cli: dedupe init missing-connection output

Author: NikolayS

README.md

@@ -63,35 +63,17 @@ Experience the full monitoring solution: **https://demo.postgres.ai** (login: `d
 - Supports Postgres versions 14-18
 - **pg_stat_statements extension must be created** for the DB used for connection
 
-## ⚠️ Security Notice
-
-**WARNING: Security is your responsibility!**
-
-This monitoring solution exposes several ports that **MUST** be properly firewalled:
-- **Port 3000** (Grafana) - Contains sensitive database metrics and dashboards
-- **Port 58080** (PGWatch Postgres) - Database monitoring interface  
-- **Port 58089** (PGWatch Prometheus) - Database monitoring interface
-- **Port 59090** (Victoria Metrics) - Metrics storage and queries
-- **Port 59091** (PGWatch Prometheus endpoint) - Metrics collection
-- **Port 55000** (Flask API) - Backend API service
-- **Port 55432** (Demo DB) - When using `--demo` option
-- **Port 55433** (Metrics DB) - Postgres metrics storage
-
-**Configure your firewall to:**
-- Block public access to all monitoring ports
-- Allow access only from trusted networks/IPs
-- Use VPN or SSH tunnels for remote access
-
-Failure to secure these ports may expose sensitive database information!
-
 ## 🚀 Quick start
 
 Create a database user for monitoring (skip this if you want to just check out `postgres_ai` monitoring with a synthetic `demo` database).
 
 Use the CLI to create/update the monitoring role and grant all required permissions (idempotent):
 
 ```bash
-# Connect as an admin/superuser and apply required permissions.
+# Connect as an admin/superuser and run the idempotent setup:
+# - create/update the monitoring role
+# - create required view(s)
+# - apply required grants (and optional extensions where supported)
 # Admin password comes from PGPASSWORD (libpq standard) unless you pass --admin-password.
 #
 # Monitoring password:
@@ -132,17 +114,14 @@ If you want to see what will be executed first, use `--print-sql` (prints the SQ
 npx postgresai init --print-sql
 ```
 
-Optionally, to render the plan for a specific database and/or show the password literal:
+Optionally, to render the plan for a specific database:
 
 ```bash
 # Pick database (default is PGDATABASE or "postgres"):
 npx postgresai init --print-sql -d dbname
 
-# Provide an explicit monitoring password (still redacted unless you opt in):
+# Provide an explicit monitoring password (still redacted in output):
 npx postgresai init --print-sql -d dbname --password '...'
-
-# Dangerous: print secrets in the SQL output:
-npx postgresai init --print-sql -d dbname --password '...' --show-secrets
 ```
 
 ### Troubleshooting
@@ -161,7 +140,7 @@ If you see errors like `permission denied` / `insufficient_privilege` / code `42
 - **Review SQL before running** (audit-friendly):
 
     ```bash
-    npx postgresai init --print-sql -d mydb --password '...' --show-secrets
+    npx postgresai init --print-sql -d mydb
     ```
 
 **One command setup:**
@@ -191,6 +170,27 @@ Or if you want to just check out how it works:
 
 That's it! Everything is installed, configured, and running.
 
+## ⚠️ Security Notice
+
+**WARNING: Security is your responsibility!**
+
+This monitoring solution exposes several ports that **MUST** be properly firewalled:
+- **Port 3000** (Grafana) - Contains sensitive database metrics and dashboards
+- **Port 58080** (PGWatch Postgres) - Database monitoring interface  
+- **Port 58089** (PGWatch Prometheus) - Database monitoring interface
+- **Port 59090** (Victoria Metrics) - Metrics storage and queries
+- **Port 59091** (PGWatch Prometheus endpoint) - Metrics collection
+- **Port 55000** (Flask API) - Backend API service
+- **Port 55432** (Demo DB) - When using `--demo` option
+- **Port 55433** (Metrics DB) - Postgres metrics storage
+
+**Configure your firewall to:**
+- Block public access to all monitoring ports
+- Allow access only from trusted networks/IPs
+- Use VPN or SSH tunnels for remote access
+
+Failure to secure these ports may expose sensitive database information!
+
 ## 📊 What you get
 
 - **Grafana Dashboards** - Visual monitoring at http://localhost:3000

cli/README.md

@@ -29,7 +29,7 @@ brew install postgresai
 
 ## Usage
 
-The CLI provides three command aliases:
+The `postgresai` package provides two command aliases (prefer `postgresai`):
 ```bash
 postgres-ai --help
 postgresai --help
@@ -41,9 +41,17 @@ You can also run it without installing via `npx`:
 npx postgresai --help
 ```
 
+### Optional shorthand: `pgai`
+
+If you want `npx pgai ...` as a shorthand for `npx postgresai ...`, install the separate `pgai` wrapper package:
+
+```bash
+npx pgai --help
+```
+
 ## init (create monitoring user in Postgres)
 
-This command creates (or updates) the `postgres_ai_mon` user and grants the permissions described in the root `README.md` (it is idempotent).
+This command creates (or updates) the `postgres_ai_mon` user, creates the required view(s), and grants the permissions described in the root `README.md` (it is idempotent). Where supported, it also enables observability extensions described there.
 
 Run without installing (positional connection string):
 

cli/bin/postgres-ai.ts

@@ -120,7 +120,7 @@ program
 
 program
   .command("init [conn]")
-  .description("Create a monitoring user and grant all required permissions (idempotent)")
+  .description("Create a monitoring user, required view(s), and grant required permissions (idempotent)")
   .option("--db-url <url>", "PostgreSQL connection URL (admin) to run the setup against (deprecated; pass it as positional arg)")
   .option("-h, --host <host>", "PostgreSQL host (psql-like)")
   .option("-p, --port <port>", "PostgreSQL port (psql-like)")
@@ -133,7 +133,6 @@ program
   .option("--verify", "Verify that monitoring role/permissions are in place (no changes)", false)
   .option("--reset-password", "Reset monitoring role password only (no other changes)", false)
   .option("--print-sql", "Print SQL plan and exit (no changes applied)", false)
-  .option("--show-secrets", "When printing SQL, do not redact secrets (DANGEROUS)", false)
   .option("--print-password", "Print generated monitoring password (DANGEROUS in CI logs)", false)
   .addHelpText(
     "after",
@@ -167,7 +166,7 @@ program
       "  postgresai init <conn> --reset-password --password '...'",
       "",
       "Offline SQL plan (no DB connection):",
-      "  postgresai init --print-sql -d dbname --password '...' --show-secrets",
+      "  postgresai init --print-sql",
     ].join("\n")
   )
   .action(async (conn: string | undefined, opts: {
@@ -183,7 +182,6 @@ program
     verify?: boolean;
     resetPassword?: boolean;
     printSql?: boolean;
-    showSecrets?: boolean;
     printPassword?: boolean;
   }, cmd: Command) => {
     if (opts.verify && opts.resetPassword) {
@@ -198,23 +196,19 @@ program
     }
 
     const shouldPrintSql = !!opts.printSql;
-    const shouldRedactSecrets = !opts.showSecrets;
-    const redactPasswords = (sql: string): string => {
-      if (!shouldRedactSecrets) return sql;
-      // Replace PASSWORD '<literal>' (handles doubled quotes inside).
-      return redactPasswordsInSql(sql);
-    };
+    const redactPasswords = (sql: string): string => redactPasswordsInSql(sql);
 
     // Offline mode: allow printing SQL without providing/using an admin connection.
-    // Useful for audits/reviews; caller can provide -d/PGDATABASE and an explicit monitoring password.
+    // Useful for audits/reviews; caller can provide -d/PGDATABASE.
     if (!conn && !opts.dbUrl && !opts.host && !opts.port && !opts.username && !opts.adminPassword) {
       if (shouldPrintSql) {
         const database = (opts.dbname ?? process.env.PGDATABASE ?? "postgres").trim();
         const includeOptionalPermissions = !opts.skipOptionalPermissions;
 
-        // Use explicit password/env if provided; otherwise use a placeholder (will be redacted unless --show-secrets).
+        // Use explicit password/env if provided; otherwise use a placeholder.
+        // Printed SQL always redacts secrets.
         const monPassword =
-          (opts.password ?? process.env.PGAI_MON_PASSWORD ?? "CHANGE_ME").toString();
+          (opts.password ?? process.env.PGAI_MON_PASSWORD ?? "<redacted>").toString();
 
         const plan = await buildInitPlan({
           database,
@@ -232,9 +226,7 @@ program
           console.log(redactPasswords(step.sql));
         }
         console.log("\n--- end SQL plan ---\n");
-        if (shouldRedactSecrets) {
-          console.log("Note: passwords are redacted in the printed SQL (use --show-secrets to print them).");
-        }
+        console.log("Note: passwords are redacted in the printed SQL output.");
         return;
       }
     }
@@ -367,9 +359,7 @@ program
           console.log(redactPasswords(step.sql));
         }
         console.log("\n--- end SQL plan ---\n");
-        if (shouldRedactSecrets) {
-          console.log("Note: passwords are redacted in the printed SQL (use --show-secrets to print them).");
-        }
+              console.log("Note: passwords are redacted in the printed SQL output.");
         return;
       }
 

cli/lib/init.ts

@@ -1,4 +1,3 @@
-import * as readline from "readline";
 import { randomBytes } from "crypto";
 import { URL } from "url";
 import type { ConnectionOptions as TlsConnectionOptions } from "tls";
@@ -223,19 +222,8 @@ export function resolveAdminConnection(opts: {
   }
 
   if (!hasConnDetails) {
-    throw new Error(
-      [
-        "Connection is required.",
-        "",
-        "Examples:",
-        "  postgresai init postgresql://admin@host:5432/dbname",
-        "  postgresai init \"dbname=dbname host=host user=admin\"",
-        "  postgresai init -h host -p 5432 -U admin -d dbname",
-        "",
-        "Admin password:",
-        "  --admin-password <password>  (or set PGPASSWORD)",
-      ].join("\n")
-    );
+    // Keep this message short: the CLI prints full help (including examples) on this error.
+    throw new Error("Connection is required.");
   }
 
   const cfg: PgClientConfig = {};
@@ -254,72 +242,6 @@ export function resolveAdminConnection(opts: {
   return { clientConfig: cfg, display: describePgConfig(cfg) };
 }
 
-export async function promptHidden(prompt: string): Promise<string> {
-  // Implement our own hidden input reader so:
-  // - prompt text is visible
-  // - only user input is masked
-  // - we don't rely on non-public readline internals
-  if (!process.stdin.isTTY) {
-    throw new Error("Cannot prompt for password in non-interactive mode");
-  }
-
-  const stdin = process.stdin;
-  const stdout = process.stdout as NodeJS.WriteStream;
-
-  stdout.write(prompt);
-
-  return await new Promise<string>((resolve, reject) => {
-    let value = "";
-
-    const cleanup = () => {
-      try {
-        stdin.setRawMode(false);
-      } catch {
-        // ignore
-      }
-      stdin.removeListener("keypress", onKeypress);
-    };
-
-    const onKeypress = (str: string, key: any) => {
-      if (key?.ctrl && key?.name === "c") {
-        stdout.write("\n");
-        cleanup();
-        reject(new Error("Cancelled"));
-        return;
-      }
-
-      if (key?.name === "return" || key?.name === "enter") {
-        stdout.write("\n");
-        cleanup();
-        resolve(value);
-        return;
-      }
-
-      if (key?.name === "backspace") {
-        if (value.length > 0) {
-          value = value.slice(0, -1);
-          // Erase one mask char.
-          stdout.write("\b \b");
-        }
-        return;
-      }
-
-      // Ignore other control keys.
-      if (key?.ctrl || key?.meta) return;
-
-      if (typeof str === "string" && str.length > 0) {
-        value += str;
-        stdout.write("*");
-      }
-    };
-
-    readline.emitKeypressEvents(stdin);
-    stdin.setRawMode(true);
-    stdin.on("keypress", onKeypress);
-    stdin.resume();
-  });
-}
-
 function generateMonitoringPassword(): string {
   // URL-safe and easy to copy/paste; 24 bytes => 32 base64url chars (no padding).
   // Note: randomBytes() throws on failure; we add a tiny sanity check for unexpected output.
@@ -333,7 +255,6 @@ function generateMonitoringPassword(): string {
 export async function resolveMonitoringPassword(opts: {
   passwordFlag?: string;
   passwordEnv?: string;
-  prompt?: (prompt: string) => Promise<string>;
   monitoringUser: string;
 }): Promise<{ password: string; generated: boolean }> {
   const fromFlag = (opts.passwordFlag || "").trim();

cli/test/init.test.cjs

@@ -173,8 +173,8 @@ test("resolveAdminConnection rejects when only PGPASSWORD is provided (no connec
   assert.throws(() => init.resolveAdminConnection({ envPassword: "pw" }), /Connection is required/);
 });
 
-test("resolveAdminConnection error message includes examples", () => {
-  assert.throws(() => init.resolveAdminConnection({}), /Examples:/);
+test("resolveAdminConnection rejects when connection is missing", () => {
+  assert.throws(() => init.resolveAdminConnection({}), /Connection is required/);
 });
 
 test("cli: init with missing connection prints init help/options", () => {

pgai/README.md

@@ -0,0 +1,21 @@
+# pgai
+
+`pgai` is a thin wrapper around the [`postgresai`](../cli/README.md) CLI, intended to provide a short command name.
+
+## Usage
+
+Run without installing:
+
+```bash
+npx pgai --help
+npx pgai init postgresql://admin@host:5432/dbname
+```
+
+This is equivalent to:
+
+```bash
+npx postgresai --help
+npx postgresai init postgresql://admin@host:5432/dbname
+```
+
+