@wpmoo/toolkit 0.9.25 → 0.9.27

package/dist/templates.js

@@ -601,6 +601,62 @@ allow_stage_lifecycle() {
   [[ "$value" == "1" ]]
 }
 
+allow_no_recent_snapshot() {
+  local value="\${WPMOO_ALLOW_NO_RECENT_SNAPSHOT:-$(env_file_value WPMOO_ALLOW_NO_RECENT_SNAPSHOT)}"
+  [[ "$value" == "1" ]]
+}
+
+allow_migrations() {
+  local value="\${WPMOO_ALLOW_MIGRATIONS:-$(env_file_value WPMOO_ALLOW_MIGRATIONS)}"
+  [[ "$value" == "1" ]]
+}
+
+has_recent_snapshot() {
+  local dir
+  for dir in backups backup snapshots; do
+    [[ -d "$dir" ]] || continue
+    if find "$dir" -type f \\( -name "*.dump" -o -name "*.sql" -o -name "*.sql.gz" -o -name "*.zip" -o -name "*.tar" -o -name "*.tar.gz" \\) -mtime -1 -print -quit 2>/dev/null | grep -q .; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+require_recent_snapshot_or_override() {
+  local command="$1"
+  local env_name
+  env_name="$(selected_env)"
+  if [[ "$env_name" == "stage" || "$env_name" == "prod" ]]; then
+    if ! allow_no_recent_snapshot && ! has_recent_snapshot; then
+      echo "Refusing destructive command '$command' in WPMOO_ENV=$env_name without a recent database snapshot. Create a snapshot first or set WPMOO_ALLOW_NO_RECENT_SNAPSHOT=1 to run it intentionally." >&2
+      exit 1
+    fi
+  fi
+}
+
+has_migration_risk() {
+  local base
+  for base in odoo/custom/src/private odoo/custom/src/oca odoo/custom/src/external; do
+    [[ -d "$base" ]] || continue
+    if find "$base" -type f \\( -path "*/migrations/*/pre-migration.py" -o -path "*/migrations/*/post-migration.py" -o -path "*/migrations/*/end-migration.py" -o -path "*/migration/*/pre-migration.py" -o -path "*/migration/*/post-migration.py" -o -path "*/migration/*/end-migration.py" -o -path "*/scripts/migrate.py" -o -path "*/scripts/migration.py" \\) -print -quit 2>/dev/null | grep -q .; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+require_migrations_allowed() {
+  local command="$1"
+  local env_name
+  env_name="$(selected_env)"
+  if [[ "$env_name" == "stage" || "$env_name" == "prod" ]]; then
+    if ! allow_migrations && has_migration_risk; then
+      echo "Refusing migration-risk command '$command' in WPMOO_ENV=$env_name. Review detected migration scripts or set WPMOO_ALLOW_MIGRATIONS=1 to run it intentionally." >&2
+      exit 1
+    fi
+  fi
+}
+
 require_stage_lifecycle_allowed() {
   local command="$1"
   local env_name
@@ -712,6 +768,7 @@ case "$command" in
     require_module_args "$command" "$@"
     require_stage_lifecycle_allowed "$command"
     require_prod_lifecycle_allowed "$command"
+    require_migrations_allowed "$command"
     run_script ./scripts/install.sh "$@"
     ;;
   "update")
@@ -719,18 +776,21 @@ case "$command" in
     require_module_args "$command" "$@"
     require_stage_lifecycle_allowed "$command"
     require_prod_lifecycle_allowed "$command"
+    require_migrations_allowed "$command"
     run_script ./scripts/update.sh "$@"
     ;;
   "test")
     shift
     validate_test_args "$@"
     require_prod_lifecycle_allowed "$command"
+    require_migrations_allowed "$command"
     run_script ./scripts/test.sh "$@"
     ;;
   "resetdb")
     shift
     positional_args "$command" 0 2 "$@"
     require_destructive_allowed "$command"
+    require_recent_snapshot_or_override "$command"
     run_script ./scripts/resetdb.sh "$@"
     ;;
   "snapshot")
@@ -749,6 +809,7 @@ case "$command" in
     restore_args+=("$@")
     if [[ "\${restore_args[0]:-}" != "--dry-run" ]]; then
       require_destructive_allowed "$command"
+      require_recent_snapshot_or_override "$command"
     fi
     run_script ./scripts/restore-snapshot.sh "\${restore_args[@]}"
     ;;

package/docs/generated-environment-verification.md

@@ -23,7 +23,7 @@ not validate staging or production deployments.
 | Doctor checks | Metadata, compose files, scripts, source repo paths, and local tooling checks behave as expected. | `npx @wpmoo/toolkit doctor` or `./moo doctor` |
 | Doctor safe fixes | Safe file-level fixes are applied only with `--fix`, then doctor runs again and reports any remaining manual issues. | `npx @wpmoo/toolkit doctor --fix` |
 | Generated Postgres checks | For PostgreSQL 18 environments, doctor validates db mount targets avoid old PG image-specific paths and can normalize safe targets with `--fix`. | `npx @wpmoo/toolkit doctor`, `npx @wpmoo/toolkit doctor --fix` |
-| PostgreSQL diagnostics | Optional read-only database health/performance diagnostics report database count, sessions currently running queries with `pg_stat_activity.state = 'active'`, total database size, slow-query readiness, extension visibility, and selected settings without failing doctor when the database is unavailable. | `npx @wpmoo/toolkit doctor --postgres`, `npx @wpmoo/toolkit doctor --json --postgres` |
+| PostgreSQL diagnostics | Optional read-only, advisory-only database health and performance diagnostics (no automatic tuning), covering active/idle-in-transaction sessions, table health signals, WAL/capacity context, unused-index hints, and slow-query readiness. JSON mode emits a versioned PostgreSQL contract with optional fields when a metric is unavailable. | `npx @wpmoo/toolkit doctor --postgres`, `npx @wpmoo/toolkit doctor --json --postgres` |
 | Source repo add/remove | Source repository registration and submodule lifecycle behave correctly. | `npx @wpmoo/toolkit add-repo ...`, `npx @wpmoo/toolkit remove-repo ...` |
 | Source manifest sync | Source repo metadata, `.gitmodules`, and `odoo/custom/manifests/sources.yaml` stay aligned. | `npx @wpmoo/toolkit source list`, `npx @wpmoo/toolkit source sync` |
 | Module add/remove | Module skeleton files include manifest, model, access CSV, explicit view XML, action/menu XML, post-install test scaffold, and selected source repo registration. Existing scaffold files are not overwritten. | `npx @wpmoo/toolkit add-module ...`, `npx @wpmoo/toolkit remove-module ...` |
@@ -76,16 +76,16 @@ is involved, use PostgreSQL upgrade tooling first.
 
 Use `doctor --postgres` when the database container is running and you want
 read-only PostgreSQL diagnostics. The check uses fixed diagnostic queries for
-database count, sessions currently running queries where
-`pg_stat_activity.state` is `active`, aggregate database size, slow-query
-logging readiness,
-`pg_stat_statements` availability, and `shared_buffers`. If the database is
-unavailable, doctor reports a warning instead of failing the whole environment
-check.
-JSON output preserves `checks` and `warnings` while adding a structured
-`postgres` object when `--postgres` is requested.
-Incomplete or malformed PostgreSQL metric rows are reported as unavailable
-diagnostics.
+database count, sessions currently running queries where `pg_stat_activity.state`
+is `active`, long transactions / idle-in-transaction sessions, table health
+signals, unused index advisor signals, WAL and capacity visibility, and
+slow-query logging readiness (`log_min_duration_statement` and
+`pg_stat_statements` visibility). If the database is unavailable, doctor reports
+a warning instead of failing the whole environment check.
+
+`doctor --json --postgres` keeps output stable by exposing a versioned PostgreSQL
+diagnostics contract. The contract is intentionally permissive: fields are optional
+and omitted or marked unavailable when a running database does not expose them.
 
 ## Safe reset policy
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wpmoo/toolkit",
-  "version": "0.9.25",
+  "version": "0.9.27",
   "description": "WPMoo Toolkit for development, staging, and production lifecycle workflows.",
   "type": "module",
   "repository": {