postgresai 0.14.0-beta.12 → 0.14.0-beta.14

package/test/init.test.ts

@@ -1,5 +1,7 @@
-import { describe, test, expect, beforeAll } from "bun:test";
+import { describe, test, expect, beforeAll, afterAll } from "bun:test";
 import { resolve } from "path";
+import * as fs from "fs";
+import * as os from "os";
 
 // Import from source directly since we're using Bun
 import * as init from "../lib/init";
@@ -87,7 +89,7 @@ describe("init module", () => {
     expect(roleStep.sql).toMatch(/create\s+user\s+"user ""with"" quotes ✓"/i);
     expect(roleStep.sql).toMatch(/alter\s+user\s+"user ""with"" quotes ✓"/i);
 
-    const permStep = plan.steps.find((s: { name: string }) => s.name === "02.permissions");
+    const permStep = plan.steps.find((s: { name: string }) => s.name === "03.permissions");
     expect(permStep).toBeTruthy();
     expect(permStep.sql).toMatch(/grant connect on database "db name ""with"" quotes ✓" to "user ""with"" quotes ✓"/i);
   });
@@ -150,6 +152,42 @@ describe("init module", () => {
     expect(plan.steps.some((s: { optional?: boolean }) => s.optional)).toBe(true);
   });
 
+  test("buildInitPlan skips role creation for supabase provider", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    expect(plan.steps.some((s) => s.name === "01.role")).toBe(false);
+    expect(plan.steps.some((s) => s.name === "03.permissions")).toBe(true);
+  });
+
+  test("buildInitPlan removes ALTER USER for supabase provider", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeDefined();
+    expect(permStep!.sql.toLowerCase()).not.toMatch(/alter user/);
+  });
+
+  test("buildInitPlan includes role creation for unknown provider", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "some-custom-provider",
+    });
+    expect(plan.steps.some((s) => s.name === "01.role")).toBe(true);
+  });
+
   test("resolveAdminConnection accepts positional URI", () => {
     const r = init.resolveAdminConnection({ conn: "postgresql://u:p@h:5432/d" });
     expect(r.clientConfig.connectionString).toBeTruthy();
@@ -288,6 +326,91 @@ describe("init module", () => {
     expect(calls[calls.length - 1].toLowerCase()).toBe("rollback;");
   });
 
+  test("verifyInitSetup skips search_path check for supabase provider", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        // Return empty rolconfig - would fail without provider=supabase
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: null }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    // With provider=supabase, should pass even without search_path
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should not have queried for rolconfig since we skip search_path check
+    expect(calls.some((c) => c.includes("select rolconfig"))).toBe(false);
+  });
+
+  test("buildInitPlan preserves comments when filtering ALTER USER", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeDefined();
+    // Should have removed ALTER USER but kept comments
+    expect(permStep!.sql.toLowerCase()).not.toMatch(/^\s*alter\s+user/m);
+    // Should still have comment lines
+    expect(permStep!.sql).toMatch(/^--/m);
+  });
+
+  test("validateProvider returns null for known providers", () => {
+    expect(init.validateProvider(undefined)).toBe(null);
+    expect(init.validateProvider("self-managed")).toBe(null);
+    expect(init.validateProvider("supabase")).toBe(null);
+  });
+
+  test("validateProvider returns warning for unknown providers", () => {
+    const warning = init.validateProvider("unknown-provider");
+    expect(warning).not.toBe(null);
+    expect(warning).toMatch(/Unknown provider/);
+    expect(warning).toMatch(/unknown-provider/);
+  });
+
   test("redactPasswordsInSql redacts password literals with embedded quotes", async () => {
     const plan = await init.buildInitPlan({
       database: "mydb",
@@ -300,6 +423,179 @@ describe("init module", () => {
     const redacted = init.redactPasswordsInSql(step.sql);
     expect(redacted).toMatch(/password '<redacted>'/i);
   });
+
+  // Tests for buildUninitPlan
+  test("buildUninitPlan generates correct steps with dropRole=true", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+    });
+
+    expect(plan.database).toBe("mydb");
+    expect(plan.monitoringUser).toBe(DEFAULT_MONITORING_USER);
+    expect(plan.dropRole).toBe(true);
+    expect(plan.steps.length).toBe(3);
+    expect(plan.steps.map((s) => s.name)).toEqual([
+      "01.drop_helpers",
+      "02.revoke_permissions",
+      "03.drop_role",
+    ]);
+  });
+
+  test("buildUninitPlan skips role drop when dropRole=false", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: false,
+    });
+
+    expect(plan.dropRole).toBe(false);
+    expect(plan.steps.length).toBe(2);
+    expect(plan.steps.map((s) => s.name)).toEqual([
+      "01.drop_helpers",
+      "02.revoke_permissions",
+    ]);
+  });
+
+  test("buildUninitPlan skips role drop for supabase provider", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+      provider: "supabase",
+    });
+
+    // Even with dropRole=true, supabase provider skips role operations
+    expect(plan.steps.length).toBe(2);
+    expect(plan.steps.some((s) => s.name === "03.drop_role")).toBe(false);
+  });
+
+  test("buildUninitPlan handles special characters in identifiers", async () => {
+    const monitoringUser = 'user "with" quotes';
+    const database = 'db "name"';
+    const plan = await init.buildUninitPlan({
+      database,
+      monitoringUser,
+      dropRole: true,
+    });
+
+    // Check that identifiers are properly quoted in SQL
+    const dropHelpersStep = plan.steps.find((s) => s.name === "01.drop_helpers");
+    expect(dropHelpersStep).toBeTruthy();
+
+    const revokeStep = plan.steps.find((s) => s.name === "02.revoke_permissions");
+    expect(revokeStep).toBeTruthy();
+    expect(revokeStep!.sql).toContain('"user ""with"" quotes"');
+    expect(revokeStep!.sql).toContain('"db ""name"""');
+
+    const dropRoleStep = plan.steps.find((s) => s.name === "03.drop_role");
+    expect(dropRoleStep).toBeTruthy();
+    // Uses ROLE_LITERAL (single-quoted) for format('%I', ...) in dynamic SQL
+    expect(dropRoleStep!.sql).toContain("'user \"with\" quotes'");
+  });
+
+  test("buildUninitPlan rejects identifiers with null bytes", async () => {
+    await expect(
+      init.buildUninitPlan({
+        database: "mydb",
+        monitoringUser: "bad\0user",
+        dropRole: true,
+      })
+    ).rejects.toThrow(/Identifier cannot contain null bytes/);
+  });
+
+  test("applyUninitPlan continues on errors and reports them", async () => {
+    const plan = {
+      monitoringUser: DEFAULT_MONITORING_USER,
+      database: "mydb",
+      dropRole: true,
+      steps: [
+        { name: "01.drop_helpers", sql: "drop function if exists postgres_ai.test()" },
+        { name: "02.revoke_permissions", sql: "select 1/0" }, // Will fail
+        { name: "03.drop_role", sql: "select 1" },
+      ],
+    };
+
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string) => {
+        calls.push(sql);
+        if (sql === "begin;") return { rowCount: 1 };
+        if (sql === "commit;") return { rowCount: 1 };
+        if (sql === "rollback;") return { rowCount: 1 };
+        if (sql.includes("1/0")) throw new Error("division by zero");
+        return { rowCount: 1 };
+      },
+    };
+
+    const result = await init.applyUninitPlan({ client: client as any, plan: plan as any });
+
+    // Should have applied steps 1 and 3, with step 2 in errors
+    expect(result.applied).toContain("01.drop_helpers");
+    expect(result.applied).toContain("03.drop_role");
+    expect(result.applied).not.toContain("02.revoke_permissions");
+    expect(result.errors.length).toBe(1);
+    expect(result.errors[0]).toMatch(/02\.revoke_permissions.*division by zero/);
+  });
+
+  test("buildInitPlan includes 02.extensions step with pg_stat_statements", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const extStep = plan.steps.find((s) => s.name === "02.extensions");
+    expect(extStep).toBeTruthy();
+    // Should create pg_stat_statements with IF NOT EXISTS
+    expect(extStep!.sql).toMatch(/create extension if not exists pg_stat_statements/i);
+  });
+
+  test("buildInitPlan creates extensions before permissions", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const stepNames = plan.steps.map((s) => s.name);
+    const extIndex = stepNames.indexOf("02.extensions");
+    const permIndex = stepNames.indexOf("03.permissions");
+    expect(extIndex).toBeGreaterThanOrEqual(0);
+    expect(permIndex).toBeGreaterThanOrEqual(0);
+    // Extensions should come before permissions
+    expect(extIndex).toBeLessThan(permIndex);
+  });
+
+  test("buildInitPlan uses IF NOT EXISTS for postgres_ai schema (idempotent)", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeTruthy();
+    // Should use IF NOT EXISTS for idempotent behavior
+    expect(permStep!.sql).toMatch(/create schema if not exists postgres_ai/i);
+  });
+
+  test("buildUninitPlan does NOT drop pg_stat_statements extension", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+    });
+
+    // Check all steps - none should drop pg_stat_statements
+    for (const step of plan.steps) {
+      expect(step.sql.toLowerCase()).not.toMatch(/drop extension.*pg_stat_statements/);
+    }
+  });
 });
 
 describe("CLI commands", () => {
@@ -317,6 +613,41 @@ describe("CLI commands", () => {
     expect(r.stdout).toMatch(new RegExp(`grant connect on database "mydb" to "${DEFAULT_MONITORING_USER}"`, "i"));
   });
 
+  test("cli: prepare-db --print-sql with --provider supabase skips role step", () => {
+    const r = runCli(["prepare-db", "--print-sql", "-d", "mydb", "--password", "monpw", "--provider", "supabase"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/provider: supabase/);
+    // Should not have 01.role step
+    expect(r.stdout).not.toMatch(/-- 01\.role/);
+    // Should have 02.extensions and 03.permissions steps
+    expect(r.stdout).toMatch(/-- 02\.extensions/);
+    expect(r.stdout).toMatch(/-- 03\.permissions/);
+  });
+
+  test("cli: prepare-db warns about unknown provider", () => {
+    const r = runCli(["prepare-db", "--print-sql", "-d", "mydb", "--password", "monpw", "--provider", "unknown-cloud"]);
+    expect(r.status).toBe(0);
+    // Should warn about unknown provider
+    expect(r.stderr).toMatch(/Unknown provider.*unknown-cloud/);
+  });
+
+  test("cli: prepare-db --reset-password with supabase provider would have no role step", async () => {
+    // When using supabase provider, the role creation step is skipped.
+    // This means --reset-password (which only runs 01.role) would have no steps.
+    // The CLI should error in this case. We test the underlying plan logic here.
+    const plan = await (await import("../lib/init")).buildInitPlan({
+      database: "mydb",
+      monitoringUser: "mon",
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    // Simulate what --reset-password does: filter to only 01.role step
+    const resetPasswordSteps = plan.steps.filter((s) => s.name === "01.role");
+    // For supabase, this should be empty (role creation is skipped)
+    expect(resetPasswordSteps.length).toBe(0);
+  });
+
   test("pgai wrapper forwards to postgresai CLI", () => {
     const r = runPgai(["--help"]);
     expect(r.status).toBe(0);
@@ -414,4 +745,172 @@ describe("CLI commands", () => {
     expect(r.status).not.toBe(0);
     expect(r.stderr).toMatch(/Cannot use --api-key with --demo mode/);
   });
+
+  // Tests for unprepare-db command
+  test("cli: unprepare-db with missing connection prints help/options", () => {
+    const r = runCli(["unprepare-db"]);
+    expect(r.status).not.toBe(0);
+    expect(r.stderr).toMatch(/--print-sql/);
+    expect(r.stderr).toMatch(/--monitoring-user/);
+  });
+
+  test("cli: unprepare-db --print-sql works without connection (offline mode)", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/SQL plan \(offline; not connected\)/);
+    expect(r.stdout).toMatch(/drop schema if exists postgres_ai/i);
+  });
+
+  test("cli: unprepare-db --print-sql with --keep-role skips role drop", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb", "--keep-role"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/drop role: false/);
+    // Should not have 03.drop_role step
+    expect(r.stdout).not.toMatch(/-- 03\.drop_role/);
+    // Should have 01 and 02 steps
+    expect(r.stdout).toMatch(/-- 01\.drop_helpers/);
+    expect(r.stdout).toMatch(/-- 02\.revoke_permissions/);
+  });
+
+  test("cli: unprepare-db --print-sql with --provider supabase skips role step", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb", "--provider", "supabase"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/provider: supabase/);
+    // Should not have 03.drop_role step
+    expect(r.stdout).not.toMatch(/-- 03\.drop_role/);
+  });
+
+  test("cli: unprepare-db command exists and shows help", () => {
+    const r = runCli(["unprepare-db", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/--keep-role/);
+    expect(r.stdout).toMatch(/--print-sql/);
+    expect(r.stdout).toMatch(/--force/);
+  });
+});
+
+// Check if Docker is available for imageTag tests
+function isDockerAvailable(): boolean {
+  try {
+    const result = Bun.spawnSync(["docker", "info"], { timeout: 5000 });
+    return result.exitCode === 0;
+  } catch {
+    return false;
+  }
+}
+
+const dockerAvailable = isDockerAvailable();
+
+describe.skipIf(!dockerAvailable)("imageTag priority behavior", () => {
+  // Tests for the imageTag priority: --tag flag > PGAI_TAG env var > pkg.version
+  // This verifies the fix that prevents stale .env PGAI_TAG from being used
+  // These tests require Docker and spawn subprocesses so need longer timeout
+
+  let tempDir: string;
+
+  beforeAll(() => {
+    tempDir = fs.mkdtempSync(resolve(os.tmpdir(), "pgai-test-"));
+  });
+
+  afterAll(() => {
+    if (tempDir && fs.existsSync(tempDir)) {
+      fs.rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  test("stale .env PGAI_TAG is NOT used - CLI version takes precedence", () => {
+    // Create a stale .env with an old tag value
+    const testDir = resolve(tempDir, "stale-tag-test");
+    fs.mkdirSync(testDir, { recursive: true });
+    fs.writeFileSync(resolve(testDir, ".env"), "PGAI_TAG=beta\n");
+    // Create minimal docker-compose.yml so resolvePaths() finds it
+    fs.writeFileSync(resolve(testDir, "docker-compose.yml"), "version: '3'\nservices: {}\n");
+
+    // Run from the test directory (so resolvePaths finds docker-compose.yml)
+    // Note: Command may hang on Docker check in CI without Docker, so we use a timeout
+    const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+    const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+    const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
+      env: { ...process.env, PGAI_TAG: undefined },
+      cwd: testDir,
+      timeout: 30000, // Kill subprocess after 30s if it hangs on Docker
+    });
+
+    // Read the .env that was written
+    const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
+
+    // The .env should NOT contain the stale "beta" tag - it should use pkg.version
+    expect(envContent).not.toMatch(/PGAI_TAG=beta/);
+    // It should contain the CLI version (0.0.0-dev.0 in dev)
+    expect(envContent).toMatch(/PGAI_TAG=\d+\.\d+\.\d+|PGAI_TAG=0\.0\.0-dev/);
+  }, 60000);
+
+  test("--tag flag takes priority over pkg.version", () => {
+    const testDir = resolve(tempDir, "tag-flag-test");
+    fs.mkdirSync(testDir, { recursive: true });
+    fs.writeFileSync(resolve(testDir, "docker-compose.yml"), "version: '3'\nservices: {}\n");
+
+    const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+    const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+    const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--tag", "v1.2.3-custom", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
+      env: { ...process.env, PGAI_TAG: undefined },
+      cwd: testDir,
+      timeout: 30000,
+    });
+
+    const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
+    expect(envContent).toMatch(/PGAI_TAG=v1\.2\.3-custom/);
+
+    // Verify stdout confirms the tag being used
+    const stdout = new TextDecoder().decode(result.stdout);
+    expect(stdout).toMatch(/Using image tag: v1\.2\.3-custom/);
+  }, 60000);
+
+  test("PGAI_TAG env var is intentionally ignored (Bun auto-loads .env)", () => {
+    // Note: We do NOT use process.env.PGAI_TAG because Bun auto-loads .env files,
+    // which would cause stale .env values to pollute the environment.
+    // Users should use --tag flag to override, not env vars.
+    const testDir = resolve(tempDir, "env-var-ignored-test");
+    fs.mkdirSync(testDir, { recursive: true });
+    fs.writeFileSync(resolve(testDir, "docker-compose.yml"), "version: '3'\nservices: {}\n");
+
+    const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+    const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+    const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
+      env: { ...process.env, PGAI_TAG: "v2.0.0-from-env" },
+      cwd: testDir,
+      timeout: 30000,
+    });
+
+    const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
+    // PGAI_TAG env var should be IGNORED - uses pkg.version instead
+    expect(envContent).not.toMatch(/PGAI_TAG=v2\.0\.0-from-env/);
+    expect(envContent).toMatch(/PGAI_TAG=\d+\.\d+\.\d+|PGAI_TAG=0\.0\.0-dev/);
+  }, 60000);
+
+  test("existing registry and password are preserved while tag is updated", () => {
+    const testDir = resolve(tempDir, "preserve-test");
+    fs.mkdirSync(testDir, { recursive: true });
+    // Create .env with stale tag but valid registry and password
+    fs.writeFileSync(resolve(testDir, ".env"),
+      "PGAI_TAG=stale-tag\nPGAI_REGISTRY=my.registry.com\nGF_SECURITY_ADMIN_PASSWORD=secret123\n");
+    fs.writeFileSync(resolve(testDir, "docker-compose.yml"), "version: '3'\nservices: {}\n");
+
+    const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+    const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+    const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
+      env: { ...process.env, PGAI_TAG: undefined },
+      cwd: testDir,
+      timeout: 30000,
+    });
+
+    const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
+
+    // Tag should be updated (not stale-tag)
+    expect(envContent).not.toMatch(/PGAI_TAG=stale-tag/);
+
+    // But registry and password should be preserved
+    expect(envContent).toMatch(/PGAI_REGISTRY=my\.registry\.com/);
+    expect(envContent).toMatch(/GF_SECURITY_ADMIN_PASSWORD=secret123/);
+  }, 60000);
 });