@wpmoo/toolkit 0.9.25 → 0.9.27

package/dist/doctor.js

@@ -5,6 +5,7 @@ import { detectComposeLayout, readEnvFile, selectedComposeEnvironment } from './
 import { dailyActionScripts } from './daily-actions.js';
 import { defaultPostgresVersion } from './external-templates.js';
 import { defaultOdooVersion, markerPath, replaceSourceRepos } from './environment.js';
+import { POSTGRES_DIAGNOSTICS_CONTRACT_VERSION, POSTGRES_DIAGNOSTICS_QUERY, malformedPostgresDiagnosticKeys, missingPostgresDiagnosticKeys, parsePostgresDiagnostics, postgresPostgresWarnings, renderPostgresDiagnostics, structuredPostgresDiagnostics, unavailablePostgresDiagnosticsWarning, } from './postgres-diagnostics.js';
 import { listGitmoduleSources, readSourceManifest, sourceReposFromManifest, sourceManifestPath, syncManifestFromMetadataAndGitmodules, writeSourceManifest, } from './source-manifest.js';
 const realCommandRunner = async (command, args, options) => {
     const result = await execa(command, args, { cwd: options.cwd });
@@ -46,128 +47,6 @@ function isMetadataError(message) {
         message.startsWith('Invalid sourceRepos entry in .wpmoo/odoo.json'));
 }
 const incompatiblePostgres18MountTargets = ['/var/lib/postgresql/data', '/var/lib/postgresql/18/docker'];
-const postgresDiagnosticQuery = `
-WITH metrics(metric, value) AS (
-  SELECT 'database_count', count(*)::text
-    FROM pg_database
-    WHERE datistemplate = false
-  UNION ALL
-  SELECT 'active_connections', count(*)::text
-    FROM pg_stat_activity
-    WHERE datname IS NOT NULL
-      AND state = 'active'
-  UNION ALL
-  SELECT 'connection_count', count(*)::text
-    FROM pg_stat_activity
-    WHERE datname IS NOT NULL
-  UNION ALL
-  SELECT 'max_connections', COALESCE(
-    (SELECT setting FROM pg_settings WHERE name = 'max_connections'),
-    'unavailable'
-  )
-  UNION ALL
-  SELECT 'total_database_size_bytes', COALESCE(sum(pg_database_size(datname)), 0)::text
-    FROM pg_database
-    WHERE datistemplate = false
-  UNION ALL
-  SELECT 'largest_database_name', COALESCE(
-    (
-      SELECT datname
-      FROM pg_database
-      WHERE datistemplate = false
-      ORDER BY pg_database_size(datname) DESC, datname
-      LIMIT 1
-    ),
-    'unavailable'
-  )
-  UNION ALL
-  SELECT 'largest_database_size_bytes', COALESCE(
-    (
-      SELECT pg_database_size(datname)::text
-      FROM pg_database
-      WHERE datistemplate = false
-      ORDER BY pg_database_size(datname) DESC, datname
-      LIMIT 1
-    ),
-    '0'
-  )
-  UNION ALL
-  SELECT 'slow_query_logging', COALESCE(
-    (SELECT setting || unit FROM pg_settings WHERE name = 'log_min_duration_statement'),
-    'unavailable'
-  )
-  UNION ALL
-  SELECT 'pg_stat_statements',
-    CASE
-      WHEN EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_stat_statements') THEN 'installed'
-      WHEN EXISTS (SELECT 1 FROM pg_available_extensions WHERE name = 'pg_stat_statements') THEN 'available'
-      ELSE 'unavailable'
-    END
-  UNION ALL
-  SELECT 'pg_stat_statements_available_version', COALESCE(
-    (SELECT default_version FROM pg_available_extensions WHERE name = 'pg_stat_statements'),
-    'unavailable'
-  )
-  UNION ALL
-  SELECT 'pg_stat_statements_installed_version', COALESCE(
-    (SELECT extversion FROM pg_extension WHERE extname = 'pg_stat_statements'),
-    ''
-  )
-  UNION ALL
-  SELECT 'shared_preload_libraries', COALESCE(
-    (SELECT setting FROM pg_settings WHERE name = 'shared_preload_libraries'),
-    'unavailable'
-  )
-  UNION ALL
-  SELECT 'shared_buffers', COALESCE(
-    (SELECT setting FROM pg_settings WHERE name = 'shared_buffers'),
-    'unavailable'
-  )
-)
-SELECT metric || '|' || value
-FROM metrics
-ORDER BY CASE metric
-  WHEN 'database_count' THEN 1
-  WHEN 'active_connections' THEN 2
-  WHEN 'connection_count' THEN 3
-  WHEN 'max_connections' THEN 4
-  WHEN 'total_database_size_bytes' THEN 5
-  WHEN 'largest_database_name' THEN 6
-  WHEN 'largest_database_size_bytes' THEN 7
-  WHEN 'slow_query_logging' THEN 8
-  WHEN 'pg_stat_statements' THEN 9
-  WHEN 'pg_stat_statements_available_version' THEN 10
-  WHEN 'pg_stat_statements_installed_version' THEN 11
-  WHEN 'shared_preload_libraries' THEN 12
-  WHEN 'shared_buffers' THEN 13
-  ELSE 99
-END;
-`.trim();
-const postgresDiagnosticKeys = [
-    'database_count',
-    'active_connections',
-    'connection_count',
-    'max_connections',
-    'total_database_size_bytes',
-    'largest_database_name',
-    'largest_database_size_bytes',
-    'slow_query_logging',
-    'pg_stat_statements',
-    'pg_stat_statements_available_version',
-    'pg_stat_statements_installed_version',
-    'shared_preload_libraries',
-    'shared_buffers',
-];
-const requiredPostgresDiagnosticKeys = [
-    'database_count',
-    'active_connections',
-    'connection_count',
-    'max_connections',
-    'total_database_size_bytes',
-    'slow_query_logging',
-    'pg_stat_statements',
-    'shared_buffers',
-];
 function parsePostgresMajorFromValue(value) {
     if (!value)
         return undefined;
@@ -178,139 +57,8 @@ function parsePostgresMajorFromValue(value) {
     const match = trimmed.match(/postgres:([0-9]{1,3})(?:[-._][A-Za-z0-9._-]+)?(?:@[\w:.-]+)?/i);
     return match?.[1];
 }
-function parsePostgresDiagnostics(output) {
-    const diagnostics = {};
-    const allowedKeys = new Set(postgresDiagnosticKeys);
-    for (const rawLine of output.split(/\r?\n/u)) {
-        const line = rawLine.trim();
-        if (!line)
-            continue;
-        const separatorIndex = line.indexOf('|');
-        if (separatorIndex === -1)
-            continue;
-        const key = line.slice(0, separatorIndex).trim();
-        const value = line.slice(separatorIndex + 1).trim();
-        if (allowedKeys.has(key) && value) {
-            diagnostics[key] = value;
-        }
-    }
-    return diagnostics;
-}
-function renderPostgresDiagnostics(diagnostics) {
-    const connectionUtilizationPct = postgresConnectionUtilizationPct(diagnostics);
-    const parts = postgresDiagnosticKeys.flatMap((key) => {
-        const value = diagnostics[key];
-        const rendered = value ? [`${key}=${value}`] : [];
-        if (key === 'max_connections' && connectionUtilizationPct !== undefined) {
-            rendered.push(`connection_utilization_pct=${connectionUtilizationPct}`);
-        }
-        return rendered;
-    });
-    return parts.length > 0 ? `OK PostgreSQL diagnostics ${parts.join(' ')}` : undefined;
-}
-function missingPostgresDiagnosticKeys(diagnostics) {
-    return requiredPostgresDiagnosticKeys.filter((key) => !diagnostics[key]);
-}
-function unavailablePostgresDiagnosticsWarning(diagnostics, missingKeys) {
-    return Object.keys(diagnostics).length === 0
-        ? 'no diagnostic rows returned'
-        : `incomplete diagnostic rows: missing ${missingKeys.join(', ')}`;
-}
-function integerDiagnostic(value) {
-    if (!value || !/^\d+$/u.test(value)) {
-        return undefined;
-    }
-    return Number.parseInt(value, 10);
-}
-function malformedPostgresDiagnosticKeys(diagnostics) {
-    const numericKeys = [
-        'database_count',
-        'active_connections',
-        'connection_count',
-        'max_connections',
-        'total_database_size_bytes',
-        'largest_database_size_bytes',
-    ];
-    return numericKeys.filter((key) => diagnostics[key] !== undefined && integerDiagnostic(diagnostics[key]) === undefined);
-}
-function postgresConnectionUtilizationPct(diagnostics) {
-    const connectionCount = integerDiagnostic(diagnostics.connection_count);
-    const maxConnections = integerDiagnostic(diagnostics.max_connections);
-    if (connectionCount === undefined || maxConnections === undefined || maxConnections <= 0) {
-        return undefined;
-    }
-    return Math.round((connectionCount / maxConnections) * 100);
-}
-function postgresConnectionUtilizationWarning(diagnostics) {
-    const connectionCount = integerDiagnostic(diagnostics.connection_count);
-    const maxConnections = integerDiagnostic(diagnostics.max_connections);
-    const utilizationPct = postgresConnectionUtilizationPct(diagnostics);
-    if (connectionCount === undefined ||
-        maxConnections === undefined ||
-        utilizationPct === undefined ||
-        utilizationPct < 80) {
-        return undefined;
-    }
-    return `PostgreSQL connection utilization is high: ${utilizationPct}% of max_connections used (${connectionCount}/${maxConnections}).`;
-}
-function postgresSlowQueryLoggingWarning(diagnostics) {
-    const slowQueryLogging = diagnostics.slow_query_logging?.trim();
-    if (!slowQueryLogging || (!/^-1\s*(?:ms)?$/iu.test(slowQueryLogging) && !/^off$/iu.test(slowQueryLogging))) {
-        return undefined;
-    }
-    return `PostgreSQL slow-query logging is disabled (log_min_duration_statement=${slowQueryLogging}). Enable it before performance triage.`;
-}
-function postgresExtensionVisibilityWarning(diagnostics) {
-    if (diagnostics.pg_stat_statements === 'available' &&
-        diagnostics.pg_stat_statements_available_version &&
-        !diagnostics.pg_stat_statements_installed_version) {
-        return 'PostgreSQL pg_stat_statements is available but not installed. Install it before query-level performance triage.';
-    }
-    return undefined;
-}
-function structuredPostgresDiagnostics(diagnostics) {
-    const structured = {};
-    const databaseCount = integerDiagnostic(diagnostics.database_count);
-    const activeConnections = integerDiagnostic(diagnostics.active_connections);
-    const connectionCount = integerDiagnostic(diagnostics.connection_count);
-    const maxConnections = integerDiagnostic(diagnostics.max_connections);
-    const connectionUtilizationPct = postgresConnectionUtilizationPct(diagnostics);
-    const totalDatabaseSizeBytes = integerDiagnostic(diagnostics.total_database_size_bytes);
-    const largestDatabaseSizeBytes = integerDiagnostic(diagnostics.largest_database_size_bytes);
-    if (databaseCount !== undefined)
-        structured.databaseCount = databaseCount;
-    if (activeConnections !== undefined)
-        structured.activeConnections = activeConnections;
-    if (connectionCount !== undefined)
-        structured.connectionCount = connectionCount;
-    if (maxConnections !== undefined)
-        structured.maxConnections = maxConnections;
-    if (connectionUtilizationPct !== undefined)
-        structured.connectionUtilizationPct = connectionUtilizationPct;
-    if (totalDatabaseSizeBytes !== undefined)
-        structured.totalDatabaseSizeBytes = totalDatabaseSizeBytes;
-    if (diagnostics.largest_database_name)
-        structured.largestDatabaseName = diagnostics.largest_database_name;
-    if (largestDatabaseSizeBytes !== undefined)
-        structured.largestDatabaseSizeBytes = largestDatabaseSizeBytes;
-    if (diagnostics.slow_query_logging)
-        structured.slowQueryLogging = diagnostics.slow_query_logging;
-    if (diagnostics.pg_stat_statements)
-        structured.pgStatStatements = diagnostics.pg_stat_statements;
-    if (diagnostics.pg_stat_statements_available_version) {
-        structured.pgStatStatementsAvailableVersion = diagnostics.pg_stat_statements_available_version;
-    }
-    if (diagnostics.pg_stat_statements_installed_version) {
-        structured.pgStatStatementsInstalledVersion = diagnostics.pg_stat_statements_installed_version;
-    }
-    if (diagnostics.shared_preload_libraries)
-        structured.sharedPreloadLibraries = diagnostics.shared_preload_libraries;
-    if (diagnostics.shared_buffers)
-        structured.sharedBuffers = diagnostics.shared_buffers;
-    return structured;
-}
 async function readPostgresDiagnostics(target, runner) {
-    const queryLiteral = JSON.stringify(postgresDiagnosticQuery);
+    const queryLiteral = JSON.stringify(POSTGRES_DIAGNOSTICS_QUERY);
     const command = [
         `query=${queryLiteral}`,
         '. ./scripts/lib.sh >/dev/null',
@@ -716,21 +464,11 @@ export async function getDoctorReport(target = process.cwd(), runnerOrOptions =
                 }
                 report.postgres = {
                     requested: true,
+                    contractVersion: POSTGRES_DIAGNOSTICS_CONTRACT_VERSION,
                     available: true,
                     diagnostics: structuredPostgresDiagnostics(postgresDiagnostics),
                 };
-                const connectionUtilizationWarning = postgresConnectionUtilizationWarning(postgresDiagnostics);
-                if (connectionUtilizationWarning) {
-                    warnings.push(connectionUtilizationWarning);
-                }
-                const slowQueryLoggingWarning = postgresSlowQueryLoggingWarning(postgresDiagnostics);
-                if (slowQueryLoggingWarning) {
-                    warnings.push(slowQueryLoggingWarning);
-                }
-                const extensionVisibilityWarning = postgresExtensionVisibilityWarning(postgresDiagnostics);
-                if (extensionVisibilityWarning) {
-                    warnings.push(extensionVisibilityWarning);
-                }
+                warnings.push(...postgresPostgresWarnings(postgresDiagnostics));
             }
             else {
                 const warning = malformedKeys.length > 0
@@ -739,6 +477,7 @@ export async function getDoctorReport(target = process.cwd(), runnerOrOptions =
                 warnings.push(`PostgreSQL diagnostics unavailable: ${warning}`);
                 report.postgres = {
                     requested: true,
+                    contractVersion: POSTGRES_DIAGNOSTICS_CONTRACT_VERSION,
                     available: false,
                     diagnostics: structuredPostgresDiagnostics(postgresDiagnostics),
                     warning,
@@ -750,6 +489,7 @@ export async function getDoctorReport(target = process.cwd(), runnerOrOptions =
             warnings.push(`PostgreSQL diagnostics unavailable: ${warning}`);
             report.postgres = {
                 requested: true,
+                contractVersion: POSTGRES_DIAGNOSTICS_CONTRACT_VERSION,
                 available: false,
                 diagnostics: {},
                 warning,

package/dist/environment-policy.js

@@ -0,0 +1,219 @@
+export const dailyActionPolicyCommands = [
+    'start',
+    'stop',
+    'logs',
+    'restart',
+    'shell',
+    'psql',
+    'install',
+    'update',
+    'test',
+    'resetdb',
+    'snapshot',
+    'restore-snapshot',
+    'lint',
+    'pot',
+];
+function normalizeFlag(value) {
+    return value?.trim() ?? '';
+}
+function parseFlag(value) {
+    return normalizeFlag(value) === '1';
+}
+export const dailyActionPolicyTable = {
+    start: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    stop: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    logs: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    restart: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    shell: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    psql: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    install: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: true,
+        requiresProdLifecycleApproval: true,
+        isAuditWorthy: () => true,
+    },
+    update: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: true,
+        requiresProdLifecycleApproval: true,
+        isAuditWorthy: () => true,
+    },
+    test: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: true,
+        isAuditWorthy: () => true,
+    },
+    resetdb: {
+        isDestructive: () => true,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => true,
+    },
+    snapshot: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    'restore-snapshot': {
+        isDestructive: (args) => args[0] !== '--dry-run',
+        isDryRunAllowed: true,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: (args) => args[0] !== '--dry-run',
+    },
+    lint: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+    pot: {
+        isDestructive: () => false,
+        isDryRunAllowed: false,
+        requiresStageLifecycleApproval: false,
+        requiresProdLifecycleApproval: false,
+        isAuditWorthy: () => false,
+    },
+};
+export function parseEnvironmentKind(rawEnvName) {
+    const normalized = rawEnvName?.trim().toLowerCase();
+    if (normalized === 'stage' || normalized === 'prod') {
+        return normalized;
+    }
+    return 'dev';
+}
+export function isDailyActionPolicyCommand(value) {
+    return dailyActionPolicyCommands.includes(value);
+}
+export function isRestoreSnapshotDryRun(args) {
+    return args[0] === '--dry-run';
+}
+function denyMessage(kind, command, env) {
+    if (kind === 'destructive') {
+        return `Refusing destructive command '${command}' in WPMOO_ENV=${env}. Set WPMOO_ALLOW_DESTRUCTIVE=1 to run it intentionally.`;
+    }
+    if (kind === 'stage-lifecycle') {
+        return `Refusing stage lifecycle command '${command}' in WPMOO_ENV=stage. Set WPMOO_ALLOW_STAGE_LIFECYCLE=1 to run it intentionally.`;
+    }
+    return `Refusing production lifecycle command '${command}' in WPMOO_ENV=prod. Set WPMOO_ALLOW_PROD_LIFECYCLE=1 to run it intentionally.`;
+}
+export function renderPolicyDenyMessage(deny) {
+    return denyMessage(deny.kind, deny.command, deny.env);
+}
+export function evaluateDailyActionPolicy(command, args, flags) {
+    const env = parseEnvironmentKind(flags.envName);
+    const policy = dailyActionPolicyTable[command];
+    const isDestructive = policy.isDestructive(args);
+    const isDryRunPreview = command === 'restore-snapshot' && isRestoreSnapshotDryRun(args);
+    const isAuditWorthy = policy.isAuditWorthy(args);
+    if (policy.requiresStageLifecycleApproval && env === 'stage' && !parseFlag(flags.allowStageLifecycle)) {
+        const deny = {
+            kind: 'stage-lifecycle',
+            command,
+            env,
+            requiredFlag: 'WPMOO_ALLOW_STAGE_LIFECYCLE',
+            requiredValue: '1',
+        };
+        return {
+            allowed: false,
+            command,
+            env,
+            isDestructive,
+            isDryRunPreview,
+            isAuditWorthy,
+            deny,
+            message: renderPolicyDenyMessage(deny),
+        };
+    }
+    if (policy.requiresProdLifecycleApproval && env === 'prod' && !parseFlag(flags.allowProdLifecycle)) {
+        const deny = {
+            kind: 'prod-lifecycle',
+            command,
+            env,
+            requiredFlag: 'WPMOO_ALLOW_PROD_LIFECYCLE',
+            requiredValue: '1',
+        };
+        return {
+            allowed: false,
+            command,
+            env,
+            isDestructive,
+            isDryRunPreview,
+            isAuditWorthy,
+            deny,
+            message: renderPolicyDenyMessage(deny),
+        };
+    }
+    if (isDestructive && (env === 'stage' || env === 'prod') && !parseFlag(flags.allowDestructive)) {
+        const deny = {
+            kind: 'destructive',
+            command,
+            env,
+            requiredFlag: 'WPMOO_ALLOW_DESTRUCTIVE',
+            requiredValue: '1',
+        };
+        return {
+            allowed: false,
+            command,
+            env,
+            isDestructive,
+            isDryRunPreview,
+            isAuditWorthy,
+            deny,
+            message: renderPolicyDenyMessage(deny),
+        };
+    }
+    return {
+        allowed: true,
+        command,
+        env,
+        isDestructive,
+        isDryRunPreview,
+        isAuditWorthy,
+    };
+}

package/dist/migrations.js

@@ -0,0 +1,112 @@
+import { lstat, readdir } from 'node:fs/promises';
+import { resolve, join } from 'node:path';
+const sourceRepoTypes = ['private', 'oca', 'external'];
+const sourceRepoBase = ['odoo', 'custom', 'src'];
+const migrationFolders = ['migrations', 'migration'];
+const versionedMigrationFiles = ['pre-migration.py', 'post-migration.py', 'end-migration.py'];
+const scriptMigrationFiles = ['migrate.py', 'migration.py'];
+async function isDirectory(path) {
+    try {
+        const entry = await lstat(path);
+        return entry.isDirectory() && !entry.isSymbolicLink();
+    }
+    catch (error) {
+        if (error.code === 'ENOENT' || error.code === 'ENOTDIR') {
+            return false;
+        }
+        throw error;
+    }
+}
+async function isFile(path) {
+    try {
+        const entry = await lstat(path);
+        return entry.isFile() && !entry.isSymbolicLink();
+    }
+    catch (error) {
+        if (error.code === 'ENOENT' || error.code === 'ENOTDIR') {
+            return false;
+        }
+        throw error;
+    }
+}
+async function listDirectoryNames(path) {
+    try {
+        const entries = await readdir(path, { withFileTypes: true });
+        const filtered = entries.filter((entry) => entry.isDirectory() && !entry.isSymbolicLink() && !entry.name.startsWith('.'));
+        return filtered.map((entry) => entry.name).sort();
+    }
+    catch (error) {
+        if (error.code === 'ENOENT' || error.code === 'ENOTDIR') {
+            return [];
+        }
+        throw error;
+    }
+}
+async function listMigrationFiles(modulePath, migrationFolder) {
+    const found = [];
+    const versionRoot = join(modulePath, migrationFolder);
+    if (!(await isDirectory(versionRoot))) {
+        return found;
+    }
+    const versions = await listDirectoryNames(versionRoot);
+    for (const version of versions) {
+        const versionPath = join(versionRoot, version);
+        if (!(await isDirectory(versionPath))) {
+            continue;
+        }
+        for (const file of versionedMigrationFiles) {
+            const path = join(versionPath, file);
+            if (await isFile(path)) {
+                found.push(path);
+            }
+        }
+    }
+    return found;
+}
+async function scanModule(modulePath) {
+    const found = [];
+    for (const folder of migrationFolders) {
+        found.push(...(await listMigrationFiles(modulePath, folder)));
+    }
+    const scriptsPath = join(modulePath, 'scripts');
+    if (!(await isDirectory(scriptsPath))) {
+        return found.sort();
+    }
+    for (const migrationScript of scriptMigrationFiles) {
+        const candidate = join(scriptsPath, migrationScript);
+        if (await isFile(candidate)) {
+            found.push(candidate);
+        }
+    }
+    return found;
+}
+export async function scanMigrationRisks(target) {
+    const root = resolve(target);
+    const foundPaths = [];
+    const srcRoot = join(root, ...sourceRepoBase);
+    for (const sourceType of sourceRepoTypes) {
+        const typeRoot = join(srcRoot, sourceType);
+        if (!(await isDirectory(typeRoot))) {
+            continue;
+        }
+        const repoNames = await listDirectoryNames(typeRoot);
+        for (const repoName of repoNames) {
+            const repoPath = join(typeRoot, repoName);
+            if (!(await isDirectory(repoPath))) {
+                continue;
+            }
+            const moduleNames = await listDirectoryNames(repoPath);
+            for (const moduleName of moduleNames) {
+                const modulePath = join(repoPath, moduleName);
+                const modulePaths = await scanModule(modulePath);
+                foundPaths.push(...modulePaths);
+            }
+        }
+    }
+    foundPaths.sort();
+    return {
+        foundPaths,
+        count: foundPaths.length,
+        risk: foundPaths.length > 0,
+    };
+}