neonctl 2.22.2 → 2.23.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/README.md +84 -0
  2. package/analytics.js +5 -2
  3. package/commands/branches.js +9 -1
  4. package/commands/connection_string.js +9 -1
  5. package/commands/functions.js +268 -0
  6. package/commands/index.js +4 -0
  7. package/commands/neon_auth.js +1013 -0
  8. package/commands/projects.js +9 -1
  9. package/commands/psql.js +6 -1
  10. package/functions_api.js +43 -0
  11. package/package.json +15 -5
  12. package/psql/cli.js +51 -0
  13. package/psql/command/cmd_cond.js +437 -0
  14. package/psql/command/cmd_connect.js +815 -0
  15. package/psql/command/cmd_copy.js +1025 -0
  16. package/psql/command/cmd_describe.js +1810 -0
  17. package/psql/command/cmd_format.js +909 -0
  18. package/psql/command/cmd_io.js +2187 -0
  19. package/psql/command/cmd_lo.js +385 -0
  20. package/psql/command/cmd_meta.js +970 -0
  21. package/psql/command/cmd_misc.js +187 -0
  22. package/psql/command/cmd_pipeline.js +1141 -0
  23. package/psql/command/cmd_restrict.js +171 -0
  24. package/psql/command/cmd_show.js +751 -0
  25. package/psql/command/dispatch.js +343 -0
  26. package/psql/command/inputQueue.js +42 -0
  27. package/psql/command/shared.js +71 -0
  28. package/psql/complete/filenames.js +139 -0
  29. package/psql/complete/index.js +104 -0
  30. package/psql/complete/matcher.js +314 -0
  31. package/psql/complete/psqlVars.js +247 -0
  32. package/psql/complete/queries.js +491 -0
  33. package/psql/complete/rules.js +2387 -0
  34. package/psql/core/common.js +1250 -0
  35. package/psql/core/help.js +576 -0
  36. package/psql/core/mainloop.js +1353 -0
  37. package/psql/core/prompt.js +437 -0
  38. package/psql/core/settings.js +684 -0
  39. package/psql/core/sqlHelp.js +1066 -0
  40. package/psql/core/startup.js +840 -0
  41. package/psql/core/syncVars.js +116 -0
  42. package/psql/core/variables.js +287 -0
  43. package/psql/describe/formatters.js +1277 -0
  44. package/psql/describe/processNamePattern.js +270 -0
  45. package/psql/describe/queries.js +2373 -0
  46. package/psql/describe/versionGate.js +43 -0
  47. package/psql/index.js +2005 -0
  48. package/psql/io/history.js +299 -0
  49. package/psql/io/input.js +120 -0
  50. package/psql/io/lineEditor/buffer.js +323 -0
  51. package/psql/io/lineEditor/complete.js +227 -0
  52. package/psql/io/lineEditor/filename.js +159 -0
  53. package/psql/io/lineEditor/index.js +891 -0
  54. package/psql/io/lineEditor/keymap.js +738 -0
  55. package/psql/io/lineEditor/vt100.js +363 -0
  56. package/psql/io/pgpass.js +202 -0
  57. package/psql/io/pgservice.js +194 -0
  58. package/psql/io/psqlrc.js +422 -0
  59. package/psql/print/aligned.js +1756 -0
  60. package/psql/print/asciidoc.js +248 -0
  61. package/psql/print/crosstab.js +460 -0
  62. package/psql/print/csv.js +92 -0
  63. package/psql/print/html.js +258 -0
  64. package/psql/print/json.js +96 -0
  65. package/psql/print/latex.js +396 -0
  66. package/psql/print/pager.js +265 -0
  67. package/psql/print/troff.js +258 -0
  68. package/psql/print/unaligned.js +118 -0
  69. package/psql/print/units.js +135 -0
  70. package/psql/scanner/slash.js +513 -0
  71. package/psql/scanner/sql.js +910 -0
  72. package/psql/scanner/stringutils.js +390 -0
  73. package/psql/types/backslash.js +1 -0
  74. package/psql/types/connection.js +1 -0
  75. package/psql/types/index.js +7 -0
  76. package/psql/types/printer.js +1 -0
  77. package/psql/types/repl.js +1 -0
  78. package/psql/types/scanner.js +24 -0
  79. package/psql/types/settings.js +1 -0
  80. package/psql/types/variables.js +1 -0
  81. package/psql/wire/connection.js +2844 -0
  82. package/psql/wire/copy.js +108 -0
  83. package/psql/wire/notify.js +59 -0
  84. package/psql/wire/pipeline.js +519 -0
  85. package/psql/wire/protocol.js +466 -0
  86. package/psql/wire/sasl.js +296 -0
  87. package/psql/wire/tls.js +596 -0
  88. package/test_utils/fixtures.js +1 -0
  89. package/utils/esbuild.js +147 -0
  90. package/utils/psql.js +107 -11
  91. package/utils/zip.js +4 -0
  92. package/writer.js +1 -1
  93. package/commands/auth.test.js +0 -211
  94. package/commands/branches.test.js +0 -460
  95. package/commands/checkout.test.js +0 -170
  96. package/commands/connection_string.test.js +0 -196
  97. package/commands/data_api.test.js +0 -169
  98. package/commands/databases.test.js +0 -39
  99. package/commands/help.test.js +0 -9
  100. package/commands/init.test.js +0 -56
  101. package/commands/ip_allow.test.js +0 -59
  102. package/commands/link.test.js +0 -381
  103. package/commands/operations.test.js +0 -7
  104. package/commands/orgs.test.js +0 -7
  105. package/commands/projects.test.js +0 -144
  106. package/commands/psql.test.js +0 -49
  107. package/commands/roles.test.js +0 -37
  108. package/commands/set_context.test.js +0 -159
  109. package/commands/vpc_endpoints.test.js +0 -69
  110. package/context.test.js +0 -119
  111. package/env.test.js +0 -55
  112. package/utils/formats.test.js +0 -32
  113. package/writer.test.js +0 -104
@@ -0,0 +1,363 @@
1
+ /**
2
+ * VT100/xterm input decoder and CSI escape helpers.
3
+ *
4
+ * Input side: a streaming decoder that consumes raw bytes from stdin and
5
+ * emits `KeyEvent`s. Handles:
6
+ *
7
+ * - Printable ASCII (0x20..0x7e)
8
+ * - Control bytes (0x00..0x1f, plus 0x7f → backspace)
9
+ * - CSI sequences (`\x1b[...`): arrow keys, Home/End, Delete, PageUp/Dn,
10
+ * bracketed paste markers
11
+ * - SS3 sequences (`\x1bO<x>`) for application-mode arrows
12
+ * - Alt-X sequences (`\x1b<letter>`) for Meta keystrokes
13
+ * - Multi-byte UTF-8 codepoints (accumulated until complete)
14
+ *
15
+ * Output side: small helpers wrapping CSI escapes used by the renderer.
16
+ *
17
+ * The decoder is allocation-light: input chunks are appended to a private
18
+ * buffer, then drained from the head. We never throw on malformed input —
19
+ * leftover bytes that can't be decoded become a single `KeyEvent` with
20
+ * `key: 'unknown'` so the editor can ring the bell instead of dying.
21
+ */
22
+ /** Convenience: build a control-character event for byte `b` in 0x01..0x1f. */
23
+ const controlEvent = (b) => {
24
+ // ^A == 0x01 maps back to 'a'. Lowercase keeps things consistent.
25
+ const letter = String.fromCharCode(b + 0x60);
26
+ return { key: 'char', char: letter, ctrl: true };
27
+ };
28
+ /** Streaming decoder. Owns a small pending-byte buffer. */
29
+ export class Vt100Decoder {
30
+ constructor(opts = {}) {
31
+ this.pending = [];
32
+ /** UTF-8 continuation accumulator. */
33
+ this.utf8Bytes = [];
34
+ this.utf8Expect = 0;
35
+ /** Active bare-Esc timer, if one is pending. */
36
+ this.escTimer = null;
37
+ /** True while we're sitting on a buffered Esc waiting for follow-on. */
38
+ this.escPending = false;
39
+ this.escTimeoutMs = opts.escTimeoutMs ?? 0;
40
+ this.onTimeoutEvent = opts.onTimeoutEvent;
41
+ }
42
+ /** Reset internal state. Useful before re-entering raw mode after a fork. */
43
+ reset() {
44
+ this.pending.length = 0;
45
+ this.utf8Bytes.length = 0;
46
+ this.utf8Expect = 0;
47
+ this.clearEscTimer();
48
+ this.escPending = false;
49
+ }
50
+ clearEscTimer() {
51
+ if (this.escTimer !== null) {
52
+ clearTimeout(this.escTimer);
53
+ this.escTimer = null;
54
+ }
55
+ }
56
+ /**
57
+ * Feed a chunk of input. Returns zero or more `KeyEvent`s; bytes that
58
+ * form an incomplete sequence are buffered until the next call.
59
+ */
60
+ push(chunk) {
61
+ // A follow-on byte arrived: cancel any pending Esc timer; the standard
62
+ // sequence consumption path will see the Esc + byte together.
63
+ if (chunk.length > 0 && this.escPending) {
64
+ this.clearEscTimer();
65
+ this.escPending = false;
66
+ }
67
+ for (const b of chunk)
68
+ this.pending.push(b);
69
+ const out = [];
70
+ // Drain as long as we can make progress.
71
+ for (;;) {
72
+ const before = this.pending.length;
73
+ const ev = this.tryConsume();
74
+ if (ev === null) {
75
+ // Need more bytes.
76
+ if (this.pending.length !== before) {
77
+ // Bytes were consumed without emitting an event (UTF-8 prefix).
78
+ // Loop again to try further.
79
+ continue;
80
+ }
81
+ break;
82
+ }
83
+ out.push(ev);
84
+ if (this.pending.length === 0)
85
+ break;
86
+ }
87
+ return out;
88
+ }
89
+ /**
90
+ * Try to consume one key sequence from the head of `pending`. Returns
91
+ * the event, or `null` if more input is needed. May consume bytes
92
+ * without emitting (UTF-8 lead byte → continuation).
93
+ */
94
+ tryConsume() {
95
+ if (this.pending.length === 0)
96
+ return null;
97
+ const b = this.pending[0];
98
+ // Mid-UTF-8 sequence: accumulate continuation bytes.
99
+ if (this.utf8Expect > 0) {
100
+ if ((b & 0xc0) !== 0x80) {
101
+ // Invalid continuation: drop the lead and continuations, emit unknown.
102
+ this.utf8Bytes.length = 0;
103
+ this.utf8Expect = 0;
104
+ this.pending.shift();
105
+ return { key: 'unknown', raw: new Uint8Array([b]) };
106
+ }
107
+ this.utf8Bytes.push(b);
108
+ this.pending.shift();
109
+ this.utf8Expect--;
110
+ if (this.utf8Expect === 0) {
111
+ const bytes = Uint8Array.from(this.utf8Bytes);
112
+ this.utf8Bytes.length = 0;
113
+ const decoded = utf8Decode(bytes);
114
+ return { key: 'char', char: decoded };
115
+ }
116
+ return null;
117
+ }
118
+ // ASCII printable.
119
+ if (b >= 0x20 && b <= 0x7e) {
120
+ this.pending.shift();
121
+ return { key: 'char', char: String.fromCharCode(b) };
122
+ }
123
+ // Common controls.
124
+ if (b === 0x09) {
125
+ this.pending.shift();
126
+ return { key: 'tab' };
127
+ }
128
+ if (b === 0x0a || b === 0x0d) {
129
+ this.pending.shift();
130
+ return { key: 'enter' };
131
+ }
132
+ if (b === 0x7f || b === 0x08) {
133
+ this.pending.shift();
134
+ return { key: 'backspace' };
135
+ }
136
+ if (b === 0x1b) {
137
+ // Escape: maybe alone, maybe the lead of a CSI/SS3/Meta sequence.
138
+ return this.consumeEscape();
139
+ }
140
+ if (b < 0x20) {
141
+ this.pending.shift();
142
+ return controlEvent(b);
143
+ }
144
+ // UTF-8 lead byte.
145
+ if ((b & 0xe0) === 0xc0) {
146
+ this.utf8Expect = 1;
147
+ this.utf8Bytes = [b];
148
+ this.pending.shift();
149
+ return null;
150
+ }
151
+ if ((b & 0xf0) === 0xe0) {
152
+ this.utf8Expect = 2;
153
+ this.utf8Bytes = [b];
154
+ this.pending.shift();
155
+ return null;
156
+ }
157
+ if ((b & 0xf8) === 0xf0) {
158
+ this.utf8Expect = 3;
159
+ this.utf8Bytes = [b];
160
+ this.pending.shift();
161
+ return null;
162
+ }
163
+ // Stray high byte. Emit unknown.
164
+ this.pending.shift();
165
+ return { key: 'unknown', raw: new Uint8Array([b]) };
166
+ }
167
+ /**
168
+ * Called when the head byte is 0x1b. Tries to consume an escape
169
+ * sequence; returns `null` if more bytes are needed.
170
+ *
171
+ * When only the Esc byte sits in the buffer we have two strategies:
172
+ *
173
+ * 1) `escTimeoutMs === 0` (default for non-LineEditor callers): emit
174
+ * the bare `escape` immediately. Matches the pre-polish behaviour.
175
+ * 2) `escTimeoutMs > 0`: park the Esc byte, arm a `setTimeout`. If a
176
+ * follow-on byte arrives within the window, `push()` cancels the
177
+ * timer and the normal Esc-prefix path runs. Otherwise the timer
178
+ * fires and we synthesise an `escape` event into the host queue.
179
+ */
180
+ consumeEscape() {
181
+ if (this.pending.length === 1) {
182
+ if (this.escTimeoutMs === 0) {
183
+ this.pending.shift();
184
+ return { key: 'escape' };
185
+ }
186
+ // Already waiting? Don't re-arm the timer.
187
+ if (this.escPending)
188
+ return null;
189
+ this.escPending = true;
190
+ this.escTimer = setTimeout(() => {
191
+ this.escTimer = null;
192
+ // If the buffer head is still a lone Esc, drain it as a bare escape.
193
+ if (this.escPending && this.pending[0] === 0x1b) {
194
+ this.pending.shift();
195
+ this.escPending = false;
196
+ this.onTimeoutEvent?.({ key: 'escape' });
197
+ }
198
+ else {
199
+ this.escPending = false;
200
+ }
201
+ }, this.escTimeoutMs);
202
+ return null;
203
+ }
204
+ const b1 = this.pending[1];
205
+ // Esc [ ... — CSI sequence
206
+ if (b1 === 0x5b /* '[' */) {
207
+ return this.consumeCsi();
208
+ }
209
+ // Esc O X — SS3 (application-mode arrows on many terminals)
210
+ if (b1 === 0x4f /* 'O' */) {
211
+ if (this.pending.length < 3)
212
+ return null;
213
+ const b2 = this.pending[2];
214
+ this.pending.splice(0, 3);
215
+ return ss3ToEvent(b2);
216
+ }
217
+ // Esc <byte> — Alt/Meta combination.
218
+ if (b1 < 0x20) {
219
+ // Esc + control byte. Treat as Alt-Ctrl-X; we don't currently bind any.
220
+ this.pending.splice(0, 2);
221
+ const inner = controlEvent(b1);
222
+ inner.meta = true;
223
+ return inner;
224
+ }
225
+ if (b1 === 0x7f) {
226
+ this.pending.splice(0, 2);
227
+ return { key: 'backspace', meta: true };
228
+ }
229
+ if (b1 >= 0x20 && b1 <= 0x7e) {
230
+ this.pending.splice(0, 2);
231
+ return { key: 'char', char: String.fromCharCode(b1), meta: true };
232
+ }
233
+ // Unknown Esc-X sequence; consume both and emit unknown.
234
+ const raw = Uint8Array.from(this.pending.slice(0, 2));
235
+ this.pending.splice(0, 2);
236
+ return { key: 'unknown', raw };
237
+ }
238
+ consumeCsi() {
239
+ // Format: ESC [ (parameter bytes 0x30..0x3f)* (intermediate bytes 0x20..0x2f)* (final byte 0x40..0x7e)
240
+ // We start at pending[2] (after ESC '[').
241
+ let i = 2;
242
+ while (i < this.pending.length) {
243
+ const b = this.pending[i];
244
+ if (b >= 0x40 && b <= 0x7e)
245
+ break;
246
+ i++;
247
+ }
248
+ if (i === this.pending.length)
249
+ return null; // need more bytes
250
+ // Examine parameter bytes between pending[2] and pending[i-1].
251
+ const params = this.pending.slice(2, i);
252
+ const final = this.pending[i];
253
+ const seqLen = i + 1;
254
+ const consume = () => {
255
+ this.pending.splice(0, seqLen);
256
+ };
257
+ // Bracketed paste markers: ESC [ 200 ~ and ESC [ 201 ~
258
+ if (final === 0x7e /* '~' */) {
259
+ const paramStr = String.fromCharCode(...params);
260
+ consume();
261
+ switch (paramStr) {
262
+ case '1':
263
+ case '7':
264
+ return { key: 'home' };
265
+ case '2':
266
+ return { key: 'unknown' }; // Insert; we don't handle it.
267
+ case '3':
268
+ return { key: 'delete' };
269
+ case '4':
270
+ case '8':
271
+ return { key: 'end' };
272
+ case '5':
273
+ return { key: 'pageup' };
274
+ case '6':
275
+ return { key: 'pagedown' };
276
+ case '200':
277
+ return { key: 'paste-start' };
278
+ case '201':
279
+ return { key: 'paste-end' };
280
+ default:
281
+ return { key: 'unknown' };
282
+ }
283
+ }
284
+ // Letter finals (A/B/C/D/H/F).
285
+ // Param string may carry modifiers: e.g. "1;3" → Alt-arrow.
286
+ const paramStr = String.fromCharCode(...params);
287
+ consume();
288
+ const meta = paramStr.endsWith(';3') || paramStr.endsWith(';7');
289
+ switch (final) {
290
+ case 0x41 /* 'A' */:
291
+ return meta ? { key: 'up', meta: true } : { key: 'up' };
292
+ case 0x42 /* 'B' */:
293
+ return meta ? { key: 'down', meta: true } : { key: 'down' };
294
+ case 0x43 /* 'C' */:
295
+ return meta ? { key: 'right', meta: true } : { key: 'right' };
296
+ case 0x44 /* 'D' */:
297
+ return meta ? { key: 'left', meta: true } : { key: 'left' };
298
+ case 0x48 /* 'H' */:
299
+ return { key: 'home' };
300
+ case 0x46 /* 'F' */:
301
+ return { key: 'end' };
302
+ case 0x5a /* 'Z' */:
303
+ // Shift-Tab; treat as plain Tab for now (no reverse cycling yet).
304
+ return { key: 'tab', meta: true };
305
+ default:
306
+ return {
307
+ key: 'unknown',
308
+ raw: Uint8Array.from(this.pending.slice(0, seqLen)),
309
+ };
310
+ }
311
+ }
312
+ }
313
+ /** Decode a small UTF-8 byte sequence (1..4 bytes) into a string. */
314
+ const utf8Decode = (bytes) => {
315
+ // Node provides TextDecoder; available on all supported runtimes (Node 18+).
316
+ return new TextDecoder('utf-8', { fatal: false }).decode(bytes);
317
+ };
318
+ /** Translate an SS3 final byte (after `ESC O`) into a key event. */
319
+ const ss3ToEvent = (b) => {
320
+ switch (b) {
321
+ case 0x41:
322
+ return { key: 'up' };
323
+ case 0x42:
324
+ return { key: 'down' };
325
+ case 0x43:
326
+ return { key: 'right' };
327
+ case 0x44:
328
+ return { key: 'left' };
329
+ case 0x48:
330
+ return { key: 'home' };
331
+ case 0x46:
332
+ return { key: 'end' };
333
+ default:
334
+ return { key: 'unknown', raw: new Uint8Array([0x1b, 0x4f, b]) };
335
+ }
336
+ };
337
+ // ---------------------------------------------------------------------------
338
+ // CSI output helpers
339
+ // ---------------------------------------------------------------------------
340
+ /** Move cursor up N rows. */
341
+ export const csiUp = (n) => (n > 0 ? `\x1b[${n}A` : '');
342
+ /** Move cursor down N rows. */
343
+ export const csiDown = (n) => (n > 0 ? `\x1b[${n}B` : '');
344
+ /** Move cursor right N columns. */
345
+ export const csiRight = (n) => (n > 0 ? `\x1b[${n}C` : '');
346
+ /** Move cursor left N columns. */
347
+ export const csiLeft = (n) => (n > 0 ? `\x1b[${n}D` : '');
348
+ /** Move cursor to column N (1-based). */
349
+ export const csiToColumn = (col) => `\x1b[${col}G`;
350
+ /** Erase from cursor to end-of-line. */
351
+ export const csiEraseToEol = () => '\x1b[K';
352
+ /** Erase entire screen and move cursor to home. */
353
+ export const csiClearScreen = () => '\x1b[2J\x1b[H';
354
+ /** Carriage return: move to column 1 without writing a newline. */
355
+ export const CR = '\r';
356
+ /** Newline (LF). */
357
+ export const LF = '\n';
358
+ /** Enable bracketed paste mode (DEC private mode 2004). */
359
+ export const enableBracketedPaste = () => '\x1b[?2004h';
360
+ /** Disable bracketed paste mode. */
361
+ export const disableBracketedPaste = () => '\x1b[?2004l';
362
+ /** Audible bell. */
363
+ export const BEL = '\x07';
@@ -0,0 +1,202 @@
1
+ /**
2
+ * `~/.pgpass` password-file support.
3
+ *
4
+ * TypeScript port of the relevant portion of `src/interfaces/libpq/fe-connect.c`
5
+ * (`passwordFromFile`) plus the path/permission rules described in upstream
6
+ * psql's docs (`doc/src/sgml/libpq.sgml`, "The Password File" chapter).
7
+ *
8
+ * On-disk format:
9
+ *
10
+ * host:port:database:user:password
11
+ *
12
+ * - One entry per line.
13
+ * - Comments start with `#` and run to the end of the line.
14
+ * - Any field may be `*` to match anything.
15
+ * - A literal `:` or `\` in any field must be escaped with `\` (so a password
16
+ * containing `:` is written `\:`, a literal `\` becomes `\\`). The escape
17
+ * applies after the `#` stripping but before field splitting — libpq itself
18
+ * only honours the escape during field tokenisation.
19
+ *
20
+ * Permission check (POSIX only):
21
+ *
22
+ * libpq refuses to read a .pgpass with group or world read/write bits set.
23
+ * The exact check is `(st.st_mode & (S_IRWXG | S_IRWXO))` — i.e. `0o077`
24
+ * masked against the mode. We mirror that: if any of those bits are set we
25
+ * skip the file and emit a single warning to stderr. Windows skips the check
26
+ * entirely (libpq does the same — `geteuid` / `S_IRWXG` aren't portable).
27
+ */
28
+ import { promises as fs } from 'node:fs';
29
+ import * as os from 'node:os';
30
+ import * as path from 'node:path';
31
+ const isWindows = process.platform === 'win32';
32
+ /**
33
+ * Return the default `.pgpass` path:
34
+ *
35
+ * - `$PGPASSFILE` if set and non-empty
36
+ * - `%APPDATA%\postgresql\pgpass.conf` on Windows
37
+ * - `$HOME/.pgpass` (falling back to `os.homedir()`) otherwise
38
+ *
39
+ * Pure function — `env` defaults to `process.env` but can be injected for
40
+ * tests.
41
+ */
42
+ export const defaultPgPassPath = (env = process.env) => {
43
+ const explicit = env.PGPASSFILE;
44
+ if (explicit !== undefined && explicit.length > 0)
45
+ return explicit;
46
+ if (isWindows) {
47
+ const appdata = env.APPDATA;
48
+ if (appdata !== undefined && appdata.length > 0) {
49
+ return path.join(appdata, 'postgresql', 'pgpass.conf');
50
+ }
51
+ // Fall through to homedir() if APPDATA isn't set — degrade gracefully on
52
+ // a minimally configured Windows session.
53
+ }
54
+ const home = env.HOME ?? os.homedir();
55
+ return path.join(home, '.pgpass');
56
+ };
57
+ /**
58
+ * Split a `.pgpass` line into its five fields, respecting `\:` and `\\`
59
+ * escapes. Returns `null` for lines that don't yield exactly five fields
60
+ * (malformed entries are silently ignored, matching libpq).
61
+ *
62
+ * Escape semantics (mirroring libpq's `passwordFromFile`):
63
+ * - `\X` for any X consumes the backslash and emits X literally; the only
64
+ * escapes intended for `.pgpass` are `\:` (literal colon) and `\\`
65
+ * (literal backslash), but libpq's decoder is lenient.
66
+ * - A trailing backslash at end-of-line is dropped.
67
+ */
68
+ /** Un-escape `\X` → `X` (a trailing lone backslash is kept). */
69
+ const decodeBackslashes = (s) => {
70
+ let out = '';
71
+ for (let i = 0; i < s.length; i++) {
72
+ if (s[i] === '\\' && i + 1 < s.length) {
73
+ out += s[i + 1];
74
+ i += 1;
75
+ continue;
76
+ }
77
+ out += s[i];
78
+ }
79
+ return out;
80
+ };
81
+ const splitLine = (line) => {
82
+ // Split on UN-escaped `:` only, PRESERVING backslashes inside each field.
83
+ // The match fields (host/port/database/user) are kept RAW so the wildcard
84
+ // test can distinguish a bare `*` (wildcard) from `\*` (literal `*`) — see
85
+ // fieldMatches / review item #21. libpq does the same: its wildcard check
86
+ // is `strcmp(rawtoken, "*")`, and unescaping happens only during the
87
+ // char-by-char comparison. The password is the returned secret, so it is
88
+ // fully decoded here.
89
+ const fields = [];
90
+ let current = '';
91
+ for (let i = 0; i < line.length; i++) {
92
+ const ch = line[i];
93
+ if (ch === '\\' && i + 1 < line.length) {
94
+ current += '\\' + line[i + 1];
95
+ i += 1;
96
+ continue;
97
+ }
98
+ if (ch === ':') {
99
+ fields.push(current);
100
+ current = '';
101
+ continue;
102
+ }
103
+ current += ch;
104
+ }
105
+ fields.push(current);
106
+ if (fields.length !== 5)
107
+ return null;
108
+ return {
109
+ host: fields[0],
110
+ port: fields[1],
111
+ database: fields[2],
112
+ user: fields[3],
113
+ password: decodeBackslashes(fields[4]),
114
+ };
115
+ };
116
+ /**
117
+ * Read and parse a `.pgpass` file. Resolves to `[]` for:
118
+ *
119
+ * - missing file (ENOENT / ENOTDIR)
120
+ * - empty file
121
+ * - permission gate failure on POSIX (a warning is written to `stderr`)
122
+ *
123
+ * Other I/O errors (EACCES on a directory we can stat, EIO, …) also resolve
124
+ * to `[]` since libpq treats `.pgpass` as best-effort: a missing or
125
+ * unreadable file just falls through to the next password source.
126
+ */
127
+ export const loadPgPass = async (filePath, opts) => {
128
+ const env = opts?.env ?? process.env;
129
+ const stderr = opts?.stderr ?? process.stderr;
130
+ const resolved = filePath ?? defaultPgPassPath(env);
131
+ // Stat the file first so we can do the permission check before opening it.
132
+ // If it doesn't exist, bail out silently.
133
+ let stat;
134
+ try {
135
+ stat = await fs.stat(resolved);
136
+ }
137
+ catch (err) {
138
+ const code = err.code;
139
+ if (code === 'ENOENT' || code === 'ENOTDIR')
140
+ return [];
141
+ return [];
142
+ }
143
+ if (!stat.isFile())
144
+ return [];
145
+ if (!isWindows && (stat.mode & 0o077) !== 0) {
146
+ stderr.write(`WARNING: password file "${resolved}" has group or world access; permissions should be u=rw (0600) or less\n`);
147
+ return [];
148
+ }
149
+ let raw;
150
+ try {
151
+ raw = await fs.readFile(resolved, 'utf8');
152
+ }
153
+ catch {
154
+ return [];
155
+ }
156
+ const entries = [];
157
+ for (const line of raw.split(/\r?\n/)) {
158
+ const trimmed = line.replace(/^\s+/, '');
159
+ if (trimmed.length === 0)
160
+ continue;
161
+ if (trimmed.startsWith('#'))
162
+ continue;
163
+ const entry = splitLine(trimmed);
164
+ if (entry !== null)
165
+ entries.push(entry);
166
+ }
167
+ return entries;
168
+ };
169
+ /**
170
+ * Match a single field. `*` matches anything; otherwise an exact comparison.
171
+ */
172
+ const fieldMatches = (pattern, value) =>
173
+ // A bare `*` is the wildcard; `\*` decodes to a LITERAL `*` (review #21).
174
+ pattern === '*' || decodeBackslashes(pattern) === value;
175
+ /**
176
+ * Look up a password entry for the given `target`. Returns the first matching
177
+ * entry's password, or `undefined` if nothing matches.
178
+ *
179
+ * Match semantics mirror libpq:
180
+ * - Fields are compared exactly (no wildcards beyond `*`).
181
+ * - `port` is compared as a string against the target's numeric port.
182
+ * - Entries are scanned top-to-bottom; the first match wins (so callers
183
+ * should write specific entries before generic ones).
184
+ */
185
+ export const lookupPgPass = (entries, target) => {
186
+ const portStr = String(target.port);
187
+ for (const e of entries) {
188
+ if (!fieldMatches(e.host, target.host))
189
+ continue;
190
+ if (!fieldMatches(e.port, portStr))
191
+ continue;
192
+ if (!fieldMatches(e.database, target.database))
193
+ continue;
194
+ if (!fieldMatches(e.user, target.user))
195
+ continue;
196
+ // The password field is returned literally (already decoded by
197
+ // splitLine). It may be empty — libpq still treats that as "found a
198
+ // match"; we mirror that.
199
+ return e.password;
200
+ }
201
+ return undefined;
202
+ };