postgresai 0.14.0-dev.85 → 0.14.0-dev.86

package/dist/bin/postgres-ai.js

@@ -13064,7 +13064,7 @@ var {
 // package.json
 var package_default = {
   name: "postgresai",
-  version: "0.14.0-dev.85",
+  version: "0.14.0-dev.86",
   description: "postgres_ai CLI",
   license: "Apache-2.0",
   private: false,
@@ -15889,7 +15889,7 @@ var Result = import_lib.default.Result;
 var TypeOverrides = import_lib.default.TypeOverrides;
 var defaults = import_lib.default.defaults;
 // package.json
-var version = "0.14.0-dev.85";
+var version = "0.14.0-dev.86";
 var package_default2 = {
   name: "postgresai",
   version,
@@ -24971,14 +24971,7 @@ end $$;`;
   });
   let permissionsSql = applyTemplate(loadSqlTemplate("03.permissions.sql"), vars);
   if (SKIP_ALTER_USER_PROVIDERS.includes(provider)) {
-    permissionsSql = permissionsSql.split(`
-`).filter((line) => {
-      const trimmed = line.trim();
-      if (trimmed.startsWith("--") || trimmed === "")
-        return true;
-      return !/^\s*alter\s+user\s+/i.test(line);
-    }).join(`
-`);
+    permissionsSql = permissionsSql.replace(/-- \[SEARCH_PATH_BLOCK_START\][\s\S]*?-- \[SEARCH_PATH_BLOCK_END\]\n?/, "");
   }
   steps.push({
     name: "03.permissions",
@@ -25162,6 +25155,19 @@ async function verifyInitSetup(params) {
     if (!schemaUsageRes.rows?.[0]?.ok) {
       missingRequired.push("USAGE on schema public");
     }
+    const extSchemaRes = await params.client.query(`
+      select n.nspname as schema
+      from pg_extension e
+      join pg_namespace n on e.extnamespace = n.oid
+      where e.extname = 'pg_stat_statements'
+    `);
+    const extSchema = extSchemaRes.rows?.[0]?.schema;
+    if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+      const extSchemaUsageRes = await params.client.query("select has_schema_privilege($1, $2, 'USAGE') as ok", [role, extSchema]);
+      if (!extSchemaUsageRes.rows?.[0]?.ok) {
+        missingRequired.push(`USAGE on schema ${extSchema} (pg_stat_statements location)`);
+      }
+    }
     if (!SKIP_SEARCH_PATH_CHECK_PROVIDERS.includes(provider)) {
       const rolcfgRes = await params.client.query("select rolconfig from pg_catalog.pg_roles where rolname = $1", [role]);
       const rolconfig = rolcfgRes.rows?.[0]?.rolconfig;
@@ -25173,6 +25179,11 @@ async function verifyInitSetup(params) {
         if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
           missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
         }
+        if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+          if (!sp.includes(extSchema.toLowerCase())) {
+            missingRequired.push(`role search_path includes ${extSchema} (pg_stat_statements location)`);
+          }
+        }
       }
     }
     const explainFnRes = await params.client.query("select has_function_privilege($1, 'postgres_ai.explain_generic(text, text, text)', 'EXECUTE') as ok", [role]);

package/dist/sql/03.permissions.sql

@@ -32,7 +32,46 @@ grant select on postgres_ai.pg_statistic to {{ROLE_IDENT}};
 -- Hardened clusters sometimes revoke PUBLIC on schema public
 grant usage on schema public to {{ROLE_IDENT}};
 
--- Keep search_path predictable; postgres_ai first so our objects are found
-alter user {{ROLE_IDENT}} set search_path = postgres_ai, "$user", public, pg_catalog;
+-- Grant access to the schema where pg_stat_statements is installed.
+-- Some providers (e.g., Supabase) install extensions in a separate 'extensions' schema
+-- rather than pg_catalog. This DO block detects the schema and grants USAGE if needed.
+do $$
+declare
+  ext_schema text;
+begin
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Only grant if extension exists and is in a non-standard schema
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    execute format('grant usage on schema %I to {{ROLE_IDENT}}', ext_schema);
+  end if;
+end $$;
+
+-- [SEARCH_PATH_BLOCK_START] Keep search_path predictable; postgres_ai first so our objects are found.
+-- Dynamically include the pg_stat_statements extension schema if it's in a non-standard location.
+do $$
+declare
+  ext_schema text;
+  sp text;
+begin
+  -- Detect pg_stat_statements extension schema
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Build search_path: include extension schema if in non-standard location
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    sp := 'postgres_ai, ' || quote_ident(ext_schema) || ', "$user", public, pg_catalog';
+  else
+    sp := 'postgres_ai, "$user", public, pg_catalog';
+  end if;
+
+  execute format('alter user {{ROLE_IDENT}} set search_path = %s', sp);
+end $$;
+-- [SEARCH_PATH_BLOCK_END]
 
 

package/dist/sql/sql/03.permissions.sql

@@ -32,7 +32,46 @@ grant select on postgres_ai.pg_statistic to {{ROLE_IDENT}};
 -- Hardened clusters sometimes revoke PUBLIC on schema public
 grant usage on schema public to {{ROLE_IDENT}};
 
--- Keep search_path predictable; postgres_ai first so our objects are found
-alter user {{ROLE_IDENT}} set search_path = postgres_ai, "$user", public, pg_catalog;
+-- Grant access to the schema where pg_stat_statements is installed.
+-- Some providers (e.g., Supabase) install extensions in a separate 'extensions' schema
+-- rather than pg_catalog. This DO block detects the schema and grants USAGE if needed.
+do $$
+declare
+  ext_schema text;
+begin
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Only grant if extension exists and is in a non-standard schema
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    execute format('grant usage on schema %I to {{ROLE_IDENT}}', ext_schema);
+  end if;
+end $$;
+
+-- [SEARCH_PATH_BLOCK_START] Keep search_path predictable; postgres_ai first so our objects are found.
+-- Dynamically include the pg_stat_statements extension schema if it's in a non-standard location.
+do $$
+declare
+  ext_schema text;
+  sp text;
+begin
+  -- Detect pg_stat_statements extension schema
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Build search_path: include extension schema if in non-standard location
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    sp := 'postgres_ai, ' || quote_ident(ext_schema) || ', "$user", public, pg_catalog';
+  else
+    sp := 'postgres_ai, "$user", public, pg_catalog';
+  end if;
+
+  execute format('alter user {{ROLE_IDENT}} set search_path = %s', sp);
+end $$;
+-- [SEARCH_PATH_BLOCK_END]
 
 

package/lib/init.ts

@@ -538,16 +538,12 @@ end $$;`;
   // Some providers restrict ALTER USER - remove those statements.
   // TODO: Make this more flexible by allowing users to specify which statements to skip via config.
   if (SKIP_ALTER_USER_PROVIDERS.includes(provider)) {
-    permissionsSql = permissionsSql
-      .split("\n")
-      .filter((line) => {
-        const trimmed = line.trim();
-        // Keep comments and empty lines
-        if (trimmed.startsWith("--") || trimmed === "") return true;
-        // Filter out ALTER USER statements (case-insensitive, flexible whitespace)
-        return !/^\s*alter\s+user\s+/i.test(line);
-      })
-      .join("\n");
+    // Remove the entire search_path DO block (marked with SEARCH_PATH_BLOCK_START/END)
+    // since it contains ALTER USER and can't be line-filtered without breaking the DO block.
+    permissionsSql = permissionsSql.replace(
+      /-- \[SEARCH_PATH_BLOCK_START\][\s\S]*?-- \[SEARCH_PATH_BLOCK_END\]\n?/,
+      ""
+    );
   }
 
   steps.push({
@@ -838,6 +834,24 @@ export async function verifyInitSetup(params: {
       missingRequired.push("USAGE on schema public");
     }
 
+    // Check access to pg_stat_statements extension schema (may be 'extensions' on Supabase)
+    const extSchemaRes = await params.client.query(`
+      select n.nspname as schema
+      from pg_extension e
+      join pg_namespace n on e.extnamespace = n.oid
+      where e.extname = 'pg_stat_statements'
+    `);
+    const extSchema = extSchemaRes.rows?.[0]?.schema;
+    if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+      const extSchemaUsageRes = await params.client.query(
+        "select has_schema_privilege($1, $2, 'USAGE') as ok",
+        [role, extSchema]
+      );
+      if (!extSchemaUsageRes.rows?.[0]?.ok) {
+        missingRequired.push(`USAGE on schema ${extSchema} (pg_stat_statements location)`);
+      }
+    }
+
     // Some providers don't allow setting search_path via ALTER USER - skip this check.
     // TODO: Make this more flexible by allowing users to specify which checks to skip via config.
     if (!SKIP_SEARCH_PATH_CHECK_PROVIDERS.includes(provider)) {
@@ -848,10 +862,17 @@ export async function verifyInitSetup(params: {
         missingRequired.push("role search_path is set");
       } else {
         // We accept any ordering as long as postgres_ai, public, and pg_catalog are included.
+        // Also verify search_path includes the pg_stat_statements schema if in a non-standard location.
         const sp = spLine.toLowerCase();
         if (!sp.includes("postgres_ai") || !sp.includes("public") || !sp.includes("pg_catalog")) {
           missingRequired.push("role search_path includes postgres_ai, public and pg_catalog");
         }
+        // If pg_stat_statements is in a non-standard schema (e.g., 'extensions' on Supabase), verify it's in search_path
+        if (extSchema && extSchema !== "pg_catalog" && extSchema !== "public") {
+          if (!sp.includes(extSchema.toLowerCase())) {
+            missingRequired.push(`role search_path includes ${extSchema} (pg_stat_statements location)`);
+          }
+        }
       }
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postgresai",
-  "version": "0.14.0-dev.85",
+  "version": "0.14.0-dev.86",
   "description": "postgres_ai CLI",
   "license": "Apache-2.0",
   "private": false,

package/sql/03.permissions.sql

@@ -32,7 +32,46 @@ grant select on postgres_ai.pg_statistic to {{ROLE_IDENT}};
 -- Hardened clusters sometimes revoke PUBLIC on schema public
 grant usage on schema public to {{ROLE_IDENT}};
 
--- Keep search_path predictable; postgres_ai first so our objects are found
-alter user {{ROLE_IDENT}} set search_path = postgres_ai, "$user", public, pg_catalog;
+-- Grant access to the schema where pg_stat_statements is installed.
+-- Some providers (e.g., Supabase) install extensions in a separate 'extensions' schema
+-- rather than pg_catalog. This DO block detects the schema and grants USAGE if needed.
+do $$
+declare
+  ext_schema text;
+begin
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Only grant if extension exists and is in a non-standard schema
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    execute format('grant usage on schema %I to {{ROLE_IDENT}}', ext_schema);
+  end if;
+end $$;
+
+-- [SEARCH_PATH_BLOCK_START] Keep search_path predictable; postgres_ai first so our objects are found.
+-- Dynamically include the pg_stat_statements extension schema if it's in a non-standard location.
+do $$
+declare
+  ext_schema text;
+  sp text;
+begin
+  -- Detect pg_stat_statements extension schema
+  select n.nspname into ext_schema
+  from pg_extension e
+  join pg_namespace n on e.extnamespace = n.oid
+  where e.extname = 'pg_stat_statements';
+
+  -- Build search_path: include extension schema if in non-standard location
+  if ext_schema is not null and ext_schema not in ('pg_catalog', 'public') then
+    sp := 'postgres_ai, ' || quote_ident(ext_schema) || ', "$user", public, pg_catalog';
+  else
+    sp := 'postgres_ai, "$user", public, pg_catalog';
+  end if;
+
+  execute format('alter user {{ROLE_IDENT}} set search_path = %s', sp);
+end $$;
+-- [SEARCH_PATH_BLOCK_END]
 
 

package/test/init.test.ts

@@ -281,7 +281,7 @@ describe("init module", () => {
           return { rowCount: 1, rows: [] };
         }
         if (String(sql).includes("select rolconfig")) {
-          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, extensions, "$user", public, pg_catalog'] }] };
         }
         if (String(sql).includes("from pg_catalog.pg_roles")) {
           return { rowCount: 1, rows: [] };
@@ -307,6 +307,10 @@ describe("init module", () => {
         if (String(sql).includes("has_schema_privilege")) {
           return { rowCount: 1, rows: [{ ok: true }] };
         }
+        // Query for pg_stat_statements extension schema location
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "pg_catalog" }] };
+        }
 
         throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
       },
@@ -363,6 +367,10 @@ describe("init module", () => {
         if (String(sql).includes("has_schema_privilege")) {
           return { rowCount: 1, rows: [{ ok: true }] };
         }
+        // Query for pg_stat_statements extension schema location (Supabase uses 'extensions' schema)
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "extensions" }] };
+        }
 
         throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
       },
@@ -382,6 +390,335 @@ describe("init module", () => {
     expect(calls.some((c) => c.includes("select rolconfig"))).toBe(false);
   });
 
+  test("verifyInitSetup checks extensions schema when pg_stat_statements is there", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, extensions, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in 'extensions' schema
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "extensions" }] };
+        }
+        // Check for USAGE on extensions schema
+        if (String(sql).includes("has_schema_privilege") && params?.[1] === "extensions") {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should have queried for pg_stat_statements schema location
+    expect(calls.some((c) => c.includes("pg_extension e") && c.includes("pg_stat_statements"))).toBe(true);
+  });
+
+  test("verifyInitSetup reports missing extensions schema access", async () => {
+    const client = {
+      query: async (sql: string, params?: any) => {
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in 'extensions' schema
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "extensions" }] };
+        }
+        // No USAGE on extensions schema
+        if (String(sql).includes("has_schema_privilege") && params?.[1] === "extensions") {
+          return { rowCount: 1, rows: [{ ok: false }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    expect(r.ok).toBe(false);
+    // Should report missing USAGE on extensions schema
+    expect(r.missingRequired.some((m) => m.includes("extensions") && m.includes("pg_stat_statements"))).toBe(true);
+    // Should also report missing extensions in search_path
+    expect(r.missingRequired.some((m) => m.includes("search_path") && m.includes("extensions"))).toBe(true);
+  });
+
+  test("buildInitPlan includes dynamic search_path with extension schema detection", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeTruthy();
+    // Should use dynamic DO block to set search_path based on detected extension schema
+    expect(permStep!.sql).toMatch(/alter\s+user.*set\s+search_path\s*=/i);
+    // Should detect pg_stat_statements extension schema dynamically
+    expect(permStep!.sql).toMatch(/quote_ident\(ext_schema\)/i);
+  });
+
+  test("buildInitPlan includes dynamic extension schema grant", async () => {
+    const plan = await init.buildInitPlan({
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      monitoringPassword: "pw",
+      includeOptionalPermissions: false,
+    });
+
+    const permStep = plan.steps.find((s) => s.name === "03.permissions");
+    expect(permStep).toBeTruthy();
+    // Should include DO block that grants USAGE on extension schema
+    expect(permStep!.sql).toMatch(/do\s+\$\$/i);
+    expect(permStep!.sql).toMatch(/pg_stat_statements/);
+    expect(permStep!.sql).toMatch(/grant usage on schema/i);
+  });
+
+  test("verifyInitSetup handles pg_stat_statements not installed", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, extensions, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is NOT installed - empty result
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 0, rows: [] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    // Should pass without errors - missing extension shouldn't cause failure
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should have queried for pg_stat_statements schema location
+    expect(calls.some((c) => c.includes("pg_extension e") && c.includes("pg_stat_statements"))).toBe(true);
+  });
+
+  test("verifyInitSetup skips extension schema check when in pg_catalog", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in pg_catalog (standard location)
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "pg_catalog" }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    // Should pass - pg_catalog doesn't need extra USAGE grant
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+    // Should NOT have queried for has_schema_privilege on pg_catalog specifically
+    // (the code skips the check for pg_catalog and public schemas)
+    const pgCatalogPrivCheck = calls.filter(
+      (c) => c.includes("has_schema_privilege") && c.includes("pg_catalog")
+    );
+    // Should only have the standard public schema check, not a pg_catalog check for extension
+    expect(pgCatalogPrivCheck.length).toBe(0);
+  });
+
+  test("verifyInitSetup skips extension schema check when in public", async () => {
+    const calls: string[] = [];
+    const client = {
+      query: async (sql: string, params?: any) => {
+        calls.push(String(sql));
+
+        if (String(sql).toLowerCase().startsWith("begin isolation level repeatable read")) {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).toLowerCase() === "rollback;") {
+          return { rowCount: 1, rows: [] };
+        }
+        if (String(sql).includes("select rolconfig")) {
+          return { rowCount: 1, rows: [{ rolconfig: ['search_path=postgres_ai, "$user", public, pg_catalog'] }] };
+        }
+        if (String(sql).includes("from pg_catalog.pg_roles")) {
+          return { rowCount: 1, rows: [{ rolname: DEFAULT_MONITORING_USER }] };
+        }
+        if (String(sql).includes("has_database_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("pg_has_role")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_table_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("to_regclass")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        if (String(sql).includes("has_function_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+        // pg_stat_statements is in public schema
+        if (String(sql).includes("pg_extension e") && String(sql).includes("pg_stat_statements")) {
+          return { rowCount: 1, rows: [{ schema: "public" }] };
+        }
+        if (String(sql).includes("has_schema_privilege")) {
+          return { rowCount: 1, rows: [{ ok: true }] };
+        }
+
+        throw new Error(`unexpected sql: ${sql} params=${JSON.stringify(params)}`);
+      },
+    };
+
+    const r = await init.verifyInitSetup({
+      client: client as any,
+      database: "mydb",
+      monitoringUser: DEFAULT_MONITORING_USER,
+      includeOptionalPermissions: false,
+    });
+    // Should pass - public doesn't need extra USAGE grant for extension
+    expect(r.ok).toBe(true);
+    expect(r.missingRequired.length).toBe(0);
+  });
+
   test("buildInitPlan preserves comments when filtering ALTER USER", async () => {
     const plan = await init.buildInitPlan({
       database: "mydb",