migraguard 0.6.2 → 0.7.0

package/dist/cli.js

@@ -9,6 +9,7 @@ import { dirname, resolve, join } from 'path';
 import { existsSync } from 'fs';
 import { randomBytes, createHash } from 'crypto';
 import libpg from 'libpg-query';
+import { Parser } from 'node-sql-parser';
 import { pathToFileURL } from 'url';
 import { diffLines } from 'diff';
 import { tmpdir } from 'os';
@@ -189,43 +190,66 @@ var DEFAULT_DUMP = {
   excludeOwners: true,
   excludePrivileges: true
 };
+var DEFAULT_PG_LINT_RULES = {
+  "require-concurrent-index": "error",
+  "require-if-not-exists": "error",
+  "require-lock-timeout": "error",
+  "ban-concurrent-index-in-transaction": "error",
+  "adding-not-nullable-field": "error",
+  "constraint-missing-not-valid": "error",
+  "require-analyze-after-index": "error",
+  "require-create-or-replace-view": "error",
+  "ban-drop-cascade": "error",
+  "require-statement-timeout": "error",
+  "require-reset-timeouts": "error",
+  "ban-truncate": "error",
+  "ban-update-without-where": "error",
+  "ban-delete-without-where": "error",
+  "ban-drop-column": "error",
+  "ban-alter-column-type": "error",
+  "require-drop-index-concurrently": "error",
+  "require-unique-via-concurrent-index": "error",
+  "ban-validate-constraint-same-file": "error",
+  "ban-bare-analyze": "error",
+  "require-if-not-exists-materialized-view": "error",
+  "ban-refresh-materialized-view-in-migration": "error",
+  "ban-select-star-in-view": "error",
+  "ban-rename-column": "error",
+  "ban-rename-table": "error",
+  "ban-drop-table": "error",
+  "require-pk-via-concurrent-index": "error",
+  "ban-set-not-null": "error",
+  "ban-alter-enum-in-transaction": "error",
+  "ban-vacuum-full": "error",
+  "ban-cluster": "error",
+  "ban-reindex": "error",
+  "ban-alter-system": "error",
+  "ban-set-session-replication-role": "error"
+};
+var DEFAULT_GENERIC_LINT_RULES = {
+  "require-if-not-exists": "error",
+  "ban-drop-column": "error",
+  "ban-alter-column-type": "error",
+  "ban-rename-column": "error",
+  "ban-rename-table": "error",
+  "ban-drop-table": "error",
+  "ban-update-without-where": "error",
+  "ban-delete-without-where": "error",
+  "ban-truncate": "error",
+  "adding-not-nullable-field": "error",
+  "require-create-or-replace-view": "error",
+  "ban-select-star-in-view": "error",
+  "ban-drop-cascade": "error",
+  "backfill-requires-where-clause": "error",
+  "backfill-ban-ddl": "error",
+  "contract-requires-allow-directive": "error",
+  "expand-requires-idempotent-pattern": "error"
+};
+function getDefaultLintRules(dialect) {
+  return dialect === "postgresql" ? DEFAULT_PG_LINT_RULES : DEFAULT_GENERIC_LINT_RULES;
+}
 var DEFAULT_LINT = {
-  rules: {
-    "require-concurrent-index": "error",
-    "require-if-not-exists": "error",
-    "require-lock-timeout": "error",
-    "ban-concurrent-index-in-transaction": "error",
-    "adding-not-nullable-field": "error",
-    "constraint-missing-not-valid": "error",
-    "require-analyze-after-index": "error",
-    "require-create-or-replace-view": "error",
-    "ban-drop-cascade": "error",
-    "require-statement-timeout": "error",
-    "require-reset-timeouts": "error",
-    "ban-truncate": "error",
-    "ban-update-without-where": "error",
-    "ban-delete-without-where": "error",
-    "ban-drop-column": "error",
-    "ban-alter-column-type": "error",
-    "require-drop-index-concurrently": "error",
-    "require-unique-via-concurrent-index": "error",
-    "ban-validate-constraint-same-file": "error",
-    "ban-bare-analyze": "error",
-    "require-if-not-exists-materialized-view": "error",
-    "ban-refresh-materialized-view-in-migration": "error",
-    "ban-select-star-in-view": "error",
-    "ban-rename-column": "error",
-    "ban-rename-table": "error",
-    "ban-drop-table": "error",
-    "require-pk-via-concurrent-index": "error",
-    "ban-set-not-null": "error",
-    "ban-alter-enum-in-transaction": "error",
-    "ban-vacuum-full": "error",
-    "ban-cluster": "error",
-    "ban-reindex": "error",
-    "ban-alter-system": "error",
-    "ban-set-session-replication-role": "error"
-  }
+  rules: DEFAULT_PG_LINT_RULES
 };
 function applyEnvOverrides(connection) {
   return {
@@ -261,12 +285,15 @@ function findConfigFile(startDir) {
   }
 }
 function buildConfig(raw, configDir) {
+  const dialect = raw.dialect ?? "postgresql";
   const connection = {
     ...DEFAULT_CONNECTION,
     ...raw.connection
   };
+  const defaultRules = getDefaultLintRules(dialect);
   return {
     configDir,
+    dialect,
     ...raw.model ? { model: raw.model } : {},
     migrationsDirs: resolveMigrationsDirs(raw),
     schemaFile: raw.schemaFile ?? "db/schema.sql",
@@ -277,7 +304,7 @@ function buildConfig(raw, configDir) {
     lint: {
       ...DEFAULT_LINT,
       ...raw.lint,
-      rules: { ...DEFAULT_LINT.rules, ...raw.lint?.rules }
+      rules: { ...defaultRules, ...raw.lint?.rules }
     }
   };
 }
@@ -745,6 +772,142 @@ function isMetadataJson(data) {
     (m) => typeof m === "object" && m !== null && typeof m["file"] === "string" && typeof m["checksum"] === "string"
   );
 }
+function toParserDatabase(dialect) {
+  return dialect === "mysql" ? "MySQL" : "SQLite";
+}
+function analyzeGenericSql(sql, dialect) {
+  const creates = [];
+  const references = [];
+  const createdTableNames = /* @__PURE__ */ new Set();
+  const parser = new Parser();
+  let stmts;
+  try {
+    const ast = parser.astify(sql, { database: toParserDatabase(dialect) });
+    stmts = Array.isArray(ast) ? ast : [ast];
+  } catch {
+    return { creates, references };
+  }
+  for (const stmt of stmts) {
+    const type = stmt.type;
+    const keyword = stmt.keyword;
+    if (type === "create" && keyword === "table") {
+      extractCreateTable(stmt, creates, references, createdTableNames);
+    } else if (type === "create" && keyword === "index") {
+      extractCreateIndex(stmt, references);
+    } else if (type === "alter") {
+      extractAlter(stmt, references);
+    } else if (type === "create" && keyword === "view") {
+      extractCreateView(stmt, creates, references);
+    } else if (type === "drop") {
+      extractDrop(stmt, references);
+    }
+  }
+  const filteredRefs = references.filter(
+    (ref) => !createdTableNames.has(ref.name)
+  );
+  return { creates, references: filteredRefs };
+}
+function tableName(table) {
+  if (!table?.table) return "";
+  if (table.db) return `${table.db}.${table.table}`;
+  return table.table;
+}
+function extractCreateTable(stmt, creates, references, createdTableNames) {
+  const tables = stmt.table;
+  const name = tableName(tables?.[0]);
+  if (!name) return;
+  creates.push({ type: "table", name });
+  createdTableNames.add(name);
+  const defs = stmt.create_definitions;
+  if (!defs) return;
+  for (const def of defs) {
+    if (def.resource === "column") {
+      extractColumnFk(def, references);
+    }
+    if (def.constraint_type === "FOREIGN KEY") {
+      extractFkRef(def, references);
+    }
+  }
+}
+function extractColumnFk(colDef, references) {
+  const refDef = colDef.reference_definition;
+  if (!refDef) return;
+  extractFkRef(refDef, references);
+}
+function extractFkRef(def, references) {
+  const refDef = def.reference_definition ?? def;
+  const refTables = refDef.table;
+  const name = tableName(refTables?.[0]);
+  if (name) {
+    references.push({ type: "table", name });
+  }
+}
+function extractCreateIndex(stmt, references) {
+  const table = stmt.table;
+  const name = tableName(table);
+  if (name) {
+    references.push({ type: "table", name });
+  }
+}
+function extractAlter(stmt, references) {
+  const tables = stmt.table;
+  const name = tableName(tables?.[0]);
+  if (name) {
+    references.push({ type: "table", name });
+  }
+  const exprs = stmt.expr;
+  if (!exprs) return;
+  for (const expr of exprs) {
+    if (expr.action === "add" && expr.resource === "constraint") {
+      const createDefs = expr.create_definitions;
+      if (createDefs) {
+        extractFkRef(createDefs, references);
+      }
+    }
+    if (expr.action === "add" && expr.resource === "column") {
+      extractColumnFk(expr, references);
+    }
+  }
+}
+function extractCreateView(stmt, creates, references) {
+  const view = stmt.view;
+  if (view?.view) {
+    creates.push({ type: "view", name: view.view });
+  }
+  const select = stmt.select;
+  if (select) {
+    collectFromTables(select, references);
+  }
+}
+function collectFromTables(node, references) {
+  const from = node.from;
+  if (from) {
+    for (const entry of from) {
+      const name = entry.table;
+      if (name) {
+        references.push({ type: "table", name });
+      }
+    }
+  }
+}
+function extractDrop(stmt, references) {
+  const keyword = stmt.keyword;
+  let objType = "table";
+  if (keyword === "table") objType = "table";
+  else if (keyword === "view") objType = "view";
+  else if (keyword === "index") objType = "index";
+  else return;
+  const names = stmt.name;
+  if (!names) return;
+  for (const entry of names) {
+    const name = tableName(entry);
+    if (name) {
+      references.push({ type: objType, name });
+    }
+  }
+}
+
+// src/deps.ts
 function normalizeTableName(name, schema) {
   if (!name) return "";
   if (schema && schema !== "public") {
@@ -787,9 +950,9 @@ async function analyzeSql(sql) {
 function extractCreateStmt(node, creates, references, createdTableNames) {
   const rel = node.relation;
   if (!rel?.relname) return;
-  const tableName = normalizeTableName(rel.relname, rel.schemaname);
-  creates.push({ type: "table", name: tableName });
-  createdTableNames.add(tableName);
+  const tableName2 = normalizeTableName(rel.relname, rel.schemaname);
+  creates.push({ type: "table", name: tableName2 });
+  createdTableNames.add(tableName2);
   const tableElts = node.tableElts;
   if (!tableElts) return;
   for (const elt of tableElts) {
@@ -961,9 +1124,9 @@ function parseExplicitDepsFromConfig(config) {
   }
   return result;
 }
-async function analyzeFile(filePath, fileName) {
+async function analyzeFile(filePath, fileName, dialect) {
   const sql = await readFile(filePath, "utf-8");
-  const { creates, references } = await analyzeSql(sql);
+  const { creates, references } = dialect && dialect !== "postgresql" ? analyzeGenericSql(sql, dialect) : await analyzeSql(sql);
   return { fileName, creates, references };
 }
 async function buildDependencyGraph(config) {
@@ -974,7 +1137,7 @@ async function buildDependencyGraphFromFiles(files, config) {
   const fileNames = files.map((f) => f.fileName);
   const fileDeps = /* @__PURE__ */ new Map();
   for (const file of files) {
-    const deps = await analyzeFile(file.filePath, file.fileName);
+    const deps = await analyzeFile(file.filePath, file.fileName, config.dialect);
     fileDeps.set(file.fileName, deps);
   }
   const objectCreators = /* @__PURE__ */ new Map();
@@ -2329,11 +2492,11 @@ var requireConcurrentIndex = {
     return {
       IndexStmt(node, ctx) {
         const rel = node.relation;
-        const tableName = rel?.relname ?? "(unknown)";
-        const isNewTable = ctx.createdTables.has(tableName);
+        const tableName2 = rel?.relname ?? "(unknown)";
+        const isNewTable = ctx.createdTables.has(tableName2);
         if (!node.concurrent && !isNewTable) {
           ctx.report({
-            message: `CREATE INDEX on "${tableName}" without CONCURRENTLY`,
+            message: `CREATE INDEX on "${tableName2}" without CONCURRENTLY`,
             hint: "Use CREATE INDEX CONCURRENTLY to avoid blocking writes"
           });
         }
@@ -3334,6 +3497,538 @@ var ALL_RULES = [
   backfillBanDdl,
   contractRequiresAllowDirective
 ];
+var ALLOW_DIRECTIVE_RE2 = /^--\s*migraguard:allow\s+(.+)$/gm;
+function parseAllowDirectives2(sql) {
+  const allowed = /* @__PURE__ */ new Set();
+  let match;
+  while ((match = ALLOW_DIRECTIVE_RE2.exec(sql)) !== null) {
+    for (const id of match[1].split(/[,\s]+/).filter(Boolean)) {
+      allowed.add(id);
+    }
+  }
+  ALLOW_DIRECTIVE_RE2.lastIndex = 0;
+  return allowed;
+}
+function toParserDatabase2(dialect) {
+  return dialect === "mysql" ? "MySQL" : "SQLite";
+}
+function stmtKey(stmt) {
+  const type = stmt.type;
+  if (type === "create") {
+    const kw = stmt.keyword;
+    if (kw === "table") return "create_table";
+    if (kw === "index") return "create_index";
+    if (kw === "view") return "create_view";
+    return null;
+  }
+  if (type === "alter") return "alter";
+  if (type === "drop") return "drop";
+  if (type === "update") return "update";
+  if (type === "delete") return "delete";
+  if (type === "truncate") return "truncate";
+  if (type === "transaction") return "transaction";
+  return null;
+}
+async function runGenericRules(sql, rules, dialect) {
+  const violations = [];
+  const allowed = parseAllowDirectives2(sql);
+  const activeRules = rules.filter((r) => !allowed.has(r.id));
+  if (activeRules.length === 0) return violations;
+  const visitors = [];
+  for (const rule of activeRules) {
+    visitors.push({ ruleId: rule.id, handlers: rule.create() });
+  }
+  const createdTables = /* @__PURE__ */ new Set();
+  let inTransaction = false;
+  const parser = new Parser();
+  let stmts = [];
+  try {
+    const ast = parser.astify(sql, { database: toParserDatabase2(dialect) });
+    stmts = Array.isArray(ast) ? ast : [ast];
+  } catch {
+  }
+  for (const stmt of stmts) {
+    const type = stmt.type;
+    const keyword = stmt.keyword;
+    if (type === "create" && keyword === "table") {
+      const tables = stmt.table;
+      if (tables?.[0]?.table) createdTables.add(tables[0].table);
+    }
+    if (type === "transaction") {
+      const expr = stmt.expr;
+      const action = expr?.action;
+      const val = action?.value?.toLowerCase();
+      if (val === "begin" || val === "start") inTransaction = true;
+      else if (val === "commit" || val === "rollback") inTransaction = false;
+    }
+    const key = stmtKey(stmt);
+    if (!key) continue;
+    const ctx = {
+      report: null,
+      createdTables,
+      inTransaction,
+      rawSql: sql
+    };
+    for (const { ruleId, handlers } of visitors) {
+      const handler = handlers[key];
+      if (!handler) continue;
+      ctx.report = (v) => violations.push({ rule: ruleId, ...v });
+      handler(stmt, ctx);
+    }
+  }
+  const endCtx = {
+    report: null,
+    createdTables,
+    inTransaction,
+    rawSql: sql
+  };
+  for (const { ruleId, handlers } of visitors) {
+    const endHandler = handlers["_End"];
+    if (!endHandler) continue;
+    endCtx.report = (v) => violations.push({ rule: ruleId, ...v });
+    endHandler({}, endCtx);
+  }
+  return violations;
+}
+
+// src/generic/rules/require-if-not-exists.ts
+var requireIfNotExists2 = {
+  id: "require-if-not-exists",
+  description: "CREATE must use IF NOT EXISTS, DROP must use IF EXISTS",
+  create() {
+    return {
+      create_table(node, ctx) {
+        if (!node.if_not_exists) {
+          const tables = node.table;
+          ctx.report({
+            message: `CREATE TABLE ${tables?.[0]?.table ?? "(unknown)"} without IF NOT EXISTS`,
+            hint: "Use CREATE TABLE IF NOT EXISTS for idempotent migrations"
+          });
+        }
+      },
+      create_index(node, ctx) {
+        if (!node.if_not_exists) {
+          const index = typeof node.index === "string" ? node.index : node.index?.name ?? "";
+          ctx.report({
+            message: `CREATE INDEX ${index} without IF NOT EXISTS`,
+            hint: "Use CREATE INDEX IF NOT EXISTS for idempotent migrations"
+          });
+        }
+      },
+      drop(node, ctx) {
+        if (!node.prefix) {
+          ctx.report({
+            message: "DROP without IF EXISTS",
+            hint: "Use DROP ... IF EXISTS for idempotent migrations"
+          });
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-drop-column.ts
+var banDropColumn2 = {
+  id: "ban-drop-column",
+  description: "DROP COLUMN is irreversible and may break dependent objects",
+  create() {
+    return {
+      alter(node, ctx) {
+        const exprs = node.expr;
+        if (!exprs) return;
+        for (const expr of exprs) {
+          if (expr.action !== "drop" || expr.resource !== "column") continue;
+          const tables = node.table;
+          const col = expr.column;
+          ctx.report({
+            message: `DROP COLUMN "${col?.column ?? "(unknown)"}" on "${tables?.[0]?.table ?? "(unknown)"}"`,
+            hint: "DROP COLUMN is irreversible. Consider deprecating the column first, then dropping in a later migration"
+          });
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-alter-column-type.ts
+var banAlterColumnType2 = {
+  id: "ban-alter-column-type",
+  description: "ALTER COLUMN TYPE may rewrite the table and acquire long locks",
+  create() {
+    return {
+      alter(node, ctx) {
+        const exprs = node.expr;
+        if (!exprs) return;
+        for (const expr of exprs) {
+          if (expr.action !== "modify") continue;
+          const tables = node.table;
+          const col = expr.column;
+          ctx.report({
+            message: `ALTER COLUMN TYPE on "${tables?.[0]?.table ?? "(unknown)"}".${col?.column ?? "(unknown)"}`,
+            hint: "Type changes may rewrite the table. Use add-column \u2192 backfill \u2192 swap \u2192 drop-column instead"
+          });
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-rename-column.ts
+var banRenameColumn2 = {
+  id: "ban-rename-column",
+  description: "Renaming a column may break existing clients",
+  create() {
+    return {
+      alter(node, ctx) {
+        const exprs = node.expr;
+        if (!exprs) return;
+        for (const expr of exprs) {
+          if (expr.action !== "rename" || expr.resource !== "column") continue;
+          const tables = node.table;
+          const oldCol = expr.old_column;
+          const newCol = expr.column;
+          ctx.report({
+            message: `Renaming column "${oldCol?.column ?? "(unknown)"}" to "${newCol?.column ?? "(unknown)"}" on "${tables?.[0]?.table ?? "(unknown)"}"`,
+            hint: "Column renames break existing queries and application code. Consider adding a new column and deprecating the old one"
+          });
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-rename-table.ts
+var banRenameTable2 = {
+  id: "ban-rename-table",
+  description: "Renaming a table may break existing clients",
+  create() {
+    return {
+      alter(node, ctx) {
+        const exprs = node.expr;
+        if (!exprs) return;
+        for (const expr of exprs) {
+          if (expr.action !== "rename" || expr.resource !== "table") continue;
+          const tables = node.table;
+          const newName = expr.table;
+          ctx.report({
+            message: `Renaming table "${tables?.[0]?.table ?? "(unknown)"}" to "${newName ?? "(unknown)"}"`,
+            hint: "Table renames break existing queries. Consider using a VIEW to alias the new name"
+          });
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-drop-table.ts
+var banDropTable2 = {
+  id: "ban-drop-table",
+  description: "DROP TABLE is irreversible and may break existing clients",
+  create() {
+    return {
+      drop(node, ctx) {
+        if (node.keyword !== "table") return;
+        const names = node.name;
+        const tableNames = names?.map((n) => n.table).filter(Boolean);
+        ctx.report({
+          message: `DROP TABLE${tableNames?.length ? ` "${tableNames.join('", "')}"` : ""}`,
+          hint: "DROP TABLE is irreversible. Ensure the table is no longer referenced by application code before dropping"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-update-without-where.ts
+var banUpdateWithoutWhere2 = {
+  id: "ban-update-without-where",
+  description: "UPDATE without WHERE affects all rows",
+  create() {
+    return {
+      update(node, ctx) {
+        if (node.where !== null && node.where !== void 0) return;
+        const tables = node.table;
+        ctx.report({
+          message: `UPDATE on "${tables?.[0]?.table ?? "(unknown)"}" without WHERE clause`,
+          hint: "Add a WHERE clause to limit affected rows"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-delete-without-where.ts
+var banDeleteWithoutWhere2 = {
+  id: "ban-delete-without-where",
+  description: "DELETE without WHERE affects all rows",
+  create() {
+    return {
+      delete(node, ctx) {
+        if (node.where !== null && node.where !== void 0) return;
+        const from = node.from;
+        ctx.report({
+          message: `DELETE on "${from?.[0]?.table ?? "(unknown)"}" without WHERE clause`,
+          hint: "Add a WHERE clause to limit affected rows"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-truncate.ts
+var banTruncate2 = {
+  id: "ban-truncate",
+  description: "TRUNCATE is irreversible",
+  create() {
+    return {
+      truncate(_node, ctx) {
+        ctx.report({
+          message: "TRUNCATE is not allowed in migrations",
+          hint: "Use DELETE with a WHERE clause, or manage data separately from schema migrations"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/adding-not-nullable-field.ts
+var addingNotNullableField2 = {
+  id: "adding-not-nullable-field",
+  description: "Adding a NOT NULL column requires a DEFAULT value",
+  create() {
+    return {
+      alter(node, ctx) {
+        const exprs = node.expr;
+        if (!exprs) return;
+        for (const expr of exprs) {
+          if (expr.action !== "add" || expr.resource !== "column") continue;
+          const nullable = expr.nullable;
+          const hasNotNull = nullable?.type === "not null";
+          const hasDefault = expr.default_val !== void 0 && expr.default_val !== null;
+          if (hasNotNull && !hasDefault) {
+            const col = expr.column;
+            ctx.report({
+              message: `Adding NOT NULL column "${col?.column ?? "(unknown)"}" without DEFAULT`,
+              hint: "Add a DEFAULT value or add the column as nullable first, then backfill, then set NOT NULL"
+            });
+          }
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/require-create-or-replace-view.ts
+var requireCreateOrReplaceView2 = {
+  id: "require-create-or-replace-view",
+  description: "CREATE VIEW should use CREATE OR REPLACE VIEW (or IF NOT EXISTS for SQLite)",
+  create() {
+    return {
+      create_view(node, ctx) {
+        if (node.replace) return;
+        if (node.if_not_exists) return;
+        const view = node.view;
+        ctx.report({
+          message: `CREATE VIEW ${view?.view ?? ""} without OR REPLACE / IF NOT EXISTS`,
+          hint: "Use CREATE OR REPLACE VIEW (MySQL) or CREATE VIEW IF NOT EXISTS (SQLite) for idempotent migrations"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-select-star-in-view.ts
+function hasSelectStar(select) {
+  const columns = select.columns;
+  if (!columns) return false;
+  for (const col of columns) {
+    const expr = col.expr;
+    if (expr?.column === "*") return true;
+  }
+  return false;
+}
+var banSelectStarInView2 = {
+  id: "ban-select-star-in-view",
+  description: "SELECT * in VIEW definitions makes schema changes unsafe",
+  create() {
+    return {
+      create_view(node, ctx) {
+        const select = node.select;
+        if (!select) return;
+        if (!hasSelectStar(select)) return;
+        const view = node.view;
+        ctx.report({
+          message: `SELECT * in VIEW "${view?.view ?? "(unknown)"}"`,
+          hint: "List columns explicitly \u2014 SELECT * breaks migrations when base table columns change"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/ban-drop-cascade.ts
+var CASCADE_RE = /\bDROP\s+(?:TABLE|INDEX|VIEW|SEQUENCE|FUNCTION|TRIGGER)\b[^;]*\bCASCADE\b/gi;
+var banDropCascade2 = {
+  id: "ban-drop-cascade",
+  description: "DROP ... CASCADE is dangerous \u2014 dependencies are silently dropped",
+  create() {
+    return {
+      _End(_node, ctx) {
+        CASCADE_RE.lastIndex = 0;
+        if (CASCADE_RE.test(ctx.rawSql)) {
+          ctx.report({
+            message: "DROP with CASCADE",
+            hint: "Avoid CASCADE \u2014 drop dependent objects explicitly to maintain traceability"
+          });
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/backfill-requires-where-clause.ts
+var backfillRequiresWhereClause2 = {
+  id: "backfill-requires-where-clause",
+  description: "Backfill phase UPDATE/DELETE must have WHERE clause",
+  applicablePhases: ["backfill"],
+  create() {
+    return {
+      update(node, ctx) {
+        if (node.where !== null && node.where !== void 0) return;
+        const tables = node.table;
+        ctx.report({
+          message: `UPDATE on "${tables?.[0]?.table ?? "(unknown)"}" without WHERE clause in backfill phase`,
+          hint: "Add a WHERE clause to batch backfill operations safely"
+        });
+      },
+      delete(node, ctx) {
+        if (node.where !== null && node.where !== void 0) return;
+        const from = node.from;
+        ctx.report({
+          message: `DELETE on "${from?.[0]?.table ?? "(unknown)"}" without WHERE clause in backfill phase`,
+          hint: "Add a WHERE clause to batch operations safely"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/backfill-ban-ddl.ts
+var backfillBanDdl2 = {
+  id: "backfill-ban-ddl",
+  description: "Backfill phase must not contain DDL statements",
+  applicablePhases: ["backfill"],
+  create() {
+    return {
+      create_table(_node, ctx) {
+        ctx.report({
+          message: "CREATE TABLE is not allowed in backfill phase",
+          hint: "DDL changes belong in the expand or contract phase, not backfill"
+        });
+      },
+      create_index(_node, ctx) {
+        ctx.report({
+          message: "CREATE INDEX is not allowed in backfill phase",
+          hint: "DDL changes belong in the expand phase, not backfill"
+        });
+      },
+      alter(_node, ctx) {
+        ctx.report({
+          message: "ALTER TABLE is not allowed in backfill phase",
+          hint: "DDL changes belong in the expand or contract phase, not backfill"
+        });
+      },
+      drop(_node, ctx) {
+        ctx.report({
+          message: "DROP is not allowed in backfill phase",
+          hint: "DDL changes belong in the contract phase, not backfill"
+        });
+      }
+    };
+  }
+};
+
+// src/generic/rules/contract-requires-allow-directive.ts
+var contractRequiresAllowDirective2 = {
+  id: "contract-requires-allow-directive",
+  description: "Contract phase DROP operations must have migraguard:allow directives",
+  applicablePhases: ["contract"],
+  create() {
+    return {
+      drop(node, ctx) {
+        const keyword = node.keyword;
+        if (keyword === "table" || keyword === "index") {
+          ctx.report({
+            message: "DROP statement in contract phase requires explicit migraguard:allow directive",
+            hint: 'Add "-- migraguard:allow ban-drop-table" or similar before this statement'
+          });
+        }
+      },
+      alter(node, ctx) {
+        const exprs = node.expr;
+        if (!exprs) return;
+        for (const expr of exprs) {
+          if (expr.action === "drop" && expr.resource === "column") {
+            ctx.report({
+              message: "ALTER TABLE DROP COLUMN in contract phase requires explicit migraguard:allow directive",
+              hint: 'Add "-- migraguard:allow ban-drop-column" before this statement'
+            });
+          }
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/expand-requires-idempotent-pattern.ts
+var expandRequiresIdempotentPattern2 = {
+  id: "expand-requires-idempotent-pattern",
+  description: "Expand phase must use idempotent patterns (IF NOT EXISTS)",
+  applicablePhases: ["expand"],
+  create() {
+    return {
+      create_table(node, ctx) {
+        if (!node.if_not_exists) {
+          const tables = node.table;
+          ctx.report({
+            message: `CREATE TABLE ${tables?.[0]?.table ?? ""} without IF NOT EXISTS in expand phase`,
+            hint: "Use CREATE TABLE IF NOT EXISTS for idempotent expand migrations"
+          });
+        }
+      },
+      create_index(node, ctx) {
+        if (!node.if_not_exists) {
+          const index = typeof node.index === "string" ? node.index : node.index?.name ?? "";
+          ctx.report({
+            message: `CREATE INDEX ${index} without IF NOT EXISTS in expand phase`,
+            hint: "Use CREATE INDEX IF NOT EXISTS for idempotent expand migrations"
+          });
+        }
+      }
+    };
+  }
+};
+
+// src/generic/rules/index.ts
+var ALL_GENERIC_RULES = [
+  requireIfNotExists2,
+  banDropColumn2,
+  banAlterColumnType2,
+  banRenameColumn2,
+  banRenameTable2,
+  banDropTable2,
+  banUpdateWithoutWhere2,
+  banDeleteWithoutWhere2,
+  banTruncate2,
+  addingNotNullableField2,
+  requireCreateOrReplaceView2,
+  banSelectStarInView2,
+  banDropCascade2,
+  backfillRequiresWhereClause2,
+  backfillBanDdl2,
+  contractRequiresAllowDirective2,
+  expandRequiresIdempotentPattern2
+];
 
 // src/commands/lint.ts
 async function loadCustomRules(config) {
@@ -3366,6 +4061,12 @@ function getSeverity(config, ruleId) {
   return config.lint.rules[ruleId] ?? "error";
 }
 async function commandLint(config) {
+  if (config.dialect !== "postgresql") {
+    return commandLintGeneric(config);
+  }
+  return commandLintPg(config);
+}
+async function commandLintPg(config) {
   const files = await scanMigrations(config);
   if (files.length === 0) {
     console.log(chalk.yellow("No migration files to lint."));
@@ -3399,12 +4100,64 @@ async function commandLint(config) {
     totalWarnings += fileWarnings;
     printViolations(f.fileName, violations);
   }
-  if (totalErrors > 0 || totalWarnings > 0) {
+  printSummary(files.length, totalErrors, totalWarnings);
+  return {
+    ok: totalErrors === 0,
+    filesLinted: files.length,
+    errors: totalErrors,
+    warnings: totalWarnings
+  };
+}
+async function commandLintGeneric(config) {
+  const dialect = config.dialect;
+  const files = await scanMigrations(config);
+  if (files.length === 0) {
+    console.log(chalk.yellow("No migration files to lint."));
+    return { ok: true, filesLinted: 0, errors: 0, warnings: 0 };
+  }
+  const activeRules = ALL_GENERIC_RULES.filter(
+    (r) => getSeverity(config, r.id) !== "off"
+  );
+  if (activeRules.length === 0) {
+    console.log(chalk.yellow("All lint rules are disabled."));
+    return { ok: true, filesLinted: files.length, errors: 0, warnings: 0 };
+  }
+  let totalErrors = 0;
+  let totalWarnings = 0;
+  for (const f of files) {
+    const sql = await readFile(f.filePath, "utf-8");
+    const fileRules = activeRules.filter((r) => {
+      if (!r.applicablePhases) return true;
+      if (!f.phase) return false;
+      return r.applicablePhases.includes(f.phase);
+    });
+    const raw = await runGenericRules(sql, fileRules, dialect);
+    if (raw.length === 0) continue;
+    const violations = raw.map((v) => ({
+      ...v,
+      severity: getSeverity(config, v.rule) === "warn" ? "warn" : "error"
+    }));
+    const fileErrors = violations.filter((v) => v.severity === "error").length;
+    const fileWarnings = violations.filter((v) => v.severity === "warn").length;
+    totalErrors += fileErrors;
+    totalWarnings += fileWarnings;
+    printViolations(f.fileName, violations);
+  }
+  printSummary(files.length, totalErrors, totalWarnings);
+  return {
+    ok: totalErrors === 0,
+    filesLinted: files.length,
+    errors: totalErrors,
+    warnings: totalWarnings
+  };
+}
+function printSummary(filesCount, errors, warnings) {
+  if (errors > 0 || warnings > 0) {
     const parts = [];
-    if (totalErrors > 0) parts.push(`${totalErrors} error(s)`);
-    if (totalWarnings > 0) parts.push(`${totalWarnings} warning(s)`);
+    if (errors > 0) parts.push(`${errors} error(s)`);
+    if (warnings > 0) parts.push(`${warnings} warning(s)`);
     const summary = parts.join(", ");
-    if (totalErrors > 0) {
+    if (errors > 0) {
       console.error(chalk.red(`
 Lint failed: ${summary}.`));
     } else {
@@ -3412,14 +4165,8 @@ Lint failed: ${summary}.`));
 Lint: ${summary}.`));
     }
   } else {
-    console.log(chalk.green(`\u2713 ${files.length} file(s) passed lint.`));
+    console.log(chalk.green(`\u2713 ${filesCount} file(s) passed lint.`));
   }
-  return {
-    ok: totalErrors === 0,
-    filesLinted: files.length,
-    errors: totalErrors,
-    warnings: totalWarnings
-  };
 }
 function printViolations(fileName, violations) {
   console.error(chalk.red(`