
v0.9.0


@Goldziher Goldziher released this 14 Jun 11:11
v0.9.0
e1ca1f6

Highlights

  • scythe lint now runs the canonical audit rule packs by default, dialect-gated by the configured [[sql]].engine. Rules whose dialects list excludes the engine are silently skipped, so a mysql project does not see postgres-only SC-MIG* findings. No CLI flag is needed: the rules ship in default_registry() and respect the existing [lint] severity overrides.
  • New scythe-audit pre-commit hook published via .pre-commit-hooks.yaml. Runs the SC-SEC*/SC-RLS*/SC-MIG*/SC-CHK* packs over staged .sql files without requiring a scythe.toml. Defaults to postgres; override per-hook with args: [--dialect, mysql].
  • Three new audit rule packs land in this release:
    • Row Level Security — SC-RLS01 policy-references-user-metadata, SC-RLS02 policy-always-permissive, SC-RLS03 policy-uses-uncached-auth-function. Walks CreatePolicy.using / .with_check typed Expr ASTs; SC-RLS03 stops at Expr::Subquery boundaries (the safe form).
    • CHECK quality — SC-CHK01 check-constraint-always-true. Catches column-level, table-level, and ALTER TABLE ADD CONSTRAINT CHECKs whose expression is a tautology (true, 1 = 1, NULL, or parenthesised variants). Lives in a new Antipattern category.
    • Splinter-inspired security/migration ports — SC-SEC12 function-search-path-mutable, SC-MIG19 unsupported-reg-types. The detection logic consists of clean-room reimplementations against sqlparser ASTs (splinter has no LICENSE file; ATTRIBUTIONS.md documents the courtesy attribution).
  • Migration safety rule pack extended from SC-MIG01..05 to SC-MIG01..19, covering NULL-contract integrity, column-type preferences, constraint-lock hazards, and reg* OID type bans alongside the original DDL hazards.
  • Oracle bindings upgraded to sibyl 0.7. The codegen emitter was rewritten for sibyl 0.7's API breaks: sibyl::prelude removed, Varchar::as_str() no longer returns Result, Date::timestamp() replaced with a date_and_time() tuple + chrono. The integration test enables the ["tokio", "nonblocking"] features because sibyl 0.7's impl Debug for LOB requires one of those cfgs to compile at all. Trade-off: decimal → f64 in the Oracle manifest because sibyl 0.7 has no ToSql/FromSql for rust_decimal::Decimal.
  • sqlx 0.8 → 0.9 in the Rust integration test crates. sqlx 0.9 tightened raw_sql/query to require SqlSafeStr; templates wrap runtime strings with sqlx::AssertSqlSafe.
  • Five test_engines codegen test failures resolved. MSSQL DATETIMEOFFSET → datetime_tz, Redshift SUPER → json, Oracle NUMBER(p, s) → decimal (was falling through to the unknown-type fallback). Two stale fixture expectations corrected.
  • Pre-commit hook chain aligned with the polyrepo's shared source. Nine individual hook repos consolidated to kreuzberg-dev/pre-commit-hooks v2.1.10 for general/markdown/rust/shell/actions/typos/ai-rulez. rustdoc-lint, markdownlint-rumdl-strict, and rust-max-lines are listed but commented out with TODOs covering the gaps (~449 missing-doc errors, 35 long-line MD files, 4 source files over 1,000 LOC) — each is its own focused remediation.

See CHANGELOG.md for the full per-rule, per-matcher breakdown.
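The following is an added illustration of the SQL shapes the new RLS, CHECK, search_path and reg* rules target, each beside its corrected form. It is not part of this release or of scythe's fixtures: the rule names come from the highlights above, but the specific statements are constructed here, the auth.uid()/auth.jwt() helpers and the authenticated role are Supabase-style assumptions that the release page does not name, and whether a given statement trips a matcher is the rule's call, not this example's.

```sql
-- Constructed examples (not scythe's fixtures). Postgres dialect throughout.
-- auth.uid() / auth.jwt() are Supabase-style JWT helpers assumed to exist;
-- the 'authenticated' role is likewise assumed. The release names the rules,
-- not these functions.

CREATE TABLE public.documents (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner_id  uuid   NOT NULL,
    body      text   NOT NULL
);
ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;

-- SC-RLS02 policy-always-permissive: USING (true) hands every row to every
-- role the policy applies to; RLS is enabled but filters nothing.
CREATE POLICY docs_read_bad ON public.documents FOR SELECT TO authenticated
    USING (true);

-- SC-RLS03 policy-uses-uncached-auth-function: auth.uid() is re-evaluated
-- per row. Wrapped in a scalar subquery it runs once per statement (an
-- InitPlan); the rule stops at that subquery boundary, the safe form.
CREATE POLICY docs_read_slow ON public.documents FOR SELECT TO authenticated
    USING (owner_id = auth.uid());

-- SC-RLS01 policy-references-user-metadata: user_metadata is writable by the
-- end user, so any claim read from it is attacker-controlled. app_metadata is
-- set server-side and is where an authorization claim belongs.
CREATE POLICY docs_admin_bad ON public.documents FOR ALL TO authenticated
    USING ((auth.jwt() -> 'user_metadata' ->> 'role') = 'admin');

-- Corrected forms of all three: owner-scoped, auth function cached via
-- subquery, role read from server-controlled metadata.
CREATE POLICY docs_read_ok ON public.documents FOR SELECT TO authenticated
    USING (owner_id = (SELECT auth.uid()));
CREATE POLICY docs_admin_ok ON public.documents FOR ALL TO authenticated
    USING (((SELECT auth.jwt()) -> 'app_metadata' ->> 'role') = 'admin');

-- SC-CHK01 check-constraint-always-true, in the three positions the rule
-- covers. A CHECK that yields TRUE or NULL for every row rejects nothing
-- (NULL passes a CHECK), so each of these is a constraint in name only.
CREATE TABLE public.orders (
    id     bigint PRIMARY KEY,
    qty    integer CHECK (1 = 1),                   -- column-level tautology
    price  numeric(12, 2),
    CONSTRAINT orders_price_chk CHECK ((true))      -- table-level, parenthesised
);
ALTER TABLE public.orders ADD CONSTRAINT orders_null_chk CHECK (NULL);

-- Corrected: predicates that can actually fail.
CREATE TABLE public.orders_ok (
    id     bigint PRIMARY KEY,
    qty    integer NOT NULL CHECK (qty > 0),
    price  numeric(12, 2) NOT NULL,
    CONSTRAINT orders_ok_price_chk CHECK (price >= 0)
);

-- SC-SEC12 function-search-path-mutable: a SECURITY DEFINER function with no
-- fixed search_path resolves unqualified names in the caller's search_path.
-- A caller who can create objects in a schema earlier on that path can shadow
-- 'documents' and have the definer's privileges execute their object instead.
CREATE FUNCTION public.count_my_docs() RETURNS bigint
LANGUAGE sql SECURITY DEFINER AS $$
    SELECT count(*) FROM documents WHERE owner_id = auth.uid();
$$;

-- Corrected: pin search_path to empty and schema-qualify every reference
-- (pg_catalog is always searched implicitly, so count(*) needs no prefix).
CREATE FUNCTION public.count_my_docs_ok() RETURNS bigint
LANGUAGE sql SECURITY DEFINER
SET search_path = ''
AS $$
    SELECT count(*) FROM public.documents WHERE owner_id = (SELECT auth.uid());
$$;

-- SC-MIG19 unsupported-reg-types: pg_upgrade refuses a cluster whose tables
-- have columns of reg* OID alias types other than regclass, regrole and
-- regtype. Store the name as text instead and resolve it at use time.
CREATE TABLE public.handlers_bad (name text PRIMARY KEY, fn regproc);
CREATE TABLE public.handlers_ok  (name text PRIMARY KEY, fn_name text NOT NULL);
```

The one deliberate exception to note for SC-RLS02 is a policy on genuinely public data, where USING (true) for a read-only role is the intent; since the packs honour the existing [lint] severity overrides, that is the place to downgrade the rule for such a table rather than disabling the pack.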

Upgrade notes

  • Pin pre-commit hooks to rev: v0.9.0 to pick up scythe-audit.
  • Oracle users on Rust: sibyl 0.7 with the nonblocking feature is required. The integration test still expects Oracle Instant Client at link time.
  • mysql/sqlite/mssql projects: scythe lint will start running the dialect-agnostic audit rules (SC-SEC01/02/03/06/07/08/09 and SC-CHK01). All postgres-specific rules are silently skipped.