npm - pgserve - Versions diffs - 2.1.3 → 2.2.1 - Mend

pgserve 2.1.3 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (235) hide show

package/CHANGELOG.md +96 -0
package/README.md +105 -1
package/bin/autopg-wrapper.cjs +16 -0
package/bin/pgserve-wrapper.cjs +32 -6
package/bin/postgres-server.js +56 -0
package/console/README.md +131 -0
package/console/api.js +173 -0
package/console/app.jsx +483 -0
package/console/colors_and_type.css +227 -0
package/console/components.jsx +167 -0
package/console/console.css +1666 -0
package/console/data.jsx +350 -0
package/console/index.html +31 -0
package/console/screens/databases.jsx +5 -0
package/console/screens/health.jsx +5 -0
package/console/screens/ingress.jsx +5 -0
package/console/screens/optimizer.jsx +5 -0
package/console/screens/rlm-sim.jsx +5 -0
package/console/screens/rlm-trace.jsx +5 -0
package/console/screens/security.jsx +5 -0
package/console/screens/settings.jsx +611 -0
package/console/screens/sql.jsx +5 -0
package/console/screens/sync.jsx +5 -0
package/console/screens/tables.jsx +5 -0
package/console/tweaks-panel.jsx +425 -0
package/package.json +14 -2
package/scripts/postinstall.cjs +60 -0
package/src/cli-config.cjs +310 -0
package/src/cli-install.cjs +112 -11
package/src/cli-restart.cjs +228 -0
package/src/cli-ui.cjs +580 -0
package/src/cluster.js +43 -38
package/src/postgres.js +141 -19
package/src/settings-loader.cjs +235 -0
package/src/settings-migrate.cjs +212 -0
package/src/settings-pg-args.cjs +146 -0
package/src/settings-schema.cjs +422 -0
package/src/settings-validator.cjs +416 -0
package/src/settings-writer.cjs +288 -0
package/src/upgrade/index.js +65 -0
package/src/upgrade/runner.js +23 -0
package/src/upgrade/steps/binary-cache-flush.js +67 -0
package/src/upgrade/steps/consumer-signal.js +40 -0
package/src/upgrade/steps/env-refresh.js +89 -0
package/src/upgrade/steps/health-validate.js +53 -0
package/src/upgrade/steps/plpgsql-resolve.js +66 -0
package/src/upgrade/steps/port-reconcile.js +52 -0
package/.claude/context/windows-debug.md +0 -119
package/.genie/AGENTS.md +0 -15
package/.genie/agents/README.md +0 -110
package/.genie/agents/analyze.md +0 -176
package/.genie/agents/forge.md +0 -290
package/.genie/agents/garbage-cleaner.md +0 -324
package/.genie/agents/garbage-collector.md +0 -596
package/.genie/agents/github-issue-gc.md +0 -618
package/.genie/agents/review.md +0 -380
package/.genie/agents/semantic-analyzer/find-duplicates.md +0 -90
package/.genie/agents/semantic-analyzer/find-orphans.md +0 -99
package/.genie/agents/semantic-analyzer.md +0 -101
package/.genie/agents/update.md +0 -182
package/.genie/agents/wish.md +0 -357
package/.genie/brainstorms/pgserve-v2/DESIGN.md +0 -174
package/.genie/code/AGENTS.md +0 -694
package/.genie/code/agents/audit/risk.md +0 -173
package/.genie/code/agents/audit/security.md +0 -189
package/.genie/code/agents/audit.md +0 -145
package/.genie/code/agents/challenge.md +0 -230
package/.genie/code/agents/change-reviewer.md +0 -295
package/.genie/code/agents/code-garbage-collector.md +0 -425
package/.genie/code/agents/code-quality.md +0 -410
package/.genie/code/agents/commit-suggester.md +0 -255
package/.genie/code/agents/commit.md +0 -124
package/.genie/code/agents/consensus.md +0 -204
package/.genie/code/agents/daily-standup.md +0 -722
package/.genie/code/agents/docgen.md +0 -48
package/.genie/code/agents/explore.md +0 -79
package/.genie/code/agents/fix.md +0 -100
package/.genie/code/agents/git/commit-advisory.md +0 -219
package/.genie/code/agents/git/workflows/issue.md +0 -244
package/.genie/code/agents/git/workflows/pr.md +0 -179
package/.genie/code/agents/git/workflows/release.md +0 -460
package/.genie/code/agents/git/workflows/report.md +0 -342
package/.genie/code/agents/git.md +0 -432
package/.genie/code/agents/implementor.md +0 -161
package/.genie/code/agents/install.md +0 -515
package/.genie/code/agents/issue-creator.md +0 -344
package/.genie/code/agents/polish.md +0 -116
package/.genie/code/agents/qa.md +0 -653
package/.genie/code/agents/refactor.md +0 -294
package/.genie/code/agents/release.md +0 -1129
package/.genie/code/agents/roadmap.md +0 -885
package/.genie/code/agents/tests.md +0 -557
package/.genie/code/agents/tracer.md +0 -50
package/.genie/code/agents/update/upstream-update.md +0 -85
package/.genie/code/agents/update/versions/generic-update.md +0 -305
package/.genie/code/agents/vibe.md +0 -1317
package/.genie/code/spells/agent-configuration.md +0 -58
package/.genie/code/spells/automated-rc-publishing.md +0 -106
package/.genie/code/spells/branch-tracker-guidance.md +0 -28
package/.genie/code/spells/debug.md +0 -320
package/.genie/code/spells/emoji-naming-convention.md +0 -303
package/.genie/code/spells/evidence-storage.md +0 -26
package/.genie/code/spells/file-naming-rules.md +0 -35
package/.genie/code/spells/forge-code-blueprints.md +0 -195
package/.genie/code/spells/genie-integration.md +0 -153
package/.genie/code/spells/publishing-protocol.md +0 -61
package/.genie/code/spells/team-consultation-protocol.md +0 -284
package/.genie/code/spells/tool-requirements.md +0 -20
package/.genie/code/spells/triad-maintenance-protocol.md +0 -154
package/.genie/code/teams/tech-council/council.md +0 -328
package/.genie/code/teams/tech-council/jt.md +0 -352
package/.genie/code/teams/tech-council/nayr.md +0 -305
package/.genie/code/teams/tech-council/oettam.md +0 -375
package/.genie/neurons/README.md +0 -193
package/.genie/neurons/forge.md +0 -106
package/.genie/neurons/genie.md +0 -63
package/.genie/neurons/review.md +0 -106
package/.genie/neurons/wish.md +0 -104
package/.genie/product/README.md +0 -20
package/.genie/product/cli-automation.md +0 -359
package/.genie/product/environment.md +0 -60
package/.genie/product/mission.md +0 -60
package/.genie/product/roadmap.md +0 -44
package/.genie/product/tech-stack.md +0 -34
package/.genie/product/templates/context-template.md +0 -218
package/.genie/product/templates/qa-done-report-template.md +0 -68
package/.genie/product/templates/review-report-template.md +0 -89
package/.genie/product/templates/wish-template.md +0 -120
package/.genie/scripts/helpers/analyze-commit.js +0 -195
package/.genie/scripts/helpers/bullet-counter.js +0 -194
package/.genie/scripts/helpers/bullet-find.js +0 -289
package/.genie/scripts/helpers/bullet-id.js +0 -244
package/.genie/scripts/helpers/check-secrets.js +0 -237
package/.genie/scripts/helpers/count-tokens.js +0 -200
package/.genie/scripts/helpers/create-frontmatter.js +0 -456
package/.genie/scripts/helpers/detect-markers.js +0 -293
package/.genie/scripts/helpers/detect-todos.js +0 -267
package/.genie/scripts/helpers/detect-unlabeled-blocks.js +0 -135
package/.genie/scripts/helpers/embeddings.js +0 -344
package/.genie/scripts/helpers/find-empty-sections.js +0 -158
package/.genie/scripts/helpers/index.js +0 -319
package/.genie/scripts/helpers/validate-frontmatter.js +0 -578
package/.genie/scripts/helpers/validate-links.js +0 -207
package/.genie/scripts/helpers/validate-paths.js +0 -373
package/.genie/spells/README.md +0 -9
package/.genie/spells/ace-protocol.md +0 -118
package/.genie/spells/ask-one-at-a-time.md +0 -175
package/.genie/spells/backup-analyzer.md +0 -542
package/.genie/spells/blocker.md +0 -12
package/.genie/spells/break-things-move-fast.md +0 -56
package/.genie/spells/context-candidates.md +0 -72
package/.genie/spells/context-critic.md +0 -51
package/.genie/spells/defer-to-expertise.md +0 -278
package/.genie/spells/delegate-dont-do.md +0 -292
package/.genie/spells/error-investigation-protocol.md +0 -328
package/.genie/spells/evidence-based-completion.md +0 -273
package/.genie/spells/experiment.md +0 -65
package/.genie/spells/file-creation-protocol.md +0 -229
package/.genie/spells/forge-integration.md +0 -281
package/.genie/spells/forge-orchestration.md +0 -514
package/.genie/spells/gather-context.md +0 -18
package/.genie/spells/global-health-check.md +0 -34
package/.genie/spells/global-noop-roundtrip.md +0 -25
package/.genie/spells/install-genie.md +0 -1232
package/.genie/spells/install.md +0 -82
package/.genie/spells/investigate-before-commit.md +0 -112
package/.genie/spells/know-yourself.md +0 -288
package/.genie/spells/learn.md +0 -828
package/.genie/spells/mcp-diagnostic-protocol.md +0 -246
package/.genie/spells/mcp-first.md +0 -124
package/.genie/spells/multi-step-execution.md +0 -67
package/.genie/spells/orchestration-boundary-protocol.md +0 -256
package/.genie/spells/orchestrator-not-implementor.md +0 -189
package/.genie/spells/prompt.md +0 -746
package/.genie/spells/reflect.md +0 -404
package/.genie/spells/routing-decision-matrix.md +0 -368
package/.genie/spells/run-in-parallel.md +0 -12
package/.genie/spells/session-state-updater-example.md +0 -196
package/.genie/spells/session-state-updater.md +0 -220
package/.genie/spells/track-long-running-tasks.md +0 -133
package/.genie/spells/troubleshoot-infrastructure.md +0 -176
package/.genie/spells/upgrade-genie.md +0 -415
package/.genie/spells/url-presentation-protocol.md +0 -301
package/.genie/spells/wish-initiation.md +0 -158
package/.genie/spells/wish-issue-linkage.md +0 -410
package/.genie/spells/wish-lifecycle.md +0 -100
package/.genie/state/provider-status.json +0 -3
package/.genie/state/version.json +0 -16
package/.genie/wishes/canonical-pgserve-pm2-supervision/WISH.md +0 -290
package/.genie/wishes/pgserve-v2/BRIEF-from-genie-pgserve.md +0 -99
package/.genie/wishes/pgserve-v2/WISH.md +0 -442
package/.genie/wishes/release-system-genie-pattern/WISH.md +0 -268
package/.genie/wishes/release-system-genie-pattern/validation.md +0 -205
package/.gitguardian.yaml +0 -29
package/.gitguardianignore +0 -16
package/.github/workflows/ci.yml +0 -122
package/.github/workflows/release.yml +0 -289
package/.github/workflows/version.yml +0 -228
package/.husky/pre-commit +0 -2
package/AGENTS.md +0 -433
package/CLAUDE.md +0 -1
package/Makefile +0 -285
package/assets/icon.ico +0 -0
package/bun.lock +0 -435
package/bunfig.toml +0 -28
package/ecosystem.config.cjs +0 -23
package/eslint.config.js +0 -63
package/examples/multi-tenant-demo.js +0 -104
package/install.sh +0 -123
package/knip.json +0 -9
package/tests/audit.test.js +0 -189
package/tests/backpressure.test.js +0 -167
package/tests/benchmarks/runner.js +0 -1197
package/tests/benchmarks/vector-generator.js +0 -368
package/tests/cli-install.test.js +0 -322
package/tests/control-db.test.js +0 -285
package/tests/daemon-args.test.js +0 -86
package/tests/daemon-control.test.js +0 -171
package/tests/daemon-fingerprint-integration.test.js +0 -111
package/tests/daemon-pr24-regression.test.js +0 -198
package/tests/fingerprint.test.js +0 -263
package/tests/fixtures/240-orphan-seed.sql +0 -30
package/tests/multi-tenant.test.js +0 -374
package/tests/orphan-cleanup.test.js +0 -390
package/tests/pg-version-regex.test.js +0 -129
package/tests/quick-bench.js +0 -135
package/tests/router-handshake-retry.test.js +0 -119
package/tests/router-handshake-watchdog.test.js +0 -110
package/tests/sdk.test.js +0 -71
package/tests/stale-postmaster-pid.test.js +0 -85
package/tests/stress-test.js +0 -439
package/tests/sync-perf-test.js +0 -150
package/tests/tcp-listen.test.js +0 -368
package/tests/tenancy.test.js +0 -403
package/tests/wrapper-supervision.test.js +0 -107

package/tests/tcp-listen.test.js DELETED Viewed

@@ -1,368 +0,0 @@
-/**
- * Group 6 — opt-in TCP listener + bearer-token auth.
- *
- * Coverage matches the wish acceptance criteria:
- *   • TCP connect without token denied (audit `tcp_token_denied`).
- *   • TCP connect with correct token reaches the right fingerprint's DB
- *     (audit `tcp_token_used`, libpq round-trips through the proxy).
- *   • Token revoke via revokeAllowedToken works (denies subsequent connects).
- *   • Without `--listen`, no TCP port bound (lifecycle assertion).
- */
-import { describe, test, expect } from 'bun:test';
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-import net from 'net';
-import pg from 'pg';
-import {
-  PgserveDaemon,
-  resolveControlSocketPath,
-  resolvePidLockPath,
-  normalizeTcpListens,
-} from '../src/daemon.js';
-import { createLogger } from '../src/logger.js';
-import { configureAudit, AUDIT_EVENTS } from '../src/audit.js';
-import { recordDbCreated, addAllowedToken, revokeAllowedToken } from '../src/control-db.js';
-import { hashToken, parseTcpAuth } from '../src/tokens.js';
-const { Client } = pg;
-function silentLogger() {
-  return createLogger({ level: process.env.PGSERVE_TEST_LOG || 'warn' });
-}
-function makeIsolated(tag) {
-  const dir = path.join(os.tmpdir(), `pgserve-tcp-${tag}-${process.pid}-${Date.now()}`);
-  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
-  return dir;
-}
-function readAuditLines(logFile) {
-  if (!fs.existsSync(logFile)) return [];
-  return fs.readFileSync(logFile, 'utf8')
-    .split('\n')
-    .filter(Boolean)
-    .map((l) => JSON.parse(l));
-}
-async function pollForAudit(logFile, predicate, deadlineMs = 1500) {
-  const deadline = Date.now() + deadlineMs;
-  while (Date.now() < deadline) {
-    const lines = readAuditLines(logFile);
-    const hit = lines.find(predicate);
-    if (hit) return hit;
-    await new Promise(r => setTimeout(r, 25));
-  }
-  return null;
-}
-function freeTcpPort() {
-  return new Promise((resolve, reject) => {
-    const srv = net.createServer();
-    srv.unref();
-    srv.on('error', reject);
-    srv.listen(0, '127.0.0.1', () => {
-      const { port } = srv.address();
-      srv.close(() => resolve(port));
-    });
-  });
-}
-function findAuditEvent(logFile, event) {
-  return readAuditLines(logFile).filter((e) => e.event === event);
-}
-// --------------------------------------------------------------------------
-// Pure-input tests: parseTcpAuth + normalizeTcpListens — no daemon required.
-// --------------------------------------------------------------------------
-describe('Group 6 — token + listen parsers', () => {
-  test('parseTcpAuth accepts ?fingerprint=&token= form', () => {
-    const out = parseTcpAuth('?fingerprint=abc123def456&token=secret');
-    expect(out).toEqual({ fingerprint: 'abc123def456', token: 'secret' });
-  });
-  test('parseTcpAuth accepts the prefix-less form', () => {
-    const out = parseTcpAuth('fingerprint=abc123def456&token=secret');
-    expect(out).toEqual({ fingerprint: 'abc123def456', token: 'secret' });
-  });
-  test('parseTcpAuth rejects malformed inputs', () => {
-    expect(parseTcpAuth(null)).toBeNull();
-    expect(parseTcpAuth('')).toBeNull();
-    expect(parseTcpAuth('fingerprint=abc&token=secret')).toBeNull();   // not 12 hex
-    expect(parseTcpAuth('fingerprint=abc123def456')).toBeNull();       // missing token
-    expect(parseTcpAuth('token=secret')).toBeNull();                   // missing fingerprint
-    expect(parseTcpAuth('fingerprint=ZZZZZZZZZZZZ&token=x')).toBeNull(); // non-hex
-  });
-  test('normalizeTcpListens parses every documented form', () => {
-    expect(normalizeTcpListens(undefined)).toEqual([]);
-    expect(normalizeTcpListens('5432')).toEqual([{ host: '0.0.0.0', port: 5432 }]);
-    expect(normalizeTcpListens(':5432')).toEqual([{ host: '0.0.0.0', port: 5432 }]);
-    expect(normalizeTcpListens('127.0.0.1:5432')).toEqual([{ host: '127.0.0.1', port: 5432 }]);
-    expect(normalizeTcpListens(['127.0.0.1:6000', ':6001'])).toEqual([
-      { host: '127.0.0.1', port: 6000 },
-      { host: '0.0.0.0', port: 6001 },
-    ]);
-  });
-  test('normalizeTcpListens rejects invalid ports', () => {
-    expect(() => normalizeTcpListens('garbage')).toThrow();
-    expect(() => normalizeTcpListens(':99999')).toThrow();
-    expect(() => normalizeTcpListens(':0')).toThrow();
-  });
-});
-// --------------------------------------------------------------------------
-// End-to-end: daemon with --listen, real TCP psql-style connect.
-// --------------------------------------------------------------------------
-describe('Group 6 — daemon TCP path', () => {
-  test('without --listen no TCP port is bound', async () => {
-    const dir = makeIsolated('no-listen');
-    const auditLogFile = path.join(dir, 'audit.log');
-    const daemon = new PgserveDaemon({
-      controlSocketDir: dir,
-      controlSocketPath: resolveControlSocketPath(dir),
-      pidLockPath: resolvePidLockPath(dir),
-      pgPort: 16200,
-      auditLogFile,
-      auditTarget: 'file',
-      logger: silentLogger(),
-    });
-    await daemon.start();
-    try {
-      expect(daemon.tcpServers.length).toBe(0);
-      expect(daemon.tcpListens).toEqual([]);
-    } finally {
-      await daemon.stop();
-      configureAudit({
-        logFile: path.join(os.homedir(), '.pgserve', 'audit.log'),
-        target: process.env.PGSERVE_AUDIT_TARGET || 'file',
-      });
-      fs.rmSync(dir, { recursive: true, force: true });
-    }
-  });
-  test('TCP connect without token is denied + audited', async () => {
-    const dir = makeIsolated('deny');
-    const auditLogFile = path.join(dir, 'audit.log');
-    const tcpPort = await freeTcpPort();
-    const daemon = new PgserveDaemon({
-      controlSocketDir: dir,
-      controlSocketPath: resolveControlSocketPath(dir),
-      pidLockPath: resolvePidLockPath(dir),
-      pgPort: 16210,
-      auditLogFile,
-      auditTarget: 'file',
-      tcpListens: [`127.0.0.1:${tcpPort}`],
-      logger: silentLogger(),
-    });
-    await daemon.start();
-    try {
-      expect(daemon.tcpServers.length).toBe(1);
-      // Spin up a libpq client without an application_name token. The
-      // daemon must close the connection before the handshake completes.
-      const client = new Client({
-        host: '127.0.0.1',
-        port: tcpPort,
-        database: 'postgres',
-        user: 'postgres',
-        password: 'postgres',
-        connectionTimeoutMillis: 1000,
-      });
-      let captured;
-      try {
-        await client.connect();
-        await client.query('SELECT 1');
-      } catch (err) {
-        captured = err;
-      } finally {
-        try { await client.end(); } catch { /* swallow */ }
-      }
-      expect(captured).toBeDefined();
-      const denied = await pollForAudit(
-        auditLogFile,
-        (e) => e.event === AUDIT_EVENTS.TCP_TOKEN_DENIED,
-      );
-      expect(denied).not.toBeNull();
-      expect(denied.reason).toBeDefined();
-    } finally {
-      await daemon.stop();
-      configureAudit({
-        logFile: path.join(os.homedir(), '.pgserve', 'audit.log'),
-        target: process.env.PGSERVE_AUDIT_TARGET || 'file',
-      });
-      fs.rmSync(dir, { recursive: true, force: true });
-    }
-  });
-  test('TCP connect with valid token reaches the fingerprint DB', async () => {
-    const dir = makeIsolated('allow');
-    const auditLogFile = path.join(dir, 'audit.log');
-    const tcpPort = await freeTcpPort();
-    const fingerprint = 'a1b2c3d4e5f6';
-    const cleartext = 'super-secret-bearer-token';
-    const dbName = 'app_tcptest_a1b2c3d4e5f6';
-    const daemon = new PgserveDaemon({
-      controlSocketDir: dir,
-      controlSocketPath: resolveControlSocketPath(dir),
-      pidLockPath: resolvePidLockPath(dir),
-      pgPort: 16220,
-      auditLogFile,
-      auditTarget: 'file',
-      tcpListens: [`127.0.0.1:${tcpPort}`],
-      logger: silentLogger(),
-    });
-    await daemon.start();
-    try {
-      // Pre-seed pgserve_meta with a row for the fingerprint, then issue
-      // a token. Real production uses the issue-token CLI; the test goes
-      // through the same control-db path.
-      await daemon.pgManager.createDatabase(dbName);
-      await recordDbCreated(daemon._adminClient, {
-        databaseName: dbName,
-        fingerprint,
-        peerUid: process.getuid(),
-      });
-      await addAllowedToken(daemon._adminClient, {
-        fingerprint,
-        tokenId: 'token-id-1',
-        tokenHash: hashToken(cleartext),
-      });
-      // Connect via TCP with the token in application_name. Note: the
-      // libpq client requests `database: 'postgres'` — daemon must
-      // rewrite to the fingerprint's `dbName`.
-      const client = new Client({
-        host: '127.0.0.1',
-        port: tcpPort,
-        database: 'postgres',
-        user: 'postgres',
-        password: 'postgres',
-        application_name: `?fingerprint=${fingerprint}&token=${cleartext}`,
-        connectionTimeoutMillis: 2000,
-      });
-      await client.connect();
-      try {
-        const r = await client.query('SELECT current_database() AS db');
-        expect(r.rows[0].db).toBe(dbName);
-      } finally {
-        await client.end();
-      }
-      const used = await pollForAudit(
-        auditLogFile,
-        (e) => e.event === AUDIT_EVENTS.TCP_TOKEN_USED,
-      );
-      expect(used).not.toBeNull();
-      expect(used.fingerprint).toBe(fingerprint);
-      expect(used.token_id).toBe('token-id-1');
-      expect(used.database).toBe(dbName);
-    } finally {
-      await daemon.stop();
-      configureAudit({
-        logFile: path.join(os.homedir(), '.pgserve', 'audit.log'),
-        target: process.env.PGSERVE_AUDIT_TARGET || 'file',
-      });
-      fs.rmSync(dir, { recursive: true, force: true });
-    }
-  });
-  test('revoked token is denied on subsequent connects', async () => {
-    const dir = makeIsolated('revoke');
-    const auditLogFile = path.join(dir, 'audit.log');
-    const tcpPort = await freeTcpPort();
-    const fingerprint = 'feedfacecafe';
-    const cleartext = 'rotate-me';
-    const dbName = 'app_rev_feedfacecafe';
-    const daemon = new PgserveDaemon({
-      controlSocketDir: dir,
-      controlSocketPath: resolveControlSocketPath(dir),
-      pidLockPath: resolvePidLockPath(dir),
-      pgPort: 16230,
-      auditLogFile,
-      auditTarget: 'file',
-      tcpListens: [`127.0.0.1:${tcpPort}`],
-      logger: silentLogger(),
-    });
-    await daemon.start();
-    try {
-      await daemon.pgManager.createDatabase(dbName);
-      await recordDbCreated(daemon._adminClient, {
-        databaseName: dbName,
-        fingerprint,
-        peerUid: process.getuid(),
-      });
-      await addAllowedToken(daemon._adminClient, {
-        fingerprint,
-        tokenId: 'rev-token-1',
-        tokenHash: hashToken(cleartext),
-      });
-      // Sanity: token works pre-revoke.
-      const c1 = new Client({
-        host: '127.0.0.1',
-        port: tcpPort,
-        database: 'postgres',
-        user: 'postgres',
-        password: 'postgres',
-        application_name: `?fingerprint=${fingerprint}&token=${cleartext}`,
-        connectionTimeoutMillis: 2000,
-      });
-      await c1.connect();
-      await c1.query('SELECT 1');
-      await c1.end();
-      // Revoke the token; subsequent connect must fail and audit deny.
-      const auditCountBefore = findAuditEvent(auditLogFile, AUDIT_EVENTS.TCP_TOKEN_DENIED).length;
-      const affected = await revokeAllowedToken(daemon._adminClient, 'rev-token-1');
-      expect(affected).toBe(1);
-      const c2 = new Client({
-        host: '127.0.0.1',
-        port: tcpPort,
-        database: 'postgres',
-        user: 'postgres',
-        password: 'postgres',
-        application_name: `?fingerprint=${fingerprint}&token=${cleartext}`,
-        connectionTimeoutMillis: 1000,
-      });
-      let captured;
-      try {
-        await c2.connect();
-      } catch (err) {
-        captured = err;
-      } finally {
-        try { await c2.end(); } catch { /* swallow */ }
-      }
-      expect(captured).toBeDefined();
-      const deadline = Date.now() + 1500;
-      let auditCountAfter = auditCountBefore;
-      while (Date.now() < deadline) {
-        auditCountAfter = findAuditEvent(auditLogFile, AUDIT_EVENTS.TCP_TOKEN_DENIED).length;
-        if (auditCountAfter > auditCountBefore) break;
-        await new Promise(r => setTimeout(r, 25));
-      }
-      expect(auditCountAfter).toBeGreaterThan(auditCountBefore);
-    } finally {
-      await daemon.stop();
-      configureAudit({
-        logFile: path.join(os.homedir(), '.pgserve', 'audit.log'),
-        target: process.env.PGSERVE_AUDIT_TARGET || 'file',
-      });
-      fs.rmSync(dir, { recursive: true, force: true });
-    }
-  });
-});