migraguard 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/cli-contract.yaml +245 -16
  2. package/dist/cli.js +188 -52
  3. package/dist/cli.js.map +1 -1
  4. package/dist/index.d.ts +4 -0
  5. package/dist/index.js +38 -0
  6. package/dist/index.js.map +1 -1
  7. package/docs/cli-reference.md +443 -25
  8. package/package.json +2 -2
package/cli-contract.yaml CHANGED
@@ -77,9 +77,16 @@ commandSets:
77
77
  type: boolean
78
78
  default: false
79
79
 
80
+ - name: dry-run
81
+ aliases: [n]
82
+ description: Show what would be created without writing files.
83
+ schema:
84
+ type: boolean
85
+ default: false
86
+
80
87
  exits:
81
88
  '0':
82
- description: Migration file (or group directory) created successfully.
89
+ description: Migration file (or group directory) created successfully (or dry-run preview completed).
83
90
  stdout:
84
91
  format: text
85
92
  files:
@@ -105,6 +112,10 @@ commandSets:
105
112
  idempotent: false
106
113
  sideEffects:
107
114
  - file_write
115
+ sideEffectNote: Creates migration SQL file(s) in the configured migrations directory.
116
+ safeDryRunOption: dry-run
117
+ expectedDurationMs: 1000
118
+ retryableExitCodes: []
108
119
 
109
120
  # ── apply ────────────────────────────────────────
110
121
  apply:
@@ -168,7 +179,12 @@ commandSets:
168
179
  requires writing a compensating migration or restoring from backup.
169
180
  sideEffects:
170
181
  - database_write
182
+ sideEffectNote: >-
183
+ Executes SQL via native CLI and records results in schema_migrations.
184
+ Uses advisory lock to prevent concurrent execution.
171
185
  safeDryRunOption: dry-run
186
+ expectedDurationMs: 60000
187
+ retryableExitCodes: []
172
188
  recommendedBeforeUse:
173
189
  - Run migraguard check to verify metadata integrity.
174
190
  - Run migraguard lint to check for unsafe DDL patterns.
@@ -192,6 +208,11 @@ commandSets:
192
208
  format: text
193
209
 
194
210
  '1':
211
+ description: Unexpected error (file read failure, parse error).
212
+ stderr:
213
+ format: text
214
+
215
+ '10':
195
216
  description: Integrity check failed (tampered, missing, or extra files).
196
217
  stderr:
197
218
  format: text
@@ -201,6 +222,9 @@ commandSets:
201
222
  requiresConfirmation: false
202
223
  idempotent: true
203
224
  sideEffects: []
225
+ sideEffectNote: Read-only. Compares metadata.json against files on disk.
226
+ expectedDurationMs: 2000
227
+ retryableExitCodes: []
204
228
 
205
229
  # ── squash ───────────────────────────────────────
206
230
  squash:
@@ -211,6 +235,15 @@ commandSets:
211
235
  recovery and hotfix workflows. Original migration files are deleted.
212
236
  usage:
213
237
  - migraguard squash
238
+ - migraguard squash --dry-run
239
+
240
+ options:
241
+ - name: dry-run
242
+ aliases: [n]
243
+ description: Show what would be squashed without writing files.
244
+ schema:
245
+ type: boolean
246
+ default: false
214
247
 
215
248
  exits:
216
249
  '0':
@@ -240,6 +273,12 @@ commandSets:
240
273
  sideEffects:
241
274
  - file_write
242
275
  - file_delete
276
+ sideEffectNote: >-
277
+ Merges migration files into one and deletes originals.
278
+ Updates metadata.json.
279
+ safeDryRunOption: dry-run
280
+ expectedDurationMs: 3000
281
+ retryableExitCodes: []
243
282
  recommendedBeforeUse:
244
283
  - Ensure all pending files are ready for release.
245
284
  - Confirm no uncommitted changes to migration files.
@@ -290,6 +329,9 @@ commandSets:
290
329
  requiresConfirmation: false
291
330
  idempotent: true
292
331
  sideEffects: []
332
+ sideEffectNote: Read-only. Scans migration files against safety rules.
333
+ expectedDurationMs: 3000
334
+ retryableExitCodes: []
293
335
 
294
336
  # ── dump ─────────────────────────────────────────
295
337
  dump:
@@ -325,6 +367,11 @@ commandSets:
325
367
  sideEffects:
326
368
  - database_read
327
369
  - file_write
370
+ sideEffectNote: >-
371
+ Reads DB schema via pg_dump/mysqldump and writes normalized
372
+ output to schema.sql.
373
+ expectedDurationMs: 10000
374
+ retryableExitCodes: [1]
328
375
 
329
376
  # ── diff ─────────────────────────────────────────
330
377
  diff:
@@ -369,6 +416,11 @@ commandSets:
369
416
  idempotent: true
370
417
  sideEffects:
371
418
  - database_read
419
+ sideEffectNote: >-
420
+ Reads DB schema via pg_dump/mysqldump and compares with
421
+ saved schema.sql. No writes.
422
+ expectedDurationMs: 10000
423
+ retryableExitCodes: [1]
372
424
 
373
425
  # ── status ───────────────────────────────────────
374
426
  status:
@@ -406,6 +458,9 @@ commandSets:
406
458
  idempotent: true
407
459
  sideEffects:
408
460
  - database_read
461
+ sideEffectNote: Reads schema_migrations table and compares with local files.
462
+ expectedDurationMs: 5000
463
+ retryableExitCodes: [1]
409
464
 
410
465
  # ── resolve ──────────────────────────────────────
411
466
  resolve:
@@ -417,6 +472,7 @@ commandSets:
417
472
  addressed by other means.
418
473
  usage:
419
474
  - migraguard resolve 20260301_120000__create_users_table.sql
475
+ - migraguard resolve --dry-run 20260301_120000__create_users_table.sql
420
476
 
421
477
  arguments:
422
478
  - name: file
@@ -426,6 +482,14 @@ commandSets:
426
482
  schema:
427
483
  type: string
428
484
 
485
+ options:
486
+ - name: dry-run
487
+ aliases: [n]
488
+ description: Show what would be resolved without writing to DB.
489
+ schema:
490
+ type: boolean
491
+ default: false
492
+
429
493
  exits:
430
494
  '0':
431
495
  description: Migration marked as skipped.
@@ -447,6 +511,10 @@ commandSets:
447
511
  Re-apply the migration manually if needed.
448
512
  sideEffects:
449
513
  - database_write
514
+ sideEffectNote: Inserts a 'skipped' record into schema_migrations for the given file.
515
+ safeDryRunOption: dry-run
516
+ expectedDurationMs: 3000
517
+ retryableExitCodes: [1]
450
518
  recommendedBeforeUse:
451
519
  - Verify that the failure has been addressed by a subsequent migration or manual fix.
452
520
  - Run migraguard status to confirm the file is in failed state.
@@ -476,6 +544,9 @@ commandSets:
476
544
  requiresConfirmation: false
477
545
  idempotent: true
478
546
  sideEffects: []
547
+ sideEffectNote: Read-only. Lists leaf/latest migration files from metadata.
548
+ expectedDurationMs: 1000
549
+ retryableExitCodes: []
479
550
 
480
551
  # ── verify ───────────────────────────────────────
481
552
  verify:
@@ -512,7 +583,14 @@ commandSets:
512
583
  format: '{options.format}'
513
584
 
514
585
  '1':
586
+ description: Unexpected error (connection error, file parse failure).
587
+ stderr:
588
+ format: text
589
+
590
+ '10':
515
591
  description: One or more migrations failed idempotency verification.
592
+ stdout:
593
+ format: '{options.format}'
516
594
  stderr:
517
595
  format: text
518
596
 
@@ -523,6 +601,11 @@ commandSets:
523
601
  sideEffects:
524
602
  - database_read
525
603
  - database_write
604
+ sideEffectNote: >-
605
+ Creates and destroys a temporary shadow database to verify
606
+ idempotency. Does not modify the primary database.
607
+ expectedDurationMs: 60000
608
+ retryableExitCodes: [1]
526
609
  recommendedBeforeUse:
527
610
  - Ensure the database server is running and accessible.
528
611
 
@@ -562,6 +645,9 @@ commandSets:
562
645
  requiresConfirmation: false
563
646
  idempotent: true
564
647
  sideEffects: []
648
+ sideEffectNote: Read-only. Derives group state from schema_migrations records.
649
+ expectedDurationMs: 3000
650
+ retryableExitCodes: [1]
565
651
 
566
652
  # ── baseline ─────────────────────────────────────
567
653
  baseline:
@@ -573,6 +659,7 @@ commandSets:
573
659
  usage:
574
660
  - migraguard baseline
575
661
  - migraguard baseline --keep-since 20260301_120000__create_users_table.sql
662
+ - migraguard baseline --dry-run
576
663
 
577
664
  options:
578
665
  - name: keep-since
@@ -582,9 +669,16 @@ commandSets:
582
669
  schema:
583
670
  type: string
584
671
 
672
+ - name: dry-run
673
+ aliases: [n]
674
+ description: Show what would be baselined without writing files.
675
+ schema:
676
+ type: boolean
677
+ default: false
678
+
585
679
  exits:
586
680
  '0':
587
- description: Baseline created successfully.
681
+ description: Baseline created successfully (or dry-run preview completed).
588
682
  stdout:
589
683
  format: text
590
684
 
@@ -604,6 +698,12 @@ commandSets:
604
698
  sideEffects:
605
699
  - file_write
606
700
  - file_delete
701
+ sideEffectNote: >-
702
+ Dumps current DB schema to schema.sql, deletes squashed migration
703
+ files, updates metadata.json, and rewrites depends-on references.
704
+ safeDryRunOption: dry-run
705
+ expectedDurationMs: 30000
706
+ retryableExitCodes: []
607
707
  recommendedBeforeUse:
608
708
  - Ensure all migrations have been applied to all environments.
609
709
  - Back up migration files before running.
@@ -650,9 +750,16 @@ commandSets:
650
750
  schema:
651
751
  type: string
652
752
 
753
+ - name: dry-run
754
+ aliases: [n]
755
+ description: Show what would be recorded without writing to DB.
756
+ schema:
757
+ type: boolean
758
+ default: false
759
+
653
760
  exits:
654
761
  '0':
655
- description: Phase state transition recorded.
762
+ description: Phase state transition recorded (or dry-run preview completed).
656
763
  stdout:
657
764
  format: text
658
765
 
@@ -673,6 +780,10 @@ commandSets:
673
780
  status value to manually correct, or reset group state in the database.
674
781
  sideEffects:
675
782
  - database_write
783
+ sideEffectNote: Inserts a phase state transition record into schema_migrations.
784
+ safeDryRunOption: dry-run
785
+ expectedDurationMs: 5000
786
+ retryableExitCodes: [1]
676
787
  recommendedBeforeUse:
677
788
  - Run migraguard group-status <group> to verify current phase state before advancing.
678
789
 
@@ -710,9 +821,16 @@ commandSets:
710
821
  schema:
711
822
  type: string
712
823
 
824
+ - name: dry-run
825
+ aliases: [n]
826
+ description: Show what would be applied without executing SQL.
827
+ schema:
828
+ type: boolean
829
+ default: false
830
+
713
831
  exits:
714
832
  '0':
715
- description: Phase applied successfully.
833
+ description: Phase applied successfully (or dry-run preview completed).
716
834
  stdout:
717
835
  format: text
718
836
 
@@ -733,6 +851,12 @@ commandSets:
733
851
  migration or restore from backup if rollback is needed.
734
852
  sideEffects:
735
853
  - database_write
854
+ sideEffectNote: >-
855
+ Executes a phase SQL file via native CLI and records the
856
+ result in schema_migrations. Uses advisory lock.
857
+ safeDryRunOption: dry-run
858
+ expectedDurationMs: 30000
859
+ retryableExitCodes: []
736
860
  recommendedBeforeUse:
737
861
  - Run migraguard group-status to verify current phase state.
738
862
 
@@ -790,6 +914,11 @@ commandSets:
790
914
  format: text
791
915
 
792
916
  '1':
917
+ description: Unexpected error (connection error, invalid condition syntax).
918
+ stderr:
919
+ format: text
920
+
921
+ '10':
793
922
  description: One or more gate conditions not satisfied.
794
923
  stderr:
795
924
  format: text
@@ -799,6 +928,9 @@ commandSets:
799
928
  requiresConfirmation: false
800
929
  idempotent: true
801
930
  sideEffects: []
931
+ sideEffectNote: Read-only. Evaluates gate conditions against schema_migrations state.
932
+ expectedDurationMs: 5000
933
+ retryableExitCodes: [1]
802
934
 
803
935
  # ── deps ─────────────────────────────────────────
804
936
  deps:
@@ -845,6 +977,11 @@ commandSets:
845
977
  idempotent: true
846
978
  sideEffects:
847
979
  - file_write
980
+ sideEffectNote: >-
981
+ Reads migration files and outputs dependency graph.
982
+ Writes HTML file only when --html is specified.
983
+ expectedDurationMs: 3000
984
+ retryableExitCodes: []
848
985
 
849
986
  # ── audit ─────────────────────────────────────────
850
987
  audit:
@@ -900,13 +1037,24 @@ commandSets:
900
1037
  enum: [warning, error, critical]
901
1038
  default: error
902
1039
 
1040
+ - name: output
1041
+ aliases: [o]
1042
+ description: Write result to a file instead of stdout.
1043
+ valueName: file
1044
+ schema:
1045
+ type: string
1046
+ file:
1047
+ mode: write
1048
+ mediaType: application/json
1049
+ encoding: utf-8
1050
+
903
1051
  - name: report-format
904
1052
  description: Output format for the audit report.
905
1053
  valueName: fmt
906
1054
  schema:
907
1055
  type: string
908
- enum: [text, json]
909
- default: text
1056
+ enum: [json, text, yaml]
1057
+ default: json
910
1058
 
911
1059
  exits:
912
1060
  '0':
@@ -947,9 +1095,13 @@ commandSets:
947
1095
  riskLevel: low
948
1096
  requiresConfirmation: false
949
1097
  idempotent: true
950
- sideEffects:
951
- - network
1098
+ sideEffects: [network]
1099
+ sideEffectNote: >-
1100
+ Network calls to LLM provider when adapter is not mock.
1101
+ Filesystem write only when --output is specified.
952
1102
  safeDryRunOption: dry-run
1103
+ expectedDurationMs: 120000
1104
+ retryableExitCodes: [12]
953
1105
 
954
1106
  # ── propose-expand-contract ───────────────────────
955
1107
  propose-expand-contract:
@@ -1005,11 +1157,38 @@ commandSets:
1005
1157
  type: boolean
1006
1158
  default: false
1007
1159
 
1160
+ - name: fail-on
1161
+ description: Minimum severity that causes a non-zero exit.
1162
+ valueName: level
1163
+ schema:
1164
+ type: string
1165
+ enum: [warning, error, critical]
1166
+ default: error
1167
+
1168
+ - name: output
1169
+ aliases: [o]
1170
+ description: Write result to a file instead of stdout.
1171
+ valueName: file
1172
+ schema:
1173
+ type: string
1174
+ file:
1175
+ mode: write
1176
+ mediaType: application/json
1177
+ encoding: utf-8
1178
+
1179
+ - name: report-format
1180
+ description: Output format for the proposal report.
1181
+ valueName: fmt
1182
+ schema:
1183
+ type: string
1184
+ enum: [json, text, yaml]
1185
+ default: json
1186
+
1008
1187
  exits:
1009
1188
  '0':
1010
1189
  description: Proposal generated successfully.
1011
1190
  stdout:
1012
- format: json
1191
+ format: '{options.report-format}'
1013
1192
  schema:
1014
1193
  $ref: '#/components/schemas/ExpandContractProposal'
1015
1194
 
@@ -1023,6 +1202,13 @@ commandSets:
1023
1202
  stderr:
1024
1203
  format: text
1025
1204
 
1205
+ '10':
1206
+ description: Completed with blocking findings.
1207
+ stdout:
1208
+ format: '{options.report-format}'
1209
+ schema:
1210
+ $ref: '#/components/schemas/ExpandContractProposal'
1211
+
1026
1212
  '11':
1027
1213
  description: Runtime dependency missing (agent-contracts-runtime).
1028
1214
  stderr:
@@ -1037,10 +1223,13 @@ commandSets:
1037
1223
  riskLevel: low
1038
1224
  requiresConfirmation: false
1039
1225
  idempotent: true
1040
- sideEffects:
1041
- - network
1042
- - file_write
1226
+ sideEffects: [network, file_write]
1227
+ sideEffectNote: >-
1228
+ Network calls to LLM provider when adapter is not mock.
1229
+ Filesystem write when --output or --output-dir is specified.
1043
1230
  safeDryRunOption: dry-run
1231
+ expectedDurationMs: 120000
1232
+ retryableExitCodes: [12]
1044
1233
 
1045
1234
  # ── explain ───────────────────────────────────────
1046
1235
  explain:
@@ -1084,11 +1273,38 @@ commandSets:
1084
1273
  type: boolean
1085
1274
  default: false
1086
1275
 
1276
+ - name: fail-on
1277
+ description: Minimum severity that causes a non-zero exit.
1278
+ valueName: level
1279
+ schema:
1280
+ type: string
1281
+ enum: [warning, error, critical]
1282
+ default: error
1283
+
1284
+ - name: output
1285
+ aliases: [o]
1286
+ description: Write result to a file instead of stdout.
1287
+ valueName: file
1288
+ schema:
1289
+ type: string
1290
+ file:
1291
+ mode: write
1292
+ mediaType: application/json
1293
+ encoding: utf-8
1294
+
1295
+ - name: report-format
1296
+ description: Output format for the explanation report.
1297
+ valueName: fmt
1298
+ schema:
1299
+ type: string
1300
+ enum: [json, text, yaml]
1301
+ default: json
1302
+
1087
1303
  exits:
1088
1304
  '0':
1089
1305
  description: Explanation generated.
1090
1306
  stdout:
1091
- format: json
1307
+ format: '{options.report-format}'
1092
1308
  schema:
1093
1309
  $ref: '#/components/schemas/ExplainResult'
1094
1310
 
@@ -1102,6 +1318,13 @@ commandSets:
1102
1318
  stderr:
1103
1319
  format: text
1104
1320
 
1321
+ '10':
1322
+ description: Completed with blocking findings.
1323
+ stdout:
1324
+ format: '{options.report-format}'
1325
+ schema:
1326
+ $ref: '#/components/schemas/ExplainResult'
1327
+
1105
1328
  '11':
1106
1329
  description: Runtime dependency missing (agent-contracts-runtime).
1107
1330
  stderr:
@@ -1116,14 +1339,20 @@ commandSets:
1116
1339
  riskLevel: low
1117
1340
  requiresConfirmation: false
1118
1341
  idempotent: true
1119
- sideEffects:
1120
- - network
1342
+ sideEffects: [network]
1343
+ sideEffectNote: >-
1344
+ Network calls to LLM provider when adapter is not mock.
1345
+ Filesystem write only when --output is specified.
1121
1346
  safeDryRunOption: dry-run
1347
+ expectedDurationMs: 120000
1348
+ retryableExitCodes: [12]
1122
1349
 
1123
1350
  components:
1124
1351
  schemas:
1125
1352
  # ── AI Agent Interoperability Schemas (SSoT) ─────────
1126
1353
 
1354
+ # Conforms to agent-contracts dsl_base/components.yaml#/schemas/agent-evidence.
1355
+ # Canonical property names are kind/target/location/excerpt (NOT type/content/source).
1127
1356
  AgentEvidence:
1128
1357
  type: object
1129
1358
  description: Evidence supporting an agent finding.
@@ -1300,7 +1529,7 @@ components:
1300
1529
  description: >-
1301
1530
  Result from explain command. Contains a human-readable explanation
1302
1531
  of another command's output, suitable for PR comments or release decisions.
1303
- required: [summary, riskLevel, explanation]
1532
+ required: [summary, riskLevel, findings, explanation]
1304
1533
  properties:
1305
1534
  summary:
1306
1535
  type: string