fix: prevent password and connection string leaking in --help output

bpaf's env() renders the current env var value in --help, e.g.
[env:PGPASSWORD = "secret"]. Remove env() from sensitive fields
(password, connection_string) and use from_env() merge in the CLI
path instead, matching the LSP approach.

Author: psteinroe

crates/pgls_cli/src/commands/mod.rs

@@ -196,14 +196,10 @@ pub enum PgLSCommand {
     /// Writes to stdout by default, or to a file if --output is specified.
     #[bpaf(command("schema-export"))]
     SchemaExport {
-        /// PostgreSQL connection string (e.g., postgres://user:pass@host/db)
-        #[bpaf(
-            env("DATABASE_URL"),
-            long("connection-string"),
-            short('c'),
-            argument("URL")
-        )]
-        connection_string: String,
+        /// PostgreSQL connection string (e.g., postgres://user:pass@host/db).
+        /// Can also be set via the `DATABASE_URL` environment variable.
+        #[bpaf(long("connection-string"), short('c'), argument("URL"), optional)]
+        connection_string: Option<String>,
 
         /// Output file path for the JSON schema (defaults to stdout if not specified)
         #[bpaf(long("output"), short('o'), argument("PATH"))]

crates/pgls_cli/src/lib.rs

@@ -144,6 +144,14 @@ impl<'app> CliSession<'app> {
                 connection_string,
                 output,
             } => {
+                let connection_string = connection_string
+                    .or_else(|| std::env::var("DATABASE_URL").ok())
+                    .ok_or_else(|| {
+                        CliDiagnostic::missing_argument(
+                            "--connection-string (or DATABASE_URL env var)",
+                            "schema-export",
+                        )
+                    })?;
                 let runtime = tokio::runtime::Runtime::new().map_err(CliDiagnostic::io_error)?;
                 runtime.block_on(commands::schema_export::run_schema_export(
                     &connection_string,
@@ -197,6 +205,16 @@ impl<'app> CliSession<'app> {
             configuration.merge_with(cli_config);
         }
 
+        // Env vars take highest priority — merge last so they override everything.
+        if let Some(env_db) = pgls_configuration::database::PartialDatabaseConfiguration::from_env()
+        {
+            let env_config = PartialConfiguration {
+                db: Some(env_db),
+                ..Default::default()
+            };
+            configuration.merge_with(env_config);
+        }
+
         Ok(configuration)
     }
 

crates/pgls_configuration/src/database.rs

@@ -11,29 +11,35 @@ use serde::{Deserialize, Serialize};
 pub struct DatabaseConfiguration {
     /// A connection string that encodes the full connection setup.
     /// When provided, it takes precedence over the individual fields.
-    #[partial(bpaf(env("DATABASE_URL"), long("connection-string")))]
+    /// Can also be set via the `DATABASE_URL` environment variable.
+    #[partial(bpaf(long("connection-string")))]
     pub connection_string: Option<String>,
 
     /// The host of the database.
     /// Required if you want database-related features.
     /// All else falls back to sensible defaults.
-    #[partial(bpaf(env("PGHOST"), long("host")))]
+    /// Can also be set via the `PGHOST` environment variable.
+    #[partial(bpaf(long("host")))]
     pub host: String,
 
     /// The port of the database.
-    #[partial(bpaf(env("PGPORT"), long("port")))]
+    /// Can also be set via the `PGPORT` environment variable.
+    #[partial(bpaf(long("port")))]
     pub port: u16,
 
     /// The username to connect to the database.
-    #[partial(bpaf(env("PGUSER"), long("username")))]
+    /// Can also be set via the `PGUSER` environment variable.
+    #[partial(bpaf(long("username")))]
     pub username: String,
 
     /// The password to connect to the database.
-    #[partial(bpaf(env("PGPASSWORD"), long("password")))]
+    /// Can also be set via the `PGPASSWORD` environment variable.
+    #[partial(bpaf(long("password")))]
     pub password: String,
 
     /// The name of the database.
-    #[partial(bpaf(env("PGDATABASE"), long("database")))]
+    /// Can also be set via the `PGDATABASE` environment variable.
+    #[partial(bpaf(long("database")))]
     pub database: String,
 
     #[partial(bpaf(long("allow_statement_executions_against")))]