pg_sql_triggers 1.3.0 → 1.4.0

data/lib/pg_sql_triggers/drift/detector.rb

@@ -11,27 +11,7 @@ module PgSqlTriggers
         def detect(trigger_name)
           registry_entry = TriggerRegistry.find_by(trigger_name: trigger_name)
           db_trigger = DbQueries.find_trigger(trigger_name)
-
-          # State 1: DISABLED - Registry entry disabled
-          return disabled_state(registry_entry, db_trigger) if registry_entry&.enabled == false
-
-          # State 2: MANUAL_OVERRIDE - Marked as manual SQL
-          return manual_override_state(registry_entry, db_trigger) if registry_entry&.source == "manual_sql"
-
-          # State 3: DROPPED - Registry entry exists, DB trigger missing
-          return dropped_state(registry_entry) if registry_entry && !db_trigger
-
-          # State 4: UNKNOWN - DB trigger exists, no registry entry
-          return unknown_state(db_trigger) if !registry_entry && db_trigger
-
-          # State 5: DRIFTED - Checksum mismatch
-          if registry_entry && db_trigger
-            checksum_match = checksums_match?(registry_entry, db_trigger)
-            return drifted_state(registry_entry, db_trigger) unless checksum_match
-          end
-
-          # State 6: IN_SYNC - Everything matches
-          in_sync_state(registry_entry, db_trigger)
+          detect_with_preloaded(registry_entry, db_trigger)
         end
 
         # Detect drift for all triggers
@@ -39,13 +19,14 @@ module PgSqlTriggers
           registry_entries = TriggerRegistry.all.to_a
           db_triggers = DbQueries.all_triggers
 
-          # Check each registry entry
+          db_trigger_map = db_triggers.index_by { |t| t["trigger_name"] }
+
           results = registry_entries.map do |entry|
-            detect(entry.trigger_name)
+            detect_with_preloaded(entry, db_trigger_map[entry.trigger_name])
           end
 
           # Find unknown (external) triggers not in registry
-          registry_trigger_names = registry_entries.map(&:trigger_name)
+          registry_trigger_names = registry_entries.to_set(&:trigger_name)
           db_triggers.each do |db_trigger|
             next if registry_trigger_names.include?(db_trigger["trigger_name"])
 
@@ -60,13 +41,14 @@ module PgSqlTriggers
           registry_entries = TriggerRegistry.for_table(table_name).to_a
           db_triggers = DbQueries.find_triggers_for_table(table_name)
 
-          # Check each registry entry for this table
+          db_trigger_map = db_triggers.index_by { |t| t["trigger_name"] }
+
           results = registry_entries.map do |entry|
-            detect(entry.trigger_name)
+            detect_with_preloaded(entry, db_trigger_map[entry.trigger_name])
           end
 
           # Find unknown triggers on this table
-          registry_trigger_names = registry_entries.map(&:trigger_name)
+          registry_trigger_names = registry_entries.to_set(&:trigger_name)
           db_triggers.each do |db_trigger|
             next if registry_trigger_names.include?(db_trigger["trigger_name"])
 
@@ -78,6 +60,20 @@ module PgSqlTriggers
 
         private
 
+        # Core state computation using pre-loaded data — no additional DB queries.
+        def detect_with_preloaded(registry_entry, db_trigger)
+          return disabled_state(registry_entry, db_trigger) if registry_entry&.enabled == false
+          return manual_override_state(registry_entry, db_trigger) if registry_entry&.source == "manual_sql"
+          return dropped_state(registry_entry) if registry_entry && !db_trigger
+          return unknown_state(db_trigger) if !registry_entry && db_trigger
+
+          if registry_entry && db_trigger && !checksums_match?(registry_entry, db_trigger)
+            return drifted_state(registry_entry, db_trigger)
+          end
+
+          in_sync_state(registry_entry, db_trigger)
+        end
+
         # Compare registry checksum with calculated DB checksum
         def checksums_match?(registry_entry, db_trigger)
           db_checksum = calculate_db_checksum(registry_entry, db_trigger)
@@ -86,32 +82,39 @@ module PgSqlTriggers
 
         # Calculate checksum from DB trigger (must match registry algorithm)
         def calculate_db_checksum(registry_entry, db_trigger)
-          # Extract function body from the function definition
-          function_body = extract_function_body(db_trigger)
+          function_body = if registry_entry.source == "dsl"
+                            db_trigger["function_definition"] || ""
+                          else
+                            extract_function_body(db_trigger) || ""
+                          end
 
-          # Extract condition from trigger definition
+          # Extract condition and for_each granularity from trigger definition
           condition = extract_trigger_condition(db_trigger)
+          db_for_each = extract_trigger_for_each(db_trigger)
 
           # Use same algorithm as TriggerRegistry#calculate_checksum
           Digest::SHA256.hexdigest([
             registry_entry.trigger_name,
             registry_entry.table_name,
             registry_entry.version,
-            function_body || "",
-            condition || ""
+            function_body,
+            condition || "",
+            registry_entry.timing || "before",
+            db_for_each || "row"
           ].join)
         end
 
-        # Extract function body from pg_get_functiondef output
+        # Extract just the PL/pgSQL body from pg_get_functiondef output.
+        # pg_get_functiondef() returns the full CREATE OR REPLACE FUNCTION statement;
+        # we extract only the content between the dollar-quote delimiters so the
+        # comparison is format-agnostic (handles $$ and $function$ styles).
         def extract_function_body(db_trigger)
           function_def = db_trigger["function_definition"]
           return nil unless function_def
 
-          # The function definition includes CREATE OR REPLACE FUNCTION header
-          # We need to extract just the body for comparison
-          # For now, return the full definition
-          # TODO: Parse and extract just the body if needed
-          function_def
+          # Match any dollar-quoted string: $tag$body$tag$ (tag may be empty)
+          match = function_def.match(/\$([^$]*)\$(.*?)\$\1\$/m)
+          match ? match[2].strip : function_def.strip
         end
 
         # Extract WHEN condition from trigger definition
@@ -125,6 +128,16 @@ module PgSqlTriggers
           match ? match[1].strip : nil
         end
 
+        # Extract FOR EACH ROW / FOR EACH STATEMENT from trigger definition.
+        # Returns "row" or "statement" (lowercase). Defaults to "row".
+        def extract_trigger_for_each(db_trigger)
+          trigger_def = db_trigger["trigger_definition"]
+          return "row" unless trigger_def
+
+          match = trigger_def.match(/FOR\s+EACH\s+(ROW|STATEMENT)/i)
+          match ? match[1].downcase : "row"
+        end
+
         # State helper methods
         def disabled_state(registry_entry, db_trigger)
           {

data/lib/pg_sql_triggers/dsl/trigger_definition.rb

@@ -3,16 +3,18 @@
 module PgSqlTriggers
   module DSL
     class TriggerDefinition
-      attr_accessor :name, :table_name, :events, :function_name, :environments, :condition
+      attr_accessor :name, :table_name, :events, :function_name, :environments, :condition, :version, :enabled
+      attr_reader :timing, :for_each
 
       def initialize(name)
         @name = name
         @events = []
         @version = 1
-        @enabled = false
+        @enabled = true
         @environments = []
         @condition = nil
         @timing = "before"
+        @for_each = "row"
       end
 
       def table(table_name)
@@ -27,23 +29,22 @@ module PgSqlTriggers
         @function_name = function_name
       end
 
-      def version(version = nil)
-        if version.nil?
-          @version
-        else
-          @version = version
-        end
+      def timing=(val)
+        @timing = val.to_s
       end
 
-      def enabled(enabled = nil)
-        if enabled.nil?
-          @enabled
-        else
-          @enabled = enabled
-        end
+      def for_each_row
+        @for_each = "row"
+      end
+
+      def for_each_statement
+        @for_each = "statement"
       end
 
       def when_env(*environments)
+        warn "[DEPRECATION] `when_env` is deprecated and will be removed in a future version. " \
+             "Environment-specific trigger behavior causes schema drift between environments. " \
+             "Use application-level configuration instead."
         @environments = environments.map(&:to_s)
       end
 
@@ -51,14 +52,6 @@ module PgSqlTriggers
         @condition = condition_sql
       end
 
-      def timing(timing_value = nil)
-        if timing_value.nil?
-          @timing
-        else
-          @timing = timing_value.to_s
-        end
-      end
-
       def function_body
         nil # DSL definitions don't include function_body directly
       end
@@ -73,7 +66,8 @@ module PgSqlTriggers
           enabled: @enabled,
           environments: @environments,
           condition: @condition,
-          timing: @timing
+          timing: @timing,
+          for_each: @for_each
         }
       end
     end

data/lib/pg_sql_triggers/engine.rb

@@ -25,5 +25,19 @@ module PgSqlTriggers
     rake_tasks do
       load root.join("lib/tasks/trigger_migrations.rake")
     end
+
+    # Warn at startup if no permission_checker is set in a protected environment.
+    # The default is to allow all actions (including admin-level ones), which is
+    # unsafe in production without an explicit checker configured.
+    config.after_initialize do
+      if PgSqlTriggers.permission_checker.nil? && defined?(Rails) && Rails.env.production?
+        Rails.logger.warn(
+          "[PgSqlTriggers] SECURITY WARNING: No permission_checker is configured. " \
+          "All actions are permitted by default, including admin-level operations " \
+          "(drop_trigger, execute_sql, override_drift). " \
+          "Set PgSqlTriggers.permission_checker in an initializer before deploying to production."
+        )
+      end
+    end
   end
 end

data/lib/pg_sql_triggers/migrator/pre_apply_comparator.rb

@@ -12,25 +12,24 @@ module PgSqlTriggers
         # Compare expected state from migration with actual database state
         # Returns a comparison result with diff information
         def compare(migration_instance, direction: :up)
-          expected = extract_expected_state(migration_instance, direction)
+          captured_sql = capture_sql(migration_instance, direction)
+          compare_sql(captured_sql)
+        end
+
+        # Compare using pre-captured SQL (avoids re-instantiating the migration class).
+        # Returns a comparison result with diff information.
+        def compare_sql(captured_sql)
+          expected = parse_sql_to_state(captured_sql)
           actual = extract_actual_state(expected)
           generate_diff(expected, actual)
         end
 
         private
 
-        # Extract expected SQL and state from migration instance
-        def extract_expected_state(migration_instance, direction)
-          captured_sql = capture_sql(migration_instance, direction)
-          parse_sql_to_state(captured_sql)
-        end
-
         # Capture SQL that would be executed by the migration
         def capture_sql(migration_instance, direction)
           captured = []
 
-          # Override execute to capture SQL instead of executing
-          # Since we use a separate instance for comparison, we don't need to restore
           migration_instance.define_singleton_method(:execute) do |sql|
             captured << sql.to_s.strip
           end

data/lib/pg_sql_triggers/migrator/safety_validator.rb

@@ -34,26 +34,41 @@ module PgSqlTriggers
           raise UnsafeOperationError.new(error_message, violations)
         end
 
+        # Validate using pre-captured SQL (avoids re-instantiating the migration class).
+        # Raises UnsafeOperationError if unsafe patterns are detected.
+        def validate_sql!(captured_sql, direction: :up, allow_unsafe: false) # rubocop:disable Lint/UnusedMethodArgument
+          return if allow_unsafe
+
+          violations = detect_unsafe_patterns_from_sql(captured_sql)
+          return if violations.empty?
+
+          error_message = build_error_message(violations, "(migration)")
+          raise UnsafeOperationError.new(error_message, violations)
+        end
+
         # Detect unsafe patterns in migration SQL
         # Returns array of violation hashes
         def detect_unsafe_patterns(migration_instance, direction)
-          violations = []
-
-          # Capture SQL that would be executed
           captured_sql = capture_sql(migration_instance, direction)
+          detect_unsafe_patterns_from_sql(captured_sql)
+        end
 
-          # Parse SQL to detect unsafe patterns
-          sql_operations = parse_sql_operations(captured_sql)
+        private
 
-          # Check for explicit DROP + CREATE patterns (the main safety concern)
+        # Core detection logic that works on pre-captured SQL.
+        def detect_unsafe_patterns_from_sql(captured_sql)
+          violations = []
+          sql_operations = parse_sql_operations(captured_sql)
           violations.concat(detect_drop_create_patterns(sql_operations))
-
           violations
         end
 
-        private
-
-        # Capture SQL that would be executed by the migration
+        # Capture SQL that would be executed by the migration.
+        # Runs the migration inside a transaction that is always rolled back so
+        # that any ActiveRecord migration helpers (add_column, create_table, …)
+        # that are called alongside explicit +execute+ calls produce no lasting
+        # side effects.  The singleton override of +execute+ still intercepts
+        # raw SQL strings before they reach the database.
         def capture_sql(migration_instance, direction)
           captured = []
 
@@ -62,8 +77,13 @@ module PgSqlTriggers
             captured << sql.to_s.strip
           end
 
-          # Call the migration method (up or down) to capture SQL
-          migration_instance.public_send(direction)
+          # Run inside a transaction and roll it back so that any AR helpers
+          # called by the migration (add_column, create_table, etc.) do not
+          # persist their side effects during the capture phase.
+          ActiveRecord::Base.transaction do
+            migration_instance.public_send(direction)
+            raise ActiveRecord::Rollback
+          end
 
           captured
         end

data/lib/pg_sql_triggers/migrator.rb

@@ -191,13 +191,17 @@ module PgSqlTriggers
           end
         end
 
+        # Capture SQL once from a single inspection instance so that both the
+        # safety validator and comparator work from the same snapshot without
+        # running the migration code a second time.
+        captured_sql = capture_migration_sql(migration_class.new, direction)
+
         # Perform safety validation (prevent unsafe DROP + CREATE operations)
-        validation_instance = migration_class.new
         begin
           allow_unsafe = ENV["ALLOW_UNSAFE_MIGRATIONS"] == "true" ||
                          (defined?(PgSqlTriggers) && PgSqlTriggers.allow_unsafe_migrations == true)
 
-          SafetyValidator.validate!(validation_instance, direction: direction, allow_unsafe: allow_unsafe)
+          SafetyValidator.validate_sql!(captured_sql, direction: direction, allow_unsafe: allow_unsafe)
         rescue SafetyValidator::UnsafeOperationError => e
           # Safety validation failed - block the migration
           error_msg = "\n#{e.message}\n\n"
@@ -212,11 +216,9 @@ module PgSqlTriggers
           end
         end
 
-        # Perform pre-apply comparison (diff expected vs actual)
-        # Create a separate instance for comparison to avoid side effects
-        comparison_instance = migration_class.new
+        # Perform pre-apply comparison (diff expected vs actual) using the same captured SQL
         begin
-          diff_result = PreApplyComparator.compare(comparison_instance, direction: direction)
+          diff_result = PreApplyComparator.compare_sql(captured_sql)
 
           # Log the comparison result
           if diff_result[:has_differences]
@@ -261,6 +263,8 @@ module PgSqlTriggers
             cleanup_orphaned_registry_entries
           end
         end
+
+        enforce_disabled_triggers if direction == :up
       rescue LoadError => e
         raise StandardError, "Error loading trigger migration #{migration.filename}: #{e.message}"
       rescue StandardError => e
@@ -295,6 +299,49 @@ module PgSqlTriggers
         current_version
       end
 
+      private
+
+      # Capture the SQL statements a migration would execute for a given direction
+      # without committing any side effects.  The migration's +execute+ method is
+      # overridden on the singleton so raw SQL strings are intercepted, and the
+      # whole run is wrapped in a transaction that is always rolled back so that
+      # any ActiveRecord migration helpers (add_column, create_table, …) don't
+      # persist their effects during the inspection phase.
+      def capture_migration_sql(migration_instance, direction)
+        captured = []
+
+        migration_instance.define_singleton_method(:execute) do |sql|
+          captured << sql.to_s.strip
+        end
+
+        ActiveRecord::Base.transaction do
+          migration_instance.public_send(direction)
+          raise ActiveRecord::Rollback
+        end
+
+        captured
+      end
+
+      def enforce_disabled_triggers
+        return unless ActiveRecord::Base.connection.table_exists?("pg_sql_triggers_registry")
+
+        introspection = PgSqlTriggers::DatabaseIntrospection.new
+        PgSqlTriggers::TriggerRegistry.disabled.each do |registry|
+          next unless introspection.trigger_exists?(registry.trigger_name)
+
+          conn           = ActiveRecord::Base.connection
+          quoted_table   = conn.quote_table_name(registry.table_name.to_s)
+          quoted_trigger = conn.quote_table_name(registry.trigger_name.to_s)
+          conn.execute("ALTER TABLE #{quoted_table} DISABLE TRIGGER #{quoted_trigger};")
+        rescue StandardError => e
+          if defined?(Rails.logger)
+            Rails.logger.warn("[MIGRATOR] Could not disable trigger #{registry.trigger_name}: #{e.message}")
+          end
+        end
+      end
+
+      public
+
       # Clean up registry entries for triggers that no longer exist in the database
       # This is called after rolling back migrations to keep the registry in sync
       def cleanup_orphaned_registry_entries

data/lib/pg_sql_triggers/registry/manager.rb

@@ -3,15 +3,19 @@
 module PgSqlTriggers
   module Registry
     class Manager
+      REGISTRY_CACHE_MUTEX = Mutex.new
+      private_constant :REGISTRY_CACHE_MUTEX
+
       class << self
-        # Request-level cache to avoid N+1 queries when loading multiple trigger files
-        # This cache is cleared after each request/transaction to ensure data consistency
+        # Request-level cache to avoid N+1 queries when loading multiple trigger files.
+        # Access to @_registry_cache is guarded by REGISTRY_CACHE_MUTEX so that
+        # concurrent threads cannot observe a partially-initialised hash.
         def _registry_cache
-          @_registry_cache ||= {}
+          REGISTRY_CACHE_MUTEX.synchronize { @_registry_cache ||= {} }
         end
 
         def _clear_registry_cache
-          @_registry_cache = {}
+          REGISTRY_CACHE_MUTEX.synchronize { @_registry_cache = {} }
         end
 
         # Batch load existing triggers into cache to avoid N+1 queries
@@ -52,7 +56,8 @@ module PgSqlTriggers
             source: "dsl",
             environment: definition.environments.join(","),
             definition: definition.to_h.to_json,
-            checksum: checksum
+            checksum: checksum,
+            for_each: definition.for_each || "row"
           }
 
           if existing
@@ -60,6 +65,7 @@ module PgSqlTriggers
             attributes_changed = attributes.any? do |key, value|
               existing.send(key) != value
             end
+            enabled_changed = existing.enabled != definition.enabled
 
             if attributes_changed
               begin
@@ -67,6 +73,9 @@ module PgSqlTriggers
                 # Update cache with the modified record (reload to get fresh data)
                 reloaded = existing.reload
                 _registry_cache[trigger_name] = reloaded
+                if enabled_changed
+                  sync_postgresql_enabled_state(existing.trigger_name, existing.table_name, definition.enabled)
+                end
                 reloaded
               rescue ActiveRecord::RecordNotFound
                 # Cached record was deleted, create a new one
@@ -82,6 +91,9 @@ module PgSqlTriggers
             new_record = PgSqlTriggers::TriggerRegistry.create!(attributes)
             # Cache the newly created record
             _registry_cache[trigger_name] = new_record
+            unless definition.enabled
+              sync_postgresql_enabled_state(new_record.trigger_name, new_record.table_name, definition.enabled)
+            end
             new_record
           end
         end
@@ -127,22 +139,35 @@ module PgSqlTriggers
         private
 
         def calculate_checksum(definition)
-          # DSL definitions don't have function_body, so use placeholder
-          # Generator forms have function_body, so calculate real checksum
           function_body_value = definition.respond_to?(:function_body) ? definition.function_body : nil
-          return "placeholder" if function_body_value.blank?
 
-          # Use field-concatenation algorithm (consistent with TriggerRegistry#calculate_checksum)
+          # Use field-concatenation algorithm (consistent with TriggerRegistry#calculate_checksum).
+          # DSL definitions have no function_body — use "" so the checksum is real and comparable
+          # with what Drift::Detector#calculate_db_checksum computes for DSL-source triggers.
           require "digest"
           Digest::SHA256.hexdigest([
             definition.name,
             definition.table_name,
             definition.version,
-            function_body_value,
+            function_body_value || "",
             definition.condition || "",
-            definition.timing || "before"
+            definition.timing || "before",
+            definition.for_each || "row"
           ].join)
         end
+
+        def sync_postgresql_enabled_state(trigger_name, table_name, enabled)
+          introspection = PgSqlTriggers::DatabaseIntrospection.new
+          return unless introspection.trigger_exists?(trigger_name)
+
+          conn           = ActiveRecord::Base.connection
+          quoted_table   = conn.quote_table_name(table_name.to_s)
+          quoted_trigger = conn.quote_table_name(trigger_name.to_s)
+          verb           = enabled ? "ENABLE" : "DISABLE"
+          conn.execute("ALTER TABLE #{quoted_table} #{verb} TRIGGER #{quoted_trigger};")
+        rescue StandardError => e
+          Rails.logger.warn("[REGISTER] Could not sync trigger enabled state: #{e.message}") if defined?(Rails.logger)
+        end
       end
     end
   end

data/lib/pg_sql_triggers/registry/validator.rb

@@ -1,15 +1,72 @@
 # frozen_string_literal: true
 
+require "json"
+
 module PgSqlTriggers
   module Registry
     class Validator
-      # rubocop:disable Naming/PredicateMethod
+      VALID_EVENTS = %w[insert update delete truncate].freeze
+      VALID_TIMINGS = %w[before after instead_of].freeze
+      VALID_FOR_EACH = %w[row statement].freeze
+
       def self.validate!
-        # Validates all registry entries
-        # This is a placeholder implementation
-        true
+        errors = []
+
+        PgSqlTriggers::TriggerRegistry.where(source: "dsl").find_each do |trigger|
+          errors.concat(validate_dsl_trigger(trigger))
+        end
+
+        return true if errors.empty?
+
+        raise PgSqlTriggers::ValidationError.new(
+          "Registry validation failed:\n#{errors.map { |e| "  - #{e}" }.join("\n")}",
+          error_code: "VALIDATION_FAILED",
+          context: { errors: errors }
+        )
+      end
+      class << self
+        private
+
+        def validate_dsl_trigger(trigger)
+          errors = []
+          name = trigger.trigger_name
+          definition = parse_definition(trigger.definition)
+
+          errors << "Trigger '#{name}': missing table_name" if definition["table_name"].blank?
+
+          events = Array(definition["events"])
+          if events.empty?
+            errors << "Trigger '#{name}': events cannot be empty"
+          else
+            invalid = events - VALID_EVENTS
+            if invalid.any?
+              errors << "Trigger '#{name}': invalid events #{invalid.inspect} (valid: #{VALID_EVENTS.inspect})"
+            end
+          end
+
+          errors << "Trigger '#{name}': missing function_name" if definition["function_name"].blank?
+
+          timing = definition["timing"].to_s
+          if timing.present? && VALID_TIMINGS.exclude?(timing)
+            errors << "Trigger '#{name}': invalid timing '#{timing}' (valid: #{VALID_TIMINGS.inspect})"
+          end
+
+          for_each = definition["for_each"].to_s
+          if for_each.present? && VALID_FOR_EACH.exclude?(for_each)
+            errors << "Trigger '#{name}': invalid for_each '#{for_each}' (valid: #{VALID_FOR_EACH.inspect})"
+          end
+
+          errors
+        end
+
+        def parse_definition(definition_json)
+          return {} if definition_json.blank?
+
+          JSON.parse(definition_json)
+        rescue JSON::ParserError
+          {}
+        end
       end
-      # rubocop:enable Naming/PredicateMethod
     end
   end
 end