pgserve 2.2.0 → 2.2.2

package/src/upgrade/steps/env-refresh.js

@@ -0,0 +1,89 @@
+/**
+ * Step 4 — App env file refresh. Regenerates ~/.autopg/<name>.env with
+ * canonical port. Verifies SCRAM cred works; warns if rotation needed.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { execSync } from 'node:child_process';
+
+export const name = 'env-refresh';
+const CANONICAL_PORT = 8432;
+
+function getAutopgRoot() {
+  return process.env.AUTOPG_CONFIG_DIR || process.env.PGSERVE_CONFIG_DIR || `${process.env.HOME}/.autopg`;
+}
+
+function listAppEnvFiles() {
+  const root = getAutopgRoot();
+  if (!fs.existsSync(root)) return [];
+  return fs.readdirSync(root)
+    .filter((f) => f.endsWith('.env') && !f.startsWith('.'))
+    .map((f) => path.join(root, f));
+}
+
+function parseEnv(content) {
+  const out = {};
+  for (const line of content.split('\n')) {
+    const m = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/);
+    if (m) out[m[1]] = m[2].replace(/^"(.*)"$/, '$1');
+  }
+  return out;
+}
+
+function buildUrl({ user, password, port, db }) {
+  const enc = (s) => encodeURIComponent(s);
+  return `postgresql://${enc(user)}:${enc(password)}@127.0.0.1:${port}/${db}`;
+}
+
+function tryConnect(url) {
+  try {
+    execSync(`psql ${JSON.stringify(url)} -At -c "SELECT 1"`, { stdio: 'pipe', env: process.env });
+    return true;
+  } catch { return false; }
+}
+
+export async function plan() {
+  const files = listAppEnvFiles();
+  if (files.length === 0) return 'no app .env files found in autopg root';
+  return `would verify+rewrite ${files.length} env file(s): ${files.map((f) => path.basename(f)).join(', ')}`;
+}
+
+export async function execute({ warn }) {
+  const files = listAppEnvFiles();
+  if (files.length === 0) return { status: 'SKIP', detail: 'no .env files' };
+
+  let updated = 0, valid = 0;
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, 'utf8');
+      const env = parseEnv(content);
+      const url = env.DATABASE_URL || env.PG_URL || env.POSTGRES_URL;
+      if (!url) {
+        warn(`[env-refresh] ${path.basename(file)}: no DATABASE_URL key`);
+        continue;
+      }
+      const parsed = new URL(url);
+      const newUrl = buildUrl({
+        user: decodeURIComponent(parsed.username),
+        password: decodeURIComponent(parsed.password),
+        port: CANONICAL_PORT,
+        db: parsed.pathname.replace(/^\//, ''),
+      });
+
+      if (tryConnect(newUrl)) {
+        valid++;
+        if (newUrl !== url) {
+          const newContent = content.replace(/^(DATABASE_URL|PG_URL|POSTGRES_URL)=.*/m, `$1=${newUrl}`);
+          fs.writeFileSync(file, newContent, { mode: 0o600 });
+          updated++;
+        }
+      } else {
+        warn(`[env-refresh] ${path.basename(file)}: SCRAM cred fails — rotate via \`autopg rotate <app>\``);
+      }
+    } catch (err) {
+      warn(`[env-refresh] ${path.basename(file)} failed: ${err.message}`);
+    }
+  }
+  return { status: 'OK', detail: `validated ${valid}/${files.length}, rewrote ${updated}` };
+}

package/src/upgrade/steps/health-validate.js

@@ -0,0 +1,53 @@
+/**
+ * Step 6 — Health validation. pg_isready + per-DB plpgsql smoke test.
+ */
+
+import { execSync } from 'node:child_process';
+
+export const name = 'health-validate';
+const CANONICAL_PORT = 8432;
+const SYSTEM_DBS = new Set(['template0', 'template1']);
+
+function pgIsReady() {
+  try { execSync(`pg_isready -h 127.0.0.1 -p ${CANONICAL_PORT}`, { stdio: 'pipe' }); return true; }
+  catch { return false; }
+}
+
+function listAllDbs() {
+  const env = { ...process.env, PGPASSWORD: process.env.PGPASSWORD || 'postgres' };
+  const out = execSync(
+    `psql -h 127.0.0.1 -p ${CANONICAL_PORT} -U postgres -At -c "SELECT datname FROM pg_database WHERE NOT datistemplate"`,
+    { env, stdio: ['ignore', 'pipe', 'pipe'] },
+  ).toString().trim();
+  return out ? out.split('\n').filter(Boolean) : [];
+}
+
+function plpgsqlSmoke(db) {
+  try {
+    const env = { ...process.env, PGPASSWORD: process.env.PGPASSWORD || 'postgres' };
+    execSync(
+      `psql -h 127.0.0.1 -p ${CANONICAL_PORT} -U postgres -d ${db} -At -c "DO \\$\\$ BEGIN RAISE NOTICE 'ok'; END; \\$\\$"`,
+      { env, stdio: 'pipe' },
+    );
+    return true;
+  } catch { return false; }
+}
+
+export async function plan() {
+  return `would check pg_isready on :${CANONICAL_PORT} + plpgsql smoke test in each user DB`;
+}
+
+export async function execute({ warn }) {
+  if (!pgIsReady()) return { status: 'FAIL', detail: `pg_isready failed on port ${CANONICAL_PORT}` };
+  let dbs;
+  try { dbs = listAllDbs(); } catch (err) { return { status: 'FAIL', detail: `cannot list DBs: ${err.message}` }; }
+
+  let pass = 0, fail = 0;
+  for (const db of dbs) {
+    if (SYSTEM_DBS.has(db)) continue;
+    if (plpgsqlSmoke(db)) pass++;
+    else { fail++; warn(`[health-validate] plpgsql smoke FAIL in ${db}`); }
+  }
+  if (fail > 0) return { status: 'FAIL', detail: `${pass}/${pass + fail} DBs healthy; ${fail} failure(s)` };
+  return { status: 'OK', detail: `pg_isready OK, plpgsql healthy in ${pass}/${pass} DBs` };
+}

package/src/upgrade/steps/plpgsql-resolve.js

@@ -0,0 +1,66 @@
+/**
+ * Step 3 — plpgsql extension re-resolve.
+ * DROP+CREATE plpgsql per user DB to refresh `.so` path against current $libdir.
+ * Skips DBs with user-owned plpgsql functions (CASCADE would drop them).
+ */
+
+import { execSync } from 'node:child_process';
+
+export const name = 'plpgsql-resolve';
+const CANONICAL_PORT = 8432;
+const SYSTEM_DBS = new Set(['postgres', 'template0', 'template1']);
+
+function pgQuery({ db, sql, captureStdout = false }) {
+  const env = { ...process.env, PGPASSWORD: process.env.PGPASSWORD || 'postgres' };
+  const cmd = `psql -h 127.0.0.1 -p ${CANONICAL_PORT} -U postgres -d ${db} -At -c ${JSON.stringify(sql)}`;
+  return captureStdout
+    ? execSync(cmd, { env, stdio: ['ignore', 'pipe', 'pipe'] }).toString().trim()
+    : execSync(cmd, { env, stdio: 'pipe' });
+}
+
+function listUserDbs() {
+  const out = pgQuery({
+    db: 'postgres',
+    sql: "SELECT datname FROM pg_database WHERE NOT datistemplate AND datname != 'postgres' ORDER BY datname",
+    captureStdout: true,
+  });
+  return out ? out.split('\n').filter(Boolean) : [];
+}
+
+function hasUserOwnedPlpgsqlFunctions(db) {
+  const out = pgQuery({
+    db,
+    sql: "SELECT count(*) FROM pg_proc p JOIN pg_language l ON p.prolang = l.oid WHERE l.lanname = 'plpgsql' AND p.proowner != 10",
+    captureStdout: true,
+  });
+  return parseInt(out, 10) > 0;
+}
+
+export async function plan() {
+  let dbs;
+  try { dbs = listUserDbs(); } catch (err) { return `cannot enumerate DBs: ${err.message}`; }
+  return `would DROP+CREATE plpgsql in ${dbs.length} user DB(s): ${dbs.join(', ')}`;
+}
+
+export async function execute({ warn }) {
+  let dbs;
+  try { dbs = listUserDbs(); } catch (err) { return { status: 'FAIL', detail: `cannot enumerate DBs: ${err.message}` }; }
+  if (dbs.length === 0) return { status: 'SKIP', detail: 'no user DBs to refresh' };
+
+  let refreshed = 0, skipped = 0;
+  for (const db of dbs) {
+    if (SYSTEM_DBS.has(db)) { skipped++; continue; }
+    try {
+      if (hasUserOwnedPlpgsqlFunctions(db)) {
+        warn(`[plpgsql-resolve] skip ${db}: user-owned plpgsql functions present (DROP CASCADE would lose them)`);
+        skipped++; continue;
+      }
+      pgQuery({ db, sql: 'DROP EXTENSION IF EXISTS plpgsql CASCADE; CREATE EXTENSION plpgsql' });
+      refreshed++;
+    } catch (err) {
+      warn(`[plpgsql-resolve] ${db} failed: ${err.message}`);
+      skipped++;
+    }
+  }
+  return { status: 'OK', detail: `refreshed ${refreshed} DB(s), skipped ${skipped}` };
+}

package/src/upgrade/steps/port-reconcile.js

@@ -0,0 +1,52 @@
+/**
+ * Step 1 — Port reconciliation. Ensures pgserve listens on canonical 8432.
+ * If running on a different port, stop and relaunch on 8432. Idempotent.
+ */
+
+import { execSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+
+export const name = 'port-reconcile';
+const CANONICAL_PORT = 8432;
+
+function readPostmasterPid(dataDir) {
+  try {
+    const content = fs.readFileSync(path.join(dataDir, 'postmaster.pid'), 'utf8');
+    const lines = content.trim().split('\n');
+    return { pid: parseInt(lines[0], 10), port: parseInt(lines[3], 10) };
+  } catch {
+    return null;
+  }
+}
+
+function getDataDir() {
+  return process.env.PGSERVE_DATA || `${process.env.HOME}/.pgserve/data`;
+}
+
+export async function plan() {
+  const info = readPostmasterPid(getDataDir());
+  if (!info) return 'no running pgserve detected — nothing to reconcile';
+  if (info.port === CANONICAL_PORT) return `already on port ${CANONICAL_PORT}, no action needed`;
+  return `would stop pgserve PID ${info.pid} (port ${info.port}) and relaunch on ${CANONICAL_PORT}`;
+}
+
+export async function execute({ log, warn }) {
+  const info = readPostmasterPid(getDataDir());
+  if (!info) return { status: 'SKIP', detail: 'no running pgserve' };
+  if (info.port === CANONICAL_PORT) return { status: 'SKIP', detail: `already on ${CANONICAL_PORT}` };
+
+  log(`stopping pgserve PID ${info.pid} (port ${info.port})`);
+  try {
+    execSync(`pm2 restart pgserve --update-env -- --port ${CANONICAL_PORT}`, { stdio: 'pipe' });
+    return { status: 'OK', detail: `pm2 restart pgserve on port ${CANONICAL_PORT}` };
+  } catch (pm2Err) {
+    warn(`pm2 restart failed (${pm2Err.message}) — falling back to direct pg_ctl`);
+    try {
+      execSync(`pg_ctl -D ${getDataDir()} -m fast stop`, { stdio: 'pipe' });
+      return { status: 'OK', detail: `stopped pgserve; relaunch via pm2 or autopg install` };
+    } catch (ctlErr) {
+      throw new Error(`port reconcile failed: pm2 (${pm2Err.message}) and pg_ctl (${ctlErr.message})`);
+    }
+  }
+}

package/console/README.md

@@ -1,131 +0,0 @@
-# `console/` — autopg console
-
-Local web console served by `autopg ui`. React + Babel via CDN, no build
-step. Single-user dev tool — binds 127.0.0.1 only, no auth, no TLS.
-
-## Run
-
-```bash
-autopg ui                 # walks 8433–8533 picking the first free port
-autopg ui --port 8500     # bind exactly 8500 or fail
-autopg ui --no-open       # skip browser launch (CI / headless)
-```
-
-`pgserve ui …` is a forever alias of the same command.
-
-The server boots in-process via `node:http` and serves this directory as
-its document root. Four helper endpoints are mounted alongside the static
-assets — every mutation shells out to the CLI rather than calling the
-daemon directly, so the console works with or without a running daemon.
-
-| Endpoint | Backed by |
-|----------|-----------|
-| `GET /api/settings` | `loadEffectiveConfig()` → `{ settings, sources, etag }` |
-| `PUT /api/settings` | `writeSettings(body, { ifMatch })` (409 on stale `If-Match`) |
-| `POST /api/restart` | `cli-restart.cjs` (pm2-aware) |
-| `GET /api/status`   | shells out to `autopg status --json` |
-
-## Layout
-
-```
-console/
-├── README.md                   # this file
-├── index.html                  # entry — pinned React + Babel CDN scripts
-├── app.jsx                     # shell + sidebar router (11 routes)
-├── api.js                      # fetch wrapper, holds latest etag, surfaces ETAG_MISMATCH
-├── components.jsx              # shared widgets (Seg, Toggle, Field, …)
-├── data.jsx                    # demo data fixtures (used by placeholder screens)
-├── tweaks-panel.jsx            # theme/phosphor/density/CRT toggles (persists to settings.ui)
-├── colors_and_type.css         # design tokens
-├── console.css                 # layout + screen styles
-└── screens/
-    ├── settings.jsx            # ✅ functional — 6-section schema editor
-    ├── databases.jsx           # [ coming soon ]
-    ├── tables.jsx              # [ coming soon ]
-    ├── sql.jsx                 # [ coming soon ]
-    ├── optimizer.jsx           # [ coming soon ]
-    ├── security.jsx            # [ coming soon ]
-    ├── ingress.jsx             # [ coming soon ]
-    ├── health.jsx              # [ coming soon ] — next wish
-    ├── sync.jsx                # [ coming soon ]
-    ├── rlm-trace.jsx           # [ coming soon ]
-    └── rlm-sim.jsx             # [ coming soon ]
-```
-
-## Screen rollout
-
-| Screen | Status | Notes |
-|--------|--------|-------|
-| Settings | ✅ functional | 6 sections, type-aware controls, raw GUC passthrough, etag concurrency, env-override chip |
-| Health | 🟡 next | Live cluster health metrics — next wish |
-| Databases | ⚪ placeholder | List + create + drop |
-| Tables | ⚪ placeholder | Per-DB table inspector |
-| SQL | ⚪ placeholder | Ad-hoc query runner |
-| Optimizer | ⚪ placeholder | Plan inspector / GUC tuner suggestions |
-| Security | ⚪ placeholder | Roles, RLS, audit log |
-| Ingress | ⚪ placeholder | Listener / TLS / token surface |
-| Sync | ⚪ placeholder | Replication-slot status |
-| RLM-trace | ⚪ placeholder | RLM agent trace viewer (depends on rlmx) |
-| RLM-sim | ⚪ placeholder | RLM scenario simulator (depends on rlmx) |
-
-## Local dev loop
-
-The console is shipped as static files — no build, no bundler. Edit the
-`.jsx` files in place; refresh the browser tab to pick up the change
-(Babel transpiles in the browser at load time). The CDN scripts are
-pinned with SRI integrity hashes — bumping React or Babel requires
-re-pinning the matching `integrity="sha384-…"` attribute in
-[`index.html`](./index.html).
-
-```bash
-autopg ui --no-open --port 8500 &
-open http://127.0.0.1:8500
-# … edit screens/settings.jsx, refresh browser …
-kill %1
-```
-
-The Settings screen reads live state from `~/.autopg/settings.json`
-through the helper endpoints, so changes survive reload and round-trip
-through `autopg config get` from another shell.
-
-### Concurrency model
-
-`api.js` stores the etag returned by every successful GET and sends it
-back as `If-Match` on the next PUT. If a parallel `autopg config set` (or
-another browser tab) drifts the file, the PUT comes back as
-`409 ETAG_MISMATCH` with a fresh `currentEtag`. The Settings screen
-catches this and shows a "settings changed, reload?" banner instead of
-overwriting the operator's other changes.
-
-### Env-override chip
-
-`GET /api/settings` returns a `sources` map (one entry per leaf:
-`'default' | 'file' | 'env:<NAME>'`). Rows whose source starts with
-`env:` render a yellow `OVERRIDDEN BY ENV` chip — Save still writes the
-file, but `loadEffectiveConfig()` will keep returning the env value
-until the env var is unset or the daemon is restarted with a clean
-environment.
-
-## Design system
-
-The console UI is derived from the `pgserve-console` design kit at
-`namastex-design-system/ui_kits/pgserve-console`. The CSS files
-(`colors_and_type.css`, `console.css`) and the shared widgets
-(`components.jsx`, `tweaks-panel.jsx`) are copied verbatim — the
-soft rename only touches the topbar identity (`pgserve` → `autopg`)
-and the Settings screen, which was rewritten to match the
-6-section schema documented in
-[`docs/settings-schema.md`](../docs/settings-schema.md).
-
-## What's deliberately not here
-
-- **No build step.** Pre-bundling is a future optimization. The CDN +
-  Babel-in-browser path is intentional for v1 — zero infrastructure.
-- **No daemon HTTP API.** The CLI is the source of truth; every UI
-  mutation shells out. This means the UI works ahead of `autopg
-  install` (you can configure before the daemon ever runs) and
-  cannot leak privileges through a long-lived listening socket.
-- **No multi-user / multi-machine access.** 127.0.0.1 only, by
-  design.
-- **No telemetry, no analytics.** Static page + four endpoints, all
-  local.

package/console/api.js

@@ -1,173 +0,0 @@
-/* autopg console · API client.
- *
- * Wraps the four helper endpoints exposed by `autopg ui`:
- *   GET  /api/settings   →  { settings, sources, etag, path }
- *   PUT  /api/settings   →  { ok, etag } | { error: { code, message, field? } }
- *   POST /api/restart    →  { ok } | { error }
- *   GET  /api/status     →  whatever `pgserve status --json` returns
- *
- * The latest etag from a successful GET is cached on the module so PUTs can
- * send `If-Match` without the caller threading it through manually. PUT
- * replies update the cached etag too so successive saves chain cleanly.
- *
- * Errors from the server come back as `{ error: { code, message, field? } }`.
- * The wrapper raises a structured `ApiError` (with `.code`, `.field`,
- * `.message`, `.status`, `.currentEtag?`) so screens can branch on the code
- * without parsing strings. ETAG_MISMATCH is surfaced as a normal rejection
- * with `error.code === 'ETAG_MISMATCH'` plus `error.currentEtag` so the
- * Settings screen can show a "settings changed, reload?" banner.
- */
-(function (root) {
-  'use strict';
-
-  const STATE = { etag: null };
-
-  class ApiError extends Error {
-    constructor({ code, message, field, status, currentEtag }) {
-      super(message || code || 'api error');
-      this.name = 'ApiError';
-      this.code = code || 'UNKNOWN';
-      if (field) this.field = field;
-      if (typeof status === 'number') this.status = status;
-      if (currentEtag) this.currentEtag = currentEtag;
-    }
-  }
-
-  async function parseJson(res) {
-    const text = await res.text();
-    if (!text) return {};
-    try {
-      return JSON.parse(text);
-    } catch {
-      return { _raw: text };
-    }
-  }
-
-  async function getSettings() {
-    const res = await fetch('/api/settings', {
-      method: 'GET',
-      headers: { accept: 'application/json' },
-      cache: 'no-store',
-    });
-    const body = await parseJson(res);
-    if (!res.ok) {
-      throw new ApiError({
-        code: body?.error?.code,
-        message: body?.error?.message,
-        field: body?.error?.field,
-        status: res.status,
-      });
-    }
-    if (body && body.etag) STATE.etag = body.etag;
-    return body;
-  }
-
-  async function putSettings(patch, { ifMatch } = {}) {
-    const etag = ifMatch ?? STATE.etag;
-    if (!etag) {
-      throw new ApiError({
-        code: 'PRECONDITION_REQUIRED',
-        message: 'no etag cached — call getSettings() before putSettings()',
-        status: 428,
-      });
-    }
-    const res = await fetch('/api/settings', {
-      method: 'PUT',
-      headers: {
-        'content-type': 'application/json',
-        'if-match': etag,
-        accept: 'application/json',
-      },
-      body: JSON.stringify(patch ?? {}),
-    });
-    const body = await parseJson(res);
-    if (res.status === 409) {
-      // Update the cached etag so the next reload has the latest.
-      if (body && body.currentEtag) STATE.etag = body.currentEtag;
-      throw new ApiError({
-        code: body?.error?.code || 'ETAG_MISMATCH',
-        message: body?.error?.message || 'settings changed on disk',
-        status: 409,
-        currentEtag: body?.currentEtag,
-      });
-    }
-    if (!res.ok) {
-      throw new ApiError({
-        code: body?.error?.code,
-        message: body?.error?.message,
-        field: body?.error?.field,
-        status: res.status,
-      });
-    }
-    if (body && body.etag) STATE.etag = body.etag;
-    return body;
-  }
-
-  async function restart() {
-    const res = await fetch('/api/restart', {
-      method: 'POST',
-      headers: { accept: 'application/json' },
-    });
-    const body = await parseJson(res);
-    if (!res.ok) {
-      throw new ApiError({
-        code: body?.error?.code,
-        message: body?.error?.message,
-        status: res.status,
-      });
-    }
-    return body;
-  }
-
-  async function getStatus() {
-    const res = await fetch('/api/status', {
-      method: 'GET',
-      headers: { accept: 'application/json' },
-      cache: 'no-store',
-    });
-    const body = await parseJson(res);
-    if (!res.ok) {
-      throw new ApiError({
-        code: body?.error?.code,
-        message: body?.error?.message,
-        status: res.status,
-      });
-    }
-    return body;
-  }
-
-  // Live pgserve stats — connections + databases. Always returns a body
-  // (status 200) even when the daemon is unreachable; check `body.ok`.
-  // Safe to poll from the topbar without try/catch error handling.
-  async function getStats() {
-    try {
-      const res = await fetch('/api/stats', {
-        method: 'GET',
-        headers: { accept: 'application/json' },
-        cache: 'no-store',
-      });
-      return await parseJson(res);
-    } catch (err) {
-      return { ok: false, reason: 'fetch-failed', message: err.message };
-    }
-  }
-
-  function getCachedEtag() {
-    return STATE.etag;
-  }
-
-  function setCachedEtag(etag) {
-    STATE.etag = etag || null;
-  }
-
-  root.AutopgApi = {
-    getSettings,
-    putSettings,
-    restart,
-    getStatus,
-    getStats,
-    getCachedEtag,
-    setCachedEtag,
-    ApiError,
-  };
-})(typeof window !== 'undefined' ? window : globalThis);