postgresai 0.15.0-dev.2 → 0.15.0-dev.4

package/dist/bin/postgres-ai.js

@@ -27,6 +27,7 @@ var __export = (target, all) => {
       set: (newValue) => all[name] = () => newValue
     });
 };
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // node_modules/commander/lib/error.js
@@ -13046,6 +13047,92 @@ var require_dist2 = __commonJS((exports, module) => {
   exports.default = formatsPlugin;
 });
 
+// lib/util.ts
+var exports_util2 = {};
+__export(exports_util2, {
+  resolveBaseUrls: () => resolveBaseUrls2,
+  normalizeBaseUrl: () => normalizeBaseUrl2,
+  maskSecret: () => maskSecret2,
+  formatHttpError: () => formatHttpError2
+});
+function isHtmlContent2(text) {
+  const trimmed = text.trim();
+  return trimmed.startsWith("<!DOCTYPE") || trimmed.startsWith("<html") || trimmed.startsWith("<HTML");
+}
+function formatHttpError2(operation, status, responseBody) {
+  const statusMessage = HTTP_STATUS_MESSAGES2[status] || "Request failed";
+  let errMsg = `${operation}: HTTP ${status} - ${statusMessage}`;
+  if (responseBody) {
+    if (isHtmlContent2(responseBody)) {
+      return errMsg;
+    }
+    try {
+      const errObj = JSON.parse(responseBody);
+      const message = errObj.message || errObj.error || errObj.detail;
+      if (message && typeof message === "string") {
+        errMsg += `
+${message}`;
+      } else {
+        errMsg += `
+${JSON.stringify(errObj, null, 2)}`;
+      }
+    } catch {
+      const trimmed = responseBody.trim();
+      if (trimmed.length > 0 && trimmed.length < 500) {
+        errMsg += `
+${trimmed}`;
+      }
+    }
+  }
+  return errMsg;
+}
+function maskSecret2(secret) {
+  if (!secret)
+    return "";
+  if (secret.length <= 8)
+    return "****";
+  if (secret.length <= 16)
+    return `${secret.slice(0, 4)}${"*".repeat(secret.length - 8)}${secret.slice(-4)}`;
+  return `${secret.slice(0, Math.min(12, secret.length - 8))}${"*".repeat(Math.max(4, secret.length - 16))}${secret.slice(-4)}`;
+}
+function normalizeBaseUrl2(value) {
+  const trimmed = (value || "").replace(/\/$/, "");
+  try {
+    new URL(trimmed);
+  } catch {
+    throw new Error(`Invalid base URL: ${value}`);
+  }
+  return trimmed;
+}
+function resolveBaseUrls2(opts, cfg, defaults2 = {}) {
+  const defApi = defaults2.apiBaseUrl || "https://postgres.ai/api/general/";
+  const defUi = defaults2.uiBaseUrl || "https://console.postgres.ai";
+  const defStorage = defaults2.storageBaseUrl || "https://postgres.ai/storage";
+  const apiCandidate = opts?.apiBaseUrl || process.env.PGAI_API_BASE_URL || cfg?.baseUrl || defApi;
+  const uiCandidate = opts?.uiBaseUrl || process.env.PGAI_UI_BASE_URL || defUi;
+  const storageCandidate = opts?.storageBaseUrl || process.env.PGAI_STORAGE_BASE_URL || cfg?.storageBaseUrl || defStorage;
+  return {
+    apiBaseUrl: normalizeBaseUrl2(apiCandidate),
+    uiBaseUrl: normalizeBaseUrl2(uiCandidate),
+    storageBaseUrl: normalizeBaseUrl2(storageCandidate)
+  };
+}
+var HTTP_STATUS_MESSAGES2;
+var init_util = __esm(() => {
+  HTTP_STATUS_MESSAGES2 = {
+    400: "Bad Request",
+    401: "Unauthorized - check your API key",
+    403: "Forbidden - access denied",
+    404: "Not Found",
+    408: "Request Timeout",
+    429: "Too Many Requests - rate limited",
+    500: "Internal Server Error",
+    502: "Bad Gateway - server temporarily unavailable",
+    503: "Service Unavailable - server temporarily unavailable",
+    504: "Gateway Timeout - server temporarily unavailable"
+  };
+});
+
 // node_modules/commander/esm.mjs
 var import__ = __toESM(require_commander(), 1);
 var {
@@ -13064,7 +13151,7 @@ var {
 // package.json
 var package_default = {
   name: "postgresai",
-  version: "0.15.0-dev.2",
+  version: "0.15.0-dev.4",
   description: "postgres_ai CLI",
   license: "Apache-2.0",
   private: false,
@@ -13140,6 +13227,7 @@ function readConfig() {
   const config = {
     apiKey: null,
     baseUrl: null,
+    storageBaseUrl: null,
     orgId: null,
     defaultProject: null,
     projectName: null
@@ -13151,6 +13239,7 @@ function readConfig() {
       const parsed = JSON.parse(content);
       config.apiKey = parsed.apiKey ?? null;
       config.baseUrl = parsed.baseUrl ?? null;
+      config.storageBaseUrl = parsed.storageBaseUrl ?? null;
       config.orgId = parsed.orgId ?? null;
       config.defaultProject = parsed.defaultProject ?? null;
       config.projectName = parsed.projectName ?? null;
@@ -15873,8 +15962,8 @@ var safeLoadAll = renamed("safeLoadAll", "loadAll");
 var safeDump = renamed("safeDump", "dump");
 
 // bin/postgres-ai.ts
-import * as fs5 from "fs";
-import * as path5 from "path";
+import * as fs6 from "fs";
+import * as path6 from "path";
 import * as os3 from "os";
 import * as crypto2 from "crypto";
 
@@ -15892,7 +15981,7 @@ var Result = import_lib.default.Result;
 var TypeOverrides = import_lib.default.TypeOverrides;
 var defaults = import_lib.default.defaults;
 // package.json
-var version = "0.15.0-dev.2";
+var version = "0.15.0-dev.4";
 var package_default2 = {
   name: "postgresai",
   version,
@@ -15971,6 +16060,7 @@ function readConfig2() {
   const config = {
     apiKey: null,
     baseUrl: null,
+    storageBaseUrl: null,
     orgId: null,
     defaultProject: null,
     projectName: null
@@ -15982,6 +16072,7 @@ function readConfig2() {
       const parsed = JSON.parse(content);
       config.apiKey = parsed.apiKey ?? null;
       config.baseUrl = parsed.baseUrl ?? null;
+      config.storageBaseUrl = parsed.storageBaseUrl ?? null;
       config.orgId = parsed.orgId ?? null;
       config.defaultProject = parsed.defaultProject ?? null;
       config.projectName = parsed.projectName ?? null;
@@ -16079,11 +16170,14 @@ function normalizeBaseUrl(value) {
 function resolveBaseUrls(opts, cfg, defaults2 = {}) {
   const defApi = defaults2.apiBaseUrl || "https://postgres.ai/api/general/";
   const defUi = defaults2.uiBaseUrl || "https://console.postgres.ai";
+  const defStorage = defaults2.storageBaseUrl || "https://postgres.ai/storage";
   const apiCandidate = opts?.apiBaseUrl || process.env.PGAI_API_BASE_URL || cfg?.baseUrl || defApi;
   const uiCandidate = opts?.uiBaseUrl || process.env.PGAI_UI_BASE_URL || defUi;
+  const storageCandidate = opts?.storageBaseUrl || process.env.PGAI_STORAGE_BASE_URL || cfg?.storageBaseUrl || defStorage;
   return {
     apiBaseUrl: normalizeBaseUrl(apiCandidate),
-    uiBaseUrl: normalizeBaseUrl(uiCandidate)
+    uiBaseUrl: normalizeBaseUrl(uiCandidate),
+    storageBaseUrl: normalizeBaseUrl(storageCandidate)
   };
 }
 
@@ -16115,18 +16209,18 @@ async function fetchIssues(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16157,18 +16251,18 @@ async function fetchIssueComments(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16202,18 +16296,18 @@ async function fetchIssue(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16275,11 +16369,11 @@ async function createIssue(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -16287,8 +16381,8 @@ async function createIssue(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16330,11 +16424,11 @@ async function createIssueComment(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -16342,8 +16436,8 @@ async function createIssueComment(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16393,11 +16487,11 @@ async function updateIssue(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -16405,8 +16499,8 @@ async function updateIssue(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16445,11 +16539,11 @@ async function updateIssueComment(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -16457,8 +16551,8 @@ async function updateIssueComment(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16497,18 +16591,18 @@ async function fetchActionItem(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16548,18 +16642,18 @@ async function fetchActionItems(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16611,11 +16705,11 @@ async function createActionItem(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -16623,8 +16717,8 @@ async function createActionItem(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16688,11 +16782,11 @@ async function updateActionItem(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -16700,8 +16794,8 @@ async function updateActionItem(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   if (!response.ok) {
     const data = await response.text();
@@ -16761,13 +16855,13 @@ async function fetchReports(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), { method: "GET", headers });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response status: ${response.status}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16828,13 +16922,13 @@ async function fetchReportFiles(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), { method: "GET", headers });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response status: ${response.status}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -16875,13 +16969,13 @@ async function fetchReportFileData(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), { method: "GET", headers });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response status: ${response.status}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24264,18 +24358,18 @@ async function fetchIssues2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24306,18 +24400,18 @@ async function fetchIssueComments2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24351,18 +24445,18 @@ async function fetchIssue2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24424,11 +24518,11 @@ async function createIssue2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -24436,8 +24530,8 @@ async function createIssue2(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24479,11 +24573,11 @@ async function createIssueComment2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -24491,8 +24585,8 @@ async function createIssueComment2(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24542,11 +24636,11 @@ async function updateIssue2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -24554,8 +24648,8 @@ async function updateIssue2(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24594,11 +24688,11 @@ async function updateIssueComment2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -24606,8 +24700,8 @@ async function updateIssueComment2(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24646,18 +24740,18 @@ async function fetchActionItem2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24697,18 +24791,18 @@ async function fetchActionItems2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), {
     method: "GET",
     headers
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24760,11 +24854,11 @@ async function createActionItem2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -24772,8 +24866,8 @@ async function createActionItem2(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24837,11 +24931,11 @@ async function updateActionItem2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: POST URL: ${url.toString()}`);
-    console.log(`Debug: Auth scheme: access-token`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
-    console.log(`Debug: Request body: ${body}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url.toString()}`);
+    console.error(`Debug: Auth scheme: access-token`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Request body: ${body}`);
   }
   const response = await fetch(url.toString(), {
     method: "POST",
@@ -24849,8 +24943,8 @@ async function updateActionItem2(params) {
     body
   });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
-    console.log(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
   }
   if (!response.ok) {
     const data = await response.text();
@@ -24910,13 +25004,13 @@ async function fetchReports2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), { method: "GET", headers });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response status: ${response.status}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -24977,13 +25071,13 @@ async function fetchReportFiles2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), { method: "GET", headers });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response status: ${response.status}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -25024,13 +25118,13 @@ async function fetchReportFileData2(params) {
   };
   if (debug) {
     const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
-    console.log(`Debug: Resolved API base URL: ${base}`);
-    console.log(`Debug: GET URL: ${url.toString()}`);
-    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+    console.error(`Debug: Resolved API base URL: ${base}`);
+    console.error(`Debug: GET URL: ${url.toString()}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
   }
   const response = await fetch(url.toString(), { method: "GET", headers });
   if (debug) {
-    console.log(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response status: ${response.status}`);
   }
   const data = await response.text();
   if (response.ok) {
@@ -25097,41 +25191,198 @@ function renderMarkdownForTerminal(md) {
 `);
 }
 
-// lib/util.ts
-function maskSecret2(secret) {
-  if (!secret)
-    return "";
-  if (secret.length <= 8)
-    return "****";
-  if (secret.length <= 16)
-    return `${secret.slice(0, 4)}${"*".repeat(secret.length - 8)}${secret.slice(-4)}`;
-  return `${secret.slice(0, Math.min(12, secret.length - 8))}${"*".repeat(Math.max(4, secret.length - 16))}${secret.slice(-4)}`;
-}
-function normalizeBaseUrl2(value) {
-  const trimmed = (value || "").replace(/\/$/, "");
-  try {
-    new URL(trimmed);
-  } catch {
-    throw new Error(`Invalid base URL: ${value}`);
+// bin/postgres-ai.ts
+init_util();
+
+// lib/storage.ts
+import * as fs3 from "fs";
+import * as path3 from "path";
+var MAX_UPLOAD_SIZE = 500 * 1024 * 1024;
+var MAX_DOWNLOAD_SIZE = 500 * 1024 * 1024;
+var MIME_TYPES = {
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".svg": "image/svg+xml",
+  ".bmp": "image/bmp",
+  ".ico": "image/x-icon",
+  ".pdf": "application/pdf",
+  ".json": "application/json",
+  ".xml": "application/xml",
+  ".zip": "application/zip",
+  ".gz": "application/gzip",
+  ".tar": "application/x-tar",
+  ".csv": "text/csv",
+  ".txt": "text/plain",
+  ".log": "text/plain",
+  ".sql": "application/sql",
+  ".html": "text/html",
+  ".css": "text/css",
+  ".js": "application/javascript",
+  ".ts": "application/typescript",
+  ".md": "text/markdown",
+  ".yaml": "application/x-yaml",
+  ".yml": "application/x-yaml"
+};
+async function uploadFile(params) {
+  const { apiKey, storageBaseUrl, filePath, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+  if (!storageBaseUrl) {
+    throw new Error("storageBaseUrl is required");
+  }
+  if (!filePath) {
+    throw new Error("filePath is required");
+  }
+  const resolvedPath = path3.resolve(filePath);
+  if (!fs3.existsSync(resolvedPath)) {
+    throw new Error(`File not found: ${resolvedPath}`);
+  }
+  const stat = fs3.statSync(resolvedPath);
+  if (!stat.isFile()) {
+    throw new Error(`Not a file: ${resolvedPath}`);
+  }
+  if (stat.size > MAX_UPLOAD_SIZE) {
+    throw new Error(`File too large: ${stat.size} bytes (max ${MAX_UPLOAD_SIZE})`);
+  }
+  const base = normalizeBaseUrl(storageBaseUrl);
+  if (new URL(base).protocol === "http:") {
+    console.error("Warning: storage URL uses HTTP — API key will be sent unencrypted");
+  }
+  const url = `${base}/upload`;
+  const fileBuffer = fs3.readFileSync(resolvedPath);
+  const fileName = path3.basename(resolvedPath);
+  const ext = path3.extname(fileName).toLowerCase();
+  const mimeType = MIME_TYPES[ext] || "application/octet-stream";
+  const formData = new FormData;
+  formData.append("file", new Blob([fileBuffer], { type: mimeType }), fileName);
+  const headers = {
+    "access-token": apiKey
+  };
+  if (debug) {
+    const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
+    console.error(`Debug: Storage base URL: ${base}`);
+    console.error(`Debug: POST URL: ${url}`);
+    console.error(`Debug: File: ${resolvedPath} (${stat.size} bytes, ${mimeType})`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+  const response = await fetch(url, {
+    method: "POST",
+    headers,
+    body: formData
+  });
+  if (debug) {
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+  }
+  const data = await response.text();
+  if (response.ok) {
+    try {
+      return JSON.parse(data);
+    } catch {
+      throw new Error(`Failed to parse upload response: ${data}`);
+    }
+  } else {
+    throw new Error(formatHttpError("Failed to upload file", response.status, data));
   }
-  return trimmed;
 }
-function resolveBaseUrls2(opts, cfg, defaults2 = {}) {
-  const defApi = defaults2.apiBaseUrl || "https://postgres.ai/api/general/";
-  const defUi = defaults2.uiBaseUrl || "https://console.postgres.ai";
-  const apiCandidate = opts?.apiBaseUrl || process.env.PGAI_API_BASE_URL || cfg?.baseUrl || defApi;
-  const uiCandidate = opts?.uiBaseUrl || process.env.PGAI_UI_BASE_URL || defUi;
+async function downloadFile(params) {
+  const { apiKey, storageBaseUrl, fileUrl, outputPath, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+  if (!storageBaseUrl) {
+    throw new Error("storageBaseUrl is required");
+  }
+  if (!fileUrl) {
+    throw new Error("fileUrl is required");
+  }
+  const base = normalizeBaseUrl(storageBaseUrl);
+  if (new URL(base).protocol === "http:") {
+    console.error("Warning: storage URL uses HTTP — API key will be sent unencrypted");
+  }
+  let fullUrl;
+  if (fileUrl.startsWith("http://") || fileUrl.startsWith("https://")) {
+    if (!fileUrl.startsWith(base + "/")) {
+      throw new Error(`URL must be under storage base URL: ${base}`);
+    }
+    fullUrl = fileUrl;
+  } else {
+    const relativePath = fileUrl.startsWith("/") ? fileUrl : `/${fileUrl}`;
+    fullUrl = `${base}${relativePath}`;
+  }
+  const urlFilename = path3.basename(new URL(fullUrl).pathname);
+  if (!urlFilename) {
+    throw new Error("Cannot derive filename from URL; please specify --output");
+  }
+  const saveTo = outputPath ? path3.resolve(outputPath) : path3.resolve(urlFilename);
+  if (!outputPath) {
+    const normalizedSave = path3.normalize(saveTo);
+    if (!normalizedSave.startsWith(path3.normalize(process.cwd()))) {
+      throw new Error("Derived output path escapes current directory; please specify --output");
+    }
+  }
+  const headers = {
+    "access-token": apiKey
+  };
+  if (debug) {
+    const debugHeaders = { ...headers, "access-token": maskSecret(apiKey) };
+    console.error(`Debug: Storage base URL: ${base}`);
+    console.error(`Debug: GET URL: ${fullUrl}`);
+    console.error(`Debug: Output: ${saveTo}`);
+    console.error(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+  const response = await fetch(fullUrl, {
+    method: "GET",
+    headers
+  });
+  if (debug) {
+    console.error(`Debug: Response status: ${response.status}`);
+    console.error(`Debug: Response headers: ${JSON.stringify(Object.fromEntries(response.headers.entries()))}`);
+  }
+  if (!response.ok) {
+    const data = await response.text();
+    throw new Error(formatHttpError("Failed to download file", response.status, data));
+  }
+  const contentLength = response.headers.get("content-length");
+  if (contentLength && parseInt(contentLength, 10) > MAX_DOWNLOAD_SIZE) {
+    throw new Error(`File too large: ${contentLength} bytes (max ${MAX_DOWNLOAD_SIZE})`);
+  }
+  const arrayBuffer = await response.arrayBuffer();
+  const buffer = Buffer.from(arrayBuffer);
+  const parentDir = path3.dirname(saveTo);
+  if (!fs3.existsSync(parentDir)) {
+    fs3.mkdirSync(parentDir, { recursive: true });
+  }
+  fs3.writeFileSync(saveTo, buffer);
   return {
-    apiBaseUrl: normalizeBaseUrl2(apiCandidate),
-    uiBaseUrl: normalizeBaseUrl2(uiCandidate)
+    savedTo: saveTo,
+    size: buffer.length,
+    mimeType: response.headers.get("content-type")
   };
 }
+var IMAGE_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".bmp", ".ico"]);
+function buildMarkdownLink(fileUrl, storageBaseUrl, filename) {
+  const base = normalizeBaseUrl(storageBaseUrl);
+  const normalizedFileUrl = fileUrl.startsWith("/") ? fileUrl : `/${fileUrl}`;
+  const fullUrl = fileUrl.startsWith("http://") || fileUrl.startsWith("https://") ? fileUrl : `${base}${normalizedFileUrl}`;
+  const name = filename || path3.basename(new URL(fullUrl).pathname);
+  const safeName = name.replace(/[\[\]()]/g, "\\$&");
+  const ext = path3.extname(name).toLowerCase();
+  if (IMAGE_EXTENSIONS.has(ext)) {
+    return `![${safeName}](${fullUrl})`;
+  }
+  return `[${safeName}](${fullUrl})`;
+}
 
 // lib/init.ts
 import { randomBytes } from "crypto";
 import { URL as URL2, fileURLToPath } from "url";
-import * as fs3 from "fs";
-import * as path3 from "path";
+import * as fs4 from "fs";
+import * as path4 from "path";
 var DEFAULT_MONITORING_USER = "postgres_ai_mon";
 var KNOWN_PROVIDERS = ["self-managed", "supabase"];
 var SKIP_ROLE_CREATION_PROVIDERS = ["supabase"];
@@ -25203,7 +25454,7 @@ async function connectWithSslFallback(ClientClass, adminConn, verbose) {
       throw sslErr;
     }
     if (verbose) {
-      console.log("SSL connection failed, retrying without SSL...");
+      console.error("SSL connection failed, retrying without SSL...");
     }
     const noSslConfig = { ...adminConn.clientConfig, ssl: false };
     try {
@@ -25222,21 +25473,21 @@ async function connectWithSslFallback(ClientClass, adminConn, verbose) {
 }
 function sqlDir() {
   const currentFile = fileURLToPath(import.meta.url);
-  const currentDir = path3.dirname(currentFile);
+  const currentDir = path4.dirname(currentFile);
   const candidates = [
-    path3.resolve(currentDir, "..", "sql"),
-    path3.resolve(currentDir, "..", "..", "sql")
+    path4.resolve(currentDir, "..", "sql"),
+    path4.resolve(currentDir, "..", "..", "sql")
   ];
   for (const candidate of candidates) {
-    if (fs3.existsSync(candidate)) {
+    if (fs4.existsSync(candidate)) {
       return candidate;
     }
   }
   throw new Error(`SQL directory not found. Searched: ${candidates.join(", ")}`);
 }
 function loadSqlTemplate(filename) {
-  const p = path3.join(sqlDir(), filename);
-  return fs3.readFileSync(p, "utf8");
+  const p = path4.join(sqlDir(), filename);
+  return fs4.readFileSync(p, "utf8");
 }
 function applyTemplate(sql, vars) {
   return sql.replace(/\{\{([A-Z0-9_]+)\}\}/g, (_, key) => {
@@ -26215,12 +26466,12 @@ function createCallbackServer(port = 0, expectedState = null, timeoutMs = 300000
   let resolveReady;
   let rejectReady;
   let serverInstance = null;
-  const promise2 = new Promise((resolve4, reject) => {
-    resolveCallback = resolve4;
+  const promise2 = new Promise((resolve5, reject) => {
+    resolveCallback = resolve5;
     rejectCallback = reject;
   });
-  const ready = new Promise((resolve4, reject) => {
-    resolveReady = resolve4;
+  const ready = new Promise((resolve5, reject) => {
+    resolveReady = resolve5;
     rejectReady = reject;
   });
   let timeoutId = null;
@@ -26406,12 +26657,13 @@ function createCallbackServer(port = 0, expectedState = null, timeoutMs = 300000
 }
 
 // bin/postgres-ai.ts
+init_util();
 import { createInterface } from "readline";
 import * as childProcess from "child_process";
 
 // lib/checkup.ts
-import * as fs4 from "fs";
-import * as path4 from "path";
+import * as fs5 from "fs";
+import * as path5 from "path";
 
 // lib/metrics-embedded.ts
 var METRICS = {
@@ -27844,7 +28096,7 @@ function parseVersionNum(versionNum) {
     };
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    console.log(`[parseVersionNum] Warning: Failed to parse "${versionNum}": ${errorMsg}`);
+    console.error(`[parseVersionNum] Warning: Failed to parse "${versionNum}": ${errorMsg}`);
     return { major: "", minor: "" };
   }
 }
@@ -28161,7 +28413,7 @@ async function getStatsReset(client, pgMajorVersion = 16) {
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
     postmasterStartupError = `Failed to query postmaster start time: ${errorMsg}`;
-    console.log(`[getStatsReset] Warning: ${postmasterStartupError}`);
+    console.error(`[getStatsReset] Warning: ${postmasterStartupError}`);
   }
   const statsResult = {
     stats_reset_epoch: statsResetEpoch,
@@ -28214,7 +28466,7 @@ async function getRedundantIndexes(client, pgMajorVersion = 16) {
       const errorMsg = err instanceof Error ? err.message : String(err);
       const indexName = String(transformed.index_name || "unknown");
       parseError = `Failed to parse redundant_to_json: ${errorMsg}`;
-      console.log(`[H004] Warning: ${parseError} for index "${indexName}"`);
+      console.error(`[H004] Warning: ${parseError} for index "${indexName}"`);
     }
     const result2 = {
       schema_name: String(transformed.schema_name || ""),
@@ -28256,7 +28508,7 @@ function createBaseReport(checkId, checkTitle, nodeName) {
 }
 function readTextFileSafe(p) {
   try {
-    const value = fs4.readFileSync(p, "utf8").trim();
+    const value = fs5.readFileSync(p, "utf8").trim();
     return value || null;
   } catch {
     return null;
@@ -28269,8 +28521,8 @@ function resolveBuildTs() {
   if (fromFile)
     return fromFile;
   try {
-    const pkgRoot = path4.resolve(__dirname, "..");
-    const fromPkgFile = readTextFileSafe(path4.join(pkgRoot, "BUILD_TS"));
+    const pkgRoot = path5.resolve(__dirname, "..");
+    const fromPkgFile = readTextFileSafe(path5.join(pkgRoot, "BUILD_TS"));
     if (fromPkgFile)
       return fromPkgFile;
   } catch (err) {
@@ -28278,13 +28530,13 @@ function resolveBuildTs() {
     console.warn(`[resolveBuildTs] Warning: path resolution failed: ${errorMsg}`);
   }
   try {
-    const pkgJsonPath = path4.resolve(__dirname, "..", "package.json");
-    const st = fs4.statSync(pkgJsonPath);
+    const pkgJsonPath = path5.resolve(__dirname, "..", "package.json");
+    const st = fs5.statSync(pkgJsonPath);
     return st.mtime.toISOString();
   } catch (err) {
     if (process.env.DEBUG) {
       const errorMsg = err instanceof Error ? err.message : String(err);
-      console.log(`[resolveBuildTs] Could not stat package.json, using current time: ${errorMsg}`);
+      console.error(`[resolveBuildTs] Could not stat package.json, using current time: ${errorMsg}`);
     }
     return new Date().toISOString();
   }
@@ -28394,7 +28646,7 @@ async function generateD004(client, nodeName) {
     }
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    console.log(`[D004] Error querying pg_stat_statements: ${errorMsg}`);
+    console.error(`[D004] Error querying pg_stat_statements: ${errorMsg}`);
     pgssError = errorMsg;
   }
   let kcacheAvailable = false;
@@ -28440,7 +28692,7 @@ async function generateD004(client, nodeName) {
     }
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    console.log(`[D004] Error querying pg_stat_kcache: ${errorMsg}`);
+    console.error(`[D004] Error querying pg_stat_kcache: ${errorMsg}`);
     kcacheError = errorMsg;
   }
   report.results[nodeName] = {
@@ -28551,7 +28803,10 @@ async function generateF004(client, nodeName) {
     });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    console.log(`[F004] Error estimating table bloat: ${errorMsg}`);
+    console.error(`[F004] Error estimating table bloat: ${errorMsg}`);
+    if (errorMsg.includes("postgres_ai.")) {
+      console.error(`  Hint: Run "postgresai prepare-db <connection>" to create required objects.`);
+    }
   }
   const { datname: dbName, size_bytes: dbSizeBytes } = await getCurrentDatabaseInfo(client, pgMajorVersion);
   const totalCount = bloatedTables.length;
@@ -28625,7 +28880,10 @@ async function generateF005(client, nodeName) {
     });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    console.log(`[F005] Error estimating index bloat: ${errorMsg}`);
+    console.error(`[F005] Error estimating index bloat: ${errorMsg}`);
+    if (errorMsg.includes("postgres_ai.")) {
+      console.error(`  Hint: Run "postgresai prepare-db <connection>" to create required objects.`);
+    }
   }
   const { datname: dbName, size_bytes: dbSizeBytes } = await getCurrentDatabaseInfo(client, pgMajorVersion);
   const totalCount = bloatedIndexes.length;
@@ -28712,7 +28970,7 @@ async function generateG001(client, nodeName) {
     }
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    console.log(`[G001] Error calculating memory usage: ${errorMsg}`);
+    console.error(`[G001] Error calculating memory usage: ${errorMsg}`);
     memoryError = errorMsg;
   }
   report.results[nodeName] = {
@@ -28772,7 +29030,7 @@ async function generateG003(client, nodeName) {
     }
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    console.log(`[G003] Error querying deadlock stats: ${errorMsg}`);
+    console.error(`[G003] Error querying deadlock stats: ${errorMsg}`);
     deadlockError = errorMsg;
   }
   report.results[nodeName] = {
@@ -28878,7 +29136,7 @@ async function withRetry(fn, config2 = {}, onRetry) {
       if (onRetry) {
         onRetry(attempt, err, delayMs);
       }
-      await new Promise((resolve5) => setTimeout(resolve5, delayMs));
+      await new Promise((resolve6) => setTimeout(resolve6, delayMs));
       delayMs = Math.min(delayMs * backoffMultiplier, maxDelayMs);
     }
   }
@@ -28948,7 +29206,7 @@ async function postRpc(params) {
   const controller = new AbortController;
   let timeoutId = null;
   let settled = false;
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve6, reject) => {
     const settledReject = (err) => {
       if (settled)
         return;
@@ -28963,7 +29221,7 @@ async function postRpc(params) {
       settled = true;
       if (timeoutId)
         clearTimeout(timeoutId);
-      resolve5(value);
+      resolve6(value);
     };
     const req = https.request(url, {
       method: "POST",
@@ -29336,27 +29594,27 @@ function closeReadline() {
   }
 }
 async function execPromise(command) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     childProcess.exec(command, (error2, stdout, stderr) => {
       if (error2) {
         const err = error2;
         err.code = typeof error2.code === "number" ? error2.code : 1;
         reject(err);
       } else {
-        resolve6({ stdout, stderr });
+        resolve7({ stdout, stderr });
       }
     });
   });
 }
 async function execFilePromise(file, args) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     childProcess.execFile(file, args, (error2, stdout, stderr) => {
       if (error2) {
         const err = error2;
         err.code = typeof error2.code === "number" ? error2.code : 1;
         reject(err);
       } else {
-        resolve6({ stdout, stderr });
+        resolve7({ stdout, stderr });
       }
     });
   });
@@ -29397,9 +29655,9 @@ function spawn2(cmd, args, options) {
   };
 }
 async function question(prompt) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     getReadline().question(prompt, (answer) => {
-      resolve6(answer);
+      resolve7(answer);
     });
   });
 }
@@ -29410,7 +29668,7 @@ function expandHomePath(p) {
   if (s === "~")
     return os3.homedir();
   if (s.startsWith("~/") || s.startsWith("~\\")) {
-    return path5.join(os3.homedir(), s.slice(2));
+    return path6.join(os3.homedir(), s.slice(2));
   }
   return s;
 }
@@ -29459,10 +29717,10 @@ function prepareOutputDirectory(outputOpt) {
   if (!outputOpt)
     return;
   const outputDir = expandHomePath(outputOpt);
-  const outputPath = path5.isAbsolute(outputDir) ? outputDir : path5.resolve(process.cwd(), outputDir);
-  if (!fs5.existsSync(outputPath)) {
+  const outputPath = path6.isAbsolute(outputDir) ? outputDir : path6.resolve(process.cwd(), outputDir);
+  if (!fs6.existsSync(outputPath)) {
     try {
-      fs5.mkdirSync(outputPath, { recursive: true });
+      fs6.mkdirSync(outputPath, { recursive: true });
     } catch (e) {
       const errAny = e;
       const code = typeof errAny?.code === "string" ? errAny.code : "";
@@ -29541,9 +29799,10 @@ async function uploadCheckupReports(uploadCfg, reports, spinner, logUpload) {
 }
 function writeReportFiles(reports, outputPath) {
   for (const [checkId, report] of Object.entries(reports)) {
-    const filePath = path5.join(outputPath, `${checkId}.json`);
-    fs5.writeFileSync(filePath, JSON.stringify(report, null, 2), "utf8");
-    console.log(`\u2713 ${checkId}: ${filePath}`);
+    const filePath = path6.join(outputPath, `${checkId}.json`);
+    fs6.writeFileSync(filePath, JSON.stringify(report, null, 2), "utf8");
+    const title = report.checkTitle || checkId;
+    console.log(`\u2713 ${checkId} ${title}: ${filePath}`);
   }
 }
 function printUploadSummary(summary, projectWasGenerated, useStderr, reports) {
@@ -29586,7 +29845,7 @@ function getDefaultMonitoringProjectDir() {
   const override = process.env.PGAI_PROJECT_DIR;
   if (override && override.trim())
     return override.trim();
-  return path5.join(getConfigDir(), "monitoring");
+  return path6.join(getConfigDir(), "monitoring");
 }
 async function downloadText(url) {
   const controller = new AbortController;
@@ -29603,12 +29862,12 @@ async function downloadText(url) {
 }
 async function ensureDefaultMonitoringProject() {
   const projectDir = getDefaultMonitoringProjectDir();
-  const composeFile = path5.resolve(projectDir, "docker-compose.yml");
-  const instancesFile = path5.resolve(projectDir, "instances.yml");
-  if (!fs5.existsSync(projectDir)) {
-    fs5.mkdirSync(projectDir, { recursive: true, mode: 448 });
+  const composeFile = path6.resolve(projectDir, "docker-compose.yml");
+  const instancesFile = path6.resolve(projectDir, "instances.yml");
+  if (!fs6.existsSync(projectDir)) {
+    fs6.mkdirSync(projectDir, { recursive: true, mode: 448 });
   }
-  if (!fs5.existsSync(composeFile)) {
+  if (!fs6.existsSync(composeFile)) {
     const refs = [
       process.env.PGAI_PROJECT_REF,
       package_default.version,
@@ -29620,36 +29879,36 @@ async function ensureDefaultMonitoringProject() {
       const url = `https://gitlab.com/postgres-ai/postgres_ai/-/raw/${encodeURIComponent(ref)}/docker-compose.yml`;
       try {
         const text = await downloadText(url);
-        fs5.writeFileSync(composeFile, text, { encoding: "utf8", mode: 384 });
+        fs6.writeFileSync(composeFile, text, { encoding: "utf8", mode: 384 });
         break;
       } catch (err) {
         lastErr = err;
       }
     }
-    if (!fs5.existsSync(composeFile)) {
+    if (!fs6.existsSync(composeFile)) {
       const msg = lastErr instanceof Error ? lastErr.message : String(lastErr);
       throw new Error(`Failed to bootstrap docker-compose.yml: ${msg}`);
     }
   }
-  if (!fs5.existsSync(instancesFile)) {
+  if (!fs6.existsSync(instancesFile)) {
     const header = `# PostgreSQL instances to monitor
 ` + `# Add your instances using: pgai mon targets add <connection-string> <name>
 
 `;
-    fs5.writeFileSync(instancesFile, header, { encoding: "utf8", mode: 384 });
+    fs6.writeFileSync(instancesFile, header, { encoding: "utf8", mode: 384 });
   }
-  const pgwatchConfig = path5.resolve(projectDir, ".pgwatch-config");
-  if (!fs5.existsSync(pgwatchConfig)) {
-    fs5.writeFileSync(pgwatchConfig, "", { encoding: "utf8", mode: 384 });
+  const pgwatchConfig = path6.resolve(projectDir, ".pgwatch-config");
+  if (!fs6.existsSync(pgwatchConfig)) {
+    fs6.writeFileSync(pgwatchConfig, "", { encoding: "utf8", mode: 384 });
   }
-  const envFile = path5.resolve(projectDir, ".env");
-  if (!fs5.existsSync(envFile)) {
+  const envFile = path6.resolve(projectDir, ".env");
+  if (!fs6.existsSync(envFile)) {
     const envText = `PGAI_TAG=${package_default.version}
 # PGAI_REGISTRY=registry.gitlab.com/postgres-ai/postgres_ai
 `;
-    fs5.writeFileSync(envFile, envText, { encoding: "utf8", mode: 384 });
+    fs6.writeFileSync(envFile, envText, { encoding: "utf8", mode: 384 });
   }
-  return { fs: fs5, path: path5, projectDir, composeFile, instancesFile };
+  return { fs: fs6, path: path6, projectDir, composeFile, instancesFile };
 }
 function getConfig(opts) {
   let apiKey = opts.apiKey || process.env.PGAI_API_KEY || "";
@@ -29680,7 +29939,7 @@ function printResult(result, json2) {
   }
 }
 var program2 = new Command;
-program2.name("postgres-ai").description("PostgresAI CLI").version(package_default.version).option("--api-key <key>", "API key (overrides PGAI_API_KEY)").option("--api-base-url <url>", "API base URL for backend RPC (overrides PGAI_API_BASE_URL)").option("--ui-base-url <url>", "UI base URL for browser routes (overrides PGAI_UI_BASE_URL)");
+program2.name("postgres-ai").description("PostgresAI CLI").version(package_default.version).option("--api-key <key>", "API key (overrides PGAI_API_KEY)").option("--api-base-url <url>", "API base URL for backend RPC (overrides PGAI_API_BASE_URL)").option("--ui-base-url <url>", "UI base URL for browser routes (overrides PGAI_UI_BASE_URL)").option("--storage-base-url <url>", "Storage base URL for file uploads (overrides PGAI_STORAGE_BASE_URL)");
 program2.command("set-default-project <project>").description("store default project for checkup uploads").action(async (project) => {
   const value = (project || "").trim();
   if (!value) {
@@ -29691,6 +29950,23 @@ program2.command("set-default-project <project>").description("store default pro
   writeConfig({ defaultProject: value });
   console.log(`Default project saved: ${value}`);
 });
+program2.command("set-storage-url <url>").description("store storage base URL for file uploads").action(async (url) => {
+  const value = (url || "").trim();
+  if (!value) {
+    console.error("Error: url is required");
+    process.exitCode = 1;
+    return;
+  }
+  try {
+    const { normalizeBaseUrl: normalizeBaseUrl3 } = await Promise.resolve().then(() => (init_util(), exports_util2));
+    const normalized = normalizeBaseUrl3(value);
+    writeConfig({ storageBaseUrl: normalized });
+    console.log(`Storage URL saved: ${normalized}`);
+  } catch {
+    console.error(`Error: invalid URL: ${value}`);
+    process.exitCode = 1;
+  }
+});
 program2.command("prepare-db [conn]").description("prepare database for monitoring: create monitoring user, required view(s), and grant permissions (idempotent)").option("--db-url <url>", "PostgreSQL connection URL (admin) to run the setup against (deprecated; pass it as positional arg)").option("-h, --host <host>", "PostgreSQL host (psql-like)").option("-p, --port <port>", "PostgreSQL port (psql-like)").option("-U, --username <username>", "PostgreSQL user (psql-like)").option("-d, --dbname <dbname>", "PostgreSQL database name (psql-like)").option("--admin-password <password>", "Admin connection password (otherwise uses PGPASSWORD if set)").option("--monitoring-user <name>", "Monitoring role name to create/update", DEFAULT_MONITORING_USER).option("--password <password>", "Monitoring role password (overrides PGAI_MON_PASSWORD)").option("--skip-optional-permissions", "Skip optional permissions (RDS/self-managed extras)", false).option("--provider <provider>", "Database provider (e.g., supabase). Affects which steps are executed.").option("--verify", "Verify that monitoring role/permissions are in place (no changes)", false).option("--reset-password", "Reset monitoring role password only (no other changes)", false).option("--print-sql", "Print SQL plan and exit (no changes applied)", false).option("--print-password", "Print generated monitoring password (DANGEROUS in CI logs)", false).option("--supabase", "Use Supabase Management API instead of direct PostgreSQL connection", false).option("--supabase-access-token <token>", "Supabase Management API access token (or SUPABASE_ACCESS_TOKEN env)").option("--supabase-project-ref <ref>", "Supabase project reference (or SUPABASE_PROJECT_REF env)").option("--json", "Output result as JSON (machine-readable)", false).addHelpText("after", [
   "",
   "Examples:",
@@ -29871,9 +30147,9 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
           } else {
             console.log("\u2713 prepare-db verify: OK");
             if (v.missingOptional.length > 0) {
-              console.log("\u26A0 Optional items missing:");
+              console.error("\u26A0 Optional items missing:");
               for (const m of v.missingOptional)
-                console.log(`- ${m}`);
+                console.error(`- ${m}`);
             }
           }
           return;
@@ -29994,9 +30270,9 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
       } else {
         console.log(opts.resetPassword ? "\u2713 prepare-db password reset completed" : "\u2713 prepare-db completed");
         if (skippedOptional.length > 0) {
-          console.log("\u26A0 Some optional steps were skipped (not supported or insufficient privileges):");
+          console.error("\u26A0 Some optional steps were skipped (not supported or insufficient privileges):");
           for (const s of skippedOptional)
-            console.log(`- ${s}`);
+            console.error(`- ${s}`);
         }
         if (process.stdout.isTTY) {
           console.log(`Applied ${applied.length} steps`);
@@ -30154,9 +30430,9 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
         } else {
           console.log(`\u2713 prepare-db verify: OK${opts.provider ? ` (provider: ${opts.provider})` : ""}`);
           if (v.missingOptional.length > 0) {
-            console.log("\u26A0 Optional items missing:");
+            console.error("\u26A0 Optional items missing:");
             for (const m of v.missingOptional)
-              console.log(`- ${m}`);
+              console.error(`- ${m}`);
           }
         }
         return;
@@ -30272,9 +30548,9 @@ program2.command("prepare-db [conn]").description("prepare database for monitori
     } else {
       console.log(opts.resetPassword ? "\u2713 prepare-db password reset completed" : "\u2713 prepare-db completed");
       if (skippedOptional.length > 0) {
-        console.log("\u26A0 Some optional steps were skipped (not supported or insufficient privileges):");
+        console.error("\u26A0 Some optional steps were skipped (not supported or insufficient privileges):");
         for (const s of skippedOptional)
-          console.log(`- ${s}`);
+          console.error(`- ${s}`);
       }
       if (process.stdout.isTTY) {
         console.log(`Applied ${applied.length} steps`);
@@ -30474,9 +30750,9 @@ program2.command("unprepare-db [conn]").description("remove monitoring setup: dr
     console.log(`Drop role: ${dropRole}`);
   }
   if (!opts.force && !jsonOutput && !shouldPrintSql) {
-    const answer = await new Promise((resolve6) => {
+    const answer = await new Promise((resolve7) => {
       const readline = getReadline();
-      readline.question(`This will remove the monitoring setup for user "${opts.monitoringUser}"${dropRole ? " and drop the role" : ""}. Continue? [y/N] `, (ans) => resolve6(ans.trim().toLowerCase()));
+      readline.question(`This will remove the monitoring setup for user "${opts.monitoringUser}"${dropRole ? " and drop the role" : ""}. Continue? [y/N] `, (ans) => resolve7(ans.trim().toLowerCase()));
     });
     if (answer !== "y" && answer !== "yes") {
       console.log("Aborted.");
@@ -30530,11 +30806,11 @@ program2.command("unprepare-db [conn]").description("remove monitoring setup: dr
         console.log("\u2713 unprepare-db completed");
         console.log(`Applied ${applied.length} steps`);
       } else {
-        console.log("\u26A0 unprepare-db completed with errors");
+        console.error("\u26A0 unprepare-db completed with errors");
         console.log(`Applied ${applied.length} steps`);
-        console.log("Errors:");
+        console.error("Errors:");
         for (const err of errors3) {
-          console.log(`  - ${err}`);
+          console.error(`  - ${err}`);
         }
         process.exitCode = 1;
       }
@@ -30780,7 +31056,7 @@ Usage: postgresai checkup ${checkId} postgresql://user@host:5432/dbname
         }
       }
     }
-    if (shouldPrintJson) {
+    if (shouldPrintJson && !outputPath) {
       console.log(JSON.stringify(reports, null, 2));
     }
     const hadOutput = shouldPrintJson || shouldConvertMarkdown || outputPath || uploadSummary;
@@ -30833,12 +31109,12 @@ function resolvePaths() {
   const startDir = process.cwd();
   let currentDir = startDir;
   while (true) {
-    const composeFile = path5.resolve(currentDir, "docker-compose.yml");
-    if (fs5.existsSync(composeFile)) {
-      const instancesFile = path5.resolve(currentDir, "instances.yml");
-      return { fs: fs5, path: path5, projectDir: currentDir, composeFile, instancesFile };
+    const composeFile = path6.resolve(currentDir, "docker-compose.yml");
+    if (fs6.existsSync(composeFile)) {
+      const instancesFile = path6.resolve(currentDir, "instances.yml");
+      return { fs: fs6, path: path6, projectDir: currentDir, composeFile, instancesFile };
     }
-    const parentDir = path5.dirname(currentDir);
+    const parentDir = path6.dirname(currentDir);
     if (parentDir === currentDir)
       break;
     currentDir = parentDir;
@@ -30886,10 +31162,10 @@ function registerMonitoringInstance(apiKey, projectName, opts) {
   const url = `${apiBaseUrl}/rpc/monitoring_instance_register`;
   const debug = opts?.debug;
   if (debug) {
-    console.log(`
+    console.error(`
 Debug: Registering monitoring instance...`);
-    console.log(`Debug: POST ${url}`);
-    console.log(`Debug: project_name=${projectName}`);
+    console.error(`Debug: POST ${url}`);
+    console.error(`Debug: project_name=${projectName}`);
   }
   fetch(url, {
     method: "POST",
@@ -30904,26 +31180,26 @@ Debug: Registering monitoring instance...`);
     const body = await res.text().catch(() => "");
     if (!res.ok) {
       if (debug) {
-        console.log(`Debug: Monitoring registration failed: HTTP ${res.status}`);
-        console.log(`Debug: Response: ${body}`);
+        console.error(`Debug: Monitoring registration failed: HTTP ${res.status}`);
+        console.error(`Debug: Response: ${body}`);
       }
       return;
     }
     if (debug) {
-      console.log(`Debug: Monitoring registration response: ${body}`);
+      console.error(`Debug: Monitoring registration response: ${body}`);
     }
   }).catch((err) => {
     if (debug) {
-      console.log(`Debug: Monitoring registration error: ${err.message}`);
+      console.error(`Debug: Monitoring registration error: ${err.message}`);
     }
   });
 }
 function updatePgwatchConfig(configPath, updates) {
   let lines = [];
-  if (fs5.existsSync(configPath)) {
-    const stats = fs5.statSync(configPath);
+  if (fs6.existsSync(configPath)) {
+    const stats = fs6.statSync(configPath);
     if (!stats.isDirectory()) {
-      const content = fs5.readFileSync(configPath, "utf8");
+      const content = fs6.readFileSync(configPath, "utf8");
       lines = content.split(/\r?\n/).filter((l) => l.trim() !== "");
     }
   }
@@ -30935,7 +31211,7 @@ function updatePgwatchConfig(configPath, updates) {
       lines.push(`${key}=${value}`);
     }
   }
-  fs5.writeFileSync(configPath, lines.join(`
+  fs6.writeFileSync(configPath, lines.join(`
 `) + `
 `, { encoding: "utf8", mode: 384 });
 }
@@ -30965,12 +31241,12 @@ async function runCompose(args, grafanaPassword) {
   if (grafanaPassword) {
     env.GF_SECURITY_ADMIN_PASSWORD = grafanaPassword;
   } else {
-    const cfgPath = path5.resolve(projectDir, ".pgwatch-config");
-    if (fs5.existsSync(cfgPath)) {
+    const cfgPath = path6.resolve(projectDir, ".pgwatch-config");
+    if (fs6.existsSync(cfgPath)) {
       try {
-        const stats = fs5.statSync(cfgPath);
+        const stats = fs6.statSync(cfgPath);
         if (!stats.isDirectory()) {
-          const content = fs5.readFileSync(cfgPath, "utf8");
+          const content = fs6.readFileSync(cfgPath, "utf8");
           const match = content.match(/^grafana_password=([^\r\n]+)/m);
           if (match) {
             env.GF_SECURITY_ADMIN_PASSWORD = match[1].trim();
@@ -30987,13 +31263,13 @@ async function runCompose(args, grafanaPassword) {
   if (process.platform === "darwin" && args.includes("up")) {
     finalArgs.push("--scale", "self-node-exporter=0");
   }
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     const child = spawn2(cmd[0], [...cmd.slice(1), "-f", composeFile, ...finalArgs], {
       stdio: "inherit",
       env,
       cwd: projectDir
     });
-    child.on("close", (code) => resolve6(code || 0));
+    child.on("close", (code) => resolve7(code || 0));
   });
 }
 program2.command("help", { isDefault: true }).description("show help").action(() => {
@@ -31014,16 +31290,16 @@ mon.command("local-install").description("install local monitoring stack (genera
   console.log(`Project directory: ${projectDir}
 `);
   if (opts.project) {
-    const cfgPath2 = path5.resolve(projectDir, ".pgwatch-config");
+    const cfgPath2 = path6.resolve(projectDir, ".pgwatch-config");
     updatePgwatchConfig(cfgPath2, { project_name: opts.project });
     console.log(`Using project name: ${opts.project}
 `);
   }
-  const envFile = path5.resolve(projectDir, ".env");
+  const envFile = path6.resolve(projectDir, ".env");
   let existingRegistry = null;
   let existingPassword = null;
-  if (fs5.existsSync(envFile)) {
-    const existingEnv = fs5.readFileSync(envFile, "utf8");
+  if (fs6.existsSync(envFile)) {
+    const existingEnv = fs6.readFileSync(envFile, "utf8");
     const registryMatch = existingEnv.match(/^PGAI_REGISTRY=(.+)$/m);
     if (registryMatch)
       existingRegistry = registryMatch[1].trim();
@@ -31039,7 +31315,7 @@ mon.command("local-install").description("install local monitoring stack (genera
   if (existingPassword) {
     envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${existingPassword}`);
   }
-  fs5.writeFileSync(envFile, envLines.join(`
+  fs6.writeFileSync(envFile, envLines.join(`
 `) + `
 `, { encoding: "utf8", mode: 384 });
   if (opts.tag) {
@@ -31047,8 +31323,8 @@ mon.command("local-install").description("install local monitoring stack (genera
 `);
   }
   if (opts.demo && opts.dbUrl) {
-    console.log("\u26A0 Both --demo and --db-url provided. Demo mode includes its own database.");
-    console.log(`\u26A0 The --db-url will be ignored in demo mode.
+    console.error("\u26A0 Both --demo and --db-url provided. Demo mode includes its own database.");
+    console.error(`\u26A0 The --db-url will be ignored in demo mode.
 `);
     opts.dbUrl = undefined;
   }
@@ -31063,7 +31339,7 @@ Use demo mode without API key: postgres-ai mon local-install --demo`);
   }
   const { running, containers } = checkRunningContainers();
   if (running) {
-    console.log(`\u26A0 Monitoring services are already running: ${containers.join(", ")}`);
+    console.error(`\u26A0 Monitoring services are already running: ${containers.join(", ")}`);
     console.log(`Use 'postgres-ai mon restart' to restart them
 `);
     return;
@@ -31075,12 +31351,12 @@ Use demo mode without API key: postgres-ai mon local-install --demo`);
     if (apiKey) {
       console.log("Using API key provided via --api-key parameter");
       writeConfig({ apiKey });
-      updatePgwatchConfig(path5.resolve(projectDir, ".pgwatch-config"), { api_key: apiKey });
+      updatePgwatchConfig(path6.resolve(projectDir, ".pgwatch-config"), { api_key: apiKey });
       console.log(`\u2713 API key saved
 `);
     } else if (opts.yes) {
       console.log("Auto-yes mode: no API key provided, skipping API key setup");
-      console.log("\u26A0 Reports will be generated locally only");
+      console.error("\u26A0 Reports will be generated locally only");
       console.log(`You can add an API key later with: postgres-ai add-key <api_key>
 `);
     } else {
@@ -31092,23 +31368,23 @@ Use demo mode without API key: postgres-ai mon local-install --demo`);
           const trimmedKey = inputApiKey.trim();
           if (trimmedKey) {
             writeConfig({ apiKey: trimmedKey });
-            updatePgwatchConfig(path5.resolve(projectDir, ".pgwatch-config"), { api_key: trimmedKey });
+            updatePgwatchConfig(path6.resolve(projectDir, ".pgwatch-config"), { api_key: trimmedKey });
             apiKey = trimmedKey;
             console.log(`\u2713 API key saved
 `);
             break;
           }
-          console.log("\u26A0 API key cannot be empty");
+          console.error("\u26A0 API key cannot be empty");
           const retry = await question("Try again or skip API key setup, retry? (Y/n): ");
           if (retry.toLowerCase() === "n") {
-            console.log("\u26A0 Skipping API key setup - reports will be generated locally only");
+            console.error("\u26A0 Skipping API key setup - reports will be generated locally only");
             console.log(`You can add an API key later with: postgres-ai add-key <api_key>
 `);
             break;
           }
         }
       } else {
-        console.log("\u26A0 Skipping API key setup - reports will be generated locally only");
+        console.error("\u26A0 Skipping API key setup - reports will be generated locally only");
         console.log(`You can add an API key later with: postgres-ai add-key <api_key>
 `);
       }
@@ -31126,7 +31402,7 @@ Use demo mode without API key: postgres-ai mon local-install --demo`);
 # Add your instances using: postgres-ai mon targets add
 
 `;
-    fs5.writeFileSync(instancesPath, emptyInstancesContent, "utf8");
+    fs6.writeFileSync(instancesPath, emptyInstancesContent, "utf8");
     console.log(`Instances file: ${instancesPath}`);
     console.log(`Project directory: ${projectDir2}
 `);
@@ -31158,7 +31434,7 @@ Use demo mode without API key: postgres-ai mon local-install --demo`);
     node_name: ${instanceName}
     sink_type: ~sink_type~
 `;
-      fs5.appendFileSync(instancesPath, body, "utf8");
+      fs6.appendFileSync(instancesPath, body, "utf8");
       console.log(`\u2713 Monitoring target '${instanceName}' added
 `);
       console.log("Testing connection to the added instance...");
@@ -31177,7 +31453,7 @@ Use demo mode without API key: postgres-ai mon local-install --demo`);
       }
     } else if (opts.yes) {
       console.log("Auto-yes mode: no database URL provided, skipping database setup");
-      console.log("\u26A0 No PostgreSQL instance added");
+      console.error("\u26A0 No PostgreSQL instance added");
       console.log(`You can add one later with: postgres-ai mon targets add
 `);
     } else {
@@ -31195,7 +31471,7 @@ You can provide either:`);
           const m = connStr.match(/^postgresql:\/\/([^:]+):([^@]+)@([^:\/]+)(?::(\d+))?\/(.+)$/);
           if (!m) {
             console.error("\u2717 Invalid connection string format");
-            console.log(`\u26A0 Continuing without adding instance
+            console.error(`\u26A0 Continuing without adding instance
 `);
           } else {
             const host = m[3];
@@ -31213,7 +31489,7 @@ You can provide either:`);
     node_name: ${instanceName}
     sink_type: ~sink_type~
 `;
-            fs5.appendFileSync(instancesPath, body, "utf8");
+            fs6.appendFileSync(instancesPath, body, "utf8");
             console.log(`\u2713 Monitoring target '${instanceName}' added
 `);
             console.log("Testing connection to the added instance...");
@@ -31232,11 +31508,11 @@ You can provide either:`);
             }
           }
         } else {
-          console.log(`\u26A0 No PostgreSQL instance added - you can add one later with: postgres-ai mon targets add
+          console.error(`\u26A0 No PostgreSQL instance added - you can add one later with: postgres-ai mon targets add
 `);
         }
       } else {
-        console.log(`\u26A0 No PostgreSQL instance added - you can add one later with: postgres-ai mon targets add
+        console.error(`\u26A0 No PostgreSQL instance added - you can add one later with: postgres-ai mon targets add
 `);
       }
     }
@@ -31253,13 +31529,13 @@ You can provide either:`);
   console.log(`\u2713 Configuration updated
 `);
   console.log(opts.demo ? "Step 4: Configuring Grafana security..." : "Step 4: Configuring Grafana security...");
-  const cfgPath = path5.resolve(projectDir, ".pgwatch-config");
+  const cfgPath = path6.resolve(projectDir, ".pgwatch-config");
   let grafanaPassword = "";
   try {
-    if (fs5.existsSync(cfgPath)) {
-      const stats = fs5.statSync(cfgPath);
+    if (fs6.existsSync(cfgPath)) {
+      const stats = fs6.statSync(cfgPath);
       if (!stats.isDirectory()) {
-        const content = fs5.readFileSync(cfgPath, "utf8");
+        const content = fs6.readFileSync(cfgPath, "utf8");
         const match = content.match(/^grafana_password=([^\r\n]+)/m);
         if (match) {
           grafanaPassword = match[1].trim();
@@ -31272,22 +31548,22 @@ You can provide either:`);
 '`);
       grafanaPassword = password.trim();
       let configContent = "";
-      if (fs5.existsSync(cfgPath)) {
-        const stats = fs5.statSync(cfgPath);
+      if (fs6.existsSync(cfgPath)) {
+        const stats = fs6.statSync(cfgPath);
         if (!stats.isDirectory()) {
-          configContent = fs5.readFileSync(cfgPath, "utf8");
+          configContent = fs6.readFileSync(cfgPath, "utf8");
         }
       }
       const lines = configContent.split(/\r?\n/).filter((l) => !/^grafana_password=/.test(l));
       lines.push(`grafana_password=${grafanaPassword}`);
-      fs5.writeFileSync(cfgPath, lines.filter(Boolean).join(`
+      fs6.writeFileSync(cfgPath, lines.filter(Boolean).join(`
 `) + `
 `, "utf8");
     }
     console.log(`\u2713 Grafana password configured
 `);
   } catch (error2) {
-    console.log("\u26A0 Could not generate Grafana password automatically");
+    console.error("\u26A0 Could not generate Grafana password automatically");
     console.log(`Using default password: demo
 `);
     grafanaPassword = "demo";
@@ -31382,7 +31658,7 @@ mon.command("stop").description("stop monitoring services").action(async () => {
   let code = await runCompose(["down", "--remove-orphans"]);
   if (code !== 0) {
     await removeOrphanedContainers();
-    await new Promise((resolve6) => setTimeout(resolve6, NETWORK_CLEANUP_DELAY_MS));
+    await new Promise((resolve7) => setTimeout(resolve7, NETWORK_CLEANUP_DELAY_MS));
     code = await runCompose(["down", "--remove-orphans"]);
   }
   if (code !== 0) {
@@ -31437,7 +31713,7 @@ mon.command("health").description("health check for monitoring services").option
     if (attempt > 1) {
       console.log(`Retrying (attempt ${attempt}/${maxAttempts})...
 `);
-      await new Promise((resolve6) => setTimeout(resolve6, 5000));
+      await new Promise((resolve7) => setTimeout(resolve7, 5000));
     }
     allHealthy = true;
     for (const service of services) {
@@ -31485,11 +31761,11 @@ mon.command("config").description("show monitoring services configuration").acti
   console.log(`Project Directory: ${projectDir}`);
   console.log(`Docker Compose File: ${composeFile}`);
   console.log(`Instances File: ${instancesFile}`);
-  if (fs5.existsSync(instancesFile)) {
+  if (fs6.existsSync(instancesFile)) {
     console.log(`
 Instances configuration:
 `);
-    const text = fs5.readFileSync(instancesFile, "utf8");
+    const text = fs6.readFileSync(instancesFile, "utf8");
     process.stdout.write(text);
     if (!/\n$/.test(text))
       console.log();
@@ -31504,8 +31780,8 @@ mon.command("update").description("update monitoring stack").action(async () =>
   console.log(`Updating PostgresAI monitoring stack...
 `);
   try {
-    const gitDir = path5.resolve(process.cwd(), ".git");
-    if (!fs5.existsSync(gitDir)) {
+    const gitDir = path6.resolve(process.cwd(), ".git");
+    if (!fs6.existsSync(gitDir)) {
       console.error("Not a git repository. Cannot update.");
       process.exitCode = 1;
       return;
@@ -31601,7 +31877,7 @@ mon.command("clean").description("cleanup monitoring services artifacts (stops s
     if (downCode === 0) {
       console.log("\u2713 Monitoring services stopped and removed");
     } else {
-      console.log("\u26A0 Could not stop services (may not be running)");
+      console.error("\u26A0 Could not stop services (may not be running)");
     }
     await removeOrphanedContainers();
     console.log("\u2713 Removed orphaned containers");
@@ -31660,13 +31936,13 @@ mon.command("check").description("monitoring services system readiness check").a
 var targets = mon.command("targets").description("manage databases to monitor");
 targets.command("list").description("list monitoring target databases").action(async () => {
   const { instancesFile: instancesPath, projectDir } = await resolveOrInitPaths();
-  if (!fs5.existsSync(instancesPath)) {
+  if (!fs6.existsSync(instancesPath)) {
     console.error(`instances.yml not found in ${projectDir}`);
     process.exitCode = 1;
     return;
   }
   try {
-    const content = fs5.readFileSync(instancesPath, "utf8");
+    const content = fs6.readFileSync(instancesPath, "utf8");
     const instances = load(content);
     if (!instances || !Array.isArray(instances) || instances.length === 0) {
       console.log("No monitoring targets configured");
@@ -31715,8 +31991,8 @@ targets.command("add [connStr] [name]").description("add monitoring target datab
   const db = m[5];
   const instanceName = name && name.trim() ? name.trim() : `${host}-${db}`.replace(/[^a-zA-Z0-9-]/g, "-");
   try {
-    if (fs5.existsSync(file)) {
-      const content2 = fs5.readFileSync(file, "utf8");
+    if (fs6.existsSync(file)) {
+      const content2 = fs6.readFileSync(file, "utf8");
       const instances = load(content2) || [];
       if (Array.isArray(instances)) {
         const exists = instances.some((inst) => inst.name === instanceName);
@@ -31728,7 +32004,7 @@ targets.command("add [connStr] [name]").description("add monitoring target datab
       }
     }
   } catch (err) {
-    const content2 = fs5.existsSync(file) ? fs5.readFileSync(file, "utf8") : "";
+    const content2 = fs6.existsSync(file) ? fs6.readFileSync(file, "utf8") : "";
     if (new RegExp(`^- name: ${instanceName}$`, "m").test(content2)) {
       console.error(`Monitoring target '${instanceName}' already exists`);
       process.exitCode = 1;
@@ -31747,20 +32023,20 @@ targets.command("add [connStr] [name]").description("add monitoring target datab
     node_name: ${instanceName}
     sink_type: ~sink_type~
 `;
-  const content = fs5.existsSync(file) ? fs5.readFileSync(file, "utf8") : "";
-  fs5.appendFileSync(file, (content && !/\n$/.test(content) ? `
+  const content = fs6.existsSync(file) ? fs6.readFileSync(file, "utf8") : "";
+  fs6.appendFileSync(file, (content && !/\n$/.test(content) ? `
 ` : "") + body, "utf8");
   console.log(`Monitoring target '${instanceName}' added`);
 });
 targets.command("remove <name>").description("remove monitoring target database").action(async (name) => {
   const { instancesFile: file } = await resolveOrInitPaths();
-  if (!fs5.existsSync(file)) {
+  if (!fs6.existsSync(file)) {
     console.error("instances.yml not found");
     process.exitCode = 1;
     return;
   }
   try {
-    const content = fs5.readFileSync(file, "utf8");
+    const content = fs6.readFileSync(file, "utf8");
     const instances = load(content);
     if (!instances || !Array.isArray(instances)) {
       console.error("Invalid instances.yml format");
@@ -31773,7 +32049,7 @@ targets.command("remove <name>").description("remove monitoring target database"
       process.exitCode = 1;
       return;
     }
-    fs5.writeFileSync(file, dump(filtered), "utf8");
+    fs6.writeFileSync(file, dump(filtered), "utf8");
     console.log(`Monitoring target '${name}' removed`);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -31783,13 +32059,13 @@ targets.command("remove <name>").description("remove monitoring target database"
 });
 targets.command("test <name>").description("test monitoring target database connectivity").action(async (name) => {
   const { instancesFile: instancesPath } = await resolveOrInitPaths();
-  if (!fs5.existsSync(instancesPath)) {
+  if (!fs6.existsSync(instancesPath)) {
     console.error("instances.yml not found");
     process.exitCode = 1;
     return;
   }
   try {
-    const content = fs5.readFileSync(instancesPath, "utf8");
+    const content = fs6.readFileSync(instancesPath, "utf8");
     const instances = load(content);
     if (!instances || !Array.isArray(instances)) {
       console.error("Invalid instances.yml format");
@@ -31850,8 +32126,8 @@ auth.command("login", { isDefault: true }).description("authenticate via browser
   const cfg = readConfig();
   const { apiBaseUrl, uiBaseUrl } = resolveBaseUrls2(rootOpts, cfg);
   if (opts.debug) {
-    console.log(`Debug: Resolved API base URL: ${apiBaseUrl}`);
-    console.log(`Debug: Resolved UI base URL: ${uiBaseUrl}`);
+    console.error(`Debug: Resolved API base URL: ${apiBaseUrl}`);
+    console.error(`Debug: Resolved UI base URL: ${uiBaseUrl}`);
   }
   try {
     console.log("Starting local callback server...");
@@ -31870,8 +32146,8 @@ auth.command("login", { isDefault: true }).description("authenticate via browser
     });
     const initUrl = new URL(`${apiBaseUrl}/rpc/oauth_init`);
     if (opts.debug) {
-      console.log(`Debug: Trying to POST to: ${initUrl.toString()}`);
-      console.log(`Debug: Request data: ${initData}`);
+      console.error(`Debug: Trying to POST to: ${initUrl.toString()}`);
+      console.error(`Debug: Request data: ${initData}`);
     }
     let initResponse;
     try {
@@ -31909,7 +32185,7 @@ Please verify the --api-base-url parameter.`);
     }
     const authUrl = `${uiBaseUrl}/cli/auth?state=${encodeURIComponent(params.state)}&code_challenge=${encodeURIComponent(params.codeChallenge)}&code_challenge_method=S256&redirect_uri=${encodeURIComponent(redirectUri)}&api_url=${encodeURIComponent(apiBaseUrl)}`;
     if (opts.debug) {
-      console.log(`Debug: Auth URL: ${authUrl}`);
+      console.error(`Debug: Auth URL: ${authUrl}`);
     }
     console.log(`
 Opening browser for authentication...`);
@@ -32042,15 +32318,15 @@ To authenticate, run: pgai auth`);
 });
 auth.command("remove-key").description("remove API key").action(async () => {
   const newConfigPath = getConfigPath();
-  const hasNewConfig = fs5.existsSync(newConfigPath);
+  const hasNewConfig = fs6.existsSync(newConfigPath);
   let legacyPath;
   try {
     const { projectDir } = await resolveOrInitPaths();
-    legacyPath = path5.resolve(projectDir, ".pgwatch-config");
+    legacyPath = path6.resolve(projectDir, ".pgwatch-config");
   } catch {
-    legacyPath = path5.resolve(process.cwd(), ".pgwatch-config");
+    legacyPath = path6.resolve(process.cwd(), ".pgwatch-config");
   }
-  const hasLegacyConfig = fs5.existsSync(legacyPath) && fs5.statSync(legacyPath).isFile();
+  const hasLegacyConfig = fs6.existsSync(legacyPath) && fs6.statSync(legacyPath).isFile();
   if (!hasNewConfig && !hasLegacyConfig) {
     console.log("No API key configured");
     return;
@@ -32060,11 +32336,11 @@ auth.command("remove-key").description("remove API key").action(async () => {
   }
   if (hasLegacyConfig) {
     try {
-      const content = fs5.readFileSync(legacyPath, "utf8");
+      const content = fs6.readFileSync(legacyPath, "utf8");
       const filtered = content.split(/\r?\n/).filter((l) => !/^api_key=/.test(l)).join(`
 `).replace(/\n+$/g, `
 `);
-      fs5.writeFileSync(legacyPath, filtered, "utf8");
+      fs6.writeFileSync(legacyPath, filtered, "utf8");
     } catch (err) {
       console.warn(`Warning: Could not update legacy config: ${err instanceof Error ? err.message : String(err)}`);
     }
@@ -32075,7 +32351,7 @@ To authenticate again, run: pgai auth`);
 });
 mon.command("generate-grafana-password").description("generate Grafana password for monitoring services").action(async () => {
   const { projectDir } = await resolveOrInitPaths();
-  const cfgPath = path5.resolve(projectDir, ".pgwatch-config");
+  const cfgPath = path6.resolve(projectDir, ".pgwatch-config");
   try {
     const { stdout: password } = await execPromise(`openssl rand -base64 12 | tr -d '
 '`);
@@ -32086,17 +32362,17 @@ mon.command("generate-grafana-password").description("generate Grafana password
       return;
     }
     let configContent = "";
-    if (fs5.existsSync(cfgPath)) {
-      const stats = fs5.statSync(cfgPath);
+    if (fs6.existsSync(cfgPath)) {
+      const stats = fs6.statSync(cfgPath);
       if (stats.isDirectory()) {
         console.error(".pgwatch-config is a directory, expected a file. Skipping read.");
       } else {
-        configContent = fs5.readFileSync(cfgPath, "utf8");
+        configContent = fs6.readFileSync(cfgPath, "utf8");
       }
     }
     const lines = configContent.split(/\r?\n/).filter((l) => !/^grafana_password=/.test(l));
     lines.push(`grafana_password=${newPassword}`);
-    fs5.writeFileSync(cfgPath, lines.filter(Boolean).join(`
+    fs6.writeFileSync(cfgPath, lines.filter(Boolean).join(`
 `) + `
 `, "utf8");
     console.log("\u2713 New Grafana password generated and saved");
@@ -32118,19 +32394,19 @@ Note: This command requires 'openssl' to be installed`);
 });
 mon.command("show-grafana-credentials").description("show Grafana credentials for monitoring services").action(async () => {
   const { projectDir } = await resolveOrInitPaths();
-  const cfgPath = path5.resolve(projectDir, ".pgwatch-config");
-  if (!fs5.existsSync(cfgPath)) {
+  const cfgPath = path6.resolve(projectDir, ".pgwatch-config");
+  if (!fs6.existsSync(cfgPath)) {
     console.error("Configuration file not found. Run 'postgres-ai mon local-install' first.");
     process.exitCode = 1;
     return;
   }
-  const stats = fs5.statSync(cfgPath);
+  const stats = fs6.statSync(cfgPath);
   if (stats.isDirectory()) {
     console.error(".pgwatch-config is a directory, expected a file. Cannot read credentials.");
     process.exitCode = 1;
     return;
   }
-  const content = fs5.readFileSync(cfgPath, "utf8");
+  const content = fs6.readFileSync(cfgPath, "utf8");
   const lines = content.split(/\r?\n/);
   let password = "";
   for (const line of lines) {
@@ -32235,11 +32511,11 @@ issues.command("view <issueId>").description("view issue details and comments").
 });
 issues.command("post-comment <issueId> <content>").description("post a new comment to an issue").option("--parent <uuid>", "parent comment id").option("--debug", "enable debug output").option("--json", "output raw JSON").action(async (issueId, content, opts) => {
   if (opts.debug) {
-    console.log(`Debug: Original content: ${JSON.stringify(content)}`);
+    console.error(`Debug: Original content: ${JSON.stringify(content)}`);
   }
   content = interpretEscapes2(content);
   if (opts.debug) {
-    console.log(`Debug: Interpreted content: ${JSON.stringify(content)}`);
+    console.error(`Debug: Interpreted content: ${JSON.stringify(content)}`);
   }
   const spinner = createTtySpinner(process.stdout.isTTY ?? false, "Posting comment...");
   try {
@@ -32385,11 +32661,11 @@ issues.command("update <issueId>").description("update an existing issue (title/
 });
 issues.command("update-comment <commentId> <content>").description("update an existing issue comment").option("--debug", "enable debug output").option("--json", "output raw JSON").action(async (commentId, content, opts) => {
   if (opts.debug) {
-    console.log(`Debug: Original content: ${JSON.stringify(content)}`);
+    console.error(`Debug: Original content: ${JSON.stringify(content)}`);
   }
   content = interpretEscapes2(content);
   if (opts.debug) {
-    console.log(`Debug: Interpreted content: ${JSON.stringify(content)}`);
+    console.error(`Debug: Interpreted content: ${JSON.stringify(content)}`);
   }
   const rootOpts = program2.opts();
   const cfg = readConfig();
@@ -32418,6 +32694,74 @@ issues.command("update-comment <commentId> <content>").description("update an ex
     process.exitCode = 1;
   }
 });
+var issueFiles = issues.command("files").description("upload and download files for issues");
+issueFiles.command("upload <path>").description("upload a file to storage and get a markdown link").option("--debug", "enable debug output").option("--json", "output raw JSON").action(async (filePath, opts) => {
+  const spinner = createTtySpinner(process.stdout.isTTY ?? false, "Uploading file...");
+  try {
+    const rootOpts = program2.opts();
+    const cfg = readConfig();
+    const { apiKey } = getConfig(rootOpts);
+    if (!apiKey) {
+      spinner.stop();
+      console.error("API key is required. Run 'pgai auth' first or set --api-key.");
+      process.exitCode = 1;
+      return;
+    }
+    const { storageBaseUrl } = resolveBaseUrls2(rootOpts, cfg);
+    const result = await uploadFile({
+      apiKey,
+      storageBaseUrl,
+      filePath,
+      debug: !!opts.debug
+    });
+    spinner.stop();
+    if (opts.json) {
+      printResult(result, true);
+    } else {
+      const md = buildMarkdownLink(result.url, storageBaseUrl, result.metadata.originalName);
+      const displayUrl = result.url.startsWith("/") ? `${storageBaseUrl}${result.url}` : `${storageBaseUrl}/${result.url}`;
+      console.log(`URL: ${displayUrl}`);
+      console.log(`File: ${result.metadata.originalName}`);
+      console.log(`Size: ${result.metadata.size} bytes`);
+      console.log(`Type: ${result.metadata.mimeType}`);
+      console.log(`Markdown: ${md}`);
+    }
+  } catch (err) {
+    spinner.stop();
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(message);
+    process.exitCode = 1;
+  }
+});
+issueFiles.command("download <url>").description("download a file from storage").option("-o, --output <path>", "output file path (default: derive from URL)").option("--debug", "enable debug output").action(async (fileUrl, opts) => {
+  const spinner = createTtySpinner(process.stdout.isTTY ?? false, "Downloading file...");
+  try {
+    const rootOpts = program2.opts();
+    const cfg = readConfig();
+    const { apiKey } = getConfig(rootOpts);
+    if (!apiKey) {
+      spinner.stop();
+      console.error("API key is required. Run 'pgai auth' first or set --api-key.");
+      process.exitCode = 1;
+      return;
+    }
+    const { storageBaseUrl } = resolveBaseUrls2(rootOpts, cfg);
+    const result = await downloadFile({
+      apiKey,
+      storageBaseUrl,
+      fileUrl,
+      outputPath: opts.output,
+      debug: !!opts.debug
+    });
+    spinner.stop();
+    console.log(`Saved: ${result.savedTo}`);
+  } catch (err) {
+    spinner.stop();
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(message);
+    process.exitCode = 1;
+  }
+});
 issues.command("action-items <issueId>").description("list action items for an issue").option("--debug", "enable debug output").option("--json", "output raw JSON").action(async (issueId, opts) => {
   const spinner = createTtySpinner(process.stdout.isTTY ?? false, "Fetching action items...");
   try {
@@ -32591,7 +32935,10 @@ issues.command("update-action-item <actionItemId>").description("update an actio
   }
 });
 var reports = program2.command("reports").description("checkup reports management");
-reports.command("list").description("list checkup reports").option("--project-id <id>", "filter by project id", (v) => parseInt(v, 10)).option("--status <status>", "filter by status (e.g., completed)").option("--limit <n>", "max number of reports to return (default: 20)", (v) => parseInt(v, 10)).option("--before <date>", "show reports created before this date (YYYY-MM-DD, DD.MM.YYYY, etc.)").option("--all", "fetch all reports (paginated automatically)").option("--debug", "enable debug output").option("--json", "output raw JSON").action(async (opts) => {
+reports.command("list").description("list checkup reports").option("--project-id <id>", "filter by project id", (v) => parseInt(v, 10)).addOption(new Option("--status <status>", "filter by status (e.g., completed)").hideHelp()).option("--limit <n>", "max number of reports to return (default: 20, max: 100)", (v) => {
+  const n = parseInt(v, 10);
+  return Number.isNaN(n) ? 20 : Math.max(1, Math.min(n, 100));
+}).option("--before <date>", "show reports created before this date (YYYY-MM-DD, DD.MM.YYYY, etc.)").option("--all", "fetch all reports (paginated automatically)").addOption(new Option("--debug", "enable debug output").hideHelp()).option("--json", "output raw JSON").action(async (opts) => {
   const spinner = createTtySpinner(process.stdout.isTTY ?? false, "Fetching reports...");
   try {
     const rootOpts = program2.opts();
@@ -32640,7 +32987,7 @@ reports.command("list").description("list checkup reports").option("--project-id
     process.exitCode = 1;
   }
 });
-reports.command("files [reportId]").description("list files of a checkup report (metadata only, no content)").option("--type <type>", "filter by file type: json, md").option("--check-id <id>", "filter by check ID (e.g., H002)").option("--debug", "enable debug output").option("--json", "output raw JSON").action(async (reportId, opts) => {
+reports.command("files [reportId]").description("list files of a checkup report (metadata only, no content)").option("--type <type>", "filter by file type: json, md").option("--check-id <id>", "filter by check ID (e.g., H002)").addOption(new Option("--debug", "enable debug output").hideHelp()).option("--json", "output raw JSON").action(async (reportId, opts) => {
   const spinner = createTtySpinner(process.stdout.isTTY ?? false, "Fetching report files...");
   try {
     const rootOpts = program2.opts();
@@ -32686,7 +33033,7 @@ reports.command("files [reportId]").description("list files of a checkup report
     process.exitCode = 1;
   }
 });
-reports.command("data [reportId]").description("get checkup report file data (includes content)").option("--type <type>", "filter by file type: json, md").option("--check-id <id>", "filter by check ID (e.g., H002)").option("--formatted", "render markdown with ANSI styling (experimental)").option("-o, --output <dir>", "save files to directory (uses original filenames)").option("--debug", "enable debug output").option("--json", "output raw JSON").action(async (reportId, opts) => {
+reports.command("data [reportId]").description("get checkup report file data (includes content)").option("--type <type>", "filter by file type: json, md").option("--check-id <id>", "filter by check ID (e.g., H002)").option("--formatted", "render markdown with ANSI styling (experimental)").option("-o, --output <dir>", "save files to directory (uses original filenames)").addOption(new Option("--debug", "enable debug output").hideHelp()).option("--json", "output raw JSON").action(async (reportId, opts) => {
   const spinner = createTtySpinner(process.stdout.isTTY ?? false, "Fetching report data...");
   try {
     const rootOpts = program2.opts();
@@ -32726,13 +33073,13 @@ reports.command("data [reportId]").description("get checkup report file data (in
     });
     spinner.stop();
     if (opts.output) {
-      const dir = path5.resolve(opts.output);
-      fs5.mkdirSync(dir, { recursive: true });
+      const dir = path6.resolve(opts.output);
+      fs6.mkdirSync(dir, { recursive: true });
       for (const f of result) {
-        const safeName = path5.basename(f.filename);
-        const filePath = path5.join(dir, safeName);
+        const safeName = path6.basename(f.filename);
+        const filePath = path6.join(dir, safeName);
         const content = f.type === "json" ? JSON.stringify(tryParseJson(f.data), null, 2) : f.data;
-        fs5.writeFileSync(filePath, content, "utf-8");
+        fs6.writeFileSync(filePath, content, "utf-8");
         console.log(filePath);
       }
     } else if (opts.json) {
@@ -32850,29 +33197,29 @@ mcp.command("install [client]").description("install MCP server configuration fo
     let configDir;
     switch (client) {
       case "cursor":
-        configPath = path5.join(homeDir, ".cursor", "mcp.json");
-        configDir = path5.dirname(configPath);
+        configPath = path6.join(homeDir, ".cursor", "mcp.json");
+        configDir = path6.dirname(configPath);
         break;
       case "windsurf":
-        configPath = path5.join(homeDir, ".windsurf", "mcp.json");
-        configDir = path5.dirname(configPath);
+        configPath = path6.join(homeDir, ".windsurf", "mcp.json");
+        configDir = path6.dirname(configPath);
         break;
       case "codex":
-        configPath = path5.join(homeDir, ".codex", "mcp.json");
-        configDir = path5.dirname(configPath);
+        configPath = path6.join(homeDir, ".codex", "mcp.json");
+        configDir = path6.dirname(configPath);
         break;
       default:
         console.error(`Configuration not implemented for: ${client}`);
         process.exitCode = 1;
         return;
     }
-    if (!fs5.existsSync(configDir)) {
-      fs5.mkdirSync(configDir, { recursive: true });
+    if (!fs6.existsSync(configDir)) {
+      fs6.mkdirSync(configDir, { recursive: true });
     }
     let config2 = { mcpServers: {} };
-    if (fs5.existsSync(configPath)) {
+    if (fs6.existsSync(configPath)) {
       try {
-        const content = fs5.readFileSync(configPath, "utf8");
+        const content = fs6.readFileSync(configPath, "utf8");
         config2 = JSON.parse(content);
         if (!config2.mcpServers) {
           config2.mcpServers = {};
@@ -32885,7 +33232,7 @@ mcp.command("install [client]").description("install MCP server configuration fo
       command: pgaiPath,
       args: ["mcp", "start"]
     };
-    fs5.writeFileSync(configPath, JSON.stringify(config2, null, 2), "utf8");
+    fs6.writeFileSync(configPath, JSON.stringify(config2, null, 2), "utf8");
     console.log(`\u2713 PostgresAI MCP server configured for ${client}`);
     console.log(`  Config file: ${configPath}`);
     console.log("");