postgresai 0.14.0-dev.54 → 0.14.0-dev.56

package/README.md

@@ -303,17 +303,24 @@ Normalization:
 
 ### Examples
 
-Linux/macOS (bash/zsh):
+For production (uses default URLs):
 
 ```bash
+# Production auth - uses console.postgres.ai by default
+postgresai auth --debug
+```
+
+For staging/development environments:
+
+```bash
+# Linux/macOS (bash/zsh)
 export PGAI_API_BASE_URL=https://v2.postgres.ai/api/general/
 export PGAI_UI_BASE_URL=https://console-dev.postgres.ai
 postgresai auth --debug
 ```
 
-Windows PowerShell:
-
 ```powershell
+# Windows PowerShell
 $env:PGAI_API_BASE_URL = "https://v2.postgres.ai/api/general/"
 $env:PGAI_UI_BASE_URL = "https://console-dev.postgres.ai"
 postgresai auth --debug
@@ -330,6 +337,27 @@ postgresai auth --debug \
 Notes:
 - If `PGAI_UI_BASE_URL` is not set, the default is `https://console.postgres.ai`.
 
+## Development
+
+### Testing
+
+The CLI uses [Bun](https://bun.sh/) as the test runner with built-in coverage reporting.
+
+```bash
+# Run tests with coverage (default)
+bun run test
+
+# Run tests without coverage (faster iteration during development)
+bun run test:fast
+
+# Run tests with coverage and show report location
+bun run test:coverage
+```
+
+Coverage configuration is in `bunfig.toml`. Reports are generated in `coverage/` directory:
+- `coverage/lcov-report/index.html` - HTML coverage report
+- `coverage/lcov.info` - LCOV format for CI integration
+
 ## Requirements
 
 - Node.js 18 or higher

package/bin/postgres-ai.ts

@@ -1185,17 +1185,33 @@ mon
 
     // Update .env with custom tag if provided
     const envFile = path.resolve(projectDir, ".env");
-    const imageTag = opts.tag || pkg.version;
 
-    // Build .env content
-    const envLines: string[] = [`PGAI_TAG=${imageTag}`];
-    // Preserve GF_SECURITY_ADMIN_PASSWORD if it exists
+    // Build .env content, preserving important existing values
+    // Read existing .env first to preserve CI/custom settings
+    let existingTag: string | null = null;
+    let existingRegistry: string | null = null;
+    let existingPassword: string | null = null;
+
     if (fs.existsSync(envFile)) {
       const existingEnv = fs.readFileSync(envFile, "utf8");
+      // Extract existing values
+      const tagMatch = existingEnv.match(/^PGAI_TAG=(.+)$/m);
+      if (tagMatch) existingTag = tagMatch[1].trim();
+      const registryMatch = existingEnv.match(/^PGAI_REGISTRY=(.+)$/m);
+      if (registryMatch) existingRegistry = registryMatch[1].trim();
       const pwdMatch = existingEnv.match(/^GF_SECURITY_ADMIN_PASSWORD=(.+)$/m);
-      if (pwdMatch) {
-        envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${pwdMatch[1]}`);
-      }
+      if (pwdMatch) existingPassword = pwdMatch[1].trim();
+    }
+
+    // Priority: CLI --tag flag > existing .env > package version
+    const imageTag = opts.tag || existingTag || pkg.version;
+
+    const envLines: string[] = [`PGAI_TAG=${imageTag}`];
+    if (existingRegistry) {
+      envLines.push(`PGAI_REGISTRY=${existingRegistry}`);
+    }
+    if (existingPassword) {
+      envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${existingPassword}`);
     }
     fs.writeFileSync(envFile, envLines.join("\n") + "\n", { encoding: "utf8", mode: 0o600 });
 
@@ -2102,7 +2118,8 @@ auth
       }
 
       // Step 3: Open browser
-      const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}`;
+      // Pass api_url so UI calls oauth_approve on the same backend where oauth_init created the session
+      const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}&api_url=${encodeURIComponent(apiBaseUrl)}`;
 
       if (opts.debug) {
         console.log(`Debug: Auth URL: ${authUrl}`);

package/bunfig.toml

@@ -6,6 +6,14 @@
 # Integration tests that connect to databases need longer timeouts
 timeout = 30000
 
-# Coverage settings (if needed in future)
-# coverage = true
-# coverageDir = "coverage"
+# Coverage settings - enabled by default for test runs
+coverage = true
+coverageDir = "coverage"
+
+# Skip coverage for test files and node_modules
+coverageSkipTestFiles = true
+
+# Reporter format for CI integration
+# - text: console output with summary table
+# - lcov: standard format for coverage tools
+coverageReporter = ["text", "lcov"]

package/dist/bin/postgres-ai.js

@@ -13064,7 +13064,7 @@ var {
 // package.json
 var package_default = {
   name: "postgresai",
-  version: "0.14.0-dev.54",
+  version: "0.14.0-dev.56",
   description: "postgres_ai CLI",
   license: "Apache-2.0",
   private: false,
@@ -13090,12 +13090,14 @@ var package_default = {
   },
   scripts: {
     "embed-metrics": "bun run scripts/embed-metrics.ts",
-    build: `bun run embed-metrics && bun build ./bin/postgres-ai.ts --outdir ./dist/bin --target node && node -e "const fs=require('fs');const f='./dist/bin/postgres-ai.js';fs.writeFileSync(f,fs.readFileSync(f,'utf8').replace('#!/usr/bin/env bun','#!/usr/bin/env node'))"`,
+    build: `bun run embed-metrics && bun build ./bin/postgres-ai.ts --outdir ./dist/bin --target node && node -e "const fs=require('fs');const f='./dist/bin/postgres-ai.js';fs.writeFileSync(f,fs.readFileSync(f,'utf8').replace('#!/usr/bin/env bun','#!/usr/bin/env node'))" && cp -r ./sql ./dist/sql`,
     prepublishOnly: "npm run build",
     start: "bun ./bin/postgres-ai.ts --help",
     "start:node": "node ./dist/bin/postgres-ai.js --help",
     dev: "bun run embed-metrics && bun --watch ./bin/postgres-ai.ts",
     test: "bun run embed-metrics && bun test",
+    "test:fast": "bun run embed-metrics && bun test --coverage=false",
+    "test:coverage": "bun run embed-metrics && bun test --coverage && echo 'Coverage report: cli/coverage/lcov-report/index.html'",
     typecheck: "bun run embed-metrics && bunx tsc --noEmit"
   },
   dependencies: {
@@ -15885,7 +15887,7 @@ var Result = import_lib.default.Result;
 var TypeOverrides = import_lib.default.TypeOverrides;
 var defaults = import_lib.default.defaults;
 // package.json
-var version = "0.14.0-dev.54";
+var version = "0.14.0-dev.56";
 var package_default2 = {
   name: "postgresai",
   version,
@@ -15914,12 +15916,14 @@ var package_default2 = {
   },
   scripts: {
     "embed-metrics": "bun run scripts/embed-metrics.ts",
-    build: `bun run embed-metrics && bun build ./bin/postgres-ai.ts --outdir ./dist/bin --target node && node -e "const fs=require('fs');const f='./dist/bin/postgres-ai.js';fs.writeFileSync(f,fs.readFileSync(f,'utf8').replace('#!/usr/bin/env bun','#!/usr/bin/env node'))"`,
+    build: `bun run embed-metrics && bun build ./bin/postgres-ai.ts --outdir ./dist/bin --target node && node -e "const fs=require('fs');const f='./dist/bin/postgres-ai.js';fs.writeFileSync(f,fs.readFileSync(f,'utf8').replace('#!/usr/bin/env bun','#!/usr/bin/env node'))" && cp -r ./sql ./dist/sql`,
     prepublishOnly: "npm run build",
     start: "bun ./bin/postgres-ai.ts --help",
     "start:node": "node ./dist/bin/postgres-ai.js --help",
     dev: "bun run embed-metrics && bun --watch ./bin/postgres-ai.ts",
     test: "bun run embed-metrics && bun test",
+    "test:fast": "bun run embed-metrics && bun test --coverage=false",
+    "test:coverage": "bun run embed-metrics && bun test --coverage && echo 'Coverage report: cli/coverage/lcov-report/index.html'",
     typecheck: "bun run embed-metrics && bunx tsc --noEmit"
   },
   dependencies: {
@@ -23470,10 +23474,9 @@ function resolveBaseUrls2(opts, cfg, defaults2 = {}) {
 
 // lib/init.ts
 import { randomBytes } from "crypto";
-import { URL as URL2 } from "url";
+import { URL as URL2, fileURLToPath } from "url";
 import * as fs3 from "fs";
 import * as path3 from "path";
-var __dirname = "/builds/postgres-ai/postgres_ai/cli/lib";
 var DEFAULT_MONITORING_USER = "postgres_ai_mon";
 function sslModeToConfig(mode) {
   if (mode.toLowerCase() === "disable")
@@ -23554,9 +23557,11 @@ async function connectWithSslFallback(ClientClass, adminConn, verbose) {
   }
 }
 function sqlDir() {
+  const currentFile = fileURLToPath(import.meta.url);
+  const currentDir = path3.dirname(currentFile);
   const candidates = [
-    path3.resolve(__dirname, "..", "sql"),
-    path3.resolve(__dirname, "..", "..", "sql")
+    path3.resolve(currentDir, "..", "sql"),
+    path3.resolve(currentDir, "..", "..", "sql")
   ];
   for (const candidate of candidates) {
     if (fs3.existsSync(candidate)) {
@@ -24513,6 +24518,7 @@ where
     quote_ident(pci.relname) as tag_index_name,
     quote_ident(pct.relname) as tag_table_name,
     coalesce(nullif(quote_ident(pn.nspname), 'public') || '.', '') || quote_ident(pct.relname) as tag_relation_name,
+    pg_get_indexdef(pidx.indexrelid) as index_definition,
     pg_relation_size(pidx.indexrelid) index_size_bytes,
     ((
       select count(1)
@@ -25150,6 +25156,7 @@ async function getInvalidIndexes(client, pgMajorVersion = 16) {
       relation_name: String(transformed.relation_name || ""),
       index_size_bytes: indexSizeBytes,
       index_size_pretty: formatBytes(indexSizeBytes),
+      index_definition: String(transformed.index_definition || ""),
       supports_fk: toBool(transformed.supports_fk)
     };
   });
@@ -26723,14 +26730,28 @@ mon.command("local-install").description("install local monitoring stack (genera
   console.log(`Project directory: ${projectDir}
 `);
   const envFile = path5.resolve(projectDir, ".env");
-  const imageTag = opts.tag || package_default.version;
-  const envLines = [`PGAI_TAG=${imageTag}`];
+  let existingTag = null;
+  let existingRegistry = null;
+  let existingPassword = null;
   if (fs5.existsSync(envFile)) {
     const existingEnv = fs5.readFileSync(envFile, "utf8");
+    const tagMatch = existingEnv.match(/^PGAI_TAG=(.+)$/m);
+    if (tagMatch)
+      existingTag = tagMatch[1].trim();
+    const registryMatch = existingEnv.match(/^PGAI_REGISTRY=(.+)$/m);
+    if (registryMatch)
+      existingRegistry = registryMatch[1].trim();
     const pwdMatch = existingEnv.match(/^GF_SECURITY_ADMIN_PASSWORD=(.+)$/m);
-    if (pwdMatch) {
-      envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${pwdMatch[1]}`);
-    }
+    if (pwdMatch)
+      existingPassword = pwdMatch[1].trim();
+  }
+  const imageTag = opts.tag || existingTag || package_default.version;
+  const envLines = [`PGAI_TAG=${imageTag}`];
+  if (existingRegistry) {
+    envLines.push(`PGAI_REGISTRY=${existingRegistry}`);
+  }
+  if (existingPassword) {
+    envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${existingPassword}`);
   }
   fs5.writeFileSync(envFile, envLines.join(`
 `) + `
@@ -27535,7 +27556,7 @@ Please verify the --api-base-url parameter.`);
       process.exit(1);
       return;
     }
-    const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}`;
+    const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}&api_url=${encodeURIComponent(apiBaseUrl)}`;
     if (opts.debug) {
       console.log(`Debug: Auth URL: ${authUrl}`);
     }

package/dist/sql/01.role.sql

@@ -0,0 +1,16 @@
+-- Role creation / password update (template-filled by cli/lib/init.ts)
+--
+-- Always uses a race-safe pattern (create if missing, then always alter to set the password):
+--   do $$ begin
+--     if not exists (select 1 from pg_catalog.pg_roles where rolname = '...') then
+--       begin
+--         create user "..." with password '...';
+--       exception when duplicate_object then
+--         null;
+--       end;
+--     end if;
+--     alter user "..." with password '...';
+--   end $$;
+{{ROLE_STMT}}
+
+

package/dist/sql/02.permissions.sql

@@ -0,0 +1,37 @@
+-- Required permissions for postgres_ai monitoring user (template-filled by cli/lib/init.ts)
+
+-- Allow connect
+grant connect on database {{DB_IDENT}} to {{ROLE_IDENT}};
+
+-- Standard monitoring privileges
+grant pg_monitor to {{ROLE_IDENT}};
+grant select on pg_catalog.pg_index to {{ROLE_IDENT}};
+
+-- Create postgres_ai schema for our objects
+create schema if not exists postgres_ai;
+grant usage on schema postgres_ai to {{ROLE_IDENT}};
+
+-- For bloat analysis: expose pg_statistic via a view
+create or replace view postgres_ai.pg_statistic as
+select
+    n.nspname as schemaname,
+    c.relname as tablename,
+    a.attname,
+    s.stanullfrac as null_frac,
+    s.stawidth as avg_width,
+    false as inherited
+from pg_catalog.pg_statistic s
+join pg_catalog.pg_class c on c.oid = s.starelid
+join pg_catalog.pg_namespace n on n.oid = c.relnamespace
+join pg_catalog.pg_attribute a on a.attrelid = s.starelid and a.attnum = s.staattnum
+where a.attnum > 0 and not a.attisdropped;
+
+grant select on postgres_ai.pg_statistic to {{ROLE_IDENT}};
+
+-- Hardened clusters sometimes revoke PUBLIC on schema public
+grant usage on schema public to {{ROLE_IDENT}};
+
+-- Keep search_path predictable; postgres_ai first so our objects are found
+alter user {{ROLE_IDENT}} set search_path = postgres_ai, "$user", public, pg_catalog;
+
+

package/dist/sql/03.optional_rds.sql

@@ -0,0 +1,6 @@
+-- Optional permissions for RDS Postgres / Aurora (best effort)
+
+create extension if not exists rds_tools;
+grant execute on function rds_tools.pg_ls_multixactdir() to {{ROLE_IDENT}};
+
+

package/dist/sql/04.optional_self_managed.sql

@@ -0,0 +1,8 @@
+-- Optional permissions for self-managed Postgres (best effort)
+
+grant execute on function pg_catalog.pg_stat_file(text) to {{ROLE_IDENT}};
+grant execute on function pg_catalog.pg_stat_file(text, boolean) to {{ROLE_IDENT}};
+grant execute on function pg_catalog.pg_ls_dir(text) to {{ROLE_IDENT}};
+grant execute on function pg_catalog.pg_ls_dir(text, boolean, boolean) to {{ROLE_IDENT}};
+
+