postgresai 0.14.0-dev.42 → 0.14.0-dev.44

package/test/init.test.ts

@@ -0,0 +1,345 @@
+import { describe, test, expect, beforeAll } from "bun:test";
+import { resolve } from "path";
+
+// Import from source directly since we're using Bun
+import * as init from "../lib/init";
+const DEFAULT_MONITORING_USER = init.DEFAULT_MONITORING_USER;
+
+function runCli(args: string[], env: Record<string, string> = {}) {
+  const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+  const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+  const result = Bun.spawnSync([bunBin, cliPath, ...args], {
+    env: { ...process.env, ...env },
+  });
+  return {
+    status: result.exitCode,
+    stdout: new TextDecoder().decode(result.stdout),
+    stderr: new TextDecoder().decode(result.stderr),
+  };
+}
+
+function runPgai(args: string[], env: Record<string, string> = {}) {
+  // For testing, run the CLI directly since pgai is just a thin wrapper
+  // In production, pgai wrapper will properly resolve and spawn the postgresai CLI
+  const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+  const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+  const result = Bun.spawnSync([bunBin, cliPath, ...args], {
+    env: { ...process.env, ...env },
+  });
+  return {
+    status: result.exitCode,
+    stdout: new TextDecoder().decode(result.stdout),
+    stderr: new TextDecoder().decode(result.stderr),
+  };
+}
+
+describe("init module", () => {
+  test("maskConnectionString hides password when present", () => {
+    const masked = init.maskConnectionString("postgresql://user:secret@localhost:5432/mydb");
+    expect(masked).toMatch(/postgresql:\/\/user:\*{5}@localhost:5432\/mydb/);
+    expect(masked).not.toMatch(/secret/);
+  });
+
+  test("parseLibpqConninfo parses basic host/dbname/user/port/password", () => {
+    const cfg = init.parseLibpqConninfo("dbname=mydb host=localhost user=alice port=5432 password=secret");
+    expect(cfg.database).toBe("mydb");
+    expect(cfg.host).toBe("localhost");
+    expect(cfg.user).toBe("alice");
+    expect(cfg.port).toBe(5432);
+    expect(cfg.password).toBe("secret");
+  });
+
+  test("parseLibpqConninfo supports quoted values", () => {
+    const cfg = init.parseLibpqConninfo("dbname='my db' host='local host'");
+    expect(cfg.database).toBe("my db");
+    expect(cfg.host).toBe("local host");
+  });
+
+  test("buildInitPlan includes a race-safe role DO block", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    expect(plan.database).toBe("mydb");
+    const roleStep = plan.steps.find((s: { name: string }) => s.name === "01.role");
+    expect(roleStep).toBeTruthy();
+    expect(roleStep.sql).toMatch(/do\s+\$\$/i);
+    expect(roleStep.sql).toMatch(/create\s+user/i);
+    expect(roleStep.sql).toMatch(/alter\s+user/i);
+    expect(plan.steps.some((s: { optional?: boolean }) => s.optional)).toBe(false);
+  });
+
+  test("buildInitPlan handles special characters in monitoring user and database identifiers", async () => {
+    const monitoringUser = 'user "with" quotes ✓';
+    const database = 'db name "with" quotes ✓';
+    const plan = await init.buildInitPlan({
+      database,
+      monitoringUser,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const roleStep = plan.steps.find((s: { name: string }) => s.name === "01.role");
+    expect(roleStep).toBeTruthy();
+    expect(roleStep.sql).toMatch(/create\s+user\s+"user ""with"" quotes ✓"/i);
+    expect(roleStep.sql).toMatch(/alter\s+user\s+"user ""with"" quotes ✓"/i);
+
+    const permStep = plan.steps.find((s: { name: string }) => s.name === "02.permissions");
+    expect(permStep).toBeTruthy();
+    expect(permStep.sql).toMatch(/grant connect on database "db name ""with"" quotes ✓" to "user ""with"" quotes ✓"/i);
+  });
+
+  test("buildInitPlan keeps backslashes in passwords (no unintended escaping)", async () => {
+    const pw = String.raw`pw\with\backslash`;
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: pw,
+      includeOptionalPermissions: false,
+    });
+    const roleStep = plan.steps.find((s: { name: string }) => s.name === "01.role");
+    expect(roleStep).toBeTruthy();
+    expect(roleStep.sql).toContain(`password '${pw}'`);
+  });
+
+  test("buildInitPlan rejects identifiers with null bytes", async () => {
+    await expect(
+      init.buildInitPlan({
+        database: "mydb",
+        monitoringUser: "bad\0user",
+        monitoringPassword: "pw",
+        includeOptionalPermissions: false,
+      })
+    ).rejects.toThrow(/Identifier cannot contain null bytes/);
+  });
+
+  test("buildInitPlan rejects literals with null bytes", async () => {
+    await expect(
+      init.buildInitPlan({
+        database: "mydb",
+        monitoringUser: DEFAULT_MONITORING_USER,
+        monitoringPassword: "pw\0bad",
+        includeOptionalPermissions: false,
+      })
+    ).rejects.toThrow(/Literal cannot contain null bytes/);
+  });
+
+  test("buildInitPlan inlines password safely for CREATE/ALTER ROLE grammar", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pa'ss",
+      includeOptionalPermissions: false,
+    });
+    const step = plan.steps.find((s: { name: string }) => s.name === "01.role");
+    expect(step).toBeTruthy();
+    expect(step.sql).toMatch(/password 'pa''ss'/);
+    expect(step.params).toBeUndefined();
+  });
+
+  test("buildInitPlan includes optional steps when enabled", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: true,
+    });
+    expect(plan.steps.some((s: { optional?: boolean }) => s.optional)).toBe(true);
+  });
+
+  test("resolveAdminConnection accepts positional URI", () => {
+    const r = init.resolveAdminConnection({ conn: "postgresql://u:p@h:5432/d" });
+    expect(r.clientConfig.connectionString).toBeTruthy();
+    expect(r.display).not.toMatch(/:p@/);
+  });
+
+  test("resolveAdminConnection accepts positional conninfo", () => {
+    const r = init.resolveAdminConnection({ conn: "dbname=mydb host=localhost user=alice" });
+    expect(r.clientConfig.database).toBe("mydb");
+    expect(r.clientConfig.host).toBe("localhost");
+    expect(r.clientConfig.user).toBe("alice");
+  });
+
+  test("resolveAdminConnection rejects invalid psql-like port", () => {
+    expect(() => init.resolveAdminConnection({ host: "localhost", port: "abc", username: "u", dbname: "d" }))
+      .toThrow(/Invalid port value/);
+  });
+
+  test("resolveAdminConnection rejects when only PGPASSWORD is provided (no connection details)", () => {
+    expect(() => init.resolveAdminConnection({ envPassword: "pw" })).toThrow(/Connection is required/);
+  });
+
+  test("resolveAdminConnection rejects when connection is missing", () => {
+    expect(() => init.resolveAdminConnection({})).toThrow(/Connection is required/);
+  });
+
+  test("resolveMonitoringPassword auto-generates a strong, URL-safe password by default", async () => {
+    const r = await init.resolveMonitoringPassword({ monitoringUser: DEFAULT_MONITORING_USER });
+    expect(r.generated).toBe(true);
+    expect(typeof r.password).toBe("string");
+    expect(r.password.length).toBeGreaterThanOrEqual(30);
+    expect(r.password).toMatch(/^[A-Za-z0-9_-]+$/);
+  });
+
+  test("applyInitPlan preserves Postgres error fields on step failures", async () => {
+    const plan = {
+      monitoringUser: DEFAULT_MONITORING_USER,
+      database: "mydb",
+      steps: [{ name: "01.role", sql: "select 1" }],
+    };
+
+    const pgErr = Object.assign(new Error("permission denied to create role"), {
+      code: "42501",
+      detail: "some detail",
+      hint: "some hint",
+      schema: "pg_catalog",
+      table: "pg_roles",
+      constraint: "some_constraint",
+      routine: "aclcheck_error",
+    });
+
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string) => {
+        calls.push(sql);
+        if (sql === "begin;") return { rowCount: 1 };
+        if (sql === "rollback;") return { rowCount: 1 };
+        if (sql === "select 1") throw pgErr;
+        throw new Error(`unexpected sql: ${sql}`);
+      },
+    };
+
+    try {
+      await init.applyInitPlan({ client: client as any, plan: plan as any });
+      expect(true).toBe(false); // Should not reach here
+    } catch (e: any) {
+      expect(e).toBeInstanceOf(Error);
+      expect(e.message).toMatch(/Failed at step "01\.role":/);
+      expect(e.code).toBe("42501");
+      expect(e.detail).toBe("some detail");
+      expect(e.hint).toBe("some hint");
+      expect(e.schema).toBe("pg_catalog");
+      expect(e.table).toBe("pg_roles");
+      expect(e.constraint).toBe("some_constraint");
+      expect(e.routine).toBe("aclcheck_error");
+    }
+
+    expect(calls).toEqual(["begin;", "select 1", "rollback;"]);
+  });
+
+  test("verifyInitSetup runs inside a repeatable read snapshot and rolls back", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege") && String(sql).includes("pg_catalog.pg_index")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass('postgres_ai.pg_statistic')")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege") && String(sql).includes("postgres_ai.pg_statistic")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+
+    expect(calls.length).toBeGreaterThan(2);
+    expect(calls[0].toLowerCase()).toMatch(/^begin isolation level repeatable read/);
+    expect(calls[calls.length - 1].toLowerCase()).toBe("rollback;");
+  });
+
+  test("redactPasswordsInSql redacts password literals with embedded quotes", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pa'ss",
+      includeOptionalPermissions: false,
+    });
+    const step = plan.steps.find((s: { name: string }) => s.name === "01.role");
+    expect(step).toBeTruthy();
+    const redacted = init.redactPasswordsInSql(step.sql);
+    expect(redacted).toMatch(/password '<redacted>'/i);
+  });
+});
+
+describe("CLI commands", () => {
+  test("cli: prepare-db with missing connection prints help/options", () => {
+    const r = runCli(["prepare-db"]);
+    expect(r.status).not.toBe(0);
+    expect(r.stderr).toMatch(/--print-sql/);
+    expect(r.stderr).toMatch(/--monitoring-user/);
+  });
+
+  test("cli: prepare-db --print-sql works without connection (offline mode)", () => {
+    const r = runCli(["prepare-db", "--print-sql", "-d", "mydb", "--password", "monpw"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/SQL plan \(offline; not connected\)/);
+    expect(r.stdout).toMatch(new RegExp(`grant connect on database "mydb" to "${DEFAULT_MONITORING_USER}"`, "i"));
+  });
+
+  test("pgai wrapper forwards to postgresai CLI", () => {
+    const r = runPgai(["--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/postgresai|PostgresAI/i);
+  });
+
+  test("cli: prepare-db command exists and shows help", () => {
+    const r = runCli(["prepare-db", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/monitoring user/i);
+    expect(r.stdout).toMatch(/--print-sql/);
+  });
+
+  test("cli: mon local-install command exists and shows help", () => {
+    const r = runCli(["mon", "local-install", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/--demo/);
+    expect(r.stdout).toMatch(/--api-key/);
+  });
+
+  test("cli: auth login --help shows --set-key option", () => {
+    const r = runCli(["auth", "login", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/--set-key/);
+  });
+});

package/test/schema-validation.test.ts

@@ -0,0 +1,188 @@
+/**
+ * JSON Schema validation tests for H001, H002, H004 express checkup reports.
+ * These tests validate that the generated reports match the schemas in reporter/schemas/.
+ */
+import { describe, test, expect } from "bun:test";
+import { resolve } from "path";
+import { readFileSync } from "fs";
+import Ajv2020 from "ajv/dist/2020";
+
+import * as checkup from "../lib/checkup";
+
+const ajv = new Ajv2020({ allErrors: true, strict: false });
+const schemasDir = resolve(import.meta.dir, "../../reporter/schemas");
+
+function loadSchema(checkId: string): object {
+  const schemaPath = resolve(schemasDir, `${checkId}.schema.json`);
+  return JSON.parse(readFileSync(schemaPath, "utf8"));
+}
+
+function validateReport(report: any, checkId: string): { valid: boolean; errors: string[] } {
+  const schema = loadSchema(checkId);
+  const validate = ajv.compile(schema);
+  const valid = validate(report);
+  const errors = validate.errors?.map(e => `${e.instancePath}: ${e.message}`) || [];
+  return { valid: !!valid, errors };
+}
+
+// Mock client for testing
+function createMockClient(options: {
+  versionRows?: any[];
+  invalidIndexesRows?: any[];
+  unusedIndexesRows?: any[];
+  redundantIndexesRows?: any[];
+} = {}) {
+  const {
+    versionRows = [
+      { name: "server_version", setting: "16.3" },
+      { name: "server_version_num", setting: "160003" },
+    ],
+    invalidIndexesRows = [],
+    unusedIndexesRows = [],
+    redundantIndexesRows = [],
+  } = options;
+
+  return {
+    query: async (sql: string) => {
+      if (sql.includes("server_version") && sql.includes("server_version_num") && !sql.includes("order by")) {
+        return { rows: versionRows };
+      }
+      if (sql.includes("current_database()") && sql.includes("pg_database_size")) {
+        return { rows: [{ datname: "testdb", size_bytes: "1073741824" }] };
+      }
+      if (sql.includes("stats_reset") && sql.includes("pg_stat_database")) {
+        return { rows: [{ 
+          stats_reset_epoch: "1704067200", 
+          stats_reset_time: "2024-01-01 00:00:00+00",
+          days_since_reset: "30",
+          postmaster_startup_epoch: "1704067200",
+          postmaster_startup_time: "2024-01-01 00:00:00+00"
+        }] };
+      }
+      if (sql.includes("indisvalid = false")) {
+        return { rows: invalidIndexesRows };
+      }
+      if (sql.includes("Never Used Indexes") && sql.includes("idx_scan = 0")) {
+        return { rows: unusedIndexesRows };
+      }
+      if (sql.includes("redundant_indexes") && sql.includes("columns like")) {
+        return { rows: redundantIndexesRows };
+      }
+      throw new Error(`Unexpected query: ${sql}`);
+    },
+  };
+}
+
+describe("H001 schema validation", () => {
+  test("H001 report with empty data validates against schema", async () => {
+    const mockClient = createMockClient({ invalidIndexesRows: [] });
+    const report = await checkup.generateH001(mockClient as any, "node-01");
+    
+    const result = validateReport(report, "H001");
+    if (!result.valid) {
+      console.error("H001 validation errors:", result.errors);
+    }
+    expect(result.valid).toBe(true);
+  });
+
+  test("H001 report with data validates against schema", async () => {
+    const mockClient = createMockClient({
+      invalidIndexesRows: [
+        { 
+          schema_name: "public", 
+          table_name: "users", 
+          index_name: "users_email_idx", 
+          relation_name: "users",
+          index_size_bytes: "1048576",
+          supports_fk: false
+        },
+      ],
+    });
+    const report = await checkup.generateH001(mockClient as any, "node-01");
+    
+    const result = validateReport(report, "H001");
+    if (!result.valid) {
+      console.error("H001 validation errors:", result.errors);
+    }
+    expect(result.valid).toBe(true);
+  });
+});
+
+describe("H002 schema validation", () => {
+  test("H002 report with empty data validates against schema", async () => {
+    const mockClient = createMockClient({ unusedIndexesRows: [] });
+    const report = await checkup.generateH002(mockClient as any, "node-01");
+    
+    const result = validateReport(report, "H002");
+    if (!result.valid) {
+      console.error("H002 validation errors:", result.errors);
+    }
+    expect(result.valid).toBe(true);
+  });
+
+  test("H002 report with data validates against schema", async () => {
+    const mockClient = createMockClient({
+      unusedIndexesRows: [
+        { 
+          schema_name: "public", 
+          table_name: "logs", 
+          index_name: "logs_created_idx",
+          index_definition: "CREATE INDEX logs_created_idx ON public.logs USING btree (created_at)",
+          reason: "Never Used Indexes",
+          idx_scan: "0",
+          index_size_bytes: "8388608",
+          idx_is_btree: true,
+          supports_fk: false
+        },
+      ],
+    });
+    const report = await checkup.generateH002(mockClient as any, "node-01");
+    
+    const result = validateReport(report, "H002");
+    if (!result.valid) {
+      console.error("H002 validation errors:", result.errors);
+    }
+    expect(result.valid).toBe(true);
+  });
+});
+
+describe("H004 schema validation", () => {
+  test("H004 report with empty data validates against schema", async () => {
+    const mockClient = createMockClient({ redundantIndexesRows: [] });
+    const report = await checkup.generateH004(mockClient as any, "node-01");
+    
+    const result = validateReport(report, "H004");
+    if (!result.valid) {
+      console.error("H004 validation errors:", result.errors);
+    }
+    expect(result.valid).toBe(true);
+  });
+
+  test("H004 report with data validates against schema", async () => {
+    const mockClient = createMockClient({
+      redundantIndexesRows: [
+        { 
+          schema_name: "public", 
+          table_name: "orders", 
+          index_name: "orders_user_id_idx",
+          relation_name: "orders",
+          access_method: "btree",
+          reason: "public.orders_user_id_created_idx",
+          index_size_bytes: "2097152",
+          table_size_bytes: "16777216",
+          index_usage: "0",
+          supports_fk: false,
+          index_definition: "CREATE INDEX orders_user_id_idx ON public.orders USING btree (user_id)"
+        },
+      ],
+    });
+    const report = await checkup.generateH004(mockClient as any, "node-01");
+    
+    const result = validateReport(report, "H004");
+    if (!result.valid) {
+      console.error("H004 validation errors:", result.errors);
+    }
+    expect(result.valid).toBe(true);
+  });
+});
+

package/tsconfig.json

@@ -1,28 +1,20 @@
 {
   "compilerOptions": {
-    "target": "ES2020",
-    "module": "node16",
-    "lib": ["ES2020"],
-    "outDir": "./dist",
-    "rootDir": "./",
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ESNext"],
+    "types": ["bun-types"],
     "strict": true,
     "esModuleInterop": true,
     "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true,
+    "noEmit": true,
     "resolveJsonModule": true,
-    "declaration": true,
-    "declarationMap": true,
-    "sourceMap": true,
-    "moduleResolution": "node16",
-    "types": ["node"]
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": false,
+    "allowSyntheticDefaultImports": true,
+    "forceConsistentCasingInFileNames": true
   },
-  "include": [
-    "bin/**/*",
-    "lib/**/*"
-  ],
-  "exclude": [
-    "node_modules",
-    "dist"
-  ]
+  "include": ["bin/**/*", "lib/**/*", "test/**/*"],
+  "exclude": ["node_modules", "dist"]
 }
-

package/dist/bin/postgres-ai.d.ts

@@ -1,3 +0,0 @@
-#!/usr/bin/env node
-export {};
-//# sourceMappingURL=postgres-ai.d.ts.map

package/dist/bin/postgres-ai.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"postgres-ai.d.ts","sourceRoot":"","sources":["../../bin/postgres-ai.ts"],"names":[],"mappings":""}