fix: include postgres instance ports in validation check

This ensures all instances (database and service) avoid
port conflicts.

Author: rshoemaker

server/internal/api/apiv1/validate.go

@@ -129,10 +129,11 @@ func validateDatabaseSpec(spec *api.DatabaseSpec) error {
 	// Validate orchestrator_opts (spec-level)
 	errs = append(errs, validateOrchestratorOpts(spec.OrchestratorOpts, []string{"orchestrator_opts"})...)
 
-	// Validate services
-	seenServiceIDs := make(ds.Set[string], len(spec.Services))
+	// Validate services — seed portOwner with Postgres ports so services can't collide with the database.
 	portOwner := make(servicePortOwnerMap)
+	seedPostgresPorts(spec, portOwner)
 
+	seenServiceIDs := make(ds.Set[string], len(spec.Services))
 	for i, svc := range spec.Services {
 		svcPath := []string{"services", arrayIndexPath(i)}
 
@@ -199,10 +200,13 @@ func validateDatabaseUpdate(old *database.Spec, new *api.DatabaseSpec) error {
 		existingServiceIDs.Add(svc.ServiceID)
 	}
 
+	// Seed portOwner with Postgres ports so services can't collide with the database.
+	portOwner := make(servicePortOwnerMap)
+	seedPostgresPorts(new, portOwner)
+
 	// Validate each service. Pass isUpdate=false for services being added for the
 	// first time so that bootstrap-only fields are accepted. For service types that
 	// have no bootstrap fields (e.g. postgrest) the flag has no effect.
-	portOwner := make(servicePortOwnerMap)
 	for i, svc := range new.Services {
 		svcPath := []string{"services", arrayIndexPath(i)}
 		isExistingService := existingServiceIDs.Has(string(svc.ServiceID))
@@ -484,6 +488,24 @@ func validateUsers(users []*api.DatabaseUserSpec, path []string) []error {
 	return errs
 }
 
+// seedPostgresPorts registers each node's effective Postgres port in the
+// portOwner map so that service port validation can detect collisions with
+// the database. A node-level port override (node.Port) takes precedence
+// over the spec-level default (spec.Port).
+func seedPostgresPorts(spec *api.DatabaseSpec, owner servicePortOwnerMap) {
+	for _, node := range spec.Nodes {
+		pgPort := utils.FromPointer(spec.Port)
+		if node.Port != nil {
+			pgPort = *node.Port
+		}
+		if pgPort > 0 {
+			for _, hostID := range node.HostIds {
+				owner[hostPort{hostID: string(hostID), port: pgPort}] = "postgres"
+			}
+		}
+	}
+}
+
 // hostPort identifies a unique (host, port) binding for cross-service
 // port conflict detection.
 type hostPort struct {

server/internal/api/apiv1/validate_test.go

@@ -817,6 +817,99 @@ func TestValidateDatabaseSpec(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "invalid service port conflicts with postgres port",
+			spec: &api.DatabaseSpec{
+				DatabaseName:    "testdb",
+				PostgresVersion: utils.PointerTo("17.6"),
+				Port:            utils.PointerTo(5432),
+				Nodes: []*api.DatabaseNodeSpec{
+					{
+						Name:    "n1",
+						HostIds: []api.Identifier{"host-1"},
+					},
+				},
+				Services: []*api.ServiceSpec{
+					{
+						ServiceID:   "mcp-server",
+						ServiceType: "mcp",
+						Version:     "1.0.0",
+						HostIds:     []api.Identifier{"host-1"},
+						Port:        utils.PointerTo(5432),
+						Config: map[string]any{
+							"llm_enabled":       true,
+							"llm_provider":      "anthropic",
+							"llm_model":         "claude-sonnet-4-5",
+							"anthropic_api_key": "sk-ant-...",
+						},
+					},
+				},
+			},
+			expected: []string{
+				`port 5432 conflicts with service "postgres" on the same host`,
+			},
+		},
+		{
+			name: "invalid service port conflicts with node-level postgres port override",
+			spec: &api.DatabaseSpec{
+				DatabaseName:    "testdb",
+				PostgresVersion: utils.PointerTo("17.6"),
+				Nodes: []*api.DatabaseNodeSpec{
+					{
+						Name:    "n1",
+						HostIds: []api.Identifier{"host-1"},
+						Port:    utils.PointerTo(5433),
+					},
+				},
+				Services: []*api.ServiceSpec{
+					{
+						ServiceID:   "mcp-server",
+						ServiceType: "mcp",
+						Version:     "1.0.0",
+						HostIds:     []api.Identifier{"host-1"},
+						Port:        utils.PointerTo(5433),
+						Config: map[string]any{
+							"llm_enabled":       true,
+							"llm_provider":      "anthropic",
+							"llm_model":         "claude-sonnet-4-5",
+							"anthropic_api_key": "sk-ant-...",
+						},
+					},
+				},
+			},
+			expected: []string{
+				`port 5433 conflicts with service "postgres" on the same host`,
+			},
+		},
+		{
+			name: "valid service port on different host than postgres",
+			spec: &api.DatabaseSpec{
+				DatabaseName:    "testdb",
+				PostgresVersion: utils.PointerTo("17.6"),
+				Port:            utils.PointerTo(5432),
+				Nodes: []*api.DatabaseNodeSpec{
+					{
+						Name:    "n1",
+						HostIds: []api.Identifier{"host-1"},
+					},
+				},
+				Services: []*api.ServiceSpec{
+					{
+						ServiceID:   "mcp-server",
+						ServiceType: "mcp",
+						Version:     "1.0.0",
+						HostIds:     []api.Identifier{"host-2"},
+						Port:        utils.PointerTo(5432),
+						Config: map[string]any{
+							"llm_enabled":       true,
+							"llm_provider":      "anthropic",
+							"llm_model":         "claude-sonnet-4-5",
+							"anthropic_api_key": "sk-ant-...",
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "invalid with service validation errors",
 			spec: &api.DatabaseSpec{