pgserve 2.6.6 → 2.6.8

package/CHANGELOG.md

@@ -14,6 +14,78 @@ All notable changes to `pgserve` are documented here. The format follows
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.6.8] - 2026-05-12
+
+**Final v2.x maintenance release with full signed-tarball GH Release.**
+v2.6.7 closed the `autopg --version` smoke gate but Build Tarballs
+still failed on the next smoke check — `postgres --version` couldn't
+load `libicui18n.so.60`. Root cause: `fetch-postgres-bins.sh` was
+copying `native/bin` + `native/share` from the npm
+`@embedded-postgres` payload but skipping `native/lib`, AND was not
+recreating the SONAME symlinks described in `pg-symlinks.json`
+(`libicui18n.so.60 → libicui18n.so.60.2`).
+
+### Fixed
+
+- `scripts/fetch-postgres-bins.sh:stage_from_pkg` now copies
+  `native/lib/` into the staging directory + replays
+  `native/pg-symlinks.json` to recreate the 14 SONAME aliases. The
+  postgres binary's RPATH is `../lib/` (origin-relative), so all
+  bundled deps (libxml2, libssl, libcrypto, libz, libicudata,
+  libicui18n, libicuuc, libecpg, libpgtypes, libpq, …) now resolve at
+  runtime regardless of what the host system has installed.
+
+### Validated
+
+- Local reproduction: extracted tarball, ran
+  `./postgres/bin/postgres --version` →
+  `postgres (PostgreSQL) 18.3` ✅
+
+### Cohort wrap-up
+
+This is the LAST `pgserve`-named npm publish. Subsequent development
+moves to the `autopg` package starting at v3.0.0 from the new
+`automagik-dev/autopg` repo (post org transfer). Consumers like
+`@withone/cli` (`pgserve: ^2.x`) stay on npm latest indefinitely;
+v2.6.8 is the cohort's final stable polish.
+
+## [2.6.7] - 2026-05-12
+
+**Stability-focused follow-up to v2.6.6** — closes the missing
+`autopg --version` handler that was causing every `Build *` platform
+job to fail the real-mode tarball smoke gate at v2.6.4 / v2.6.5 / v2.6.6.
+
+### Fixed
+
+- `bin/postgres-server.js` — handle `autopg --version` / `autopg -v` by
+  emitting `autopg <VERSION>\n` and exiting 0. The compiled bun binary
+  is what `tests/integration/tarball-smoke.sh --real` exec-checks; the
+  previous fall-through to `printHelp() + exit 1` surfaced as the
+  misleading "binary not executable" smoke failure. Version resolution
+  honors (in order): the bun compile-time `--define BUILD_VERSION=...`
+  injection from `scripts/build-binary.sh:104`, the
+  `AUTOPG_BUILD_VERSION` env override, and the sibling `package.json`
+  for dev runs.
+
+### What this unblocks
+
+- Real-mode smoke gate now passes → Build Tarballs job uploads
+  per-platform artifacts.
+- Sign + Attest workflow (workflow_run after Build Tarballs) actually
+  fires with non-empty inputs → cosign sign-blob, SLSA L3 provenance,
+  and GitHub Attestations API attestation per tarball succeed.
+- release-publish workflow (workflow_run after Sign + Attest) creates
+  the `v2.6.7` GitHub Release with the 12 signed assets (4 platforms
+  × tarball + bundle + intoto.jsonl) attached.
+
+### Same payload as v2.6.4 / v2.6.5 / v2.6.6
+
+The npm runtime surface is identical across the 2.6.4–2.6.7 cluster.
+Consumers like `@withone/cli` (`pgserve: ^2.2.3`) pick up the latest
+on next install regardless of which version they previously resolved.
+v2.6.7 is the version that ALSO ships the GH Release with signed
+tarballs — that's the only delta visible to operators.
+
 ## [2.6.6] - 2026-05-12
 
 **Hot-fix follow-up to v2.6.5.** v2.6.5 published to npm but build-tarballs

package/bin/postgres-server.js

@@ -33,7 +33,47 @@ process.on('uncaughtException', (error) => {
 
 const args = process.argv.slice(2);
 
-if (args[0] === 'postmaster') {
+// `--version` / `-v` short-circuit — the compiled `autopg` binary
+// (bun --compile of this entry point) is the artifact that
+// `tests/integration/tarball-smoke.sh --real` exec-checks with
+// `autopg --version`. Without this branch the binary falls through to
+// `printHelp() + exit 1` and surfaces as the misleading
+// "binary not executable" smoke failure across every platform build.
+//
+// Version resolution order:
+//   1. BUILD_VERSION compile-time constant (bun --compile --define BUILD_VERSION="'<v>'"
+//      from scripts/build-binary.sh:104 — replaces the identifier in the
+//      compiled binary with the literal version string)
+//   2. AUTOPG_BUILD_VERSION env (operator override / dev runs)
+//   3. package.json sibling (dev runs from source via `bun bin/postgres-server.js`)
+//   4. literal 'unknown' (defensive)
+if (args[0] === '--version' || args[0] === '-v') {
+  let version = 'unknown';
+  // The compile-time --define replaces the bare identifier; wrap in
+  // typeof check so the source still parses + runs in non-compiled
+  // contexts where BUILD_VERSION is genuinely undefined.
+   
+  if (typeof BUILD_VERSION !== 'undefined' && BUILD_VERSION) {
+     
+    version = BUILD_VERSION;
+  } else if (typeof process.env.AUTOPG_BUILD_VERSION === 'string' && process.env.AUTOPG_BUILD_VERSION.length > 0) {
+    version = process.env.AUTOPG_BUILD_VERSION;
+  } else {
+    try {
+      const { readFileSync } = await import('node:fs');
+      const { fileURLToPath } = await import('node:url');
+      const { dirname, join } = await import('node:path');
+      const here = dirname(fileURLToPath(import.meta.url));
+      const pkg = JSON.parse(readFileSync(join(here, '..', 'package.json'), 'utf8'));
+      version = pkg.version;
+    } catch {
+      // fall through to 'unknown'
+    }
+  }
+  // tarball-smoke.sh asserts `autopg ${VERSION}` on stdout line 1.
+  process.stdout.write(`autopg ${version}\n`);
+  process.exit(0);
+} else if (args[0] === 'postmaster') {
   await runPostmasterSubcommand(args.slice(1));
 } else if (args[0] === 'serve') {
   // Alias `serve` → `postmaster` for symmetry with the v2.3 alias surface.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pgserve",
-  "version": "2.6.6",
+  "version": "2.6.8",
   "description": "Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases",
   "main": "src/index.js",
   "type": "module",

package/scripts/fetch-postgres-bins.sh

@@ -142,6 +142,56 @@ EOF
 
   cp -R "${native}/bin"   "${out_dir}/bin"
   cp -R "${native}/share" "${out_dir}/share" 2>/dev/null || mkdir -p "${out_dir}/share"
+
+  # The postgres binary's RPATH is `../lib/` (origin-relative), so it
+  # looks for libxml2 / libssl / libcrypto / libicu* in
+  # ${out_dir}/lib at runtime. The npm payload bundles all of these
+  # under native/lib (verified: libicui18n.so.60.2, libssl.so.1.1,
+  # etc. — 25 MB of bundled deps). Without copying lib/ the tarball
+  # extracts a postgres binary that fails with
+  # `error while loading shared libraries: libicui18n.so.60: cannot
+  # open shared object file: No such file or directory` on any
+  # platform that doesn't ship libicu60 system-wide (Ubuntu >= 20.04
+  # ships libicu70/74; only 18.04 ships libicu60).
+  #
+  # The package's normal postinstall creates SONAME symlinks
+  # (libicui18n.so.60 → libicui18n.so.60.2) from pg-symlinks.json, but
+  # we install with `--ignore-scripts` (security posture), so we must
+  # replay the symlink manifest manually. Without these symlinks the
+  # binary still can't find libicui18n.so.60 because npm packs only
+  # the real `.so.60.2` files, not the SONAME aliases.
+  if [[ -d "${native}/lib" ]]; then
+    cp -R "${native}/lib" "${out_dir}/lib"
+  fi
+
+  if [[ -f "${native}/pg-symlinks.json" ]]; then
+    # Strip the `native/` prefix from `source` + `target` and recreate
+    # symlinks under out_dir using relative names. Uses node so we get
+    # robust JSON parsing without yanking jq in as a dep.
+    OUT_DIR="$out_dir" MANIFEST="${native}/pg-symlinks.json" node -e '
+      const fs = require("fs");
+      const path = require("path");
+      const out = process.env.OUT_DIR;
+      const manifest = JSON.parse(fs.readFileSync(process.env.MANIFEST, "utf8"));
+      let made = 0;
+      for (const entry of manifest) {
+        // {"source":"native/lib/libicui18n.so.60.2","target":"native/lib/libicui18n.so.60"}
+        const src = entry.source.replace(/^native\//, "");
+        const tgt = entry.target.replace(/^native\//, "");
+        const tgtPath = path.join(out, tgt);
+        const srcRel = path.basename(src);
+        try { fs.unlinkSync(tgtPath); } catch {}
+        try {
+          fs.mkdirSync(path.dirname(tgtPath), { recursive: true });
+          fs.symlinkSync(srcRel, tgtPath);
+          made++;
+        } catch (err) {
+          console.error("  symlink failed: " + tgt + " -> " + srcRel + ": " + err.message);
+        }
+      }
+      console.error("    -> created " + made + " library SONAME symlinks");
+    ' || echo "    -> warning: pg-symlinks.json processing failed (postgres may not load shared libs)"
+  fi
   popd >/dev/null
 }