pgserve 2.4.0 → 2.6.0

package/src/security/blocked-versions.js

@@ -0,0 +1,103 @@
+/**
+ * Hardcoded blocklist — pgserve-singleton-no-proxy wish, Group 5.
+ *
+ * Compile-time list of pgserve versions that `pgserve install` and
+ * `pgserve update` MUST refuse, with a clear diagnostic. The trust root
+ * is opaque to operators: they cannot edit this file at runtime, only
+ * receive an updated list via `pgserve update`.
+ *
+ * Per SHARED-DESIGN.md §2.5: this is the ONLY revocation surface for v2.4+.
+ * No Rekor consultation, no revoked.json sync, no DNS-served blocklist.
+ * The list grows when a known-bad version ships and gets pinned here, then
+ * an updated pgserve release rolls out via the normal channel.
+ *
+ * Format: array of { version, reason, advisoryUrl? } records.
+ *   - version: exact semver string. Range matchers are intentionally
+ *     unsupported — every blocked version is named explicitly so an
+ *     auditor reading this file knows exactly what is rejected.
+ *   - reason: one-line operator-facing explanation (printed on refusal).
+ *   - advisoryUrl: optional pointer to a CVE/security advisory for the
+ *     blocked release.
+ */
+
+/**
+ * @typedef {Object} BlockedVersion
+ * @property {string} version  Exact semver string (no ranges).
+ * @property {string} reason   Operator-facing diagnostic line.
+ * @property {string} [advisoryUrl]  Pointer to CVE/security advisory.
+ */
+
+/** @type {readonly BlockedVersion[]} */
+export const BLOCKED_VERSIONS = Object.freeze([
+  // Empty by default. Populate as known-bad versions are identified.
+  // Example shape (uncomment + edit when a real block is needed):
+  //   { version: '2.6.0', reason: 'Postmaster crash on Linux ARM64 — see #999', advisoryUrl: 'https://github.com/namastexlabs/pgserve/security/advisories/GHSA-xxxx' },
+]);
+
+/**
+ * Test-only override. The compile-time list is frozen so production code
+ * cannot mutate it; tests need a way to inject blocked entries to exercise
+ * the throw path. Populated via __addBlockedForTest() and consulted by
+ * findBlocked() when non-empty. Cleared via __clearBlockedTestOverridesForTest().
+ *
+ * @type {BlockedVersion[]}
+ */
+const _testOverrides = [];
+
+/**
+ * Test-only — register an additional blocked entry for the lifetime of a
+ * test. Call __clearBlockedTestOverridesForTest() in afterEach to keep
+ * tests isolated.
+ *
+ * @param {BlockedVersion} entry
+ */
+export function __addBlockedForTest(entry) {
+  if (!entry || typeof entry.version !== 'string' || typeof entry.reason !== 'string') {
+    throw new Error('__addBlockedForTest: entry needs { version, reason }');
+  }
+  _testOverrides.push(entry);
+}
+
+/** Test-only — drop all entries registered via __addBlockedForTest. */
+export function __clearBlockedTestOverridesForTest() {
+  _testOverrides.length = 0;
+}
+
+/**
+ * Find the blocklist entry for an exact version string, if any.
+ * Considers both the compile-time BLOCKED_VERSIONS list and any test
+ * overrides registered via __addBlockedForTest().
+ *
+ * @param {string} version
+ * @returns {BlockedVersion | undefined}
+ */
+export function findBlocked(version) {
+  if (typeof version !== 'string' || version.length === 0) return undefined;
+  const fromOverrides = _testOverrides.find((b) => b.version === version);
+  if (fromOverrides) return fromOverrides;
+  return BLOCKED_VERSIONS.find((b) => b.version === version);
+}
+
+/**
+ * Assert that a version is not blocked. Throws an Error with a stable,
+ * grep-able prefix (`EBLOCKEDVERSION`) when the version is blocked, so
+ * callers (cli-install / upgrade) can detect it and exit with a known code.
+ *
+ * @param {string} version
+ * @throws {Error} when version is blocked
+ */
+export function assertNotBlocked(version) {
+  const hit = findBlocked(version);
+  if (!hit) return;
+  const lines = [
+    `EBLOCKEDVERSION: pgserve@${version} is blocked.`,
+    `  reason: ${hit.reason}`,
+  ];
+  if (hit.advisoryUrl) lines.push(`  advisory: ${hit.advisoryUrl}`);
+  lines.push('  remediation: install a different version (run `pgserve update` for the latest).');
+  const err = new Error(lines.join('\n'));
+  err.code = 'EBLOCKEDVERSION';
+  err.version = version;
+  err.reason = hit.reason;
+  throw err;
+}

package/src/upgrade/index.js

@@ -20,11 +20,16 @@ import * as plpgsqlResolve from './steps/plpgsql-resolve.js';
 import * as envRefresh from './steps/env-refresh.js';
 import * as consumerSignal from './steps/consumer-signal.js';
 import * as healthValidate from './steps/health-validate.js';
+import * as cosignMetaMigration from './steps/cosign-meta-migration.js';
 
 export const STEPS = [
   { name: 'port-reconcile', impl: portReconcile },
   { name: 'binary-cache-flush', impl: binaryCacheFlush },
   { name: 'plpgsql-resolve', impl: plpgsqlResolve },
+  // pgserve singleton (v2.4) — `pgserve-singleton-no-proxy` wish, Group 4.
+  // Adds the additive `verified_*` columns to `pgserve_meta`. Runs after
+  // plpgsql-resolve so the extension is available; idempotent per-DB.
+  { name: 'cosign-meta-migration', impl: cosignMetaMigration },
   { name: 'env-refresh', impl: envRefresh },
   { name: 'consumer-signal', impl: consumerSignal },
   { name: 'health-validate', impl: healthValidate },

package/src/upgrade/steps/binary-cache-flush.js

@@ -57,8 +57,8 @@ export async function execute({ log, warn }) {
 
   if (!downloadFn) {
     warn(`binary needs refresh (pinned=${pinned}, cached=${marker || 'missing'}) but autopg postgres module not exposing download API`);
-    warn(`operator action: rerun \`bun install -g @automagik/autopg@latest\``);
-    return { status: 'FAIL', detail: 'binary refresh needs autopg npm reinstall' };
+    warn(`operator action: rerun \`curl -fsSL https://raw.githubusercontent.com/namastexlabs/pgserve/main/install.sh | bash\` to refresh from GitHub Releases`);
+    return { status: 'FAIL', detail: 'binary refresh needs install.sh rerun (no npm dependency)' };
   }
   log(`re-downloading PG ${pinned} into ${cacheDir}`);
   await downloadFn({ version: pinned, targetDir: cacheDir });

package/src/upgrade/steps/cosign-meta-migration.js

@@ -0,0 +1,123 @@
+/**
+ * Step — pgserve_meta cosign columns (additive).
+ *
+ * pgserve singleton (v2.4) — `pgserve-singleton-no-proxy` wish, Group 4.
+ *
+ * Adds `verified_at`, `verified_identity`, `verified_tier` to every
+ * `pgserve_meta` table the upgrade step finds. The schema delta is
+ * additive (Decision P4) — pre-cosign rows continue to work, columns are
+ * NULL until Group 3's `pgserve provision` writes them.
+ *
+ * Runs idempotently: `ADD COLUMN IF NOT EXISTS` plus a guarded DO-block
+ * for the CHECK constraint. Re-running on an already-migrated host is a
+ * no-op. If `pgserve_meta` does not exist (fresh install before G3 has
+ * provisioned anything) the step is a SKIP.
+ */
+
+import { spawnSync } from 'node:child_process';
+
+import { getMigrationStatements } from '../../cosign/schema.js';
+
+export const name = 'cosign-meta-migration';
+const CANONICAL_PORT = 5432;
+const SYSTEM_DBS = new Set(['template0', 'template1']);
+
+// PR #79 fix: previous implementation used execSync with a template string +
+// JSON.stringify(sql). The migration SQL contains `DO $$ ... $$` blocks; bash
+// expands `$$` to its PID, corrupting the SQL before psql sees it. Switch to
+// spawnSync (shell:false) with the SQL fed through stdin — no shell parsing,
+// no expansion, no injection surface.
+function pgQuery({ db, sql, captureStdout = false, port = CANONICAL_PORT }) {
+  const env = { ...process.env, PGPASSWORD: process.env.PGPASSWORD || 'postgres' };
+  const result = spawnSync(
+    'psql',
+    ['-h', '127.0.0.1', '-p', String(port), '-U', 'postgres', '-d', db, '-At', '-f', '-'],
+    { env, input: sql, stdio: ['pipe', 'pipe', 'pipe'] }
+  );
+  if (result.status !== 0) {
+    const stderr = (result.stderr || Buffer.from('')).toString();
+    const err = new Error(`psql exited ${result.status}: ${stderr.trim()}`);
+    err.status = result.status;
+    err.stderr = stderr;
+    throw err;
+  }
+  const stdout = (result.stdout || Buffer.from('')).toString();
+  return captureStdout ? stdout.trim() : stdout;
+}
+
+function listUserDbs() {
+  const out = pgQuery({
+    db: 'postgres',
+    sql: "SELECT datname FROM pg_database WHERE NOT datistemplate ORDER BY datname",
+    captureStdout: true,
+  });
+  return out ? out.split('\n').filter(Boolean).filter((d) => !SYSTEM_DBS.has(d)) : [];
+}
+
+function pgserveMetaExists(db) {
+  const out = pgQuery({
+    db,
+    sql: "SELECT to_regclass('public.pgserve_meta') IS NOT NULL",
+    captureStdout: true,
+  });
+  return out === 't' || out === 'true';
+}
+
+export async function plan() {
+  let dbs;
+  try {
+    dbs = listUserDbs();
+  } catch (err) {
+    return `cannot enumerate DBs: ${err.message}`;
+  }
+  if (dbs.length === 0) return 'no user DBs — skip';
+  const targets = [];
+  for (const db of dbs) {
+    try {
+      if (pgserveMetaExists(db)) targets.push(db);
+    } catch {
+      // Skip silently — DB might be unreachable, listed but not connectable.
+    }
+  }
+  if (targets.length === 0) return 'no DB hosts pgserve_meta yet — skip';
+  return `would apply additive cosign columns to pgserve_meta in: ${targets.join(', ')}`;
+}
+
+export async function execute({ log, warn }) {
+  let dbs;
+  try {
+    dbs = listUserDbs();
+  } catch (err) {
+    return { status: 'FAIL', detail: `cannot enumerate DBs: ${err.message}` };
+  }
+  if (dbs.length === 0) return { status: 'SKIP', detail: 'no user DBs to migrate' };
+
+  const statements = getMigrationStatements();
+  let migrated = 0;
+  let skipped = 0;
+  for (const db of dbs) {
+    let exists;
+    try {
+      exists = pgserveMetaExists(db);
+    } catch (err) {
+      warn(`[cosign-meta-migration] ${db}: cannot probe pgserve_meta — ${err.message}`);
+      skipped++;
+      continue;
+    }
+    if (!exists) {
+      skipped++;
+      continue;
+    }
+    try {
+      for (const sql of statements) {
+        pgQuery({ db, sql });
+      }
+      log(`[cosign-meta-migration] ${db}: applied ${statements.length} idempotent statement(s)`);
+      migrated++;
+    } catch (err) {
+      warn(`[cosign-meta-migration] ${db}: failed — ${err.message}`);
+      skipped++;
+    }
+  }
+  return { status: 'OK', detail: `migrated ${migrated} DB(s), skipped ${skipped}` };
+}