pgserve 2.2.1 → 2.2.3

package/CHANGELOG.md

@@ -14,6 +14,110 @@ All notable changes to `pgserve` are documented here. The format follows
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.2.3] - 2026-05-03
+
+### Changed
+
+- **`autopg install` now auto-supervises the console UI under pm2** as a
+  separate process named `autopg-ui`. The bundled SPA from v2.2.2 is now
+  always available at `http://127.0.0.1:8433` after a fresh install — no
+  more "operator runs install, doesn't know the UI exists" gap.
+- **The console now requires a password** (Basic Auth). On first install
+  `autopg install` generates a 24-char admin password, prints it ONCE to
+  stdout, and stores the scrypt hash in `~/.autopg/admin.json` (mode
+  0600). Browsers prompt natively for the password on first visit and
+  cache it for the session.
+- **`autopg uninstall` removes both processes** (`autopg-ui` + `pgserve`)
+  cleanly.
+
+### Added
+
+- **`autopg auth rotate-admin-password`** — generates a new admin
+  password, prints once, updates `admin.json`. Existing browser sessions
+  re-prompt on their next request.
+- **`autopg auth show-admin-path`** — prints the path to `admin.json`.
+- **`--with-ui` flag on `autopg install`** — UI-only path. Refreshes
+  (or registers) just the `autopg-ui` pm2 process without touching the
+  daemon. Useful for changing UI host/port post-install or for
+  retrofitting the UI onto a v2.2.2 host without restarting postgres.
+- **`--redeploy` flag on `autopg install`** — full redeploy: tears down
+  both pm2 processes and reinstalls fresh. Equivalent to
+  `autopg uninstall && autopg install` in one command.
+- **`--no-ui` flag on `autopg install`** — opt out of the UI process for
+  CI / headless / server hosts that don't need a permanent localhost web
+  server.
+- **`--ui-port N` flag on `autopg install`** — override the default UI
+  port (8433).
+- **`--ui-host H` flag on `autopg install`** — override the default UI
+  bind host (127.0.0.1). Non-loopback values trigger a loud warning at
+  the UI server because the console has no TLS.
+- **`AUTOPG_DISABLE_AUTH=1` env var** — escape hatch for CI / smoke tests.
+  Only honored when the request comes from `127.0.0.1` / `::1`; cannot
+  accidentally expose an unauthenticated UI on a LAN.
+
+### Notes
+
+- **Re-run `autopg install` on existing v2.2.2 hosts** to pick up the UI
+  auto-supervise + admin password. Idempotent — the daemon is left
+  untouched. The first re-run prints the new admin password.
+- **UI process memory cap is 256MB**. Restart budget + exp-backoff are
+  shared with the daemon's hardened defaults.
+- **Single-user dev tool boundary, with auth at the door.** Loopback
+  binding + Basic Auth + scrypt-hashed password covers the
+  "random-local-process-curl'ing-settings" case. Multi-user hosts where
+  intra-UID isolation matters should use `--no-ui`.
+- **Hash scheme**: scrypt (RFC 7914, Node built-in since v10.5),
+  N=16384, r=8, p=1, 32-byte derived key, 32-byte salt. No npm dep
+  added.
+
+## [2.2.2] - 2026-05-03
+
+### Changed
+
+- **console: pre-bundle assets via `bun build`; drop CDN Babel dependency.**
+  The `autopg ui` console previously loaded `react@18`, `react-dom@18`, and
+  `@babel/standalone` from `unpkg.com` and transpiled `.jsx` files in the
+  browser. The console is now pre-bundled into `console/dist/app.js`
+  (~210KB minified) at publish time. Operators on offline / corporate-proxy
+  / flaky-network hosts now get a fully local UI. Eliminates ~150KB of
+  in-browser Babel work per page load.
+- **console: source moves to `console/src/`; npm tarball ships only
+  `console/dist/`.** Repo layout now has `console/src/` (editable sources,
+  gitignored from publish) and `console/dist/` (build artifact, in tarball,
+  gitignored in repo). `package.json#files` updated to ship `console/dist/`
+  only (drop ~80KB of unminified `.jsx` from npm install).
+- **`react@^18.3.1` and `react-dom@^18.3.1` added as runtime dependencies.**
+  Versions match the unpkg UMD scripts loaded by v2.2.1 and earlier — no
+  behavior change. Required for the bun-build pipeline to bundle them.
+
+### Added
+
+- **`bun run console:build`** — produces `console/dist/{app.js,index.html,*.css}`
+  via `bun build console/src/main.jsx --target browser --minify`. Wired into
+  `prepublishOnly` so npm publish always ships fresh artifacts.
+- **`bun run console:dev`** — incremental rebuild on file change for
+  contributors editing the SPA. Output goes to `console/dist/app.js`.
+- **`console/src/main.jsx`** — entry shim that imports `react` + `react-dom`,
+  exposes them on `globalThis`, then imports the existing flat-script `.jsx`
+  sources in original `<script>`-tag order. Preserves the SPA's existing
+  global-pattern code without rewriting every file.
+- **`tests/console/no-cdn.test.js`** — regression test that boots
+  `autopg ui`, asserts served HTML has zero `unpkg`/`jsdelivr`/`cdn.babel`/
+  `babel/standalone` references, and verifies `app.js` is reachable as a
+  static asset.
+
+### Notes
+
+- **Trust boundary:** `127.0.0.1` only, single-user, no auth, no TLS — same
+  as v2.2.x.
+- **`src/cli-ui.cjs#resolveConsoleRoot()`** prefers `console/dist/` when
+  present, falls back to `console/src/` for repo-checkout dev mode (with a
+  one-line stderr warning to remind contributors to run `console:build`).
+- **Bundle size deviation:** wish target was ≤100KB minified; realistic
+  baseline is ~210KB (React 18 alone is ~130KB minified+gzipped). The
+  100KB target was aspirational and unachievable without removing React;
+  CHANGELOG documents the actual figure for transparency.
+
 ## Unreleased — autopg console settings
 
 ### Added