postgresai 0.14.0-beta.1 → 0.14.0-beta.10

package/dist/lib/pkce.js

@@ -1,101 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateCodeVerifier = generateCodeVerifier;
-exports.generateCodeChallenge = generateCodeChallenge;
-exports.generateState = generateState;
-exports.generatePKCEParams = generatePKCEParams;
-const crypto = __importStar(require("crypto"));
-/**
- * Generate a cryptographically random string for PKCE
- * @param length - Length of the string (43-128 characters per RFC 7636)
- * @returns Base64URL-encoded random string
- */
-function generateRandomString(length = 64) {
-    const bytes = crypto.randomBytes(length);
-    return base64URLEncode(bytes);
-}
-/**
- * Base64URL encode (without padding)
- * @param buffer - Buffer to encode
- * @returns Base64URL-encoded string
- */
-function base64URLEncode(buffer) {
-    return buffer
-        .toString("base64")
-        .replace(/\+/g, "-")
-        .replace(/\//g, "_")
-        .replace(/=/g, "");
-}
-/**
- * Generate PKCE code verifier
- * @returns Random code verifier (43-128 characters)
- */
-function generateCodeVerifier() {
-    return generateRandomString(32); // 32 bytes = 43 chars after base64url encoding
-}
-/**
- * Generate PKCE code challenge from verifier
- * Uses S256 method (SHA256)
- * @param verifier - Code verifier string
- * @returns Base64URL-encoded SHA256 hash of verifier
- */
-function generateCodeChallenge(verifier) {
-    const hash = crypto.createHash("sha256").update(verifier).digest();
-    return base64URLEncode(hash);
-}
-/**
- * Generate random state for CSRF protection
- * @returns Random state string
- */
-function generateState() {
-    return generateRandomString(16); // 16 bytes = 22 chars
-}
-/**
- * Generate complete PKCE parameters
- * @returns Object with verifier, challenge, challengeMethod, and state
- */
-function generatePKCEParams() {
-    const verifier = generateCodeVerifier();
-    const challenge = generateCodeChallenge(verifier);
-    const state = generateState();
-    return {
-        codeVerifier: verifier,
-        codeChallenge: challenge,
-        codeChallengeMethod: "S256",
-        state: state,
-    };
-}
-//# sourceMappingURL=pkce.js.map

package/dist/lib/pkce.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../lib/pkce.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuCA,oDAEC;AAQD,sDAGC;AAMD,sCAEC;AAMD,gDAWC;AA7ED,+CAAiC;AAYjC;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,SAAiB,EAAE;IAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACzC,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM;SACV,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB;IAClC,OAAO,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,+CAA+C;AAClF,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB,CAAC,QAAgB;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;IACnE,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa;IAC3B,OAAO,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB;AACzD,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB;IAChC,MAAM,QAAQ,GAAG,oBAAoB,EAAE,CAAC;IACxC,MAAM,SAAS,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAE9B,OAAO;QACL,YAAY,EAAE,QAAQ;QACtB,aAAa,EAAE,SAAS;QACxB,mBAAmB,EAAE,MAAM;QAC3B,KAAK,EAAE,KAAK;KACb,CAAC;AACJ,CAAC"}

package/dist/lib/util.d.ts

@@ -1,27 +0,0 @@
-export declare function maskSecret(secret: string): string;
-export interface RootOptsLike {
-    apiBaseUrl?: string;
-    uiBaseUrl?: string;
-}
-export interface ConfigLike {
-    baseUrl?: string | null;
-}
-export interface ResolvedBaseUrls {
-    apiBaseUrl: string;
-    uiBaseUrl: string;
-}
-/**
- * Normalize a base URL by trimming a single trailing slash and validating.
- * @throws Error if the URL is invalid
- */
-export declare function normalizeBaseUrl(value: string): string;
-/**
- * Resolve API and UI base URLs using precedence and normalize them.
- * Precedence (API): opts.apiBaseUrl → env.PGAI_API_BASE_URL → cfg.baseUrl → default
- * Precedence (UI):  opts.uiBaseUrl  → env.PGAI_UI_BASE_URL  → default
- */
-export declare function resolveBaseUrls(opts?: RootOptsLike, cfg?: ConfigLike, defaults?: {
-    apiBaseUrl?: string;
-    uiBaseUrl?: string;
-}): ResolvedBaseUrls;
-//# sourceMappingURL=util.d.ts.map

package/dist/lib/util.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../lib/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAKjD;AAGD,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAUtD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,IAAI,CAAC,EAAE,YAAY,EACnB,GAAG,CAAC,EAAE,UAAU,EAChB,QAAQ,GAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAO,GACzD,gBAAgB,CAWlB"}

package/dist/lib/util.js

@@ -1,46 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.maskSecret = maskSecret;
-exports.normalizeBaseUrl = normalizeBaseUrl;
-exports.resolveBaseUrls = resolveBaseUrls;
-function maskSecret(secret) {
-    if (!secret)
-        return "";
-    if (secret.length <= 8)
-        return "****";
-    if (secret.length <= 16)
-        return `${secret.slice(0, 4)}${"*".repeat(secret.length - 8)}${secret.slice(-4)}`;
-    return `${secret.slice(0, Math.min(12, secret.length - 8))}${"*".repeat(Math.max(4, secret.length - 16))}${secret.slice(-4)}`;
-}
-/**
- * Normalize a base URL by trimming a single trailing slash and validating.
- * @throws Error if the URL is invalid
- */
-function normalizeBaseUrl(value) {
-    const trimmed = (value || "").replace(/\/$/, "");
-    try {
-        // Validate
-        // eslint-disable-next-line no-new
-        new URL(trimmed);
-    }
-    catch {
-        throw new Error(`Invalid base URL: ${value}`);
-    }
-    return trimmed;
-}
-/**
- * Resolve API and UI base URLs using precedence and normalize them.
- * Precedence (API): opts.apiBaseUrl → env.PGAI_API_BASE_URL → cfg.baseUrl → default
- * Precedence (UI):  opts.uiBaseUrl  → env.PGAI_UI_BASE_URL  → default
- */
-function resolveBaseUrls(opts, cfg, defaults = {}) {
-    const defApi = defaults.apiBaseUrl || "https://postgres.ai/api/general/";
-    const defUi = defaults.uiBaseUrl || "https://console.postgres.ai";
-    const apiCandidate = (opts?.apiBaseUrl || process.env.PGAI_API_BASE_URL || cfg?.baseUrl || defApi);
-    const uiCandidate = (opts?.uiBaseUrl || process.env.PGAI_UI_BASE_URL || defUi);
-    return {
-        apiBaseUrl: normalizeBaseUrl(apiCandidate),
-        uiBaseUrl: normalizeBaseUrl(uiCandidate),
-    };
-}
-//# sourceMappingURL=util.js.map

package/dist/lib/util.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../../lib/util.ts"],"names":[],"mappings":";;AAAA,gCAKC;AAqBD,4CAUC;AAOD,0CAeC;AA1DD,SAAgB,UAAU,CAAC,MAAc;IACvC,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACvB,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IACtC,IAAI,MAAM,CAAC,MAAM,IAAI,EAAE;QAAE,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3G,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAChI,CAAC;AAiBD;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,KAAa;IAC5C,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACjD,IAAI,CAAC;QACH,WAAW;QACX,kCAAkC;QAClC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,qBAAqB,KAAK,EAAE,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAC7B,IAAmB,EACnB,GAAgB,EAChB,WAAwD,EAAE;IAE1D,MAAM,MAAM,GAAG,QAAQ,CAAC,UAAU,IAAI,kCAAkC,CAAC;IACzE,MAAM,KAAK,GAAG,QAAQ,CAAC,SAAS,IAAI,6BAA6B,CAAC;IAElE,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,GAAG,EAAE,OAAO,IAAI,MAAM,CAAW,CAAC;IAC7G,MAAM,WAAW,GAAG,CAAC,IAAI,EAAE,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,KAAK,CAAW,CAAC;IAEzF,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,YAAY,CAAC;QAC1C,SAAS,EAAE,gBAAgB,CAAC,WAAW,CAAC;KACzC,CAAC;AACJ,CAAC"}

package/dist/package.json

@@ -1,46 +0,0 @@
-{
-    "name": "postgresai",
-    "version": "0.14.0-beta.1",
-    "description": "postgres_ai CLI (Node.js)",
-    "license": "Apache-2.0",
-    "private": false,
-    "repository": {
-        "type": "git",
-        "url": "git+https://gitlab.com/postgres-ai/postgres_ai.git"
-    },
-    "homepage": "https://gitlab.com/postgres-ai/postgres_ai",
-    "bugs": {
-        "url": "https://gitlab.com/postgres-ai/postgres_ai/-/issues"
-    },
-    "bin": {
-        "postgres-ai": "./dist/bin/postgres-ai.js",
-        "postgresai": "./dist/bin/postgres-ai.js",
-        "pgai": "./dist/bin/postgres-ai.js"
-    },
-    "type": "commonjs",
-    "engines": {
-        "node": ">=18"
-    },
-    "scripts": {
-        "build": "tsc",
-        "prepare": "npm run build",
-        "start": "node ./dist/bin/postgres-ai.js --help",
-        "dev": "tsc --watch",
-        "test": "npm run build && node --test test/*.test.cjs"
-    },
-    "dependencies": {
-        "@modelcontextprotocol/sdk": "^1.20.2",
-        "commander": "^12.1.0",
-        "js-yaml": "^4.1.0",
-        "pg": "^8.16.3"
-    },
-    "devDependencies": {
-        "@types/js-yaml": "^4.0.9",
-        "@types/node": "^18.19.0",
-        "@types/pg": "^8.15.6",
-        "typescript": "^5.3.3"
-    },
-    "publishConfig": {
-        "access": "public"
-    }
-}

package/test/init.integration.test.cjs

@@ -1,368 +0,0 @@
-const test = require("node:test");
-const assert = require("node:assert/strict");
-const fs = require("node:fs");
-const os = require("node:os");
-const path = require("node:path");
-const net = require("node:net");
-const { spawn, spawnSync } = require("node:child_process");
-
-function sqlLiteral(value) {
-  return `'${String(value).replace(/'/g, "''")}'`;
-}
-
-function findOnPath(cmd) {
-  const which = spawnSync("sh", ["-lc", `command -v ${cmd}`], { encoding: "utf8" });
-  if (which.status === 0) return String(which.stdout || "").trim();
-  return null;
-}
-
-function findPgBin(cmd) {
-  const p = findOnPath(cmd);
-  if (p) return p;
-
-  // Debian/Ubuntu (GitLab CI node:*-bullseye images): binaries usually live here.
-  // We avoid filesystem globbing in JS and just ask the shell.
-  const probe = spawnSync(
-    "sh",
-    [
-      "-lc",
-      `ls -1 /usr/lib/postgresql/*/bin/${cmd} 2>/dev/null | head -n 1 || true`,
-    ],
-    { encoding: "utf8" }
-  );
-  const out = String(probe.stdout || "").trim();
-  if (out) return out;
-
-  return null;
-}
-
-function havePostgresBinaries() {
-  return !!(findPgBin("initdb") && findPgBin("postgres"));
-}
-
-async function getFreePort() {
-  return await new Promise((resolve, reject) => {
-    const srv = net.createServer();
-    srv.listen(0, "127.0.0.1", () => {
-      const addr = srv.address();
-      srv.close((err) => {
-        if (err) return reject(err);
-        resolve(addr.port);
-      });
-    });
-    srv.on("error", reject);
-  });
-}
-
-async function waitFor(fn, { timeoutMs = 10000, intervalMs = 100 } = {}) {
-  const start = Date.now();
-  // eslint-disable-next-line no-constant-condition
-  while (true) {
-    try {
-      return await fn();
-    } catch (e) {
-      if (Date.now() - start > timeoutMs) throw e;
-      await new Promise((r) => setTimeout(r, intervalMs));
-    }
-  }
-}
-
-async function withTempPostgres(t) {
-  const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), "postgresai-init-"));
-  const dataDir = path.join(tmpRoot, "data");
-  const socketDir = path.join(tmpRoot, "sock");
-  fs.mkdirSync(socketDir, { recursive: true });
-
-  const initdb = findPgBin("initdb");
-  const postgresBin = findPgBin("postgres");
-  assert.ok(initdb && postgresBin, "PostgreSQL binaries not found (need initdb and postgres)");
-
-  const init = spawnSync(initdb, ["-D", dataDir, "-U", "postgres", "-A", "trust"], {
-    encoding: "utf8",
-  });
-  assert.equal(init.status, 0, init.stderr || init.stdout);
-
-  // Configure: local socket trust, TCP scram.
-  const hbaPath = path.join(dataDir, "pg_hba.conf");
-  fs.appendFileSync(
-    hbaPath,
-    "\n# Added by postgresai init integration tests\nlocal all all trust\nhost all all 127.0.0.1/32 scram-sha-256\nhost all all ::1/128 scram-sha-256\n",
-    "utf8"
-  );
-
-  const port = await getFreePort();
-
-  const postgresProc = spawn(postgresBin, ["-D", dataDir, "-k", socketDir, "-h", "127.0.0.1", "-p", String(port)], {
-    stdio: ["ignore", "pipe", "pipe"],
-  });
-
-  // Register cleanup immediately so failures below don't leave a running postgres and hang CI.
-  t.after(async () => {
-    postgresProc.kill("SIGTERM");
-    try {
-      await waitFor(
-        async () => {
-          if (postgresProc.exitCode === null) throw new Error("still running");
-        },
-        { timeoutMs: 5000, intervalMs: 100 }
-      );
-    } catch {
-      postgresProc.kill("SIGKILL");
-    }
-    fs.rmSync(tmpRoot, { recursive: true, force: true });
-  });
-
-  const { Client } = require("pg");
-
-  const connectLocal = async (database = "postgres") => {
-    // IMPORTANT: must match the port Postgres is started with; otherwise pg defaults to 5432 and the socket path won't exist.
-    const c = new Client({ host: socketDir, port, user: "postgres", database });
-    await c.connect();
-    return c;
-  };
-
-  await waitFor(async () => {
-    const c = await connectLocal();
-    await c.end();
-  });
-
-  const postgresPassword = "postgrespw";
-  {
-    const c = await connectLocal();
-    await c.query(`alter user postgres password ${sqlLiteral(postgresPassword)};`);
-    await c.query("create database testdb");
-    await c.end();
-  }
-
-  const adminUri = `postgresql://postgres:${postgresPassword}@127.0.0.1:${port}/testdb`;
-  return { port, socketDir, adminUri, postgresPassword };
-}
-
-async function runCliInit(args, env = {}) {
-  const node = process.execPath;
-  const cliPath = path.resolve(__dirname, "..", "dist", "bin", "postgres-ai.js");
-  const res = spawnSync(node, [cliPath, "init", ...args], {
-    encoding: "utf8",
-    env: { ...process.env, ...env },
-  });
-  return res;
-}
-
-test(
-  "integration: init supports URI / conninfo / psql-like connection styles",
-  { skip: !havePostgresBinaries() },
-  async (t) => {
-    const pg = await withTempPostgres(t);
-
-    // 1) positional URI
-    {
-      const r = await runCliInit([pg.adminUri, "--password", "monpw", "--skip-optional-permissions"]);
-      assert.equal(r.status, 0, r.stderr || r.stdout);
-    }
-
-    // 2) conninfo
-    {
-      const conninfo = `dbname=testdb host=127.0.0.1 port=${pg.port} user=postgres password=${pg.postgresPassword}`;
-      const r = await runCliInit([conninfo, "--password", "monpw2", "--skip-optional-permissions"]);
-      assert.equal(r.status, 0, r.stderr || r.stdout);
-    }
-
-    // 3) psql-like options (+ PGPASSWORD)
-    {
-      const r = await runCliInit(
-        [
-          "-h",
-          "127.0.0.1",
-          "-p",
-          String(pg.port),
-          "-U",
-          "postgres",
-          "-d",
-          "testdb",
-          "--password",
-          "monpw3",
-          "--skip-optional-permissions",
-        ],
-        { PGPASSWORD: pg.postgresPassword }
-      );
-      assert.equal(r.status, 0, r.stderr || r.stdout);
-    }
-  }
-);
-
-test(
-  "integration: init requires explicit monitoring password in non-interactive mode (unless --print-password)",
-  { skip: !havePostgresBinaries() },
-  async (t) => {
-    const pg = await withTempPostgres(t);
-
-    // spawnSync captures stdout/stderr (non-TTY). We should not print a generated password unless explicitly requested.
-    {
-      const r = await runCliInit([pg.adminUri, "--skip-optional-permissions"]);
-      assert.notEqual(r.status, 0);
-      assert.match(r.stderr, /not printed in non-interactive mode/i);
-      assert.match(r.stderr, /--print-password/);
-    }
-
-    // With explicit opt-in, it should succeed (and will print the generated password).
-    {
-      const r = await runCliInit([pg.adminUri, "--print-password", "--skip-optional-permissions"]);
-      assert.equal(r.status, 0, r.stderr || r.stdout);
-      assert.match(r.stdout, /Generated monitoring password for postgres_ai_mon/i);
-      assert.match(r.stdout, /PGAI_MON_PASSWORD=/);
-    }
-  }
-);
-
-test(
-  "integration: init fixes slightly-off permissions idempotently",
-  { skip: !havePostgresBinaries() },
-  async (t) => {
-    const pg = await withTempPostgres(t);
-    const { Client } = require("pg");
-
-    // Create monitoring role with wrong password, no grants.
-    {
-      const c = new Client({ connectionString: pg.adminUri });
-      await c.connect();
-      await c.query(
-        "do $$ begin if not exists (select 1 from pg_roles where rolname='postgres_ai_mon') then create role postgres_ai_mon login password 'wrong'; end if; end $$;"
-      );
-      await c.end();
-    }
-
-    // Run init (should grant everything).
-    {
-      const r = await runCliInit([pg.adminUri, "--password", "correctpw", "--skip-optional-permissions"]);
-      assert.equal(r.status, 0, r.stderr || r.stdout);
-    }
-
-    // Verify privileges.
-    {
-      const c = new Client({ connectionString: pg.adminUri });
-      await c.connect();
-      const dbOk = await c.query(
-        "select has_database_privilege('postgres_ai_mon', current_database(), 'CONNECT') as ok"
-      );
-      assert.equal(dbOk.rows[0].ok, true);
-      const roleOk = await c.query("select pg_has_role('postgres_ai_mon', 'pg_monitor', 'member') as ok");
-      assert.equal(roleOk.rows[0].ok, true);
-      const idxOk = await c.query(
-        "select has_table_privilege('postgres_ai_mon', 'pg_catalog.pg_index', 'SELECT') as ok"
-      );
-      assert.equal(idxOk.rows[0].ok, true);
-      const viewOk = await c.query(
-        "select has_table_privilege('postgres_ai_mon', 'public.pg_statistic', 'SELECT') as ok"
-      );
-      assert.equal(viewOk.rows[0].ok, true);
-      const sp = await c.query("select rolconfig from pg_roles where rolname='postgres_ai_mon'");
-      assert.ok(Array.isArray(sp.rows[0].rolconfig));
-      assert.ok(sp.rows[0].rolconfig.some((v) => String(v).includes("search_path=")));
-      await c.end();
-    }
-
-    // Run init again (idempotent).
-    {
-      const r = await runCliInit([pg.adminUri, "--password", "correctpw", "--skip-optional-permissions"]);
-      assert.equal(r.status, 0, r.stderr || r.stdout);
-    }
-  }
-);
-
-test("integration: init reports nicely when lacking permissions", { skip: !havePostgresBinaries() }, async (t) => {
-  const pg = await withTempPostgres(t);
-  const { Client } = require("pg");
-
-  // Create limited user that can connect but cannot create roles / grant.
-  const limitedPw = "limitedpw";
-  {
-    const c = new Client({ connectionString: pg.adminUri });
-    await c.connect();
-    await c.query(`do $$ begin
-      if not exists (select 1 from pg_roles where rolname='limited') then
-        begin
-          create role limited login password ${sqlLiteral(limitedPw)};
-        exception when duplicate_object then
-          null;
-        end;
-      end if;
-    end $$;`);
-    await c.query("grant connect on database testdb to limited");
-    await c.end();
-  }
-
-  const limitedUri = `postgresql://limited:${limitedPw}@127.0.0.1:${pg.port}/testdb`;
-  const r = await runCliInit([limitedUri, "--password", "monpw", "--skip-optional-permissions"]);
-  assert.notEqual(r.status, 0);
-  assert.match(r.stderr, /init failed:/);
-  // Should include step context and hint.
-  assert.match(r.stderr, /Failed at step "/);
-  assert.match(r.stderr, /Permission error:/i);
-  assert.match(r.stderr, /How to fix:/i);
-  assert.match(r.stderr, /Hint: connect as a superuser/i);
-});
-
-test("integration: init --verify returns 0 when ok and non-zero when missing", { skip: !havePostgresBinaries() }, async (t) => {
-  const pg = await withTempPostgres(t);
-  const { Client } = require("pg");
-
-  // Prepare: run init
-  {
-    const r = await runCliInit([pg.adminUri, "--password", "monpw", "--skip-optional-permissions"]);
-    assert.equal(r.status, 0, r.stderr || r.stdout);
-  }
-
-  // Verify should pass
-  {
-    const r = await runCliInit([pg.adminUri, "--verify", "--skip-optional-permissions"]);
-    assert.equal(r.status, 0, r.stderr || r.stdout);
-    assert.match(r.stdout, /init verify: OK/i);
-  }
-
-  // Break a required privilege and ensure verify fails
-  {
-    const c = new Client({ connectionString: pg.adminUri });
-    await c.connect();
-    // pg_catalog tables are often readable via PUBLIC by default; revoke from PUBLIC too so the failure is deterministic.
-    await c.query("revoke select on pg_catalog.pg_index from public");
-    await c.query("revoke select on pg_catalog.pg_index from postgres_ai_mon");
-    await c.end();
-  }
-  {
-    const r = await runCliInit([pg.adminUri, "--verify", "--skip-optional-permissions"]);
-    assert.notEqual(r.status, 0);
-    assert.match(r.stderr, /init verify failed/i);
-    assert.match(r.stderr, /pg_catalog\.pg_index/i);
-  }
-});
-
-test("integration: init --reset-password updates the monitoring role login password", { skip: !havePostgresBinaries() }, async (t) => {
-  const pg = await withTempPostgres(t);
-  const { Client } = require("pg");
-
-  // Initial setup with password pw1
-  {
-    const r = await runCliInit([pg.adminUri, "--password", "pw1", "--skip-optional-permissions"]);
-    assert.equal(r.status, 0, r.stderr || r.stdout);
-  }
-
-  // Reset to pw2
-  {
-    const r = await runCliInit([pg.adminUri, "--reset-password", "--password", "pw2", "--skip-optional-permissions"]);
-    assert.equal(r.status, 0, r.stderr || r.stdout);
-    assert.match(r.stdout, /password reset/i);
-  }
-
-  // Connect as monitoring user with new password should work
-  {
-    const c = new Client({
-      connectionString: `postgresql://postgres_ai_mon:pw2@127.0.0.1:${pg.port}/testdb`,
-    });
-    await c.connect();
-    const ok = await c.query("select 1 as ok");
-    assert.equal(ok.rows[0].ok, 1);
-    await c.end();
-  }
-});
-
-