postgresai 0.14.0-dev.84 → 0.14.0-dev.86

package/bin/postgres-ai.ts

@@ -1643,9 +1643,9 @@ program
   });
 
 program
-  .command("checkup [conn]")
+  .command("checkup [checkIdOrConn] [conn]")
   .description("generate health check reports directly from PostgreSQL (express mode)")
-  .option("--check-id <id>", `specific check to run (see list below), or ALL`, "ALL")
+  .option("--check-id <id>", `specific check to run (see list below), or ALL`)
   .option("--node-name <name>", "node name for reports", "node-01")
   .option("--output <path>", "output directory for JSON files")
   .option("--upload", "upload JSON results to PostgresAI (requires API key)")
@@ -1664,13 +1664,43 @@ program
       "",
       "Examples:",
       "  postgresai checkup postgresql://user:pass@host:5432/db",
-      "  postgresai checkup postgresql://user:pass@host:5432/db --check-id D001",
+      "  postgresai checkup H002 postgresql://user:pass@host:5432/db",
+      "  postgresai checkup postgresql://user:pass@host:5432/db --check-id H002",
       "  postgresai checkup postgresql://user:pass@host:5432/db --output ./reports",
-      "  postgresai checkup postgresql://user:pass@host:5432/db --project my_project",
       "  postgresai checkup postgresql://user:pass@host:5432/db --no-upload --json",
     ].join("\n")
   )
-  .action(async (conn: string | undefined, opts: CheckupOptions, cmd: Command) => {
+  .action(async (checkIdOrConn: string | undefined, connArg: string | undefined, opts: CheckupOptions, cmd: Command) => {
+    // Support both syntaxes:
+    //   pgai checkup postgresql://...              -> run ALL checks
+    //   pgai checkup H002 postgresql://...         -> run specific check (positional)
+    //   pgai checkup --check-id H002 postgresql:// -> run specific check (option)
+    const checkIdPattern = /^[A-Z]\d{3}$/i;
+    let conn: string | undefined;
+    let checkId: string;
+
+    if (!checkIdOrConn) {
+      cmd.outputHelp();
+      process.exitCode = 1;
+      return;
+    }
+
+    if (checkIdPattern.test(checkIdOrConn)) {
+      // First arg is a check ID
+      checkId = checkIdOrConn.toUpperCase();
+      conn = connArg;
+      if (!conn) {
+        console.error(`Error: Connection string required when specifying check ID "${checkId}"`);
+        console.error(`\nUsage: postgresai checkup ${checkId} postgresql://user@host:5432/dbname\n`);
+        process.exitCode = 1;
+        return;
+      }
+    } else {
+      // First arg is the connection string
+      conn = checkIdOrConn;
+      checkId = opts.checkId?.toUpperCase() || "ALL";
+    }
+
     if (!conn) {
       cmd.outputHelp();
       process.exitCode = 1;
@@ -1718,12 +1748,11 @@ program
 
       // Generate reports
       let reports: Record<string, any>;
-      if (opts.checkId === "ALL") {
+      if (checkId === "ALL") {
         reports = await generateAllReports(client, opts.nodeName, (p) => {
           spinner.update(`Running ${p.checkId}: ${p.checkTitle} (${p.index}/${p.total})`);
         });
       } else {
-        const checkId = opts.checkId.toUpperCase();
         const generator = REPORT_GENERATORS[checkId];
         if (!generator) {
           spinner.stop();
@@ -1733,7 +1762,7 @@ program
             console.error(`Check ${checkId} (${dictEntry.title}) is not yet available in express mode.`);
             console.error(`Express-mode checks: ${Object.keys(CHECK_INFO).join(", ")}`);
           } else {
-            console.error(`Unknown check ID: ${opts.checkId}`);
+            console.error(`Unknown check ID: ${checkId}`);
             console.error(`See 'postgresai checkup --help' for available checks.`);
           }
           process.exitCode = 1;

package/dist/bin/postgres-ai.js

@@ -13064,7 +13064,7 @@ var {
 // package.json
 var package_default = {
   name: "postgresai",
-  version: "0.14.0-dev.84",
+  version: "0.14.0-dev.86",
   description: "postgres_ai CLI",
   license: "Apache-2.0",
   private: false,
@@ -15889,7 +15889,7 @@ var Result = import_lib.default.Result;
 var TypeOverrides = import_lib.default.TypeOverrides;
 var defaults = import_lib.default.defaults;
 // package.json
-var version = "0.14.0-dev.84";
+var version = "0.14.0-dev.86";
 var package_default2 = {
   name: "postgresai",
   version,
@@ -24971,14 +24971,7 @@ end $$;`;
   });
   let permissionsSql = applyTemplate(loadSqlTemplate("03.permissions.sql"), vars);
   if (SKIP_ALTER_USER_PROVIDERS.includes(provider)) {
-    permissionsSql = permissionsSql.split(`
-`).filter((line) => {
-      const trimmed = line.trim();
-      if (trimmed.startsWith("--") || trimmed === "")
-        return true;
-      return !/^\s*alter\s+user\s+/i.test(line);
-    }).join(`
-`);
+    permissionsSql = permissionsSql.replace(/-- \[SEARCH_PATH_BLOCK_START\][\s\S]*?-- \[SEARCH_PATH_BLOCK_END\]\n?/, "");
   }
   steps.push({
     name: "03.permissions",
@@ -25162,6 +25155,19 @@ async function verifyInitSetup(params) {
     if (!schemaUsageRes.rows?.[0]?.ok) {
       missingRequired.push("USAGE on schema public");
     }
+    const extSchemaRes = await params.client.query(`
+      select n.nspname as schema
+      from pg_extension e
+      join pg_namespace n on e.extnamespace = n.oid
+      where e.extname = 'pg_stat_statements'
+    `);
+    const extSchema = extSchemaRes.rows?.[0]?.schema;
+    if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+      const extSchemaUsageRes = await params.client.query("select has_schema_privilege($1, $2, 'USAGE') as ok", [role, extSchema]);
+      if (!extSchemaUsageRes.rows?.[0]?.ok) {
+        missingRequired.push(`USAGE on schema ${extSchema} (pg_stat_statements location)`);
+      }
+    }
     if (!SKIP_SEARCH_PATH_CHECK_PROVIDERS.includes(provider)) {
       const rolcfgRes = await params.client.query("select rolconfig from pg_catalog.pg_roles where rolname = $1", [role]);
       const rolconfig = rolcfgRes.rows?.[0]?.rolconfig;
@@ -25173,6 +25179,11 @@ async function verifyInitSetup(params) {
         if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
           missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
         }
+        if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+          if (!sp.includes(extSchema.toLowerCase())) {
+            missingRequired.push(`role search_path includes ${extSchema} (pg_stat_statements location)`);
+          }
+        }
       }
     }
     const explainFnRes = await params.client.query("select has_function_privilege($1, 'postgres_ai.explain_generic(text, text, text)', 'EXECUTE') as ok", [role]);
@@ -27116,7 +27127,7 @@ function buildCheckInfoMap() {
 }
 
 // lib/checkup.ts
-var __dirname = "/builds/postgres-ai/postgres_ai/cli/lib";
+var __dirname = "/builds/postgres-ai/postgresai/cli/lib";
 var SECONDS_PER_DAY = 86400;
 var SECONDS_PER_HOUR = 3600;
 var SECONDS_PER_MINUTE = 60;
@@ -29487,19 +29498,42 @@ program2.command("unprepare-db [conn]").description("remove monitoring setup: dr
     closeReadline();
   }
 });
-program2.command("checkup [conn]").description("generate health check reports directly from PostgreSQL (express mode)").option("--check-id <id>", `specific check to run (see list below), or ALL`, "ALL").option("--node-name <name>", "node name for reports", "node-01").option("--output <path>", "output directory for JSON files").option("--upload", "upload JSON results to PostgresAI (requires API key)").option("--no-upload", "disable upload to PostgresAI").option("--project <project>", "project name or ID for remote upload (used with --upload; defaults to config defaultProject; auto-generated on first run)").option("--json", "output JSON to stdout").addHelpText("after", [
+program2.command("checkup [checkIdOrConn] [conn]").description("generate health check reports directly from PostgreSQL (express mode)").option("--check-id <id>", `specific check to run (see list below), or ALL`).option("--node-name <name>", "node name for reports", "node-01").option("--output <path>", "output directory for JSON files").option("--upload", "upload JSON results to PostgresAI (requires API key)").option("--no-upload", "disable upload to PostgresAI").option("--project <project>", "project name or ID for remote upload (used with --upload; defaults to config defaultProject; auto-generated on first run)").option("--json", "output JSON to stdout").addHelpText("after", [
   "",
   "Available checks:",
   ...Object.entries(CHECK_INFO).map(([id, title]) => `  ${id}: ${title}`),
   "",
   "Examples:",
   "  postgresai checkup postgresql://user:pass@host:5432/db",
-  "  postgresai checkup postgresql://user:pass@host:5432/db --check-id D001",
+  "  postgresai checkup H002 postgresql://user:pass@host:5432/db",
+  "  postgresai checkup postgresql://user:pass@host:5432/db --check-id H002",
   "  postgresai checkup postgresql://user:pass@host:5432/db --output ./reports",
-  "  postgresai checkup postgresql://user:pass@host:5432/db --project my_project",
   "  postgresai checkup postgresql://user:pass@host:5432/db --no-upload --json"
 ].join(`
-`)).action(async (conn, opts, cmd) => {
+`)).action(async (checkIdOrConn, connArg, opts, cmd) => {
+  const checkIdPattern = /^[A-Z]\d{3}$/i;
+  let conn;
+  let checkId;
+  if (!checkIdOrConn) {
+    cmd.outputHelp();
+    process.exitCode = 1;
+    return;
+  }
+  if (checkIdPattern.test(checkIdOrConn)) {
+    checkId = checkIdOrConn.toUpperCase();
+    conn = connArg;
+    if (!conn) {
+      console.error(`Error: Connection string required when specifying check ID "${checkId}"`);
+      console.error(`
+Usage: postgresai checkup ${checkId} postgresql://user@host:5432/dbname
+`);
+      process.exitCode = 1;
+      return;
+    }
+  } else {
+    conn = checkIdOrConn;
+    checkId = opts.checkId?.toUpperCase() || "ALL";
+  }
   if (!conn) {
     cmd.outputHelp();
     process.exitCode = 1;
@@ -29535,12 +29569,11 @@ program2.command("checkup [conn]").description("generate health check reports di
     const connResult = await connectWithSslFallback(Client, adminConn);
     client = connResult.client;
     let reports;
-    if (opts.checkId === "ALL") {
+    if (checkId === "ALL") {
       reports = await generateAllReports(client, opts.nodeName, (p) => {
         spinner.update(`Running ${p.checkId}: ${p.checkTitle} (${p.index}/${p.total})`);
       });
     } else {
-      const checkId = opts.checkId.toUpperCase();
       const generator = REPORT_GENERATORS[checkId];
       if (!generator) {
         spinner.stop();
@@ -29549,7 +29582,7 @@ program2.command("checkup [conn]").description("generate health check reports di
           console.error(`Check ${checkId} (${dictEntry.title}) is not yet available in express mode.`);
           console.error(`Express-mode checks: ${Object.keys(CHECK_INFO).join(", ")}`);
         } else {
-          console.error(`Unknown check ID: ${opts.checkId}`);
+          console.error(`Unknown check ID: ${checkId}`);
           console.error(`See 'postgresai checkup --help' for available checks.`);
         }
         process.exitCode = 1;

package/dist/sql/03.permissions.sql

@@ -32,7 +32,46 @@ grant select on postgres_ai.pg_statistic to {{ROLE_IDENT}};
 -- Hardened clusters sometimes revoke PUBLIC on schema public
 grant usage on schema public to {{ROLE_IDENT}};
 
--- Keep search_path predictable; postgres_ai first so our objects are found
-alter user {{ROLE_IDENT}} set search_path = postgres_ai, "$user", public, pg_catalog;
+-- Grant access to the schema where pg_stat_statements is installed.
+-- Some providers (e.g., Supabase) install extensions in a separate 'extensions' schema
+-- rather than pg_catalog. This DO block detects the schema and grants USAGE if needed.
+do $$
+declare
+  ext_schema text;
+begin
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Only grant if extension exists and is in a non-standard schema
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    execute format('grant usage on schema %I to {{ROLE_IDENT}}', ext_schema);
+  end if;
+end $$;
+
+-- [SEARCH_PATH_BLOCK_START] Keep search_path predictable; postgres_ai first so our objects are found.
+-- Dynamically include the pg_stat_statements extension schema if it's in a non-standard location.
+do $$
+declare
+  ext_schema text;
+  sp text;
+begin
+  -- Detect pg_stat_statements extension schema
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Build search_path: include extension schema if in non-standard location
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    sp := 'postgres_ai, ' || quote_ident(ext_schema) || ', "$user", public, pg_catalog';
+  else
+    sp := 'postgres_ai, "$user", public, pg_catalog';
+  end if;
+
+  execute format('alter user {{ROLE_IDENT}} set search_path = %s', sp);
+end $$;
+-- [SEARCH_PATH_BLOCK_END]
 
 

package/dist/sql/sql/03.permissions.sql

@@ -32,7 +32,46 @@ grant select on postgres_ai.pg_statistic to {{ROLE_IDENT}};
 -- Hardened clusters sometimes revoke PUBLIC on schema public
 grant usage on schema public to {{ROLE_IDENT}};
 
--- Keep search_path predictable; postgres_ai first so our objects are found
-alter user {{ROLE_IDENT}} set search_path = postgres_ai, "$user", public, pg_catalog;
+-- Grant access to the schema where pg_stat_statements is installed.
+-- Some providers (e.g., Supabase) install extensions in a separate 'extensions' schema
+-- rather than pg_catalog. This DO block detects the schema and grants USAGE if needed.
+do $$
+declare
+  ext_schema text;
+begin
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Only grant if extension exists and is in a non-standard schema
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    execute format('grant usage on schema %I to {{ROLE_IDENT}}', ext_schema);
+  end if;
+end $$;
+
+-- [SEARCH_PATH_BLOCK_START] Keep search_path predictable; postgres_ai first so our objects are found.
+-- Dynamically include the pg_stat_statements extension schema if it's in a non-standard location.
+do $$
+declare
+  ext_schema text;
+  sp text;
+begin
+  -- Detect pg_stat_statements extension schema
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Build search_path: include extension schema if in non-standard location
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    sp := 'postgres_ai, ' || quote_ident(ext_schema) || ', "$user", public, pg_catalog';
+  else
+    sp := 'postgres_ai, "$user", public, pg_catalog';
+  end if;
+
+  execute format('alter user {{ROLE_IDENT}} set search_path = %s', sp);
+end $$;
+-- [SEARCH_PATH_BLOCK_END]
 
 

package/lib/init.ts

@@ -538,16 +538,12 @@ end $$;`;
   // Some providers restrict ALTER USER - remove those statements.
   // TODO: Make this more flexible by allowing users to specify which statements to skip via config.
   if (SKIP_ALTER_USER_PROVIDERS.includes(provider)) {
-    permissionsSql = permissionsSql
-      .split("\n")
-      .filter((line) => {
-        const trimmed = line.trim();
-        // Keep comments and empty lines
-        if (trimmed.startsWith("--") || trimmed === "") return true;
-        // Filter out ALTER USER statements (case-insensitive, flexible whitespace)
-        return !/^\s*alter\s+user\s+/i.test(line);
-      })
-      .join("\n");
+    // Remove the entire search_path DO block (marked with SEARCH_PATH_BLOCK_START/END)
+    // since it contains ALTER USER and can't be line-filtered without breaking the DO block.
+    permissionsSql = permissionsSql.replace(
+      /-- \[SEARCH_PATH_BLOCK_START\][\s\S]*?-- \[SEARCH_PATH_BLOCK_END\]\n?/,
+      ""
+    );
   }
 
   steps.push({
@@ -838,6 +834,24 @@ export async function verifyInitSetup(params: {
       missingRequired.push("USAGE on schema public");
     }
 
+    // Check access to pg_stat_statements extension schema (may be 'extensions' on Supabase)
+    const extSchemaRes = await params.client.query(`
+      select n.nspname as schema
+      from pg_extension e
+      join pg_namespace n on e.extnamespace = n.oid
+      where e.extname = 'pg_stat_statements'
+    `);
+    const extSchema = extSchemaRes.rows?.[0]?.schema;
+    if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+      const extSchemaUsageRes = await params.client.query(
+        "select has_schema_privilege($1, $2, 'USAGE') as ok",
+        [role, extSchema]
+      );
+      if (!extSchemaUsageRes.rows?.[0]?.ok) {
+        missingRequired.push(`USAGE on schema ${extSchema} (pg_stat_statements location)`);
+      }
+    }
+
     // Some providers don't allow setting search_path via ALTER USER - skip this check.
     // TODO: Make this more flexible by allowing users to specify which checks to skip via config.
     if (!SKIP_SEARCH_PATH_CHECK_PROVIDERS.includes(provider)) {
@@ -848,10 +862,17 @@ export async function verifyInitSetup(params: {
         missingRequired.push("role search_path is set");
       } else {
         // We accept any ordering as long as postgres_ai, public, and pg_catalog are included.
+        // Also verify search_path includes the pg_stat_statements schema if in a non-standard location.
         const sp = spLine.toLowerCase();
         if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
           missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
         }
+        // If pg_stat_statements is in a non-standard schema (e.g., 'extensions' on Supabase), verify it's in search_path
+        if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+          if (!sp.includes(extSchema.toLowerCase())) {
+            missingRequired.push(`role search_path includes ${extSchema} (pg_stat_statements location)`);
+          }
+        }
       }
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postgresai",
-  "version": "0.14.0-dev.84",
+  "version": "0.14.0-dev.86",
   "description": "postgres_ai CLI",
   "license": "Apache-2.0",
   "private": false,

package/sql/03.permissions.sql

@@ -32,7 +32,46 @@ grant select on postgres_ai.pg_statistic to {{ROLE_IDENT}};
 -- Hardened clusters sometimes revoke PUBLIC on schema public
 grant usage on schema public to {{ROLE_IDENT}};
 
--- Keep search_path predictable; postgres_ai first so our objects are found
-alter user {{ROLE_IDENT}} set search_path = postgres_ai, "$user", public, pg_catalog;
+-- Grant access to the schema where pg_stat_statements is installed.
+-- Some providers (e.g., Supabase) install extensions in a separate 'extensions' schema
+-- rather than pg_catalog. This DO block detects the schema and grants USAGE if needed.
+do $$
+declare
+  ext_schema text;
+begin
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Only grant if extension exists and is in a non-standard schema
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    execute format('grant usage on schema %I to {{ROLE_IDENT}}', ext_schema);
+  end if;
+end $$;
+
+-- [SEARCH_PATH_BLOCK_START] Keep search_path predictable; postgres_ai first so our objects are found.
+-- Dynamically include the pg_stat_statements extension schema if it's in a non-standard location.
+do $$
+declare
+  ext_schema text;
+  sp text;
+begin
+  -- Detect pg_stat_statements extension schema
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Build search_path: include extension schema if in non-standard location
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    sp := 'postgres_ai, ' || quote_ident(ext_schema) || ', "$user", public, pg_catalog';
+  else
+    sp := 'postgres_ai, "$user", public, pg_catalog';
+  end if;
+
+  execute format('alter user {{ROLE_IDENT}} set search_path = %s', sp);
+end $$;
+-- [SEARCH_PATH_BLOCK_END]
 
 

package/test/checkup.test.ts

@@ -1008,6 +1008,47 @@ describe("CLI tests", () => {
     const r = runCli(["checkup", "postgresql://test:test@localhost:5432/test", "--no-upload"], env);
     expect(r.stderr).not.toMatch(/API key is required/i);
   });
+
+  // Argument parsing tests for check ID / connection string recognition
+  test("checkup with check ID but no connection shows specific error", () => {
+    const r = runCli(["checkup", "H002"]);
+    expect(r.status).not.toBe(0);
+    expect(r.stderr).toMatch(/connection string required/i);
+    expect(r.stderr).toMatch(/H002/);
+  });
+
+  test("checkup recognizes valid check ID patterns", () => {
+    // Valid check IDs: A002, H002, F004, etc.
+    for (const checkId of ["A002", "H002", "F004", "K003", "a002", "h002"]) {
+      const r = runCli(["checkup", checkId]);
+      expect(r.status).not.toBe(0);
+      expect(r.stderr).toMatch(/connection string required/i);
+    }
+  });
+
+  test("checkup does not treat connection string as check ID", () => {
+    // Connection strings should not be parsed as check IDs
+    const r = runCli(["checkup", "postgresql://test:test@localhost:5432/test", "--no-upload"]);
+    // Should not show "connection string required" error
+    expect(r.stderr).not.toMatch(/connection string required/i);
+  });
+
+  test("checkup with check ID and connection string works", () => {
+    // pgai checkup H002 postgresql://...
+    const r = runCli(["checkup", "H002", "postgresql://test:test@localhost:5432/test", "--no-upload"]);
+    // Should not show "connection string required" error
+    expect(r.stderr).not.toMatch(/connection string required/i);
+    // Connection will fail but argument parsing should succeed
+    expect(r.stderr).not.toMatch(/unknown option/i);
+  });
+
+  test("checkup with --check-id option works", () => {
+    // pgai checkup --check-id H002 postgresql://...
+    const r = runCli(["checkup", "--check-id", "H002", "postgresql://test:test@localhost:5432/test", "--no-upload"]);
+    // Should not show "connection string required" error
+    expect(r.stderr).not.toMatch(/connection string required/i);
+    expect(r.stderr).not.toMatch(/unknown option/i);
+  });
 });
 
 // Tests for checkup-api module

package/test/init.test.ts

@@ -281,7 +281,7 @@ describe("init module", () => {
           return { rowCount: 1, rows: [] };
         }
         if (String(sql).includes("select rolconfig")) {
-          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, extensions, "$user", public, pg_catalog'] }] };
         }
         if (String(sql).includes("from pg_catalog.pg_roles")) {
           return { rowCount: 1, rows: [] };
@@ -307,6 +307,10 @@ describe("init module", () => {
         if (String(sql).includes("has_schema_privilege")) {
           return { rowCount: 1, rows: [{ ok: true }] };
         }
+        // Query for pg_stat_statements extension schema location
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "pg_catalog" }] };
+        }
 
         throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
       },
@@ -363,6 +367,10 @@ describe("init module", () => {
         if (String(sql).includes("has_schema_privilege")) {
           return { rowCount: 1, rows: [{ ok: true }] };
         }
+        // Query for pg_stat_statements extension schema location (Supabase uses 'extensions' schema)
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "extensions" }] };
+        }
 
         throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
       },
@@ -382,6 +390,335 @@ describe("init module", () => {
     expect(calls.some((c) => c.includes("select rolconfig"))).toBe(false);
   });
 
+  test("verifyInitSetup checks extensions schema when pg_stat_statements is there", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, extensions, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in 'extensions' schema
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "extensions" }] };
+        }
+        // Check for USAGE on extensions schema
+        if (String(sql).includes("has_schema_privilege") && params?.[1] === "extensions") {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should have queried for pg_stat_statements schema location
+    expect(calls.some((c) => c.includes("pg_extension e") && c.includes("pg_stat_statements"))).toBe(true);
+  });
+
+  test("verifyInitSetup reports missing extensions schema access", async () => {
+    const client = {
+      query: async (sql: string, params?: any) => {
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in 'extensions' schema
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "extensions" }] };
+        }
+        // No USAGE on extensions schema
+        if (String(sql).includes("has_schema_privilege") && params?.[1] === "extensions") {
+          return { rowCount: 1, rows: [{ ok: false }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    expect(r.ok).toBe(false);
+    // Should report missing USAGE on extensions schema
+    expect(r.missingRequired.some((m) => m.includes("extensions") && m.includes("pg_stat_statements"))).toBe(true);
+    // Should also report missing extensions in search_path
+    expect(r.missingRequired.some((m) => m.includes("search_path") && m.includes("extensions"))).toBe(true);
+  });
+
+  test("buildInitPlan includes dynamic search_path with extension schema detection", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeTruthy();
+    // Should use dynamic DO block to set search_path based on detected extension schema
+    expect(permStep!.sql).toMatch(/alter\s+user.*set\s+search_path\s*=/i);
+    // Should detect pg_stat_statements extension schema dynamically
+    expect(permStep!.sql).toMatch(/quote_ident\(ext_schema\)/i);
+  });
+
+  test("buildInitPlan includes dynamic extension schema grant", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeTruthy();
+    // Should include DO block that grants USAGE on extension schema
+    expect(permStep!.sql).toMatch(/do\s+\$\$/i);
+    expect(permStep!.sql).toMatch(/pg_stat_statements/);
+    expect(permStep!.sql).toMatch(/grant usage on schema/i);
+  });
+
+  test("verifyInitSetup handles pg_stat_statements not installed", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, extensions, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is NOT installed - empty result
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 0, rows: [] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    // Should pass without errors - missing extension shouldn't cause failure
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should have queried for pg_stat_statements schema location
+    expect(calls.some((c) => c.includes("pg_extension e") && c.includes("pg_stat_statements"))).toBe(true);
+  });
+
+  test("verifyInitSetup skips extension schema check when in pg_catalog", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in pg_catalog (standard location)
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "pg_catalog" }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    // Should pass - pg_catalog doesn't need extra USAGE grant
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should NOT have queried for has_schema_privilege on pg_catalog specifically
+    // (the code skips the check for pg_catalog and public schemas)
+    const pgCatalogPrivCheck = calls.filter(
+      (c) => c.includes("has_schema_privilege") && c.includes("pg_catalog")
+    );
+    // Should only have the standard public schema check, not a pg_catalog check for extension
+    expect(pgCatalogPrivCheck.length).toBe(0);
+  });
+
+  test("verifyInitSetup skips extension schema check when in public", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in public schema
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "public" }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    // Should pass - public doesn't need extra USAGE grant for extension
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+  });
+
   test("buildInitPlan preserves comments when filtering ALTER USER", async () => {
     const plan = await init.buildInitPlan({
       database: "mydb",