postgresai 0.14.0-dev.54 → 0.14.0-dev.55

package/README.md

@@ -303,17 +303,24 @@ Normalization:
 
 ### Examples
 
-Linux/macOS (bash/zsh):
+For production (uses default URLs):
 
 ```bash
+# Production auth - uses console.postgres.ai by default
+postgresai auth --debug
+```
+
+For staging/development environments:
+
+```bash
+# Linux/macOS (bash/zsh)
 export PGAI_API_BASE_URL=https://v2.postgres.ai/api/general/
 export PGAI_UI_BASE_URL=https://console-dev.postgres.ai
 postgresai auth --debug
 ```
 
-Windows PowerShell:
-
 ```powershell
+# Windows PowerShell
 $env:PGAI_API_BASE_URL = "https://v2.postgres.ai/api/general/"
 $env:PGAI_UI_BASE_URL = "https://console-dev.postgres.ai"
 postgresai auth --debug
@@ -330,6 +337,27 @@ postgresai auth --debug \
 Notes:
 - If `PGAI_UI_BASE_URL` is not set, the default is `https://console.postgres.ai`.
 
+## Development
+
+### Testing
+
+The CLI uses [Bun](https://bun.sh/) as the test runner with built-in coverage reporting.
+
+```bash
+# Run tests with coverage (default)
+bun run test
+
+# Run tests without coverage (faster iteration during development)
+bun run test:fast
+
+# Run tests with coverage and show report location
+bun run test:coverage
+```
+
+Coverage configuration is in `bunfig.toml`. Reports are generated in `coverage/` directory:
+- `coverage/lcov-report/index.html` - HTML coverage report
+- `coverage/lcov.info` - LCOV format for CI integration
+
 ## Requirements
 
 - Node.js 18 or higher

package/bin/postgres-ai.ts

@@ -1185,17 +1185,33 @@ mon
 
     // Update .env with custom tag if provided
     const envFile = path.resolve(projectDir, ".env");
-    const imageTag = opts.tag || pkg.version;
 
-    // Build .env content
-    const envLines: string[] = [`PGAI_TAG=${imageTag}`];
-    // Preserve GF_SECURITY_ADMIN_PASSWORD if it exists
+    // Build .env content, preserving important existing values
+    // Read existing .env first to preserve CI/custom settings
+    let existingTag: string | null = null;
+    let existingRegistry: string | null = null;
+    let existingPassword: string | null = null;
+
     if (fs.existsSync(envFile)) {
       const existingEnv = fs.readFileSync(envFile, "utf8");
+      // Extract existing values
+      const tagMatch = existingEnv.match(/^PGAI_TAG=(.+)$/m);
+      if (tagMatch) existingTag = tagMatch[1].trim();
+      const registryMatch = existingEnv.match(/^PGAI_REGISTRY=(.+)$/m);
+      if (registryMatch) existingRegistry = registryMatch[1].trim();
       const pwdMatch = existingEnv.match(/^GF_SECURITY_ADMIN_PASSWORD=(.+)$/m);
-      if (pwdMatch) {
-        envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${pwdMatch[1]}`);
-      }
+      if (pwdMatch) existingPassword = pwdMatch[1].trim();
+    }
+
+    // Priority: CLI --tag flag > existing .env > package version
+    const imageTag = opts.tag || existingTag || pkg.version;
+
+    const envLines: string[] = [`PGAI_TAG=${imageTag}`];
+    if (existingRegistry) {
+      envLines.push(`PGAI_REGISTRY=${existingRegistry}`);
+    }
+    if (existingPassword) {
+      envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${existingPassword}`);
     }
     fs.writeFileSync(envFile, envLines.join("\n") + "\n", { encoding: "utf8", mode: 0o600 });
 
@@ -2102,7 +2118,8 @@ auth
       }
 
       // Step 3: Open browser
-      const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}`;
+      // Pass api_url so UI calls oauth_approve on the same backend where oauth_init created the session
+      const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}&api_url=${encodeURIComponent(apiBaseUrl)}`;
 
       if (opts.debug) {
         console.log(`Debug: Auth URL: ${authUrl}`);

package/bunfig.toml

@@ -6,6 +6,14 @@
 # Integration tests that connect to databases need longer timeouts
 timeout = 30000
 
-# Coverage settings (if needed in future)
-# coverage = true
-# coverageDir = "coverage"
+# Coverage settings - enabled by default for test runs
+coverage = true
+coverageDir = "coverage"
+
+# Skip coverage for test files and node_modules
+coverageSkipTestFiles = true
+
+# Reporter format for CI integration
+# - text: console output with summary table
+# - lcov: standard format for coverage tools
+coverageReporter = ["text", "lcov"]

package/dist/bin/postgres-ai.js

@@ -13064,7 +13064,7 @@ var {
 // package.json
 var package_default = {
   name: "postgresai",
-  version: "0.14.0-dev.54",
+  version: "0.14.0-dev.55",
   description: "postgres_ai CLI",
   license: "Apache-2.0",
   private: false,
@@ -13096,6 +13096,8 @@ var package_default = {
     "start:node": "node ./dist/bin/postgres-ai.js --help",
     dev: "bun run embed-metrics && bun --watch ./bin/postgres-ai.ts",
     test: "bun run embed-metrics && bun test",
+    "test:fast": "bun run embed-metrics && bun test --coverage=false",
+    "test:coverage": "bun run embed-metrics && bun test --coverage && echo 'Coverage report: cli/coverage/lcov-report/index.html'",
     typecheck: "bun run embed-metrics && bunx tsc --noEmit"
   },
   dependencies: {
@@ -15885,7 +15887,7 @@ var Result = import_lib.default.Result;
 var TypeOverrides = import_lib.default.TypeOverrides;
 var defaults = import_lib.default.defaults;
 // package.json
-var version = "0.14.0-dev.54";
+var version = "0.14.0-dev.55";
 var package_default2 = {
   name: "postgresai",
   version,
@@ -15920,6 +15922,8 @@ var package_default2 = {
     "start:node": "node ./dist/bin/postgres-ai.js --help",
     dev: "bun run embed-metrics && bun --watch ./bin/postgres-ai.ts",
     test: "bun run embed-metrics && bun test",
+    "test:fast": "bun run embed-metrics && bun test --coverage=false",
+    "test:coverage": "bun run embed-metrics && bun test --coverage && echo 'Coverage report: cli/coverage/lcov-report/index.html'",
     typecheck: "bun run embed-metrics && bunx tsc --noEmit"
   },
   dependencies: {
@@ -26723,14 +26727,28 @@ mon.command("local-install").description("install local monitoring stack (genera
   console.log(`Project directory: ${projectDir}
 `);
   const envFile = path5.resolve(projectDir, ".env");
-  const imageTag = opts.tag || package_default.version;
-  const envLines = [`PGAI_TAG=${imageTag}`];
+  let existingTag = null;
+  let existingRegistry = null;
+  let existingPassword = null;
   if (fs5.existsSync(envFile)) {
     const existingEnv = fs5.readFileSync(envFile, "utf8");
+    const tagMatch = existingEnv.match(/^PGAI_TAG=(.+)$/m);
+    if (tagMatch)
+      existingTag = tagMatch[1].trim();
+    const registryMatch = existingEnv.match(/^PGAI_REGISTRY=(.+)$/m);
+    if (registryMatch)
+      existingRegistry = registryMatch[1].trim();
     const pwdMatch = existingEnv.match(/^GF_SECURITY_ADMIN_PASSWORD=(.+)$/m);
-    if (pwdMatch) {
-      envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${pwdMatch[1]}`);
-    }
+    if (pwdMatch)
+      existingPassword = pwdMatch[1].trim();
+  }
+  const imageTag = opts.tag || existingTag || package_default.version;
+  const envLines = [`PGAI_TAG=${imageTag}`];
+  if (existingRegistry) {
+    envLines.push(`PGAI_REGISTRY=${existingRegistry}`);
+  }
+  if (existingPassword) {
+    envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${existingPassword}`);
   }
   fs5.writeFileSync(envFile, envLines.join(`
 `) + `
@@ -27535,7 +27553,7 @@ Please verify the --api-base-url parameter.`);
       process.exit(1);
       return;
     }
-    const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}`;
+    const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}&api_url=${encodeURIComponent(apiBaseUrl)}`;
     if (opts.debug) {
       console.log(`Debug: Auth URL: ${authUrl}`);
     }

package/lib/metrics-embedded.ts

@@ -1,6 +1,6 @@
 // AUTO-GENERATED FILE - DO NOT EDIT
 // Generated from config/pgwatch-prometheus/metrics.yml by scripts/embed-metrics.ts
-// Generated at: 2025-12-28T15:08:23.760Z
+// Generated at: 2025-12-29T17:55:05.936Z
 
 /**
  * Metric definition from metrics.yml

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postgresai",
-  "version": "0.14.0-dev.54",
+  "version": "0.14.0-dev.55",
   "description": "postgres_ai CLI",
   "license": "Apache-2.0",
   "private": false,
@@ -32,6 +32,8 @@
     "start:node": "node ./dist/bin/postgres-ai.js --help",
     "dev": "bun run embed-metrics && bun --watch ./bin/postgres-ai.ts",
     "test": "bun run embed-metrics && bun test",
+    "test:fast": "bun run embed-metrics && bun test --coverage=false",
+    "test:coverage": "bun run embed-metrics && bun test --coverage && echo 'Coverage report: cli/coverage/lcov-report/index.html'",
     "typecheck": "bun run embed-metrics && bunx tsc --noEmit"
   },
   "dependencies": {

package/test/auth.test.ts

@@ -0,0 +1,258 @@
+import { describe, test, expect } from "bun:test";
+import { resolve } from "path";
+
+import * as util from "../lib/util";
+import * as pkce from "../lib/pkce";
+import * as authServer from "../lib/auth-server";
+
+function runCli(args: string[], env: Record<string, string> = {}) {
+  const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+  const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+  const result = Bun.spawnSync([bunBin, cliPath, ...args], {
+    env: { ...process.env, ...env },
+  });
+  return {
+    status: result.exitCode,
+    stdout: new TextDecoder().decode(result.stdout),
+    stderr: new TextDecoder().decode(result.stderr),
+  };
+}
+
+describe("URL resolution", () => {
+  test("resolveBaseUrls returns correct production defaults", () => {
+    const result = util.resolveBaseUrls();
+    expect(result.apiBaseUrl).toBe("https://postgres.ai/api/general");
+    expect(result.uiBaseUrl).toBe("https://console.postgres.ai");
+  });
+
+  test("resolveBaseUrls strips trailing slashes", () => {
+    const result = util.resolveBaseUrls({
+      apiBaseUrl: "https://example.com/api/",
+      uiBaseUrl: "https://example.com/",
+    });
+    expect(result.apiBaseUrl).toBe("https://example.com/api");
+    expect(result.uiBaseUrl).toBe("https://example.com");
+  });
+
+  test("resolveBaseUrls respects environment variables", () => {
+    const originalApiUrl = process.env.PGAI_API_BASE_URL;
+    const originalUiUrl = process.env.PGAI_UI_BASE_URL;
+
+    try {
+      process.env.PGAI_API_BASE_URL = "https://custom-api.example.com/api/";
+      process.env.PGAI_UI_BASE_URL = "https://custom-ui.example.com/";
+
+      const result = util.resolveBaseUrls();
+      expect(result.apiBaseUrl).toBe("https://custom-api.example.com/api");
+      expect(result.uiBaseUrl).toBe("https://custom-ui.example.com");
+    } finally {
+      if (originalApiUrl === undefined) {
+        delete process.env.PGAI_API_BASE_URL;
+      } else {
+        process.env.PGAI_API_BASE_URL = originalApiUrl;
+      }
+      if (originalUiUrl === undefined) {
+        delete process.env.PGAI_UI_BASE_URL;
+      } else {
+        process.env.PGAI_UI_BASE_URL = originalUiUrl;
+      }
+    }
+  });
+
+  test("resolveBaseUrls prefers CLI options over env vars", () => {
+    const originalApiUrl = process.env.PGAI_API_BASE_URL;
+
+    try {
+      process.env.PGAI_API_BASE_URL = "https://env.example.com/api/";
+
+      const result = util.resolveBaseUrls({
+        apiBaseUrl: "https://cli-option.example.com/api/",
+      });
+      expect(result.apiBaseUrl).toBe("https://cli-option.example.com/api");
+    } finally {
+      if (originalApiUrl === undefined) {
+        delete process.env.PGAI_API_BASE_URL;
+      } else {
+        process.env.PGAI_API_BASE_URL = originalApiUrl;
+      }
+    }
+  });
+
+  test("resolveBaseUrls uses config baseUrl for API", () => {
+    const result = util.resolveBaseUrls({}, { baseUrl: "https://config.example.com/api/" });
+    expect(result.apiBaseUrl).toBe("https://config.example.com/api");
+    // UI should still use default since config doesn't have uiBaseUrl
+    expect(result.uiBaseUrl).toBe("https://console.postgres.ai");
+  });
+
+  test("normalizeBaseUrl throws on invalid URL", () => {
+    expect(() => util.normalizeBaseUrl("not-a-url")).toThrow(/Invalid base URL/);
+  });
+
+  test("normalizeBaseUrl accepts valid URLs", () => {
+    expect(util.normalizeBaseUrl("https://example.com")).toBe("https://example.com");
+    expect(util.normalizeBaseUrl("https://example.com/")).toBe("https://example.com");
+    expect(util.normalizeBaseUrl("https://example.com/api/")).toBe("https://example.com/api");
+  });
+});
+
+describe("PKCE module", () => {
+  test("generateCodeVerifier returns correct length string", () => {
+    const verifier = pkce.generateCodeVerifier();
+    expect(typeof verifier).toBe("string");
+    expect(verifier.length).toBeGreaterThanOrEqual(43);
+    expect(verifier.length).toBeLessThanOrEqual(128);
+  });
+
+  test("generateCodeChallenge returns base64url encoded SHA256", () => {
+    const verifier = pkce.generateCodeVerifier();
+    const challenge = pkce.generateCodeChallenge(verifier);
+    expect(typeof challenge).toBe("string");
+    expect(challenge.length).toBeGreaterThan(0);
+    // Base64url encoding should not contain + or / characters
+    expect(challenge).not.toMatch(/[+/]/);
+  });
+
+  test("generateState returns random string", () => {
+    const state1 = pkce.generateState();
+    const state2 = pkce.generateState();
+    expect(typeof state1).toBe("string");
+    expect(state1.length).toBeGreaterThan(0);
+    expect(state1).not.toBe(state2); // Should be random
+  });
+
+  test("generatePKCEParams returns all required parameters", () => {
+    const params = pkce.generatePKCEParams();
+    expect(params.codeVerifier).toBeTruthy();
+    expect(params.codeChallenge).toBeTruthy();
+    expect(params.codeChallengeMethod).toBe("S256");
+    expect(params.state).toBeTruthy();
+  });
+});
+
+describe("Auth callback server", () => {
+  test("createCallbackServer returns correct interface", () => {
+    const server = authServer.createCallbackServer(0, "test-state", 1000);
+    expect(server.server).toBeTruthy();
+    expect(server.server.stop).toBeInstanceOf(Function);
+    expect(server.promise).toBeInstanceOf(Promise);
+    expect(server.ready).toBeInstanceOf(Promise);
+    expect(server.getPort).toBeInstanceOf(Function);
+
+    // Clean up
+    server.server.stop();
+  });
+
+  test("createCallbackServer binds to a port", async () => {
+    const server = authServer.createCallbackServer(0, "test-state", 5000);
+    const port = await server.ready;
+    expect(typeof port).toBe("number");
+    expect(port).toBeGreaterThan(0);
+
+    // Clean up
+    server.server.stop();
+  });
+
+  test("createCallbackServer responds to callback requests", async () => {
+    const testState = "test-state-" + Math.random().toString(36).substring(7);
+    const server = authServer.createCallbackServer(0, testState, 5000);
+    const port = await server.ready;
+
+    // Simulate OAuth callback
+    const testCode = "test-auth-code";
+    const callbackUrl = `http://127.0.0.1:${port}/callback?code=${testCode}&state=${testState}`;
+
+    const fetchPromise = fetch(callbackUrl);
+    const result = await server.promise;
+
+    expect(result.code).toBe(testCode);
+    expect(result.state).toBe(testState);
+
+    // Check response
+    const response = await fetchPromise;
+    expect(response.status).toBe(200);
+    const text = await response.text();
+    expect(text).toMatch(/Authentication successful/);
+  });
+
+  test("createCallbackServer rejects on state mismatch", async () => {
+    const server = authServer.createCallbackServer(0, "expected-state", 5000);
+    const port = await server.ready;
+
+    const callbackUrl = `http://127.0.0.1:${port}/callback?code=test-code&state=wrong-state`;
+
+    const fetchPromise = fetch(callbackUrl);
+
+    await expect(server.promise).rejects.toThrow(/State mismatch/);
+
+    const response = await fetchPromise;
+    expect(response.status).toBe(400);
+  });
+
+  test("createCallbackServer handles OAuth errors", async () => {
+    const server = authServer.createCallbackServer(0, "test-state", 5000);
+    const port = await server.ready;
+
+    const callbackUrl = `http://127.0.0.1:${port}/callback?error=access_denied&error_description=User%20denied%20access`;
+
+    const fetchPromise = fetch(callbackUrl);
+
+    await expect(server.promise).rejects.toThrow(/OAuth error: access_denied/);
+
+    const response = await fetchPromise;
+    expect(response.status).toBe(400);
+  });
+
+  test("createCallbackServer times out", async () => {
+    const server = authServer.createCallbackServer(0, "test-state", 100); // 100ms timeout
+    await server.ready;
+
+    await expect(server.promise).rejects.toThrow(/timeout/i);
+  });
+});
+
+describe("CLI auth commands", () => {
+  test("cli: auth login --help shows all options", () => {
+    const r = runCli(["auth", "login", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/--set-key/);
+    expect(r.stdout).toMatch(/--debug/);
+  });
+
+  test("cli: auth show-key --help works", () => {
+    const r = runCli(["auth", "show-key", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/show.*key/i);
+  });
+
+  test("cli: auth remove-key --help works", () => {
+    const r = runCli(["auth", "remove-key", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/remove.*key/i);
+  });
+});
+
+describe("maskSecret utility", () => {
+  test("masks short secrets completely", () => {
+    expect(util.maskSecret("abc")).toBe("****");
+    expect(util.maskSecret("12345678")).toBe("****");
+  });
+
+  test("masks medium secrets with visible ends", () => {
+    const masked = util.maskSecret("1234567890123456");
+    // maskSecret shows first 4 chars, middle masked, last 4 chars for 16-char strings
+    expect(masked).toMatch(/^1234\*+3456$/);
+  });
+
+  test("masks long secrets appropriately", () => {
+    const secret = "abcdefghij1234567890klmnopqrstuvwxyz";
+    const masked = util.maskSecret(secret);
+    expect(masked.startsWith("abcdefghij12")).toBe(true);
+    expect(masked.endsWith("wxyz")).toBe(true);
+    expect(masked).toMatch(/\*+/);
+  });
+
+  test("handles empty string", () => {
+    expect(util.maskSecret("")).toBe("");
+  });
+});