@supabase/pg-delta 1.0.0-alpha.21 → 1.0.0-alpha.23

package/dist/core/catalog.diff.js

@@ -1,6 +1,6 @@
 import debug from "debug";
 import { expandReplaceDependencies } from "./expand-replace-dependencies.js";
-import { normalizePostDiffCycles } from "./post-diff-cycle-breaking.js";
+import { normalizePostDiffChanges } from "./post-diff-normalization.js";
 const debugCatalog = debug("pg-delta:catalog");
 import { diffAggregates } from "./objects/aggregate/aggregate.diff.js";
 import { DefaultPrivilegeState } from "./objects/base.default-privileges.js";
@@ -126,7 +126,7 @@ export function diffCatalogs(main, branch, options) {
     changes.push(...diffProcedures(diffContext, main.procedures, branch.procedures));
     changes.push(...diffRlsPolicies(main.rlsPolicies, branch.rlsPolicies));
     changes.push(...diffSchemas(diffContext, main.schemas, branch.schemas));
-    changes.push(...diffSequences(diffContext, main.sequences, branch.sequences, branch.tables));
+    changes.push(...diffSequences(diffContext, main.sequences, branch.sequences, branch.tables, main.tables));
     changes.push(...diffTables(diffContext, main.tables, branch.tables));
     changes.push(...diffTriggers(main.triggers, branch.triggers, branch.indexableObjects));
     changes.push(...diffEventTriggers(diffContext, main.eventTriggers, branch.eventTriggers));
@@ -159,9 +159,10 @@ export function diffCatalogs(main, branch, options) {
         mainCatalog: main,
         branchCatalog: branch,
     });
-    filteredChanges = normalizePostDiffCycles({
+    filteredChanges = normalizePostDiffChanges({
         changes: expandedDependencies.changes,
         replacedTableIds: expandedDependencies.replacedTableIds,
+        branchTables: branch.tables,
     });
     debugCatalog("changes catalog diff: %O", stringifyWithBigInt(filteredChanges, 2));
     return filteredChanges;

package/dist/core/catalog.model.d.ts

@@ -102,5 +102,12 @@ export declare class Catalog {
  * to `createPlan`.
  */
 export declare function createEmptyCatalog(version: number, currentUser: string): Promise<Catalog>;
-export declare function extractCatalog(pool: Pool): Promise<Catalog>;
+interface ExtractCatalogOptions {
+    /**
+     * Number of retry attempts for catalog extractors when `pg_get_*def()`
+     * returns NULL for at least one row. See `ExtractRetryOptions.retries`.
+     */
+    extractRetries?: number;
+}
+export declare function extractCatalog(pool: Pool, options?: ExtractCatalogOptions): Promise<Catalog>;
 export {};

package/dist/core/catalog.model.js

@@ -157,6 +157,7 @@ export async function createEmptyCatalog(version, currentUser) {
         owner: currentUser,
         comment: "standard public schema",
         privileges: [],
+        security_labels: [],
     });
     return new Catalog({
         aggregates: {},
@@ -190,7 +191,8 @@ export async function createEmptyCatalog(version, currentUser) {
         currentUser,
     });
 }
-export async function extractCatalog(pool) {
+export async function extractCatalog(pool, options = {}) {
+    const retryOptions = { retries: options.extractRetries };
     const [aggregates, collations, compositeTypes, domains, enums, extensions, indexes, materializedViews, subscriptions, publications, procedures, rlsPolicies, roles, schemas, sequences, tables, triggers, eventTriggers, rules, ranges, views, foreignDataWrappers, servers, userMappings, foreignTables, depends, version, currentUser,] = await Promise.all([
         extractAggregates(pool).then(listToRecord),
         extractCollations(pool).then(listToRecord),
@@ -198,21 +200,21 @@ export async function extractCatalog(pool) {
         extractDomains(pool).then(listToRecord),
         extractEnums(pool).then(listToRecord),
         extractExtensions(pool).then(listToRecord),
-        extractIndexes(pool).then(listToRecord),
-        extractMaterializedViews(pool).then(listToRecord),
+        extractIndexes(pool, retryOptions).then(listToRecord),
+        extractMaterializedViews(pool, retryOptions).then(listToRecord),
         extractSubscriptions(pool).then(listToRecord),
         extractPublications(pool).then(listToRecord),
-        extractProcedures(pool).then(listToRecord),
+        extractProcedures(pool, retryOptions).then(listToRecord),
         extractRlsPolicies(pool).then(listToRecord),
         extractRoles(pool).then(listToRecord),
         extractSchemas(pool).then(listToRecord),
         extractSequences(pool).then(listToRecord),
-        extractTables(pool).then(listToRecord),
-        extractTriggers(pool).then(listToRecord),
+        extractTables(pool, retryOptions).then(listToRecord),
+        extractTriggers(pool, retryOptions).then(listToRecord),
         extractEventTriggers(pool).then(listToRecord),
-        extractRules(pool).then(listToRecord),
+        extractRules(pool, retryOptions).then(listToRecord),
         extractRanges(pool).then(listToRecord),
-        extractViews(pool).then(listToRecord),
+        extractViews(pool, retryOptions).then(listToRecord),
         extractForeignDataWrappers(pool).then(listToRecord),
         extractServers(pool).then(listToRecord),
         extractUserMappings(pool).then(listToRecord),

package/dist/core/expand-replace-dependencies.js

@@ -53,6 +53,29 @@ export function expandReplaceDependencies({ changes, mainCatalog, branchCatalog,
             replaceRoots.add(id);
         }
     }
+    // Drop-only objects (no matching create — typically a renamed-away table or
+    // type) are also expansion roots: anything in main that depends on them via
+    // pg_depend must drop before the parent does. Without this seed, a renamed
+    // table whose dependent view stays in the branch catalog (with an updated
+    // definition that no longer references the old name) would still try to
+    // run DROP TABLE old_name while old_name is referenced by the view, which
+    // PostgreSQL refuses without CASCADE. The walk below promotes the surviving
+    // dependent to DROP+CREATE so its drop is sequenced before the parent drop.
+    for (const id of droppedIds) {
+        if (createdIds.has(id))
+            continue;
+        if (replaceRoots.has(id))
+            continue;
+        // Only seed for object kinds that can have catalog dependents we know
+        // how to recreate via buildReplaceChanges.
+        if (id.startsWith("table:") ||
+            id.startsWith("view:") ||
+            id.startsWith("materializedView:") ||
+            id.startsWith("type:") ||
+            id.startsWith("domain:")) {
+            replaceRoots.add(id);
+        }
+    }
     if (replaceRoots.size === 0) {
         return {
             changes,

package/dist/core/integrations/filter/flatten.js

@@ -75,6 +75,19 @@ export function flattenChange(change) {
                 }
             }
         }
+        else if (key === "securityLabel" &&
+            value &&
+            typeof value === "object" &&
+            !Array.isArray(value)) {
+            // Security labels are change-level metadata, so expose provider/label as
+            // bare keys for filters like { scope: "security_label", provider: "..." }.
+            for (const [subKey, subValue] of Object.entries(value)) {
+                const flatVal = toFlatValue(subValue);
+                if (flatVal !== undefined) {
+                    flat[subKey] = flatVal;
+                }
+            }
+        }
         else {
             const flatVal = toFlatValue(value);
             if (flatVal !== undefined) {

package/dist/core/objects/aggregate/aggregate.diff.js

@@ -1,11 +1,13 @@
 import { diffObjects } from "../base.diff.js";
 import { diffPrivileges, emitObjectPrivilegeChanges, filterPublicBuiltInDefaults, } from "../base.privilege-diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { deepEqual, hasNonAlterableChanges } from "../utils.js";
 import { AlterAggregateChangeOwner } from "./changes/aggregate.alter.js";
 import { CreateCommentOnAggregate, DropCommentOnAggregate, } from "./changes/aggregate.comment.js";
 import { CreateAggregate } from "./changes/aggregate.create.js";
 import { DropAggregate } from "./changes/aggregate.drop.js";
 import { GrantAggregatePrivileges, RevokeAggregatePrivileges, RevokeGrantOptionAggregatePrivileges, } from "./changes/aggregate.privilege.js";
+import { CreateSecurityLabelOnAggregate, DropSecurityLabelOnAggregate, } from "./changes/aggregate.security-label.js";
 export function diffAggregates(ctx, main, branch) {
     const { created, dropped, altered } = diffObjects(main, branch);
     const changes = [];
@@ -23,6 +25,12 @@ export function diffAggregates(ctx, main, branch) {
         if (aggregate.comment !== null) {
             changes.push(new CreateCommentOnAggregate({ aggregate }));
         }
+        for (const label of aggregate.security_labels) {
+            changes.push(new CreateSecurityLabelOnAggregate({
+                aggregate,
+                securityLabel: label,
+            }));
+        }
         // PRIVILEGES: For created objects, compare against default privileges state
         // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
         // so objects are created with the default privileges state in effect.
@@ -113,6 +121,14 @@ export function diffAggregates(ctx, main, branch) {
                 changes.push(new CreateCommentOnAggregate({ aggregate: branchAggregate }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainAggregate.security_labels, branchAggregate.security_labels, (securityLabel) => new CreateSecurityLabelOnAggregate({
+            aggregate: branchAggregate,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnAggregate({
+            aggregate: mainAggregate,
+            securityLabel,
+        })));
         // PRIVILEGES
         // Filter out PUBLIC's built-in default EXECUTE privilege from main catalog
         // (PostgreSQL grants it automatically, so we shouldn't compare it)

package/dist/core/objects/aggregate/aggregate.model.d.ts

@@ -2,6 +2,7 @@ import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
 import { type PrivilegeProps } from "../base.privilege-diff.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 declare const aggregatePropsSchema: z.ZodObject<{
     schema: z.ZodString;
     name: z.ZodString;
@@ -71,6 +72,10 @@ declare const aggregatePropsSchema: z.ZodObject<{
         grantable: z.ZodBoolean;
         columns: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
     }, z.z.core.$strip>>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 type AggregatePrivilegeProps = PrivilegeProps;
 type AggregateProps = z.infer<typeof aggregatePropsSchema>;
@@ -116,6 +121,7 @@ export declare class Aggregate extends BasePgModel {
     readonly owner: AggregateProps["owner"];
     readonly comment: AggregateProps["comment"];
     readonly privileges: AggregatePrivilegeProps[];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: AggregateProps);
     get stableId(): `aggregate:${string}`;
     get identityFields(): {
@@ -168,6 +174,10 @@ export declare class Aggregate extends BasePgModel {
             grantable: boolean;
             columns?: string[] | null | undefined;
         }[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
 }
 export declare function extractAggregates(pool: Pool): Promise<Aggregate[]>;

package/dist/core/objects/aggregate/aggregate.model.js

@@ -2,6 +2,7 @@ import { sql } from "@ts-safeql/sql-tag";
 import z from "zod";
 import { BasePgModel } from "../base.model.js";
 import { privilegePropsSchema, } from "../base.privilege-diff.js";
+import { securityLabelPropsSchema, } from "../security-label.types.js";
 const AggregateKindSchema = z.enum([
     "n", // normal aggregate
     "o", // ordered-set aggregate
@@ -66,6 +67,7 @@ const aggregatePropsSchema = z.object({
     owner: z.string(),
     comment: z.string().nullable(),
     privileges: z.array(privilegePropsSchema),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export class Aggregate extends BasePgModel {
     schema;
@@ -109,6 +111,7 @@ export class Aggregate extends BasePgModel {
     owner;
     comment;
     privileges;
+    security_labels;
     constructor(props) {
         super();
         this.schema = props.schema;
@@ -153,6 +156,7 @@ export class Aggregate extends BasePgModel {
         this.owner = props.owner;
         this.comment = props.comment;
         this.privileges = props.privileges;
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         const normalized = this.identityArguments;
@@ -206,6 +210,7 @@ export class Aggregate extends BasePgModel {
             owner: this.owner,
             comment: this.comment,
             privileges: this.privileges,
+            security_labels: this.security_labels,
         };
     }
 }
@@ -275,7 +280,20 @@ select
       )
       from lateral aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) as x(grantor, grantee, privilege_type, is_grantable)
     ), '[]'
-  ) as privileges
+  ) as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = p.oid
+        and sl.classoid = 'pg_proc'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   pg_catalog.pg_proc p
   inner join pg_catalog.pg_aggregate a on a.aggfnoid = p.oid

package/dist/core/objects/aggregate/changes/aggregate.base.d.ts

@@ -2,7 +2,7 @@ import { BaseChange } from "../../base.change.ts";
 import type { Aggregate } from "../aggregate.model.ts";
 declare abstract class BaseAggregateChange extends BaseChange {
     abstract readonly aggregate: Aggregate;
-    abstract readonly scope: "object" | "comment" | "privilege";
+    abstract readonly scope: "object" | "comment" | "privilege" | "security_label";
     readonly objectType: "aggregate";
 }
 export declare abstract class CreateAggregateChange extends BaseAggregateChange {

package/dist/core/objects/aggregate/changes/aggregate.security-label.d.ts

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { Aggregate } from "../aggregate.model.ts";
+import { CreateAggregateChange, DropAggregateChange } from "./aggregate.base.ts";
+export type SecurityLabelAggregate = CreateSecurityLabelOnAggregate | DropSecurityLabelOnAggregate;
+export declare class CreateSecurityLabelOnAggregate extends CreateAggregateChange {
+    readonly aggregate: Aggregate;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        aggregate: Aggregate;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `aggregate:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnAggregate extends DropAggregateChange {
+    readonly aggregate: Aggregate;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        aggregate: Aggregate;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `aggregate:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/aggregate/changes/aggregate.security-label.js

@@ -0,0 +1,64 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreateAggregateChange, DropAggregateChange, } from "./aggregate.base.js";
+function aggregateIdentity(a) {
+    return `${a.schema}.${a.name}(${a.identityArguments})`;
+}
+export class CreateSecurityLabelOnAggregate extends CreateAggregateChange {
+    aggregate;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.aggregate = props.aggregate;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.aggregate.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.aggregate.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON AGGREGATE",
+            aggregateIdentity(this.aggregate),
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnAggregate extends DropAggregateChange {
+    aggregate;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.aggregate = props.aggregate;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.aggregate.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.aggregate.stableId, this.securityLabel.provider),
+            this.aggregate.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON AGGREGATE",
+            aggregateIdentity(this.aggregate),
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/aggregate/changes/aggregate.types.d.ts

@@ -3,5 +3,6 @@ import type { CommentAggregate } from "./aggregate.comment.ts";
 import type { CreateAggregate } from "./aggregate.create.ts";
 import type { DropAggregate } from "./aggregate.drop.ts";
 import type { AggregatePrivilege } from "./aggregate.privilege.ts";
+import type { SecurityLabelAggregate } from "./aggregate.security-label.ts";
 /** Union of all aggregate-related change variants (`objectType: "aggregate"`). @category Change Types */
-export type AggregateChange = AlterAggregate | CommentAggregate | CreateAggregate | DropAggregate | AggregatePrivilege;
+export type AggregateChange = AlterAggregate | CommentAggregate | CreateAggregate | DropAggregate | AggregatePrivilege | SecurityLabelAggregate;

package/dist/core/objects/base.model.d.ts

@@ -16,6 +16,10 @@ export declare const columnPropsSchema: z.ZodObject<{
     collation: z.ZodNullable<z.ZodString>;
     default: z.ZodNullable<z.ZodString>;
     comment: z.ZodNullable<z.ZodString>;
+    security_labels: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>;
 }, z.z.core.$strip>;
 export type ColumnProps = z.infer<typeof columnPropsSchema>;
 export declare function normalizeColumns(columns: ColumnProps[]): {
@@ -34,6 +38,10 @@ export declare function normalizeColumns(columns: ColumnProps[]): {
     collation: string | null;
     default: string | null;
     comment: string | null;
+    security_labels?: {
+        provider: string;
+        label: string;
+    }[] | undefined;
 }[];
 /**
  * Interface for table-like objects that have columns (tables, views, materialized views).

package/dist/core/objects/base.model.js

@@ -1,4 +1,5 @@
 import z from "zod";
+import { securityLabelPropsSchema } from "./security-label.types.js";
 import { deepEqual } from "./utils.js";
 export const columnPropsSchema = z.object({
     name: z.string(),
@@ -17,6 +18,7 @@ export const columnPropsSchema = z.object({
     collation: z.string().nullable(),
     default: z.string().nullable(),
     comment: z.string().nullable(),
+    security_labels: z.array(securityLabelPropsSchema).optional(),
 });
 export function normalizeColumns(columns) {
     return columns

package/dist/core/objects/domain/changes/domain.base.d.ts

@@ -2,7 +2,7 @@ import { BaseChange } from "../../base.change.ts";
 import type { Domain } from "../domain.model.ts";
 declare abstract class BaseDomainChange extends BaseChange {
     abstract readonly domain: Domain;
-    abstract readonly scope: "object" | "comment" | "privilege";
+    abstract readonly scope: "object" | "comment" | "privilege" | "security_label";
     readonly objectType: "domain";
 }
 export declare abstract class CreateDomainChange extends BaseDomainChange {

package/dist/core/objects/domain/changes/domain.security-label.d.ts

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { Domain } from "../domain.model.ts";
+import { CreateDomainChange, DropDomainChange } from "./domain.base.ts";
+export type SecurityLabelDomain = CreateSecurityLabelOnDomain | DropSecurityLabelOnDomain;
+export declare class CreateSecurityLabelOnDomain extends CreateDomainChange {
+    readonly domain: Domain;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        domain: Domain;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `domain:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnDomain extends DropDomainChange {
+    readonly domain: Domain;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        domain: Domain;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `domain:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/domain/changes/domain.security-label.js

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreateDomainChange, DropDomainChange } from "./domain.base.js";
+export class CreateSecurityLabelOnDomain extends CreateDomainChange {
+    domain;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.domain = props.domain;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.domain.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.domain.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON DOMAIN",
+            `${this.domain.schema}.${this.domain.name}`,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnDomain extends DropDomainChange {
+    domain;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.domain = props.domain;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.domain.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.domain.stableId, this.securityLabel.provider),
+            this.domain.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON DOMAIN",
+            `${this.domain.schema}.${this.domain.name}`,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/domain/changes/domain.types.d.ts

@@ -3,5 +3,6 @@ import type { CommentDomain } from "./domain.comment.ts";
 import type { CreateDomain } from "./domain.create.ts";
 import type { DropDomain } from "./domain.drop.ts";
 import type { DomainPrivilege } from "./domain.privilege.ts";
+import type { SecurityLabelDomain } from "./domain.security-label.ts";
 /** Union of all domain-related change variants (`objectType: "domain"`). @category Change Types */
-export type DomainChange = AlterDomain | CommentDomain | CreateDomain | DropDomain | DomainPrivilege;
+export type DomainChange = AlterDomain | CommentDomain | CreateDomain | DropDomain | DomainPrivilege | SecurityLabelDomain;

package/dist/core/objects/domain/domain.diff.js

@@ -1,10 +1,12 @@
 import { diffObjects } from "../base.diff.js";
 import { diffPrivileges, emitObjectPrivilegeChanges, filterPublicBuiltInDefaults, } from "../base.privilege-diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { AlterDomainAddConstraint, AlterDomainChangeOwner, AlterDomainDropConstraint, AlterDomainDropDefault, AlterDomainDropNotNull, AlterDomainSetDefault, AlterDomainSetNotNull, AlterDomainValidateConstraint, } from "./changes/domain.alter.js";
 import { CreateCommentOnDomain, DropCommentOnDomain, } from "./changes/domain.comment.js";
 import { CreateDomain } from "./changes/domain.create.js";
 import { DropDomain } from "./changes/domain.drop.js";
 import { GrantDomainPrivileges, RevokeDomainPrivileges, RevokeGrantOptionDomainPrivileges, } from "./changes/domain.privilege.js";
+import { CreateSecurityLabelOnDomain, DropSecurityLabelOnDomain, } from "./changes/domain.security-label.js";
 /**
  * Diff two sets of domains from main and branch catalogs.
  *
@@ -30,6 +32,12 @@ export function diffDomains(ctx, main, branch) {
         if (newDomain.comment !== null) {
             changes.push(new CreateCommentOnDomain({ domain: newDomain }));
         }
+        for (const label of newDomain.security_labels) {
+            changes.push(new CreateSecurityLabelOnDomain({
+                domain: newDomain,
+                securityLabel: label,
+            }));
+        }
         // For unvalidated constraints, CREATE DOMAIN cannot specify NOT VALID.
         // Add them after creation and validate to match branch state semantics.
         // For already validated constraints, they are emitted inline in CREATE DOMAIN.
@@ -164,6 +172,14 @@ export function diffDomains(ctx, main, branch) {
                 changes.push(new CreateCommentOnDomain({ domain: branchDomain }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainDomain.security_labels, branchDomain.security_labels, (securityLabel) => new CreateSecurityLabelOnDomain({
+            domain: branchDomain,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnDomain({
+            domain: mainDomain,
+            securityLabel,
+        })));
         // PRIVILEGES
         // Filter out PUBLIC's built-in default USAGE privilege from main catalog
         // (PostgreSQL grants it automatically, so we shouldn't compare it)

package/dist/core/objects/domain/domain.model.d.ts

@@ -2,6 +2,7 @@ import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
 import { type PrivilegeProps } from "../base.privilege-diff.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 declare const domainConstraintPropsSchema: z.ZodObject<{
     name: z.ZodString;
     validated: z.ZodBoolean;
@@ -36,6 +37,10 @@ declare const domainPropsSchema: z.ZodObject<{
         grantable: z.ZodBoolean;
         columns: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
     }, z.z.core.$strip>>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 export type DomainConstraintProps = z.infer<typeof domainConstraintPropsSchema>;
 type DomainPrivilegeProps = PrivilegeProps;
@@ -61,6 +66,7 @@ export declare class Domain extends BasePgModel {
     readonly comment: DomainProps["comment"];
     readonly constraints: DomainConstraintProps[];
     readonly privileges: DomainPrivilegeProps[];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: DomainProps);
     get stableId(): `domain:${string}`;
     get identityFields(): {
@@ -91,6 +97,10 @@ export declare class Domain extends BasePgModel {
             grantable: boolean;
             columns?: string[] | null | undefined;
         }[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
 }
 /**