postgresai 0.12.0-beta.7 → 0.14.0-dev.10

package/README.md

@@ -34,6 +34,53 @@ postgresai --help
 pgai --help  # short alias
 ```
 
+## init (create monitoring user in Postgres)
+
+This command creates (or updates) the `postgres_ai_mon` user and grants the permissions described in the root `README.md` (it is idempotent).
+
+Run without installing (positional connection string):
+
+```bash
+npx postgresai init postgresql://admin@host:5432/dbname
+```
+
+It also accepts libpq “conninfo” syntax:
+
+```bash
+npx postgresai init "dbname=dbname host=host user=admin"
+```
+
+And psql-like options:
+
+```bash
+npx postgresai init -h host -p 5432 -U admin -d dbname
+```
+
+Password input options (in priority order):
+- `--password <password>`
+- `PGAI_MON_PASSWORD` environment variable
+- if not provided: a strong password is generated automatically and printed once
+
+Optional permissions (RDS/self-managed extras from the root `README.md`) are enabled by default. To skip them:
+
+```bash
+npx postgresai init postgresql://admin@host:5432/dbname --skip-optional-permissions
+```
+
+### Print SQL / dry run
+
+To see what SQL would be executed (passwords redacted by default):
+
+```bash
+npx postgresai init postgresql://admin@host:5432/dbname --print-sql
+```
+
+To print SQL and exit without applying anything:
+
+```bash
+npx postgresai init postgresql://admin@host:5432/dbname --dry-run
+```
+
 ## Quick start
 
 ### Authentication

package/bin/postgres-ai.ts

@@ -15,6 +15,7 @@ import { URL } from "url";
 import { startMcpServer } from "../lib/mcp-server";
 import { fetchIssues, fetchIssueComments, createIssueComment, fetchIssue } from "../lib/issues";
 import { resolveBaseUrls } from "../lib/util";
+import { applyInitPlan, buildInitPlan, resolveAdminConnection, resolveMonitoringPassword } from "../lib/init";
 
 const execPromise = promisify(exec);
 const execFilePromise = promisify(execFile);
@@ -116,6 +117,182 @@ program
     "UI base URL for browser routes (overrides PGAI_UI_BASE_URL)"
   );
 
+program
+  .command("init [conn]")
+  .description("Create a monitoring user and grant all required permissions (idempotent)")
+  .option("--db-url <url>", "PostgreSQL connection URL (admin) to run the setup against (deprecated; pass it as positional arg)")
+  .option("-h, --host <host>", "PostgreSQL host (psql-like)")
+  .option("-p, --port <port>", "PostgreSQL port (psql-like)")
+  .option("-U, --username <username>", "PostgreSQL user (psql-like)")
+  .option("-d, --dbname <dbname>", "PostgreSQL database name (psql-like)")
+  .option("--admin-password <password>", "Admin connection password (otherwise uses PGPASSWORD if set)")
+  .option("--monitoring-user <name>", "Monitoring role name to create/update", "postgres_ai_mon")
+  .option("--password <password>", "Monitoring role password (overrides PGAI_MON_PASSWORD)")
+  .option("--skip-optional-permissions", "Skip optional permissions (RDS/self-managed extras)", false)
+  .option("--print-sql", "Print SQL steps before applying (passwords redacted by default)", false)
+  .option("--show-secrets", "When printing SQL, do not redact secrets (DANGEROUS)", false)
+  .option("--dry-run", "Print SQL steps and exit without applying changes", false)
+  .action(async (conn: string | undefined, opts: {
+    dbUrl?: string;
+    host?: string;
+    port?: string;
+    username?: string;
+    dbname?: string;
+    adminPassword?: string;
+    monitoringUser: string;
+    password?: string;
+    skipOptionalPermissions?: boolean;
+    printSql?: boolean;
+    showSecrets?: boolean;
+    dryRun?: boolean;
+  }) => {
+    let adminConn;
+    try {
+      adminConn = resolveAdminConnection({
+        conn,
+        dbUrlFlag: opts.dbUrl,
+        host: opts.host,
+        port: opts.port,
+        username: opts.username,
+        dbname: opts.dbname,
+        adminPassword: opts.adminPassword,
+        envPassword: process.env.PGPASSWORD,
+      });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      console.error(`✗ ${msg}`);
+      process.exitCode = 1;
+      return;
+    }
+
+    const includeOptionalPermissions = !opts.skipOptionalPermissions;
+
+    console.log(`Connecting to: ${adminConn.display}`);
+    console.log(`Monitoring user: ${opts.monitoringUser}`);
+    console.log(`Optional permissions: ${includeOptionalPermissions ? "enabled" : "skipped"}`);
+
+    const shouldPrintSql = !!opts.printSql || !!opts.dryRun;
+
+    // Use native pg client instead of requiring psql to be installed
+    const { Client } = require("pg");
+    const client = new Client(adminConn.clientConfig);
+
+    try {
+      await client.connect();
+
+      const roleRes = await client.query("select 1 from pg_catalog.pg_roles where rolname = $1", [
+        opts.monitoringUser,
+      ]);
+      const roleExists = roleRes.rowCount > 0;
+
+      const dbRes = await client.query("select current_database() as db");
+      const database = dbRes.rows?.[0]?.db;
+      if (typeof database !== "string" || !database) {
+        throw new Error("Failed to resolve current database name");
+      }
+
+      let monPassword: string;
+      try {
+        const resolved = await resolveMonitoringPassword({
+          passwordFlag: opts.password,
+          passwordEnv: process.env.PGAI_MON_PASSWORD,
+          monitoringUser: opts.monitoringUser,
+        });
+        monPassword = resolved.password;
+        if (resolved.generated) {
+          console.log(`Generated password for monitoring user ${opts.monitoringUser}: ${monPassword}`);
+          console.log("Store it securely (or rerun with --password / PGAI_MON_PASSWORD to set your own).");
+        }
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`✗ ${msg}`);
+        process.exitCode = 1;
+        return;
+      }
+
+      const plan = await buildInitPlan({
+        database,
+        monitoringUser: opts.monitoringUser,
+        monitoringPassword: monPassword,
+        includeOptionalPermissions,
+        roleExists,
+      });
+
+      if (shouldPrintSql) {
+        const redact = !opts.showSecrets;
+        const redactPasswords = (sql: string): string => {
+          if (!redact) return sql;
+          // Replace PASSWORD '<literal>' (handles doubled quotes inside).
+          return sql.replace(/password\s+'(?:''|[^'])*'/gi, "password '<redacted>'");
+        };
+
+        console.log("\n--- SQL plan ---");
+        for (const step of plan.steps) {
+          console.log(`\n-- ${step.name}${step.optional ? " (optional)" : ""}`);
+          console.log(redactPasswords(step.sql));
+        }
+        console.log("\n--- end SQL plan ---\n");
+        if (redact) {
+          console.log("Note: passwords are redacted in the printed SQL (use --show-secrets to print them).");
+        }
+      }
+
+      if (opts.dryRun) {
+        console.log("✓ dry-run completed (no changes were applied)");
+        return;
+      }
+
+      const { applied, skippedOptional } = await applyInitPlan({ client, plan });
+
+      console.log("✓ init completed");
+      if (skippedOptional.length > 0) {
+        console.log("⚠ Some optional steps were skipped (not supported or insufficient privileges):");
+        for (const s of skippedOptional) console.log(`- ${s}`);
+      }
+      // Keep output compact but still useful
+      if (process.stdout.isTTY) {
+        console.log(`Applied ${applied.length} steps`);
+      }
+    } catch (error) {
+      const errAny = error as any;
+      let message = "";
+      if (error instanceof Error && error.message) {
+        message = error.message;
+      } else if (errAny && typeof errAny === "object" && typeof errAny.message === "string" && errAny.message) {
+        message = errAny.message;
+      } else {
+        message = String(error);
+      }
+      if (!message || message === "[object Object]") {
+        message = "Unknown error";
+      }
+      console.error(`✗ init failed: ${message}`);
+      if (errAny && typeof errAny === "object") {
+        if (typeof errAny.code === "string" && errAny.code) {
+          console.error(`Error code: ${errAny.code}`);
+        }
+        if (typeof errAny.detail === "string" && errAny.detail) {
+          console.error(`Detail: ${errAny.detail}`);
+        }
+        if (typeof errAny.hint === "string" && errAny.hint) {
+          console.error(`Hint: ${errAny.hint}`);
+        }
+      }
+      if (errAny && typeof errAny === "object" && typeof errAny.code === "string") {
+        if (errAny.code === "42501") {
+          console.error("Hint: connect as a superuser (or a role with CREATEROLE and sufficient GRANT privileges).");
+        }
+      }
+      process.exitCode = 1;
+    } finally {
+      try {
+        await client.end();
+      } catch {
+        // ignore
+      }
+    }
+  });
+
 /**
  * Stub function for not implemented commands
  */

package/dist/bin/postgres-ai.js

@@ -49,6 +49,7 @@ const url_1 = require("url");
 const mcp_server_1 = require("../lib/mcp-server");
 const issues_1 = require("../lib/issues");
 const util_2 = require("../lib/util");
+const init_1 = require("../lib/init");
 const execPromise = (0, util_1.promisify)(child_process_1.exec);
 const execFilePromise = (0, util_1.promisify)(child_process_1.execFile);
 /**
@@ -98,6 +99,163 @@ program
     .option("--api-key <key>", "API key (overrides PGAI_API_KEY)")
     .option("--api-base-url <url>", "API base URL for backend RPC (overrides PGAI_API_BASE_URL)")
     .option("--ui-base-url <url>", "UI base URL for browser routes (overrides PGAI_UI_BASE_URL)");
+program
+    .command("init [conn]")
+    .description("Create a monitoring user and grant all required permissions (idempotent)")
+    .option("--db-url <url>", "PostgreSQL connection URL (admin) to run the setup against (deprecated; pass it as positional arg)")
+    .option("-h, --host <host>", "PostgreSQL host (psql-like)")
+    .option("-p, --port <port>", "PostgreSQL port (psql-like)")
+    .option("-U, --username <username>", "PostgreSQL user (psql-like)")
+    .option("-d, --dbname <dbname>", "PostgreSQL database name (psql-like)")
+    .option("--admin-password <password>", "Admin connection password (otherwise uses PGPASSWORD if set)")
+    .option("--monitoring-user <name>", "Monitoring role name to create/update", "postgres_ai_mon")
+    .option("--password <password>", "Monitoring role password (overrides PGAI_MON_PASSWORD)")
+    .option("--skip-optional-permissions", "Skip optional permissions (RDS/self-managed extras)", false)
+    .option("--print-sql", "Print SQL steps before applying (passwords redacted by default)", false)
+    .option("--show-secrets", "When printing SQL, do not redact secrets (DANGEROUS)", false)
+    .option("--dry-run", "Print SQL steps and exit without applying changes", false)
+    .action(async (conn, opts) => {
+    let adminConn;
+    try {
+        adminConn = (0, init_1.resolveAdminConnection)({
+            conn,
+            dbUrlFlag: opts.dbUrl,
+            host: opts.host,
+            port: opts.port,
+            username: opts.username,
+            dbname: opts.dbname,
+            adminPassword: opts.adminPassword,
+            envPassword: process.env.PGPASSWORD,
+        });
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`✗ ${msg}`);
+        process.exitCode = 1;
+        return;
+    }
+    const includeOptionalPermissions = !opts.skipOptionalPermissions;
+    console.log(`Connecting to: ${adminConn.display}`);
+    console.log(`Monitoring user: ${opts.monitoringUser}`);
+    console.log(`Optional permissions: ${includeOptionalPermissions ? "enabled" : "skipped"}`);
+    const shouldPrintSql = !!opts.printSql || !!opts.dryRun;
+    // Use native pg client instead of requiring psql to be installed
+    const { Client } = require("pg");
+    const client = new Client(adminConn.clientConfig);
+    try {
+        await client.connect();
+        const roleRes = await client.query("select 1 from pg_catalog.pg_roles where rolname = $1", [
+            opts.monitoringUser,
+        ]);
+        const roleExists = roleRes.rowCount > 0;
+        const dbRes = await client.query("select current_database() as db");
+        const database = dbRes.rows?.[0]?.db;
+        if (typeof database !== "string" || !database) {
+            throw new Error("Failed to resolve current database name");
+        }
+        let monPassword;
+        try {
+            const resolved = await (0, init_1.resolveMonitoringPassword)({
+                passwordFlag: opts.password,
+                passwordEnv: process.env.PGAI_MON_PASSWORD,
+                monitoringUser: opts.monitoringUser,
+            });
+            monPassword = resolved.password;
+            if (resolved.generated) {
+                console.log(`Generated password for monitoring user ${opts.monitoringUser}: ${monPassword}`);
+                console.log("Store it securely (or rerun with --password / PGAI_MON_PASSWORD to set your own).");
+            }
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            console.error(`✗ ${msg}`);
+            process.exitCode = 1;
+            return;
+        }
+        const plan = await (0, init_1.buildInitPlan)({
+            database,
+            monitoringUser: opts.monitoringUser,
+            monitoringPassword: monPassword,
+            includeOptionalPermissions,
+            roleExists,
+        });
+        if (shouldPrintSql) {
+            const redact = !opts.showSecrets;
+            const redactPasswords = (sql) => {
+                if (!redact)
+                    return sql;
+                // Replace PASSWORD '<literal>' (handles doubled quotes inside).
+                return sql.replace(/password\s+'(?:''|[^'])*'/gi, "password '<redacted>'");
+            };
+            console.log("\n--- SQL plan ---");
+            for (const step of plan.steps) {
+                console.log(`\n-- ${step.name}${step.optional ? " (optional)" : ""}`);
+                console.log(redactPasswords(step.sql));
+            }
+            console.log("\n--- end SQL plan ---\n");
+            if (redact) {
+                console.log("Note: passwords are redacted in the printed SQL (use --show-secrets to print them).");
+            }
+        }
+        if (opts.dryRun) {
+            console.log("✓ dry-run completed (no changes were applied)");
+            return;
+        }
+        const { applied, skippedOptional } = await (0, init_1.applyInitPlan)({ client, plan });
+        console.log("✓ init completed");
+        if (skippedOptional.length > 0) {
+            console.log("⚠ Some optional steps were skipped (not supported or insufficient privileges):");
+            for (const s of skippedOptional)
+                console.log(`- ${s}`);
+        }
+        // Keep output compact but still useful
+        if (process.stdout.isTTY) {
+            console.log(`Applied ${applied.length} steps`);
+        }
+    }
+    catch (error) {
+        const errAny = error;
+        let message = "";
+        if (error instanceof Error && error.message) {
+            message = error.message;
+        }
+        else if (errAny && typeof errAny === "object" && typeof errAny.message === "string" && errAny.message) {
+            message = errAny.message;
+        }
+        else {
+            message = String(error);
+        }
+        if (!message || message === "[object Object]") {
+            message = "Unknown error";
+        }
+        console.error(`✗ init failed: ${message}`);
+        if (errAny && typeof errAny === "object") {
+            if (typeof errAny.code === "string" && errAny.code) {
+                console.error(`Error code: ${errAny.code}`);
+            }
+            if (typeof errAny.detail === "string" && errAny.detail) {
+                console.error(`Detail: ${errAny.detail}`);
+            }
+            if (typeof errAny.hint === "string" && errAny.hint) {
+                console.error(`Hint: ${errAny.hint}`);
+            }
+        }
+        if (errAny && typeof errAny === "object" && typeof errAny.code === "string") {
+            if (errAny.code === "42501") {
+                console.error("Hint: connect as a superuser (or a role with CREATEROLE and sufficient GRANT privileges).");
+            }
+        }
+        process.exitCode = 1;
+    }
+    finally {
+        try {
+            await client.end();
+        }
+        catch {
+            // ignore
+        }
+    }
+});
 /**
  * Stub function for not implemented commands
  */