fix: CLI sslmode=prefer behavior, CI publish improvements, and schema fixes

Changes

1. CLI: Implement sslmode=prefer behavior for all connections

The init command was failing with "SSL required" (error 08P01) when connecting to databases with varying SSL configurations.

Root cause: node-postgres handles SSL differently than libpq (psql) — it doesn't have sslmode=prefer fallback behavior.

Fix: Implement sslmode=prefer-like behavior for all connections:

  • Tries SSL first, falls back to non-SSL if server doesn't support it
  • Works consistently for both localhost and remote connections
  • Strips sslmode from connection URI to ensure our ssl config object is used (not overridden by URI parameter)
  • Respects explicit sslmode in connection strings (?sslmode=require or ?sslmode=disable)
  • Supports PGSSLMODE environment variable override

2. CLI: Security vulnerability fixes

Updated dependencies to resolve:

  • @modelcontextprotocol/sdk: 1.20.2 → 1.25.1 (high severity DNS rebinding protection)
  • body-parser: 2.2.0 → 2.2.1 (moderate severity DoS via url encoding)
  • js-yaml: 4.1.0 → 4.1.1 (moderate severity prototype pollution)
  • ajv: 6.12.6 → 8.17.1
  • zod: 3.25.76 → 4.2.1

3. CI: Split npm publish into two separate jobs

  • cli:npm:publish — publishes postgresai package
  • cli:npm:publish-wrapper — waits for registry propagation, then publishes pgai wrapper
  • Both jobs are idempotent (skip if version already published)
  • Wrapper job waits up to 60s for main package to be available on npm
  • If wrapper fails, can retry just that job without re-publishing main package

4. Reporter: F004/F005 schema fixes

Added missing fields to bloat report schemas:

  • F004 (heap bloat): fillfactor, last_vacuum, last_vacuum_epoch
  • F005 (btree bloat): fillfactor, last_vacuum, last_vacuum_epoch, real_size, real_size_pretty, table_size, table_size_pretty

5. Chore: Update .cursor rules submodule

Testing

  • All 28 CLI tests pass
  • Tested SSL connection against real PgBouncer endpoint
  • npm audit shows 0 vulnerabilities

Files changed

  • cli/lib/init.ts — SSL handling with fallback logic, URI stripping
  • cli/bin/postgres-ai.ts — help text updates, use connectWithSslFallback
  • cli/package-lock.json — dependency updates
  • .gitlab-ci.yml — split publish into two jobs
  • reporter/schemas/F004.schema.json — add missing fields
  • reporter/schemas/F005.schema.json — add missing fields
  • .cursor — submodule update
Edited by Nikolay Samokhvalov
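
The sslmode=prefer behavior described in item 1, as an added example that is not code from this merge request or from the project. `resolveSslPlan`, `connectWithPlan` and the injected `connect` function are hypothetical names; the precedence of URI over PGSSLMODE and the unverified TLS settings are assumptions modeled on libpq.

```javascript
// Added example, not the project's code. resolveSslPlan and connectWithPlan are
// hypothetical names; `connect` is an injected stand-in for a node-postgres connect.
function resolveSslPlan(connectionUri, env = process.env) {
  const url = new URL(connectionUri);
  // Assumed precedence (libpq's order): URI parameter, then PGSSLMODE, then prefer.
  const mode = url.searchParams.get("sslmode") || env.PGSSLMODE || "prefer";
  // Strip sslmode so the URI parameter cannot override the ssl config object.
  url.searchParams.delete("sslmode");
  // Assumption: encrypt without certificate verification, as libpq's prefer does.
  const tls = { rejectUnauthorized: false };
  const attemptsByMode = new Map([
    ["disable", [false]],      // plaintext only
    ["require", [tls]],        // TLS only, never downgrade
    ["prefer", [tls, false]],  // TLS first, plaintext only if the server has no SSL
  ]);
  const attempts = attemptsByMode.get(mode);
  // Fail closed on modes this sketch does not model (allow, verify-ca, verify-full).
  if (!attempts) throw new Error(`unsupported sslmode: ${mode}`);
  return { mode, uri: url.toString(), attempts };
}

// Message node-postgres raises when the server answers the SSL request with "N".
const NO_SSL = /server does not support SSL/i;

async function connectWithPlan(plan, connect) {
  let lastError;
  for (const ssl of plan.attempts) {
    try {
      const client = await connect({ connectionString: plan.uri, ssl });
      return { client, encrypted: ssl !== false };
    } catch (err) {
      lastError = err;
      // Only "no SSL on this server" may trigger the next attempt; auth, network
      // and certificate errors propagate instead of causing a silent downgrade.
      if (!NO_SSL.test(String(err && err.message))) throw err;
    }
  }
  throw lastError;
}

// Constructed demo: a fake server that refuses SSL, so prefer ends up unencrypted.
const fakeConnect = async ({ ssl }) => {
  if (ssl) throw new Error("The server does not support SSL connections");
  return { connected: true };
};
connectWithPlan(resolveSslPlan("postgresql://u@localhost/db", {}), fakeConnect)
  .then((r) => console.log("encrypted:", r.encrypted));
```

Because prefer accepts a plaintext fallback, connections that cross an untrusted network should set sslmode=require explicitly.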
