Fail closed on partial PG auth and remove eval

[nicosuave]

Summary

• fail closed when PG server auth is only partially configured
• enforce the same partial-auth guard in direct PG server startup
• remove shell eval from the Docker entrypoint and keep argument passing explicit
• add focused coverage for partial auth handling and entrypoint hardening

Validation

• uv run pytest -v tests/server/test_connection.py tests/test_cli_commands.py
• uv run ruff check sidemantic/server/connection.py sidemantic/server/server.py sidemantic/cli.py tests/server/test_connection.py tests/test_cli_commands.py
• uv run ruff format --check sidemantic/server/connection.py sidemantic/server/server.py sidemantic/cli.py tests/server/test_connection.py tests/test_cli_commands.py
• sh -n docker-entrypoint.sh

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2658e13e37

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Delete temp argv file before exec

This script writes all container args to ENTRYPOINT_ARGS_FILE, but cleanup relies on an EXIT trap while every mode ends with exec "$@"; in POSIX shells, exec replaces the shell process without running EXIT traps. That means the temp file is left behind for the container lifetime, which can persist sensitive CLI args (for example --auth-token) on disk and also causes avoidable /tmp buildup across restarts. Remove the file explicitly before each exec (or avoid serializing args to disk) so credentials are not retained.

Useful? React with 👍 / 👎.