postgresai 0.15.0-dev.7 → 0.15.0-dev.9

package/README.md

@@ -173,7 +173,7 @@ postgresai mon local-install --api-key your_key --db-url postgresql://user:pass@
 This will:
 - Configure API key for automated report uploads (if provided)
 - Add PostgreSQL instance to monitor (if provided)
-- Generate secure Grafana password
+- Generate secure Grafana and replication passwords
 - Start all monitoring services
 - Open Grafana at http://localhost:3000
 
@@ -205,6 +205,8 @@ postgresai mon health [--wait <sec>]  # Check monitoring services health
 - `--db-url <url>` - PostgreSQL connection URL to monitor (format: `postgresql://user:pass@host:port/db`)
 - `-y, --yes` - Accept all defaults and skip interactive prompts
 
+`local-install` writes `.env` in the monitoring directory. It preserves existing `REPLICATOR_PASSWORD` and `VM_AUTH_*` values or generates new random ones when missing; `VM_AUTH_USERNAME` defaults to `vmauth` when absent. The replication password is used by the demo PostgreSQL standby replication user, and the VM auth credentials are required before Docker Compose can provision Grafana datasources. If you run `docker compose` directly or maintain `.env` yourself, set both VM auth values before upgrading. For rotation, run `VM_AUTH_PASSWORD="$(openssl rand -base64 18)" ./scripts/rotate-vm-auth.sh` from the monitoring directory so `.env`, `sink-prometheus`, and `grafana` update together.
+
 #### Monitoring target databases (`mon targets` subgroup)
 ```bash
 postgresai mon targets list                       # List databases to monitor

package/bin/postgres-ai.ts

@@ -15,7 +15,7 @@ import { fetchIssues, fetchIssueComments, createIssueComment, fetchIssue, create
 import { fetchReports, fetchAllReports, fetchReportFiles, fetchReportFileData, renderMarkdownForTerminal, parseFlexibleDate } from "../lib/reports";
 import { resolveBaseUrls } from "../lib/util";
 import { uploadFile, downloadFile, buildMarkdownLink } from "../lib/storage";
-import { applyInitPlan, applyUninitPlan, buildInitPlan, buildUninitPlan, connectWithSslFallback, DEFAULT_MONITORING_USER, KNOWN_PROVIDERS, redactPasswordsInSql, resolveAdminConnection, resolveMonitoringPassword, validateProvider, verifyInitSetup } from "../lib/init";
+import { applyInitPlan, applyUninitPlan, buildInitPlan, buildUninitPlan, checkCurrentUserPermissions, connectWithSslFallback, DEFAULT_MONITORING_USER, formatPermissionCheckMessages, KNOWN_PROVIDERS, redactPasswordsInSql, resolveAdminConnection, resolveMonitoringPassword, validateProvider, verifyInitSetup } from "../lib/init";
 import { SupabaseClient, resolveSupabaseConfig, extractProjectRefFromUrl, applyInitPlanViaSupabase, verifyInitSetupViaSupabase, fetchPoolerDatabaseUrl, type PgCompatibleError } from "../lib/supabase";
 import * as pkce from "../lib/pkce";
 import * as authServer from "../lib/auth-server";
@@ -54,21 +54,16 @@ function closeReadline() {
   }
 }
 
-// Helper functions for spawning processes - use Node.js child_process for compatibility
-async function execPromise(command: string): Promise<{ stdout: string; stderr: string }> {
-  return new Promise((resolve, reject) => {
-    childProcess.exec(command, (error, stdout, stderr) => {
-      if (error) {
-        const err = error as Error & { code: number };
-        err.code = typeof error.code === "number" ? error.code : 1;
-        reject(err);
-      } else {
-        resolve({ stdout, stderr });
-      }
-    });
-  });
+function stripMatchingQuotes(value: string): string {
+  const trimmed = value.trim();
+  const quote = trimmed[0];
+  if (trimmed.length >= 2 && (quote === '"' || quote === "'") && trimmed.endsWith(quote)) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
 }
 
+// Helper functions for spawning processes - use Node.js child_process for compatibility
 async function execFilePromise(file: string, args: string[]): Promise<{ stdout: string; stderr: string }> {
   return new Promise((resolve, reject) => {
     childProcess.execFile(file, args, (error, stdout, stderr) => {
@@ -1831,6 +1826,24 @@ program
       const connResult = await connectWithSslFallback(Client, adminConn);
       client = connResult.client as Client;
 
+      // Preflight: verify the connected user has sufficient permissions
+      spinner.update("Checking database permissions");
+      const permCheck = await checkCurrentUserPermissions(client);
+      const permMessages = formatPermissionCheckMessages(permCheck);
+
+      for (const w of permMessages.warnings) {
+        console.error(w);
+      }
+
+      if (permMessages.failed) {
+        spinner.stop();
+        for (const e of permMessages.errors) {
+          console.error(e);
+        }
+        process.exitCode = 1;
+        return;
+      }
+
       // Generate reports
       let reports: Record<string, any>;
       if (checkId === "ALL") {
@@ -2250,11 +2263,11 @@ async function runCompose(args: string[], grafanaPassword?: string): Promise<num
       const envContent = fs.readFileSync(envFilePath, "utf8");
       if (!env.VM_AUTH_USERNAME) {
         const m = envContent.match(/^VM_AUTH_USERNAME=([^\r\n]+)/m);
-        if (m) env.VM_AUTH_USERNAME = m[1].trim().replace(/^["']|["']$/g, '');
+        if (m) env.VM_AUTH_USERNAME = stripMatchingQuotes(m[1]);
       }
       if (!env.VM_AUTH_PASSWORD) {
         const m = envContent.match(/^VM_AUTH_PASSWORD=([^\r\n]+)/m);
-        if (m) env.VM_AUTH_PASSWORD = m[1].trim().replace(/^["']|["']$/g, '');
+        if (m) env.VM_AUTH_PASSWORD = stripMatchingQuotes(m[1]);
       }
     } catch (err) {
       if (process.env.DEBUG) {
@@ -2320,10 +2333,13 @@ mon
     // Update .env with custom tag if provided
     const envFile = path.resolve(projectDir, ".env");
 
-    // Build .env content, preserving important existing values (registry, password)
-    // Note: PGAI_TAG is intentionally NOT preserved - the CLI version should always match Docker images
+    // Build .env content, preserving important existing values.
+    // Note: PGAI_TAG is intentionally NOT preserved - the CLI version should always match Docker images.
     let existingRegistry: string | null = null;
     let existingPassword: string | null = null;
+    let existingReplicatorPassword: string | null = null;
+    let existingVmAuthUsername: string | null = null;
+    let existingVmAuthPassword: string | null = null;
 
     if (fs.existsSync(envFile)) {
       const existingEnv = fs.readFileSync(envFile, "utf8");
@@ -2332,6 +2348,12 @@ mon
       if (registryMatch) existingRegistry = registryMatch[1].trim();
       const pwdMatch = existingEnv.match(/^GF_SECURITY_ADMIN_PASSWORD=(.+)$/m);
       if (pwdMatch) existingPassword = pwdMatch[1].trim();
+      const replicatorPwdMatch = existingEnv.match(/^REPLICATOR_PASSWORD=(.+)$/m);
+      if (replicatorPwdMatch) existingReplicatorPassword = replicatorPwdMatch[1].trim();
+      const vmAuthUserMatch = existingEnv.match(/^VM_AUTH_USERNAME=(.+)$/m);
+      if (vmAuthUserMatch) existingVmAuthUsername = stripMatchingQuotes(vmAuthUserMatch[1]);
+      const vmAuthPasswordMatch = existingEnv.match(/^VM_AUTH_PASSWORD=(.+)$/m);
+      if (vmAuthPasswordMatch) existingVmAuthPassword = stripMatchingQuotes(vmAuthPasswordMatch[1]);
     }
 
     // Priority: CLI --tag flag > package version
@@ -2347,6 +2369,11 @@ mon
     if (existingPassword) {
       envLines.push(`GF_SECURITY_ADMIN_PASSWORD=${existingPassword}`);
     }
+    envLines.push(
+      `REPLICATOR_PASSWORD=${existingReplicatorPassword || crypto.randomBytes(32).toString("hex")}`,
+    );
+    envLines.push(`VM_AUTH_USERNAME=${existingVmAuthUsername || "vmauth"}`);
+    envLines.push(`VM_AUTH_PASSWORD=${existingVmAuthPassword || crypto.randomBytes(18).toString("base64")}`);
     fs.writeFileSync(envFile, envLines.join("\n") + "\n", { encoding: "utf8", mode: 0o600 });
 
     if (opts.tag) {
@@ -2466,16 +2493,20 @@ mon
 
         // Test connection
         console.log("Testing connection to the added instance...");
-        try {
-          const client = new Client({ connectionString: connStr });
-          await client.connect();
-          const result = await client.query("select version();");
-          console.log("✓ Connection successful");
-          console.log(`${result.rows[0].version}\n`);
-          await client.end();
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          console.error(`✗ Connection failed: ${message}\n`);
+        {
+          let testClient: InstanceType<typeof Client> | null = null;
+          try {
+            testClient = new Client({ connectionString: connStr, connectionTimeoutMillis: 10000 });
+            await testClient.connect();
+            const result = await testClient.query("select version();");
+            console.log("✓ Connection successful");
+            console.log(`${result.rows[0].version}\n`);
+          } catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            console.error(`✗ Connection failed: ${message}\n`);
+          } finally {
+            if (testClient) await testClient.end();
+          }
         }
       } else if (opts.yes) {
         // Auto-yes mode without database URL - skip database setup
@@ -2510,16 +2541,20 @@ mon
 
               // Test connection
               console.log("Testing connection to the added instance...");
-              try {
-                const client = new Client({ connectionString: connStr });
-                await client.connect();
-                const result = await client.query("select version();");
-                console.log("✓ Connection successful");
-                console.log(`${result.rows[0].version}\n`);
-                await client.end();
-              } catch (error) {
-                const message = error instanceof Error ? error.message : String(error);
-                console.error(`✗ Connection failed: ${message}\n`);
+              {
+                let testClient: InstanceType<typeof Client> | null = null;
+                try {
+                  testClient = new Client({ connectionString: connStr, connectionTimeoutMillis: 10000 });
+                  await testClient.connect();
+                  const result = await testClient.query("select version();");
+                  console.log("✓ Connection successful");
+                  console.log(`${result.rows[0].version}\n`);
+                } catch (error) {
+                  const message = error instanceof Error ? error.message : String(error);
+                  console.error(`✗ Connection failed: ${message}\n`);
+                } finally {
+                  if (testClient) await testClient.end();
+                }
               }
             }
           } else {
@@ -2594,8 +2629,8 @@ mon
 
       if (!grafanaPassword) {
         console.log("Generating secure Grafana password...");
-        const { stdout: password } = await execPromise("openssl rand -base64 12 | tr -d '\n'");
-        grafanaPassword = password.trim();
+        const { stdout: password } = await execFilePromise("openssl", ["rand", "-base64", "12"]);
+        grafanaPassword = password.trim().replace(/\n/g, "");
 
         let configContent = "";
         if (fs.existsSync(cfgPath)) {
@@ -2626,16 +2661,16 @@ mon
         const envContent = fs.readFileSync(envFile, "utf8");
         const userMatch = envContent.match(/^VM_AUTH_USERNAME=([^\r\n]+)/m);
         const passMatch = envContent.match(/^VM_AUTH_PASSWORD=([^\r\n]+)/m);
-        if (userMatch) vmAuthUsername = userMatch[1].trim().replace(/^["']|["']$/g, '');
-        if (passMatch) vmAuthPassword = passMatch[1].trim().replace(/^["']|["']$/g, '');
+        if (userMatch) vmAuthUsername = stripMatchingQuotes(userMatch[1]);
+        if (passMatch) vmAuthPassword = stripMatchingQuotes(passMatch[1]);
       }
 
       if (!vmAuthUsername || !vmAuthPassword) {
         console.log("Generating VictoriaMetrics auth credentials...");
         vmAuthUsername = vmAuthUsername || "vmauth";
         if (!vmAuthPassword) {
-          const { stdout: vmPass } = await execPromise("openssl rand -base64 12 | tr -d '\n'");
-          vmAuthPassword = vmPass.trim();
+          const { stdout: vmPass } = await execFilePromise("openssl", ["rand", "-base64", "12"]);
+          vmAuthPassword = vmPass.trim().replace(/\n/g, "");
         }
 
         // Update .env file with VM auth credentials
@@ -2947,16 +2982,16 @@ mon
 
       // Fetch latest changes
       console.log("Fetching latest changes...");
-      await execPromise("git fetch origin");
+      await execFilePromise("git", ["fetch", "origin"]);
 
       // Check current branch
-      const { stdout: branch } = await execPromise("git rev-parse --abbrev-ref HEAD");
+      const { stdout: branch } = await execFilePromise("git", ["rev-parse", "--abbrev-ref", "HEAD"]);
       const currentBranch = branch.trim();
       console.log(`Current branch: ${currentBranch}`);
 
       // Pull latest changes
       console.log("Pulling latest changes...");
-      const { stdout: pullOut } = await execPromise("git pull origin " + currentBranch);
+      const { stdout: pullOut } = await execFilePromise("git", ["pull", "origin", currentBranch]);
       console.log(pullOut);
 
       // Update Docker images
@@ -3214,7 +3249,8 @@ targets
       // If YAML parsing fails, fall back to simple check
       const isFile = fs.existsSync(file) && !fs.lstatSync(file).isDirectory();
       const content = isFile ? fs.readFileSync(file, "utf8") : "";
-      if (new RegExp(`^- name: ${instanceName}$`, "m").test(content)) {
+      const escapedName = instanceName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      if (new RegExp(`^- name: ${escapedName}$`, "m").test(content)) {
         console.error(`Monitoring target '${instanceName}' already exists`);
         process.exitCode = 1;
         return;
@@ -3305,7 +3341,7 @@ targets
       console.log(`Testing connection to monitoring target '${name}'...`);
 
       // Use native pg client instead of requiring psql to be installed
-      const client = new Client({ connectionString: instance.conn_str });
+      const client = new Client({ connectionString: instance.conn_str, connectionTimeoutMillis: 10000 });
 
       try {
         await client.connect();
@@ -3658,10 +3694,10 @@ mon
 
     try {
       // Generate secure password using openssl
-      const { stdout: password } = await execPromise(
-        "openssl rand -base64 12 | tr -d '\n'"
+      const { stdout: password } = await execFilePromise(
+        "openssl", ["rand", "-base64", "12"]
       );
-      const newPassword = password.trim();
+      const newPassword = password.trim().replace(/\n/g, "");
 
       if (!newPassword) {
         console.error("Failed to generate password");
@@ -3748,8 +3784,8 @@ mon
       const vmPass = envContent.match(/^VM_AUTH_PASSWORD=([^\r\n]+)/m);
       if (vmUser && vmPass) {
         console.log("\nVictoriaMetrics credentials:");
-        console.log(`  Username: ${vmUser[1].trim().replace(/^["']|["']$/g, '')}`);
-        console.log(`  Password: ${vmPass[1].trim().replace(/^["']|["']$/g, '')}`);
+        console.log(`  Username: ${stripMatchingQuotes(vmUser[1])}`);
+        console.log(`  Password: ${stripMatchingQuotes(vmPass[1])}`);
       }
     }
     console.log("");
@@ -4712,7 +4748,7 @@ mcp
       // Get the path to the current pgai executable
       let pgaiPath: string;
       try {
-        const execPath = await execPromise("which pgai");
+        const execPath = await execFilePromise("which", ["pgai"]);
         pgaiPath = execPath.stdout.trim();
       } catch {
         // Fallback to just "pgai" if which fails
@@ -4724,8 +4760,8 @@ mcp
         console.log("Installing PostgresAI MCP server for Claude Code...");
 
         try {
-          const { stdout, stderr } = await execPromise(
-            `claude mcp add -s user postgresai ${pgaiPath} mcp start`
+          const { stdout, stderr } = await execFilePromise(
+            "claude", ["mcp", "add", "-s", "user", "postgresai", pgaiPath, "mcp", "start"]
           );
 
           if (stdout) console.log(stdout);

package/bun.lock

@@ -6,7 +6,7 @@
       "name": "postgresai",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.20.2",
-        "commander": "^12.1.0",
+        "commander": "^14.0.3",
         "js-yaml": "^4.1.0",
         "pg": "^8.16.3",
       },
@@ -16,7 +16,7 @@
         "@types/pg": "^8.15.6",
         "ajv": "^8.17.1",
         "ajv-formats": "^3.0.1",
-        "typescript": "^5.9.3",
+        "typescript": "^6.0.2",
       },
     },
   },
@@ -51,7 +51,7 @@
 
     "call-bound": ["call-bound@1.0.4", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "get-intrinsic": "^1.3.0" } }, "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg=="],
 
-    "commander": ["commander@12.1.0", "", {}, "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA=="],
+    "commander": ["commander@14.0.3", "", {}, "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw=="],
 
     "content-disposition": ["content-disposition@1.0.0", "", { "dependencies": { "safe-buffer": "5.2.1" } }, "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg=="],
 
@@ -233,7 +233,7 @@
 
     "type-is": ["type-is@2.0.1", "", { "dependencies": { "content-type": "^1.0.5", "media-typer": "^1.1.0", "mime-types": "^3.0.0" } }, "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw=="],
 
-    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+    "typescript": ["typescript@6.0.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw=="],
 
     "undici-types": ["undici-types@5.26.5", "", {}, "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="],