postgresai 0.14.0-dev.55 → 0.14.0-dev.57

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postgresai",
-  "version": "0.14.0-dev.55",
+  "version": "0.14.0-dev.57",
   "description": "postgres_ai CLI",
   "license": "Apache-2.0",
   "private": false,
@@ -26,7 +26,7 @@
   },
   "scripts": {
     "embed-metrics": "bun run scripts/embed-metrics.ts",
-    "build": "bun run embed-metrics && bun build ./bin/postgres-ai.ts --outdir ./dist/bin --target node && node -e \"const fs=require('fs');const f='./dist/bin/postgres-ai.js';fs.writeFileSync(f,fs.readFileSync(f,'utf8').replace('#!/usr/bin/env bun','#!/usr/bin/env node'))\"",
+    "build": "bun run embed-metrics && bun build ./bin/postgres-ai.ts --outdir ./dist/bin --target node && node -e \"const fs=require('fs');const f='./dist/bin/postgres-ai.js';fs.writeFileSync(f,fs.readFileSync(f,'utf8').replace('#!/usr/bin/env bun','#!/usr/bin/env node'))\" && cp -r ./sql ./dist/sql",
     "prepublishOnly": "npm run build",
     "start": "bun ./bin/postgres-ai.ts --help",
     "start:node": "node ./dist/bin/postgres-ai.js --help",

package/sql/05.helpers.sql

@@ -3,11 +3,17 @@
 -- operations they don't have direct permissions for.
 
 /*
- * pgai_explain_generic
+ * explain_generic
  *
  * Function to get generic explain plans with optional HypoPG index testing.
  * Requires: PostgreSQL 16+ (for generic_plan option), HypoPG extension (optional).
  *
+ * Security notes:
+ * - EXPLAIN without ANALYZE is read-only (plans but doesn't execute the query)
+ * - PostgreSQL's EXPLAIN only accepts a single statement (primary protection)
+ * - Input validation uses a simple heuristic to detect multiple statements
+ *   (Note: may reject valid queries containing semicolons in string literals)
+ *
  * Usage examples:
  *   -- Basic generic plan
  *   select postgres_ai.explain_generic('select * from users where id = $1');
@@ -39,6 +45,7 @@ declare
   v_hypo_result record;
   v_version int;
   v_hypopg_available boolean;
+  v_clean_query text;
 begin
   -- Check PostgreSQL version (generic_plan requires 16+)
   select current_setting('server_version_num')::int into v_version;
@@ -48,6 +55,24 @@ begin
       current_setting('server_version');
   end if;
 
+  -- Input validation: reject empty queries
+  if query is null or trim(query) = '' then
+    raise exception 'query cannot be empty';
+  end if;
+
+  -- Input validation: detect multiple statements (defense-in-depth)
+  -- Note: This is a simple heuristic - EXPLAIN itself only accepts single statements
+  -- Limitation: Queries with semicolons inside string literals will be rejected
+  v_clean_query := trim(query);
+  if v_clean_query like '%;%' then
+    -- Strip trailing semicolon if present (common user convenience)
+    v_clean_query := regexp_replace(v_clean_query, ';\s*$', '');
+    -- If there's still a semicolon, reject (likely multiple statements or semicolon in string)
+    if v_clean_query like '%;%' then
+      raise exception 'query contains semicolon (multiple statements not allowed; note: semicolons in string literals are also not supported)';
+    end if;
+  end if;
+
   -- Check if HypoPG extension is available
   if hypopg_index is not null then
     select exists(
@@ -64,15 +89,14 @@ begin
       v_hypo_result.indexname, v_hypo_result.indexrelid;
   end if;
 
-  -- Build and execute explain query based on format
-  -- Output is preserved exactly as EXPLAIN returns it
+  -- Build and execute EXPLAIN query
+  -- Note: EXPLAIN is read-only (plans but doesn't execute), making this safe
   begin
     if lower(format) = 'json' then
-      v_explain_query := 'explain (verbose, settings, generic_plan, format json) ' || query;
-      execute v_explain_query into result;
+      execute 'explain (verbose, settings, generic_plan, format json) ' || v_clean_query
+        into result;
     else
-      v_explain_query := 'explain (verbose, settings, generic_plan) ' || query;
-      for v_line in execute v_explain_query loop
+      for v_line in execute 'explain (verbose, settings, generic_plan) ' || v_clean_query loop
         v_lines := array_append(v_lines, v_line."QUERY PLAN");
       end loop;
       result := array_to_string(v_lines, e'\n');

package/test/checkup.integration.test.ts

@@ -253,6 +253,52 @@ describe.skipIf(!!skipReason)("checkup integration: express mode schema compatib
     expect(typeof nodeResult.data).toBe("object");
   });
 
+  test("H001 returns index_definition with CREATE INDEX statement", async () => {
+    // Create a table and an index, then mark the index as invalid
+    await client.query(`
+      CREATE TABLE IF NOT EXISTS test_invalid_idx_table (id serial PRIMARY KEY, value text);
+      CREATE INDEX IF NOT EXISTS test_invalid_idx ON test_invalid_idx_table(value);
+    `);
+
+    // Mark the index as invalid (simulating a failed CONCURRENTLY build)
+    await client.query(`
+      UPDATE pg_index SET indisvalid = false
+      WHERE indexrelid = 'test_invalid_idx'::regclass;
+    `);
+
+    try {
+      const report = await checkup.generateH001(client, "test-node");
+      validateAgainstSchema(report, "H001");
+
+      const nodeResult = report.results["test-node"];
+      const dbName = Object.keys(nodeResult.data)[0];
+      expect(dbName).toBeTruthy();
+
+      const dbData = nodeResult.data[dbName] as any;
+      expect(dbData.invalid_indexes).toBeDefined();
+      expect(dbData.invalid_indexes.length).toBeGreaterThan(0);
+
+      // Find our test index
+      const testIndex = dbData.invalid_indexes.find(
+        (idx: any) => idx.index_name === "test_invalid_idx"
+      );
+      expect(testIndex).toBeDefined();
+
+      // Verify index_definition contains the actual CREATE INDEX statement
+      expect(testIndex.index_definition).toMatch(/^CREATE INDEX/);
+      expect(testIndex.index_definition).toContain("test_invalid_idx");
+      expect(testIndex.index_definition).toContain("test_invalid_idx_table");
+    } finally {
+      // Cleanup: restore the index and drop test objects
+      await client.query(`
+        UPDATE pg_index SET indisvalid = true
+        WHERE indexrelid = 'test_invalid_idx'::regclass;
+        DROP INDEX IF EXISTS test_invalid_idx;
+        DROP TABLE IF EXISTS test_invalid_idx_table;
+      `);
+    }
+  });
+
   test("H002 (unused indexes) has correct data structure", async () => {
     const report = await checkup.generateH002(client, "test-node");
     validateAgainstSchema(report, "H002");

package/test/checkup.test.ts

@@ -480,7 +480,7 @@ describe("H001 - Invalid indexes", () => {
   test("getInvalidIndexes returns invalid indexes", async () => {
     const mockClient = createMockClient({
       invalidIndexesRows: [
-        { schema_name: "public", table_name: "users", index_name: "users_email_idx", relation_name: "users", index_size_bytes: "1048576", supports_fk: false },
+        { schema_name: "public", table_name: "users", index_name: "users_email_idx", relation_name: "users", index_size_bytes: "1048576", index_definition: "CREATE INDEX users_email_idx ON public.users USING btree (email)", supports_fk: false },
       ],
     });
 
@@ -491,6 +491,7 @@ describe("H001 - Invalid indexes", () => {
     expect(indexes[0].index_name).toBe("users_email_idx");
     expect(indexes[0].index_size_bytes).toBe(1048576);
     expect(indexes[0].index_size_pretty).toBeTruthy();
+    expect(indexes[0].index_definition).toMatch(/^CREATE INDEX/);
     expect(indexes[0].relation_name).toBe("users");
     expect(indexes[0].supports_fk).toBe(false);
   });
@@ -502,7 +503,7 @@ describe("H001 - Invalid indexes", () => {
         { name: "server_version_num", setting: "160003" },
       ],
         invalidIndexesRows: [
-          { schema_name: "public", table_name: "orders", index_name: "orders_status_idx", relation_name: "orders", index_size_bytes: "2097152", supports_fk: false },
+          { schema_name: "public", table_name: "orders", index_name: "orders_status_idx", relation_name: "orders", index_size_bytes: "2097152", index_definition: "CREATE INDEX orders_status_idx ON public.orders USING btree (status)", supports_fk: false },
         ],
       }
     );

package/test/init.integration.test.ts

@@ -396,4 +396,102 @@ describe.skipIf(skipTests)("integration: prepare-db", () => {
       await pg.cleanup();
     }
   });
+
+  test("explain_generic validates input and prevents SQL injection", async () => {
+    pg = await createTempPostgres();
+
+    try {
+      // Run init first
+      {
+        const r = runCliInit([pg.adminUri, "--password", "pw1", "--skip-optional-permissions"]);
+        expect(r.status).toBe(0);
+      }
+
+      const c = new Client({ connectionString: pg.adminUri });
+      await c.connect();
+
+      try {
+        // Check PostgreSQL version - generic_plan requires 16+
+        const versionRes = await c.query("show server_version_num");
+        const version = parseInt(versionRes.rows[0].server_version_num, 10);
+
+        if (version < 160000) {
+          // Skip this test on older PostgreSQL versions
+          console.log("Skipping explain_generic tests: requires PostgreSQL 16+");
+          return;
+        }
+
+        // Test 1: Empty query should be rejected
+        await expect(
+          c.query("select postgres_ai.explain_generic('')")
+        ).rejects.toThrow(/query cannot be empty/);
+
+        // Test 2: Null query should be rejected
+        await expect(
+          c.query("select postgres_ai.explain_generic(null)")
+        ).rejects.toThrow(/query cannot be empty/);
+
+        // Test 3: Multiple statements (semicolon in middle) should be rejected
+        await expect(
+          c.query("select postgres_ai.explain_generic('select 1; select 2')")
+        ).rejects.toThrow(/semicolon|multiple statements/i);
+
+        // Test 4: Trailing semicolon should be stripped and work
+        {
+          const res = await c.query("select postgres_ai.explain_generic('select 1;') as result");
+          expect(res.rows[0].result).toBeTruthy();
+          expect(res.rows[0].result).toMatch(/Result/i);
+        }
+
+        // Test 5: Valid query should work
+        {
+          const res = await c.query("select postgres_ai.explain_generic('select $1::int', 'text') as result");
+          expect(res.rows[0].result).toBeTruthy();
+        }
+
+        // Test 6: JSON format should work
+        {
+          const res = await c.query("select postgres_ai.explain_generic('select 1', 'json') as result");
+          const plan = JSON.parse(res.rows[0].result);
+          expect(Array.isArray(plan)).toBe(true);
+          expect(plan[0].Plan).toBeTruthy();
+        }
+
+        // Test 7: Whitespace-only query should be rejected
+        await expect(
+          c.query("select postgres_ai.explain_generic('   ')")
+        ).rejects.toThrow(/query cannot be empty/);
+
+        // Test 8: Semicolon in string literal is rejected (documented limitation)
+        // Note: This is a known limitation - the simple heuristic cannot parse SQL strings
+        await expect(
+          c.query("select postgres_ai.explain_generic('select ''hello;world''')")
+        ).rejects.toThrow(/semicolon/i);
+
+        // Test 9: SQL comments should work (no semicolons)
+        {
+          const res = await c.query("select postgres_ai.explain_generic('select 1 -- comment') as result");
+          expect(res.rows[0].result).toBeTruthy();
+        }
+
+        // Test 10: Escaped quotes should work (no semicolons)
+        {
+          const res = await c.query("select postgres_ai.explain_generic('select ''test''''s value''') as result");
+          expect(res.rows[0].result).toBeTruthy();
+        }
+
+        // Test 11: Case-insensitive format parameter
+        {
+          const res = await c.query("select postgres_ai.explain_generic('select 1', 'JSON') as result");
+          const plan = JSON.parse(res.rows[0].result);
+          expect(Array.isArray(plan)).toBe(true);
+        }
+
+      } finally {
+        await c.end();
+      }
+    } finally {
+      await pg.cleanup();
+    }
+  });
 });

package/test/init.test.ts

@@ -337,9 +337,81 @@ describe("CLI commands", () => {
     expect(r.stdout).toMatch(/--api-key/);
   });
 
+  test("cli: mon local-install --api-key and --db-url skip interactive prompts", () => {
+    // This test verifies that when --api-key and --db-url are provided,
+    // the CLI uses them directly without prompting for input.
+    // The command will fail later (no Docker, invalid DB), but we check
+    // that the options were parsed and used correctly.
+    const r = runCli([
+      "mon", "local-install",
+      "--api-key", "test-api-key-12345",
+      "--db-url", "postgresql://user:pass@localhost:5432/testdb"
+    ]);
+
+    // Should show that API key was provided via CLI option (not prompting)
+    expect(r.stdout).toMatch(/Using API key provided via --api-key parameter/);
+    // Should show that DB URL was provided via CLI option (not prompting)
+    expect(r.stdout).toMatch(/Using database URL provided via --db-url parameter/);
+  });
+
   test("cli: auth login --help shows --set-key option", () => {
     const r = runCli(["auth", "login", "--help"]);
     expect(r.status).toBe(0);
     expect(r.stdout).toMatch(/--set-key/);
   });
+
+  test("cli: mon local-install reads global --api-key option", () => {
+    // The fix ensures --api-key works when passed as a global option (before subcommand)
+    // Commander.js routes global options to program.opts(), not subcommand opts
+    const r = runCli([
+      "--api-key", "global-api-key-test",
+      "mon", "local-install",
+      "--db-url", "postgresql://user:pass@localhost:5432/testdb"
+    ]);
+
+    // Should detect the API key from global options
+    expect(r.stdout).toMatch(/Using API key provided via --api-key parameter/);
+  });
+
+  test("cli: mon local-install works with --api-key after subcommand", () => {
+    // Test that --api-key works when passed after the subcommand
+    // Note: Commander.js routes --api-key to global opts, the fix reads from both
+    const r = runCli([
+      "mon", "local-install",
+      "--api-key", "test-key-after-subcommand",
+      "--db-url", "postgresql://user:pass@localhost:5432/testdb"
+    ]);
+
+    // Should detect the API key regardless of position
+    expect(r.stdout).toMatch(/Using API key provided via --api-key parameter/);
+    // Verify the key was saved
+    expect(r.stdout).toMatch(/API key saved/);
+  });
+
+  test("cli: mon local-install with --yes and no --api-key skips API setup", () => {
+    // When --yes is provided without --api-key, the CLI should skip
+    // the interactive prompt and proceed without API key
+    const r = runCli([
+      "mon", "local-install",
+      "--db-url", "postgresql://user:pass@localhost:5432/testdb",
+      "--yes"
+    ]);
+
+    // Should indicate auto-yes mode without API key
+    expect(r.stdout).toMatch(/Auto-yes mode: no API key provided/);
+    expect(r.stdout).toMatch(/Reports will be generated locally only/);
+  });
+
+  test("cli: mon local-install --demo with global --api-key shows error", () => {
+    // When --demo is used with global --api-key, it should still be detected and error
+    const r = runCli([
+      "--api-key", "global-api-key-test",
+      "mon", "local-install",
+      "--demo"
+    ]);
+
+    // Should reject demo mode with API key (from global option)
+    expect(r.status).not.toBe(0);
+    expect(r.stderr).toMatch(/Cannot use --api-key with --demo mode/);
+  });
 });

package/test/issues.cli.test.ts

@@ -0,0 +1,314 @@
+import { describe, test, expect } from "bun:test";
+import { resolve } from "path";
+import { mkdtempSync } from "fs";
+import { tmpdir } from "os";
+
+function runCli(args: string[], env: Record<string, string> = {}) {
+  const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+  const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+  const result = Bun.spawnSync([bunBin, cliPath, ...args], {
+    env: { ...process.env, ...env },
+  });
+  return {
+    status: result.exitCode,
+    stdout: new TextDecoder().decode(result.stdout),
+    stderr: new TextDecoder().decode(result.stderr),
+  };
+}
+
+async function runCliAsync(args: string[], env: Record<string, string> = {}) {
+  const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
+  const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
+  const proc = Bun.spawn([bunBin, cliPath, ...args], {
+    env: { ...process.env, ...env },
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  const [status, stdout, stderr] = await Promise.all([
+    proc.exited,
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text(),
+  ]);
+  return { status, stdout, stderr };
+}
+
+function isolatedEnv(extra: Record<string, string> = {}) {
+  // Ensure tests do not depend on any real user config on the machine running them.
+  const cfgHome = mkdtempSync(resolve(tmpdir(), "postgresai-cli-test-"));
+  return {
+    XDG_CONFIG_HOME: cfgHome,
+    HOME: cfgHome,
+    ...extra,
+  };
+}
+
+async function startFakeApi() {
+  const requests: Array<{
+    method: string;
+    pathname: string;
+    headers: Record<string, string>;
+    bodyText: string;
+    bodyJson: any | null;
+  }> = [];
+
+  const server = Bun.serve({
+    hostname: "127.0.0.1",
+    port: 0,
+    async fetch(req) {
+      const url = new URL(req.url);
+      const headers: Record<string, string> = {};
+      for (const [k, v] of req.headers.entries()) headers[k.toLowerCase()] = v;
+
+      const bodyText = await req.text();
+      let bodyJson: any | null = null;
+      try {
+        bodyJson = bodyText ? JSON.parse(bodyText) : null;
+      } catch {
+        bodyJson = null;
+      }
+
+      requests.push({
+        method: req.method,
+        pathname: url.pathname,
+        headers,
+        bodyText,
+        bodyJson,
+      });
+
+      // Minimal fake PostgREST RPC endpoints used by our CLI.
+      if (req.method === "POST" && url.pathname.endsWith("/rpc/issue_create")) {
+        return new Response(
+          JSON.stringify({
+            id: "issue-1",
+            title: bodyJson?.title ?? "",
+            description: bodyJson?.description ?? null,
+            created_at: "2025-01-01T00:00:00Z",
+            status: 0,
+            project_id: bodyJson?.project_id ?? null,
+            labels: bodyJson?.labels ?? null,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+
+      if (req.method === "POST" && url.pathname.endsWith("/rpc/issue_update")) {
+        return new Response(
+          JSON.stringify({
+            id: bodyJson?.p_id ?? "issue-1",
+            title: bodyJson?.p_title ?? "unchanged",
+            description: bodyJson?.p_description ?? null,
+            status: bodyJson?.p_status ?? 0,
+            updated_at: "2025-01-02T00:00:00Z",
+            labels: bodyJson?.p_labels ?? null,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+
+      if (req.method === "POST" && url.pathname.endsWith("/rpc/issue_comment_update")) {
+        return new Response(
+          JSON.stringify({
+            id: bodyJson?.p_id ?? "comment-1",
+            issue_id: "issue-1",
+            content: bodyJson?.p_content ?? "",
+            updated_at: "2025-01-02T00:00:00Z",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+
+      if (req.method === "POST" && url.pathname.endsWith("/rpc/issue_comment_create")) {
+        return new Response(
+          JSON.stringify({
+            id: "comment-1",
+            issue_id: bodyJson?.issue_id ?? "issue-1",
+            author_id: 1,
+            parent_comment_id: bodyJson?.parent_comment_id ?? null,
+            content: bodyJson?.content ?? "",
+            created_at: "2025-01-01T00:00:00Z",
+            updated_at: "2025-01-01T00:00:00Z",
+            data: null,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+
+      return new Response("not found", { status: 404 });
+    },
+  });
+
+  const baseUrl = `http://${server.hostname}:${server.port}/api/general`;
+
+  return {
+    baseUrl,
+    requests,
+    stop: () => server.stop(true),
+  };
+}
+
+describe("CLI issues command group", () => {
+  test("issues help exposes the canonical subcommands and no legacy names", () => {
+    const r = runCli(["issues", "--help"], isolatedEnv());
+    expect(r.status).toBe(0);
+
+    const out = `${r.stdout}\n${r.stderr}`;
+
+    // Canonical subcommands
+    expect(out).toContain("create [options] <title>");
+    expect(out).toContain("update [options] <issueId>");
+    expect(out).toContain("update-comment [options] <commentId> <content>");
+    expect(out).toContain("post-comment [options] <issueId> <content>");
+
+    // Legacy / removed names
+    expect(out).not.toContain("create-issue");
+    expect(out).not.toContain("update-issue");
+    expect(out).not.toContain("update-issue-comment");
+    expect(out).not.toContain("post_comment");
+    expect(out).not.toContain("create_issue");
+    expect(out).not.toContain("update_issue");
+    expect(out).not.toContain("update_issue_comment");
+  });
+
+  test("issues create fails fast when API key is missing", () => {
+    const r = runCli(["issues", "create", "Test issue"], isolatedEnv());
+    expect(r.status).toBe(1);
+    expect(`${r.stdout}\n${r.stderr}`).toContain("API key is required");
+  });
+
+  test("issues create fails fast when org id is missing (no config fallback)", () => {
+    const r = runCli(["issues", "create", "Test issue"], isolatedEnv({ PGAI_API_KEY: "test-key" }));
+    expect(r.status).toBe(1);
+    expect(`${r.stdout}\n${r.stderr}`).toContain("org_id is required");
+  });
+
+  test("issues update fails fast when API key is missing", () => {
+    const r = runCli(["issues", "update", "00000000-0000-0000-0000-000000000000", "--title", "New title"], isolatedEnv());
+    expect(r.status).toBe(1);
+    expect(`${r.stdout}\n${r.stderr}`).toContain("API key is required");
+  });
+
+  test("issues update-comment fails fast when API key is missing", () => {
+    const r = runCli(["issues", "update-comment", "00000000-0000-0000-0000-000000000000", "hello"], isolatedEnv());
+    expect(r.status).toBe(1);
+    expect(`${r.stdout}\n${r.stderr}`).toContain("API key is required");
+  });
+
+  test("issues post-comment fails fast when API key is missing", () => {
+    const r = runCli(["issues", "post-comment", "00000000-0000-0000-0000-000000000000", "hello"], isolatedEnv());
+    expect(r.status).toBe(1);
+    expect(`${r.stdout}\n${r.stderr}`).toContain("API key is required");
+  });
+
+  test("issues create succeeds against a fake API and sends the expected request", async () => {
+    const api = await startFakeApi();
+    try {
+      const r = await runCliAsync(
+        ["issues", "create", "Hello", "--org-id", "123", "--description", "line1\\nline2", "--label", "a", "--label", "b"],
+        isolatedEnv({
+          PGAI_API_KEY: "test-key",
+          PGAI_API_BASE_URL: api.baseUrl,
+        })
+      );
+      expect(r.status).toBe(0);
+
+      const out = JSON.parse(r.stdout.trim());
+      expect(out.id).toBe("issue-1");
+      expect(out.title).toBe("Hello");
+      expect(out.description).toBe("line1\nline2");
+      expect(out.labels).toEqual(["a", "b"]);
+
+      const req = api.requests.find((x) => x.pathname.endsWith("/rpc/issue_create"));
+      expect(req).toBeTruthy();
+      expect(req!.headers["access-token"]).toBe("test-key");
+      expect(req!.method).toBe("POST");
+      expect(req!.bodyJson.org_id).toBe(123);
+      expect(req!.bodyJson.title).toBe("Hello");
+      expect(req!.bodyJson.description).toBe("line1\nline2");
+      expect(req!.bodyJson.labels).toEqual(["a", "b"]);
+    } finally {
+      api.stop();
+    }
+  });
+
+  test("issues update succeeds against a fake API (including status mapping)", async () => {
+    const api = await startFakeApi();
+    try {
+      const r = await runCliAsync(
+        ["issues", "update", "issue-1", "--title", "New title", "--status", "closed"],
+        isolatedEnv({
+          PGAI_API_KEY: "test-key",
+          PGAI_API_BASE_URL: api.baseUrl,
+        })
+      );
+      expect(r.status).toBe(0);
+
+      const out = JSON.parse(r.stdout.trim());
+      expect(out.id).toBe("issue-1");
+      expect(out.title).toBe("New title");
+      expect(out.status).toBe(1);
+
+      const req = api.requests.find((x) => x.pathname.endsWith("/rpc/issue_update"));
+      expect(req).toBeTruthy();
+      expect(req!.headers["access-token"]).toBe("test-key");
+      expect(req!.bodyJson.p_id).toBe("issue-1");
+      expect(req!.bodyJson.p_title).toBe("New title");
+      expect(req!.bodyJson.p_status).toBe(1);
+    } finally {
+      api.stop();
+    }
+  });
+
+  test("issues update-comment succeeds against a fake API and decodes escapes", async () => {
+    const api = await startFakeApi();
+    try {
+      const r = await runCliAsync(
+        ["issues", "update-comment", "comment-1", "hello\\nworld"],
+        isolatedEnv({
+          PGAI_API_KEY: "test-key",
+          PGAI_API_BASE_URL: api.baseUrl,
+        })
+      );
+      expect(r.status).toBe(0);
+
+      const out = JSON.parse(r.stdout.trim());
+      expect(out.id).toBe("comment-1");
+      expect(out.content).toBe("hello\nworld");
+
+      const req = api.requests.find((x) => x.pathname.endsWith("/rpc/issue_comment_update"));
+      expect(req).toBeTruthy();
+      expect(req!.headers["access-token"]).toBe("test-key");
+      expect(req!.bodyJson.p_id).toBe("comment-1");
+      expect(req!.bodyJson.p_content).toBe("hello\nworld");
+    } finally {
+      api.stop();
+    }
+  });
+
+  test("issues post-comment succeeds against a fake API and decodes escapes", async () => {
+    const api = await startFakeApi();
+    try {
+      const r = await runCliAsync(
+        ["issues", "post-comment", "issue-1", "hello\\nworld"],
+        isolatedEnv({
+          PGAI_API_KEY: "test-key",
+          PGAI_API_BASE_URL: api.baseUrl,
+        })
+      );
+      expect(r.status).toBe(0);
+
+      const out = JSON.parse(r.stdout.trim());
+      expect(out.id).toBe("comment-1");
+      expect(out.issue_id).toBe("issue-1");
+      expect(out.content).toBe("hello\nworld");
+
+      const req = api.requests.find((x) => x.pathname.endsWith("/rpc/issue_comment_create"));
+      expect(req).toBeTruthy();
+      expect(req!.headers["access-token"]).toBe("test-key");
+      expect(req!.bodyJson.issue_id).toBe("issue-1");
+      expect(req!.bodyJson.content).toBe("hello\nworld");
+    } finally {
+      api.stop();
+    }
+  });
+});
+