@wpmoo/toolkit 0.9.29 → 0.9.30

package/dist/module-quality.js

@@ -82,9 +82,15 @@ async function readOptionalFile(path) {
 function moduleIssue(moduleName, path, issue) {
     return { moduleName, path, issue };
 }
+function moduleQualityIssue(moduleName, path, issue, severity) {
+    return { moduleName, path, issue, severity };
+}
 function manifestData(manifest) {
     return Array.isArray(manifest?.data) ? manifest.data : [];
 }
+function manifestDemo(manifest) {
+    return Array.isArray(manifest?.demo) ? manifest.demo : [];
+}
 function manifestDepends(manifest) {
     return Array.isArray(manifest?.depends) ? manifest.depends : [];
 }
@@ -105,6 +111,70 @@ function pythonImportPresent(content, importName) {
         return false;
     return new RegExp(`^\\s*from\\s+\\.\\s+import\\s+.*\\b${importName}\\b`, 'mu').test(content);
 }
+function xmlAttributeValues(content, attributeName) {
+    const values = [];
+    const pattern = new RegExp(`\\b${attributeName}=(["'])(.*?)\\1`, 'gsu');
+    let match;
+    while ((match = pattern.exec(content))) {
+        const value = match[2]?.trim();
+        if (value)
+            values.push(value);
+    }
+    return values;
+}
+function declaredActionIds(xmlFiles) {
+    const ids = new Set();
+    for (const content of xmlFiles) {
+        for (const record of content.matchAll(/<record\b[^>]*\bmodel=(["'])ir\.actions\.act_window\1[^>]*>/gsu)) {
+            for (const id of xmlAttributeValues(record[0], 'id')) {
+                ids.add(id);
+            }
+        }
+    }
+    return ids;
+}
+function menuActionReferences(xmlFiles) {
+    const refs = [];
+    for (const content of xmlFiles) {
+        for (const menu of content.matchAll(/<menuitem\b[^>]*>/gsu)) {
+            refs.push(...xmlAttributeValues(menu[0], 'action'));
+        }
+    }
+    return refs;
+}
+function declaredModelIds(modelFileContents) {
+    const modelIds = new Set();
+    for (const content of modelFileContents) {
+        for (const match of content.matchAll(/^\s*_name\s*=\s*["']([^"']+)["']/gmu)) {
+            const modelName = match[1]?.trim();
+            if (modelName) {
+                modelIds.add(`model_${modelName.replace(/\./gu, '_')}`);
+            }
+        }
+    }
+    return modelIds;
+}
+function accessCsvModelIds(content) {
+    if (!content)
+        return [];
+    const lines = content
+        .split(/\r?\n/u)
+        .map((line) => line.trim())
+        .filter((line) => line && !line.startsWith('#'));
+    if (lines.length < 2)
+        return [];
+    const header = lines[0]?.split(',').map((value) => value.trim()) ?? [];
+    const modelColumn = header.findIndex((value) => value === 'model_id:id' || value === 'model_id');
+    if (modelColumn < 0)
+        return [];
+    return lines
+        .slice(1)
+        .map((line) => line.split(',')[modelColumn]?.trim())
+        .filter((value) => Boolean(value));
+}
+async function readModelFileContents(modulePath, modelFiles) {
+    return Promise.all(modelFiles.map(async (fileName) => (await readOptionalFile(join(modulePath, 'models', fileName))) ?? ''));
+}
 export async function analyzeModuleDirectory(modulePath, moduleName = basename(modulePath), relativePath = modulePath) {
     const issues = [];
     let manifest;
@@ -135,9 +205,21 @@ export async function analyzeModuleDirectory(modulePath, moduleName = basename(m
     const menuXml = await readMenusXml(modulePath);
     const modelFiles = await readPythonModelFiles(modulePath);
     const viewFiles = await readViewXmlFiles(modulePath);
+    const viewXml = await Promise.all(viewFiles.map(async (fileName) => (await readOptionalFile(join(modulePath, 'views', fileName))) ?? ''));
     const depends = manifestDepends(manifest);
     const data = manifestData(manifest);
+    const demo = manifestDemo(manifest);
     const hasOdooStructures = moduleHasOdooStructures(modelFiles, viewFiles, menuXml, data);
+    for (const entry of data) {
+        if (!(await fileExists(join(modulePath, entry)))) {
+            issues.push(moduleQualityIssue(moduleName, relativePath, `missing manifest data file: ${entry}`, 'error'));
+        }
+    }
+    for (const entry of demo) {
+        if (!(await fileExists(join(modulePath, entry)))) {
+            issues.push(moduleQualityIssue(moduleName, relativePath, `missing manifest demo file: ${entry}`, 'warning'));
+        }
+    }
     if (hasOdooStructures && !depends.includes('base')) {
         issues.push(moduleIssue(moduleName, relativePath, 'missing base dependency for model-based module'));
     }
@@ -157,6 +239,15 @@ export async function analyzeModuleDirectory(modulePath, moduleName = basename(m
             issues.push(moduleIssue(moduleName, relativePath, 'missing security/ir.model.access.csv'));
         }
     }
+    const modelFileContents = await readModelFileContents(modulePath, modelFiles);
+    const modelIds = declaredModelIds(modelFileContents);
+    if (modelIds.size > 0) {
+        for (const modelId of accessCsvModelIds(await readOptionalFile(join(modulePath, 'security/ir.model.access.csv')))) {
+            if (!modelIds.has(modelId)) {
+                issues.push(moduleQualityIssue(moduleName, relativePath, `access CSV references unknown model id: ${modelId}`, 'error'));
+            }
+        }
+    }
     if (hasOdooStructures && !dataIncludesAccessCsv(data)) {
         issues.push(moduleIssue(moduleName, relativePath, 'missing security/ir.model.access.csv in manifest data'));
     }
@@ -166,6 +257,13 @@ export async function analyzeModuleDirectory(modulePath, moduleName = basename(m
     if (!(await directoryExists(join(modulePath, 'tests')))) {
         issues.push(moduleIssue(moduleName, relativePath, 'missing tests directory'));
     }
+    const allViewXml = [...viewXml, ...menuXml];
+    const actionIds = declaredActionIds(allViewXml);
+    for (const actionRef of menuActionReferences(menuXml)) {
+        if (!actionIds.has(actionRef)) {
+            issues.push(moduleQualityIssue(moduleName, relativePath, `menu XML references missing action id: ${actionRef}`, 'error'));
+        }
+    }
     const hasMenuAction = menuXml.some((content) => hasActionableMenuXml(content, moduleName));
     if (!hasMenuAction) {
         issues.push(moduleIssue(moduleName, relativePath, 'missing actionable menu XML'));

package/dist/postgres-diagnostics.js

@@ -214,6 +214,21 @@ FROM (
     'unavailable'
   )
   UNION ALL
+  SELECT 'work_mem', COALESCE(
+    (SELECT setting || COALESCE(unit, '') FROM pg_settings WHERE name = 'work_mem'),
+    'unavailable'
+  )
+  UNION ALL
+  SELECT 'maintenance_work_mem', COALESCE(
+    (SELECT setting || COALESCE(unit, '') FROM pg_settings WHERE name = 'maintenance_work_mem'),
+    'unavailable'
+  )
+  UNION ALL
+  SELECT 'effective_cache_size', COALESCE(
+    (SELECT setting || COALESCE(unit, '') FROM pg_settings WHERE name = 'effective_cache_size'),
+    'unavailable'
+  )
+  UNION ALL
   SELECT 'long_transaction_count', long_transaction_count FROM transaction_health
   UNION ALL
   SELECT 'oldest_long_transaction_age_seconds', oldest_long_transaction_age_seconds FROM transaction_health
@@ -264,6 +279,9 @@ export const POSTGRES_DIAGNOSTIC_KEYS = [
     'pg_stat_statements_installed_version',
     'shared_preload_libraries',
     'shared_buffers',
+    'work_mem',
+    'maintenance_work_mem',
+    'effective_cache_size',
     'long_transaction_count',
     'oldest_long_transaction_age_seconds',
     'idle_in_transaction_count',
@@ -591,6 +609,15 @@ export function structuredPostgresDiagnostics(diagnostics) {
     if (diagnostics.shared_buffers) {
         structured.sharedBuffers = diagnostics.shared_buffers;
     }
+    if (diagnostics.work_mem) {
+        structured.workMem = diagnostics.work_mem;
+    }
+    if (diagnostics.maintenance_work_mem) {
+        structured.maintenanceWorkMem = diagnostics.maintenance_work_mem;
+    }
+    if (diagnostics.effective_cache_size) {
+        structured.effectiveCacheSize = diagnostics.effective_cache_size;
+    }
     if (longTransactionCount !== undefined) {
         structured.longTransactionCount = longTransactionCount;
     }

package/dist/repo-url.js

@@ -1,4 +1,6 @@
 import { basename } from 'node:path';
+import { validateRepoPath } from './path-validation.js';
+import { parseGitHubRepoUrl } from './github.js';
 export function normalizeRepositoryUrl(repoUrl) {
     const trimmed = repoUrl.trim();
     const withoutSuffix = trimmed.replace(/[?#].*$/, '').replace(/\/+$/, '').replace(/\.git$/, '');
@@ -15,13 +17,8 @@ export function inferRepoPath(repoUrl) {
     if (!withoutGit) {
         throw new Error(`Cannot infer repository path from URL: ${repoUrl}`);
     }
-    return withoutGit;
+    return validateRepoPath(withoutGit);
 }
 export function inferGitHubOwner(repoUrl) {
-    const normalized = normalizeRepositoryUrl(repoUrl);
-    const httpsMatch = normalized.match(/^https:\/\/github\.com\/([^/]+)\//);
-    if (httpsMatch)
-        return httpsMatch[1];
-    const sshMatch = normalized.match(/^git@github\.com:([^/]+)\//);
-    return sshMatch?.[1];
+    return parseGitHubRepoUrl(normalizeRepositoryUrl(repoUrl))?.owner;
 }

package/dist/safe-reset.js

@@ -70,7 +70,7 @@ function parseGitmodules(target) {
         const gitmodules = readFileSync(join(target, '.gitmodules'), 'utf8');
         const sections = gitmodules.split(/\n(?=\[submodule )/);
         return sections.flatMap((section) => {
-            const pathMatch = section.match(/^\s*path\s*=\s*odoo\/custom\/src\/(private|oca|external)\/([^\s]+)\s*$/m);
+            const pathMatch = section.match(/^\s*path\s*=\s*odoo\/custom\/src\/(?:(private|oca|external)\/)?([^\s/]+)\s*$/m);
             if (!pathMatch) {
                 return [];
             }
@@ -78,7 +78,7 @@ function parseGitmodules(target) {
             if (!source) {
                 return [];
             }
-            const sourceType = pathMatch[1];
+            const sourceType = (pathMatch[1] ?? 'private');
             return [{ path: pathMatch[2], sourceType, url: source }];
         });
     }
@@ -150,7 +150,7 @@ function inferOptionsForPreviewSync(target) {
                 url: metadataMatch?.url?.trim() ||
                     gitmoduleMatch?.url ||
                     readSubmoduleUrlFromPath(target, path, sourceType),
-                addons: parseAddonsForRepo(addonsYaml, path),
+                addons: parseAddonsForRepo(addonsYaml, path, sourceType),
             };
         }),
         engine: 'compose',
@@ -171,9 +171,12 @@ function inferOptionsForPreviewSync(target) {
 function readSubmoduleUrlFromPath(target, repoPath, sourceType) {
     try {
         const gitmodules = readFileSync(join(target, '.gitmodules'), 'utf8');
-        const escapedPath = `odoo/custom/src/${sourceType}/${repoPath}`;
+        const expectedPaths = [`odoo/custom/src/${sourceType}/${repoPath}`];
+        if (sourceType === 'private') {
+            expectedPaths.push(`odoo/custom/src/${repoPath}`);
+        }
         const sections = gitmodules.split(/\n(?=\[submodule )/);
-        const section = sections.find((value) => value.includes(`path = ${escapedPath}`));
+        const section = sections.find((value) => expectedPaths.some((path) => value.includes(`path = ${path}`)));
         const url = section?.match(/^\s*url\s*=\s*(.+)$/m)?.[1]?.trim();
         return url || `odoo/custom/src/${sourceType}/${repoPath}`;
     }
@@ -311,11 +314,14 @@ function safeResetExternalAssetOptions(options) {
         ],
     }));
 }
-function parseAddonsForRepo(addonsYaml, repoPath) {
+function parseAddonsForRepo(addonsYaml, repoPath, sourceType = 'private') {
     const safeRepoPath = validateRepoPath(repoPath);
     const lines = addonsYaml.split('\n');
-    const header = `private/${safeRepoPath}:`;
-    const start = lines.findIndex((line) => line.trim() === header);
+    const headers = [`${sourceType}/${safeRepoPath}:`];
+    if (sourceType === 'private') {
+        headers.push(`${safeRepoPath}:`);
+    }
+    const start = lines.findIndex((line) => headers.includes(line.trim()));
     if (start === -1)
         return [safeRepoPath];
     const addons = [];
@@ -332,7 +338,7 @@ function parseAddonsForRepo(addonsYaml, repoPath) {
     return addons.length ? addons : [safeRepoPath];
 }
 function parseRepoPathsFromAddonsYaml(addonsYaml) {
-    return [...addonsYaml.matchAll(/^private\/(.+):$/gm)]
+    return [...addonsYaml.matchAll(/^(?:private\/)?([^/\s][^/:]*):$/gm)]
         .map((match) => match[1].trim())
         .filter((repoPath) => repoPath && isValidPathSegment(repoPath))
         .map(validateRepoPath);
@@ -341,9 +347,12 @@ async function readSubmoduleUrl(target, repoPath, sourceType) {
     const safeRepoPath = validateRepoPath(repoPath);
     try {
         const gitmodules = await readFile(join(target, '.gitmodules'), 'utf8');
-        const escapedPath = `odoo/custom/src/${sourceType}/${safeRepoPath}`;
+        const expectedPaths = [`odoo/custom/src/${sourceType}/${safeRepoPath}`];
+        if (sourceType === 'private') {
+            expectedPaths.push(`odoo/custom/src/${safeRepoPath}`);
+        }
         const sections = gitmodules.split(/\n(?=\[submodule )/);
-        const section = sections.find((value) => value.includes(`path = ${escapedPath}`));
+        const section = sections.find((value) => expectedPaths.some((path) => value.includes(`path = ${path}`)));
         const url = section?.match(/^\s*url\s*=\s*(.+)$/m)?.[1]?.trim();
         return url || `odoo/custom/src/${sourceType}/${safeRepoPath}`;
     }
@@ -389,7 +398,7 @@ async function inferOptions(target) {
             ?.url.trim() ||
             gitmoduleSources.find((repo) => repo.path === path && repo.type === sourceType)?.url ||
             (await readSubmoduleUrl(target, path, sourceType)),
-        addons: parseAddonsForRepo(addonsYaml, path),
+        addons: parseAddonsForRepo(addonsYaml, path, sourceType),
     })));
     return {
         product,

package/dist/source-manifest.js

@@ -273,13 +273,13 @@ export async function listGitmoduleSources(target) {
         const gitmodules = await readFile(join(target, '.gitmodules'), 'utf8');
         const lines = gitmodules.split(/\r?\n/);
         const locations = [];
-        const pathRegex = /^\s*path\s*=\s*odoo\/custom\/src\/(private|oca|external)\/(.+)\s*$/;
+        const pathRegex = /^\s*path\s*=\s*odoo\/custom\/src\/(?:(private|oca|external)\/)?([^/\s]+)\s*$/;
         const urlRegex = /^\s*url\s*=\s*(.+)\s*$/;
         let pending;
         for (const line of lines) {
             const parsedPath = line.match(pathRegex);
             if (parsedPath) {
-                const sourceType = parsedPath[1];
+                const sourceType = (parsedPath[1] ?? 'private');
                 const repoPath = parsedPath[2]?.trim() ?? '';
                 if (!repoPath || !isValidPathSegment(repoPath)) {
                     pending = undefined;

package/dist/templates.js

@@ -212,6 +212,8 @@ In WPMOO_ENV=prod, module lifecycle commands such as install, update, and test
 require WPMOO_ALLOW_PROD_LIFECYCLE=1. Destructive database commands such as
 resetdb and real restore-snapshot require WPMOO_ALLOW_DESTRUCTIVE=1 in stage
 and prod. restore-snapshot --dry-run remains available for preview.
+For short-lived local approvals, add JSONL entries to \`.wpmoo/approvals.jsonl\`;
+generated \`.gitignore\` keeps that ledger out of Git.
 
 If copied from the standalone resource, additional compose notes are in
 \`docs/compose.md\`.
@@ -415,6 +417,7 @@ __pycache__/
 .env.*
 !.env.example
 *.local
+.wpmoo/approvals.jsonl
 
 # Local generated files
 *.code-workspace
@@ -457,7 +460,7 @@ usage() {
     "update") echo "Usage: ./moo update <module[,module]> [db]" ;;
     "test") echo "Usage: ./moo test <module[,module]> [--db <db>] [--mode auto|init|update] [--tags <tags>]" ;;
     "resetdb") echo "Usage: ./moo resetdb [db] [module[,module]]" ;;
-    "snapshot") echo "Usage: ./moo snapshot [db] [snapshot-name]" ;;
+    "snapshot") echo "Usage: ./moo snapshot [--list] [db] [snapshot-name]" ;;
     "restore-snapshot") echo "Usage: ./moo restore-snapshot [--dry-run] <snapshot-name> [db]" ;;
     "lint") echo "Usage: ./moo lint" ;;
     "pot") echo "Usage: ./moo pot <module[,module]> [db] [output]" ;;
@@ -574,9 +577,51 @@ selected_env() {
   printf '%s\\n' "\${value:-dev}"
 }
 
+approval_active() {
+  local scope="$1"
+  local command="$2"
+  local env_name="$3"
+  [[ -f .wpmoo/approvals.jsonl ]] || return 1
+
+  node --input-type=module - "$scope" "$command" "$env_name" <<'NODE'
+import { readFileSync } from 'node:fs';
+
+const [scope, command, envName] = process.argv.slice(2);
+
+try {
+  const content = readFileSync('.wpmoo/approvals.jsonl', 'utf8');
+  for (const rawLine of content.split(/\\r?\\n/)) {
+    const line = rawLine.trim();
+    if (!line) continue;
+
+    let entry;
+    try {
+      entry = JSON.parse(line);
+    } catch {
+      continue;
+    }
+
+    if (!entry || typeof entry !== 'object') continue;
+    if (entry.scope !== scope || entry.environment !== envName) continue;
+    if (typeof entry.command === 'string' && entry.command !== command) continue;
+
+    const expiresAt = Date.parse(entry.expiresAt);
+    if (Number.isFinite(expiresAt) && expiresAt > Date.now()) {
+      process.exit(0);
+    }
+  }
+} catch {
+}
+
+process.exit(1);
+NODE
+}
+
 allow_destructive() {
+  local command="$1"
+  local env_name="\${2:-$(selected_env)}"
   local value="\${WPMOO_ALLOW_DESTRUCTIVE:-$(env_file_value WPMOO_ALLOW_DESTRUCTIVE)}"
-  [[ "$value" == "1" ]]
+  [[ "$value" == "1" ]] || approval_active "destructive" "$command" "$env_name"
 }
 
 require_destructive_allowed() {
@@ -584,7 +629,7 @@ require_destructive_allowed() {
   local env_name
   env_name="$(selected_env)"
   if [[ "$env_name" == "stage" || "$env_name" == "prod" ]]; then
-    if ! allow_destructive; then
+    if ! allow_destructive "$command" "$env_name"; then
       echo "Refusing destructive command '$command' in WPMOO_ENV=$env_name. Set WPMOO_ALLOW_DESTRUCTIVE=1 to run it intentionally." >&2
       exit 1
     fi
@@ -592,28 +637,36 @@ require_destructive_allowed() {
 }
 
 allow_prod_lifecycle() {
+  local command="$1"
+  local env_name="\${2:-$(selected_env)}"
   local value="\${WPMOO_ALLOW_PROD_LIFECYCLE:-$(env_file_value WPMOO_ALLOW_PROD_LIFECYCLE)}"
-  [[ "$value" == "1" ]]
+  [[ "$value" == "1" ]] || approval_active "prod-lifecycle" "$command" "$env_name"
 }
 
 allow_stage_lifecycle() {
+  local command="$1"
+  local env_name="\${2:-$(selected_env)}"
   local value="\${WPMOO_ALLOW_STAGE_LIFECYCLE:-$(env_file_value WPMOO_ALLOW_STAGE_LIFECYCLE)}"
-  [[ "$value" == "1" ]]
+  [[ "$value" == "1" ]] || approval_active "stage-lifecycle" "$command" "$env_name"
 }
 
 allow_no_recent_snapshot() {
+  local command="$1"
+  local env_name="\${2:-$(selected_env)}"
   local value="\${WPMOO_ALLOW_NO_RECENT_SNAPSHOT:-$(env_file_value WPMOO_ALLOW_NO_RECENT_SNAPSHOT)}"
-  [[ "$value" == "1" ]]
+  [[ "$value" == "1" ]] || approval_active "no-recent-snapshot" "$command" "$env_name"
 }
 
 allow_migrations() {
+  local command="$1"
+  local env_name="\${2:-$(selected_env)}"
   local value="\${WPMOO_ALLOW_MIGRATIONS:-$(env_file_value WPMOO_ALLOW_MIGRATIONS)}"
-  [[ "$value" == "1" ]]
+  [[ "$value" == "1" ]] || approval_active "migration-risk" "$command" "$env_name"
 }
 
 has_recent_snapshot() {
   local dir
-  for dir in backups backup snapshots; do
+  for dir in backups/snapshots backups backup snapshots; do
     [[ -d "$dir" ]] || continue
     if find "$dir" -type f \\( -name "*.dump" -o -name "*.sql" -o -name "*.sql.gz" -o -name "*.zip" -o -name "*.tar" -o -name "*.tar.gz" \\) -mtime -1 -print -quit 2>/dev/null | grep -q .; then
       return 0
@@ -622,12 +675,62 @@ has_recent_snapshot() {
   return 1
 }
 
+snapshot_stem() {
+  local file="$1"
+  file="\${file##*/}"
+  file="\${file%.filestore.tar.gz}"
+  file="\${file%.sql.gz}"
+  file="\${file%.tar.gz}"
+  file="\${file%.dump}"
+  file="\${file%.sql}"
+  file="\${file%.zip}"
+  file="\${file%.tar}"
+  printf '%s' "$file"
+}
+
+json_string_value() {
+  local key="$1"
+  local file="$2"
+  [[ -f "$file" ]] || return 0
+  sed -n "s/.*\\"$key\\"[[:space:]]*:[[:space:]]*\\"\\([^\\"]*\\)\\".*/\\1/p" "$file" | head -n 1
+}
+
+list_snapshots() {
+  local found=0 dir dump stem manifest database created filestore
+  for dir in backups/snapshots backups backup snapshots; do
+    [[ -d "$dir" ]] || continue
+    while IFS= read -r dump; do
+      [[ -n "$dump" ]] || continue
+      found=1
+      stem="$(snapshot_stem "$dump")"
+      manifest="$dir/$stem.json"
+      database="$(json_string_value database "$manifest")"
+      created="$(json_string_value created_at "$manifest")"
+      filestore="$dir/$stem.filestore.tar.gz"
+      echo "- $stem"
+      [[ -n "$created" ]] && echo "  Created: $created"
+      echo "  Database: \${database:-unknown}"
+      echo "  Dump: $dump"
+      if [[ -f "$filestore" ]]; then
+        echo "  Filestore: $filestore (found)"
+      else
+        echo "  Filestore: missing (missing)"
+      fi
+    done < <(find "$dir" -maxdepth 1 -type f \\( -name "*.dump" -o -name "*.sql" -o -name "*.sql.gz" \\) | sort)
+  done
+
+  if [[ "$found" -eq 0 ]]; then
+    echo "No database snapshots found."
+    echo "Next: run ./moo snapshot [db] [snapshot-name]."
+  fi
+}
+
 require_recent_snapshot_or_override() {
   local command="$1"
   local env_name
   env_name="$(selected_env)"
   if [[ "$env_name" == "stage" || "$env_name" == "prod" ]]; then
-    if ! allow_no_recent_snapshot && ! has_recent_snapshot; then
+    if ! allow_no_recent_snapshot "$command" "$env_name" && ! has_recent_snapshot; then
       echo "Refusing destructive command '$command' in WPMOO_ENV=$env_name without a recent database snapshot. Create a snapshot first or set WPMOO_ALLOW_NO_RECENT_SNAPSHOT=1 to run it intentionally." >&2
       exit 1
     fi
@@ -650,7 +753,7 @@ require_migrations_allowed() {
   local env_name
   env_name="$(selected_env)"
   if [[ "$env_name" == "stage" || "$env_name" == "prod" ]]; then
-    if ! allow_migrations && has_migration_risk; then
+    if ! allow_migrations "$command" "$env_name" && has_migration_risk; then
       echo "Refusing migration-risk command '$command' in WPMOO_ENV=$env_name. Review detected migration scripts or set WPMOO_ALLOW_MIGRATIONS=1 to run it intentionally." >&2
       exit 1
     fi
@@ -662,7 +765,7 @@ require_stage_lifecycle_allowed() {
   local env_name
   env_name="$(selected_env)"
   if [[ "$env_name" == "stage" ]]; then
-    if ! allow_stage_lifecycle; then
+    if ! allow_stage_lifecycle "$command" "$env_name"; then
       echo "Refusing stage lifecycle command '$command' in WPMOO_ENV=stage. Set WPMOO_ALLOW_STAGE_LIFECYCLE=1 to run it intentionally." >&2
       exit 1
     fi
@@ -674,7 +777,7 @@ require_prod_lifecycle_allowed() {
   local env_name
   env_name="$(selected_env)"
   if [[ "$env_name" == "prod" ]]; then
-    if ! allow_prod_lifecycle; then
+    if ! allow_prod_lifecycle "$command" "$env_name"; then
       echo "Refusing production lifecycle command '$command' in WPMOO_ENV=prod. Set WPMOO_ALLOW_PROD_LIFECYCLE=1 to run it intentionally." >&2
       exit 1
     fi
@@ -795,6 +898,12 @@ case "$command" in
     ;;
   "snapshot")
     shift
+    if [[ "\${1:-}" == "--list" ]]; then
+      shift
+      require_no_args "$command" "$@"
+      list_snapshots
+      exit 0
+    fi
     positional_args "$command" 0 2 "$@"
     run_script ./scripts/snapshot.sh "$@"
     ;;
@@ -929,12 +1038,35 @@ import { access, readdir, readFile, stat } from 'node:fs/promises';
 import { basename, isAbsolute, join, relative } from 'node:path';
 
 const args = process.argv.slice(2);
-if (!args.every((arg) => arg === '--json')) {
-  console.error('Usage: ./moo status [--json]');
-  process.exit(2);
+function parseJsonOption(argv) {
+  let json = false;
+  for (const arg of argv) {
+    if (arg === '--json') {
+      json = true;
+      continue;
+    }
+
+    if (arg.startsWith('--json=')) {
+      const value = arg.slice('--json='.length).toLowerCase().trim();
+      if (['true', '1', 'yes', 'y'].includes(value)) {
+        json = true;
+        continue;
+      }
+      if (['false', '0', 'no', 'n'].includes(value)) {
+        json = false;
+        continue;
+      }
+      console.error('Invalid boolean value for --json: ' + arg.slice('--json='.length));
+      process.exit(2);
+    }
+
+    console.error('Usage: ./moo status [--json]');
+    process.exit(2);
+  }
+  return json;
 }
 
-const json = args.includes('--json');
+const json = parseJsonOption(args);
 const target = process.cwd();
 const metadataPath = '.wpmoo/odoo.json';
 const validSourceTypes = new Set(['private', 'oca', 'external']);
@@ -1515,7 +1647,7 @@ Useful maintenance commands:
 \`\`\`bash
 ./moo lint
 ./moo resetdb [db] [module[,module]]
-./moo snapshot [db] [snapshot-name]
+./moo snapshot [--list] [db] [snapshot-name]
 ./moo restore-snapshot [--dry-run] <snapshot-name> [db]
 ./moo pot <module[,module]> [db] [output]
 \`\`\`

package/docs/1-0-readiness.md

@@ -74,8 +74,8 @@ Ready:
   preview/read-only paths.
 - Migration-risk lifecycle commands can require `WPMOO_ALLOW_MIGRATIONS=1`.
 - Environment-variable approvals remain supported through 1.x.
-- Timestamped approval files may be added as an additive safety layer, not as a
-  replacement for env flags in 1.x.
+- `.wpmoo/approvals.jsonl` adds time-bounded local approvals as an additive
+  safety layer, not as a replacement for env flags in 1.x.
 
 ## Release Artifact Policy
 
@@ -94,19 +94,43 @@ Ready:
 
 ## Current Audit
 
-Last updated: 2026-05-21.
+Last updated: 2026-05-22.
 
 Completed checks:
 
-- Full local gate for Train 8 passed on 2026-05-21:
+- Full local gate through Train 19 passed on 2026-05-22:
   `npm run typecheck`, `npm test`, `npm run build`, and `git diff --check`.
-- Coverage passed on 2026-05-21: 72 test files, 682 tests, 92.32%
-  statements, 87.56% branches, 96.74% functions, and 92.32% lines.
-- Published CLI smoke passed against `@wpmoo/toolkit@0.9.27` with `npm exec`
-  for `wpmoo --version`, `wpmoo --help`, and `wpmoo doctor --help`.
+- Coverage passed on 2026-05-22: 75 test files, 722 tests, 92.00%
+  statements, 87.59% branches, 96.30% functions, and 92.00% lines.
+- Local release packaging passed for the 1.0 release-candidate surface with
+  `npm --cache /private/tmp/wpmoo-npm-cache pack --dry-run`; the package
+  contained 70 files and the expected `dist`, `docs/assets`, `docs/*.md`,
+  `README.md`, `LICENSE`, and `package.json` entries.
+- Local dist CLI smoke passed for `node dist/cli.js --version`, `--help`,
+  `create --help`, `doctor --help`, and `status --help`.
+- The generated-environment acceptance flow remains covered by
+  `test/smoke-published-script.test.ts`, including create, source list/sync,
+  safe reset preview, `doctor --fix`, snapshot, and restore dry-run steps.
 - Placeholder review found no `TODO`, `FIXME`, `TBD`, or `coming soon`
   markers in `README.md`, `docs`, or `src`.
 - Local markdown link review passed across `README.md` and `docs/*.md`.
+- Published CLI smoke previously passed against `@wpmoo/toolkit@0.9.27` with
+  `npm exec` for `wpmoo --version`, `wpmoo --help`, and
+  `wpmoo doctor --help`.
+
+Release-candidate notes:
+
+- Local `npm exec --package file:...` smoke against the generated tarball did
+  not complete in this restricted environment because package installation and
+  dependency resolution timed out before the CLI could run. This is not treated
+  as a product regression, but it prevents treating the current line as final
+  `1.0.0` evidence before a registry-backed smoke completes.
+- The next patch release should be published as `0.9.30`. Do not tag `1.0.0`
+  until `WPMOO_SMOKE_ENVIRONMENT=1 npm run smoke:published -- "$VERSION"`
+  passes against a registry-resolved package.
+- After a registry-backed generated-environment smoke passes, the remaining
+  1.0 decision is procedural: bump to `1.0.0`, rerun the full gate, rerun
+  `npm run release:check`, tag, and verify the required scoped artifacts.
 
 Final policy decisions:
 
@@ -117,7 +141,7 @@ Final policy decisions:
 - Pre-1.0 generated environments are supported through safe reset and
   doctor-guided generated-file migration checks that preserve source code and
   local runtime data.
-- Environment-variable approvals remain supported through 1.x; timestamped
-  approval files may be added only as an additive safety layer.
+- Environment-variable approvals remain supported through 1.x;
+  `.wpmoo/approvals.jsonl` is additive and local-only.
 - Generated-environment acceptance smoke is mandatory for a `1.0.0` release
   candidate.