postgresai 0.15.0-dev.10 → 0.15.0-dev.11

package/test/monitoring.test.ts

@@ -2,6 +2,20 @@ import { describe, test, expect, beforeEach, afterEach, mock, spyOn } from "bun:
 import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
+import * as yaml from "js-yaml";
+import { Client } from "pg";
+import {
+  addInstanceToFile,
+  removeInstanceFromFile,
+  loadInstances,
+  buildInstance,
+  buildClientConfig,
+  sslOptionFromConnString,
+  warnIfLaxSslmode,
+  isLaxSslmode,
+  extractSslmode,
+  InstancesParseError,
+} from "../lib/instances";
 
 /**
  * Test updatePgwatchConfig function behavior.
@@ -337,3 +351,266 @@ describe("demo mode instances.demo.yml", () => {
     }
   });
 });
+
+describe("docker-compose: default network has IPv6 enabled", () => {
+  const repoRoot = path.resolve(import.meta.dir, "..", "..");
+
+  test("root docker-compose.yml declares networks.default with enable_ipv6", () => {
+    const composePath = path.join(repoRoot, "docker-compose.yml");
+    const content = fs.readFileSync(composePath, "utf8");
+
+    // Use string match so we also catch the env-overridable form
+    // `enable_ipv6: ${PGAI_ENABLE_IPV6:-true}`, which Compose interpolates
+    // before the YAML strict-bool check.
+    expect(content).toMatch(/^networks:/m);
+    expect(content).toMatch(/^\s*default:/m);
+    expect(content).toMatch(/enable_ipv6:\s*(true|\$\{PGAI_ENABLE_IPV6:-true\})/);
+
+    // Also assert the YAML is parseable (catches indentation regressions).
+    const parsed = yaml.load(content) as any;
+    expect(parsed?.networks?.default).toBeDefined();
+  });
+
+  test("env override default resolves to 'true' when PGAI_ENABLE_IPV6 is unset", () => {
+    // Mirror Compose's `${VAR:-default}` interpolation rule. Verifies that the
+    // template's default value matches the documented one.
+    const composePath = path.join(repoRoot, "docker-compose.yml");
+    const content = fs.readFileSync(composePath, "utf8");
+    const m = content.match(/enable_ipv6:\s*\$\{PGAI_ENABLE_IPV6:-(\w+)\}/);
+    expect(m).not.toBeNull();
+    expect(m![1]).toBe("true");
+  });
+});
+
+describe("addInstanceToFile / removeInstanceFromFile round-trip", () => {
+  let tempDir: string;
+  let instancesFile: string;
+
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "instances-test-"));
+    instancesFile = path.join(tempDir, "instances.yml");
+  });
+
+  afterEach(() => {
+    if (tempDir && fs.existsSync(tempDir)) {
+      fs.rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  test("add to empty file produces a valid YAML list", () => {
+    addInstanceToFile(instancesFile, buildInstance("t1", "postgresql://u:p@h:5432/db"));
+    const list = loadInstances(instancesFile);
+    expect(list.length).toBe(1);
+    expect(list[0].name).toBe("t1");
+  });
+
+  test("add → remove → add cycle keeps file parseable (regression)", () => {
+    // The previous bug: after `remove` left `[]` in the file, `add` appended a
+    // list-item next to it, producing two YAML documents in one file.
+    addInstanceToFile(instancesFile, buildInstance("t1", "postgresql://u:p@h:5432/db"));
+    removeInstanceFromFile(instancesFile, "t1");
+    expect(loadInstances(instancesFile)).toEqual([]);
+
+    addInstanceToFile(instancesFile, buildInstance("t2", "postgresql://u:p@h:5432/db2"));
+
+    // Must NOT throw "end of the stream or a document separator is expected".
+    const list = loadInstances(instancesFile);
+    expect(list.length).toBe(1);
+    expect(list[0].name).toBe("t2");
+  });
+
+  test("sink_type placeholder survives the round-trip", () => {
+    addInstanceToFile(instancesFile, buildInstance("t1", "postgresql://u:p@h:5432/db"));
+    const content = fs.readFileSync(instancesFile, "utf8");
+    // js-yaml emits ~sink_type~ unquoted (it's only special when standalone);
+    // sed s/~sink_type~/.../g still hits it as raw text regardless.
+    expect(content).toContain("~sink_type~");
+  });
+
+  test("add throws InstancesParseError on a corrupted file (no silent overwrite)", () => {
+    // Silent overwrite would discard credentials in conn_str values. Refuse.
+    fs.writeFileSync(instancesFile, "key: [unclosed\nfoo: bar\n", "utf8");
+
+    expect(() =>
+      addInstanceToFile(instancesFile, buildInstance("t1", "postgresql://u:p@h:5432/db")),
+    ).toThrow(InstancesParseError);
+
+    // File contents are unchanged.
+    expect(fs.readFileSync(instancesFile, "utf8")).toBe("key: [unclosed\nfoo: bar\n");
+  });
+
+  test("add rejects duplicate name", () => {
+    addInstanceToFile(instancesFile, buildInstance("t1", "postgresql://u:p@h:5432/db"));
+    expect(() =>
+      addInstanceToFile(instancesFile, buildInstance("t1", "postgresql://u:p@h:5432/db")),
+    ).toThrow(/already exists/);
+  });
+
+  test("add replaces a directory at the target path (Docker bind-mount artifact)", () => {
+    fs.mkdirSync(instancesFile);
+    expect(fs.statSync(instancesFile).isDirectory()).toBe(true);
+    addInstanceToFile(instancesFile, buildInstance("t1", "postgresql://u:p@h:5432/db"));
+    expect(fs.statSync(instancesFile).isFile()).toBe(true);
+    expect(loadInstances(instancesFile).length).toBe(1);
+  });
+});
+
+describe("sslOptionFromConnString — libpq semantics", () => {
+  test("sslmode=require → SSL without chain verification", () => {
+    expect(sslOptionFromConnString("postgresql://u:p@h/db?sslmode=require"))
+      .toEqual({ rejectUnauthorized: false });
+  });
+
+  test("sslmode unset → SSL without chain verification", () => {
+    expect(sslOptionFromConnString("postgresql://u:p@h/db"))
+      .toEqual({ rejectUnauthorized: false });
+  });
+
+  test("sslmode=disable → no SSL", () => {
+    expect(sslOptionFromConnString("postgresql://u:p@h/db?sslmode=disable")).toBe(false);
+  });
+
+  test("sslmode=verify-ca → chain verification, no hostname check", () => {
+    const opt = sslOptionFromConnString("postgresql://u:p@h/db?sslmode=verify-ca");
+    expect(opt).toMatchObject({ rejectUnauthorized: true });
+    expect(typeof (opt as any).checkServerIdentity).toBe("function");
+  });
+
+  test("sslmode=verify-full → chain + hostname verification", () => {
+    expect(sslOptionFromConnString("postgresql://u:p@h/db?sslmode=verify-full"))
+      .toEqual({ rejectUnauthorized: true });
+  });
+
+  test("sslmode=prefer → SSL without chain verification", () => {
+    expect(sslOptionFromConnString("postgresql://u:p@h/db?sslmode=prefer"))
+      .toEqual({ rejectUnauthorized: false });
+  });
+
+  test("malformed connection string → safe default (no chain verification)", () => {
+    expect(sslOptionFromConnString("not-a-url")).toEqual({ rejectUnauthorized: false });
+  });
+});
+
+describe("buildClientConfig — actual node-postgres Client gets the intended ssl (regression)", () => {
+  // The previous code passed `{ connectionString, ssl }` to `new Client(...)`.
+  // node-postgres' ConnectionParameters internally does
+  // `Object.assign({}, config, parse(connectionString))`, so the parsed
+  // `connectionString.ssl` REPLACES the explicit `ssl`. Net effect:
+  //   `?sslmode=require` + `ssl: { rejectUnauthorized: false }` → `ssl: {}`
+  //                                                              (chain verified)
+  // — exactly the bug the MR claims to fix. This integration test asserts
+  // against `client.connectionParameters.ssl`, so the bug cannot return.
+
+  test("require: actual Client.connectionParameters.ssl has rejectUnauthorized:false", () => {
+    const c = new Client(buildClientConfig("postgresql://u:p@h/db?sslmode=require"));
+    expect(c.connectionParameters.ssl).toEqual({ rejectUnauthorized: false });
+  });
+
+  test("verify-full: actual Client.connectionParameters.ssl has rejectUnauthorized:true", () => {
+    const c = new Client(buildClientConfig("postgresql://u:p@h/db?sslmode=verify-full"));
+    expect(c.connectionParameters.ssl).toEqual({ rejectUnauthorized: true });
+  });
+
+  test("disable: actual Client.connectionParameters.ssl is false", () => {
+    const c = new Client(buildClientConfig("postgresql://u:p@h/db?sslmode=disable"));
+    expect(c.connectionParameters.ssl).toBe(false);
+  });
+
+  test("unset: actual Client.connectionParameters.ssl has rejectUnauthorized:false", () => {
+    const c = new Client(buildClientConfig("postgresql://u:p@h/db"));
+    expect(c.connectionParameters.ssl).toEqual({ rejectUnauthorized: false });
+  });
+
+  test("connectionTimeoutMillis is forwarded (exact value, not just truthy)", () => {
+    const c = new Client(buildClientConfig("postgresql://u:p@h/db?sslmode=require", { connectionTimeoutMillis: 5000 }));
+    // node-postgres v8 stores it on `_connectionTimeoutMillis`. Asserting the
+    // exact value catches regressions that would silently swap in the default.
+    expect((c as any)._connectionTimeoutMillis).toBe(5000);
+  });
+});
+
+describe("warnIfLaxSslmode — UX warning for lax sslmode", () => {
+  let stderrSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    stderrSpy = spyOn(console, "error").mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    stderrSpy.mockRestore();
+  });
+
+  for (const sslmode of ["require", "prefer", "allow"]) {
+    test(`warns when sslmode=${sslmode}`, () => {
+      warnIfLaxSslmode(`postgresql://u:p@h/db?sslmode=${sslmode}`);
+      expect(stderrSpy).toHaveBeenCalledTimes(1);
+      const msg = String(stderrSpy.mock.calls[0][0]);
+      expect(msg).toContain(`sslmode=${sslmode}`);
+      expect(msg).toContain("NOT verified");
+      expect(msg).toContain("verify-full");
+    });
+  }
+
+  test("warns when sslmode is unset (uses '(unset)' label)", () => {
+    warnIfLaxSslmode("postgresql://u:p@h/db");
+    expect(stderrSpy).toHaveBeenCalledTimes(1);
+    expect(String(stderrSpy.mock.calls[0][0])).toContain("sslmode=(unset)");
+  });
+
+  test("does NOT warn when sslmode=verify-full or verify-ca or disable", () => {
+    warnIfLaxSslmode("postgresql://u:p@h/db?sslmode=verify-full");
+    warnIfLaxSslmode("postgresql://u:p@h/db?sslmode=verify-ca");
+    warnIfLaxSslmode("postgresql://u:p@h/db?sslmode=disable");
+    expect(stderrSpy).not.toHaveBeenCalled();
+  });
+});
+
+describe("buildClientConfig — silences pg-connection-string deprecation warning", () => {
+  // pg-connection-string v2.x prints `process.emitWarning("SECURITY WARNING:
+  // ... 'prefer'/'require'/'verify-ca' ...")` whenever a recognised lax
+  // sslmode appears. Without our `uselibpqcompat=true` shim, this would fire
+  // on every CLI invocation against a Supabase-shaped URL. Assert it doesn't.
+
+  let warnings: string[];
+  let origEmitWarning: typeof process.emitWarning;
+
+  beforeEach(() => {
+    warnings = [];
+    origEmitWarning = process.emitWarning;
+    (process as any).emitWarning = (warning: any) => {
+      warnings.push(typeof warning === "string" ? warning : String(warning));
+    };
+  });
+
+  afterEach(() => {
+    (process as any).emitWarning = origEmitWarning;
+  });
+
+  for (const sslmode of ["require", "prefer", "verify-ca"]) {
+    test(`no SECURITY WARNING for sslmode=${sslmode}`, () => {
+      buildClientConfig(`postgresql://u:p@h/db?sslmode=${sslmode}`);
+      const security = warnings.filter((w) => w.includes("SECURITY"));
+      expect(security).toEqual([]);
+    });
+  }
+});
+
+describe("extractSslmode / isLaxSslmode", () => {
+  test("extractSslmode returns lowercase", () => {
+    expect(extractSslmode("postgresql://u:p@h/db?sslmode=REQUIRE")).toBe("require");
+  });
+
+  test("extractSslmode returns '' for unparseable URLs", () => {
+    expect(extractSslmode("not-a-url")).toBe("");
+  });
+
+  test("isLaxSslmode covers the full set", () => {
+    expect(isLaxSslmode("")).toBe(true);
+    expect(isLaxSslmode("require")).toBe(true);
+    expect(isLaxSslmode("prefer")).toBe(true);
+    expect(isLaxSslmode("allow")).toBe(true);
+    expect(isLaxSslmode("verify-ca")).toBe(false);
+    expect(isLaxSslmode("verify-full")).toBe(false);
+    expect(isLaxSslmode("disable")).toBe(false);
+  });
+});

package/test/storage.test.ts

@@ -1,5 +1,5 @@
 import { describe, test, expect, mock, afterEach, beforeEach } from "bun:test";
-import { uploadFile, downloadFile, buildMarkdownLink } from "../lib/storage";
+import { uploadFile, downloadFile, buildMarkdownLink, uploadAttachments, appendAttachmentsToContent } from "../lib/storage";
 import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
@@ -759,3 +759,177 @@ describe("buildMarkdownLink escaping", () => {
     expect(result).toBe("![shot \\[v2\\] \\(draft\\).png](https://postgres.ai/storage/files/123/abc.png)");
   });
 });
+
+describe("appendAttachmentsToContent", () => {
+  const mkAttachment = (markdown: string) => ({
+    path: "/tmp/x",
+    url: "/files/1/x",
+    markdown,
+    metadata: { originalName: "x", size: 0, mimeType: "x", uploadedAt: "", duration: 0 },
+  });
+
+  test("returns content unchanged when attachments empty", () => {
+    expect(appendAttachmentsToContent("hello", [])).toBe("hello");
+  });
+
+  test("returns content unchanged when attachments missing (undefined-safe)", () => {
+    // Defensive: callers may pass undefined for cleaner sites — we tolerate it.
+    // (TS prevents this at compile time but runtime data can disagree.)
+    expect(appendAttachmentsToContent("hello", undefined as unknown as never[])).toBe("hello");
+  });
+
+  test("returns just the link(s) when content is empty string", () => {
+    const out = appendAttachmentsToContent("", [mkAttachment("![a](u)")]);
+    expect(out).toBe("![a](u)");
+  });
+
+  test("returns just the link(s) when content is whitespace", () => {
+    const out = appendAttachmentsToContent("   \n  ", [mkAttachment("![a](u)")]);
+    expect(out).toBe("![a](u)");
+  });
+
+  test("appends a single link with two-newline separator", () => {
+    const out = appendAttachmentsToContent("hello", [mkAttachment("![a](u)")]);
+    expect(out).toBe("hello\n\n![a](u)");
+  });
+
+  test("appends multiple links one per line, preserving order", () => {
+    const out = appendAttachmentsToContent("hello", [
+      mkAttachment("![first](u1)"),
+      mkAttachment("[second](u2)"),
+      mkAttachment("![third](u3)"),
+    ]);
+    expect(out).toBe("hello\n\n![first](u1)\n[second](u2)\n![third](u3)");
+  });
+
+  test("does not strip user-provided trailing newlines", () => {
+    // The user may have a meaningful trailing newline (e.g. for code blocks).
+    // We should not normalize content beyond appending.
+    const out = appendAttachmentsToContent("hello\n", [mkAttachment("![a](u)")]);
+    expect(out).toBe("hello\n\n\n![a](u)");
+  });
+});
+
+describe("uploadAttachments", () => {
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+  });
+
+  test("returns empty array when input is empty", async () => {
+    const out = await uploadAttachments({
+      apiKey: "k",
+      storageBaseUrl: "https://postgres.ai/storage",
+      attachmentPaths: [],
+    });
+    expect(out).toEqual([]);
+  });
+
+  test("returns empty array when input is undefined (defensive)", async () => {
+    const out = await uploadAttachments({
+      apiKey: "k",
+      storageBaseUrl: "https://postgres.ai/storage",
+      attachmentPaths: undefined as unknown as string[],
+    });
+    expect(out).toEqual([]);
+  });
+
+  test("uploads each file in order and returns metadata + markdown link per upload", async () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "ua-"));
+    const f1 = path.join(tmpDir, "shot.png");
+    const f2 = path.join(tmpDir, "trace.log");
+    fs.writeFileSync(f1, "fake-png-bytes");
+    fs.writeFileSync(f2, "log line 1\nlog line 2\n");
+
+    const fakeResponses = [
+      { url: "/files/9/aaa.png", originalName: "shot.png" },
+      { url: "/files/9/bbb.log", originalName: "trace.log" },
+    ];
+    const calls: Array<{ url: string; mime: string }> = [];
+
+    globalThis.fetch = mock((url: string, init?: RequestInit) => {
+      const body = init?.body as FormData;
+      const file = body?.get("file") as Blob;
+      const next = fakeResponses[calls.length];
+      calls.push({ url: String(url), mime: file?.type ?? "" });
+      return Promise.resolve(
+        new Response(
+          JSON.stringify({
+            success: true,
+            url: next.url,
+            metadata: {
+              originalName: next.originalName,
+              size: 0,
+              mimeType: file?.type ?? "application/octet-stream",
+              uploadedAt: "",
+              duration: 0,
+            },
+            requestId: `r-${calls.length}`,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        )
+      );
+    }) as unknown as typeof fetch;
+
+    try {
+      const out = await uploadAttachments({
+        apiKey: "k",
+        storageBaseUrl: "https://postgres.ai/storage",
+        attachmentPaths: [f1, f2],
+      });
+
+      // Both uploads happened, in order.
+      expect(calls).toHaveLength(2);
+      expect(calls[0].url).toBe("https://postgres.ai/storage/upload");
+      expect(calls[1].url).toBe("https://postgres.ai/storage/upload");
+      // Mime types from extensions (image/png, text/plain).
+      // Blob may append `;charset=utf-8` for text MIME types — accept either.
+      expect(calls[0].mime).toBe("image/png");
+      expect(calls[1].mime.startsWith("text/plain")).toBe(true);
+
+      expect(out).toHaveLength(2);
+      expect(out[0].path).toBe(f1);
+      expect(out[0].url).toBe("/files/9/aaa.png");
+      // Image extension renders inline.
+      expect(out[0].markdown).toBe("![shot.png](https://postgres.ai/storage/files/9/aaa.png)");
+      expect(out[0].metadata.mimeType).toBe("image/png");
+
+      expect(out[1].path).toBe(f2);
+      expect(out[1].url).toBe("/files/9/bbb.log");
+      // Non-image renders as plain link.
+      expect(out[1].markdown).toBe("[trace.log](https://postgres.ai/storage/files/9/bbb.log)");
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+
+  test("error on file N surfaces the path so the user can retry", async () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "ua-err-"));
+    const f1 = path.join(tmpDir, "ok.txt");
+    fs.writeFileSync(f1, "ok");
+    const missing = path.join(tmpDir, "definitely-not-here.png");
+
+    let callCount = 0;
+    globalThis.fetch = mock(() => {
+      callCount++;
+      return Promise.resolve(
+        new Response(JSON.stringify({ success: true, url: "/files/1/a", metadata: { originalName: "ok.txt", size: 2, mimeType: "text/plain", uploadedAt: "", duration: 0 }, requestId: "r" }), { status: 200 })
+      );
+    }) as unknown as typeof fetch;
+
+    try {
+      await expect(
+        uploadAttachments({
+          apiKey: "k",
+          storageBaseUrl: "https://postgres.ai/storage",
+          attachmentPaths: [f1, missing],
+        })
+      ).rejects.toThrow(/File not found.*definitely-not-here/);
+      // The first file was uploaded before the failure; we don't retry it.
+      // (Documenting current behavior — caller is responsible if mid-failure
+      // partial uploads matter.)
+      expect(callCount).toBe(1);
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+});