIdempotentRisks.blockers,
+    ...local.adjustedExtensionRisks.blockers
+  ];
+}
+function logScopedBlockers(logger4, applyBlockers, architectureDebt, changedFiles) {
+  const current = applyBlockers.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "current-change"
+  );
+  const baseline = applyBlockers.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "baseline"
+  );
+  const currentDebt = architectureDebt.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "current-change"
+  );
+  const baselineDebt = architectureDebt.filter(
+    (b) => classifyBlockerScope(b, changedFiles) === "baseline"
+  );
+  logBlockerGroup(
     logger4,
-    "Duplicate function ownership blockers:",
-    local.duplicateOwnershipBlockers
+    "error",
+    "[current change] Apply blockers",
+    current,
+    "fix before merging"
   );
-  logFindingSection(
+  logBlockerGroup(logger4, "warn", "[current change] Architecture debt", currentDebt);
+  logBlockerGroup(
     logger4,
-    "Risk checks on supabase/schemas/declarative/*.sql:",
-    local.adjustedDeclarativeRisks.warnings
+    "error",
+    "[repo baseline] Apply blockers",
+    baseline,
+    "pre-existing issues"
   );
-  logFindingSection(
+  logBlockerGroup(
     logger4,
-    "Risk checks on supabase/schemas/idempotent/*.sql:",
-    local.adjustedIdempotentRisks.warnings
+    "warn",
+    "[repo baseline] Architecture debt",
+    baselineDebt,
+    "pre-existing"
   );
-  logFindingSection(
+  logImpactSummary(logger4, {
+    current: current.length + currentDebt.length,
+    currentApply: current.length,
+    currentDebt: currentDebt.length,
+    baseline: baseline.length + baselineDebt.length,
+    baselineApply: baseline.length,
+    baselineDebt: baselineDebt.length,
+    total: applyBlockers.length + architectureDebt.length
+  });
+}
+var PRECHECK_COUNTS_PATH = join(".runa", "tmp", "precheck-counts.json");
+function loadPreviousPrecheckCounts() {
+  try {
+    const fullPath = join(process.cwd(), PRECHECK_COUNTS_PATH);
+    if (!existsSync(fullPath)) return null;
+    return JSON.parse(readFileSync(fullPath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function savePrecheckCounts(counts) {
+  try {
+    const fullPath = join(process.cwd(), PRECHECK_COUNTS_PATH);
+    const dir = join(fullPath, "..");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(fullPath, JSON.stringify(counts, null, 2), "utf-8");
+  } catch {
+  }
+}
+function logImpactSummary(logger4, counts) {
+  logger4.info("");
+  logger4.info("Impact summary:");
+  if (counts.current === 0 && counts.total > 0) {
+    logger4.info("  Current change: no new issues introduced");
+  } else if (counts.current > 0) {
+    logger4.info(
+      `  Regressions:    ${counts.current} issue(s) from changed files (${counts.currentApply} apply, ${counts.currentDebt} debt)`
+    );
+  }
+  if (counts.baseline > 0) {
+    logger4.info(
+      `  Baseline debt:  ${counts.baseline} pre-existing issue(s) (${counts.baselineApply} apply, ${counts.baselineDebt} debt)`
+    );
+  }
+  if (counts.total === 0) {
+    logger4.info("  All clear \u2014 no blockers or debt detected");
+  }
+  const previous = loadPreviousPrecheckCounts();
+  if (previous) {
+    const delta = counts.total - previous.total;
+    if (delta < 0) {
+      logger4.info(`  Improvement: ${Math.abs(delta)} fewer issue(s) than previous run`);
+    } else if (delta > 0) {
+      logger4.info(`  Regression:  ${delta} more issue(s) than previous run`);
+    } else {
+      logger4.info("  No change from previous run");
+    }
+  }
+  savePrecheckCounts({
+    total: counts.total,
+    apply: counts.currentApply + counts.baselineApply,
+    debt: counts.currentDebt + counts.baselineDebt,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+function logUnscopedBlockers(logger4, applyBlockers, architectureDebt) {
+  logBlockerGroup(
+    logger4,
+    "error",
+    "Apply blockers",
+    applyBlockers,
+    "deployment will fail if not fixed"
+  );
+  logBlockerGroup(
     logger4,
-    "Schema-directory placement checks:",
-    local.adjustedPlacementRisks.warnings
+    "warn",
+    "Architecture debt",
+    architectureDebt,
+    "works but should be addressed"
   );
-  logFindingSection(logger4, "Extension checks:", local.adjustedExtensionRisks.warnings);
-  logFindingSection(logger4, "Schema-directory blockers:", local.adjustedPlacementRisks.blockers);
-  logFindingSection(logger4, "Declarative risk blockers:", local.adjustedDeclarativeRisks.blockers);
-  logFindingSection(logger4, "Idempotent risk blockers:", local.adjustedIdempotentRisks.blockers);
-  logFindingSection(logger4, "Extension blockers:", local.adjustedExtensionRisks.blockers);
+}
+function logBlockerGroup(logger4, level, title, items, subtitle) {
+  if (items.length === 0) return;
+  const suffix = subtitle ? ` \u2014 ${subtitle}` : "";
+  const logFn = level === "error" ? logger4.error.bind(logger4) : logger4.warn.bind(logger4);
+  logFn(`
+${title} (${items.length})${suffix}:`);
+  for (const item of items) {
+    logger4.info(`  ${item}`);
+  }
 }
 function logLocalFindings(logger4, local, summary) {
   if (!local.hasLocalFindings) return;
@@ -12163,9 +12671,12 @@ async function runSyncAction(env, options) {
     const { dbTables, dbEnums } = await fetchDbTablesAndEnums(databaseUrl);
     const schemaDiffConfig = loadSchemaDiffConfig();
     const idempotentTables = extractTablesFromIdempotentSql(schemaDiffConfig.idempotentSqlDir);
+    const dynamicPatterns = extractDynamicTablePatternsFromIdempotentSql(
+      schemaDiffConfig.idempotentSqlDir
+    );
     const excludeFromOrphanDetection = mergeExcludedTables(
       schemaDiffConfig.excludeFromOrphanDetection,
-      idempotentTables
+      [...idempotentTables, ...dynamicPatterns]
     );
     const diff = diffSchema({
       expectedTables,