postgresai 0.15.0-dev.1 → 0.15.0-dev.10

package/lib/reports.ts

@@ -0,0 +1,373 @@
+import { formatHttpError, maskSecret, normalizeBaseUrl } from "./util";
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface CheckupReport {
+  id: number;
+  org_id: number;
+  org_name: string;
+  project_id: number;
+  project_name: string;
+  created_at: string;
+  created_formatted: string;
+  epoch: number;
+  status: string;
+}
+
+export interface CheckupReportFile {
+  id: number;
+  checkup_report_id: number;
+  filename: string;
+  check_id: string;
+  type: "json" | "md";
+  created_at: string;
+  created_formatted: string;
+  project_id: number;
+  project_name: string;
+}
+
+export interface CheckupReportFileData extends CheckupReportFile {
+  data: string;
+}
+
+// ============================================================================
+// Date parsing
+// ============================================================================
+
+/**
+ * Parse a date string in various formats into an ISO 8601 string.
+ * Supported formats:
+ *   YYYY-MM-DD            2025-01-15
+ *   YYYY-MM-DDTHH:mm:ss   2025-01-15T10:30:00
+ *   YYYY-MM-DD HH:mm:ss   2025-01-15 10:30:00
+ *   YYYY-MM-DD HH:mm      2025-01-15 10:30
+ *   DD.MM.YYYY             15.01.2025
+ *   DD.MM.YYYY HH:mm      15.01.2025 10:30
+ *   DD.MM.YYYY HH:mm:ss   15.01.2025 10:30:00
+ */
+export function parseFlexibleDate(input: string): string {
+  const s = input.trim();
+
+  // DD.MM.YYYY [HH:mm[:ss]]
+  const dotMatch = s.match(/^(\d{1,2})\.(\d{1,2})\.(\d{4})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?$/);
+  if (dotMatch) {
+    const [, dd, mm, yyyy, hh, min, ss] = dotMatch;
+    const iso = `${yyyy}-${mm.padStart(2, "0")}-${dd.padStart(2, "0")}T${(hh ?? "00").padStart(2, "0")}:${(min ?? "00").padStart(2, "0")}:${(ss ?? "00").padStart(2, "0")}Z`;
+    const d = new Date(iso);
+    if (isNaN(d.getTime())) throw new Error(`Invalid date: ${input}`);
+    return d.toISOString();
+  }
+
+  // YYYY-MM-DD[T ]HH:mm[:ss] or YYYY-MM-DD
+  const isoMatch = s.match(/^(\d{4})-(\d{2})-(\d{2})(?:[T ](\d{2}):(\d{2})(?::(\d{2}))?)?$/);
+  if (isoMatch) {
+    const [, yyyy, mm, dd, hh, min, ss] = isoMatch;
+    const iso = `${yyyy}-${mm}-${dd}T${hh ?? "00"}:${min ?? "00"}:${ss ?? "00"}Z`;
+    const d = new Date(iso);
+    if (isNaN(d.getTime())) throw new Error(`Invalid date: ${input}`);
+    return d.toISOString();
+  }
+
+  throw new Error(`Unrecognized date format: ${input}. Use YYYY-MM-DD or DD.MM.YYYY`);
+}
+
+// ============================================================================
+// Params
+// ============================================================================
+
+export interface FetchReportsParams {
+  apiKey: string;
+  apiBaseUrl: string;
+  projectId?: number;
+  status?: string;
+  limit?: number;
+  beforeDate?: string;
+  /** @internal Used by fetchAllReports for keyset pagination */
+  beforeId?: number;
+  debug?: boolean;
+}
+
+export interface FetchReportFilesParams {
+  apiKey: string;
+  apiBaseUrl: string;
+  reportId?: number;
+  type?: "json" | "md";
+  checkId?: string;
+  debug?: boolean;
+}
+
+export interface FetchReportFileDataParams {
+  apiKey: string;
+  apiBaseUrl: string;
+  reportId?: number;
+  type?: "json" | "md";
+  checkId?: string;
+  debug?: boolean;
+}
+
+// ============================================================================
+// API functions
+// ============================================================================
+
+export async function fetchReports(params: FetchReportsParams): Promise<CheckupReport[]> {
+  const { apiKey, apiBaseUrl, projectId, status, limit = 20, beforeDate, beforeId, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+
+  const base = normalizeBaseUrl(apiBaseUrl);
+  const url = new URL(`${base}/checkup_reports`);
+  url.searchParams.set("order", "id.desc");
+  url.searchParams.set("limit", String(limit));
+  if (typeof projectId === "number") {
+    url.searchParams.set("project_id", `eq.${projectId}`);
+  }
+  if (status) {
+    url.searchParams.set("status", `eq.${status}`);
+  }
+  if (beforeDate) {
+    url.searchParams.set("created_at", `lt.${beforeDate}`);
+  }
+  if (typeof beforeId === "number") {
+    url.searchParams.set("id", `lt.${beforeId}`);
+  }
+
+  const headers: Record<string, string> = {
+    "access-token": apiKey,
+    "Prefer": "return=representation",
+    "Content-Type": "application/json",
+    "Connection": "close",
+  };
+
+  if (debug) {
+    const debugHeaders: Record<string, string> = { ...headers, "access-token": maskSecret(apiKey) };
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+
+  const response = await fetch(url.toString(), { method: "GET", headers });
+
+  if (debug) {
+    console.error(`Debug: Response status: ${response.status}`);
+  }
+
+  const data = await response.text();
+
+  if (response.ok) {
+    try {
+      return JSON.parse(data) as CheckupReport[];
+    } catch {
+      throw new Error(`Failed to parse reports response: ${data}`);
+    }
+  } else {
+    throw new Error(formatHttpError("Failed to fetch reports", response.status, data));
+  }
+}
+
+const MAX_ALL_REPORTS = 10000;
+
+export async function fetchAllReports(params: Omit<FetchReportsParams, "beforeId" | "beforeDate">): Promise<CheckupReport[]> {
+  const pageSize = params.limit ?? 100;
+  const all: CheckupReport[] = [];
+  let beforeId: number | undefined;
+
+  while (true) {
+    const page = await fetchReports({ ...params, limit: pageSize, beforeId });
+    if (page.length === 0) break;
+    all.push(...page);
+    if (all.length >= MAX_ALL_REPORTS) {
+      console.warn(`Warning: reached maximum of ${MAX_ALL_REPORTS} reports, stopping pagination`);
+      break;
+    }
+    beforeId = page[page.length - 1].id;
+    if (page.length < pageSize) break;
+  }
+
+  return all;
+}
+
+export async function fetchReportFiles(params: FetchReportFilesParams): Promise<CheckupReportFile[]> {
+  const { apiKey, apiBaseUrl, reportId, type, checkId, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+  if (reportId === undefined && !checkId) {
+    throw new Error("Either reportId or checkId is required");
+  }
+
+  const base = normalizeBaseUrl(apiBaseUrl);
+  const url = new URL(`${base}/checkup_report_files`);
+  if (typeof reportId === "number") {
+    url.searchParams.set("checkup_report_id", `eq.${reportId}`);
+  }
+  url.searchParams.set("order", "id.asc");
+  if (type) {
+    url.searchParams.set("type", `eq.${type}`);
+  }
+  if (checkId) {
+    url.searchParams.set("check_id", `eq.${checkId}`);
+  }
+
+  const headers: Record<string, string> = {
+    "access-token": apiKey,
+    "Prefer": "return=representation",
+    "Content-Type": "application/json",
+    "Connection": "close",
+  };
+
+  if (debug) {
+    const debugHeaders: Record<string, string> = { ...headers, "access-token": maskSecret(apiKey) };
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+
+  const response = await fetch(url.toString(), { method: "GET", headers });
+
+  if (debug) {
+    console.error(`Debug: Response status: ${response.status}`);
+  }
+
+  const data = await response.text();
+
+  if (response.ok) {
+    try {
+      return JSON.parse(data) as CheckupReportFile[];
+    } catch {
+      throw new Error(`Failed to parse report files response: ${data}`);
+    }
+  } else {
+    throw new Error(formatHttpError("Failed to fetch report files", response.status, data));
+  }
+}
+
+export async function fetchReportFileData(params: FetchReportFileDataParams): Promise<CheckupReportFileData[]> {
+  const { apiKey, apiBaseUrl, reportId, type, checkId, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+  if (reportId === undefined && !checkId) {
+    throw new Error("Either reportId or checkId is required");
+  }
+
+  const base = normalizeBaseUrl(apiBaseUrl);
+  const url = new URL(`${base}/checkup_report_file_data`);
+  if (typeof reportId === "number") {
+    url.searchParams.set("checkup_report_id", `eq.${reportId}`);
+  }
+  url.searchParams.set("order", "id.asc");
+  if (type) {
+    url.searchParams.set("type", `eq.${type}`);
+  }
+  if (checkId) {
+    url.searchParams.set("check_id", `eq.${checkId}`);
+  }
+
+  const headers: Record<string, string> = {
+    "access-token": apiKey,
+    "Prefer": "return=representation",
+    "Content-Type": "application/json",
+    "Connection": "close",
+  };
+
+  if (debug) {
+    const debugHeaders: Record<string, string> = { ...headers, "access-token": maskSecret(apiKey) };
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+
+  const response = await fetch(url.toString(), { method: "GET", headers });
+
+  if (debug) {
+    console.error(`Debug: Response status: ${response.status}`);
+  }
+
+  const data = await response.text();
+
+  if (response.ok) {
+    try {
+      return JSON.parse(data) as CheckupReportFileData[];
+    } catch {
+      throw new Error(`Failed to parse report file data response: ${data}`);
+    }
+  } else {
+    throw new Error(formatHttpError("Failed to fetch report file data", response.status, data));
+  }
+}
+
+// ============================================================================
+// Lightweight markdown terminal renderer
+// ============================================================================
+
+export function renderMarkdownForTerminal(md: string): string {
+  if (!md) return "";
+
+  const RESET = "\x1b[0m";
+  const BOLD = "\x1b[1m";
+  const BOLD_UNDERLINE = "\x1b[1;4m";
+  const DIM = "\x1b[2m";
+  const ITALIC = "\x1b[3m";
+  const CYAN = "\x1b[36m";
+
+  const lines = md.split("\n");
+  const output: string[] = [];
+  let inCodeBlock = false;
+
+  for (const line of lines) {
+    // Code block toggle
+    if (line.trimStart().startsWith("```")) {
+      inCodeBlock = !inCodeBlock;
+      if (inCodeBlock) {
+        output.push(`${DIM}${"─".repeat(40)}${RESET}`);
+      } else {
+        output.push(`${DIM}${"─".repeat(40)}${RESET}`);
+      }
+      continue;
+    }
+
+    // Inside code block — dim output
+    if (inCodeBlock) {
+      output.push(`${DIM}  ${line}${RESET}`);
+      continue;
+    }
+
+    // Horizontal rule
+    if (/^-{3,}$/.test(line.trim()) || /^\*{3,}$/.test(line.trim()) || /^_{3,}$/.test(line.trim())) {
+      output.push(`${DIM}${"─".repeat(60)}${RESET}`);
+      continue;
+    }
+
+    // Headings
+    const headingMatch = line.match(/^(#{1,6})\s+(.*)/);
+    if (headingMatch) {
+      const level = headingMatch[1].length;
+      const text = headingMatch[2];
+      if (level === 1) {
+        output.push(`${BOLD_UNDERLINE}${text}${RESET}`);
+      } else {
+        output.push(`${BOLD}${text}${RESET}`);
+      }
+      continue;
+    }
+
+    // Inline formatting
+    let formatted = line;
+    // Bold: **text** or __text__
+    formatted = formatted.replace(/\*\*(.+?)\*\*/g, `${BOLD}$1${RESET}`);
+    formatted = formatted.replace(/__(.+?)__/g, `${BOLD}$1${RESET}`);
+    // Italic: *text* (only single, not inside **)
+    formatted = formatted.replace(/(?<!\*)\*(?!\*)(.+?)(?<!\*)\*(?!\*)/g, `${ITALIC}$1${RESET}`);
+    // Italic: _text_ — only at word boundaries (not inside identifiers like foo_bar_baz)
+    formatted = formatted.replace(/(?<=^|[\s(])_([^\s_](?:.*?[^\s_])?)_(?=$|[\s),.:;!?])/g, `${ITALIC}$1${RESET}`);
+    // Inline code: `text`
+    formatted = formatted.replace(/`([^`]+)`/g, `${CYAN}$1${RESET}`);
+
+    output.push(formatted);
+  }
+
+  return output.join("\n");
+}

package/lib/storage.ts

@@ -0,0 +1,291 @@
+import * as fs from "fs";
+import * as path from "path";
+import { formatHttpError, maskSecret, normalizeBaseUrl } from "./util";
+
+const MAX_UPLOAD_SIZE = 500 * 1024 * 1024; // 500 MB
+const MAX_DOWNLOAD_SIZE = 500 * 1024 * 1024; // 500 MB
+
+const MIME_TYPES: Record<string, string> = {
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".svg": "image/svg+xml",
+  ".bmp": "image/bmp",
+  ".ico": "image/x-icon",
+  ".pdf": "application/pdf",
+  ".json": "application/json",
+  ".xml": "application/xml",
+  ".zip": "application/zip",
+  ".gz": "application/gzip",
+  ".tar": "application/x-tar",
+  ".csv": "text/csv",
+  ".txt": "text/plain",
+  ".log": "text/plain",
+  ".sql": "application/sql",
+  ".html": "text/html",
+  ".css": "text/css",
+  ".js": "application/javascript",
+  ".ts": "application/typescript",
+  ".md": "text/markdown",
+  ".yaml": "application/x-yaml",
+  ".yml": "application/x-yaml",
+};
+
+export interface UploadFileMetadata {
+  originalName: string;
+  size: number;
+  mimeType: string;
+  uploadedAt: string;
+  duration: number;
+}
+
+export interface UploadResult {
+  success: boolean;
+  url: string;
+  metadata: UploadFileMetadata;
+  requestId: string;
+}
+
+export interface UploadFileParams {
+  apiKey: string;
+  storageBaseUrl: string;
+  filePath: string;
+  debug?: boolean;
+}
+
+/**
+ * Upload a file to the storage service.
+ *
+ * @param params.apiKey - API token for authentication
+ * @param params.storageBaseUrl - Storage service base URL
+ * @param params.filePath - Local file path to upload
+ * @param params.debug - Enable debug logging
+ * @returns Upload result with URL and metadata
+ */
+export async function uploadFile(params: UploadFileParams): Promise<UploadResult> {
+  const { apiKey, storageBaseUrl, filePath, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+  if (!storageBaseUrl) {
+    throw new Error("storageBaseUrl is required");
+  }
+  if (!filePath) {
+    throw new Error("filePath is required");
+  }
+
+  const resolvedPath = path.resolve(filePath);
+  if (!fs.existsSync(resolvedPath)) {
+    throw new Error(`File not found: ${resolvedPath}`);
+  }
+  const stat = fs.statSync(resolvedPath);
+  if (!stat.isFile()) {
+    throw new Error(`Not a file: ${resolvedPath}`);
+  }
+  if (stat.size > MAX_UPLOAD_SIZE) {
+    throw new Error(`File too large: ${stat.size} bytes (max ${MAX_UPLOAD_SIZE})`);
+  }
+
+  const base = normalizeBaseUrl(storageBaseUrl);
+  // Warn but don't reject HTTP — CLI needs to work with localhost during development.
+  // Rejecting would require an --allow-insecure flag that adds friction for local setups.
+  if (new URL(base).protocol === "http:") {
+    console.error("Warning: storage URL uses HTTP — API key will be sent unencrypted");
+  }
+  const url = `${base}/upload`;
+
+  // readFileSync is intentional: FormData/Blob API requires the full buffer anyway,
+  // and the 500MB size check above prevents excessive memory use. Streaming would
+  // need a custom multipart encoder (no native stream support in fetch FormData).
+  const fileBuffer = fs.readFileSync(resolvedPath);
+  const fileName = path.basename(resolvedPath);
+
+  const ext = path.extname(fileName).toLowerCase();
+  const mimeType = MIME_TYPES[ext] || "application/octet-stream";
+
+  const formData = new FormData();
+  formData.append("file", new Blob([fileBuffer], { type: mimeType }), fileName);
+
+  const headers: Record<string, string> = {
+    "access-token": apiKey,
+  };
+
+  if (debug) {
+    const debugHeaders: Record<string, string> = { ...headers, "access-token": maskSecret(apiKey) };
+    console.error(`Debug: Storage base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url}`);
+    console.error(`Debug: File: ${resolvedPath} (${stat.size} bytes, ${mimeType})`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+
+  const response = await fetch(url, {
+    method: "POST",
+    headers,
+    body: formData,
+  });
+
+  if (debug) {
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+  }
+
+  const data = await response.text();
+
+  if (response.ok) {
+    try {
+      return JSON.parse(data) as UploadResult;
+    } catch {
+      throw new Error(`Failed to parse upload response: ${data}`);
+    }
+  } else {
+    throw new Error(formatHttpError("Failed to upload file", response.status, data));
+  }
+}
+
+export interface DownloadFileParams {
+  apiKey: string;
+  storageBaseUrl: string;
+  fileUrl: string;
+  outputPath?: string;
+  debug?: boolean;
+}
+
+export interface DownloadResult {
+  savedTo: string;
+  size: number;
+  mimeType: string | null;
+}
+
+/**
+ * Download a file from the storage service.
+ *
+ * @param params.apiKey - API token for authentication
+ * @param params.storageBaseUrl - Storage service base URL
+ * @param params.fileUrl - File URL path (e.g. /files/123/xxx.png) or full URL
+ * @param params.outputPath - Local path to save the file (default: derive from URL)
+ * @param params.debug - Enable debug logging
+ * @returns Download result with saved path and size
+ */
+export async function downloadFile(params: DownloadFileParams): Promise<DownloadResult> {
+  const { apiKey, storageBaseUrl, fileUrl, outputPath, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+  if (!storageBaseUrl) {
+    throw new Error("storageBaseUrl is required");
+  }
+  if (!fileUrl) {
+    throw new Error("fileUrl is required");
+  }
+
+  const base = normalizeBaseUrl(storageBaseUrl);
+  // Warn but don't reject HTTP — same rationale as uploadFile (localhost dev).
+  if (new URL(base).protocol === "http:") {
+    console.error("Warning: storage URL uses HTTP — API key will be sent unencrypted");
+  }
+
+  // Support both full URLs and relative paths
+  let fullUrl: string;
+  if (fileUrl.startsWith("http://") || fileUrl.startsWith("https://")) {
+    if (!fileUrl.startsWith(base + "/")) {
+      throw new Error(`URL must be under storage base URL: ${base}`);
+    }
+    fullUrl = fileUrl;
+  } else {
+    // Relative path like /files/123/xxx.png
+    const relativePath = fileUrl.startsWith("/") ? fileUrl : `/${fileUrl}`;
+    fullUrl = `${base}${relativePath}`;
+  }
+
+  // Derive output filename from URL if not specified
+  const urlFilename = path.basename(new URL(fullUrl).pathname);
+  if (!urlFilename) {
+    throw new Error("Cannot derive filename from URL; please specify --output");
+  }
+  const saveTo = outputPath ? path.resolve(outputPath) : path.resolve(urlFilename);
+
+  // Path traversal guard only for URL-derived filenames (untrusted input).
+  // Explicit --output (-o) is trusted: the user intentionally chose the path,
+  // and restricting it to cwd would break legitimate use (e.g. -o /tmp/file.png).
+  if (!outputPath) {
+    const normalizedSave = path.normalize(saveTo);
+    if (!normalizedSave.startsWith(path.normalize(process.cwd()))) {
+      throw new Error("Derived output path escapes current directory; please specify --output");
+    }
+  }
+
+  const headers: Record<string, string> = {
+    "access-token": apiKey,
+  };
+
+  if (debug) {
+    const debugHeaders: Record<string, string> = { ...headers, "access-token": maskSecret(apiKey) };
+    console.error(`Debug: Storage base URL: ${base}`);
+    console.error(`Debug: GET URL: ${fullUrl}`);
+    console.error(`Debug: Output: ${saveTo}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+
+  const response = await fetch(fullUrl, {
+    method: "GET",
+    headers,
+  });
+
+  if (debug) {
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+  }
+
+  if (!response.ok) {
+    const data = await response.text();
+    throw new Error(formatHttpError("Failed to download file", response.status, data));
+  }
+
+  const contentLength = response.headers.get("content-length");
+  if (contentLength && parseInt(contentLength, 10) > MAX_DOWNLOAD_SIZE) {
+    throw new Error(`File too large: ${contentLength} bytes (max ${MAX_DOWNLOAD_SIZE})`);
+  }
+
+  const arrayBuffer = await response.arrayBuffer();
+  const buffer = Buffer.from(arrayBuffer);
+
+  // Create parent dirs for the output path. recursive:true is intentional —
+  // the user may specify -o deeply/nested/path.png and expect it to work,
+  // same as curl --create-dirs or wget -P.
+  const parentDir = path.dirname(saveTo);
+  if (!fs.existsSync(parentDir)) {
+    fs.mkdirSync(parentDir, { recursive: true });
+  }
+
+  fs.writeFileSync(saveTo, buffer);
+
+  return {
+    savedTo: saveTo,
+    size: buffer.length,
+    mimeType: response.headers.get("content-type"),
+  };
+}
+
+const IMAGE_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".bmp", ".ico"]);
+
+/**
+ * Build a markdown link for a file URL.
+ * Returns `![name](url)` for images, `[name](url)` for other files.
+ */
+export function buildMarkdownLink(fileUrl: string, storageBaseUrl: string, filename?: string): string {
+  const base = normalizeBaseUrl(storageBaseUrl);
+  const normalizedFileUrl = fileUrl.startsWith("/") ? fileUrl : `/${fileUrl}`;
+  const fullUrl = (fileUrl.startsWith("http://") || fileUrl.startsWith("https://")) ? fileUrl : `${base}${normalizedFileUrl}`;
+  const name = filename || path.basename(new URL(fullUrl).pathname);
+  const safeName = name.replace(/[\[\]()]/g, "\\$&");
+  const ext = path.extname(name).toLowerCase();
+  // fullUrl is not escaped — storage URLs are server-generated (UUID-based paths
+  // like /files/641/1770646021425_019c42ba.png) and never contain parentheses.
+  // Escaping would break the URL for renderers that don't decode %29 in href.
+  if (IMAGE_EXTENSIONS.has(ext)) {
+    return `![${safeName}](${fullUrl})`;
+  }
+  return `[${safeName}](${fullUrl})`;
+}

package/lib/supabase.ts

@@ -350,6 +350,10 @@ export async function fetchPoolerDatabaseUrl(
   config: SupabaseConfig,
   username: string
 ): Promise<string | null> {
+  // Validate projectRef format to prevent SSRF via crafted project references
+  if (!isValidProjectRef(config.projectRef)) {
+    throw new Error(`Invalid Supabase project reference format: "${config.projectRef}". Expected 10-30 alphanumeric characters.`);
+  }
   const url = `${SUPABASE_API_BASE}/v1/projects/${encodeURIComponent(config.projectRef)}/config/database/pooler`;
 
   // For Supabase pooler connections, the username must include the project ref:
@@ -669,7 +673,10 @@ export async function verifyInitSetupViaSupabase(params: {
 
   // Check pg_statistic view
   const viewExistsRes = await params.client.query(
-    "SELECT to_regclass('postgres_ai.pg_statistic') IS NOT NULL as ok",
+    `SELECT CASE
+      WHEN NOT has_schema_privilege(current_user, 'postgres_ai', 'USAGE') THEN NULL
+      ELSE to_regclass('postgres_ai.pg_statistic') IS NOT NULL
+    END as ok`,
     true
   );
   if (!viewExistsRes.rows?.[0]?.ok) {