feat(cli): auto-generate monitoring password in init

- Default to generated password (no interactive prompt)

- Still allow --password / PGAI_MON_PASSWORD overrides

- Print generated password once for safe copy

Author: Nik Samokhvalov

cli/README.md

@@ -59,7 +59,7 @@ npx postgresai init -h host -p 5432 -U admin -d dbname
 Password input options (in priority order):
 - `--password <password>`
 - `PGAI_MON_PASSWORD` environment variable
-- interactive prompt (TTY only)
+- if not provided: a strong password is generated automatically and printed once
 
 Optional permissions (RDS/self-managed extras from the root `README.md`) are enabled by default. To skip them:
 

cli/bin/postgres-ai.ts

@@ -159,20 +159,6 @@ program
       return;
     }
 
-    let monPassword: string;
-    try {
-      monPassword = await resolveMonitoringPassword({
-        passwordFlag: opts.password,
-        passwordEnv: process.env.PGAI_MON_PASSWORD,
-        monitoringUser: opts.monitoringUser,
-      });
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      console.error(`✗ ${msg}`);
-      process.exitCode = 1;
-      return;
-    }
-
     const includeOptionalPermissions = !opts.skipOptionalPermissions;
 
     console.log(`Connecting to: ${adminConn.display}`);
@@ -197,6 +183,25 @@ program
         throw new Error("Failed to resolve current database name");
       }
 
+      let monPassword: string;
+      try {
+        const resolved = await resolveMonitoringPassword({
+          passwordFlag: opts.password,
+          passwordEnv: process.env.PGAI_MON_PASSWORD,
+          monitoringUser: opts.monitoringUser,
+        });
+        monPassword = resolved.password;
+        if (resolved.generated) {
+          console.log(`Generated password for monitoring user ${opts.monitoringUser}: ${monPassword}`);
+          console.log("Store it securely (or rerun with --password / PGAI_MON_PASSWORD to set your own).");
+        }
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`✗ ${msg}`);
+        process.exitCode = 1;
+        return;
+      }
+
       const plan = await buildInitPlan({
         database,
         monitoringUser: opts.monitoringUser,

cli/lib/init.ts

@@ -1,4 +1,5 @@
 import * as readline from "readline";
+import { randomBytes } from "crypto";
 import { URL } from "url";
 import type { Client as PgClient } from "pg";
 
@@ -268,31 +269,25 @@ export async function promptHidden(prompt: string): Promise<string> {
   });
 }
 
+function generateMonitoringPassword(): string {
+  // URL-safe and easy to copy/paste; length ~32 chars.
+  return randomBytes(24).toString("base64url");
+}
+
 export async function resolveMonitoringPassword(opts: {
   passwordFlag?: string;
   passwordEnv?: string;
   prompt?: (prompt: string) => Promise<string>;
   monitoringUser: string;
-}): Promise<string> {
+}): Promise<{ password: string; generated: boolean }> {
   const fromFlag = (opts.passwordFlag || "").trim();
-  if (fromFlag) return fromFlag;
+  if (fromFlag) return { password: fromFlag, generated: false };
 
   const fromEnv = (opts.passwordEnv || "").trim();
-  if (fromEnv) return fromEnv;
-
-  if (!process.stdin.isTTY) {
-    throw new Error(
-      "Monitoring user password is required in non-interactive mode (use --password or PGAI_MON_PASSWORD)"
-    );
-  }
+  if (fromEnv) return { password: fromEnv, generated: false };
 
-  const prompter = opts.prompt || promptHidden;
-  while (true) {
-    const pw = (await prompter(`Enter password for monitoring user ${opts.monitoringUser}: `)).trim();
-    if (pw) return pw;
-    // eslint-disable-next-line no-console
-    console.error("Password cannot be empty");
-  }
+  // Default: auto-generate (safer than prompting; works in non-interactive mode).
+  return { password: generateMonitoringPassword(), generated: true };
 }
 
 export async function buildInitPlan(params: {