@soulbatical/tetra-dev-toolkit 1.20.2 → 2.0.0

package/lib/runner.js

@@ -12,10 +12,6 @@ import * as serviceKeyExposure from './checks/security/service-key-exposure.js'
 import * as deprecatedSupabaseAdmin from './checks/security/deprecated-supabase-admin.js'
 import * as directSupabaseClient from './checks/security/direct-supabase-client.js'
 import * as frontendSupabaseQueries from './checks/security/frontend-supabase-queries.js'
-import * as tetraCoreCompliance from './checks/security/tetra-core-compliance.js'
-import * as mixedDbUsage from './checks/security/mixed-db-usage.js'
-import * as configRlsAlignment from './checks/security/config-rls-alignment.js'
-import * as rpcSecurityMode from './checks/security/rpc-security-mode.js'
 import * as systemdbWhitelist from './checks/security/systemdb-whitelist.js'
 import * as huskyHooks from './checks/stability/husky-hooks.js'
 import * as ciPipeline from './checks/stability/ci-pipeline.js'
@@ -25,65 +21,12 @@ import * as fileSize from './checks/codeQuality/file-size.js'
 import * as namingConventions from './checks/codeQuality/naming-conventions.js'
 import * as routeSeparation from './checks/codeQuality/route-separation.js'
 import * as gitignoreValidation from './checks/security/gitignore-validation.js'
-import * as routeConfigAlignment from './checks/security/route-config-alignment.js'
-import * as rlsLiveAudit from './checks/security/rls-live-audit.js'
 import * as rlsPolicyAudit from './checks/supabase/rls-policy-audit.js'
 import * as rpcParamMismatch from './checks/supabase/rpc-param-mismatch.js'
 import * as rpcGeneratorOrigin from './checks/supabase/rpc-generator-origin.js'
 import * as fileOrganization from './checks/hygiene/file-organization.js'
 import * as stellaCompliance from './checks/hygiene/stella-compliance.js'
 
-// Health checks (score-based) — wrapped as runner checks via adapter
-import { check as checkTests } from './checks/health/tests.js'
-import { check as checkEslintSecurity } from './checks/health/eslint-security.js'
-import { check as checkTypescriptStrict } from './checks/health/typescript-strict.js'
-import { check as checkCoverageThresholds } from './checks/health/coverage-thresholds.js'
-import { check as checkKnip } from './checks/health/knip.js'
-import { check as checkDependencyCruiser } from './checks/health/dependency-cruiser.js'
-import { check as checkDependencyAutomation } from './checks/health/dependency-automation.js'
-import { check as checkPrettier } from './checks/health/prettier.js'
-import { check as checkConventionalCommits } from './checks/health/conventional-commits.js'
-import { check as checkBundleSize } from './checks/health/bundle-size.js'
-import { check as checkSast } from './checks/health/sast.js'
-import { check as checkLicenseAudit } from './checks/health/license-audit.js'
-import { check as checkSecurityLayers } from './checks/health/security-layers.js'
-import { check as checkSmokeReadiness } from './checks/health/smoke-readiness.js'
-
-/**
- * Adapt a health check (score-based) to the runner format (meta + run).
- * A health check passes if it scores > 0 (has at least some infrastructure).
- */
-function adaptHealthCheck(id, name, severity, healthCheckFn) {
-  return {
-    meta: { id, name, severity },
-    async run(config, projectRoot) {
-      const result = await healthCheckFn(projectRoot)
-      const passed = result.score > 0
-      const findings = []
-
-      if (!passed && result.details?.message) {
-        findings.push({
-          file: 'project',
-          line: 0,
-          severity,
-          message: result.details.message
-        })
-      }
-
-      return {
-        passed,
-        findings,
-        summary: {
-          total: 1,
-          [severity]: passed ? 0 : 1,
-          score: result.score,
-          maxScore: result.maxScore
-        }
-      }
-    }
-  }
-}
-
 // Register all checks
 const ALL_CHECKS = {
   security: [
@@ -92,33 +35,13 @@ const ALL_CHECKS = {
     deprecatedSupabaseAdmin,
     directSupabaseClient,
     frontendSupabaseQueries,
-    tetraCoreCompliance,
-    mixedDbUsage,
-    rpcSecurityMode,
     systemdbWhitelist,
-    gitignoreValidation,
-    routeConfigAlignment,
-    rlsLiveAudit,          // Must run BEFORE config-rls-alignment (provides live DB data)
-    configRlsAlignment,    // Uses live DB data from rls-live-audit when available
+    gitignoreValidation
   ],
   stability: [
     huskyHooks,
     ciPipeline,
-    npmAudit,
-    adaptHealthCheck('tests', 'Test Infrastructure', 'high', checkTests),
-    adaptHealthCheck('eslint-security', 'ESLint Security Plugins', 'high', checkEslintSecurity),
-    adaptHealthCheck('typescript-strict', 'TypeScript Strictness', 'medium', checkTypescriptStrict),
-    adaptHealthCheck('coverage-thresholds', 'Test Coverage Thresholds', 'medium', checkCoverageThresholds),
-    adaptHealthCheck('knip', 'Dead Code Detection (Knip)', 'medium', checkKnip),
-    adaptHealthCheck('dependency-cruiser', 'Dependency Architecture', 'medium', checkDependencyCruiser),
-    adaptHealthCheck('dependency-automation', 'Dependency Updates (Dependabot/Renovate)', 'medium', checkDependencyAutomation),
-    adaptHealthCheck('prettier', 'Code Formatting (Prettier)', 'low', checkPrettier),
-    adaptHealthCheck('conventional-commits', 'Conventional Commits', 'low', checkConventionalCommits),
-    adaptHealthCheck('bundle-size', 'Bundle Size Monitoring', 'low', checkBundleSize),
-    adaptHealthCheck('sast', 'Static Application Security Testing', 'medium', checkSast),
-    adaptHealthCheck('license-audit', 'License Compliance', 'low', checkLicenseAudit),
-    adaptHealthCheck('security-layers', 'Security Layer Coverage', 'high', checkSecurityLayers),
-    adaptHealthCheck('smoke-readiness', 'Smoke Test Readiness', 'medium', checkSmokeReadiness)
+    npmAudit
   ],
   codeQuality: [
     apiResponseFormat,
@@ -164,10 +87,6 @@ export async function runAllChecks(options = {}) {
     }
   }
 
-  // Track rls-live-audit result across suites so migration-based RLS checks can be skipped.
-  // rls-live-audit runs in 'security' suite, rls-policy-audit runs in 'supabase' suite.
-  let rlsLiveData = null
-
   for (const suite of suites) {
     if (!config.suites[suite]) {
       continue
@@ -180,43 +99,11 @@ export async function runAllChecks(options = {}) {
     }
 
     for (const check of checks) {
-      let checkResult
-
-      // rls-policy-audit is pure migration parsing — skip when live DB is available
-      if (rlsLiveData && check.meta.id === 'rls-policy-audit') {
-        checkResult = {
-          id: check.meta.id,
-          name: `${check.meta.name} (skipped — live DB is source of truth)`,
-          severity: check.meta.severity,
-          passed: true,
-          skipped: true,
-          skipReason: 'Skipped: rls-live-audit succeeded — live DB is the source of truth for current RLS state.',
-          findings: [],
-          summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
-        }
-      }
-      // config-rls-alignment: always runs, but uses live DB data when available
-      else if (rlsLiveData && check.meta.id === 'config-rls-alignment') {
-        checkResult = {
-          id: check.meta.id,
-          name: `${check.meta.name} (live DB)`,
-          severity: check.meta.severity,
-          ...await check.run(config, projectRoot, { liveState: rlsLiveData.liveState })
-        }
-      }
-      else {
-        checkResult = {
-          id: check.meta.id,
-          name: check.meta.name,
-          severity: check.meta.severity,
-          ...await check.run(config, projectRoot)
-        }
-      }
-
-      // Capture live data from rls-live-audit for downstream checks
-      if (check.meta.id === 'rls-live-audit' && !checkResult.skipped && checkResult._liveData) {
-        rlsLiveData = checkResult._liveData
-        delete checkResult._liveData // Don't leak internal data into output
+      const checkResult = {
+        id: check.meta.id,
+        name: check.meta.name,
+        severity: check.meta.severity,
+        ...await check.run(config, projectRoot)
       }
 
       results.suites[suite].checks.push(checkResult)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.20.2",
+  "version": "2.0.0",
   "publishConfig": {
     "access": "restricted"
   },
@@ -29,12 +29,7 @@
     "tetra-init": "./bin/tetra-init.js",
     "tetra-setup": "./bin/tetra-setup.js",
     "tetra-dev-token": "./bin/tetra-dev-token.js",
-    "tetra-check-rls": "./bin/tetra-check-rls.js",
-    "tetra-migration-lint": "./bin/tetra-migration-lint.js",
-    "tetra-db-push": "./bin/tetra-db-push.js",
-    "tetra-check-peers": "./bin/tetra-check-peers.js",
-    "tetra-security-gate": "./bin/tetra-security-gate.js",
-    "tetra-smoke": "./bin/tetra-smoke.js"
+    "tetra-check-rls": "./bin/tetra-check-rls.js"
   },
   "files": [
     "bin/",

package/bin/tetra-check-peers.js

@@ -1,359 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Tetra Check Peers — Validate peer dependency compatibility across consumer projects
- *
- * Scans all known consumer projects and checks if their installed versions
- * are compatible with tetra packages' peerDependencies.
- *
- * Usage:
- *   tetra-check-peers                  # Check all consumers
- *   tetra-check-peers --fix            # Show npm commands to fix mismatches
- *   tetra-check-peers --strict         # Fail on any mismatch (for CI/prepublish)
- *   tetra-check-peers --json           # JSON output
- *
- * Add to prepublishOnly to catch breaking peer dep changes before publish.
- */
-
-import { readFileSync, existsSync } from 'fs'
-import { join, basename, dirname } from 'path'
-import { execSync } from 'child_process'
-
-// ─── Config ──────────────────────────────────────────────
-
-// Resolve paths dynamically:
-// 1. TETRA_PROJECTS_ROOT env var (explicit override)
-// 2. Detect from tetra repo: this script lives in tetra/packages/dev-toolkit/bin/
-//    so tetra root = 4 levels up, and projects root = 5 levels up (sibling dirs)
-// 3. Fallback: ~/projecten
-function resolveProjectsRoot() {
-  if (process.env.TETRA_PROJECTS_ROOT) return process.env.TETRA_PROJECTS_ROOT
-
-  // This file: <projects>/<tetra>/packages/dev-toolkit/bin/tetra-check-peers.js
-  const scriptDir = dirname(new URL(import.meta.url).pathname)
-  const tetraRoot = join(scriptDir, '..', '..', '..')  // → tetra/
-  const possibleProjectsRoot = join(tetraRoot, '..')     // → projects/
-
-  // Verify: does this directory contain a 'tetra' subdirectory?
-  if (existsSync(join(possibleProjectsRoot, 'tetra', 'packages'))) {
-    return possibleProjectsRoot
-  }
-
-  return join(process.env.HOME || '~', 'projecten')
-}
-
-const PROJECTS_ROOT = resolveProjectsRoot()
-const TETRA_ROOT = join(PROJECTS_ROOT, 'tetra', 'packages')
-
-// Tetra packages that have peerDependencies
-const TETRA_PACKAGES = ['core', 'ui', 'dev-toolkit', 'schemas']
-
-// ─── Helpers ─────────────────────────────────────────────
-
-function readJson(path) {
-  try {
-    return JSON.parse(readFileSync(path, 'utf-8'))
-  } catch {
-    return null
-  }
-}
-
-function satisfiesRange(installed, range) {
-  // Check if a consumer's dependency range can satisfy a peer dep range.
-  // Both `installed` and `range` can be semver ranges (^2.48.0, ^2.93.3, etc.)
-  // We check if the ranges CAN overlap — i.e., there exists a version that satisfies both.
-  if (!installed || !range) return false
-  if (range === '*' || installed === '*') return true
-
-  const cleanVersion = (v) => v.replace(/^[\^~>=<\s]+/, '').trim()
-  const parseVersion = (v) => {
-    const cleaned = cleanVersion(v)
-    const parts = cleaned.split('.').map(Number)
-    return { major: parts[0] || 0, minor: parts[1] || 0, patch: parts[2] || 0 }
-  }
-  const versionGte = (a, b) => {
-    if (a.major !== b.major) return a.major > b.major
-    if (a.minor !== b.minor) return a.minor > b.minor
-    return a.patch >= b.patch
-  }
-
-  // For || ranges, check each part independently
-  const rangeParts = range.split('||').map(p => p.trim())
-  const installedParts = installed.split('||').map(p => p.trim())
-
-  return rangeParts.some(rPart => {
-    return installedParts.some(iPart => {
-      return rangesOverlap(iPart, rPart, parseVersion, versionGte)
-    })
-  })
-}
-
-function rangesOverlap(installedRange, requiredRange, parseVersion, versionGte) {
-  const isCaret = (r) => r.startsWith('^')
-  const isTilde = (r) => r.startsWith('~')
-  const isGte = (r) => r.startsWith('>=')
-
-  const inst = parseVersion(installedRange)
-  const req = parseVersion(requiredRange)
-
-  // Both caret ranges with same major: they overlap if their ranges intersect
-  // ^2.48.0 allows 2.48.0 - 2.x.x, ^2.93.3 allows 2.93.3 - 2.x.x
-  // They overlap because ^2.48.0 includes 2.93.3
-  if ((isCaret(installedRange) || !installedRange.match(/^[\^~>=]/)) &&
-      (isCaret(requiredRange) || !requiredRange.match(/^[\^~>=]/))) {
-    // Same major = ranges can overlap
-    if (inst.major === req.major) {
-      // The higher minimum must be reachable from the lower range
-      // ^2.48.0 (allows up to <3.0.0) can reach 2.93.3 ✓
-      // ^3.0.0 cannot reach 2.93.3 ✗
-      return true // Same major with caret = always overlapping
-    }
-    // Different major with exact versions: only if equal
-    if (!isCaret(installedRange) && !isCaret(requiredRange)) {
-      return inst.major === req.major && inst.minor === req.minor && inst.patch === req.patch
-    }
-    return false
-  }
-
-  // >= range checks
-  if (isGte(requiredRange)) {
-    // Required >= X.Y.Z: consumer's range must be able to produce a version >= X.Y.Z
-    // ^9.0.0 can produce 9.0.0+ which is >= 8.0.0 ✓
-    // ^5.3.3 can produce 5.3.3+ which is >= 5.0.0 ✓
-    // The max version of consumer's caret range is <(major+1).0.0
-    // So: consumer max >= required min
-    const consumerMax = isCaret(installedRange) ? { major: inst.major + 1, minor: 0, patch: 0 } : inst
-    return versionGte(consumerMax, req)
-  }
-  if (isGte(installedRange)) {
-    // Consumer has >= X, required has ^Y.Z.W — any version >= X could satisfy ^Y if X <= Y
-    return true // >= is open-ended, always overlaps with bounded ranges
-  }
-
-  // Tilde: ~X.Y.Z allows X.Y.Z - X.Y+1.0
-  if (isTilde(installedRange) || isTilde(requiredRange)) {
-    if (inst.major !== req.major) return false
-    // Tilde ranges on same major.minor overlap
-    if (isTilde(installedRange) && isTilde(requiredRange)) {
-      return inst.minor === req.minor
-    }
-    // Tilde + caret: tilde range must include or be included in caret range
-    return inst.minor === req.minor || (isCaret(requiredRange) && inst.minor >= req.minor)
-  }
-
-  // Fallback: exact match
-  return inst.major === req.major && inst.minor === req.minor && inst.patch === req.patch
-}
-
-// ─── Discovery ───────────────────────────────────────────
-
-function discoverTetraPeerDeps() {
-  const result = {}
-
-  for (const pkg of TETRA_PACKAGES) {
-    const pkgJson = readJson(join(TETRA_ROOT, pkg, 'package.json'))
-    if (!pkgJson?.peerDependencies) continue
-
-    result[pkgJson.name] = {
-      version: pkgJson.version,
-      peerDependencies: pkgJson.peerDependencies,
-      peerDependenciesMeta: pkgJson.peerDependenciesMeta || {}
-    }
-  }
-
-  return result
-}
-
-function discoverConsumers() {
-  const consumers = []
-
-  try {
-    const dirs = execSync(`ls -d ${PROJECTS_ROOT}/*/`, { encoding: 'utf-8' })
-      .trim().split('\n').filter(Boolean)
-
-    for (const dir of dirs) {
-      const projectName = basename(dir.replace(/\/$/, ''))
-      if (projectName === 'tetra' || projectName.startsWith('.') || projectName.startsWith('_')) continue
-
-      // Check root, backend/, frontend/ package.json
-      const locations = [
-        { path: join(dir, 'package.json'), label: projectName },
-        { path: join(dir, 'backend', 'package.json'), label: `${projectName}/backend` },
-        { path: join(dir, 'frontend', 'package.json'), label: `${projectName}/frontend` },
-      ]
-
-      for (const loc of locations) {
-        const pkg = readJson(loc.path)
-        if (!pkg) continue
-
-        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
-
-        // Check if this package.json uses any tetra package
-        const usesTetra = Object.keys(allDeps).some(d => d.startsWith('@soulbatical/tetra-'))
-        if (!usesTetra) continue
-
-        consumers.push({
-          label: loc.label,
-          path: loc.path,
-          dependencies: allDeps,
-          tetraDeps: Object.fromEntries(
-            Object.entries(allDeps).filter(([k]) => k.startsWith('@soulbatical/tetra-'))
-          )
-        })
-      }
-    }
-  } catch {
-    // ignore discovery errors
-  }
-
-  return consumers
-}
-
-// ─── Check ───────────────────────────────────────────────
-
-function checkCompatibility(tetraPeers, consumers) {
-  const issues = []
-
-  for (const consumer of consumers) {
-    for (const [tetraPkg, tetraInfo] of Object.entries(tetraPeers)) {
-      // Does this consumer use this tetra package?
-      if (!consumer.tetraDeps[tetraPkg]) continue
-
-      // Check each peer dependency
-      for (const [peerDep, requiredRange] of Object.entries(tetraInfo.peerDependencies)) {
-        const isOptional = tetraInfo.peerDependenciesMeta[peerDep]?.optional
-        const installedVersion = consumer.dependencies[peerDep]
-
-        if (!installedVersion) {
-          if (!isOptional) {
-            issues.push({
-              consumer: consumer.label,
-              tetraPackage: tetraPkg,
-              dependency: peerDep,
-              required: requiredRange,
-              installed: 'MISSING',
-              severity: 'error',
-              fix: `npm install ${peerDep}@"${requiredRange}"`
-            })
-          }
-          continue
-        }
-
-        // Extract version from range (consumer might have "^2.93.3")
-        const cleanInstalled = installedVersion.replace(/^[\^~>=<\s]+/, '')
-
-        if (!satisfiesRange(cleanInstalled, requiredRange)) {
-          // Check if it's an exact pin vs range issue
-          const isExactPin = !requiredRange.startsWith('^') && !requiredRange.startsWith('~') && !requiredRange.startsWith('>')
-          const severity = isExactPin ? 'warning' : 'error'
-
-          issues.push({
-            consumer: consumer.label,
-            tetraPackage: tetraPkg,
-            dependency: peerDep,
-            required: requiredRange,
-            installed: installedVersion,
-            severity,
-            isExactPin,
-            fix: `npm install ${peerDep}@"${requiredRange}"`,
-            suggestion: isExactPin
-              ? `Consider using "^${requiredRange}" in ${tetraPkg} peerDependencies for flexibility`
-              : null
-          })
-        }
-      }
-    }
-  }
-
-  return issues
-}
-
-// ─── Output ──────────────────────────────────────────────
-
-function formatTerminal(issues, consumers, tetraPeers, options) {
-  const lines = []
-
-  lines.push('')
-  lines.push('═══════════════════════════════════════════════════════════════')
-  lines.push('  🔗 Tetra Check Peers — Peer Dependency Compatibility')
-  lines.push('═══════════════════════════════════════════════════════════════')
-  lines.push('')
-
-  // Summary
-  const tetraPackages = Object.entries(tetraPeers)
-    .map(([name, info]) => `${name}@${info.version}`)
-    .join(', ')
-  lines.push(`  Tetra packages: ${tetraPackages}`)
-  lines.push(`  Consumers found: ${consumers.length}`)
-  lines.push(`  Issues found: ${issues.length}`)
-  lines.push('')
-
-  if (issues.length === 0) {
-    lines.push('  ✅ All consumer projects are compatible with current peer dependencies')
-    lines.push('')
-    lines.push('═══════════════════════════════════════════════════════════════')
-    return lines.join('\n')
-  }
-
-  // Group by consumer
-  const byConsumer = {}
-  for (const issue of issues) {
-    if (!byConsumer[issue.consumer]) byConsumer[issue.consumer] = []
-    byConsumer[issue.consumer].push(issue)
-  }
-
-  for (const [consumer, consumerIssues] of Object.entries(byConsumer)) {
-    lines.push(`  📦 ${consumer}`)
-    for (const issue of consumerIssues) {
-      const icon = issue.severity === 'error' ? '❌' : '⚠️'
-      lines.push(`     ${icon} ${issue.dependency}: installed ${issue.installed}, needs ${issue.required}`)
-      if (issue.suggestion) {
-        lines.push(`        💡 ${issue.suggestion}`)
-      }
-      if (options.fix) {
-        lines.push(`        → ${issue.fix}`)
-      }
-    }
-    lines.push('')
-  }
-
-  // Exact pin warnings
-  const exactPins = issues.filter(i => i.isExactPin)
-  if (exactPins.length > 0) {
-    const uniquePins = [...new Set(exactPins.map(i => `${i.dependency} (${i.required} in ${i.tetraPackage})`))]
-    lines.push('  💡 EXACT VERSION PINS detected — these cause most compatibility issues:')
-    for (const pin of uniquePins) {
-      lines.push(`     → ${pin}`)
-    }
-    lines.push('     Consider using "^x.y.z" ranges instead of exact versions in peerDependencies')
-    lines.push('')
-  }
-
-  lines.push('═══════════════════════════════════════════════════════════════')
-  return lines.join('\n')
-}
-
-// ─── Main ────────────────────────────────────────────────
-
-const args = process.argv.slice(2)
-const options = {
-  fix: args.includes('--fix'),
-  strict: args.includes('--strict'),
-  json: args.includes('--json'),
-}
-
-const tetraPeers = discoverTetraPeerDeps()
-const consumers = discoverConsumers()
-const issues = checkCompatibility(tetraPeers, consumers)
-
-if (options.json) {
-  console.log(JSON.stringify({ tetraPeers, consumers: consumers.map(c => c.label), issues }, null, 2))
-} else {
-  console.log(formatTerminal(issues, consumers, tetraPeers, options))
-}
-
-// Exit code
-const errors = issues.filter(i => i.severity === 'error')
-if (options.strict && errors.length > 0) {
-  process.exit(1)
-}

package/bin/tetra-db-push.js

@@ -1,91 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Tetra DB Push — Safe wrapper around `supabase db push`
- *
- * Runs tetra-migration-lint FIRST. If any CRITICAL or HIGH issues
- * are found, the push is BLOCKED. No exceptions.
- *
- * Usage:
- *   tetra-db-push                    # Lint + push
- *   tetra-db-push --force            # Skip lint (DANGEROUS — requires explicit flag)
- *   tetra-db-push --dry-run          # Lint only, don't push
- *   tetra-db-push -- --linked        # Pass flags to supabase db push
- *
- * Replace in your workflow:
- *   BEFORE: supabase db push
- *   AFTER:  tetra-db-push
- *
- * Or add alias: alias supabase-push='tetra-db-push'
- */
-
-import { execSync, spawnSync } from 'child_process'
-import chalk from 'chalk'
-import { resolve } from 'path'
-
-const args = process.argv.slice(2)
-const force = args.includes('--force')
-const dryRun = args.includes('--dry-run')
-const supabaseArgs = args.filter(a => a !== '--force' && a !== '--dry-run')
-
-const projectRoot = resolve(process.cwd())
-
-// ─── Step 1: Migration Lint ────────────────────────────────────────
-console.log('')
-console.log(chalk.bold('  🔒 Tetra DB Push — Security Gate'))
-console.log('')
-
-if (force) {
-  console.log(chalk.red.bold('  ⚠️  --force flag: SKIPPING security lint'))
-  console.log(chalk.red('  You are pushing migrations WITHOUT security validation.'))
-  console.log('')
-} else {
-  console.log(chalk.gray('  Step 1: Running migration lint...'))
-  console.log('')
-
-  const lintResult = spawnSync('node', [
-    resolve(import.meta.dirname, 'tetra-migration-lint.js'),
-    '--project', projectRoot
-  ], {
-    cwd: projectRoot,
-    stdio: 'inherit',
-    env: process.env
-  })
-
-  if (lintResult.status !== 0) {
-    console.log('')
-    console.log(chalk.red.bold('  ❌ Migration lint FAILED — push blocked'))
-    console.log(chalk.gray('  Fix the issues above, then run tetra-db-push again.'))
-    console.log('')
-    process.exit(1)
-  }
-
-  console.log(chalk.green('  ✅ Migration lint passed'))
-  console.log('')
-}
-
-// ─── Step 2: Supabase DB Push ──────────────────────────────────────
-if (dryRun) {
-  console.log(chalk.gray('  --dry-run: skipping actual push'))
-  console.log('')
-  process.exit(0)
-}
-
-console.log(chalk.gray('  Step 2: Running supabase db push...'))
-console.log('')
-
-const pushResult = spawnSync('npx', ['supabase', 'db', 'push', ...supabaseArgs], {
-  cwd: projectRoot,
-  stdio: 'inherit',
-  env: process.env
-})
-
-if (pushResult.status !== 0) {
-  console.log('')
-  console.log(chalk.red('  ❌ supabase db push failed'))
-  process.exit(pushResult.status || 1)
-}
-
-console.log('')
-console.log(chalk.green.bold('  ✅ Migrations pushed successfully (security validated)'))
-console.log('')