postgresai 0.14.0-dev.74 → 0.14.0-dev.76

package/lib/init.ts

@@ -527,7 +527,13 @@ end $$;`;
     steps.push({ name: "01.role", sql: roleSql });
   }
 
-  let permissionsSql = applyTemplate(loadSqlTemplate("02.permissions.sql"), vars);
+  // Extensions should be created before permissions (so we can grant permissions on them)
+  steps.push({
+    name: "02.extensions",
+    sql: loadSqlTemplate("02.extensions.sql"),
+  });
+
+  let permissionsSql = applyTemplate(loadSqlTemplate("03.permissions.sql"), vars);
 
   // Some providers restrict ALTER USER - remove those statements.
   // TODO: Make this more flexible by allowing users to specify which statements to skip via config.
@@ -545,26 +551,26 @@ end $$;`;
   }
 
   steps.push({
-    name: "02.permissions",
+    name: "03.permissions",
     sql: permissionsSql,
   });
 
   // Helper functions (SECURITY DEFINER) for plan analysis and table info
   steps.push({
-    name: "05.helpers",
-    sql: applyTemplate(loadSqlTemplate("05.helpers.sql"), vars),
+    name: "06.helpers",
+    sql: applyTemplate(loadSqlTemplate("06.helpers.sql"), vars),
   });
 
   if (params.includeOptionalPermissions) {
     steps.push(
       {
-        name: "03.optional_rds",
-        sql: applyTemplate(loadSqlTemplate("03.optional_rds.sql"), vars),
+        name: "04.optional_rds",
+        sql: applyTemplate(loadSqlTemplate("04.optional_rds.sql"), vars),
         optional: true,
       },
       {
-        name: "04.optional_self_managed",
-        sql: applyTemplate(loadSqlTemplate("04.optional_self_managed.sql"), vars),
+        name: "05.optional_self_managed",
+        sql: applyTemplate(loadSqlTemplate("05.optional_self_managed.sql"), vars),
         optional: true,
       }
     );
@@ -657,6 +663,101 @@ export type VerifyInitResult = {
   missingOptional: string[];
 };
 
+export type UninitPlan = {
+  monitoringUser: string;
+  database: string;
+  steps: InitStep[];
+  /** If true, also drop the monitoring role. If false, only revoke permissions. */
+  dropRole: boolean;
+};
+
+export async function buildUninitPlan(params: {
+  database: string;
+  monitoringUser?: string;
+  /** If true, drop the role entirely. If false, only revoke permissions/drop objects. */
+  dropRole?: boolean;
+  /** Provider type. Affects which steps are included. Defaults to "self-managed". */
+  provider?: DbProvider;
+}): Promise<UninitPlan> {
+  const monitoringUser = params.monitoringUser || DEFAULT_MONITORING_USER;
+  const database = params.database;
+  const provider = params.provider ?? "self-managed";
+  const dropRole = params.dropRole ?? true;
+
+  const qRole = quoteIdent(monitoringUser);
+  const qDb = quoteIdent(database);
+  const qRoleLiteral = quoteLiteral(monitoringUser);
+
+  const steps: InitStep[] = [];
+
+  const vars: Record<string, string> = {
+    ROLE_IDENT: qRole,
+    DB_IDENT: qDb,
+    ROLE_LITERAL: qRoleLiteral,
+  };
+
+  // Step 1: Drop helper functions
+  steps.push({
+    name: "01.drop_helpers",
+    sql: applyTemplate(loadSqlTemplate("uninit/01.helpers.sql"), vars),
+  });
+
+  // Step 2: Drop view, revoke permissions, drop schema
+  steps.push({
+    name: "02.revoke_permissions",
+    sql: applyTemplate(loadSqlTemplate("uninit/02.permissions.sql"), vars),
+  });
+
+  // Step 3: Drop the role (only if requested and provider allows it)
+  if (dropRole && !SKIP_ROLE_CREATION_PROVIDERS.includes(provider)) {
+    steps.push({
+      name: "03.drop_role",
+      sql: applyTemplate(loadSqlTemplate("uninit/03.role.sql"), vars),
+    });
+  }
+
+  return { monitoringUser, database, steps, dropRole };
+}
+
+export async function applyUninitPlan(params: {
+  client: PgClient;
+  plan: UninitPlan;
+}): Promise<{ applied: string[]; errors: string[] }> {
+  const applied: string[] = [];
+  const errors: string[] = [];
+
+  // Helper to wrap a step execution in begin/commit
+  const executeStep = async (step: InitStep): Promise<void> => {
+    await params.client.query("begin;");
+    try {
+      await params.client.query(step.sql, step.params as any);
+      await params.client.query("commit;");
+    } catch (e) {
+      try {
+        await params.client.query("rollback;");
+      } catch {
+        // ignore
+      }
+      throw e;
+    }
+  };
+
+  // Apply steps in order - unlike init, uninit steps are not optional
+  // but we continue on errors to clean up as much as possible
+  for (const step of params.plan.steps) {
+    try {
+      await executeStep(step);
+      applied.push(step.name);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      errors.push(`${step.name}: ${msg}`);
+      // Continue to try other steps
+    }
+  }
+
+  return { applied, errors };
+}
+
 export async function verifyInitSetup(params: {
   client: PgClient;
   database: string;

package/lib/metrics-embedded.ts

@@ -1,6 +1,6 @@
 // AUTO-GENERATED FILE - DO NOT EDIT
 // Generated from config/pgwatch-prometheus/metrics.yml by scripts/embed-metrics.ts
-// Generated at: 2026-01-09T18:10:39.847Z
+// Generated at: 2026-01-13T04:02:15.672Z
 
 /**
  * Metric definition from metrics.yml

package/lib/supabase.ts

@@ -347,14 +347,6 @@ export async function fetchPoolerDatabaseUrl(
 ): Promise<string | null> {
   const url = `${SUPABASE_API_BASE}/v1/projects/${encodeURIComponent(config.projectRef)}/config/database/pooler`;
 
-  // For Supabase pooler connections, the username must include the project ref:
-  //   <user>.<project_ref>
-  // Example:
-  //   postgresql://postgres_ai_mon.xhaqmsvczjkkvkgdyast@aws-1-eu-west-1.pooler.supabase.com:6543/postgres
-  const effectiveUsername = (() => {
-    const suffix = `.${config.projectRef}`;
-    return username.endsWith(suffix) ? username : `${username}${suffix}`;
-  })();
   try {
     const response = await fetch(url, {
       method: "GET",
@@ -375,7 +367,7 @@ export async function fetchPoolerDatabaseUrl(
       const pooler = data[0];
       // Build URL from components if available
       if (pooler.db_host && pooler.db_port && pooler.db_name) {
-        return `postgresql://${effectiveUsername}@${pooler.db_host}:${pooler.db_port}/${pooler.db_name}`;
+        return `postgresql://${username}@${pooler.db_host}:${pooler.db_port}/${pooler.db_name}`;
       }
       // Fallback: try to extract from connection_string if present
       if (typeof pooler.connection_string === "string") {
@@ -383,7 +375,7 @@ export async function fetchPoolerDatabaseUrl(
           const connUrl = new URL(pooler.connection_string);
           // Use provided username; handle empty port for default ports (e.g., 5432)
           const portPart = connUrl.port ? `:${connUrl.port}` : "";
-          return `postgresql://${effectiveUsername}@${connUrl.hostname}${portPart}${connUrl.pathname}`;
+          return `postgresql://${username}@${connUrl.hostname}${portPart}${connUrl.pathname}`;
         } catch {
           return null;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postgresai",
-  "version": "0.14.0-dev.74",
+  "version": "0.14.0-dev.76",
   "description": "postgres_ai CLI",
   "license": "Apache-2.0",
   "private": false,

package/sql/02.extensions.sql

@@ -0,0 +1,8 @@
+-- Extensions required for postgres_ai monitoring
+
+-- Enable pg_stat_statements for query performance monitoring
+-- Note: Uses IF NOT EXISTS because extension may already be installed.
+-- We do NOT drop this extension in unprepare-db since it may have been pre-existing.
+create extension if not exists pg_stat_statements;
+
+

package/sql/{02.permissions.sql → 03.permissions.sql}

@@ -8,6 +8,7 @@ grant pg_monitor to {{ROLE_IDENT}};
 grant select on pg_catalog.pg_index to {{ROLE_IDENT}};
 
 -- Create postgres_ai schema for our objects
+-- Using IF NOT EXISTS for idempotency - prepare-db can be run multiple times
 create schema if not exists postgres_ai;
 grant usage on schema postgres_ai to {{ROLE_IDENT}};
 

package/sql/uninit/01.helpers.sql

@@ -0,0 +1,5 @@
+-- Drop helper functions created by prepare-db (template-filled by cli/lib/init.ts)
+-- Run before dropping the postgres_ai schema.
+
+drop function if exists postgres_ai.explain_generic(text, text, text);
+drop function if exists postgres_ai.table_describe(text);

package/sql/uninit/02.permissions.sql

@@ -0,0 +1,30 @@
+-- Revoke permissions and drop objects created by prepare-db (template-filled by cli/lib/init.ts)
+
+-- Drop the postgres_ai.pg_statistic view
+drop view if exists postgres_ai.pg_statistic;
+
+-- Drop the postgres_ai schema (CASCADE to handle any remaining objects)
+drop schema if exists postgres_ai cascade;
+
+-- Revoke permissions from the monitoring role
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  revoke pg_monitor from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist, nothing to revoke
+end $$;
+
+do $$ begin
+  revoke select on pg_catalog.pg_index from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+do $$ begin
+  revoke connect on database {{DB_IDENT}} from {{ROLE_IDENT}};
+exception when undefined_object then
+  null; -- Role doesn't exist
+end $$;
+
+-- Note: USAGE on public is typically granted by default; we don't revoke it
+-- to avoid breaking other applications that may rely on it.

package/sql/uninit/03.role.sql

@@ -0,0 +1,27 @@
+-- Drop the monitoring role created by prepare-db (template-filled by cli/lib/init.ts)
+-- This must run after revoking all permissions from the role.
+
+-- Use a DO block to handle the case where the role doesn't exist
+do $$ begin
+  -- Reassign owned objects to current user before dropping
+  -- This handles any objects that might have been created by the role
+  begin
+    execute format('reassign owned by %I to current_user', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, nothing to reassign
+  end;
+
+  -- Drop owned objects (in case reassign didn't work for some objects)
+  begin
+    execute format('drop owned by %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist
+  end;
+
+  -- Drop the role
+  begin
+    execute format('drop role %I', {{ROLE_LITERAL}});
+  exception when undefined_object then
+    null; -- Role doesn't exist, that's fine
+  end;
+end $$;

package/test/init.test.ts

@@ -89,7 +89,7 @@ describe("init module", () => {
     expect(roleStep.sql).toMatch(/create\s+user\s+"user ""with"" quotes ✓"/i);
     expect(roleStep.sql).toMatch(/alter\s+user\s+"user ""with"" quotes ✓"/i);
 
-    const permStep = plan.steps.find((s: { name: string }) => s.name === "02.permissions");
+    const permStep = plan.steps.find((s: { name: string }) => s.name === "03.permissions");
     expect(permStep).toBeTruthy();
     expect(permStep.sql).toMatch(/grant connect on database "db name ""with"" quotes ✓" to "user ""with"" quotes ✓"/i);
   });
@@ -161,7 +161,7 @@ describe("init module", () => {
       provider: "supabase",
     });
     expect(plan.steps.some((s) => s.name === "01.role")).toBe(false);
-    expect(plan.steps.some((s) => s.name === "02.permissions")).toBe(true);
+    expect(plan.steps.some((s) => s.name === "03.permissions")).toBe(true);
   });
 
   test("buildInitPlan removes ALTER USER for supabase provider", async () => {
@@ -172,7 +172,7 @@ describe("init module", () => {
       includeOptionalPermissions: false,
       provider: "supabase",
     });
-    const permStep = plan.steps.find((s) => s.name === "02.permissions");
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
     expect(permStep).toBeDefined();
     expect(permStep!.sql.toLowerCase()).not.toMatch(/alter user/);
   });
@@ -390,7 +390,7 @@ describe("init module", () => {
       includeOptionalPermissions: false,
       provider: "supabase",
     });
-    const permStep = plan.steps.find((s) => s.name === "02.permissions");
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
     expect(permStep).toBeDefined();
     // Should have removed ALTER USER but kept comments
     expect(permStep!.sql.toLowerCase()).not.toMatch(/^\s*alter\s+user/m);
@@ -423,6 +423,179 @@ describe("init module", () => {
     const redacted = init.redactPasswordsInSql(step.sql);
     expect(redacted).toMatch(/password '<redacted>'/i);
   });
+
+  // Tests for buildUninitPlan
+  test("buildUninitPlan generates correct steps with dropRole=true", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+    });
+
+    expect(plan.database).toBe("mydb");
+    expect(plan.monitoringUser).toBe(DEFAULT_MONITORING_USER);
+    expect(plan.dropRole).toBe(true);
+    expect(plan.steps.length).toBe(3);
+    expect(plan.steps.map((s) => s.name)).toEqual([
+      "01.drop_helpers",
+      "02.revoke_permissions",
+      "03.drop_role",
+    ]);
+  });
+
+  test("buildUninitPlan skips role drop when dropRole=false", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: false,
+    });
+
+    expect(plan.dropRole).toBe(false);
+    expect(plan.steps.length).toBe(2);
+    expect(plan.steps.map((s) => s.name)).toEqual([
+      "01.drop_helpers",
+      "02.revoke_permissions",
+    ]);
+  });
+
+  test("buildUninitPlan skips role drop for supabase provider", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+      provider: "supabase",
+    });
+
+    // Even with dropRole=true, supabase provider skips role operations
+    expect(plan.steps.length).toBe(2);
+    expect(plan.steps.some((s) => s.name === "03.drop_role")).toBe(false);
+  });
+
+  test("buildUninitPlan handles special characters in identifiers", async () => {
+    const monitoringUser = 'user "with" quotes';
+    const database = 'db "name"';
+    const plan = await init.buildUninitPlan({
+      database,
+      monitoringUser,
+      dropRole: true,
+    });
+
+    // Check that identifiers are properly quoted in SQL
+    const dropHelpersStep = plan.steps.find((s) => s.name === "01.drop_helpers");
+    expect(dropHelpersStep).toBeTruthy();
+
+    const revokeStep = plan.steps.find((s) => s.name === "02.revoke_permissions");
+    expect(revokeStep).toBeTruthy();
+    expect(revokeStep!.sql).toContain('"user ""with"" quotes"');
+    expect(revokeStep!.sql).toContain('"db ""name"""');
+
+    const dropRoleStep = plan.steps.find((s) => s.name === "03.drop_role");
+    expect(dropRoleStep).toBeTruthy();
+    // Uses ROLE_LITERAL (single-quoted) for format('%I', ...) in dynamic SQL
+    expect(dropRoleStep!.sql).toContain("'user \"with\" quotes'");
+  });
+
+  test("buildUninitPlan rejects identifiers with null bytes", async () => {
+    await expect(
+      init.buildUninitPlan({
+        database: "mydb",
+        monitoringUser: "bad\0user",
+        dropRole: true,
+      })
+    ).rejects.toThrow(/Identifier cannot contain null bytes/);
+  });
+
+  test("applyUninitPlan continues on errors and reports them", async () => {
+    const plan = {
+      monitoringUser: DEFAULT_MONITORING_USER,
+      database: "mydb",
+      dropRole: true,
+      steps: [
+        { name: "01.drop_helpers", sql: "drop function if exists postgres_ai.test()" },
+        { name: "02.revoke_permissions", sql: "select 1/0" }, // Will fail
+        { name: "03.drop_role", sql: "select 1" },
+      ],
+    };
+
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string) => {
+        calls.push(sql);
+        if (sql === "begin;") return { rowCount: 1 };
+        if (sql === "commit;") return { rowCount: 1 };
+        if (sql === "rollback;") return { rowCount: 1 };
+        if (sql.includes("1/0")) throw new Error("division by zero");
+        return { rowCount: 1 };
+      },
+    };
+
+    const result = await init.applyUninitPlan({ client: client as any, plan: plan as any });
+
+    // Should have applied steps 1 and 3, with step 2 in errors
+    expect(result.applied).toContain("01.drop_helpers");
+    expect(result.applied).toContain("03.drop_role");
+    expect(result.applied).not.toContain("02.revoke_permissions");
+    expect(result.errors.length).toBe(1);
+    expect(result.errors[0]).toMatch(/02\.revoke_permissions.*division by zero/);
+  });
+
+  test("buildInitPlan includes 02.extensions step with pg_stat_statements", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const extStep = plan.steps.find((s) => s.name === "02.extensions");
+    expect(extStep).toBeTruthy();
+    // Should create pg_stat_statements with IF NOT EXISTS
+    expect(extStep!.sql).toMatch(/create extension if not exists pg_stat_statements/i);
+  });
+
+  test("buildInitPlan creates extensions before permissions", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const stepNames = plan.steps.map((s) => s.name);
+    const extIndex = stepNames.indexOf("02.extensions");
+    const permIndex = stepNames.indexOf("03.permissions");
+    expect(extIndex).toBeGreaterThanOrEqual(0);
+    expect(permIndex).toBeGreaterThanOrEqual(0);
+    // Extensions should come before permissions
+    expect(extIndex).toBeLessThan(permIndex);
+  });
+
+  test("buildInitPlan uses IF NOT EXISTS for postgres_ai schema (idempotent)", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeTruthy();
+    // Should use IF NOT EXISTS for idempotent behavior
+    expect(permStep!.sql).toMatch(/create schema if not exists postgres_ai/i);
+  });
+
+  test("buildUninitPlan does NOT drop pg_stat_statements extension", async () => {
+    const plan = await init.buildUninitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      dropRole: true,
+    });
+
+    // Check all steps - none should drop pg_stat_statements
+    for (const step of plan.steps) {
+      expect(step.sql.toLowerCase()).not.toMatch(/drop extension.*pg_stat_statements/);
+    }
+  });
 });
 
 describe("CLI commands", () => {
@@ -446,8 +619,9 @@ describe("CLI commands", () => {
     expect(r.stdout).toMatch(/provider: supabase/);
     // Should not have 01.role step
     expect(r.stdout).not.toMatch(/-- 01\.role/);
-    // Should have 02.permissions step
-    expect(r.stdout).toMatch(/-- 02\.permissions/);
+    // Should have 02.extensions and 03.permissions steps
+    expect(r.stdout).toMatch(/-- 02\.extensions/);
+    expect(r.stdout).toMatch(/-- 03\.permissions/);
   });
 
   test("cli: prepare-db warns about unknown provider", () => {
@@ -571,11 +745,66 @@ describe("CLI commands", () => {
     expect(r.status).not.toBe(0);
     expect(r.stderr).toMatch(/Cannot use --api-key with --demo mode/);
   });
+
+  // Tests for unprepare-db command
+  test("cli: unprepare-db with missing connection prints help/options", () => {
+    const r = runCli(["unprepare-db"]);
+    expect(r.status).not.toBe(0);
+    expect(r.stderr).toMatch(/--print-sql/);
+    expect(r.stderr).toMatch(/--monitoring-user/);
+  });
+
+  test("cli: unprepare-db --print-sql works without connection (offline mode)", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/SQL plan \(offline; not connected\)/);
+    expect(r.stdout).toMatch(/drop schema if exists postgres_ai/i);
+  });
+
+  test("cli: unprepare-db --print-sql with --keep-role skips role drop", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb", "--keep-role"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/drop role: false/);
+    // Should not have 03.drop_role step
+    expect(r.stdout).not.toMatch(/-- 03\.drop_role/);
+    // Should have 01 and 02 steps
+    expect(r.stdout).toMatch(/-- 01\.drop_helpers/);
+    expect(r.stdout).toMatch(/-- 02\.revoke_permissions/);
+  });
+
+  test("cli: unprepare-db --print-sql with --provider supabase skips role step", () => {
+    const r = runCli(["unprepare-db", "--print-sql", "-d", "mydb", "--provider", "supabase"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/provider: supabase/);
+    // Should not have 03.drop_role step
+    expect(r.stdout).not.toMatch(/-- 03\.drop_role/);
+  });
+
+  test("cli: unprepare-db command exists and shows help", () => {
+    const r = runCli(["unprepare-db", "--help"]);
+    expect(r.status).toBe(0);
+    expect(r.stdout).toMatch(/--keep-role/);
+    expect(r.stdout).toMatch(/--print-sql/);
+    expect(r.stdout).toMatch(/--force/);
+  });
 });
 
-describe("imageTag priority behavior", () => {
+// Check if Docker is available for imageTag tests
+function isDockerAvailable(): boolean {
+  try {
+    const result = Bun.spawnSync(["docker", "info"], { timeout: 5000 });
+    return result.exitCode === 0;
+  } catch {
+    return false;
+  }
+}
+
+const dockerAvailable = isDockerAvailable();
+
+describe.skipIf(!dockerAvailable)("imageTag priority behavior", () => {
   // Tests for the imageTag priority: --tag flag > PGAI_TAG env var > pkg.version
   // This verifies the fix that prevents stale .env PGAI_TAG from being used
+  // These tests require Docker and spawn subprocesses so need longer timeout
 
   let tempDir: string;
 
@@ -598,11 +827,13 @@ describe("imageTag priority behavior", () => {
     fs.writeFileSync(resolve(testDir, "docker-compose.yml"), "version: '3'\nservices: {}\n");
 
     // Run from the test directory (so resolvePaths finds docker-compose.yml)
+    // Note: Command may hang on Docker check in CI without Docker, so we use a timeout
     const cliPath = resolve(import.meta.dir, "..", "bin", "postgres-ai.ts");
     const bunBin = typeof process.execPath === "string" && process.execPath.length > 0 ? process.execPath : "bun";
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: undefined },
       cwd: testDir,
+      timeout: 30000, // Kill subprocess after 30s if it hangs on Docker
     });
 
     // Read the .env that was written
@@ -612,7 +843,7 @@ describe("imageTag priority behavior", () => {
     expect(envContent).not.toMatch(/PGAI_TAG=beta/);
     // It should contain the CLI version (0.0.0-dev.0 in dev)
     expect(envContent).toMatch(/PGAI_TAG=\d+\.\d+\.\d+|PGAI_TAG=0\.0\.0-dev/);
-  });
+  }, 60000);
 
   test("--tag flag takes priority over pkg.version", () => {
     const testDir = resolve(tempDir, "tag-flag-test");
@@ -624,6 +855,7 @@ describe("imageTag priority behavior", () => {
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--tag", "v1.2.3-custom", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: undefined },
       cwd: testDir,
+      timeout: 30000,
     });
 
     const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
@@ -632,7 +864,7 @@ describe("imageTag priority behavior", () => {
     // Verify stdout confirms the tag being used
     const stdout = new TextDecoder().decode(result.stdout);
     expect(stdout).toMatch(/Using image tag: v1\.2\.3-custom/);
-  });
+  }, 60000);
 
   test("PGAI_TAG env var is intentionally ignored (Bun auto-loads .env)", () => {
     // Note: We do NOT use process.env.PGAI_TAG because Bun auto-loads .env files,
@@ -647,13 +879,14 @@ describe("imageTag priority behavior", () => {
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: "v2.0.0-from-env" },
       cwd: testDir,
+      timeout: 30000,
     });
 
     const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
     // PGAI_TAG env var should be IGNORED - uses pkg.version instead
     expect(envContent).not.toMatch(/PGAI_TAG=v2\.0\.0-from-env/);
     expect(envContent).toMatch(/PGAI_TAG=\d+\.\d+\.\d+|PGAI_TAG=0\.0\.0-dev/);
-  });
+  }, 60000);
 
   test("existing registry and password are preserved while tag is updated", () => {
     const testDir = resolve(tempDir, "preserve-test");
@@ -668,6 +901,7 @@ describe("imageTag priority behavior", () => {
     const result = Bun.spawnSync([bunBin, cliPath, "mon", "local-install", "--db-url", "postgresql://u:p@h:5432/d", "--yes"], {
       env: { ...process.env, PGAI_TAG: undefined },
       cwd: testDir,
+      timeout: 30000,
     });
 
     const envContent = fs.readFileSync(resolve(testDir, ".env"), "utf8");
@@ -678,5 +912,5 @@ describe("imageTag priority behavior", () => {
     // But registry and password should be preserved
     expect(envContent).toMatch(/PGAI_REGISTRY=my\.registry\.com/);
     expect(envContent).toMatch(/GF_SECURITY_ADMIN_PASSWORD=secret123/);
-  });
+  }, 60000);
 });