@supabase/pg-delta 1.0.0-alpha.21 → 1.0.0-alpha.23

package/src/core/objects/procedure/procedure.model.test.ts

@@ -0,0 +1,117 @@
+import { describe, expect, test } from "bun:test";
+import type { Pool } from "pg";
+import { extractProcedures, Procedure } from "./procedure.model.ts";
+
+const baseRow = {
+  schema: "public",
+  kind: "f" as const,
+  return_type: "integer",
+  return_type_schema: "pg_catalog",
+  language: "sql",
+  security_definer: false,
+  volatility: "v" as const,
+  parallel_safety: "u" as const,
+  execution_cost: 100,
+  result_rows: 0,
+  is_strict: false,
+  leakproof: false,
+  returns_set: false,
+  argument_count: 0,
+  argument_default_count: 0,
+  argument_names: null,
+  argument_types: null,
+  all_argument_types: null,
+  argument_modes: null,
+  argument_defaults: null,
+  source_code: "select 1",
+  binary_path: null,
+  sql_body: null,
+  config: null,
+  owner: "postgres",
+  comment: null,
+  privileges: [],
+};
+
+const mockPool = (rows: unknown[]): Pool =>
+  ({ query: async () => ({ rows }) }) as unknown as Pool;
+
+const mockPoolSequence = (...attempts: unknown[][]): Pool => {
+  let i = 0;
+  return {
+    query: async () => ({
+      rows: attempts[Math.min(i++, attempts.length - 1)],
+    }),
+  } as unknown as Pool;
+};
+
+const NO_BACKOFF = { backoffMs: 0 } as const;
+
+describe("extractProcedures", () => {
+  test("skips rows where pg_get_functiondef returned NULL after exhausting retries", async () => {
+    const procs = await extractProcedures(
+      mockPool([
+        {
+          ...baseRow,
+          name: '"good_fn"',
+          definition:
+            "CREATE OR REPLACE FUNCTION good_fn() RETURNS integer AS $$ select 1 $$ LANGUAGE sql;",
+        },
+        { ...baseRow, name: '"orphan_fn"', definition: null },
+      ]),
+      NO_BACKOFF,
+    );
+
+    expect(procs).toHaveLength(1);
+    expect(procs[0]).toBeInstanceOf(Procedure);
+    expect(procs[0]?.name).toBe('"good_fn"');
+  });
+
+  test("does not throw ZodError when the only row has a null definition", async () => {
+    await expect(
+      extractProcedures(
+        mockPool([{ ...baseRow, name: '"orphan"', definition: null }]),
+        NO_BACKOFF,
+      ),
+    ).resolves.toEqual([]);
+  });
+
+  test("returns all procedures when every row has a valid definition", async () => {
+    const procs = await extractProcedures(
+      mockPool([
+        {
+          ...baseRow,
+          name: '"a"',
+          definition:
+            "CREATE OR REPLACE FUNCTION a() RETURNS integer AS $$ select 1 $$ LANGUAGE sql;",
+        },
+        {
+          ...baseRow,
+          name: '"b"',
+          definition:
+            "CREATE OR REPLACE FUNCTION b() RETURNS integer AS $$ select 2 $$ LANGUAGE sql;",
+        },
+      ]),
+      NO_BACKOFF,
+    );
+    expect(procs.map((p) => p.name)).toEqual(['"a"', '"b"']);
+  });
+
+  test("recovers when pg_get_functiondef is NULL on first attempt but resolved on retry", async () => {
+    const procs = await extractProcedures(
+      mockPoolSequence(
+        [{ ...baseRow, name: '"racy_fn"', definition: null }],
+        [
+          {
+            ...baseRow,
+            name: '"racy_fn"',
+            definition:
+              "CREATE OR REPLACE FUNCTION racy_fn() RETURNS integer AS $$ select 1 $$ LANGUAGE sql;",
+          },
+        ],
+      ),
+      { retries: 2, backoffMs: 0 },
+    );
+    expect(procs).toHaveLength(1);
+    expect(procs[0]?.name).toBe('"racy_fn"');
+  });
+});

package/src/core/objects/procedure/procedure.model.ts

@@ -6,6 +6,14 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type ExtractRetryOptions,
+  extractWithDefinitionRetry,
+} from "../extract-with-retry.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 
 const FunctionKindSchema = z.enum([
   "f", // function
@@ -64,6 +72,16 @@ const procedurePropsSchema = z.object({
   owner: z.string(),
   comment: z.string().nullable(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
+});
+
+// pg_get_functiondef(oid) can return NULL when the function (its pg_proc
+// row) is dropped between catalog scan and resolution, or under transient
+// catalog state. An unreadable function cannot be diffed, so we accept NULL
+// here and filter the row out at extraction time rather than crashing the
+// whole catalog parse with a ZodError.
+const procedureRowSchema = procedurePropsSchema.extend({
+  definition: z.string().nullable(),
 });
 
 type ProcedurePrivilegeProps = PrivilegeProps;
@@ -99,6 +117,7 @@ export class Procedure extends BasePgModel {
   public readonly owner: ProcedureProps["owner"];
   public readonly comment: ProcedureProps["comment"];
   public readonly privileges: ProcedurePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: ProcedureProps) {
     super();
@@ -135,6 +154,7 @@ export class Procedure extends BasePgModel {
     this.owner = props.owner;
     this.comment = props.comment;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `procedure:${string}` {
@@ -179,12 +199,21 @@ export class Procedure extends BasePgModel {
       owner: this.owner,
       comment: this.comment,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 }
 
-export async function extractProcedures(pool: Pool): Promise<Procedure[]> {
-  const { rows: procedureRows } = await pool.query<ProcedureProps>(sql`
+export async function extractProcedures(
+  pool: Pool,
+  options?: ExtractRetryOptions,
+): Promise<Procedure[]> {
+  const procedureRows = await extractWithDefinitionRetry({
+    label: "procedures",
+    options,
+    hasNullDefinition: (row) => row.definition === null,
+    query: async () => {
+      const result = await pool.query<ProcedureProps>(sql`
 with extension_oids as (
   select
     objid
@@ -244,7 +273,20 @@ select
       )
       from lateral aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) as x(grantor, grantee, privilege_type, is_grantable)
     ), '[]'
-  ) as privileges
+  ) as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = p.oid
+        and sl.classoid = 'pg_proc'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   pg_catalog.pg_proc p
   inner join pg_catalog.pg_language l on l.oid = p.prolang
@@ -256,9 +298,11 @@ from
 order by
   1, 2
   `);
-  // Validate and parse each row using the Zod schema
-  const validatedRows = procedureRows.map((row: unknown) =>
-    procedurePropsSchema.parse(row),
+      return result.rows.map((row: unknown) => procedureRowSchema.parse(row));
+    },
+  });
+  const validatedRows = procedureRows.filter(
+    (row): row is ProcedureProps => row.definition !== null,
   );
-  return validatedRows.map((row: ProcedureProps) => new Procedure(row));
+  return validatedRows.map((row) => new Procedure(row));
 }

package/src/core/objects/publication/changes/publication.base.ts

@@ -3,7 +3,7 @@ import type { Publication } from "../publication.model.ts";
 
 abstract class BasePublicationChange extends BaseChange {
   abstract readonly publication: Publication;
-  abstract readonly scope: "object" | "comment";
+  abstract readonly scope: "object" | "comment" | "security_label";
   readonly objectType = "publication" as const;
 }
 

package/src/core/objects/publication/changes/publication.security-label.ts

@@ -0,0 +1,95 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Publication } from "../publication.model.ts";
+import {
+  CreatePublicationChange,
+  DropPublicationChange,
+} from "./publication.base.ts";
+
+export type SecurityLabelPublication =
+  | CreateSecurityLabelOnPublication
+  | DropSecurityLabelOnPublication;
+
+export class CreateSecurityLabelOnPublication extends CreatePublicationChange {
+  public readonly publication: Publication;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    publication: Publication;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.publication = props.publication;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.publication.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [this.publication.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON PUBLICATION",
+      this.publication.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnPublication extends DropPublicationChange {
+  public readonly publication: Publication;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    publication: Publication;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.publication = props.publication;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.publication.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.publication.stableId,
+        this.securityLabel.provider,
+      ),
+      this.publication.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON PUBLICATION",
+      this.publication.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/publication/changes/publication.types.ts

@@ -10,6 +10,7 @@ import type {
 import type { CommentPublication } from "./publication.comment.ts";
 import type { CreatePublication } from "./publication.create.ts";
 import type { DropPublication } from "./publication.drop.ts";
+import type { SecurityLabelPublication } from "./publication.security-label.ts";
 
 /** Union of all publication-related change variants (`objectType: "publication"`). @category Change Types */
 export type PublicationChange =
@@ -22,4 +23,5 @@ export type PublicationChange =
   | AlterPublicationSetOwner
   | CommentPublication
   | CreatePublication
-  | DropPublication;
+  | DropPublication
+  | SecurityLabelPublication;

package/src/core/objects/publication/publication.diff.ts

@@ -1,5 +1,6 @@
 import { diffObjects } from "../base.diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual } from "../utils.ts";
 import {
   AlterPublicationAddSchemas,
@@ -15,6 +16,10 @@ import {
 } from "./changes/publication.comment.ts";
 import { CreatePublication } from "./changes/publication.create.ts";
 import { DropPublication } from "./changes/publication.drop.ts";
+import {
+  CreateSecurityLabelOnPublication,
+  DropSecurityLabelOnPublication,
+} from "./changes/publication.security-label.ts";
 import type { PublicationChange } from "./changes/publication.types.ts";
 import type {
   Publication,
@@ -47,6 +52,14 @@ export function diffPublications(
     if (publication.comment !== null) {
       changes.push(new CreateCommentOnPublication({ publication }));
     }
+    for (const label of publication.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnPublication({
+          publication,
+          securityLabel: label,
+        }),
+      );
+    }
   }
 
   for (const id of dropped) {
@@ -172,6 +185,26 @@ export function diffPublications(
         );
       }
     }
+
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnPublication | DropSecurityLabelOnPublication
+      >(
+        mainPublication.security_labels,
+        branchPublication.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnPublication({
+            publication: branchPublication,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnPublication({
+            publication: mainPublication,
+            securityLabel,
+          }),
+      ),
+    );
   }
 
   return changes;

package/src/core/objects/publication/publication.model.ts

@@ -2,6 +2,11 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 
 const publicationTablePropsSchema = z.object({
   schema: z.string(),
@@ -22,6 +27,7 @@ const publicationPropsSchema = z.object({
   publish_via_partition_root: z.boolean(),
   tables: z.array(publicationTablePropsSchema),
   schemas: z.array(z.string()),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 
 export type PublicationTableProps = z.infer<typeof publicationTablePropsSchema>;
@@ -44,6 +50,7 @@ export class Publication extends BasePgModel {
   public readonly publish_via_partition_root: PublicationProps["publish_via_partition_root"];
   public readonly tables: PublicationTableProps[];
   public readonly schemas: PublicationProps["schemas"];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: PublicationProps) {
     super();
@@ -72,6 +79,7 @@ export class Publication extends BasePgModel {
     });
 
     this.schemas = [...props.schemas].sort((a, b) => a.localeCompare(b));
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `publication:${string}` {
@@ -96,6 +104,7 @@ export class Publication extends BasePgModel {
       publish_via_partition_root: this.publish_via_partition_root,
       tables: this.tables,
       schemas: this.schemas,
+      security_labels: this.security_labels,
     };
   }
 
@@ -118,6 +127,7 @@ export class Publication extends BasePgModel {
             a.schema.localeCompare(b.schema) || a.name.localeCompare(b.name),
         ),
         schemas: [...this.schemas].sort((a, b) => a.localeCompare(b)),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -194,7 +204,20 @@ export async function extractPublications(pool: Pool): Promise<Publication[]> {
             where s.pnpubid = p.oid
           ),
           '[]'::json
-        ) as schemas
+        ) as schemas,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = p.oid
+              and sl.classoid = 'pg_publication'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from pg_publication p
       left join extension_oids e on e.objid = p.oid
       where e.objid is null

package/src/core/objects/rls-policy/rls-policy.diff.ts

@@ -59,7 +59,25 @@ export function diffRlsPolicies(
       {},
     );
 
-    if (nonAlterablePropsChanged) {
+    // The set of relations and procedures that the policy's USING / WITH
+    // CHECK expressions reference is recorded by PostgreSQL in pg_depend
+    // (recordDependencyOnExpr at policy creation). When that set changes
+    // it is unsafe to ALTER POLICY in place: the old reference target may
+    // be dropped in the same plan, and the new reference target may only
+    // exist after the create phase. Drop+create lets the sort phase order
+    // the policy's drop before the referenced object's drop and the
+    // policy's recreate after the referenced object's create.
+    const referencedDependenciesChanged = hasNonAlterableChanges(
+      mainRlsPolicy,
+      branchRlsPolicy,
+      ["referenced_procedures", "referenced_relations"] as const,
+      {
+        referenced_procedures: deepEqual,
+        referenced_relations: deepEqual,
+      },
+    );
+
+    if (nonAlterablePropsChanged || referencedDependenciesChanged) {
       // Replace the entire RLS policy (drop + create)
       changes.push(
         new DropRlsPolicy({ policy: mainRlsPolicy }),

package/src/core/objects/role/changes/role.base.ts

@@ -7,7 +7,8 @@ abstract class BaseRoleChange extends BaseChange {
     | "object"
     | "comment"
     | "membership"
-    | "default_privilege";
+    | "default_privilege"
+    | "security_label";
   readonly objectType: "role" = "role";
 }
 

package/src/core/objects/role/changes/role.security-label.ts

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Role } from "../role.model.ts";
+import { CreateRoleChange, DropRoleChange } from "./role.base.ts";
+
+export type SecurityLabelRole =
+  | CreateSecurityLabelOnRole
+  | DropSecurityLabelOnRole;
+
+export class CreateSecurityLabelOnRole extends CreateRoleChange {
+  public readonly role: Role;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { role: Role; securityLabel: SecurityLabelProps }) {
+    super();
+    this.role = props.role;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [this.role.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON ROLE",
+      this.role.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnRole extends DropRoleChange {
+  public readonly role: Role;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { role: Role; securityLabel: SecurityLabelProps }) {
+    super();
+    this.role = props.role;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+      this.role.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON ROLE",
+      this.role.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/role/changes/role.types.ts

@@ -3,6 +3,7 @@ import type { CommentRole } from "./role.comment.ts";
 import type { CreateRole } from "./role.create.ts";
 import type { DropRole } from "./role.drop.ts";
 import type { RolePrivilege } from "./role.privilege.ts";
+import type { SecurityLabelRole } from "./role.security-label.ts";
 
 /** Union of all role-related change variants (`objectType: "role"`). @category Change Types */
 export type RoleChange =
@@ -10,4 +11,5 @@ export type RoleChange =
   | CommentRole
   | CreateRole
   | DropRole
-  | RolePrivilege;
+  | RolePrivilege
+  | SecurityLabelRole;

package/src/core/objects/role/role.diff.ts

@@ -1,4 +1,5 @@
 import { diffObjects } from "../base.diff.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import {
   AlterRoleSetConfig,
   AlterRoleSetOptions,
@@ -16,6 +17,10 @@ import {
   RevokeRoleMembership,
   RevokeRoleMembershipOptions,
 } from "./changes/role.privilege.ts";
+import {
+  CreateSecurityLabelOnRole,
+  DropSecurityLabelOnRole,
+} from "./changes/role.security-label.ts";
 import type { RoleChange } from "./changes/role.types.ts";
 import type { Role } from "./role.model.ts";
 
@@ -51,6 +56,14 @@ export function diffRoles(
     if (role.comment !== null) {
       changes.push(new CreateCommentOnRole({ role }));
     }
+    for (const label of role.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnRole({
+          role,
+          securityLabel: label,
+        }),
+      );
+    }
     // MEMBERSHIPS: Grant memberships immediately after role creation.
     // Members are already deduplicated by the Role model constructor.
     for (const membership of role.members) {
@@ -215,6 +228,26 @@ export function diffRoles(
       }
     }
 
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnRole | DropSecurityLabelOnRole
+      >(
+        mainRole.security_labels,
+        branchRole.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnRole({
+            role: branchRole,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnRole({
+            role: mainRole,
+            securityLabel,
+          }),
+      ),
+    );
+
     // MEMBERSHIPS
     // Members are already deduplicated by the Role model constructor.
     const mainMembers = new Map(mainRole.members.map((m) => [m.member, m]));