Merge branch 'fix/cli-init-ssl-support' into 'main'

fix: CLI sslmode=prefer behavior, CI publish improvements, and schema fixes

See merge request postgres-ai/postgres_ai!108

Author: NikolayS

.cursor

@@ -133,6 +133,62 @@ cli:node:tests:
   rules:
     - if: '$CI_COMMIT_BRANCH'
 
+# Shared script for version parsing (used by both publish jobs)
+.cli_npm_version_script: &cli_npm_version_script |
+  set -euo pipefail
+  : "${NPM_TOKEN:?NPM_TOKEN is required to publish}"
+
+  # Supported tag formats (examples):
+  # - v0.14.0-dev.1
+  # - 0.14.0-dev.1
+  # - 0.14-dev.1          (normalized to 0.14.0-dev.1)
+  # - 0.14.0-rc.1
+  # - v0.14.0            (stable, published to latest)
+  RAW_TAG="${CI_COMMIT_TAG:-${CI_COMMIT_REF_NAME:-}}"
+  if [ -z "$RAW_TAG" ]; then
+    echo "CI_COMMIT_TAG is empty"
+    exit 1
+  fi
+
+  TAG_VERSION="$RAW_TAG"
+  TAG_VERSION="${TAG_VERSION#v}"
+
+  # Normalize 0.14-dev.1 -> 0.14.0-dev.1 (also for beta/rc)
+  if printf '%s' "$TAG_VERSION" | grep -Eq '^[0-9]+\.[0-9]+-(dev|beta|rc)\.[0-9]+$'; then
+    TAG_VERSION="$(printf '%s' "$TAG_VERSION" | sed -E 's/^([0-9]+\.[0-9]+)-((dev|beta|rc)\.[0-9]+)$/\1.0-\2/')"
+  fi
+
+  DIST_TAG=""
+  if printf '%s' "$TAG_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+-(dev|beta|rc)\.[0-9]+$'; then
+    DIST_TAG="$(printf '%s' "$TAG_VERSION" | sed -E 's/^.*-(dev|beta|rc)\.[0-9]+$/\1/')"
+  elif printf '%s' "$TAG_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+    DIST_TAG="latest"
+  fi
+
+  if [ "$DIST_TAG" != "dev" ] && [ "$DIST_TAG" != "beta" ] && [ "$DIST_TAG" != "rc" ] && [ "$DIST_TAG" != "latest" ]; then
+    echo "Unsupported tag/version: $TAG_VERSION (expected X.Y.Z, X.Y.Z-dev.N, X.Y.Z-beta.N, or X.Y.Z-rc.N)"
+    exit 1
+  fi
+
+  # Configure npm auth without committing credentials
+  printf "//registry.npmjs.org/:_authToken=%s\n" "$NPM_TOKEN" > ~/.npmrc
+
+  # Helper: check if package version exists on npm
+  pkg_exists() {
+    npm view "$1@$2" version >/dev/null 2>&1
+  }
+
+.cli_npm_publish_rules:
+  rules:
+    # prereleases (also allow patchless X.Y-dev.N, normalized in script)
+    - if: '$CI_COMMIT_TAG =~ /^v?\d+\.\d+(\.\d+)?-(dev|beta|rc)\.\d+$/'
+    # stable releases
+    - if: '$CI_COMMIT_TAG =~ /^v?\d+\.\d+\.\d+$/'
+    # GitLab "Run pipeline" UI ("web" pipelines) often doesn't populate tag vars consistently.
+    # Keep this job available manually so the pipeline is never empty; the script validates the ref name.
+    - if: '$CI_PIPELINE_SOURCE == "web"'
+      when: manual
+
 cli:npm:publish:
   stage: publish
   image: node:20-bullseye
@@ -144,72 +200,67 @@ cli:npm:publish:
     - corepack enable || true
     - node -v && npm -v
   script:
+    - *cli_npm_version_script
     - |
-      set -euo pipefail
-      : "${NPM_TOKEN:?NPM_TOKEN is required to publish}"
-
-      # Supported tag formats (examples):
-      # - v0.14.0-dev.1
-      # - 0.14.0-dev.1
-      # - 0.14-dev.1          (normalized to 0.14.0-dev.1)
-      # - 0.14.0-rc.1
-      # - v0.14.0            (stable, published to latest)
-      RAW_TAG="${CI_COMMIT_TAG:-${CI_COMMIT_REF_NAME:-}}"
-      if [ -z "$RAW_TAG" ]; then
-        echo "CI_COMMIT_TAG is empty"
-        exit 1
-      fi
-
-      TAG_VERSION="$RAW_TAG"
-      TAG_VERSION="${TAG_VERSION#v}"
-
-      # Normalize 0.14-dev.1 -> 0.14.0-dev.1 (also for beta/rc)
-      if printf '%s' "$TAG_VERSION" | grep -Eq '^[0-9]+\.[0-9]+-(dev|beta|rc)\.[0-9]+$'; then
-        TAG_VERSION="$(printf '%s' "$TAG_VERSION" | sed -E 's/^([0-9]+\.[0-9]+)-((dev|beta|rc)\.[0-9]+)$/\1.0-\2/')"
-      fi
-
-      DIST_TAG=""
-      if printf '%s' "$TAG_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+-(dev|beta|rc)\.[0-9]+$'; then
-        DIST_TAG="$(printf '%s' "$TAG_VERSION" | sed -E 's/^.*-(dev|beta|rc)\.[0-9]+$/\1/')"
-      elif printf '%s' "$TAG_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
-        DIST_TAG="latest"
-      fi
-
-      if [ "$DIST_TAG" != "dev" ] && [ "$DIST_TAG" != "beta" ] && [ "$DIST_TAG" != "rc" ] && [ "$DIST_TAG" != "latest" ]; then
-        echo "Unsupported tag/version: $TAG_VERSION (expected X.Y.Z, X.Y.Z-dev.N, X.Y.Z-beta.N, or X.Y.Z-rc.N)"
-        exit 1
-      fi
-
-      # Configure npm auth without committing credentials
-      printf "//registry.npmjs.org/:_authToken=%s\n" "$NPM_TOKEN" > ~/.npmrc
-
       echo "Publishing postgresai@${TAG_VERSION} to dist-tag ${DIST_TAG}"
       cd cli
       npm ci --no-audit --no-fund
-      # Make the git tag the source of truth without committing version bumps.
       npm version --no-git-tag-version "$TAG_VERSION"
       npm run build
-      npm publish --tag "$DIST_TAG" --access public
+      if pkg_exists "postgresai" "$TAG_VERSION"; then
+        echo "postgresai@${TAG_VERSION} already published, skipping"
+      else
+        npm publish --tag "$DIST_TAG" --access public
+      fi
+  after_script:
+    - rm -f ~/.npmrc
+  extends: .cli_npm_publish_rules
+
+cli:npm:publish-wrapper:
+  stage: publish
+  image: node:20-bullseye
+  needs: [cli:npm:publish]
+  variables:
+    GIT_STRATEGY: fetch
+    NPM_CONFIG_AUDIT: "false"
+    NPM_CONFIG_FUND: "false"
+  before_script:
+    - corepack enable || true
+    - node -v && npm -v
+  script:
+    - *cli_npm_version_script
+    - |
+      # Wait for postgresai to be available on npm (max 60s)
+      wait_for_pkg() {
+        local pkg="$1" ver="$2" i=0
+        while [ $i -lt 12 ]; do
+          if pkg_exists "$pkg" "$ver"; then
+            echo "✓ $pkg@$ver is available on npm"
+            return 0
+          fi
+          echo "Waiting for $pkg@$ver to be available on npm..."
+          sleep 5
+          i=$((i + 1))
+        done
+        echo "✗ Timeout waiting for $pkg@$ver"
+        return 1
+      }
+
+      wait_for_pkg "postgresai" "$TAG_VERSION"
 
       echo "Publishing pgai@${TAG_VERSION} (wrapper) to dist-tag ${DIST_TAG}"
-      cd ../pgai
-      # Update version + dependency so `npx pgai@<tag>` pulls the matching postgresai version.
+      cd pgai
       npm pkg set "dependencies.postgresai=$TAG_VERSION"
       npm version --no-git-tag-version "$TAG_VERSION"
-      # No lockfile: use npm install here.
-      npm install --no-audit --no-fund
-      npm publish --tag "$DIST_TAG" --access public
+      if pkg_exists "pgai" "$TAG_VERSION"; then
+        echo "pgai@${TAG_VERSION} already published, skipping"
+      else
+        npm install --no-audit --no-fund
+        npm publish --tag "$DIST_TAG" --access public
+      fi
   after_script:
     - rm -f ~/.npmrc
-  rules:
-    # prereleases (also allow patchless X.Y-dev.N, normalized in script)
-    - if: '$CI_COMMIT_TAG =~ /^v?\d+\.\d+(\.\d+)?-(dev|beta|rc)\.\d+$/'
-    # stable releases
-    - if: '$CI_COMMIT_TAG =~ /^v?\d+\.\d+\.\d+$/'
-    # GitLab "Run pipeline" UI ("web" pipelines) often doesn't populate tag vars consistently.
-    # Keep this job available manually so the pipeline is never empty; the script validates the ref name.
-    - if: '$CI_PIPELINE_SOURCE == "web"'
-      when: manual
+  extends: .cli_npm_publish_rules
 
 cli:node:e2e:dind:
   stage: test

.gitlab-ci.yml

@@ -16,7 +16,7 @@ import { Client } from "pg";
 import { startMcpServer } from "../lib/mcp-server";
 import { fetchIssues, fetchIssueComments, createIssueComment, fetchIssue } from "../lib/issues";
 import { resolveBaseUrls } from "../lib/util";
-import { applyInitPlan, buildInitPlan, DEFAULT_MONITORING_USER, redactPasswordsInSql, resolveAdminConnection, resolveMonitoringPassword, verifyInitSetup } from "../lib/init";
+import { applyInitPlan, buildInitPlan, connectWithSslFallback, DEFAULT_MONITORING_USER, redactPasswordsInSql, resolveAdminConnection, resolveMonitoringPassword, verifyInitSetup } from "../lib/init";
 
 const execPromise = promisify(exec);
 const execFilePromise = promisify(execFile);
@@ -151,9 +151,15 @@ program
       "  If auto-generated, it is printed only on TTY by default.",
       "  To print it in non-interactive mode: --print-password",
       "",
+      "SSL connection (sslmode=prefer behavior):",
+      "  Tries SSL first, falls back to non-SSL if server doesn't support it.",
+      "  To force SSL: PGSSLMODE=require or ?sslmode=require in URL",
+      "  To disable SSL: PGSSLMODE=disable or ?sslmode=disable in URL",
+      "",
       "Environment variables (libpq standard):",
       "  PGHOST, PGPORT, PGUSER, PGDATABASE  — connection defaults",
       "  PGPASSWORD                          — admin password",
+      "  PGSSLMODE                           — SSL mode (disable, require, verify-full)",
       "  PGAI_MON_PASSWORD                   — monitoring password",
       "",
       "Inspect SQL without applying changes:",
@@ -265,8 +271,8 @@ program
     // Use native pg client instead of requiring psql to be installed
     let client: Client | undefined;
     try {
-      client = new Client(adminConn.clientConfig);
-      await client.connect();
+      const connResult = await connectWithSslFallback(Client, adminConn);
+      client = connResult.client;
 
       const dbRes = await client.query("select current_database() as db");
       const database = dbRes.rows?.[0]?.db;