@pgplex/pgconsole 0.0.3 → 0.1.0

package/dist/server.mjs

@@ -41058,7 +41058,7 @@ async function loadConfig(configPath) {
   const path5 = configPath || "pgconsole.toml";
   if (!existsSync(path5)) {
     throw new Error(`Config file not found: ${path5}
-See https://docs.pgconsole.com/configuration/toml-config`);
+See https://docs.pgconsole.com/configuration/config`);
   }
   const content = readFileSync(path5, "utf-8");
   const parsed = parse2(content);
@@ -41271,57 +41271,36 @@ See https://docs.pgconsole.com/configuration/toml-config`);
     if (a.jwt_secret.length < 32) {
       throw new Error("Auth jwt_secret must be at least 32 characters");
     }
-    let providers = void 0;
+    const providers = [];
     const rawProviders = a.providers;
-    if (rawProviders) {
-      providers = {};
-      for (const key of Object.keys(rawProviders)) {
-        const raw = rawProviders[key];
-        if (key === "google") {
-          if (!raw.client_id || typeof raw.client_id !== "string") {
-            throw new Error("Google provider missing required field: client_id");
-          }
-          if (!raw.client_secret || typeof raw.client_secret !== "string") {
-            throw new Error("Google provider missing required field: client_secret");
-          }
-          providers.google = {
-            client_id: raw.client_id,
-            client_secret: raw.client_secret
-          };
-        } else if (key === "keycloak") {
-          if (!raw.issuer_url || typeof raw.issuer_url !== "string") {
-            throw new Error("Keycloak provider missing required field: issuer_url");
-          }
-          if (!raw.client_id || typeof raw.client_id !== "string") {
-            throw new Error("Keycloak provider missing required field: client_id");
-          }
-          if (!raw.client_secret || typeof raw.client_secret !== "string") {
-            throw new Error("Keycloak provider missing required field: client_secret");
-          }
-          providers.keycloak = {
-            issuer_url: raw.issuer_url.replace(/\/+$/, ""),
-            client_id: raw.client_id,
-            client_secret: raw.client_secret
-          };
-        } else if (key === "okta") {
-          if (!raw.issuer_url || typeof raw.issuer_url !== "string") {
-            throw new Error("Okta provider missing required field: issuer_url");
-          }
-          if (!raw.client_id || typeof raw.client_id !== "string") {
-            throw new Error("Okta provider missing required field: client_id");
-          }
-          if (!raw.client_secret || typeof raw.client_secret !== "string") {
-            throw new Error("Okta provider missing required field: client_secret");
-          }
-          providers.okta = {
-            issuer_url: raw.issuer_url.replace(/\/+$/, ""),
-            client_id: raw.client_id,
-            client_secret: raw.client_secret
-          };
-        }
+    const validProviderTypes = ["google", "keycloak", "okta"];
+    if (rawProviders && Array.isArray(rawProviders)) {
+      for (const entry of rawProviders) {
+        const raw = entry;
+        if (!raw.type || typeof raw.type !== "string") {
+          throw new Error("Auth provider missing required field: type");
+        }
+        if (!validProviderTypes.includes(raw.type)) {
+          throw new Error(`Auth provider has invalid type: ${raw.type}. Must be one of: ${validProviderTypes.join(", ")}`);
+        }
+        if (!raw.client_id || typeof raw.client_id !== "string") {
+          throw new Error(`${raw.type} provider missing required field: client_id`);
+        }
+        if (!raw.client_secret || typeof raw.client_secret !== "string") {
+          throw new Error(`${raw.type} provider missing required field: client_secret`);
+        }
+        if ((raw.type === "keycloak" || raw.type === "okta") && (!raw.issuer_url || typeof raw.issuer_url !== "string")) {
+          throw new Error(`${raw.type} provider missing required field: issuer_url`);
+        }
+        providers.push({
+          type: raw.type,
+          client_id: raw.client_id,
+          client_secret: raw.client_secret,
+          issuer_url: typeof raw.issuer_url === "string" ? raw.issuer_url.replace(/\/+$/, "") : void 0
+        });
       }
     }
-    const hasOAuthProvider = providers?.google || providers?.keycloak || providers?.okta;
+    const hasOAuthProvider = providers.length > 0;
     if (hasOAuthProvider && !external_url) {
       throw new Error("[general] external_url is required when OAuth providers are enabled");
     }
@@ -41375,7 +41354,7 @@ See https://docs.pgconsole.com/configuration/toml-config`);
     }
   }
   const iam = [];
-  const validPermissions = ["read", "write", "ddl", "admin"];
+  const validPermissions = ["read", "write", "ddl", "admin", "explain", "execute", "export"];
   const rawIAM = parsed.iam || [];
   for (let i2 = 0; i2 < rawIAM.length; i2++) {
     const rule = rawIAM[i2];
@@ -41395,10 +41374,13 @@ See https://docs.pgconsole.com/configuration/toml-config`);
       if (typeof perm !== "string") {
         throw new Error(`IAM rule ${ruleNum} has invalid permission: must be string`);
       }
-      if (!validPermissions.includes(perm)) {
-        throw new Error(`IAM rule ${ruleNum} has invalid permission: ${perm}. Must be one of: ${validPermissions.join(", ")}`);
+      if (perm === "*") {
+        permissions.push(...validPermissions);
+      } else if (!validPermissions.includes(perm)) {
+        throw new Error(`IAM rule ${ruleNum} has invalid permission: ${perm}. Must be one of: ${validPermissions.join(", ")}, *`);
+      } else {
+        permissions.push(perm);
       }
-      permissions.push(perm);
     }
     if (!Array.isArray(rule.members) || rule.members.length === 0) {
       throw new Error(`IAM rule ${ruleNum} missing required field: members (must be non-empty array)`);
@@ -41409,7 +41391,7 @@ See https://docs.pgconsole.com/configuration/toml-config`);
         throw new Error(`IAM rule ${ruleNum} has invalid member: must be non-empty string`);
       }
       const m2 = member.trim();
-      if (m2 === "allAuthenticatedUsers") {
+      if (m2 === "*") {
         members.push(m2);
       } else if (m2.startsWith("user:")) {
         const email = m2.slice(5);
@@ -41427,7 +41409,7 @@ See https://docs.pgconsole.com/configuration/toml-config`);
         }
         members.push(m2);
       } else {
-        throw new Error(`IAM rule ${ruleNum} has invalid member format: ${m2}. Must be "allAuthenticatedUsers", "user:xxx", or "group:xxx"`);
+        throw new Error(`IAM rule ${ruleNum} has invalid member format: ${m2}. Must be "*", "user:xxx", or "group:xxx"`);
       }
     }
     iam.push({ connection, permissions, members });
@@ -41452,13 +41434,6 @@ See https://docs.pgconsole.com/configuration/toml-config`);
       throw new Error(`Too many [[users]] entries: ${users.length} configured but current license only allows ${limit2}. Remove users or upgrade your license.`);
     }
   }
-  console.log(`Loaded ${users.length} user(s), ${groups.length} group(s), ${labels.length} label(s) and ${connections.length} connection(s) from ${path5}`);
-  if (ai) {
-    console.log(`AI configured with ${ai.providers.length} provider(s)`);
-  }
-  if (iam.length > 0) {
-    console.log(`IAM configured with ${iam.length} rule(s)`);
-  }
 }
 function getLabels() {
   return loadedConfig.labels;
@@ -41476,6 +41451,9 @@ function getConnectionById(id) {
 function getAuthConfig() {
   return loadedConfig.auth;
 }
+function getAuthProvider(type) {
+  return loadedConfig.auth?.providers.find((p) => p.type === type);
+}
 function getUsers() {
   return loadedConfig.users;
 }
@@ -41638,11 +41616,24 @@ function auditSQL(actor, connection, database, sql, success, duration_ms, row_co
   if (error) event.error = error;
   emit(event);
 }
+function auditExport(actor, connection, database, sql, row_count, format) {
+  emit({
+    type: "audit",
+    ts: now(),
+    action: "data.export",
+    actor,
+    connection,
+    database,
+    sql,
+    row_count,
+    format
+  });
+}
 
 // server/lib/oauth/google.ts
 function registerGoogleOAuth(router3, opts) {
   router3.get("/google", (_req, res) => {
-    const google = getAuthConfig()?.providers?.google;
+    const google = getAuthProvider("google");
     if (!google) {
       return res.status(400).json({ error: "Google OAuth not configured" });
     }
@@ -41659,7 +41650,7 @@ function registerGoogleOAuth(router3, opts) {
     return res.redirect(`https://accounts.google.com/o/oauth2/v2/auth?${params}`);
   });
   router3.get("/google/callback", async (req, res) => {
-    const google = getAuthConfig()?.providers?.google;
+    const google = getAuthProvider("google");
     const externalUrl = getExternalUrl();
     if (!google) {
       return res.redirect(`${externalUrl}/signin?error=not_configured`);
@@ -41729,7 +41720,7 @@ function registerGoogleOAuth(router3, opts) {
 // server/lib/oauth/keycloak.ts
 function registerKeycloakOAuth(router3, opts) {
   router3.get("/keycloak", (_req, res) => {
-    const keycloak = getAuthConfig()?.providers?.keycloak;
+    const keycloak = getAuthProvider("keycloak");
     if (!keycloak) {
       return res.status(400).json({ error: "Keycloak not configured" });
     }
@@ -41746,7 +41737,7 @@ function registerKeycloakOAuth(router3, opts) {
     return res.redirect(`${keycloak.issuer_url}/protocol/openid-connect/auth?${params}`);
   });
   router3.get("/keycloak/callback", async (req, res) => {
-    const keycloak = getAuthConfig()?.providers?.keycloak;
+    const keycloak = getAuthProvider("keycloak");
     const externalUrl = getExternalUrl();
     if (!keycloak) {
       return res.redirect(`${externalUrl}/signin?error=not_configured`);
@@ -41813,7 +41804,7 @@ function registerKeycloakOAuth(router3, opts) {
 // server/lib/oauth/okta.ts
 function registerOktaOAuth(router3, opts) {
   router3.get("/okta", (_req, res) => {
-    const okta = getAuthConfig()?.providers?.okta;
+    const okta = getAuthProvider("okta");
     if (!okta) {
       return res.status(400).json({ error: "Okta not configured" });
     }
@@ -41830,7 +41821,7 @@ function registerOktaOAuth(router3, opts) {
     return res.redirect(`${okta.issuer_url}/v1/authorize?${params}`);
   });
   router3.get("/okta/callback", async (req, res) => {
-    const okta = getAuthConfig()?.providers?.okta;
+    const okta = getAuthProvider("okta");
     const externalUrl = getExternalUrl();
     if (!okta) {
       return res.redirect(`${externalUrl}/signin?error=not_configured`);
@@ -42018,14 +42009,12 @@ router.get("/providers", (_req, res) => {
   const plan = getPlan();
   const providers = [];
   if (getUsers().some((u) => u.password)) providers.push({ name: "basic" });
-  if (config?.providers) {
-    for (const key of Object.keys(config.providers)) {
-      const feat = SSO_FEATURE[key];
-      if (feat && !feature(feat, plan)) {
-        providers.push({ name: key, requiredPlan: requiredPlan(feat) });
-      } else {
-        providers.push({ name: key });
-      }
+  for (const provider of config?.providers ?? []) {
+    const feat = SSO_FEATURE[provider.type];
+    if (feat && !feature(feat, plan)) {
+      providers.push({ name: provider.type, requiredPlan: requiredPlan(feat) });
+    } else {
+      providers.push({ name: provider.type });
     }
   }
   return res.json({ providers });
@@ -56349,6 +56338,93 @@ var TerminateSessionResponse = class _TerminateSessionResponse extends Message {
     return proto3.util.equals(_TerminateSessionResponse, a, b);
   }
 };
+var AuditExportRequest = class _AuditExportRequest extends Message {
+  /**
+   * @generated from field: string connection_id = 1;
+   */
+  connectionId = "";
+  /**
+   * @generated from field: string sql = 2;
+   */
+  sql = "";
+  /**
+   * @generated from field: int32 row_count = 3;
+   */
+  rowCount = 0;
+  /**
+   * @generated from field: string format = 4;
+   */
+  format = "";
+  constructor(data) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+  static runtime = proto3;
+  static typeName = "query.v1.AuditExportRequest";
+  static fields = proto3.util.newFieldList(() => [
+    {
+      no: 1,
+      name: "connection_id",
+      kind: "scalar",
+      T: 9
+      /* ScalarType.STRING */
+    },
+    {
+      no: 2,
+      name: "sql",
+      kind: "scalar",
+      T: 9
+      /* ScalarType.STRING */
+    },
+    {
+      no: 3,
+      name: "row_count",
+      kind: "scalar",
+      T: 5
+      /* ScalarType.INT32 */
+    },
+    {
+      no: 4,
+      name: "format",
+      kind: "scalar",
+      T: 9
+      /* ScalarType.STRING */
+    }
+  ]);
+  static fromBinary(bytes, options) {
+    return new _AuditExportRequest().fromBinary(bytes, options);
+  }
+  static fromJson(jsonValue, options) {
+    return new _AuditExportRequest().fromJson(jsonValue, options);
+  }
+  static fromJsonString(jsonString, options) {
+    return new _AuditExportRequest().fromJsonString(jsonString, options);
+  }
+  static equals(a, b) {
+    return proto3.util.equals(_AuditExportRequest, a, b);
+  }
+};
+var AuditExportResponse = class _AuditExportResponse extends Message {
+  constructor(data) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+  static runtime = proto3;
+  static typeName = "query.v1.AuditExportResponse";
+  static fields = proto3.util.newFieldList(() => []);
+  static fromBinary(bytes, options) {
+    return new _AuditExportResponse().fromBinary(bytes, options);
+  }
+  static fromJson(jsonValue, options) {
+    return new _AuditExportResponse().fromJson(jsonValue, options);
+  }
+  static fromJsonString(jsonString, options) {
+    return new _AuditExportResponse().fromJsonString(jsonString, options);
+  }
+  static equals(a, b) {
+    return proto3.util.equals(_AuditExportResponse, a, b);
+  }
+};
 
 // src/gen/query_connect.ts
 var QueryService = {
@@ -56515,6 +56591,15 @@ var QueryService = {
       I: TerminateSessionRequest,
       O: TerminateSessionResponse,
       kind: MethodKind.Unary
+    },
+    /**
+     * @generated from rpc query.v1.QueryService.AuditExport
+     */
+    auditExport: {
+      name: "AuditExport",
+      I: AuditExportRequest,
+      O: AuditExportResponse,
+      kind: MethodKind.Unary
     }
   }
 };
@@ -57488,16 +57573,21 @@ function setConnectionVersion(connectionId, version) {
   const info = { version };
   connectionCache.set(connectionId, info);
 }
-function extractPostgresVersion(versionString) {
+async function testAndCacheConnection(client, connectionId) {
+  await client`SELECT 1`;
+  const versionResult = await client`SELECT version()`;
+  const versionString = versionResult[0]?.version || "";
   const match = versionString.match(/PostgreSQL (\d+)/);
   if (!match?.[1]) {
     throw new Error(`Failed to extract PostgreSQL version from: ${versionString}`);
   }
-  return match[1];
+  const version = match[1];
+  setConnectionVersion(connectionId, version);
+  return version;
 }
 
 // server/lib/iam.ts
-var ALL_PERMISSIONS = ["read", "write", "ddl", "admin"];
+var ALL_PERMISSIONS = ["read", "write", "ddl", "admin", "explain", "execute", "export"];
 function requirePermission(user, connectionId, permission, action) {
   if (!user) {
     throw new ConnectError("Authentication required", Code.Unauthenticated);
@@ -57542,7 +57632,7 @@ function getUserPermissions(email, connectionId) {
       continue;
     }
     const matches = rule.members.some((member) => {
-      if (member === "allAuthenticatedUsers") {
+      if (member === "*") {
         return true;
       }
       if (member.startsWith("user:")) {
@@ -57644,11 +57734,7 @@ var connectionServiceHandlers = {
       sslMode: conn.ssl_mode || "prefer"
     }, user?.email);
     try {
-      await client`SELECT 1`;
-      const versionResult = await client`SELECT version()`;
-      const versionString = versionResult[0]?.version || "";
-      const version = extractPostgresVersion(versionString);
-      setConnectionVersion(req.id, version);
+      await testAndCacheConnection(client, req.id);
       const latencyMs = Date.now() - start2;
       return { success: true, error: "", latencyMs };
     } catch (err) {
@@ -57757,6 +57843,7 @@ function transformStatement(node, source) {
   if ("AlterPublicationStmt" in obj) return { kind: "alter_publication", source };
   if ("ReassignOwnedStmt" in obj) return { kind: "reassign_owned", source };
   if ("DropOwnedStmt" in obj) return { kind: "drop_owned", source };
+  if ("CallStmt" in obj) return { kind: "call", source };
   return { kind: "unknown", raw: node, source };
 }
 function transformSelect(raw) {
@@ -62078,9 +62165,14 @@ function getRequiredPermission(kind) {
   switch (kind) {
     // Read-only
     case "select":
-    case "explain":
     case "show":
       return "read";
+    // Explain
+    case "explain":
+      return "explain";
+    // Execute (stored procedures)
+    case "call":
+      return "execute";
     // DML (data modification)
     case "insert":
     case "update":
@@ -62105,7 +62197,7 @@ function getRequiredPermission(kind) {
     case "revoke":
     case "refresh_matview":
       return "ddl";
-    // COPY depends on direction
+    // COPY (data import/export via server filesystem)
     case "copy":
       return "write";
     // Session/transaction control - safe operations
@@ -63195,6 +63287,21 @@ var queryServiceHandlers = {
         error: err instanceof Error ? err.message : "Failed to terminate session"
       };
     }
+  },
+  async auditExport(req, context) {
+    if (!req.connectionId) {
+      throw new ConnectError("connection_id is required", Code.InvalidArgument);
+    }
+    const user = await getUserFromContext(context.values);
+    if (!user) {
+      throw new ConnectError("Authentication required", Code.Unauthenticated);
+    }
+    const conn = getConnectionById(req.connectionId);
+    if (!conn) {
+      throw new ConnectError("Connection not found", Code.NotFound);
+    }
+    auditExport(user.email, req.connectionId, conn.database, req.sql, req.rowCount, req.format);
+    return {};
   }
 };
 
@@ -92448,11 +92555,7 @@ async function testAllConnections() {
         sslMode: conn.ssl_mode || "prefer"
       });
       try {
-        await client`SELECT 1`;
-        const versionResult = await client`SELECT version()`;
-        const versionString = versionResult[0]?.version || "";
-        const version = extractPostgresVersion(versionString);
-        setConnectionVersion(conn.id, version);
+        const version = await testAndCacheConnection(client, conn.id);
         console.log(`  \u2713 ${conn.name} (PostgreSQL ${version})`);
       } finally {
         await client.end();
@@ -92527,8 +92630,10 @@ app.use((req, res, next) => {
 async function start() {
   const args = parseArgs();
   const port = args.port || process.env.PORT || 9876;
+  const configPath = args.config || "pgconsole.toml";
   try {
-    await loadConfig(args.config);
+    await loadConfig(configPath);
+    console.log(`\u2713 Loaded config from: ${path4.resolve(configPath)}`);
   } catch (error) {
     console.error("Failed to load config:", error instanceof Error ? error.message : error);
     process.exit(1);
@@ -92546,9 +92651,40 @@ async function start() {
     console.error("\nConnection test failed:", error instanceof Error ? error.message : error);
     process.exit(1);
   }
-  app.listen(port, () => {
+  const server = app.listen(port, () => {
+    console.log(`
+                                                      ___
+                                                     /\\_ \\
+ _____      __     ___    ___     ___     ____    ___\\//\\ \\      __
+/\\ '__\`\\  /'_ \`\\  /'___\\ / __\`\\ /' _ \`\\  /',__\\  / __\`\\\\ \\ \\   /'__\`\\
+\\ \\ \\L\\ \\/\\ \\L\\ \\/\\ \\__//\\ \\L\\ \\/\\ \\/\\ \\/\\__, \`\\/\\ \\L\\ \\\\_\\ \\_/\\  __/
+ \\ \\ ,__/\\ \\____ \\ \\____\\ \\____/\\ \\_\\ \\_\\/\\____/\\ \\____//\\____\\ \\____\\
+  \\ \\ \\/  \\/___L\\ \\/____/\\/___/  \\/_/\\/_/\\/___/  \\/___/ \\/____/\\/____/
+   \\ \\_\\    /\\____/
+    \\/_/    \\_/__/
+
+    Version ${"0.1.0"}
+`);
     console.log(`Server running on http://localhost:${port}`);
+    const browserUrl = false ? `http://localhost:5173` : getExternalUrl() || `http://localhost:${port}`;
+    console.log(`Open in browser: ${browserUrl}`);
   });
+  server.on("error", (err) => {
+    if (err.code === "EADDRINUSE") {
+      console.error(`Error: Port ${port} is already in use.`);
+    } else {
+      console.error(`Error starting server: ${err.message}`);
+    }
+    process.exit(1);
+  });
+  const shutdown = () => {
+    console.log("\nShutting down...");
+    server.close(() => {
+      process.exit(0);
+    });
+  };
+  process.on("SIGTERM", shutdown);
+  process.on("SIGINT", shutdown);
 }
 start();
 /*! Bundled license information: