pgserve 2.4.0 → 2.6.0

package/README.md

@@ -101,17 +101,14 @@ psql postgresql://localhost:8432/myapp
 ## Installation
 
 ```bash
-# Zero install (recommended)
-npx pgserve
-
-# Global install
-npm install -g pgserve
+# Canonical install — signed binary from GitHub Releases
+curl -fsSL https://raw.githubusercontent.com/namastexlabs/pgserve/main/install.sh | bash
 
-# Project dependency
-npm install pgserve
+# Pinned version
+PGSERVE_VERSION=v2.6.0 curl -fsSL .../install.sh | bash
 ```
 
-> PostgreSQL binaries are automatically downloaded on first run (~100MB).
+> `install.sh` fetches the signed tarball from GitHub Releases and verifies it via `gh attestation verify` (Sigstore Rekor public-good). Requires the [`gh` CLI](https://cli.github.com/). pgserve no longer depends on npm — the install + upgrade path is binary tarballs all the way down.
 
 ### Windows
 

package/bin/pgserve-wrapper.cjs

@@ -43,6 +43,29 @@ const __installSubcommands = new Set([
   'upgrade',
   'restart',
   'ui',
+  // pgserve singleton (v2.4) — `pgserve-singleton-no-proxy` wish, Group 4.
+  // `verify` shells out to cosign + writes an HMAC cache token. Pure node
+  // (no bun) so it must skip the bun probe like the install surface above.
+  'verify',
+  // pgserve singleton (v2.4) — wish Group 3, read-only V1. `doctor` runs
+  // entirely in node (admin.json + supervisor probes + socket reachability)
+  // and must skip the bun probe so it works on any installed binary.
+  'doctor',
+  // pgserve singleton (v2.4) — wish Group 3. `trust` manages the
+  // user-extensible cosign trust store at ~/.pgserve/trust/identities.json.
+  // Pure node, must skip bun probe.
+  'trust',
+  // pgserve singleton (v2.4) — wish Group 3, verb 3. `gc` shells out to
+  // psql to scan pgserve_meta + pg_database, classify orphans, and
+  // (under --apply) DROP DATABASE. Pure node + child_process, must skip
+  // the bun probe.
+  'gc',
+  // pgserve singleton (v2.4) — wish Group 3, verb 4. `provision` shells
+  // out to psql to CREATE ROLE / CREATE DATABASE / GRANT / INSERT INTO
+  // pgserve_meta. Idempotency-driven (no advisory lock — see
+  // src/commands/provision.js header for why). Pure node + child_process,
+  // must skip bun probe.
+  'provision',
 ]);
 if (__subcommand && __installSubcommands.has(__subcommand)) {
   const cli = require(path.join(__dirname, '..', 'src', 'cli-install.cjs'));

package/bin/postgres-server.js

@@ -17,6 +17,7 @@
 
 import { PostgresManager } from '../src/postgres.js';
 import { resolveSocketDir, ensureSocketDir } from '../src/lib/socket-dir.js';
+import { writeRuntimeJson, clearRuntimeJson } from '../src/lib/runtime-json.js';
 import { createLogger } from '../src/logger.js';
 
 // Global error handlers — surface unhandled rejections + uncaught errors
@@ -95,6 +96,27 @@ async function runPostmasterSubcommand(postmasterArgs) {
     process.exit(1);
   }
 
+  // cutover G19: drop a runtime discovery file at <socketDir>/runtime.json
+  // so consumers' UDS-first probes find the live socket without globbing
+  // ephemeral pid-stamped dirs. The file is intentionally separate from
+  // ~/.autopg/admin.json (which records supervisor metadata, not live
+  // socket info) — that split lets the postmaster restart under a new
+  // pid without rewriting the supervisor record. NO `supervisor` key
+  // here; the writer rejects it.
+  try {
+    writeRuntimeJson({
+      socketDir,
+      port: opts.port,
+      pid: manager.process?.pid ?? process.pid,
+      autopgPid: process.pid,
+    });
+  } catch (err) {
+    logger.warn(
+      { err: err.message },
+      'pgserve postmaster: runtime.json write failed; consumers will fall back to admin.json',
+    );
+  }
+
   logger.info(
     { port: opts.port, socketDir, dataDir: opts.dataDir },
     'pgserve postmaster: ready (Unix socket + TCP)',
@@ -102,6 +124,12 @@ async function runPostmasterSubcommand(postmasterArgs) {
 
   const shutdown = async (signal) => {
     logger.info({ signal }, 'pgserve postmaster: stopping');
+    // Clear runtime.json BEFORE stopping the postmaster so the moment
+    // a graceful-shutdown signal lands, fresh consumers see "no live
+    // socket" instead of racing against a stale-pid record. On crash
+    // (uncaughtException, backend died) the file is left behind; the
+    // operator-facing detector is `process.kill(record.autopgPid, 0)`.
+    clearRuntimeJson(socketDir);
     try {
       await manager.stop();
     } catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pgserve",
-  "version": "2.4.0",
+  "version": "2.6.0",
   "description": "Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases",
   "main": "src/index.js",
   "type": "module",
@@ -30,6 +30,7 @@
     "console:dev": "bun build console/src/main.jsx --target browser --define 'process.env.NODE_ENV=\"development\"' --watch --outfile console/dist/app.js",
     "lint": "eslint src/ bin/",
     "lint:fix": "eslint src/ bin/ --fix",
+    "lint:audit": "bun scripts/audit-redaction-lint.js",
     "deadcode": "knip",
     "test:npx": "scripts/test-npx.sh",
     "test:bun-self-heal": "scripts/test-bun-self-heal.sh",

package/scripts/aggregate-manifest.sh

@@ -0,0 +1,184 @@
+#!/usr/bin/env bash
+#
+# aggregate-manifest.sh — Group 8 of autopg-distribution-cutover.
+#
+# Walks dist/autopg-<version>-<platform>.tar.gz, gathers each tarball's
+# SHA256 + signature URL + provenance URL + platform tuple, and emits
+# dist/manifest.json that consumers (install.sh, autopg update) read to
+# resolve a download for a given (channel, version, platform).
+#
+# This runs after Group 8 signing + provenance generation and before
+# Group 9 (CDN publish).
+#
+# Usage:
+#   bash scripts/aggregate-manifest.sh --version 2.260503.1
+#   bash scripts/aggregate-manifest.sh --version 2.260503.1 --base-url https://cdn.automagik.dev/autopg/stable/2.260503.1
+#
+# Output:
+#   dist/manifest.json
+#
+# Exit codes:
+#   0  ok
+#   1  IO failure
+#   2  invalid args / missing inputs
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="${AUTOPG_DIST_DIR:-${REPO_ROOT}/dist}"
+
+usage() {
+  cat <<EOF
+Usage: $0 --version <v> [--base-url <url>] [--channel <c>] [--cosign-pub-url <url>]
+
+  --version          autopg version, e.g. 2.260503.1 (or read from package.json)
+  --base-url         absolute base URL prefix for tarball URLs
+                     (default: relative — consumers resolve against the
+                      directory the manifest sits in).
+  --channel          channel hint embedded in the manifest (stable|beta|canary).
+                     default: stable
+  --cosign-pub-url   absolute URL to the published cosign public key.
+                     default: <base-url>/../../keys/cosign.pub for production
+                     (cdn.automagik.dev layout) or "keys/cosign.pub" relative.
+
+Reads:
+  dist/autopg-<version>-<platform>.tar.gz
+  dist/autopg-<version>-<platform>.tar.gz.sha256
+  dist/autopg-<version>-<platform>.tar.gz.sig          (optional)
+  dist/autopg-<version>-<platform>.tar.gz.intoto.jsonl (optional)
+
+Writes:
+  dist/manifest.json
+EOF
+}
+
+parse_args() {
+  VERSION="${AUTOPG_VERSION:-}"
+  BASE_URL=""
+  CHANNEL="stable"
+  COSIGN_PUB_URL=""
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --version)        VERSION="$2";        shift 2 ;;
+      --base-url)       BASE_URL="$2";       shift 2 ;;
+      --channel)        CHANNEL="$2";        shift 2 ;;
+      --cosign-pub-url) COSIGN_PUB_URL="$2"; shift 2 ;;
+      -h|--help)        usage; exit 0 ;;
+      *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
+    esac
+  done
+  if [[ -z "$VERSION" ]]; then
+    VERSION=$(node -p "require('${REPO_ROOT}/package.json').version" 2>/dev/null || echo "")
+  fi
+  if [[ -z "$VERSION" ]]; then
+    echo "error: --version required (or set in package.json)" >&2; exit 2
+  fi
+}
+
+# Portable SHA256 — sha256sum on linux, shasum -a 256 on macOS.
+sha256_of() {
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$1" | awk '{print $1}'
+  else
+    shasum -a 256 "$1" | awk '{print $1}'
+  fi
+}
+
+prefix_url() {
+  local rel="$1"
+  if [[ -n "$BASE_URL" ]]; then
+    printf '%s/%s' "${BASE_URL%/}" "$rel"
+  else
+    printf '%s' "$rel"
+  fi
+}
+
+emit_entry() {
+  local tarball="$1"
+  local first="$2"
+  local base platform sha sz
+  base=$(basename "$tarball")
+  # Strip "autopg-<version>-" prefix and ".tar.gz" suffix to get platform.
+  platform="${base#autopg-${VERSION}-}"
+  platform="${platform%.tar.gz}"
+
+  if [[ ! -f "${tarball}.sha256" ]]; then
+    echo "error: ${tarball}.sha256 missing — run assemble-tarball.sh first" >&2
+    return 1
+  fi
+  sha=$(awk '{print $1}' "${tarball}.sha256")
+  sz=$(stat -c %s "$tarball" 2>/dev/null || stat -f %z "$tarball")
+
+  local sig_url="" prov_url=""
+  if [[ -f "${tarball}.sig" ]]; then
+    sig_url=$(prefix_url "${base}.sig")
+  fi
+  if [[ -f "${tarball}.intoto.jsonl" ]]; then
+    prov_url=$(prefix_url "${base}.intoto.jsonl")
+  fi
+
+  if [[ "$first" -eq 0 ]]; then printf ',\n'; fi
+  printf '    {\n'
+  printf '      "platform": "%s",\n' "$platform"
+  printf '      "file": "%s",\n'     "$base"
+  printf '      "url": "%s",\n'      "$(prefix_url "$base")"
+  printf '      "sha256": "%s",\n'   "$sha"
+  printf '      "size": %d,\n'       "$sz"
+  printf '      "signature_url": "%s",\n' "$sig_url"
+  printf '      "provenance_url": "%s"\n' "$prov_url"
+  printf '    }'
+}
+
+main() {
+  parse_args "$@"
+  [[ -d "$DIST_DIR" ]] || { echo "error: $DIST_DIR not a directory" >&2; exit 2; }
+
+  local tarballs=()
+  while IFS= read -r line; do
+    tarballs+=("$line")
+  done < <(find "$DIST_DIR" -maxdepth 1 -name "autopg-${VERSION}-*.tar.gz" -type f | LC_ALL=C sort)
+
+  if [[ ${#tarballs[@]} -eq 0 ]]; then
+    echo "error: no autopg-${VERSION}-*.tar.gz files in ${DIST_DIR}" >&2
+    exit 2
+  fi
+
+  local generated_at
+  generated_at=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+  local out="${DIST_DIR}/manifest.json"
+  {
+    printf '{\n'
+    printf '  "name": "autopg",\n'
+    printf '  "version": "%s",\n' "$VERSION"
+    printf '  "channel": "%s",\n' "$CHANNEL"
+    printf '  "schemaVersion": 1,\n'
+    printf '  "generated_at": "%s",\n' "$generated_at"
+    local cpub
+    if [[ -n "$COSIGN_PUB_URL" ]]; then
+      cpub="$COSIGN_PUB_URL"
+    elif [[ -n "$BASE_URL" ]]; then
+      # CDN layout: <base>/autopg/<channel>/<version>/manifest.json
+      # Public key lives at: <base>/autopg/keys/cosign.pub
+      # If caller passes the full <base>/autopg/<channel>/<version> as
+      # base-url, walk two levels up to reach the keys/ sibling.
+      cpub="${BASE_URL%/*}"
+      cpub="${cpub%/*}/keys/cosign.pub"
+    else
+      cpub="keys/cosign.pub"
+    fi
+    printf '  "cosign_pub_url": "%s",\n' "$cpub"
+    printf '  "platforms": [\n'
+    local first=1
+    for t in "${tarballs[@]}"; do
+      emit_entry "$t" "$first"
+      first=0
+    done
+    printf '\n  ]\n'
+    printf '}\n'
+  } > "$out"
+
+  echo "==> manifest: $out ($(wc -l < "$out") lines, ${#tarballs[@]} platforms)"
+}
+
+main "$@"

package/scripts/assemble-tarball.sh

@@ -0,0 +1,191 @@
+#!/usr/bin/env bash
+#
+# assemble-tarball.sh — Group 7 of autopg-distribution-cutover.
+#
+# Assembles a single platform tarball with the locked shape:
+#
+#   autopg/
+#     autopg                  # static binary (from build-binary.sh)
+#     postgres/
+#       bin/*                 # postgres + initdb + libpq + ...
+#       share/*               # timezone data, locale, etc.
+#     manifest.json           # per-file SHA256 + size
+#
+# The tarball lives at:
+#   dist/autopg-<version>-<platform>.tar.gz
+# and a sibling .sha256 file holds the outer hash for Group 8 (cosign sign)
+# and Group 9 (CDN publish) to consume.
+#
+# Inputs come from dist/<platform>/autopg/{autopg, postgres/}, populated by
+# build-binary.sh + fetch-postgres-bins.sh.
+#
+# Usage:
+#   scripts/assemble-tarball.sh --platform linux-x64-glibc
+#   scripts/assemble-tarball.sh --all --version 2.260503.1
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="${AUTOPG_DIST_DIR:-${REPO_ROOT}/dist}"
+
+PLATFORMS=(linux-x64-glibc linux-x64-musl linux-arm64 darwin-x64 darwin-arm64)
+
+usage() {
+  cat <<EOF
+Usage: $0 (--platform <p> | --all) [--version <v>]
+
+Platforms: ${PLATFORMS[*]}
+
+Inputs (must already exist):
+  dist/<platform>/autopg/autopg               (build-binary.sh)
+  dist/<platform>/autopg/postgres/bin/*       (fetch-postgres-bins.sh)
+  dist/<platform>/autopg/postgres/share/*     (fetch-postgres-bins.sh)
+
+Outputs:
+  dist/autopg-<version>-<platform>.tar.gz
+  dist/autopg-<version>-<platform>.tar.gz.sha256
+EOF
+}
+
+parse_args() {
+  TARGET_PLATFORM=""
+  ASSEMBLE_ALL=0
+  VERSION="${AUTOPG_VERSION:-}"
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --platform) TARGET_PLATFORM="$2"; shift 2 ;;
+      --all)      ASSEMBLE_ALL=1; shift ;;
+      --version)  VERSION="$2"; shift 2 ;;
+      -h|--help)  usage; exit 0 ;;
+      *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
+    esac
+  done
+
+  if [[ "$ASSEMBLE_ALL" -eq 0 && -z "$TARGET_PLATFORM" ]]; then
+    echo "error: pass --platform <p> or --all" >&2; usage; exit 2
+  fi
+
+  if [[ -z "$VERSION" ]]; then
+    VERSION=$(node -p "require('${REPO_ROOT}/package.json').version" 2>/dev/null || echo "0.0.0")
+  fi
+}
+
+# Portable SHA256 — use sha256sum on linux, shasum -a 256 on macOS.
+sha256_of() {
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$1" | awk '{print $1}'
+  else
+    shasum -a 256 "$1" | awk '{print $1}'
+  fi
+}
+
+# Emit manifest.json for the given platform's staged tree.
+# Walks autopg/ relative to <root>/, skipping manifest.json itself.
+emit_manifest() {
+  local root="$1" platform="$2" out="$3"
+
+  pushd "$root" >/dev/null
+  {
+    printf '{\n'
+    printf '  "name": "autopg",\n'
+    printf '  "version": "%s",\n' "$VERSION"
+    printf '  "platform": "%s",\n' "$platform"
+    printf '  "schemaVersion": 1,\n'
+    printf '  "files": [\n'
+
+    local first=1
+    while IFS= read -r f; do
+      [[ "$f" == "autopg/manifest.json" ]] && continue
+      local h sz
+      h=$(sha256_of "$f")
+      sz=$(stat -c %s "$f" 2>/dev/null || stat -f %z "$f")
+      if [[ $first -eq 1 ]]; then
+        first=0
+      else
+        printf ',\n'
+      fi
+      printf '    { "path": "%s", "sha256": "%s", "size": %d }' "$f" "$h" "$sz"
+    done < <(find autopg -type f | LC_ALL=C sort)
+
+    printf '\n  ]\n'
+    printf '}\n'
+  } > "$out"
+  popd >/dev/null
+}
+
+# Verify staged inputs are present + executable.
+verify_inputs() {
+  local stage="$1" platform="$2"
+  local missing=0
+  for required in autopg/autopg autopg/postgres/bin/postgres; do
+    if [[ ! -f "${stage}/${required}" ]]; then
+      echo "error: ${platform}: missing ${required}" >&2
+      missing=1
+    fi
+  done
+  return $missing
+}
+
+assemble_one() {
+  local platform="$1"
+  local stage="${DIST_DIR}/${platform}"
+  local tarball="${DIST_DIR}/autopg-${VERSION}-${platform}.tar.gz"
+  local outer_sha="${tarball}.sha256"
+
+  if [[ ! -d "${stage}/autopg" ]]; then
+    echo "error: ${stage}/autopg/ does not exist (run build-binary.sh + fetch-postgres-bins.sh first)" >&2
+    return 1
+  fi
+
+  echo "==> [${platform}] assemble tarball"
+  # `assemble_one` is invoked from main as `assemble_one ... || rc=$?` which
+  # disables `set -e` for the duration of this function. Each potentially-
+  # failing command needs explicit `|| return 1` to halt early instead of
+  # silently producing a corrupt tarball (gemini bot review HIGH on PR #84).
+  verify_inputs "$stage" "$platform" || return 1
+
+  # 1) emit per-file manifest BEFORE the tarball is rolled — manifest is
+  #    bundled inside.
+  emit_manifest "$stage" "$platform" "${stage}/autopg/manifest.json" || return 1
+
+  # 2) ensure binaries are executable inside the tar.
+  chmod +x "${stage}/autopg/autopg" || true
+  find "${stage}/autopg/postgres/bin" -type f -exec chmod +x {} +
+
+  # 3) build deterministic tarball: sorted entries, locked mtime.
+  local tar_flags=()
+  if tar --help 2>&1 | grep -q -- '--sort=name'; then
+    tar_flags+=(--sort=name)
+  fi
+  if tar --help 2>&1 | grep -q -- '--mtime='; then
+    tar_flags+=(--mtime=2026-01-01)
+  fi
+  if tar --help 2>&1 | grep -q -- '--owner='; then
+    tar_flags+=(--owner=0 --group=0 --numeric-owner)
+  fi
+
+  tar -C "$stage" -czf "$tarball" "${tar_flags[@]}" autopg/ || return 1
+  echo "    ✓ tarball: $tarball ($(du -h "$tarball" | cut -f1))"
+
+  # 4) outer SHA256 — Group 8 cosign-signs this; Group 9 publishes both.
+  sha256_of "$tarball" > "$outer_sha" || return 1
+  echo "    ✓ sha256:  $(cat "$outer_sha")  $(basename "$tarball")"
+}
+
+main() {
+  parse_args "$@"
+  mkdir -p "$DIST_DIR"
+
+  local rc=0
+  if [[ "$ASSEMBLE_ALL" -eq 1 ]]; then
+    for p in "${PLATFORMS[@]}"; do
+      assemble_one "$p" || rc=$?
+    done
+  else
+    assemble_one "$TARGET_PLATFORM" || rc=$?
+  fi
+  exit $rc
+}
+
+main "$@"