Honor PostgreSQL TLS settings in pool key

[arsis-dev]

Summary

• Include PostgreSQL ssl_mode in the pool key so cached pools are scoped by the selected TLS mode.
• Include PostgreSQL ssl_ca in the pool key for verify-ca and verify-full, where the connector actually uses a CA file.
• Add regression coverage for PostgreSQL pool-key changes while keeping SQLite unaffected by TLS fields.

Context

This is a follow-up to #263. PostgreSQL pool creation already honors ssl_mode and ssl_ca, but the shared pool key only varied by TLS settings for MySQL. After editing a PostgreSQL connection from one TLS mode or CA path to another, the main connection path could reuse an incompatible cached pool.

I did not find an existing open issue or PR for this exact PostgreSQL pool-key scoping bug. Related items checked:

• Honor MySQL SSL mode in connection setup #263: MySQL SSL mode propagation and pool-key scoping
• [Bug]: PostgreSQL on AWS RDS — initial connect OK, health-check ping fails repeatedly with "error performing TLS handshake" #166 / fix(postgres): switch deadpool TLS to rustls + honor ssl_ca (closes #166) #167: PostgreSQL rustls/CA handling in pool creation

This is intentionally scoped to PostgreSQL pool-key construction and does not change PostgreSQL TLS connector behavior.

Validation

• cargo test postgres_pool_key_changes_when_ssl -> 2 passed
• cargo test pool_manager -> 23 passed
• git diff --check -> passed
• npm --cache /tmp/gitnexus-npm-cache exec --yes gitnexus -- analyze -> indexed successfully, 11,576 nodes / 21,769 edges / 300 flows
• npm --cache /tmp/gitnexus-npm-cache exec --yes gitnexus -- impact build_connection_key --direction upstream -> CRITICAL risk, 74 impacted symbols, 5 direct callers, 6 affected flows
• npm --cache /tmp/gitnexus-npm-cache exec --yes gitnexus -- detect-changes --scope compare --base-ref main -> medium risk, 6 changed symbols, 4 affected flows

[kilo-code-bot]

SUGGESTION: Use "require" instead of "required" for PostgreSQL SSL mode

The test now validates PostgreSQL-specific pool-key behavior, but "required" is a MySQL-style mode name. PostgreSQL uses "require". All other PostgreSQL tests in this file already use "require", so updating this keeps the test consistent and avoids confusing future maintainers.

Suggested change

	let required = connection_params("postgres", Some("required"));
	let required = connection_params("postgres", Some("require"));

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

The previously reported typo ("required" → "require") in src-tauri/src/pool_manager_tests.rs has been fixed.

Files Reviewed (2 files)

• src-tauri/src/pool_manager.rs
• src-tauri/src/pool_manager_tests.rs

---

_{Reviewed by kimi-k2.6-20260420 · 155,470 tokens}

[NewtTheWolf]

LGTM 🚀 @arsis-dev @debba — verified the key matches what build_postgres_tls_connector actually consumes: ssl_mode always, ssl_ca only for verify-ca/verify-full, and ssl_cert/ssl_key correctly omitted since the PG connector uses with_no_client_auth(). Any over-scoping only costs a redundant pool, never a wrongly-shared one. Nice test coverage too.

[debba]

Thanks a lot @arsis-dev and @NewtTheWolf for the review
I will merge it

[arsis-dev]

Thanks to you @debba! 🙏 Tabularis has been really useful and inspiring to me. I really appreciate your work.

[debba]

Always welcome to contribute!
Feel free to create a PRs and join in our Discord server if you want!