postgresai 0.14.0-beta.3 → 0.14.0-beta.4

package/lib/config.ts

@@ -9,6 +9,7 @@ export interface Config {
   apiKey: string | null;
   baseUrl: string | null;
   orgId: number | null;
+  defaultProject: string | null;
 }
 
 /**
@@ -46,6 +47,7 @@ export function readConfig(): Config {
     apiKey: null,
     baseUrl: null,
     orgId: null,
+    defaultProject: null,
   };
 
   // Try user-level config first
@@ -57,6 +59,7 @@ export function readConfig(): Config {
       config.apiKey = parsed.apiKey || null;
       config.baseUrl = parsed.baseUrl || null;
       config.orgId = parsed.orgId || null;
+      config.defaultProject = parsed.defaultProject || null;
       return config;
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);

package/lib/init.ts

@@ -17,11 +17,135 @@ export type PgClientConfig = {
   ssl?: boolean | TlsConnectionOptions;
 };
 
+/**
+ * Convert PostgreSQL sslmode to node-postgres ssl config.
+ */
+function sslModeToConfig(mode: string): boolean | TlsConnectionOptions {
+  if (mode.toLowerCase() === "disable") return false;
+  if (mode.toLowerCase() === "verify-full" || mode.toLowerCase() === "verify-ca") return true;
+  // For require/prefer/allow: encrypt without certificate verification
+  return { rejectUnauthorized: false };
+}
+
+/** Extract sslmode from a PostgreSQL connection URI. */
+function extractSslModeFromUri(uri: string): string | undefined {
+  try {
+    return new URL(uri).searchParams.get("sslmode") ?? undefined;
+  } catch {
+    return uri.match(/[?&]sslmode=([^&]+)/i)?.[1];
+  }
+}
+
+/** Remove sslmode parameter from a PostgreSQL connection URI. */
+function stripSslModeFromUri(uri: string): string {
+  try {
+    const u = new URL(uri);
+    u.searchParams.delete("sslmode");
+    return u.toString();
+  } catch {
+    // Fallback regex for malformed URIs
+    return uri
+      .replace(/[?&]sslmode=[^&]*/gi, "")
+      .replace(/\?&/, "?")
+      .replace(/\?$/, "");
+  }
+}
+
 export type AdminConnection = {
   clientConfig: PgClientConfig;
   display: string;
+  /** True if SSL fallback is enabled (try SSL first, fall back to non-SSL on failure). */
+  sslFallbackEnabled?: boolean;
 };
 
+/**
+ * Check if an error indicates SSL negotiation failed and fallback to non-SSL should be attempted.
+ * This mimics libpq's sslmode=prefer behavior.
+ * 
+ * IMPORTANT: This should NOT match certificate errors (expired, invalid, self-signed)
+ * as those are real errors the user needs to fix, not negotiation failures.
+ */
+function isSslNegotiationError(err: unknown): boolean {
+  if (!err || typeof err !== "object") return false;
+  const e = err as any;
+  const msg = typeof e.message === "string" ? e.message.toLowerCase() : "";
+  const code = typeof e.code === "string" ? e.code : "";
+  
+  // Specific patterns that indicate server doesn't support SSL (should fallback)
+  const fallbackPatterns = [
+    "the server does not support ssl",
+    "ssl off",
+    "server does not support ssl connections",
+  ];
+  
+  for (const pattern of fallbackPatterns) {
+    if (msg.includes(pattern)) return true;
+  }
+  
+  // PostgreSQL error code 08P01 (protocol violation) during initial connection
+  // often indicates SSL negotiation mismatch, but only if the message suggests it
+  if (code === "08P01" && (msg.includes("ssl") || msg.includes("unsupported"))) {
+    return true;
+  }
+  
+  return false;
+}
+
+/**
+ * Connect to PostgreSQL with sslmode=prefer-like behavior.
+ * If sslFallbackEnabled is true, tries SSL first, then falls back to non-SSL on failure.
+ */
+export async function connectWithSslFallback(
+  ClientClass: new (config: PgClientConfig) => PgClient,
+  adminConn: AdminConnection,
+  verbose?: boolean
+): Promise<{ client: PgClient; usedSsl: boolean }> {
+  const tryConnect = async (config: PgClientConfig): Promise<PgClient> => {
+    const client = new ClientClass(config);
+    await client.connect();
+    return client;
+  };
+
+  // If SSL was explicitly set or no SSL configured, just try once
+  if (!adminConn.sslFallbackEnabled) {
+    const client = await tryConnect(adminConn.clientConfig);
+    return { client, usedSsl: !!adminConn.clientConfig.ssl };
+  }
+
+  // sslmode=prefer behavior: try SSL first, fallback to non-SSL
+  try {
+    const client = await tryConnect(adminConn.clientConfig);
+    return { client, usedSsl: true };
+  } catch (sslErr) {
+    if (!isSslNegotiationError(sslErr)) {
+      // Not an SSL error, don't retry
+      throw sslErr;
+    }
+
+    if (verbose) {
+      console.log("SSL connection failed, retrying without SSL...");
+    }
+
+    // Retry without SSL
+    const noSslConfig: PgClientConfig = { ...adminConn.clientConfig, ssl: false };
+    try {
+      const client = await tryConnect(noSslConfig);
+      return { client, usedSsl: false };
+    } catch (noSslErr) {
+      // If non-SSL also fails, check if it's "SSL required" - throw that instead
+      if (isSslNegotiationError(noSslErr)) {
+        const msg = (noSslErr as any)?.message || "";
+        if (msg.toLowerCase().includes("ssl") && msg.toLowerCase().includes("required")) {
+          // Server requires SSL but SSL attempt failed - throw original SSL error
+          throw sslErr;
+        }
+      }
+      // Throw the non-SSL error (it's more relevant since SSL attempt also failed)
+      throw noSslErr;
+    }
+  }
+}
+
 export type InitStep = {
   name: string;
   sql: string;
@@ -35,13 +159,21 @@ export type InitPlan = {
   steps: InitStep[];
 };
 
-function packageRootDirFromCompiled(): string {
-  // dist/lib/init.js -> <pkg>/dist/lib ; package root is ../..
-  return path.resolve(__dirname, "..", "..");
-}
-
 function sqlDir(): string {
-  return path.join(packageRootDirFromCompiled(), "sql");
+  // Handle both development and production paths
+  // Development: lib/init.ts -> ../sql
+  // Production (bundled): dist/bin/postgres-ai.js -> ../sql (copied during build)
+  const candidates = [
+    path.resolve(__dirname, "..", "sql"),       // bundled: dist/bin -> dist/sql
+    path.resolve(__dirname, "..", "..", "sql"), // dev from lib: lib -> ../sql
+  ];
+
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  throw new Error(`SQL directory not found. Searched: ${candidates.join(", ")}`);
 }
 
 function loadSqlTemplate(filename: string): string {
@@ -142,6 +274,7 @@ function tokenizeConninfo(input: string): string[] {
 export function parseLibpqConninfo(input: string): PgClientConfig {
   const tokens = tokenizeConninfo(input);
   const cfg: PgClientConfig = {};
+  let sslmode: string | undefined;
 
   for (const t of tokens) {
     const eq = t.indexOf("=");
@@ -170,12 +303,20 @@ export function parseLibpqConninfo(input: string): PgClientConfig {
       case "database":
         cfg.database = val;
         break;
-      // ignore everything else (sslmode, options, application_name, etc.)
+      case "sslmode":
+        sslmode = val;
+        break;
+      // ignore everything else (options, application_name, etc.)
       default:
         break;
     }
   }
 
+  // Apply SSL configuration based on sslmode
+  if (sslmode) {
+    cfg.ssl = sslModeToConfig(sslmode);
+  }
+
   return cfg;
 }
 
@@ -202,6 +343,9 @@ export function resolveAdminConnection(opts: {
   const conn = (opts.conn || "").trim();
   const dbUrlFlag = (opts.dbUrlFlag || "").trim();
 
+  // Resolve explicit SSL setting from environment (undefined = auto-detect)
+  const explicitSsl = process.env.PGSSLMODE;
+
   // NOTE: passwords alone (PGPASSWORD / --admin-password) do NOT constitute a connection.
   // We require at least some connection addressing (host/port/user/db) if no positional arg / --db-url is provided.
   const hasConnDetails = !!(opts.host || opts.port || opts.username || opts.dbname);
@@ -213,12 +357,40 @@ export function resolveAdminConnection(opts: {
   if (conn || dbUrlFlag) {
     const v = conn || dbUrlFlag;
     if (isLikelyUri(v)) {
-      return { clientConfig: { connectionString: v }, display: maskConnectionString(v) };
+      const urlSslMode = extractSslModeFromUri(v);
+      const effectiveSslMode = explicitSsl || urlSslMode;
+      // SSL priority: PGSSLMODE env > URL param > auto (sslmode=prefer behavior)
+      const sslConfig = effectiveSslMode
+        ? sslModeToConfig(effectiveSslMode)
+        : { rejectUnauthorized: false }; // Default: try SSL (with fallback)
+      // Enable fallback for: no explicit mode OR explicit "prefer"/"allow"
+      const shouldFallback = !effectiveSslMode || 
+        effectiveSslMode.toLowerCase() === "prefer" || 
+        effectiveSslMode.toLowerCase() === "allow";
+      // Strip sslmode from URI so pg uses our ssl config object instead
+      const cleanUri = stripSslModeFromUri(v);
+      return {
+        clientConfig: { connectionString: cleanUri, ssl: sslConfig },
+        display: maskConnectionString(v),
+        sslFallbackEnabled: shouldFallback,
+      };
     }
     // libpq conninfo (dbname=... host=...)
     const cfg = parseLibpqConninfo(v);
     if (opts.envPassword && !cfg.password) cfg.password = opts.envPassword;
-    return { clientConfig: cfg, display: describePgConfig(cfg) };
+    const cfgHadSsl = cfg.ssl !== undefined;
+    if (cfg.ssl === undefined) {
+      if (explicitSsl) cfg.ssl = sslModeToConfig(explicitSsl);
+      else cfg.ssl = { rejectUnauthorized: false }; // Default: try SSL (with fallback)
+    }
+    // Enable fallback for: no explicit mode OR explicit "prefer"/"allow"
+    const shouldFallback = (!explicitSsl && !cfgHadSsl) || 
+      (!!explicitSsl && (explicitSsl.toLowerCase() === "prefer" || explicitSsl.toLowerCase() === "allow"));
+    return {
+      clientConfig: cfg,
+      display: describePgConfig(cfg),
+      sslFallbackEnabled: shouldFallback,
+    };
   }
 
   if (!hasConnDetails) {
@@ -239,7 +411,15 @@ export function resolveAdminConnection(opts: {
   if (opts.dbname) cfg.database = opts.dbname;
   if (opts.adminPassword) cfg.password = opts.adminPassword;
   if (opts.envPassword && !cfg.password) cfg.password = opts.envPassword;
-  return { clientConfig: cfg, display: describePgConfig(cfg) };
+  if (explicitSsl) {
+    cfg.ssl = sslModeToConfig(explicitSsl);
+    // Enable fallback for explicit "prefer"/"allow"
+    const shouldFallback = explicitSsl.toLowerCase() === "prefer" || explicitSsl.toLowerCase() === "allow";
+    return { clientConfig: cfg, display: describePgConfig(cfg), sslFallbackEnabled: shouldFallback };
+  }
+  // Default: try SSL with fallback (sslmode=prefer behavior)
+  cfg.ssl = { rejectUnauthorized: false };
+  return { clientConfig: cfg, display: describePgConfig(cfg), sslFallbackEnabled: true };
 }
 
 function generateMonitoringPassword(): string {
@@ -313,6 +493,12 @@ end $$;`;
     sql: applyTemplate(loadSqlTemplate("02.permissions.sql"), vars),
   });
 
+  // Helper functions (SECURITY DEFINER) for plan analysis and table info
+  steps.push({
+    name: "05.helpers",
+    sql: applyTemplate(loadSqlTemplate("05.helpers.sql"), vars),
+  });
+
   if (params.includeOptionalPermissions) {
     steps.push(
       {
@@ -339,78 +525,70 @@ export async function applyInitPlan(params: {
   const applied: string[] = [];
   const skippedOptional: string[] = [];
 
-  // Apply non-optional steps in a single transaction.
-  await params.client.query("begin;");
-  try {
-    for (const step of params.plan.steps.filter((s) => !s.optional)) {
+  // Helper to wrap a step execution in begin/commit
+  const executeStep = async (step: InitStep): Promise<void> => {
+    await params.client.query("begin;");
+    try {
+      await params.client.query(step.sql, step.params as any);
+      await params.client.query("commit;");
+    } catch (e) {
+      // Rollback errors should never mask the original failure.
       try {
-        await params.client.query(step.sql, step.params as any);
-        applied.push(step.name);
-      } catch (e) {
-        const msg = e instanceof Error ? e.message : String(e);
-        const errAny = e as any;
-        const wrapped: any = new Error(`Failed at step "${step.name}": ${msg}`);
-        // Preserve useful Postgres error fields so callers can provide better hints / diagnostics.
-        const pgErrorFields = [
-          "code",
-          "detail",
-          "hint",
-          "position",
-          "internalPosition",
-          "internalQuery",
-          "where",
-          "schema",
-          "table",
-          "column",
-          "dataType",
-          "constraint",
-          "file",
-          "line",
-          "routine",
-        ] as const;
-        if (errAny && typeof errAny === "object") {
-          for (const field of pgErrorFields) {
-            if (errAny[field] !== undefined) wrapped[field] = errAny[field];
-          }
-        }
-        if (e instanceof Error && e.stack) {
-          wrapped.stack = e.stack;
-        }
-        throw wrapped;
+        await params.client.query("rollback;");
+      } catch {
+        // ignore
       }
+      throw e;
     }
-    await params.client.query("commit;");
-  } catch (e) {
-    // Rollback errors should never mask the original failure.
+  };
+
+  // Apply non-optional steps, each in its own transaction
+  for (const step of params.plan.steps.filter((s) => !s.optional)) {
     try {
-      await params.client.query("rollback;");
-    } catch {
-      // ignore
+      await executeStep(step);
+      applied.push(step.name);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      const errAny = e as any;
+      const wrapped: any = new Error(`Failed at step "${step.name}": ${msg}`);
+      // Preserve useful Postgres error fields so callers can provide better hints / diagnostics.
+      const pgErrorFields = [
+        "code",
+        "detail",
+        "hint",
+        "position",
+        "internalPosition",
+        "internalQuery",
+        "where",
+        "schema",
+        "table",
+        "column",
+        "dataType",
+        "constraint",
+        "file",
+        "line",
+        "routine",
+      ] as const;
+      if (errAny && typeof errAny === "object") {
+        for (const field of pgErrorFields) {
+          if (errAny[field] !== undefined) wrapped[field] = errAny[field];
+        }
+      }
+      if (e instanceof Error && e.stack) {
+        wrapped.stack = e.stack;
+      }
+      throw wrapped;
     }
-    throw e;
   }
 
-  // Apply optional steps outside of the transaction so a failure doesn't abort everything.
+  // Apply optional steps, each in its own transaction (failure doesn't abort)
   for (const step of params.plan.steps.filter((s) => s.optional)) {
     try {
-      // Run each optional step in its own mini-transaction to avoid partial application.
-      await params.client.query("begin;");
-      try {
-        await params.client.query(step.sql, step.params as any);
-        await params.client.query("commit;");
-        applied.push(step.name);
-      } catch {
-        try {
-          await params.client.query("rollback;");
-        } catch {
-          // ignore rollback errors
-        }
-        skippedOptional.push(step.name);
-        // best-effort: ignore
-      }
+      await executeStep(step);
+      applied.push(step.name);
     } catch {
-      // If we can't even begin/commit, treat as skipped.
       skippedOptional.push(step.name);
+      // best-effort: ignore
     }
   }
 
@@ -470,16 +648,25 @@ export async function verifyInitSetup(params: {
       missingRequired.push("SELECT on pg_catalog.pg_index");
     }
 
-    const viewExistsRes = await params.client.query("select to_regclass('public.pg_statistic') is not null as ok");
+    // Check postgres_ai schema exists and is usable
+    const schemaExistsRes = await params.client.query(
+      "select has_schema_privilege($1, 'postgres_ai', 'USAGE') as ok",
+      [role]
+    );
+    if (!schemaExistsRes.rows?.[0]?.ok) {
+      missingRequired.push("USAGE on schema postgres_ai");
+    }
+
+    const viewExistsRes = await params.client.query("select to_regclass('postgres_ai.pg_statistic') is not null as ok");
     if (!viewExistsRes.rows?.[0]?.ok) {
-      missingRequired.push("view public.pg_statistic exists");
+      missingRequired.push("view postgres_ai.pg_statistic exists");
     } else {
       const viewPrivRes = await params.client.query(
-        "select has_table_privilege($1, 'public.pg_statistic', 'SELECT') as ok",
+        "select has_table_privilege($1, 'postgres_ai.pg_statistic', 'SELECT') as ok",
         [role]
       );
       if (!viewPrivRes.rows?.[0]?.ok) {
-        missingRequired.push("SELECT on view public.pg_statistic");
+        missingRequired.push("SELECT on view postgres_ai.pg_statistic");
       }
     }
 
@@ -497,13 +684,30 @@ export async function verifyInitSetup(params: {
     if (typeof spLine !== "string" || !spLine) {
       missingRequired.push("role search_path is set");
     } else {
-      // We accept any ordering as long as public and pg_catalog are included.
+      // We accept any ordering as long as postgres_ai, public, and pg_catalog are included.
       const sp = spLine.toLowerCase();
-      if (!sp.includes("public") || !sp.includes("pg_catalog")) {
-        missingRequired.push("role search_path includes public and pg_catalog");
+      if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
+        missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
       }
     }
 
+    // Check for helper functions
+    const explainFnRes = await params.client.query(
+      "select has_function_privilege($1, 'postgres_ai.explain_generic(text, text, text)', 'EXECUTE') as ok",
+      [role]
+    );
+    if (!explainFnRes.rows?.[0]?.ok) {
+      missingRequired.push("EXECUTE on postgres_ai.explain_generic(text, text, text)");
+    }
+
+    const tableDescribeFnRes = await params.client.query(
+      "select has_function_privilege($1, 'postgres_ai.table_describe(text)', 'EXECUTE') as ok",
+      [role]
+    );
+    if (!tableDescribeFnRes.rows?.[0]?.ok) {
+      missingRequired.push("EXECUTE on postgres_ai.table_describe(text)");
+    }
+
     if (params.includeOptionalPermissions) {
       // Optional RDS/Aurora extras
       {