Harden analyzer trust and release guardrails

README.md

@@ -402,11 +402,13 @@ ALTER TABLE users DROP CONSTRAINT chk_email_verified;
 
 ### GitHub Actions
 
+Use a concrete migration path here. The Action does not shell-expand globs, so `migrations/*.sql` belongs in a `run:` step instead.
+
 ```yaml
 - name: Check migration safety
   uses: flvmnt/pgfence@v1
   with:
-    path: migrations/*.sql
+    path: migrations/add-users.sql
     max-risk: medium
 ```
 
@@ -415,7 +417,7 @@ ALTER TABLE users DROP CONSTRAINT chk_email_verified;
 ```yaml
 - name: Analyze migrations
   run: |
-    npx pgfence analyze --output github migrations/*.sql > pgfence-report.md
+    npx @flvmnt/pgfence analyze --output github migrations/*.sql > pgfence-report.md
 - name: Comment on PR
   uses: marocchino/sticky-pull-request-comment@v2
   with:

action.yml

@@ -38,7 +38,14 @@ runs:
         INPUT_DB_URL: ${{ inputs.db-url }}
         INPUT_STATS_FILE: ${{ inputs.stats-file }}
       run: |
-        ARGS=("$INPUT_PATH" "--ci" "--max-risk" "$INPUT_MAX_RISK")
+        shopt -s nullglob
+        FILES=($INPUT_PATH)
+        if [ "${#FILES[@]}" -eq 0 ]; then
+          echo "No files matched path: $INPUT_PATH"
+          exit 1
+        fi
+
+        ARGS=("${FILES[@]}" "--ci" "--max-risk" "$INPUT_MAX_RISK")
         if [ "$INPUT_FORMAT" != "auto" ]; then
           ARGS+=("--format" "$INPUT_FORMAT")
         fi

package.json

@@ -17,7 +17,9 @@
   },
   "scripts": {
     "dev": "tsx watch src/index.ts",
-    "build": "tsc",
+    "clean": "node -e \"require('node:fs').rmSync('dist', { recursive: true, force: true })\"",
+    "build": "pnpm clean && tsc",
+    "prepack": "pnpm build",
     "test": "vitest run tests/",
     "test:watch": "vitest tests/",
     "lint": "eslint src/ tests/",

scripts/check-public-boundaries.sh

@@ -39,7 +39,15 @@ fi
 PACK_JSON=$(npm pack --dry-run --json)
 
 PACK_JSON="$PACK_JSON" node <<'NODE'
-const pack = JSON.parse(process.env.PACK_JSON ?? '[]');
+function parsePackJson(raw) {
+  const jsonStart = raw.search(/\[\s*{/s);
+  if (jsonStart === -1) {
+    throw new Error('npm pack --json did not emit a JSON payload');
+  }
+  return JSON.parse(raw.slice(jsonStart));
+}
+
+const pack = parsePackJson(process.env.PACK_JSON ?? '[]');
 const files = pack.flatMap((entry) => entry.files ?? []).map((file) => file.path);
 const forbidden = files.filter((file) => /^(src\/cloud\/|src\/agent\/|dist\/cloud\/|dist\/agent\/|tests\/cloud\/)/.test(file));
 if (forbidden.length > 0) {
@@ -55,6 +63,31 @@ if (missing.length > 0) {
   for (const file of missing) console.error(file);
   process.exit(1);
 }
+
+const { execSync } = require('node:child_process');
+const trackedSources = new Set(
+  execSync('git ls-files src', { encoding: 'utf8' })
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.endsWith('.ts')),
+);
+
+const distArtifacts = files.filter((file) => /^dist\/.+\.(?:js|js\.map|d\.ts|d\.ts\.map)$/.test(file));
+const orphanArtifacts = distArtifacts.filter((file) => {
+  const sourcePath = file
+    .replace(/^dist\//, 'src/')
+    .replace(/\.d\.ts\.map$/, '.ts')
+    .replace(/\.d\.ts$/, '.ts')
+    .replace(/\.js\.map$/, '.ts')
+    .replace(/\.js$/, '.ts');
+  return !trackedSources.has(sourcePath);
+});
+
+if (orphanArtifacts.length > 0) {
+  console.error('ERROR: npm package contains dist artifacts without tracked source files:');
+  for (const file of orphanArtifacts) console.error(file);
+  process.exit(1);
+}
 NODE
 
 echo "Public repo boundaries look good."

src/analyzer.ts

@@ -285,7 +285,7 @@ export function applyRules(
   results.push(...checkBestPractices(stmt));
   results.push(...checkPreferRobustStmts(stmt));
   results.push(...checkAlterEnum(stmt, config));
-  results.push(...checkReindex(stmt));
+  results.push(...checkReindex(stmt, config.minPostgresVersion));
   results.push(...checkRefreshMatView(stmt));
   results.push(...checkTrigger(stmt));
   results.push(...checkPartition(stmt, config));

src/extractors/typeorm.ts

@@ -111,6 +111,7 @@ export async function extractTypeORMSQLFromSource(
             line: loc.line,
             column: loc.column,
             message: `TypeORM builder API detected (${upInfo.paramName}.${methodName}) -- pgfence can only analyze ${upInfo.paramName}.query() raw SQL calls`,
+            unanalyzable: true,
           });
           return;
         }

src/init.ts

@@ -1,6 +1,10 @@
 import { existsSync } from 'node:fs';
-import { mkdir, writeFile, chmod } from 'node:fs/promises';
-import { join } from 'node:path';
+import { chmod, mkdir, readFile, writeFile } from 'node:fs/promises';
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { join, resolve } from 'node:path';
+
+const execFileAsync = promisify(execFile);
 
 const PRE_COMMIT_HOOK_CONTENT = `#!/bin/sh
 # pgfence pre-commit hook
@@ -25,50 +29,54 @@ fi
 `;
 
 export async function installHooks(): Promise<void> {
-    const cwd = process.cwd();
-    const huskyPath = join(cwd, '.husky');
-    const gitHooksPath = join(cwd, '.git', 'hooks');
+  const cwd = process.cwd();
+  const huskyPath = join(cwd, '.husky');
 
-    let targetDir: string;
-    let usingHusky = false;
+  let targetDir: string;
+  let usingHusky = false;
 
-    if (existsSync(huskyPath)) {
-        targetDir = huskyPath;
-        usingHusky = true;
-    } else if (existsSync(join(cwd, '.git'))) {
-        if (!existsSync(gitHooksPath)) {
-            await mkdir(gitHooksPath, { recursive: true });
-        }
-        targetDir = gitHooksPath;
-    } else {
-        throw new Error('Neither .husky nor .git directory found. Are you in a git repository?');
+  if (existsSync(huskyPath)) {
+    targetDir = huskyPath;
+    usingHusky = true;
+  } else {
+    try {
+      const { stdout } = await execFileAsync('git', ['rev-parse', '--git-path', 'hooks'], { cwd });
+      targetDir = resolve(cwd, stdout.trim());
+      if (!targetDir) {
+        throw new Error('git did not return a hooks directory');
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new Error(`Neither .husky nor a git hooks directory could be resolved. Are you in a git repository? ${message}`);
     }
+  }
 
-    const hookFile = join(targetDir, 'pre-commit');
+  const hookFile = join(targetDir, 'pre-commit');
 
-    let existingContent = '';
-    try {
-        const { readFile } = await import('node:fs/promises');
-        existingContent = await readFile(hookFile, 'utf8');
-    } catch (err: unknown) {
-        const error = err as { code?: string };
-        if (error.code !== 'ENOENT') throw err;
-    }
+  let existingContent = '';
+  try {
+    existingContent = await readFile(hookFile, 'utf8');
+  } catch (err: unknown) {
+    const error = err as { code?: string };
+    if (error.code !== 'ENOENT') throw err;
+  }
 
-    if (existingContent.includes('pgfence analyze')) {
-        console.log(`✅ pgfence pre-commit hook is already installed in ${targetDir}`);
-        return;
-    }
+  if (existingContent.includes('pgfence analyze')) {
+    console.log(`✅ pgfence pre-commit hook is already installed in ${targetDir}`);
+    return;
+  }
 
-    const newContent = existingContent
-        ? existingContent + '\n' + PRE_COMMIT_HOOK_CONTENT.replace('#!/bin/sh\n', '')
-        : PRE_COMMIT_HOOK_CONTENT;
+  const existingBody = existingContent.replace(/^#![^\n]*\n?/, '');
+  const newContent = existingBody
+    ? `${PRE_COMMIT_HOOK_CONTENT}\n# Existing pre-commit hook preserved below\n${existingBody}`
+    : PRE_COMMIT_HOOK_CONTENT;
 
-    await writeFile(hookFile, newContent);
-    await chmod(hookFile, '755');
+  await mkdir(targetDir, { recursive: true });
+  await writeFile(hookFile, newContent);
+  await chmod(hookFile, '755');
 
-    console.log(`✅ pgfence pre-commit hook installed successfully in ${targetDir}`);
-    if (usingHusky) {
-        console.log('💡 Note: You are using husky. Ensure husky is installed and enabled.');
-    }
+  console.log(`✅ pgfence pre-commit hook installed successfully in ${targetDir}`);
+  if (usingHusky) {
+    console.log('💡 Note: You are using husky. Ensure husky is installed and enabled.');
+  }
 }

src/lsp/code-actions.ts

@@ -55,6 +55,51 @@ function isExecutableSafeRewrite(safeRewrite: SafeRewrite): boolean {
   return hasExecutableStep;
 }
 
+function statementStartInsertPos(text: string, startOffset: number): Position {
+  const startPos = offsetToPosition(text, startOffset);
+  const startChar = text.charCodeAt(startOffset);
+  if (startChar === 10 || startChar === 13) {
+    return Position.create(startPos.line + 1, 0);
+  }
+  return Position.create(startPos.line, 0);
+}
+
+function rangesEqual(
+  left: { start: { line: number; character: number }; end: { line: number; character: number } },
+  right: { start: { line: number; character: number }; end: { line: number; character: number } },
+): boolean {
+  return (
+    left.start.line === right.start.line &&
+    left.start.character === right.start.character &&
+    left.end.line === right.end.line &&
+    left.end.character === right.end.character
+  );
+}
+
+function getPolicyIgnoreInsertPos(
+  analysis: AnalyzeTextResult,
+  diagnostic: CodeActionParams['context']['diagnostics'][number],
+  text: string,
+): Position {
+  for (let i = 0; i < analysis.policyViolations.length; i++) {
+    const violation = analysis.policyViolations[i];
+    if (violation.ruleId !== diagnostic.code) continue;
+
+    const sourceRange = analysis.policySourceRanges[i];
+    if (!sourceRange) {
+      return Position.create(0, 0);
+    }
+
+    const startPos = offsetToPosition(text, sourceRange.startOffset);
+    const endPos = offsetToPosition(text, sourceRange.endOffset);
+    if (!rangesEqual({ start: startPos, end: endPos }, diagnostic.range)) continue;
+
+    return statementStartInsertPos(text, sourceRange.startOffset);
+  }
+
+  return Position.create(0, 0);
+}
+
 /**
  * Generate code actions for diagnostics in the requested range.
  */
@@ -108,8 +153,7 @@ export function getCodeActions(
       }
 
       // 2. Ignore this rule for this statement
-      const ignoreLine = startPos.line;
-      const ignoreInsertPos = Position.create(ignoreLine, 0);
+      const ignoreInsertPos = statementStartInsertPos(text, range.startOffset);
       actions.push({
         title: `pgfence-ignore: ${check.ruleId}`,
         kind: CodeActionKind.QuickFix,
@@ -131,6 +175,7 @@ export function getCodeActions(
     if (!matchedCheck) {
       for (const violation of analysis.policyViolations) {
         if (violation.ruleId !== ruleId) continue;
+        const ignoreInsertPos = getPolicyIgnoreInsertPos(analysis, diagnostic, text);
 
         actions.push({
           title: `pgfence-ignore: ${violation.ruleId}`,
@@ -139,7 +184,7 @@ export function getCodeActions(
           edit: {
             changes: {
               [params.textDocument.uri]: [
-                TextEdit.insert(Position.create(0, 0), `-- pgfence-ignore: ${violation.ruleId}\n`),
+                TextEdit.insert(ignoreInsertPos, `-- pgfence-ignore: ${violation.ruleId}\n`),
               ],
             },
           },

src/plugins.ts

@@ -11,7 +11,7 @@ import { pathToFileURL } from 'node:url';
 import type { ParsedStatement } from './parser.js';
 import type { CheckResult, ExtractionWarning, PgfenceConfig, PolicyViolation } from './types.js';
 
-const ALLOWED_PLUGIN_EXTENSIONS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts']);
+const ALLOWED_PLUGIN_EXTENSIONS = new Set(['.js', '.mjs', '.cjs']);
 
 function isWithinRoot(root: string, candidate: string): boolean {
   const relative = path.relative(root, candidate);