postgresai 0.14.0-dev.70 → 0.14.0-dev.71

package/bin/postgres-ai.ts

@@ -12,7 +12,7 @@ import { Client } from "pg";
 import { startMcpServer } from "../lib/mcp-server";
 import { fetchIssues, fetchIssueComments, createIssueComment, fetchIssue, createIssue, updateIssue, updateIssueComment } from "../lib/issues";
 import { resolveBaseUrls } from "../lib/util";
-import { applyInitPlan, buildInitPlan, connectWithSslFallback, DEFAULT_MONITORING_USER, redactPasswordsInSql, resolveAdminConnection, resolveMonitoringPassword, verifyInitSetup } from "../lib/init";
+import { applyInitPlan, buildInitPlan, connectWithSslFallback, DEFAULT_MONITORING_USER, KNOWN_PROVIDERS, redactPasswordsInSql, resolveAdminConnection, resolveMonitoringPassword, validateProvider, verifyInitSetup } from "../lib/init";
 import { SupabaseClient, resolveSupabaseConfig, extractProjectRefFromUrl, applyInitPlanViaSupabase, verifyInitSetupViaSupabase, type PgCompatibleError } from "../lib/supabase";
 import * as pkce from "../lib/pkce";
 import * as authServer from "../lib/auth-server";
@@ -565,6 +565,7 @@ program
   .option("--monitoring-user <name>", "Monitoring role name to create/update", DEFAULT_MONITORING_USER)
   .option("--password <password>", "Monitoring role password (overrides PGAI_MON_PASSWORD)")
   .option("--skip-optional-permissions", "Skip optional permissions (RDS/self-managed extras)", false)
+  .option("--provider <provider>", "Database provider (e.g., supabase). Affects which steps are executed.")
   .option("--verify", "Verify that monitoring role/permissions are in place (no changes)", false)
   .option("--reset-password", "Reset monitoring role password only (no other changes)", false)
   .option("--print-sql", "Print SQL plan and exit (no changes applied)", false)
@@ -619,6 +620,10 @@ program
       "",
       "  Generate a token at: https://supabase.com/dashboard/account/tokens",
       "  Find your project ref in: https://supabase.com/dashboard/project/<ref>",
+      "",
+      "Provider-specific behavior (for direct connections):",
+      "  --provider supabase    Skip role creation (create user in Supabase dashboard)",
+      "                         Skip ALTER USER (restricted by Supabase)",
     ].join("\n")
   )
   .action(async (conn: string | undefined, opts: {
@@ -631,6 +636,7 @@ program
     monitoringUser: string;
     password?: string;
     skipOptionalPermissions?: boolean;
+    provider?: string;
     verify?: boolean;
     resetPassword?: boolean;
     printSql?: boolean;
@@ -681,6 +687,12 @@ program
     const shouldPrintSql = !!opts.printSql;
     const redactPasswords = (sql: string): string => redactPasswordsInSql(sql);
 
+    // Validate provider and warn if unknown
+    const providerWarning = validateProvider(opts.provider);
+    if (providerWarning) {
+      console.warn(`⚠ ${providerWarning}`);
+    }
+
     // Offline mode: allow printing SQL without providing/using an admin connection.
     // Useful for audits/reviews; caller can provide -d/PGDATABASE.
     if (!conn && !opts.dbUrl && !opts.host && !opts.port && !opts.username && !opts.adminPassword) {
@@ -698,11 +710,13 @@ program
           monitoringUser: opts.monitoringUser,
           monitoringPassword: monPassword,
           includeOptionalPermissions,
+          provider: opts.provider,
         });
 
         console.log("\n--- SQL plan (offline; not connected) ---");
         console.log(`-- database: ${database}`);
         console.log(`-- monitoring user: ${opts.monitoringUser}`);
+        console.log(`-- provider: ${opts.provider ?? "self-managed"}`);
         console.log(`-- optional permissions: ${includeOptionalPermissions ? "enabled" : "skipped"}`);
         for (const step of plan.steps) {
           console.log(`\n-- ${step.name}${step.optional ? " (optional)" : ""}`);
@@ -1059,6 +1073,7 @@ program
           database,
           monitoringUser: opts.monitoringUser,
           includeOptionalPermissions,
+          provider: opts.provider,
         });
         if (v.ok) {
           if (jsonOutput) {
@@ -1068,11 +1083,12 @@ program
               action: "verify",
               database,
               monitoringUser: opts.monitoringUser,
+              provider: opts.provider,
               verified: true,
               missingOptional: v.missingOptional,
             });
           } else {
-            console.log("✓ prepare-db verify: OK");
+            console.log(`✓ prepare-db verify: OK${opts.provider ? ` (provider: ${opts.provider})` : ""}`);
             if (v.missingOptional.length > 0) {
               console.log("⚠ Optional items missing:");
               for (const m of v.missingOptional) console.log(`- ${m}`);
@@ -1154,12 +1170,21 @@ program
         monitoringUser: opts.monitoringUser,
         monitoringPassword: monPassword,
         includeOptionalPermissions,
+        provider: opts.provider,
       });
 
+      // For reset-password, we only want the role step. But if provider skips role creation,
+      // reset-password doesn't make sense - warn the user.
       const effectivePlan = opts.resetPassword
         ? { ...plan, steps: plan.steps.filter((s) => s.name === "01.role") }
         : plan;
 
+      if (opts.resetPassword && effectivePlan.steps.length === 0) {
+        console.error(`✗ --reset-password not supported for provider "${opts.provider}" (role creation is skipped)`);
+        process.exitCode = 1;
+        return;
+      }
+
       if (shouldPrintSql) {
         console.log("\n--- SQL plan ---");
         for (const step of effectivePlan.steps) {

package/dist/bin/postgres-ai.js

@@ -13064,7 +13064,7 @@ var {
 // package.json
 var package_default = {
   name: "postgresai",
-  version: "0.14.0-dev.70",
+  version: "0.14.0-dev.71",
   description: "postgres_ai CLI",
   license: "Apache-2.0",
   private: false,
@@ -15887,7 +15887,7 @@ var Result = import_lib.default.Result;
 var TypeOverrides = import_lib.default.TypeOverrides;
 var defaults = import_lib.default.defaults;
 // package.json
-var version = "0.14.0-dev.70";
+var version = "0.14.0-dev.71";
 var package_default2 = {
   name: "postgresai",
   version,
@@ -23947,6 +23947,15 @@ import { URL as URL2, fileURLToPath } from "url";
 import * as fs3 from "fs";
 import * as path3 from "path";
 var DEFAULT_MONITORING_USER = "postgres_ai_mon";
+var KNOWN_PROVIDERS = ["self-managed", "supabase"];
+var SKIP_ROLE_CREATION_PROVIDERS = ["supabase"];
+var SKIP_ALTER_USER_PROVIDERS = ["supabase"];
+var SKIP_SEARCH_PATH_CHECK_PROVIDERS = ["supabase"];
+function validateProvider(provider) {
+  if (!provider || KNOWN_PROVIDERS.includes(provider))
+    return null;
+  return `Unknown provider "${provider}". Known providers: ${KNOWN_PROVIDERS.join(", ")}. Treating as self-managed.`;
+}
 function sslModeToConfig(mode) {
   if (mode.toLowerCase() === "disable")
     return false;
@@ -24261,6 +24270,7 @@ async function resolveMonitoringPassword(opts) {
 async function buildInitPlan(params) {
   const monitoringUser = params.monitoringUser || DEFAULT_MONITORING_USER;
   const database = params.database;
+  const provider = params.provider ?? "self-managed";
   const qRole = quoteIdent(monitoringUser);
   const qDb = quoteIdent(database);
   const qPw = quoteLiteral(params.monitoringPassword);
@@ -24270,7 +24280,8 @@ async function buildInitPlan(params) {
     ROLE_IDENT: qRole,
     DB_IDENT: qDb
   };
-  const roleStmt = `do $$ begin
+  if (!SKIP_ROLE_CREATION_PROVIDERS.includes(provider)) {
+    const roleStmt = `do $$ begin
   if not exists (select 1 from pg_catalog.pg_roles where rolname = ${qRoleNameLit}) then
     begin
       create user ${qRole} with password ${qPw};
@@ -24280,11 +24291,23 @@ async function buildInitPlan(params) {
   end if;
   alter user ${qRole} with password ${qPw};
 end $$;`;
-  const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), { ...vars, ROLE_STMT: roleStmt });
-  steps.push({ name: "01.role", sql: roleSql });
+    const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), { ...vars, ROLE_STMT: roleStmt });
+    steps.push({ name: "01.role", sql: roleSql });
+  }
+  let permissionsSql = applyTemplate(loadSqlTemplate("02.permissions.sql"), vars);
+  if (SKIP_ALTER_USER_PROVIDERS.includes(provider)) {
+    permissionsSql = permissionsSql.split(`
+`).filter((line) => {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("--") || trimmed === "")
+        return true;
+      return !/^\s*alter\s+user\s+/i.test(line);
+    }).join(`
+`);
+  }
   steps.push({
     name: "02.permissions",
-    sql: applyTemplate(loadSqlTemplate("02.permissions.sql"), vars)
+    sql: permissionsSql
   });
   steps.push({
     name: "05.helpers",
@@ -24372,6 +24395,7 @@ async function verifyInitSetup(params) {
     const missingOptional = [];
     const role = params.monitoringUser;
     const db = params.database;
+    const provider = params.provider ?? "self-managed";
     const roleRes = await params.client.query("select 1 from pg_catalog.pg_roles where rolname = $1", [role]);
     const roleExists = (roleRes.rowCount ?? 0) > 0;
     if (!roleExists) {
@@ -24407,15 +24431,17 @@ async function verifyInitSetup(params) {
     if (!schemaUsageRes.rows?.[0]?.ok) {
       missingRequired.push("USAGE on schema public");
     }
-    const rolcfgRes = await params.client.query("select rolconfig from pg_catalog.pg_roles where rolname = $1", [role]);
-    const rolconfig = rolcfgRes.rows?.[0]?.rolconfig;
-    const spLine = Array.isArray(rolconfig) ? rolconfig.find((v) => String(v).startsWith("search_path=")) : undefined;
-    if (typeof spLine !== "string" || !spLine) {
-      missingRequired.push("role search_path is set");
-    } else {
-      const sp = spLine.toLowerCase();
-      if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
-        missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
+    if (!SKIP_SEARCH_PATH_CHECK_PROVIDERS.includes(provider)) {
+      const rolcfgRes = await params.client.query("select rolconfig from pg_catalog.pg_roles where rolname = $1", [role]);
+      const rolconfig = rolcfgRes.rows?.[0]?.rolconfig;
+      const spLine = Array.isArray(rolconfig) ? rolconfig.find((v) => String(v).startsWith("search_path=")) : undefined;
+      if (typeof spLine !== "string" || !spLine) {
+        missingRequired.push("role search_path is set");
+      } else {
+        const sp = spLine.toLowerCase();
+        if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
+          missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
+        }
       }
     }
     const explainFnRes = await params.client.query("select has_function_privilege($1, 'postgres_ai.explain_generic(text, text, text)', 'EXECUTE') as ok", [role]);
@@ -27134,7 +27160,7 @@ program2.command("set-default-project <project>").description("store default pro
   writeConfig({ defaultProject: value });
   console.log(`Default project saved: ${value}`);
 });
-program2.command("prepare-db [conn]").description("prepare database for monitoring: create monitoring user, required view(s), and grant permissions (idempotent)").option("--db-url <url>", "PostgreSQL connection URL (admin) to run the setup against (deprecated; pass it as positional arg)").option("-h, --host <host>", "PostgreSQL host (psql-like)").option("-p, --port <port>", "PostgreSQL port (psql-like)").option("-U, --username <username>", "PostgreSQL user (psql-like)").option("-d, --dbname <dbname>", "PostgreSQL database name (psql-like)").option("--admin-password <password>", "Admin connection password (otherwise uses PGPASSWORD if set)").option("--monitoring-user <name>", "Monitoring role name to create/update", DEFAULT_MONITORING_USER).option("--password <password>", "Monitoring role password (overrides PGAI_MON_PASSWORD)").option("--skip-optional-permissions", "Skip optional permissions (RDS/self-managed extras)", false).option("--verify", "Verify that monitoring role/permissions are in place (no changes)", false).option("--reset-password", "Reset monitoring role password only (no other changes)", false).option("--print-sql", "Print SQL plan and exit (no changes applied)", false).option("--print-password", "Print generated monitoring password (DANGEROUS in CI logs)", false).option("--supabase", "Use Supabase Management API instead of direct PostgreSQL connection", false).option("--supabase-access-token <token>", "Supabase Management API access token (or SUPABASE_ACCESS_TOKEN env)").option("--supabase-project-ref <ref>", "Supabase project reference (or SUPABASE_PROJECT_REF env)").option("--json", "Output result as JSON (machine-readable)", false).addHelpText("after", [
+program2.command("prepare-db [conn]").description("prepare database for monitoring: create monitoring user, required view(s), and grant permissions (idempotent)").option("--db-url <url>", "PostgreSQL connection URL (admin) to run the setup against (deprecated; pass it as positional arg)").option("-h, --host <host>", "PostgreSQL host (psql-like)").option("-p, --port <port>", "PostgreSQL port (psql-like)").option("-U, --username <username>", "PostgreSQL user (psql-like)").option("-d, --dbname <dbname>", "PostgreSQL database name (psql-like)").option("--admin-password <password>", "Admin connection password (otherwise uses PGPASSWORD if set)").option("--monitoring-user <name>", "Monitoring role name to create/update", DEFAULT_MONITORING_USER).option("--password <password>", "Monitoring role password (overrides PGAI_MON_PASSWORD)").option("--skip-optional-permissions", "Skip optional permissions (RDS/self-managed extras)", false).option("--provider <provider>", "Database provider (e.g., supabase). Affects which steps are executed.").option("--verify", "Verify that monitoring role/permissions are in place (no changes)", false).option("--reset-password", "Reset monitoring role password only (no other changes)", false).option("--print-sql", "Print SQL plan and exit (no changes applied)", false).option("--print-password", "Print generated monitoring password (DANGEROUS in CI logs)", false).option("--supabase", "Use Supabase Management API instead of direct PostgreSQL connection", false).option("--supabase-access-token <token>", "Supabase Management API access token (or SUPABASE_ACCESS_TOKEN env)").option("--supabase-project-ref <ref>", "Supabase project reference (or SUPABASE_PROJECT_REF env)").option("--json", "Output result as JSON (machine-readable)", false).addHelpText("after", [
   "",
   "Examples:",
   "  postgresai prepare-db postgresql://admin@host:5432/dbname",
@@ -27177,7 +27203,11 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
   "  SUPABASE_ACCESS_TOKEN=... postgresai prepare-db --supabase --supabase-project-ref <ref>",
   "",
   "  Generate a token at: https://supabase.com/dashboard/account/tokens",
-  "  Find your project ref in: https://supabase.com/dashboard/project/<ref>"
+  "  Find your project ref in: https://supabase.com/dashboard/project/<ref>",
+  "",
+  "Provider-specific behavior (for direct connections):",
+  "  --provider supabase    Skip role creation (create user in Supabase dashboard)",
+  "                         Skip ALTER USER (restricted by Supabase)"
 ].join(`
 `)).action(async (conn, opts, cmd) => {
   const jsonOutput = opts.json;
@@ -27216,6 +27246,10 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
   }
   const shouldPrintSql = !!opts.printSql;
   const redactPasswords = (sql) => redactPasswordsInSql(sql);
+  const providerWarning = validateProvider(opts.provider);
+  if (providerWarning) {
+    console.warn(`\u26A0 ${providerWarning}`);
+  }
   if (!conn && !opts.dbUrl && !opts.host && !opts.port && !opts.username && !opts.adminPassword) {
     if (shouldPrintSql) {
       const database = (opts.dbname ?? process.env.PGDATABASE ?? "postgres").trim();
@@ -27225,12 +27259,14 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
         database,
         monitoringUser: opts.monitoringUser,
         monitoringPassword: monPassword,
-        includeOptionalPermissions: includeOptionalPermissions2
+        includeOptionalPermissions: includeOptionalPermissions2,
+        provider: opts.provider
       });
       console.log(`
 --- SQL plan (offline; not connected) ---`);
       console.log(`-- database: ${database}`);
       console.log(`-- monitoring user: ${opts.monitoringUser}`);
+      console.log(`-- provider: ${opts.provider ?? "self-managed"}`);
       console.log(`-- optional permissions: ${includeOptionalPermissions2 ? "enabled" : "skipped"}`);
       for (const step of plan.steps) {
         console.log(`
@@ -27550,7 +27586,8 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
         client,
         database,
         monitoringUser: opts.monitoringUser,
-        includeOptionalPermissions
+        includeOptionalPermissions,
+        provider: opts.provider
       });
       if (v.ok) {
         if (jsonOutput) {
@@ -27560,11 +27597,12 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
             action: "verify",
             database,
             monitoringUser: opts.monitoringUser,
+            provider: opts.provider,
             verified: true,
             missingOptional: v.missingOptional
           });
         } else {
-          console.log("\u2713 prepare-db verify: OK");
+          console.log(`\u2713 prepare-db verify: OK${opts.provider ? ` (provider: ${opts.provider})` : ""}`);
           if (v.missingOptional.length > 0) {
             console.log("\u26A0 Optional items missing:");
             for (const m of v.missingOptional)
@@ -27642,9 +27680,15 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
       database,
       monitoringUser: opts.monitoringUser,
       monitoringPassword: monPassword,
-      includeOptionalPermissions
+      includeOptionalPermissions,
+      provider: opts.provider
     });
     const effectivePlan = opts.resetPassword ? { ...plan, steps: plan.steps.filter((s) => s.name === "01.role") } : plan;
+    if (opts.resetPassword && effectivePlan.steps.length === 0) {
+      console.error(`\u2717 --reset-password not supported for provider "${opts.provider}" (role creation is skipped)`);
+      process.exitCode = 1;
+      return;
+    }
     if (shouldPrintSql) {
       console.log(`
 --- SQL plan ---`);

package/lib/init.ts

@@ -7,6 +7,32 @@ import * as path from "path";
 
 export const DEFAULT_MONITORING_USER = "postgres_ai_mon";
 
+/**
+ * Database provider type. Affects which prepare-db steps are executed.
+ * Known providers have specific behavior adjustments; unknown providers use default behavior.
+ * TODO: Consider auto-detecting provider from connection string or server version string.
+ * TODO: Consider making this more flexible via a config that specifies which steps/checks to skip.
+ */
+export type DbProvider = string;
+
+/** Known providers with special handling. Unknown providers are treated as self-managed. */
+export const KNOWN_PROVIDERS = ["self-managed", "supabase"] as const;
+
+/** Providers where we skip role creation (users managed externally). */
+const SKIP_ROLE_CREATION_PROVIDERS = ["supabase"];
+
+/** Providers where we skip ALTER USER statements (restricted by provider). */
+const SKIP_ALTER_USER_PROVIDERS = ["supabase"];
+
+/** Providers where we skip search_path verification (not set via ALTER USER). */
+const SKIP_SEARCH_PATH_CHECK_PROVIDERS = ["supabase"];
+
+/** Check if a provider is known and return a warning message if not. */
+export function validateProvider(provider: string | undefined): string | null {
+  if (!provider || KNOWN_PROVIDERS.includes(provider as any)) return null;
+  return `Unknown provider "${provider}". Known providers: ${KNOWN_PROVIDERS.join(", ")}. Treating as self-managed.`;
+}
+
 export type PgClientConfig = {
   connectionString?: string;
   host?: string;
@@ -458,10 +484,13 @@ export async function buildInitPlan(params: {
   monitoringUser?: string;
   monitoringPassword: string;
   includeOptionalPermissions: boolean;
+  /** Provider type. Affects which steps are included. Defaults to "self-managed". */
+  provider?: DbProvider;
 }): Promise<InitPlan> {
   // NOTE: kept async for API stability / potential future async template loading.
   const monitoringUser = params.monitoringUser || DEFAULT_MONITORING_USER;
   const database = params.database;
+  const provider = params.provider ?? "self-managed";
 
   const qRole = quoteIdent(monitoringUser);
   const qDb = quoteIdent(database);
@@ -475,12 +504,15 @@ export async function buildInitPlan(params: {
     DB_IDENT: qDb,
   };
 
-  // Role creation/update is done in one template file.
-  // Always use a single DO block to avoid race conditions between "role exists?" checks and CREATE USER.
-  // We:
-  // - create role if missing (and handle duplicate_object in case another session created it concurrently),
-  // - then ALTER ROLE to ensure the password is set to the desired value.
-  const roleStmt = `do $$ begin
+  // Some providers (e.g., Supabase) manage users externally - skip role creation.
+  // TODO: Make this more flexible by allowing users to specify which steps to skip via config.
+  if (!SKIP_ROLE_CREATION_PROVIDERS.includes(provider)) {
+    // Role creation/update is done in one template file.
+    // Always use a single DO block to avoid race conditions between "role exists?" checks and CREATE USER.
+    // We:
+    // - create role if missing (and handle duplicate_object in case another session created it concurrently),
+    // - then ALTER ROLE to ensure the password is set to the desired value.
+    const roleStmt = `do $$ begin
   if not exists (select 1 from pg_catalog.pg_roles where rolname = ${qRoleNameLit}) then
     begin
       create user ${qRole} with password ${qPw};
@@ -491,12 +523,30 @@ export async function buildInitPlan(params: {
   alter user ${qRole} with password ${qPw};
 end $$;`;
 
-  const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), { ...vars, ROLE_STMT: roleStmt });
-  steps.push({ name: "01.role", sql: roleSql });
+    const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), { ...vars, ROLE_STMT: roleStmt });
+    steps.push({ name: "01.role", sql: roleSql });
+  }
+
+  let permissionsSql = applyTemplate(loadSqlTemplate("02.permissions.sql"), vars);
+
+  // Some providers restrict ALTER USER - remove those statements.
+  // TODO: Make this more flexible by allowing users to specify which statements to skip via config.
+  if (SKIP_ALTER_USER_PROVIDERS.includes(provider)) {
+    permissionsSql = permissionsSql
+      .split("\n")
+      .filter((line) => {
+        const trimmed = line.trim();
+        // Keep comments and empty lines
+        if (trimmed.startsWith("--") || trimmed === "") return true;
+        // Filter out ALTER USER statements (case-insensitive, flexible whitespace)
+        return !/^\s*alter\s+user\s+/i.test(line);
+      })
+      .join("\n");
+  }
 
   steps.push({
     name: "02.permissions",
-    sql: applyTemplate(loadSqlTemplate("02.permissions.sql"), vars),
+    sql: permissionsSql,
   });
 
   // Helper functions (SECURITY DEFINER) for plan analysis and table info
@@ -612,6 +662,8 @@ export async function verifyInitSetup(params: {
   database: string;
   monitoringUser: string;
   includeOptionalPermissions: boolean;
+  /** Provider type. Affects which checks are performed. */
+  provider?: DbProvider;
 }): Promise<VerifyInitResult> {
   // Use a repeatable-read snapshot so all checks see a consistent view.
   await params.client.query("begin isolation level repeatable read;");
@@ -621,6 +673,7 @@ export async function verifyInitSetup(params: {
 
     const role = params.monitoringUser;
     const db = params.database;
+    const provider = params.provider ?? "self-managed";
 
     const roleRes = await params.client.query("select 1 from pg_catalog.pg_roles where rolname = $1", [role]);
     const roleExists = (roleRes.rowCount ?? 0) > 0;
@@ -684,16 +737,20 @@ export async function verifyInitSetup(params: {
       missingRequired.push("USAGE on schema public");
     }
 
-    const rolcfgRes = await params.client.query("select rolconfig from pg_catalog.pg_roles where rolname = $1", [role]);
-    const rolconfig = rolcfgRes.rows?.[0]?.rolconfig;
-    const spLine = Array.isArray(rolconfig) ? rolconfig.find((v: any) => String(v).startsWith("search_path=")) : undefined;
-    if (typeof spLine !== "string" || !spLine) {
-      missingRequired.push("role search_path is set");
-    } else {
-      // We accept any ordering as long as postgres_ai, public, and pg_catalog are included.
-      const sp = spLine.toLowerCase();
-      if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
-        missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
+    // Some providers don't allow setting search_path via ALTER USER - skip this check.
+    // TODO: Make this more flexible by allowing users to specify which checks to skip via config.
+    if (!SKIP_SEARCH_PATH_CHECK_PROVIDERS.includes(provider)) {
+      const rolcfgRes = await params.client.query("select rolconfig from pg_catalog.pg_roles where rolname = $1", [role]);
+      const rolconfig = rolcfgRes.rows?.[0]?.rolconfig;
+      const spLine = Array.isArray(rolconfig) ? rolconfig.find((v: any) => String(v).startsWith("search_path=")) : undefined;
+      if (typeof spLine !== "string" || !spLine) {
+        missingRequired.push("role search_path is set");
+      } else {
+        // We accept any ordering as long as postgres_ai, public, and pg_catalog are included.
+        const sp = spLine.toLowerCase();
+        if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
+          missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
+        }
       }
     }
 

package/lib/metrics-embedded.ts

@@ -1,6 +1,6 @@
 // AUTO-GENERATED FILE - DO NOT EDIT
 // Generated from config/pgwatch-prometheus/metrics.yml by scripts/embed-metrics.ts
-// Generated at: 2026-01-08T20:01:57.541Z
+// Generated at: 2026-01-09T12:41:56.884Z
 
 /**
  * Metric definition from metrics.yml

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postgresai",
-  "version": "0.14.0-dev.70",
+  "version": "0.14.0-dev.71",
   "description": "postgres_ai CLI",
   "license": "Apache-2.0",
   "private": false,

package/test/config-consistency.test.ts

@@ -0,0 +1,36 @@
+/**
+ * Tests that config files are consistent with what the CLI expects.
+ * Catches schema mismatches like pg_statistic in wrong schema.
+ */
+import { describe, test, expect } from "bun:test";
+import { readFileSync } from "fs";
+import { resolve } from "path";
+
+const configDir = resolve(import.meta.dir, "../../config");
+
+describe("Config consistency", () => {
+  test("target-db/init.sql creates pg_statistic in postgres_ai schema", () => {
+    const initSql = readFileSync(resolve(configDir, "target-db/init.sql"), "utf8");
+
+    // Must create postgres_ai schema
+    expect(initSql).toMatch(/create\s+schema\s+if\s+not\s+exists\s+postgres_ai/i);
+
+    // Must create view in postgres_ai schema, not public
+    expect(initSql).toMatch(/create\s+or\s+replace\s+view\s+postgres_ai\.pg_statistic/i);
+    expect(initSql).not.toMatch(/create\s+or\s+replace\s+view\s+public\.pg_statistic/i);
+
+    // Must grant on postgres_ai.pg_statistic
+    expect(initSql).toMatch(/grant\s+select\s+on\s+postgres_ai\.pg_statistic/i);
+  });
+
+  test("pgwatch metrics.yml uses postgres_ai.pg_statistic", () => {
+    const metricsYml = readFileSync(
+      resolve(configDir, "pgwatch-prometheus/metrics.yml"),
+      "utf8"
+    );
+
+    // Should reference postgres_ai.pg_statistic, not public.pg_statistic
+    expect(metricsYml).not.toMatch(/public\.pg_statistic/);
+    expect(metricsYml).toMatch(/postgres_ai\.pg_statistic/);
+  });
+});

package/test/init.test.ts

@@ -152,6 +152,42 @@ describe("init module", () => {
     expect(plan.steps.some((s: { optional?: boolean }) => s.optional)).toBe(true);
   });
 
+  test("buildInitPlan skips role creation for supabase provider", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    expect(plan.steps.some((s) => s.name === "01.role")).toBe(false);
+    expect(plan.steps.some((s) => s.name === "02.permissions")).toBe(true);
+  });
+
+  test("buildInitPlan removes ALTER USER for supabase provider", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    const permStep = plan.steps.find((s) => s.name === "02.permissions");
+    expect(permStep).toBeDefined();
+    expect(permStep!.sql.toLowerCase()).not.toMatch(/alter user/);
+  });
+
+  test("buildInitPlan includes role creation for unknown provider", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "some-custom-provider",
+    });
+    expect(plan.steps.some((s) => s.name === "01.role")).toBe(true);
+  });
+
   test("resolveAdminConnection accepts positional URI", () => {
     const r = init.resolveAdminConnection({ conn: "postgresql://u:p@h:5432/d" });
     expect(r.clientConfig.connectionString).toBeTruthy();
@@ -290,6 +326,91 @@ describe("init module", () => {
     expect(calls[calls.length - 1].toLowerCase()).toBe("rollback;");
   });
 
+  test("verifyInitSetup skips search_path check for supabase provider", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        // Return empty rolconfig - would fail without provider=supabase
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: null }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    // With provider=supabase, should pass even without search_path
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should not have queried for rolconfig since we skip search_path check
+    expect(calls.some((c) => c.includes("select rolconfig"))).toBe(false);
+  });
+
+  test("buildInitPlan preserves comments when filtering ALTER USER", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    const permStep = plan.steps.find((s) => s.name === "02.permissions");
+    expect(permStep).toBeDefined();
+    // Should have removed ALTER USER but kept comments
+    expect(permStep!.sql.toLowerCase()).not.toMatch(/^\s*alter\s+user/m);
+    // Should still have comment lines
+    expect(permStep!.sql).toMatch(/^--/m);
+  });
+
+  test("validateProvider returns null for known providers", () => {
+    expect(init.validateProvider(undefined)).toBe(null);
+    expect(init.validateProvider("self-managed")).toBe(null);
+    expect(init.validateProvider("supabase")).toBe(null);
+  });
+
+  test("validateProvider returns warning for unknown providers", () => {
+    const warning = init.validateProvider("unknown-provider");
+    expect(warning).not.toBe(null);
+    expect(warning).toMatch(/Unknown provider/);
+    expect(warning).toMatch(/unknown-provider/);
+  });
+
   test("redactPasswordsInSql redacts password literals with embedded quotes", async () => {
     const plan = await init.buildInitPlan({
       database: "mydb",
@@ -319,6 +440,40 @@ describe("CLI commands", () => {
     expect(r.stdout).toMatch(new RegExp(`grant connect on database "mydb" to "${DEFAULT_MONITORING_USER}"`, "i"));
   });
 
+  test("cli: prepare-db --print-sql with --provider supabase skips role step", () => {
+    const r = runCli(["prepare-db", "--print-sql", "-d", "mydb", "--password", "monpw", "--provider", "supabase"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/provider: supabase/);
+    // Should not have 01.role step
+    expect(r.stdout).not.toMatch(/-- 01\.role/);
+    // Should have 02.permissions step
+    expect(r.stdout).toMatch(/-- 02\.permissions/);
+  });
+
+  test("cli: prepare-db warns about unknown provider", () => {
+    const r = runCli(["prepare-db", "--print-sql", "-d", "mydb", "--password", "monpw", "--provider", "unknown-cloud"]);
+    expect(r.status).toBe(0);
+    // Should warn about unknown provider
+    expect(r.stderr).toMatch(/Unknown provider.*unknown-cloud/);
+  });
+
+  test("cli: prepare-db --reset-password with supabase provider would have no role step", async () => {
+    // When using supabase provider, the role creation step is skipped.
+    // This means --reset-password (which only runs 01.role) would have no steps.
+    // The CLI should error in this case. We test the underlying plan logic here.
+    const plan = await (await import("../lib/init")).buildInitPlan({
+      database: "mydb",
+      monitoringUser: "mon",
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+      provider: "supabase",
+    });
+    // Simulate what --reset-password does: filter to only 01.role step
+    const resetPasswordSteps = plan.steps.filter((s) => s.name === "01.role");
+    // For supabase, this should be empty (role creation is skipped)
+    expect(resetPasswordSteps.length).toBe(0);
+  });
+
   test("pgai wrapper forwards to postgresai CLI", () => {
     const r = runPgai(["--help"]);
     expect(r.status).toBe(0);