mainsync

.github/workflows/build-tarballs.yml

@@ -131,14 +131,30 @@ jobs:
         include:
           - platform: linux-x64-glibc
             runner:   ubuntu-latest
-          - platform: linux-x64-musl
-            runner:   ubuntu-latest
+          # linux-x64-musl dropped: @embedded-postgres publishes NO musl
+          # build (only glibc linux-x64 + linux-arm64), and no
+          # AUTOPG_POSTGRES_URL_TEMPLATE repo var is configured, so every
+          # musl fetch died "no @embedded-postgres pkg ... set
+          # AUTOPG_POSTGRES_URL_TEMPLATE". A missing artifact also sinks
+          # sign-attest's aggregate (same failure mode as darwin-x64).
+          # Re-add when a musl postgres source (URL template / self-hosted
+          # cache) exists — tracked follow-up.
           - platform: linux-arm64
             # GitHub-hosted ARM64 runners; falls back to QEMU emulation
             # if the org has not yet enabled ubuntu-24.04-arm runners.
             runner:   ubuntu-24.04-arm
-          - platform: darwin-x64
-            runner:   macos-13
+          # BRIEF-v3-build-fix Bug #2: darwin-x64 is intentionally NOT in
+          # this matrix. Its only viable hosted runner is `macos-13` (the
+          # last Intel macOS image — macos-14/15 are Apple Silicon), and
+          # the org's macOS runners are chronically unavailable, so the job
+          # sat `queued` forever holding the run-level conclusion `null`.
+          # That masked real failures AND, because a missing
+          # `autopg-*-darwin-x64` artifact fails sign-attest's `aggregate`
+          # (needs:[sign], no `if: always()`), it silently sank the entire
+          # signed-release chain. Dropping it lets the 4 buildable
+          # platforms publish a real signed release. Intel-macOS support is
+          # a tracked follow-up (re-add with a self-hosted/available Intel
+          # runner, or cross-build darwin-x64 + sign on darwin-arm64).
           - platform: darwin-arm64
             runner:   macos-latest
 

.github/workflows/release-publish.yml

@@ -271,7 +271,7 @@ jobs:
             "version": "${VERSION}",
             "released_at": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
             "tarball_base": "https://github.com/${{ github.repository }}/releases/download/v${VERSION}",
-            "platforms": ["linux-x64-glibc","linux-x64-musl","linux-arm64","darwin-x64","darwin-arm64"]
+            "platforms": ["linux-x64-glibc","linux-arm64","darwin-arm64"]
           }
           EOF
           done

.github/workflows/release.yml

@@ -37,6 +37,12 @@ concurrency:
 
 permissions:
   contents: write
+  actions: write    # the bump job's "Kick build-tarballs" step calls
+                    # `gh workflow run build-tarballs.yml` — creating a
+                    # workflow_dispatch event needs actions:write or the
+                    # default GITHUB_TOKEN gets HTTP 403 "Resource not
+                    # accessible by integration" (Bug #3 follow-up: the
+                    # dispatch step failed for v3.0.3 with exactly this).
   id-token: write   # required so the reusable `version.yml` workflow can mint
                     # the OIDC token for npm Trusted Publishing — without this,
                     # GH rejects the workflow at parse time (startup_failure)
@@ -89,6 +95,39 @@ jobs:
           git tag -a "${TAG}" -m "release ${TAG}"
           git push origin HEAD --follow-tags
 
+      # BRIEF-v3-build-fix Bug #3: the bump commit carries `[skip ci]` (a
+      # required bot-loop guard — the prepare gate filters that same marker
+      # so the push of this commit does NOT retrigger release.yml). But
+      # GitHub's skip-ci suppression ALSO applies to the *tag* push event,
+      # so `build-tarballs.yml` (on: push tags v*) never fires → the
+      # signed-release chain (build-tarballs → sign-attest →
+      # release-publish) silently never starts. This hit v2.7.0, v3.0.0,
+      # v3.0.2 (all tagged, none published anything).
+      #
+      # Fix: dispatch build-tarballs explicitly against the freshly-pushed
+      # tag. workflow_dispatch is NOT subject to skip-ci, GITHUB_TOKEN is
+      # permitted to start it, and `--ref ${TAG}` makes every job in the
+      # chain check out the tagged tree. `[skip ci]` stays intact.
+      - name: Kick build-tarballs for the tag (skip-ci-immune)
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          VERSION="${{ steps.bump.outputs.version }}"
+          TAG="${{ steps.bump.outputs.tag }}"
+          # Tag refs need a beat to register before the API accepts --ref.
+          for i in 1 2 3 4 5; do
+            if gh workflow run build-tarballs.yml \
+                 --ref "${TAG}" \
+                 -f version="${VERSION}"; then
+              echo "Dispatched build-tarballs.yml @ ${TAG} (version=${VERSION})"
+              exit 0
+            fi
+            echo "build-tarballs dispatch attempt ${i} failed; retrying in 10s"
+            sleep 10
+          done
+          echo "::error::could not dispatch build-tarballs.yml for ${TAG}"
+          exit 1
+
   # ---------------------------------------------------------------------------
   # Prepare: resolve version, skip if tag already exists, build changelog.
   #

.github/workflows/sign-attest.yml

@@ -81,9 +81,15 @@ jobs:
       matrix:
         platform:
           - linux-x64-glibc
-          - linux-x64-musl
+          # linux-x64-musl dropped in lockstep with build-tarballs.yml
+          # (no @embedded-postgres musl package). A download-artifact for a
+          # tarball that was never built fails this leg and skips aggregate.
           - linux-arm64
-          - darwin-x64
+          # darwin-x64 dropped in lockstep with build-tarballs.yml — see
+          # the Bug #2 comment there. A `download-artifact` for a tarball
+          # build-tarballs never produced would fail this matrix leg, and
+          # the `aggregate` job (needs:[sign]) would be skipped, taking the
+          # whole release-publish chain down with it.
           - darwin-arm64
 
     steps:
@@ -248,8 +254,11 @@ jobs:
         with:
           cosign-release: 'v2.4.1'
 
-      - name: Install slsa-verifier
-        uses: slsa-framework/slsa-verifier/actions/installer@v2.6.0
+      # slsa-verifier removed: it only verifies slsa-github-generator
+      # (intoto:0.0.2) provenance and rejects every actions/attest-build-
+      # provenance bundle ("unexpected tlog entry type: got dsse:0.0.1").
+      # verify-published-artifacts.sh now uses `gh attestation verify`
+      # (gh is preinstalled on GitHub runners).
 
       - name: Aggregate manifest.json
         shell: bash
@@ -263,6 +272,7 @@ jobs:
         shell: bash
         env:
           AUTOPG_SOURCE_URI: github.com/${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}   # gh attestation verify (provenance gate)
         run: |
           bash scripts/verify-published-artifacts.sh dist/
 

.well-known/latest.json

@@ -0,0 +1,8 @@
+{
+  "schema_version": 1,
+  "channel": "stable",
+  "version": "3.0.7",
+  "released_at": "2026-05-22T17:18:27Z",
+  "tarball_base": "https://github.com/automagik-dev/autopg/releases/download/v3.0.7",
+  "platforms": ["linux-x64-glibc","linux-arm64","darwin-arm64"]
+}

CHANGELOG.md

@@ -1,3 +1,15 @@
+## v3.0.1 — build-tarballs fix
+
+**Fixed:** `scripts/fetch-postgres-bins.sh` RETURN trap leaked globally (no `set -o functrace`) and aborted every per-platform build under `set -u` (`scratch: unbound variable`). This blocked the v3.0.0 build chain entirely; v3.0.1 is the first published v3 release (v3.0.0 tag never produced assets).
+
+## v3.0.0 — autopg (org transfer + bootstrap repair)
+
+**Changed:** Repository transferred `namastexlabs/pgserve` → `automagik-dev/autopg` (transfer + rename). Old URLs 301-redirect. `src/cosign/trust-list.js` self-trust regex flipped to `automagik-dev/autopg` — v3+ binaries verify v3+ releases signed under the new org identity.
+
+**Fixed:** `install.sh` fresh-host bootstrap, broken independent of the transfer: correct `autopg-*` asset names with glibc/musl detection, `gh api` latest-resolution (the unauthenticated `curl|sed` path returned empty), correct extracted layout (`autopg/autopg`) plus a `~/.local/bin/autopg` symlink, and a `cosign verify-blob` fallback with a dual-org identity regexp so hosts on `gh < 2.49` can still cryptographically verify the current `latest` (signed pre-transfer under the old org).
+
+**Note:** the npm `pgserve` package remains on v2.6.10 as legacy LTS for `@withone/cli` — not deprecated.
+
 ## v2.2.x — Transparent Upgrade
 
 **Added:** `autopg upgrade` CLI verb — idempotent migration runner that reconciles port back to canonical 8432, flushes the binary cache against the pinned PG version, re-resolves the plpgsql `.so` path per database, refreshes `~/.autopg/<app>.env` files, signals consumers, and validates final health.

bin/autopg-cli.js

@@ -0,0 +1,123 @@
+#!/usr/bin/env bun
+
+/**
+ * autopg-cli — the unified entry point for the COMPILED single-binary
+ * distribution (BRIEF-v3-build-fix blocker #10).
+ *
+ * `scripts/build-binary.sh` compiles THIS file with `bun build --compile`.
+ * The tarball's `autopg` IS this module.
+ *
+ * Why this exists: the npm package's bin (`bin/autopg-wrapper.cjs`) is a
+ * node launcher that resolves an external `bun` from node_modules and
+ * spawns it on `bin/postgres-server.js` for the long-running paths, while
+ * routing the pure-node operator verbs (install / verify / doctor / …)
+ * in-process through `src/cli-install.cjs`. That spawn-external-bun model
+ * cannot exist inside a single compiled binary — there is no node_modules
+ * and the binary already IS the runtime. Before this entry, the build
+ * compiled bare `postgres-server.js`, so the tarball `autopg` only knew
+ * `--version` / `postmaster` / `serve` and every operator verb (and
+ * install.sh's own final `autopg install`) exited 1 with a help dump.
+ *
+ * This entry mirrors the wrapper's dispatch, MINUS the bun-spawn:
+ *   - `--version` / `-v`         → print `autopg <version>` (exit 0)
+ *   - install/operator verbs     → src/cli-install.cjs `dispatch()` in
+ *                                  process. The supervised postmaster
+ *                                  command is THIS executable
+ *                                  (`process.execPath`) invoked with
+ *                                  `postmaster` — pm2 runs it under
+ *                                  `--interpreter none`, and the binary
+ *                                  handles `postmaster` natively.
+ *   - postmaster/serve/help/…    → delegate to bin/postgres-server.js
+ *                                  (re-used as a module; it reads argv).
+ *
+ * Keep the verb set in sync with bin/autopg-wrapper.cjs's
+ * __installSubcommands — that file remains the npm-path dispatcher.
+ */
+
+import cliInstall from '../src/cli-install.cjs';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+
+const args = process.argv.slice(2);
+const sub = args[0];
+
+// `autopg --version` / `-v` — MUST exit 0 with `autopg <version>`.
+// Same contract + version source as bin/postgres-server.js (the bun
+// `--define BUILD_VERSION` literal in the compiled binary, package.json
+// fallback otherwise). `typeof` on an undeclared id is the one safe form.
+if (sub === '--version' || sub === '-v') {
+  process.stdout.write(`autopg ${resolveVersion()}\n`);
+  process.exit(0);
+}
+
+// Mirror of bin/autopg-wrapper.cjs __installSubcommands (the authoritative
+// npm-path routing). These are pure node + child_process — no bun, no
+// running PG backend — so they run in-process here.
+const INSTALL_SUBCOMMANDS = new Set([
+  'install',
+  'uninstall',
+  'status',
+  'url',
+  'port',
+  'config',
+  'update',
+  'restart',
+  'ui',
+  'verify',
+  'doctor',
+  'trust',
+  'gc',
+  'provision',
+  'create-app',
+]);
+
+if (sub && INSTALL_SUBCOMMANDS.has(sub)) {
+  // In the compiled binary, the postmaster the supervisor (pm2) must run
+  // is THIS executable with `postmaster`. process.execPath is the compiled
+  // binary path; buildPm2StartArgs() does
+  //   pm2 start <scriptPath> --interpreter none -- postmaster …
+  // so pm2 execs `<self> postmaster …`, which the binary handles.
+  const self = process.execPath;
+  const result = cliInstall.dispatch(sub, process.argv.slice(3), {
+    scriptPath: self,
+    wrapperPath: self,
+  });
+
+  // dispatch() returns either a number (sync verbs) or a Promise (async
+  // verbs: uninstall/doctor/verify/trust/gc/provision/create-app/update).
+  // Mirror the wrapper's dual handling + the EADDRINUSE double-print guard.
+  if (result && typeof result.then === 'function') {
+    result.then(
+      (code) => process.exit(typeof code === 'number' ? code : 0),
+      (err) => {
+        if (err && err.code !== 'EADDRINUSE') {
+          process.stderr.write(`autopg: ${err?.message ?? err}\n`);
+        }
+        if (process.exitCode === undefined || process.exitCode === 0) {
+          process.exitCode = 1;
+        }
+      },
+    );
+  } else {
+    process.exit(typeof result === 'number' ? result : 0);
+  }
+} else {
+  // postmaster / serve / --help / help / empty / unknown flags →
+  // bin/postgres-server.js owns this surface (it reads process.argv and
+  // dispatches, including its own `serve`→`postmaster` alias + the
+  // EX_USAGE-style unknown-verb exit). Re-used as a module so there is a
+  // single postmaster implementation.
+  await import('./postgres-server.js');
+}
+
+function resolveVersion() {
+  if (typeof BUILD_VERSION !== 'undefined' && BUILD_VERSION) return BUILD_VERSION;
+  try {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(readFileSync(join(here, '..', 'package.json'), 'utf8'));
+    return pkg.version || '0.0.0';
+  } catch {
+    return '0.0.0';
+  }
+}

bin/autopg-wrapper.cjs

@@ -52,6 +52,8 @@ const __installSubcommands = new Set([
   'update',
   'restart',
   'ui',
+  // Admin Basic Auth password rotation / admin path; pure node, same dispatcher.
+  'auth',
   // pgserve singleton (v2.4) — `pgserve-singleton-no-proxy` wish, Group 4.
   // `verify` shells out to cosign + writes an HMAC cache token. Pure node
   // (no bun) so it must skip the bun probe like the install surface above.

bin/postgres-server.js

@@ -19,6 +19,9 @@ import { PostgresManager } from '../src/postgres.js';
 import { resolveSocketDir, ensureSocketDir } from '../src/lib/socket-dir.js';
 import { writeRuntimeJson, clearRuntimeJson } from '../src/lib/runtime-json.js';
 import { createLogger } from '../src/logger.js';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
 
 // Global error handlers — surface unhandled rejections + uncaught errors
 // loud so a process supervisor (pm2 / systemd-user / launchd) restarts the
@@ -33,6 +36,26 @@ process.on('uncaughtException', (error) => {
 
 const args = process.argv.slice(2);
 
+// `autopg --version` / `-v` — MUST exit 0 with `autopg <version>`.
+//
+// This entry point is what `scripts/build-binary.sh` compiles via
+// `bun build --compile` (the tarball's `autopg` binary IS this file),
+// AND what `bin/autopg-wrapper.cjs` spawns through bun for the npm path.
+// Both surfaces previously fell through to `printHelp()` + `exit(1)` —
+// `tests/integration/tarball-smoke.sh` swallowed the stderr and reported
+// the generic "autopg binary not executable", masking the real cause
+// (no `--version` handler ever existed). See BRIEF-v3-build-fix Bug #1a.
+//
+// Version source: build-binary.sh injects `--define BUILD_VERSION="'<v>'"`,
+// so in the compiled binary the bare `BUILD_VERSION` token is replaced with
+// a string literal. `typeof` on an undeclared identifier is the one safe
+// form in JS (returns 'undefined' without throwing), so the non-compiled
+// wrapper path falls back to package.json cleanly.
+if (args[0] === '--version' || args[0] === '-v') {
+  process.stdout.write(`autopg ${resolveVersion()}\n`);
+  process.exit(0);
+}
+
 if (args[0] === 'postmaster') {
   await runPostmasterSubcommand(args.slice(1));
 } else if (args[0] === 'serve') {
@@ -218,6 +241,20 @@ no router, no bun proxy, no daemon control socket.
   return opts;
 }
 
+function resolveVersion() {
+  // Compiled binary: bun's `--define` already replaced BUILD_VERSION with a
+  // string literal. `typeof <undeclared>` is the only reference form that
+  // can't throw, so the non-compiled (wrapper/dev) path falls through here.
+  if (typeof BUILD_VERSION !== 'undefined' && BUILD_VERSION) return BUILD_VERSION;
+  try {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(readFileSync(join(here, '..', 'package.json'), 'utf8'));
+    return pkg.version || '0.0.0';
+  } catch {
+    return '0.0.0';
+  }
+}
+
 function printHelp() {
   process.stdout.write(`
 pgserve — Embedded PostgreSQL Server (singleton, v2.4+)

knip.json

@@ -3,6 +3,7 @@
   "entry": [
     "src/index.js",
     "bin/postgres-server.js",
+    "bin/autopg-cli.js",
     "bin/autopg-wrapper.cjs",
     "src/update/index.js",
     "src/commands/**",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "autopg",
-  "version": "2.7.0",
+  "version": "3.0.7",
   "description": "Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases",
   "main": "src/index.js",
   "type": "module",
@@ -55,6 +55,7 @@
   "optionalDependencies": {
     "@embedded-postgres/darwin-arm64": "18.3.0-beta.17",
     "@embedded-postgres/darwin-x64": "18.3.0-beta.17",
+    "@embedded-postgres/linux-arm64": "18.3.0-beta.17",
     "@embedded-postgres/linux-x64": "18.3.0-beta.17",
     "@embedded-postgres/windows-x64": "18.3.0-beta.17"
   },