postgresai 0.14.0-beta.13 → 0.14.0-beta.15

package/scripts/embed-checkup-dictionary.ts

@@ -0,0 +1,106 @@
+#!/usr/bin/env bun
+/**
+ * Build script to fetch checkup dictionary from API and embed it.
+ *
+ * This script fetches from https://postgres.ai/api/general/checkup_dictionary
+ * and generates cli/lib/checkup-dictionary-embedded.ts with the data embedded.
+ *
+ * The generated file is NOT committed to git - it's regenerated at build time.
+ *
+ * Usage: bun run scripts/embed-checkup-dictionary.ts
+ */
+
+import * as fs from "fs";
+import * as path from "path";
+
+// API endpoint - always available without auth
+const DICTIONARY_URL = "https://postgres.ai/api/general/checkup_dictionary";
+
+// Output path relative to cli/ directory
+const CLI_DIR = path.resolve(__dirname, "..");
+const OUTPUT_PATH = path.resolve(CLI_DIR, "lib/checkup-dictionary-embedded.ts");
+
+// Request timeout (10 seconds)
+const FETCH_TIMEOUT_MS = 10_000;
+
+interface CheckupDictionaryEntry {
+  code: string;
+  title: string;
+  description: string;
+  category: string;
+  sort_order: number | null;
+  is_system_report: boolean;
+}
+
+function generateTypeScript(data: CheckupDictionaryEntry[], sourceUrl: string): string {
+  const lines: string[] = [
+    "// AUTO-GENERATED FILE - DO NOT EDIT",
+    `// Generated from: ${sourceUrl}`,
+    `// Generated at: ${new Date().toISOString()}`,
+    "// To regenerate: bun run embed-checkup-dictionary",
+    "",
+    'import { CheckupDictionaryEntry } from "./checkup-dictionary";',
+    "",
+    "/**",
+    " * Embedded checkup dictionary data fetched from API at build time.",
+    " * Contains all available checkup report codes, titles, and metadata.",
+    " */",
+    `export const CHECKUP_DICTIONARY_DATA: CheckupDictionaryEntry[] = ${JSON.stringify(data, null, 2)};`,
+    "",
+  ];
+  return lines.join("\n");
+}
+
+async function fetchWithTimeout(url: string, timeoutMs: number): Promise<Response> {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+
+  try {
+    const response = await fetch(url, { signal: controller.signal });
+    return response;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
+async function main() {
+  console.log(`Fetching checkup dictionary from: ${DICTIONARY_URL}`);
+
+  try {
+    const response = await fetchWithTimeout(DICTIONARY_URL, FETCH_TIMEOUT_MS);
+
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+    }
+
+    const data: CheckupDictionaryEntry[] = await response.json();
+
+    if (!Array.isArray(data)) {
+      throw new Error("Expected array response from API");
+    }
+
+    // Validate entries have required fields
+    for (const entry of data) {
+      if (!entry.code || !entry.title) {
+        throw new Error(`Invalid entry missing code or title: ${JSON.stringify(entry)}`);
+      }
+    }
+
+    const tsCode = generateTypeScript(data, DICTIONARY_URL);
+    fs.writeFileSync(OUTPUT_PATH, tsCode, "utf8");
+
+    console.log(`Generated: ${OUTPUT_PATH}`);
+    console.log(`Dictionary contains ${data.length} entries`);
+  } catch (err) {
+    const errorMsg = err instanceof Error ? err.message : String(err);
+    console.warn(`Warning: Failed to fetch checkup dictionary: ${errorMsg}`);
+    console.warn("Generating empty dictionary as fallback");
+
+    // Generate empty dictionary to allow build to proceed
+    const fallbackTs = generateTypeScript([], `N/A (fetch failed: ${errorMsg})`);
+    fs.writeFileSync(OUTPUT_PATH, fallbackTs, "utf8");
+    console.log(`Generated fallback dictionary at ${OUTPUT_PATH}`);
+  }
+}
+
+main();

package/sql/02.extensions.sql

@@ -0,0 +1,8 @@
+-- Extensions required for postgres_ai monitoring
+
+-- Enable pg_stat_statements for query performance monitoring
+-- Note: Uses IF NOT EXISTS because extension may already be installed.
+-- We do NOT drop this extension in unprepare-db since it may have been pre-existing.
+create extension if not exists pg_stat_statements;
+
+

package/sql/{02.permissions.sql → 03.permissions.sql}

@@ -8,6 +8,7 @@ grant pg_monitor to {{ROLE_IDENT}};
 grant select on pg_catalog.pg_index to {{ROLE_IDENT}};
 
 -- Create postgres_ai schema for our objects
+-- Using IF NOT EXISTS for idempotency - prepare-db can be run multiple times
 create schema if not exists postgres_ai;
 grant usage on schema postgres_ai to {{ROLE_IDENT}};
 

package/sql/uninit/01.helpers.sql

@@ -0,0 +1,5 @@
+-- Drop helper functions created by prepare-db (template-filled by cli/lib/init.ts)
+-- Run before dropping the postgres_ai schema.
+
+drop function if exists postgres_ai.explain_generic(text, text, text);
+drop function if exists postgres_ai.table_describe(text);

package/sql/uninit/02.permissions.sql

@@ -0,0 +1,30 @@
+-- Revoke permissions and drop objects created by prepare-db (template-filled by cli/lib/init.ts)
+
+-- Drop the postgres_ai.pg_statistic view
+drop view if exists postgres_ai.pg_statistic;
+
+-- Drop the postgres_ai schema (CASCADE to handle any remaining objects)
+drop schema if exists postgres_ai cascade;
+
+-- Revoke permissions from the monitoring role
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  revoke pg_monitor from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist, nothing to revoke
+end $$;
+
+do $$ begin
+  revoke select on pg_catalog.pg_index from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+do $$ begin
+  revoke connect on database {{DB_IDENT}} from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+-- Note: USAGE on public is typically granted by default; we don't revoke it
+-- to avoid breaking other applications that may rely on it.

package/sql/uninit/03.role.sql

@@ -0,0 +1,27 @@
+-- Drop the monitoring role created by prepare-db (template-filled by cli/lib/init.ts)
+-- This must run after revoking all permissions from the role.
+
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  -- Reassign owned objects to current user before dropping
+  -- This handles any objects that might have been created by the role
+  begin
+    execute format('reassign owned by %I to current_user', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, nothing to reassign
+  end;
+
+  -- Drop owned objects (in case reassign didn't work for some objects)
+  begin
+    execute format('drop owned by %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist
+  end;
+
+  -- Drop the role
+  begin
+    execute format('drop role %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, that's fine
+  end;
+end $$;

package/test/checkup.test.ts

@@ -85,28 +85,27 @@ describe("createBaseReport", () => {
 
 // Tests for CHECK_INFO
 describe("CHECK_INFO and REPORT_GENERATORS", () => {
-  const expectedChecks: Record<string, string> = {
-    A002: "Postgres major version",
-    A003: "Postgres settings",
-    A004: "Cluster information",
-    A007: "Altered settings",
-    A013: "Postgres minor version",
-    D004: "pg_stat_statements and pg_stat_kcache settings",
-    F001: "Autovacuum: current settings",
-    G001: "Memory-related settings",
-    H001: "Invalid indexes",
-    H002: "Unused indexes",
-    H004: "Redundant indexes",
-  };
-
-  test("CHECK_INFO contains all expected checks with correct descriptions", () => {
-    for (const [checkId, description] of Object.entries(expectedChecks)) {
-      expect(checkup.CHECK_INFO[checkId]).toBe(description);
+  // Express-mode checks that have generators
+  const expressCheckIds = ["A002", "A003", "A004", "A007", "A013", "D001", "D004", "F001", "G001", "G003", "H001", "H002", "H004"];
+
+  test("CHECK_INFO contains all express-mode checks", () => {
+    for (const checkId of expressCheckIds) {
+      expect(checkup.CHECK_INFO[checkId]).toBeDefined();
+      expect(typeof checkup.CHECK_INFO[checkId]).toBe("string");
+      expect(checkup.CHECK_INFO[checkId].length).toBeGreaterThan(0);
     }
   });
 
+  test("CHECK_INFO titles are loaded from embedded dictionary", () => {
+    // Verify a few known titles match the API dictionary
+    // These are canonical titles from postgres.ai/api/general/checkup_dictionary
+    expect(checkup.CHECK_INFO["A002"]).toBe("Postgres major version");
+    expect(checkup.CHECK_INFO["H001"]).toBe("Invalid indexes");
+    expect(checkup.CHECK_INFO["H002"]).toBe("Unused indexes");
+  });
+
   test("REPORT_GENERATORS has function for each check", () => {
-    for (const checkId of Object.keys(expectedChecks)) {
+    for (const checkId of expressCheckIds) {
       expect(typeof checkup.REPORT_GENERATORS[checkId]).toBe("function");
     }
   });

package/test/init.test.ts

@@ -89,7 +89,7 @@ describe("init module", () => {
     expect(roleStep.sql).toMatch(/create\s+user\s+"user ""with"" quotes ✓"/i);
     expect(roleStep.sql).toMatch(/alter\s+user\s+"user ""with"" quotes ✓"/i);
 
-    const permStep = plan.steps.find((s: { name: string }) => s.name === "02.permissions");
+    const permStep = plan.steps.find((s: { name: string }) => s.name === "03.permissions");
     expect(permStep).toBeTruthy();
     expect(permStep.sql).toMatch(/grant connect on database "db name ""with"" quotes ✓" to "user ""with"" quotes ✓"/i);
   });
@@ -161,7 +161,7 @@ describe("init module", () => {
       provider: "supabase",
     });
     expect(plan.steps.some((s) => s.name === "01.role")).toBe(false);
-    expect(plan.steps.some((s) => s.name === "02.permissions")).toBe(true);
+    expect(plan.steps.some((s) => s.name === "03.permissions")).toBe(true);
   });
 
   test("buildInitPlan removes ALTER USER for supabase provider", async () => {
@@ -172,7 +172,7 @@ describe("init module", () => {
       includeOptionalPermissions: false,
       provider: "supabase",
     });
-    const permStep = plan.steps.find((s) => s.name === "02.permissions");
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
     expect(permStep).toBeDefined();
     expect(permStep!.sql.toLowerCase()).not.toMatch(/alter user/);
   });
@@ -390,7 +390,7 @@ describe("init module", () => {
       includeOptionalPermissions: false,
       provider: "supabase",
     });
-    const permStep = plan.steps.find((s) => s.name === "02.permissions");
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
     expect(permStep).toBeDefined();
     // Should have removed ALTER USER but kept comments
     expect(permStep!.sql.toLowerCase()).not.toMatch(/^\s*alter\s+user/m);
@@ -423,6 +423,179 @@ describe("init module", () => {
     const redacted = init.redactPasswordsInSql(step.sql);
     expect(redacted).toMatch(/password '<redacted>'/i);
   });
+
+  // Tests for buildUninitPlan
+  test("buildUninitPlan generates correct steps with dropRole=true", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+    });
+
+    expect(plan.database).toBe("mydb");
+    expect(plan.monitoringUser).toBe(DEFAULT_MONITORING_USER);
+    expect(plan.dropRole).toBe(true);
+    expect(plan.steps.length).toBe(3);
+    expect(plan.steps.map((s) => s.name)).toEqual([
+      "01.drop_helpers",
+      "02.revoke_permissions",
+      "03.drop_role",
+    ]);
+  });
+
+  test("buildUninitPlan skips role drop when dropRole=false", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: false,
+    });
+
+    expect(plan.dropRole).toBe(false);
+    expect(plan.steps.length).toBe(2);
+    expect(plan.steps.map((s) => s.name)).toEqual([
+      "01.drop_helpers",
+      "02.revoke_permissions",
+    ]);
+  });
+
+  test("buildUninitPlan skips role drop for supabase provider", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+      provider: "supabase",
+    });
+
+    // Even with dropRole=true, supabase provider skips role operations
+    expect(plan.steps.length).toBe(2);
+    expect(plan.steps.some((s) => s.name === "03.drop_role")).toBe(false);
+  });
+
+  test("buildUninitPlan handles special characters in identifiers", async () => {
+    const monitoringUser = 'user "with" quotes';
+    const database = 'db "name"';
+    const plan = await init.buildUninitPlan({
+      database,
+      monitoringUser,
+      dropRole: true,
+    });
+
+    // Check that identifiers are properly quoted in SQL
+    const dropHelpersStep = plan.steps.find((s) => s.name === "01.drop_helpers");
+    expect(dropHelpersStep).toBeTruthy();
+
+    const revokeStep = plan.steps.find((s) => s.name === "02.revoke_permissions");
+    expect(revokeStep).toBeTruthy();
+    expect(revokeStep!.sql).toContain('"user ""with"" quotes"');
+    expect(revokeStep!.sql).toContain('"db ""name"""');
+
+    const dropRoleStep = plan.steps.find((s) => s.name === "03.drop_role");
+    expect(dropRoleStep).toBeTruthy();
+    // Uses ROLE_LITERAL (single-quoted) for format('%I', ...) in dynamic SQL
+    expect(dropRoleStep!.sql).toContain("'user \"with\" quotes'");
+  });
+
+  test("buildUninitPlan rejects identifiers with null bytes", async () => {
+    await expect(
+      init.buildUninitPlan({
+        database: "mydb",
+        monitoringUser: "bad\0user",
+        dropRole: true,
+      })
+    ).rejects.toThrow(/Identifier cannot contain null bytes/);
+  });
+
+  test("applyUninitPlan continues on errors and reports them", async () => {
+    const plan = {
+      monitoringUser: DEFAULT_MONITORING_USER,
+      database: "mydb",
+      dropRole: true,
+      steps: [
+        { name: "01.drop_helpers", sql: "drop function if exists postgres_ai.test()" },
+        { name: "02.revoke_permissions", sql: "select 1/0" }, // Will fail
+        { name: "03.drop_role", sql: "select 1" },
+      ],
+    };
+
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string) => {
+        calls.push(sql);
+        if (sql === "begin;") return { rowCount: 1 };
+        if (sql === "commit;") return { rowCount: 1 };
+        if (sql === "rollback;") return { rowCount: 1 };
+        if (sql.includes("1/0")) throw new Error("division by zero");
+        return { rowCount: 1 };
+      },
+    };
+
+    const result = await init.applyUninitPlan({ client: client as any, plan: plan as any });
+
+    // Should have applied steps 1 and 3, with step 2 in errors
+    expect(result.applied).toContain("01.drop_helpers");
+    expect(result.applied).toContain("03.drop_role");
+    expect(result.applied).not.toContain("02.revoke_permissions");
+    expect(result.errors.length).toBe(1);
+    expect(result.errors[0]).toMatch(/02\.revoke_permissions.*division by zero/);
+  });
+
+  test("buildInitPlan includes 02.extensions step with pg_stat_statements", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const extStep = plan.steps.find((s) => s.name === "02.extensions");
+    expect(extStep).toBeTruthy();
+    // Should create pg_stat_statements with IF NOT EXISTS
+    expect(extStep!.sql).toMatch(/create extension if not exists pg_stat_statements/i);
+  });
+
+  test("buildInitPlan creates extensions before permissions", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const stepNames = plan.steps.map((s) => s.name);
+    const extIndex = stepNames.indexOf("02.extensions");
+    const permIndex = stepNames.indexOf("03.permissions");
+    expect(extIndex).toBeGreaterThanOrEqual(0);
+    expect(permIndex).toBeGreaterThanOrEqual(0);
+    // Extensions should come before permissions
+    expect(extIndex).toBeLessThan(permIndex);
+  });
+
+  test("buildInitPlan uses IF NOT EXISTS for postgres_ai schema (idempotent)", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeTruthy();
+    // Should use IF NOT EXISTS for idempotent behavior
+    expect(permStep!.sql).toMatch(/create schema if not exists postgres_ai/i);
+  });
+
+  test("buildUninitPlan does NOT drop pg_stat_statements extension", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+    });
+
+    // Check all steps - none should drop pg_stat_statements
+    for (const step of plan.steps) {
+      expect(step.sql.toLowerCase()).not.toMatch(/drop extension.*pg_stat_statements/);
+    }
+  });
 });
 
 describe("CLI commands", () => {
@@ -446,8 +619,9 @@ describe("CLI commands", () => {
     expect(r.stdout).toMatch(/provider: supabase/);
     // Should not have 01.role step
     expect(r.stdout).not.toMatch(/-- 01\.role/);
-    // Should have 02.permissions step
-    expect(r.stdout).toMatch(/-- 02\.permissions/);
+    // Should have 02.extensions and 03.permissions steps
+    expect(r.stdout).toMatch(/-- 02\.extensions/);
+    expect(r.stdout).toMatch(/-- 03\.permissions/);
   });
 
   test("cli: prepare-db warns about unknown provider", () => {
@@ -571,11 +745,66 @@ describe("CLI commands", () => {
     expect(r.status).not.toBe(0);
     expect(r.stderr).toMatch(/Cannot use --api-key with --demo mode/);
   });
+
+  // Tests for unprepare-db command
+  test("cli: unprepare-db with missing connection prints help/options", () => {
+    const r = runCli(["unprepare-db"]);
+    expect(r.status).not.toBe(0);
+    expect(r.stderr).toMatch(/--print-sql/);
+    expect(r.stderr).toMatch(/--monitoring-user/);
+  });
+
+  test("cli: unprepare-db --print-sql works without connection (offline mode)", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/SQL plan \(offline; not connected\)/);
+    expect(r.stdout).toMatch(/drop schema if exists postgres_ai/i);
+  });
+
+  test("cli: unprepare-db --print-sql with --keep-role skips role drop", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb", "--keep-role"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/drop role: false/);
+    // Should not have 03.drop_role step
+    expect(r.stdout).not.toMatch(/-- 03\.drop_role/);
+    // Should have 01 and 02 steps
+    expect(r.stdout).toMatch(/-- 01\.drop_helpers/);
+    expect(r.stdout).toMatch(/-- 02\.revoke_permissions/);
+  });
+
+  test("cli: unprepare-db --print-sql with --provider supabase skips role step", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb", "--provider", "supabase"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/provider: supabase/);
+    // Should not have 03.drop_role step
+    expect(r.stdout).not.toMatch(/-- 03\.drop_role/);
+  });
+
+  test("cli: unprepare-db command exists and shows help", () => {
+    const r = runCli(["unprepare-db", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/--keep-role/);
+    expect(r.stdout).toMatch(/--print-sql/);
+    expect(r.stdout).toMatch(/--force/);
+  });
 });
 
-describe("imageTag priority behavior", () => {
+// Check if Docker is available for imageTag tests
+function isDockerAvailable(): boolean {
+  try {
+    const result = Bun.spawnSync(["docker", "info"], { timeout: 5000 });
+    return result.exitCode === 0;
+  } catch {
+    return false;
+  }
+}
+
+const dockerAvailable = isDockerAvailable();
+
+describe.skipIf(!dockerAvailable)("imageTag priority behavior", () => {
   // Tests for the imageTag priority: --tag flag > PGAI_TAG env var > pkg.version
   // This verifies the fix that prevents stale .env PGAI_TAG from being used
+  // These tests require Docker and spawn subprocesses so need longer timeout
 
   let tempDir: string;
 
@@ -598,11 +827,13 @@ describe("imageTag priority behavior", () => {
     fs.writeFileSync(resolve(testDir, "docker-compose.yml"), "version: '3'\nservices: {}\n");
 
     // Run from the test directory (so resolvePaths finds docker-compose.yml)
+    // Note: Command may hang on Docker check in CI without Docker, so we use a timeout
     const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
     const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: undefined },
       cwd: testDir,
+      timeout: 30000, // Kill subprocess after 30s if it hangs on Docker
     });
 
     // Read the .env that was written
@@ -612,7 +843,7 @@ describe("imageTag priority behavior", () => {
     expect(envContent).not.toMatch(/PGAI_TAG=beta/);
     // It should contain the CLI version (0.0.0-dev.0 in dev)
     expect(envContent).toMatch(/PGAI_TAG=\d+\.\d+\.\d+|PGAI_TAG=0\.0\.0-dev/);
-  });
+  }, 60000);
 
   test("--tag flag takes priority over pkg.version", () => {
     const testDir = resolve(tempDir, "tag-flag-test");
@@ -624,6 +855,7 @@ describe("imageTag priority behavior", () => {
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--tag", "v1.2.3-custom", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: undefined },
       cwd: testDir,
+      timeout: 30000,
     });
 
     const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
@@ -632,7 +864,7 @@ describe("imageTag priority behavior", () => {
     // Verify stdout confirms the tag being used
     const stdout = new TextDecoder().decode(result.stdout);
     expect(stdout).toMatch(/Using image tag: v1\.2\.3-custom/);
-  });
+  }, 60000);
 
   test("PGAI_TAG env var is intentionally ignored (Bun auto-loads .env)", () => {
     // Note: We do NOT use process.env.PGAI_TAG because Bun auto-loads .env files,
@@ -647,13 +879,14 @@ describe("imageTag priority behavior", () => {
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: "v2.0.0-from-env" },
       cwd: testDir,
+      timeout: 30000,
     });
 
     const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
     // PGAI_TAG env var should be IGNORED - uses pkg.version instead
     expect(envContent).not.toMatch(/PGAI_TAG=v2\.0\.0-from-env/);
     expect(envContent).toMatch(/PGAI_TAG=\d+\.\d+\.\d+|PGAI_TAG=0\.0\.0-dev/);
-  });
+  }, 60000);
 
   test("existing registry and password are preserved while tag is updated", () => {
     const testDir = resolve(tempDir, "preserve-test");
@@ -668,6 +901,7 @@ describe("imageTag priority behavior", () => {
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: undefined },
       cwd: testDir,
+      timeout: 30000,
     });
 
     const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
@@ -678,5 +912,5 @@ describe("imageTag priority behavior", () => {
     // But registry and password should be preserved
     expect(envContent).toMatch(/PGAI_REGISTRY=my\.registry\.com/);
     expect(envContent).toMatch(/GF_SECURITY_ADMIN_PASSWORD=secret123/);
-  });
+  }, 60000);
 });