postgresai 0.14.0-dev.74 → 0.14.0-dev.76

package/dist/bin/postgres-ai.js

@@ -13064,7 +13064,7 @@ var {
 // package.json
 var package_default = {
   name: "postgresai",
-  version: "0.14.0-dev.74",
+  version: "0.14.0-dev.76",
   description: "postgres_ai CLI",
   license: "Apache-2.0",
   private: false,
@@ -15887,7 +15887,7 @@ var Result = import_lib.default.Result;
 var TypeOverrides = import_lib.default.TypeOverrides;
 var defaults = import_lib.default.defaults;
 // package.json
-var version = "0.14.0-dev.74";
+var version = "0.14.0-dev.76";
 var package_default2 = {
   name: "postgresai",
   version,
@@ -24961,7 +24961,11 @@ end $$;`;
     const roleSql = applyTemplate(loadSqlTemplate("01.role.sql"), { ...vars, ROLE_STMT: roleStmt });
     steps.push({ name: "01.role", sql: roleSql });
   }
-  let permissionsSql = applyTemplate(loadSqlTemplate("02.permissions.sql"), vars);
+  steps.push({
+    name: "02.extensions",
+    sql: loadSqlTemplate("02.extensions.sql")
+  });
+  let permissionsSql = applyTemplate(loadSqlTemplate("03.permissions.sql"), vars);
   if (SKIP_ALTER_USER_PROVIDERS.includes(provider)) {
     permissionsSql = permissionsSql.split(`
 `).filter((line) => {
@@ -24973,21 +24977,21 @@ end $$;`;
 `);
   }
   steps.push({
-    name: "02.permissions",
+    name: "03.permissions",
     sql: permissionsSql
   });
   steps.push({
-    name: "05.helpers",
-    sql: applyTemplate(loadSqlTemplate("05.helpers.sql"), vars)
+    name: "06.helpers",
+    sql: applyTemplate(loadSqlTemplate("06.helpers.sql"), vars)
   });
   if (params.includeOptionalPermissions) {
     steps.push({
-      name: "03.optional_rds",
-      sql: applyTemplate(loadSqlTemplate("03.optional_rds.sql"), vars),
+      name: "04.optional_rds",
+      sql: applyTemplate(loadSqlTemplate("04.optional_rds.sql"), vars),
       optional: true
     }, {
-      name: "04.optional_self_managed",
-      sql: applyTemplate(loadSqlTemplate("04.optional_self_managed.sql"), vars),
+      name: "05.optional_self_managed",
+      sql: applyTemplate(loadSqlTemplate("05.optional_self_managed.sql"), vars),
       optional: true
     });
   }
@@ -25055,6 +25059,62 @@ async function applyInitPlan(params) {
   }
   return { applied, skippedOptional };
 }
+async function buildUninitPlan(params) {
+  const monitoringUser = params.monitoringUser || DEFAULT_MONITORING_USER;
+  const database = params.database;
+  const provider = params.provider ?? "self-managed";
+  const dropRole = params.dropRole ?? true;
+  const qRole = quoteIdent(monitoringUser);
+  const qDb = quoteIdent(database);
+  const qRoleLiteral = quoteLiteral(monitoringUser);
+  const steps = [];
+  const vars = {
+    ROLE_IDENT: qRole,
+    DB_IDENT: qDb,
+    ROLE_LITERAL: qRoleLiteral
+  };
+  steps.push({
+    name: "01.drop_helpers",
+    sql: applyTemplate(loadSqlTemplate("uninit/01.helpers.sql"), vars)
+  });
+  steps.push({
+    name: "02.revoke_permissions",
+    sql: applyTemplate(loadSqlTemplate("uninit/02.permissions.sql"), vars)
+  });
+  if (dropRole && !SKIP_ROLE_CREATION_PROVIDERS.includes(provider)) {
+    steps.push({
+      name: "03.drop_role",
+      sql: applyTemplate(loadSqlTemplate("uninit/03.role.sql"), vars)
+    });
+  }
+  return { monitoringUser, database, steps, dropRole };
+}
+async function applyUninitPlan(params) {
+  const applied = [];
+  const errors3 = [];
+  const executeStep = async (step) => {
+    await params.client.query("begin;");
+    try {
+      await params.client.query(step.sql, step.params);
+      await params.client.query("commit;");
+    } catch (e) {
+      try {
+        await params.client.query("rollback;");
+      } catch {}
+      throw e;
+    }
+  };
+  for (const step of params.plan.steps) {
+    try {
+      await executeStep(step);
+      applied.push(step.name);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      errors3.push(`${step.name}: ${msg}`);
+    }
+  }
+  return { applied, errors: errors3 };
+}
 async function verifyInitSetup(params) {
   await params.client.query("begin isolation level repeatable read;");
   try {
@@ -25314,10 +25374,6 @@ class SupabaseClient {
 }
 async function fetchPoolerDatabaseUrl(config2, username) {
   const url = `${SUPABASE_API_BASE}/v1/projects/${encodeURIComponent(config2.projectRef)}/config/database/pooler`;
-  const effectiveUsername = (() => {
-    const suffix = `.${config2.projectRef}`;
-    return username.endsWith(suffix) ? username : `${username}${suffix}`;
-  })();
   try {
     const response = await fetch(url, {
       method: "GET",
@@ -25332,13 +25388,13 @@ async function fetchPoolerDatabaseUrl(config2, username) {
     if (Array.isArray(data) && data.length > 0) {
       const pooler = data[0];
       if (pooler.db_host && pooler.db_port && pooler.db_name) {
-        return `postgresql://${effectiveUsername}@${pooler.db_host}:${pooler.db_port}/${pooler.db_name}`;
+        return `postgresql://${username}@${pooler.db_host}:${pooler.db_port}/${pooler.db_name}`;
       }
       if (typeof pooler.connection_string === "string") {
         try {
           const connUrl = new URL(pooler.connection_string);
           const portPart = connUrl.port ? `:${connUrl.port}` : "";
-          return `postgresql://${effectiveUsername}@${connUrl.hostname}${portPart}${connUrl.pathname}`;
+          return `postgresql://${username}@${connUrl.hostname}${portPart}${connUrl.pathname}`;
         } catch {
           return null;
         }
@@ -28233,12 +28289,16 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
           if (errAny.code === "42501") {
             if (failedStep === "01.role") {
               console.error("  Context: role creation/update requires CREATEROLE or superuser");
-            } else if (failedStep === "02.permissions") {
+            } else if (failedStep === "03.permissions") {
               console.error("  Context: grants/view/search_path require sufficient GRANT/DDL privileges");
             }
             console.error("  Fix: ensure your Supabase access token has sufficient permissions");
             console.error("  Tip: run with --print-sql to review the exact SQL plan");
           }
+          if (errAny.code === "42P06" || message.includes("already exists") && failedStep === "03.permissions") {
+            console.error("  Hint: postgres_ai schema or objects already exist from a previous setup.");
+            console.error("  Fix: run 'postgresai unprepare-db <connection>' first to clean up, then retry prepare-db.");
+          }
         }
         if (errAny && typeof errAny === "object" && typeof errAny.httpStatus === "number") {
           if (errAny.httpStatus === 401) {
@@ -28502,13 +28562,258 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
         if (errAny.code === "42501") {
           if (failedStep === "01.role") {
             console.error("  Context: role creation/update requires CREATEROLE or superuser");
-          } else if (failedStep === "02.permissions") {
+          } else if (failedStep === "03.permissions") {
             console.error("  Context: grants/view/search_path require sufficient GRANT/DDL privileges");
           }
           console.error("  Fix: connect as a superuser (or a role with CREATEROLE and sufficient GRANT privileges)");
           console.error("  Fix: on managed Postgres, use the provider's admin/master user");
           console.error("  Tip: run with --print-sql to review the exact SQL plan");
         }
+        if (errAny.code === "42P06" || message.includes("already exists") && failedStep === "03.permissions") {
+          console.error("  Hint: postgres_ai schema or objects already exist from a previous setup.");
+          console.error("  Fix: run 'postgresai unprepare-db <connection>' first to clean up, then retry prepare-db.");
+        }
+        if (errAny.code === "ECONNREFUSED") {
+          console.error("  Hint: check host/port and ensure Postgres is reachable from this machine");
+        }
+        if (errAny.code === "ENOTFOUND") {
+          console.error("  Hint: DNS resolution failed; double-check the host name");
+        }
+        if (errAny.code === "ETIMEDOUT") {
+          console.error("  Hint: connection timed out; check network/firewall rules");
+        }
+      }
+      process.exitCode = 1;
+    }
+  } finally {
+    if (client) {
+      try {
+        await client.end();
+      } catch {}
+    }
+  }
+});
+program2.command("unprepare-db [conn]").description("remove monitoring setup: drop monitoring user, views, schema, and revoke permissions").option("--db-url <url>", "PostgreSQL connection URL (admin) (deprecated; pass it as positional arg)").option("-h, --host <host>", "PostgreSQL host (psql-like)").option("-p, --port <port>", "PostgreSQL port (psql-like)").option("-U, --username <username>", "PostgreSQL user (psql-like)").option("-d, --dbname <dbname>", "PostgreSQL database name (psql-like)").option("--admin-password <password>", "Admin connection password (otherwise uses PGPASSWORD if set)").option("--monitoring-user <name>", "Monitoring role name to remove", DEFAULT_MONITORING_USER).option("--keep-role", "Keep the monitoring role (only revoke permissions and drop objects)", false).option("--provider <provider>", "Database provider (e.g., supabase). Affects which steps are executed.").option("--print-sql", "Print SQL plan and exit (no changes applied)", false).option("--force", "Skip confirmation prompt", false).option("--json", "Output result as JSON (machine-readable)", false).addHelpText("after", [
+  "",
+  "Examples:",
+  "  postgresai unprepare-db postgresql://admin@host:5432/dbname",
+  '  postgresai unprepare-db "dbname=dbname host=host user=admin"',
+  "  postgresai unprepare-db -h host -p 5432 -U admin -d dbname",
+  "",
+  "Admin password:",
+  "  --admin-password <password>   or  PGPASSWORD=... (libpq standard)",
+  "",
+  "Keep role but remove objects/permissions:",
+  "  postgresai unprepare-db <conn> --keep-role",
+  "",
+  "Inspect SQL without applying changes:",
+  "  postgresai unprepare-db <conn> --print-sql",
+  "",
+  "Offline SQL plan (no DB connection):",
+  "  postgresai unprepare-db --print-sql",
+  "",
+  "Skip confirmation prompt:",
+  "  postgresai unprepare-db <conn> --force"
+].join(`
+`)).action(async (conn, opts, cmd) => {
+  const jsonOutput = opts.json;
+  const outputJson = (data) => {
+    console.log(JSON.stringify(data, null, 2));
+  };
+  const outputError = (error2) => {
+    if (jsonOutput) {
+      outputJson({
+        success: false,
+        error: error2
+      });
+    } else {
+      console.error(`Error: unprepare-db: ${error2.message}`);
+      if (error2.step)
+        console.error(`  Step: ${error2.step}`);
+      if (error2.code)
+        console.error(`  Code: ${error2.code}`);
+      if (error2.detail)
+        console.error(`  Detail: ${error2.detail}`);
+      if (error2.hint)
+        console.error(`  Hint: ${error2.hint}`);
+    }
+    process.exitCode = 1;
+  };
+  const shouldPrintSql = !!opts.printSql;
+  const dropRole = !opts.keepRole;
+  const providerWarning = validateProvider(opts.provider);
+  if (providerWarning) {
+    console.warn(`\u26A0 ${providerWarning}`);
+  }
+  if (!conn && !opts.dbUrl && !opts.host && !opts.port && !opts.username && !opts.adminPassword) {
+    if (shouldPrintSql) {
+      const database = (opts.dbname ?? process.env.PGDATABASE ?? "postgres").trim();
+      const plan = await buildUninitPlan({
+        database,
+        monitoringUser: opts.monitoringUser,
+        dropRole,
+        provider: opts.provider
+      });
+      console.log(`
+--- SQL plan (offline; not connected) ---`);
+      console.log(`-- database: ${database}`);
+      console.log(`-- monitoring user: ${opts.monitoringUser}`);
+      console.log(`-- provider: ${opts.provider ?? "self-managed"}`);
+      console.log(`-- drop role: ${dropRole}`);
+      for (const step of plan.steps) {
+        console.log(`
+-- ${step.name}`);
+        console.log(step.sql);
+      }
+      console.log(`
+--- end SQL plan ---
+`);
+      return;
+    }
+  }
+  let adminConn;
+  try {
+    adminConn = resolveAdminConnection({
+      conn,
+      dbUrlFlag: opts.dbUrl,
+      host: opts.host ?? process.env.PGHOST,
+      port: opts.port ?? process.env.PGPORT,
+      username: opts.username ?? process.env.PGUSER,
+      dbname: opts.dbname ?? process.env.PGDATABASE,
+      adminPassword: opts.adminPassword,
+      envPassword: process.env.PGPASSWORD
+    });
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    if (jsonOutput) {
+      outputError({ message: msg });
+    } else {
+      console.error(`Error: unprepare-db: ${msg}`);
+      if (typeof msg === "string" && msg.startsWith("Connection is required.")) {
+        console.error("");
+        cmd.outputHelp({ error: true });
+      }
+      process.exitCode = 1;
+    }
+    return;
+  }
+  if (!jsonOutput) {
+    console.log(`Connecting to: ${adminConn.display}`);
+    console.log(`Monitoring user: ${opts.monitoringUser}`);
+    console.log(`Drop role: ${dropRole}`);
+  }
+  if (!opts.force && !jsonOutput && !shouldPrintSql) {
+    const answer = await new Promise((resolve6) => {
+      const readline = getReadline();
+      readline.question(`This will remove the monitoring setup for user "${opts.monitoringUser}"${dropRole ? " and drop the role" : ""}. Continue? [y/N] `, (ans) => resolve6(ans.trim().toLowerCase()));
+    });
+    if (answer !== "y" && answer !== "yes") {
+      console.log("Aborted.");
+      return;
+    }
+  }
+  let client;
+  try {
+    const connResult = await connectWithSslFallback(Client, adminConn);
+    client = connResult.client;
+    const dbRes = await client.query("select current_database() as db");
+    const database = dbRes.rows?.[0]?.db;
+    if (typeof database !== "string" || !database) {
+      throw new Error("Failed to resolve current database name");
+    }
+    const plan = await buildUninitPlan({
+      database,
+      monitoringUser: opts.monitoringUser,
+      dropRole,
+      provider: opts.provider
+    });
+    if (shouldPrintSql) {
+      console.log(`
+--- SQL plan ---`);
+      for (const step of plan.steps) {
+        console.log(`
+-- ${step.name}`);
+        console.log(step.sql);
+      }
+      console.log(`
+--- end SQL plan ---
+`);
+      return;
+    }
+    const { applied, errors: errors3 } = await applyUninitPlan({ client, plan });
+    if (jsonOutput) {
+      outputJson({
+        success: errors3.length === 0,
+        action: "unprepare",
+        database,
+        monitoringUser: opts.monitoringUser,
+        dropRole,
+        applied,
+        errors: errors3
+      });
+      if (errors3.length > 0) {
+        process.exitCode = 1;
+      }
+    } else {
+      if (errors3.length === 0) {
+        console.log("\u2713 unprepare-db completed");
+        console.log(`Applied ${applied.length} steps`);
+      } else {
+        console.log("\u26A0 unprepare-db completed with errors");
+        console.log(`Applied ${applied.length} steps`);
+        console.log("Errors:");
+        for (const err of errors3) {
+          console.log(`  - ${err}`);
+        }
+        process.exitCode = 1;
+      }
+    }
+  } catch (error2) {
+    const errAny = error2;
+    let message = "";
+    if (error2 instanceof Error && error2.message) {
+      message = error2.message;
+    } else if (errAny && typeof errAny === "object" && typeof errAny.message === "string" && errAny.message) {
+      message = errAny.message;
+    } else {
+      message = String(error2);
+    }
+    if (!message || message === "[object Object]") {
+      message = "Unknown error";
+    }
+    const errorObj = { message };
+    if (errAny && typeof errAny === "object") {
+      if (typeof errAny.code === "string" && errAny.code)
+        errorObj.code = errAny.code;
+      if (typeof errAny.detail === "string" && errAny.detail)
+        errorObj.detail = errAny.detail;
+      if (typeof errAny.hint === "string" && errAny.hint)
+        errorObj.hint = errAny.hint;
+    }
+    if (jsonOutput) {
+      outputJson({
+        success: false,
+        error: errorObj
+      });
+      process.exitCode = 1;
+    } else {
+      console.error(`Error: unprepare-db: ${message}`);
+      if (errAny && typeof errAny === "object") {
+        if (typeof errAny.code === "string" && errAny.code) {
+          console.error(`  Code: ${errAny.code}`);
+        }
+        if (typeof errAny.detail === "string" && errAny.detail) {
+          console.error(`  Detail: ${errAny.detail}`);
+        }
+        if (typeof errAny.hint === "string" && errAny.hint) {
+          console.error(`  Hint: ${errAny.hint}`);
+        }
+      }
+      if (errAny && typeof errAny === "object" && typeof errAny.code === "string") {
+        if (errAny.code === "42501") {
+          console.error("  Context: dropping roles/objects requires sufficient privileges");
+          console.error("  Fix: connect as a superuser (or a role with appropriate DROP privileges)");
+        }
         if (errAny.code === "ECONNREFUSED") {
           console.error("  Hint: check host/port and ensure Postgres is reachable from this machine");
         }
@@ -28527,6 +28832,7 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
         await client.end();
       } catch {}
     }
+    closeReadline();
   }
 });
 program2.command("checkup [conn]").description("generate health check reports directly from PostgreSQL (express mode)").option("--check-id <id>", `specific check to run: ${Object.keys(CHECK_INFO).join(", ")}, or ALL`, "ALL").option("--node-name <name>", "node name for reports", "node-01").option("--output <path>", "output directory for JSON files").option("--[no-]upload", "upload JSON results to PostgresAI (default: enabled; requires API key)", undefined).option("--project <project>", "project name or ID for remote upload (used with --upload; defaults to config defaultProject; auto-generated on first run)").option("--json", "output JSON to stdout (implies --no-upload)").addHelpText("after", [
@@ -28655,14 +28961,14 @@ async function resolveOrInitPaths() {
 }
 function isDockerRunning() {
   try {
-    const result = spawnSync2("docker", ["info"], { stdio: "pipe" });
+    const result = spawnSync2("docker", ["info"], { stdio: "pipe", timeout: 5000 });
     return result.status === 0;
   } catch {
     return false;
   }
 }
 function getComposeCmd() {
-  const tryCmd = (cmd, args) => spawnSync2(cmd, args, { stdio: "ignore" }).status === 0;
+  const tryCmd = (cmd, args) => spawnSync2(cmd, args, { stdio: "ignore", timeout: 5000 }).status === 0;
   if (tryCmd("docker-compose", ["version"]))
     return ["docker-compose"];
   if (tryCmd("docker", ["compose", "version"]))
@@ -28671,7 +28977,7 @@ function getComposeCmd() {
 }
 function checkRunningContainers() {
   try {
-    const result = spawnSync2("docker", ["ps", "--filter", "name=grafana-with-datasources", "--filter", "name=pgwatch", "--format", "{{.Names}}"], { stdio: "pipe", encoding: "utf8" });
+    const result = spawnSync2("docker", ["ps", "--filter", "name=grafana-with-datasources", "--filter", "name=pgwatch", "--format", "{{.Names}}"], { stdio: "pipe", encoding: "utf8", timeout: 5000 });
     if (result.status === 0 && result.stdout) {
       const containers = result.stdout.trim().split(`
 `).filter(Boolean);

package/dist/sql/02.extensions.sql

@@ -0,0 +1,8 @@
+-- Extensions required for postgres_ai monitoring
+
+-- Enable pg_stat_statements for query performance monitoring
+-- Note: Uses IF NOT EXISTS because extension may already be installed.
+-- We do NOT drop this extension in unprepare-db since it may have been pre-existing.
+create extension if not exists pg_stat_statements;
+
+

package/dist/sql/{02.permissions.sql → 03.permissions.sql}

@@ -8,6 +8,7 @@ grant pg_monitor to {{ROLE_IDENT}};
 grant select on pg_catalog.pg_index to {{ROLE_IDENT}};
 
 -- Create postgres_ai schema for our objects
+-- Using IF NOT EXISTS for idempotency - prepare-db can be run multiple times
 create schema if not exists postgres_ai;
 grant usage on schema postgres_ai to {{ROLE_IDENT}};
 

package/dist/sql/sql/02.extensions.sql

@@ -0,0 +1,8 @@
+-- Extensions required for postgres_ai monitoring
+
+-- Enable pg_stat_statements for query performance monitoring
+-- Note: Uses IF NOT EXISTS because extension may already be installed.
+-- We do NOT drop this extension in unprepare-db since it may have been pre-existing.
+create extension if not exists pg_stat_statements;
+
+

package/dist/sql/sql/{02.permissions.sql → 03.permissions.sql}

@@ -8,6 +8,7 @@ grant pg_monitor to {{ROLE_IDENT}};
 grant select on pg_catalog.pg_index to {{ROLE_IDENT}};
 
 -- Create postgres_ai schema for our objects
+-- Using IF NOT EXISTS for idempotency - prepare-db can be run multiple times
 create schema if not exists postgres_ai;
 grant usage on schema postgres_ai to {{ROLE_IDENT}};
 

package/dist/sql/sql/uninit/01.helpers.sql

@@ -0,0 +1,5 @@
+-- Drop helper functions created by prepare-db (template-filled by cli/lib/init.ts)
+-- Run before dropping the postgres_ai schema.
+
+drop function if exists postgres_ai.explain_generic(text, text, text);
+drop function if exists postgres_ai.table_describe(text);

package/dist/sql/sql/uninit/02.permissions.sql

@@ -0,0 +1,30 @@
+-- Revoke permissions and drop objects created by prepare-db (template-filled by cli/lib/init.ts)
+
+-- Drop the postgres_ai.pg_statistic view
+drop view if exists postgres_ai.pg_statistic;
+
+-- Drop the postgres_ai schema (CASCADE to handle any remaining objects)
+drop schema if exists postgres_ai cascade;
+
+-- Revoke permissions from the monitoring role
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  revoke pg_monitor from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist, nothing to revoke
+end $$;
+
+do $$ begin
+  revoke select on pg_catalog.pg_index from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+do $$ begin
+  revoke connect on database {{DB_IDENT}} from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+-- Note: USAGE on public is typically granted by default; we don't revoke it
+-- to avoid breaking other applications that may rely on it.

package/dist/sql/sql/uninit/03.role.sql

@@ -0,0 +1,27 @@
+-- Drop the monitoring role created by prepare-db (template-filled by cli/lib/init.ts)
+-- This must run after revoking all permissions from the role.
+
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  -- Reassign owned objects to current user before dropping
+  -- This handles any objects that might have been created by the role
+  begin
+    execute format('reassign owned by %I to current_user', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, nothing to reassign
+  end;
+
+  -- Drop owned objects (in case reassign didn't work for some objects)
+  begin
+    execute format('drop owned by %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist
+  end;
+
+  -- Drop the role
+  begin
+    execute format('drop role %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, that's fine
+  end;
+end $$;

package/dist/sql/uninit/01.helpers.sql

@@ -0,0 +1,5 @@
+-- Drop helper functions created by prepare-db (template-filled by cli/lib/init.ts)
+-- Run before dropping the postgres_ai schema.
+
+drop function if exists postgres_ai.explain_generic(text, text, text);
+drop function if exists postgres_ai.table_describe(text);

package/dist/sql/uninit/02.permissions.sql

@@ -0,0 +1,30 @@
+-- Revoke permissions and drop objects created by prepare-db (template-filled by cli/lib/init.ts)
+
+-- Drop the postgres_ai.pg_statistic view
+drop view if exists postgres_ai.pg_statistic;
+
+-- Drop the postgres_ai schema (CASCADE to handle any remaining objects)
+drop schema if exists postgres_ai cascade;
+
+-- Revoke permissions from the monitoring role
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  revoke pg_monitor from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist, nothing to revoke
+end $$;
+
+do $$ begin
+  revoke select on pg_catalog.pg_index from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+do $$ begin
+  revoke connect on database {{DB_IDENT}} from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+-- Note: USAGE on public is typically granted by default; we don't revoke it
+-- to avoid breaking other applications that may rely on it.

package/dist/sql/uninit/03.role.sql

@@ -0,0 +1,27 @@
+-- Drop the monitoring role created by prepare-db (template-filled by cli/lib/init.ts)
+-- This must run after revoking all permissions from the role.
+
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  -- Reassign owned objects to current user before dropping
+  -- This handles any objects that might have been created by the role
+  begin
+    execute format('reassign owned by %I to current_user', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, nothing to reassign
+  end;
+
+  -- Drop owned objects (in case reassign didn't work for some objects)
+  begin
+    execute format('drop owned by %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist
+  end;
+
+  -- Drop the role
+  begin
+    execute format('drop role %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, that's fine
+  end;
+end $$;