pgserve 2.6.0 → 2.6.4

package/src/gc/audit-log.js

@@ -29,6 +29,8 @@ export const AUDIT_DIR_NAME = 'audit';
 export const AUDIT_FILE_PREFIX = 'gc-';
 export const AUDIT_FILE_MODE = 0o600;
 export const AUDIT_DIR_MODE = 0o700;
+export const AUDIT_DEFAULT_RETENTION_DAYS = 90;
+const AUDIT_FILENAME_RE = /^gc-(\d{4})-(\d{2})-(\d{2})\.log$/;
 
 /**
  * @typedef {Object} GcAuditEvent
@@ -147,4 +149,94 @@ export function readGcAuditDay({ homeDir = os.homedir(), date = new Date() } = {
   return out;
 }
 
+/**
+ * Rotate audit logs by deleting `gc-<YYYY-MM-DD>.log` files older than
+ * `retentionDays` (default 90). Each deletion writes a `rotate` audit event
+ * to today's log so the rotation itself is auditable.
+ *
+ * Boundary guard: NEVER deletes the current day's log file, even if the
+ * retention math would otherwise include it (clock skew, manual mtime edits,
+ * timezone-confusion regressions). The current day is determined from
+ * `today` (UTC) — the same date the next `writeGcAudit` call would use.
+ *
+ * Files whose names do not match `gc-<YYYY-MM-DD>.log` are skipped — the
+ * rotator only touches its own log files.
+ *
+ * Returns `{ deleted: string[], kept: string[], errors: Array<{file,error}> }`
+ * so callers can surface a summary line without re-walking the directory.
+ */
+export function rotateGcAuditLogs({
+  homeDir = os.homedir(),
+  retentionDays = AUDIT_DEFAULT_RETENTION_DAYS,
+  today = new Date(),
+} = {}) {
+  if (!Number.isFinite(retentionDays) || retentionDays < 0) {
+    throw new TypeError('rotateGcAuditLogs: retentionDays must be a non-negative number');
+  }
+  if (!(today instanceof Date) || Number.isNaN(today.getTime())) {
+    throw new TypeError('rotateGcAuditLogs: today must be a valid Date');
+  }
+  const dir = getAuditDir({ homeDir });
+  const result = { deleted: [], kept: [], errors: [] };
+  let entries;
+  try {
+    entries = fs.readdirSync(dir);
+  } catch (err) {
+    if (err.code === 'ENOENT') return result;
+    throw err;
+  }
+  const todayStr = formatUtcDate(today);
+  const cutoffMs = Date.UTC(
+    today.getUTCFullYear(),
+    today.getUTCMonth(),
+    today.getUTCDate(),
+  ) - retentionDays * 24 * 60 * 60 * 1000;
+  for (const name of entries) {
+    const match = AUDIT_FILENAME_RE.exec(name);
+    if (!match) continue;
+    const [, yyyy, mm, dd] = match;
+    const dateStr = `${yyyy}-${mm}-${dd}`;
+    if (dateStr === todayStr) {
+      // Boundary guard — the current day's log is always retained.
+      result.kept.push(name);
+      continue;
+    }
+    const fileMs = Date.UTC(Number(yyyy), Number(mm) - 1, Number(dd));
+    if (fileMs >= cutoffMs) {
+      result.kept.push(name);
+      continue;
+    }
+    const full = path.join(dir, name);
+    try {
+      fs.unlinkSync(full);
+      result.deleted.push(name);
+      writeGcAudit(
+        {
+          action: 'rotate',
+          detail: `deleted ${name} (>${retentionDays} days old)`,
+        },
+        { homeDir, date: today },
+      );
+    } catch (err) {
+      result.errors.push({ file: name, error: err.message });
+      // Record the per-file failure in today's audit log so an operator
+      // investigating "why is gc-2026-01-01.log still here?" can find the
+      // exact reason (permission denied / file in use / etc.) instead of
+      // only seeing the rotate-summary count.
+      try {
+        writeGcAudit(
+          {
+            action: 'rotate-error',
+            detail: `failed to delete ${name}: ${err.message}`,
+          },
+          { homeDir, date: today },
+        );
+      } catch {
+        /* best-effort — never let audit-write failure abort the rotation pass */
+      }
+    }
+  }
+  return result;
+}
+
 export const __testInternals = Object.freeze({ formatUtcDate });

package/src/postgres.js

@@ -1049,8 +1049,23 @@ export class PostgresManager extends EventEmitter {
         if (!expected) {
           this.socketDir = null;
           this.databaseDir = null;
+          // B5 (v2.6.3): include the captured postgres stderr/stdout tail
+          // in the WARN so operators tailing pm2 logs see the actual cause
+          // (e.g. "FATAL: could not bind IPv4 address ... Address already
+          // in use", "FATAL: data directory ... has wrong ownership", etc.)
+          // instead of just "subprocess exited unexpectedly". The tail is
+          // capped at 4 KB so a runaway log spam can't bloat the WARN
+          // payload; the bottom of startupOutput is where the fatal
+          // diagnostic typically lands. Empty string when postgres exited
+          // before producing any output (rare; preserved as 'no postgres
+          // output captured' so the field stays present in structured
+          // logs).
+          const STDERR_TAIL_BUDGET = 4096;
+          const tail = startupOutput.length > STDERR_TAIL_BUDGET
+            ? startupOutput.slice(-STDERR_TAIL_BUDGET)
+            : startupOutput;
           this.logger?.warn(
-            { code },
+            { code, postgresStderrTail: tail.trim() || 'no postgres output captured' },
             'PostgreSQL subprocess exited unexpectedly — socketDir/databaseDir reset'
           );
         }

package/src/schema/autopg-meta.js

@@ -0,0 +1,120 @@
+/**
+ * `autopg_meta` table bootstrap.
+ *
+ * pgserve singleton (v2.6) — `autopg-distribution-cutover-finalize`
+ * wish, Group 3 (`pgserve create-app` + manifest LOCK 1).
+ *
+ * Source-of-truth split (per wish Decision #2 / G3 deliverable 4):
+ *
+ *   `autopg_meta` is the single source of truth for "which apps are
+ *   registered with this pgserve instance + what cosign trust roots are
+ *   locked at create-app time." The per-consumer manifest file at
+ *   `~/.autopg/<sanitized-slug>/manifest.json` (and the sibling
+ *   `admin.json`) are derived caches; on divergence, the table wins.
+ *
+ *   The `--fix` mutation modes that would regenerate the cache files
+ *   from the table are NOT implemented in v2.4 read-only V1
+ *   (src/commands/doctor.js:440-442 prints "--fix tiered modes are not
+ *   implemented in v2.4"). Until those land, the cache-recovery story is
+ *   manual: operator deletes the per-consumer dir + re-runs
+ *   `pgserve create-app <slug>`. The verb is idempotent and preserves
+ *   the locked_roots already on the row (idempotent re-run touches
+ *   `last_updated` ONLY).
+ *
+ * Why a separate table from `pgserve_meta`: different lifecycle.
+ *   `pgserve_meta` is per-database (provision/gc cohort, fingerprint as
+ *   PK). `autopg_meta` is per-consumer-app (slug as PK), and an app can
+ *   exist before any of its DBs do. Splitting the tables keeps each
+ *   bootstrap genuinely additive + lets the wish Group 4/5 work
+ *   (per-consumer doctor surface) reach for autopg_meta without
+ *   crossing into pgserve_meta's invariants.
+ *
+ * Idempotency: every statement uses `IF NOT EXISTS` (table, indexes).
+ * Re-running on an already-bootstrapped database is a no-op.
+ */
+
+export const AUTOPG_META_TABLE = 'autopg_meta';
+
+/**
+ * Base columns owned by this module.
+ *
+ *   - slug:           PRIMARY KEY — the sanitized consumer slug
+ *                     (sanitizeSlug from src/provision/db-naming.js)
+ *   - manifest_path:  NOT NULL — absolute path to the cache manifest
+ *                     file at ~/.autopg/<slug>/manifest.json
+ *   - locked_roots:   NOT NULL — JSONB array shaped like
+ *                     TRUSTED_IDENTITIES entries, frozen-at-create
+ *   - created_at:     NOT NULL DEFAULT now() — set on insert
+ *   - last_updated:   NOT NULL DEFAULT now() — touched by every
+ *                     create-app re-run; locked_roots stays untouched
+ */
+export const AUTOPG_META_COLUMNS = Object.freeze([
+  'slug',
+  'manifest_path',
+  'locked_roots',
+  'created_at',
+  'last_updated',
+]);
+
+// Schema-qualified name. The doctor / verifier read paths probe
+// `to_regclass('public.autopg_meta')`; an unqualified CREATE TABLE
+// could land in a non-public schema if a non-default search_path is
+// configured on the active role, leaving subsequent reads unable to
+// find it. Match the qualification convention pgserve_meta uses.
+const QUALIFIED = `public.${AUTOPG_META_TABLE}`;
+
+/**
+ * Idempotent statements that CREATE the table + supporting indexes.
+ * Returned as an array so callers can run each one individually for
+ * clear error reporting (mirrors src/schema/pgserve-meta.js shape).
+ */
+export function getBootstrapStatements() {
+  return [
+    [
+      `CREATE TABLE IF NOT EXISTS ${QUALIFIED} (`,
+      '  slug          TEXT        PRIMARY KEY,',
+      '  manifest_path TEXT        NOT NULL,',
+      '  locked_roots  JSONB       NOT NULL,',
+      '  created_at    TIMESTAMPTZ NOT NULL DEFAULT now(),',
+      '  last_updated  TIMESTAMPTZ NOT NULL DEFAULT now()',
+      ')',
+    ].join('\n'),
+    `CREATE INDEX IF NOT EXISTS ${AUTOPG_META_TABLE}_last_updated_idx ON ${QUALIFIED} (last_updated)`,
+  ];
+}
+
+/**
+ * Single SQL string variant — convenient for embedding the bootstrap in
+ * a transaction or pg-init script.
+ */
+export function getBootstrapSQL() {
+  return `${getBootstrapStatements().join(';\n\n')};\n`;
+}
+
+/**
+ * Apply the bootstrap via a node-postgres-compatible client. The client
+ * must expose an async `query(sql)` method (matches both `pg.Client` and
+ * `pg.PoolClient`). Returns the list of statements executed.
+ *
+ * Statements run sequentially so a failure on the index half doesn't
+ * masquerade as success after the table half ran.
+ */
+export async function bootstrapAutopgMeta(client) {
+  if (!client || typeof client.query !== 'function') {
+    throw new TypeError('bootstrapAutopgMeta: client must expose an async query() method');
+  }
+  const statements = getBootstrapStatements();
+  for (const sql of statements) {
+    await client.query(sql);
+  }
+  return statements;
+}
+
+/**
+ * Predicate the doctor / verify read paths can call before deciding
+ * whether to query the table. Callers pass the result of
+ * `SELECT to_regclass('public.autopg_meta') IS NOT NULL`.
+ */
+export function tableExistsFromRegclass(toRegclassResult) {
+  return toRegclassResult === true;
+}