npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.21 → 1.0.0-alpha.23 - Mend

@supabase/pg-delta 1.0.0-alpha.21 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/src/core/objects/role/role.model.ts CHANGED Viewed

@@ -2,6 +2,10 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const membershipInfoSchema = z.object({
   member: z.string(),
@@ -35,6 +39,7 @@ const rolePropsSchema = z.object({
   comment: z.string().nullable(),
   members: z.array(membershipInfoSchema),
   default_privileges: z.array(defaultPrivilegeSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export type RoleProps = z.infer<typeof rolePropsSchema>;
@@ -53,6 +58,7 @@ export class Role extends BasePgModel {
   public readonly comment: RoleProps["comment"];
   public readonly members: RoleProps["members"];
   public readonly default_privileges: RoleProps["default_privileges"];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: RoleProps) {
     super();
@@ -73,6 +79,7 @@ export class Role extends BasePgModel {
     this.comment = props.comment;
     this.members = deduplicateMembers(props.members);
     this.default_privileges = props.default_privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `role:${string}` {
@@ -129,6 +136,7 @@ export class Role extends BasePgModel {
       comment: this.comment,
       members: sortedMembers,
       default_privileges: sortedDefaultPrivs,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -232,6 +240,18 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
             r.rolbypassrls  AS can_bypass_rls,
             r.rolconfig     AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (
@@ -353,6 +373,18 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
             r.rolbypassrls   AS can_bypass_rls,
             r.rolconfig      AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (

package/src/core/objects/rule/rule.model.test.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import { describe, expect, test } from "bun:test";
+import type { Pool } from "pg";
+import { extractRules, Rule } from "./rule.model.ts";
+const baseRow = {
+  schema: "public",
+  table_name: '"events"',
+  relation_kind: "r" as const,
+  event: "INSERT" as const,
+  enabled: "O" as const,
+  is_instead: false,
+  owner: "postgres",
+  comment: null,
+  columns: [] as string[],
+};
+const mockPool = (rows: unknown[]): Pool =>
+  ({ query: async () => ({ rows }) }) as unknown as Pool;
+const mockPoolSequence = (...attempts: unknown[][]): Pool => {
+  let i = 0;
+  return {
+    query: async () => ({
+      rows: attempts[Math.min(i++, attempts.length - 1)],
+    }),
+  } as unknown as Pool;
+};
+const NO_BACKOFF = { backoffMs: 0 } as const;
+describe("extractRules", () => {
+  test("skips rows where pg_get_ruledef returned NULL after exhausting retries", async () => {
+    const rules = await extractRules(
+      mockPool([
+        {
+          ...baseRow,
+          name: '"good_rule"',
+          definition:
+            "CREATE RULE good_rule AS ON INSERT TO events DO INSTEAD NOTHING;",
+        },
+        { ...baseRow, name: '"orphan_rule"', definition: null },
+      ]),
+      NO_BACKOFF,
+    );
+    expect(rules).toHaveLength(1);
+    expect(rules[0]).toBeInstanceOf(Rule);
+    expect(rules[0]?.name).toBe('"good_rule"');
+  });
+  test("does not throw ZodError when the only row has a null definition", async () => {
+    await expect(
+      extractRules(
+        mockPool([{ ...baseRow, name: '"orphan"', definition: null }]),
+        NO_BACKOFF,
+      ),
+    ).resolves.toEqual([]);
+  });
+  test("returns all rules when every row has a valid definition", async () => {
+    const rules = await extractRules(
+      mockPool([
+        {
+          ...baseRow,
+          name: '"a"',
+          definition:
+            "CREATE RULE a AS ON INSERT TO events DO INSTEAD NOTHING;",
+        },
+        {
+          ...baseRow,
+          name: '"b"',
+          definition:
+            "CREATE RULE b AS ON UPDATE TO events DO INSTEAD NOTHING;",
+        },
+      ]),
+      NO_BACKOFF,
+    );
+    expect(rules.map((r) => r.name)).toEqual(['"a"', '"b"']);
+  });
+  test("recovers when pg_get_ruledef is NULL on first attempt but resolved on retry", async () => {
+    const rules = await extractRules(
+      mockPoolSequence(
+        [{ ...baseRow, name: '"racy_rule"', definition: null }],
+        [
+          {
+            ...baseRow,
+            name: '"racy_rule"',
+            definition:
+              "CREATE RULE racy_rule AS ON INSERT TO events DO INSTEAD NOTHING;",
+          },
+        ],
+      ),
+      { retries: 2, backoffMs: 0 },
+    );
+    expect(rules).toHaveLength(1);
+    expect(rules[0]?.name).toBe('"racy_rule"');
+  });
+});

package/src/core/objects/rule/rule.model.ts CHANGED Viewed

@@ -2,6 +2,10 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  type ExtractRetryOptions,
+  extractWithDefinitionRetry,
+} from "../extract-with-retry.ts";
 import { stableId } from "../utils.ts";
 const RuleEventSchema = z.enum(["SELECT", "INSERT", "UPDATE", "DELETE"]);
@@ -29,6 +33,15 @@ const rulePropsSchema = z.object({
   columns: z.array(z.string()),
 });
+// pg_get_ruledef(oid, pretty) can return NULL when the rule (its pg_rewrite
+// row) is dropped between catalog scan and resolution, or under transient
+// catalog state. An unreadable rule cannot be diffed, so we accept NULL here
+// and filter the row out at extraction time rather than crashing the whole
+// catalog parse with a ZodError.
+const ruleRowSchema = rulePropsSchema.extend({
+  definition: z.string().nullable(),
+});
 export type RuleEnabledState = z.infer<typeof RuleEnabledStateSchema>;
 export type RuleProps = z.infer<typeof rulePropsSchema>;
@@ -97,8 +110,16 @@ export class Rule extends BasePgModel {
   }
 }
-export async function extractRules(pool: Pool): Promise<Rule[]> {
-  const { rows: ruleRows } = await pool.query<RuleProps>(sql`
+export async function extractRules(
+  pool: Pool,
+  options?: ExtractRetryOptions,
+): Promise<Rule[]> {
+  const ruleRows = await extractWithDefinitionRetry({
+    label: "rules",
+    options,
+    hasNullDefinition: (row) => row.definition === null,
+    query: async () => {
+      const result = await pool.query<RuleProps>(sql`
       WITH extension_rule_oids AS (
         SELECT
           objid
@@ -164,9 +185,12 @@ export async function extractRules(pool: Pool): Promise<Rule[]> {
       ORDER BY
         1, 3, 2
   `);
+      return result.rows.map((row: unknown) => ruleRowSchema.parse(row));
+    },
+  });
-  const validatedRows = ruleRows.map((row: unknown) =>
-    rulePropsSchema.parse(row),
+  const validatedRows = ruleRows.filter(
+    (row): row is RuleProps => row.definition !== null,
   );
   return validatedRows.map((row) => new Rule(row));

package/src/core/objects/schema/changes/schema.alter.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe.concurrent("schema", () => {
         name: "test_schema",
         comment: null,
         privileges: [],
+        security_labels: [],
       };
       const schemaObj = new Schema({
         ...props,

package/src/core/objects/schema/changes/schema.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Schema } from "../schema.model.ts";
 abstract class BaseSchemaChange extends BaseChange {
   abstract readonly schema: Schema;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "schema" = "schema";
 }

package/src/core/objects/schema/changes/schema.create.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe("schema", () => {
       owner: "test",
       comment: null,
       privileges: [],
+      security_labels: [],
     });
     const change = new CreateSchema({

package/src/core/objects/schema/changes/schema.drop.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe("schema", () => {
       owner: "test",
       comment: null,
       privileges: [],
+      security_labels: [],
     });
     const change = new DropSchema({

package/src/core/objects/schema/changes/schema.security-label.test.ts ADDED Viewed

@@ -0,0 +1,76 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import { Schema } from "../schema.model.ts";
+import {
+  CreateSecurityLabelOnSchema,
+  DropSecurityLabelOnSchema,
+} from "./schema.security-label.ts";
+const makeSchema = () =>
+  new Schema({
+    name: "app",
+    owner: "postgres",
+    comment: null,
+    privileges: [],
+    security_labels: [],
+  });
+describe("schema.security-label", () => {
+  test("create serializes and tracks dependencies", async () => {
+    const schema = makeSchema();
+    const change = new CreateSecurityLabelOnSchema({
+      schema,
+      securityLabel: {
+        provider: "pg_graphql",
+        label: '{"inflect_names":true}',
+      },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.operation).toBe("create");
+    expect(change.objectType).toBe("schema");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+    ]);
+    expect(change.requires).toEqual([schema.stableId]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      `SECURITY LABEL FOR pg_graphql ON SCHEMA app IS '{"inflect_names":true}'`,
+    );
+  });
+  test("drop serializes to IS NULL and tracks dependencies", async () => {
+    const schema = makeSchema();
+    const change = new DropSecurityLabelOnSchema({
+      schema,
+      securityLabel: { provider: "pg_graphql", label: "old" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.operation).toBe("drop");
+    expect(change.drops).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+    ]);
+    expect(change.requires).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+      schema.stableId,
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR pg_graphql ON SCHEMA app IS NULL",
+    );
+  });
+  test("create escapes single quotes in label", async () => {
+    const schema = makeSchema();
+    const change = new CreateSecurityLabelOnSchema({
+      schema,
+      securityLabel: { provider: "p", label: "it's a test" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR p ON SCHEMA app IS 'it''s a test'",
+    );
+  });
+});

package/src/core/objects/schema/changes/schema.security-label.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Schema } from "../schema.model.ts";
+import { CreateSchemaChange, DropSchemaChange } from "./schema.base.ts";
+export type SecurityLabelSchema =
+  | CreateSecurityLabelOnSchema
+  | DropSecurityLabelOnSchema;
+export class CreateSecurityLabelOnSchema extends CreateSchemaChange {
+  public readonly schema: Schema;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { schema: Schema; securityLabel: SecurityLabelProps }) {
+    super();
+    this.schema = props.schema;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [this.schema.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SCHEMA",
+      this.schema.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnSchema extends DropSchemaChange {
+  public readonly schema: Schema;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { schema: Schema; securityLabel: SecurityLabelProps }) {
+    super();
+    this.schema = props.schema;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+      this.schema.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SCHEMA",
+      this.schema.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/schema/changes/schema.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentSchema } from "./schema.comment.ts";
 import type { CreateSchema } from "./schema.create.ts";
 import type { DropSchema } from "./schema.drop.ts";
 import type { SchemaPrivilege } from "./schema.privilege.ts";
+import type { SecurityLabelSchema } from "./schema.security-label.ts";
 /** Union of all schema-related change variants (`objectType: "schema"`). @category Change Types */
 export type SchemaChange =
@@ -10,4 +11,5 @@ export type SchemaChange =
   | CommentSchema
   | CreateSchema
   | DropSchema
-  | SchemaPrivilege;
+  | SchemaPrivilege
+  | SecurityLabelSchema;

package/src/core/objects/schema/schema.diff.test.ts CHANGED Viewed

@@ -11,6 +11,7 @@ const base: SchemaProps = {
   owner: "o1",
   comment: null,
   privileges: [],
+  security_labels: [],
 };
 const testContext = {

package/src/core/objects/schema/schema.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitObjectPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { AlterSchemaChangeOwner } from "./changes/schema.alter.ts";
 import {
   CreateCommentOnSchema,
@@ -16,6 +17,10 @@ import {
   RevokeGrantOptionSchemaPrivileges,
   RevokeSchemaPrivileges,
 } from "./changes/schema.privilege.ts";
+import {
+  CreateSecurityLabelOnSchema,
+  DropSecurityLabelOnSchema,
+} from "./changes/schema.security-label.ts";
 import type { SchemaChange } from "./changes/schema.types.ts";
 import type { Schema } from "./schema.model.ts";
@@ -45,6 +50,14 @@ export function diffSchemas(
     if (sc.comment !== null) {
       changes.push(new CreateCommentOnSchema({ schema: sc }));
     }
+    for (const label of sc.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnSchema({
+          schema: sc,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -87,7 +100,16 @@ export function diffSchemas(
   }
   for (const schemaId of dropped) {
-    changes.push(new DropSchema({ schema: main[schemaId] }));
+    const mainSchema = main[schemaId];
+    for (const label of mainSchema.security_labels) {
+      changes.push(
+        new DropSecurityLabelOnSchema({
+          schema: mainSchema,
+          securityLabel: label,
+        }),
+      );
+    }
+    changes.push(new DropSchema({ schema: mainSchema }));
   }
   for (const schemaId of altered) {
@@ -113,6 +135,26 @@ export function diffSchemas(
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnSchema | DropSecurityLabelOnSchema
+      >(
+        mainSchema.security_labels,
+        branchSchema.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnSchema({
+            schema: branchSchema,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnSchema({
+            schema: mainSchema,
+            securityLabel,
+          }),
+      ),
+    );
     // PRIVILEGES
     // Filter out owner privileges - owner always has ALL privileges implicitly
     // and shouldn't be compared. Use branch owner as the reference.

package/src/core/objects/schema/schema.model.ts CHANGED Viewed

@@ -6,6 +6,10 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 /**
  * All properties exposed by CREATE SCHEMA statement are included in diff output.
@@ -19,6 +23,7 @@ const schemaPropsSchema = z.object({
   owner: z.string(),
   comment: z.string().nullable(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 type SchemaPrivilegeProps = PrivilegeProps;
@@ -29,6 +34,7 @@ export class Schema extends BasePgModel {
   public readonly owner: SchemaProps["owner"];
   public readonly comment: SchemaProps["comment"];
   public readonly privileges: SchemaPrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: SchemaProps) {
     super();
@@ -40,6 +46,7 @@ export class Schema extends BasePgModel {
     this.owner = props.owner;
     this.comment = props.comment;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `schema:${string}` {
@@ -57,6 +64,7 @@ export class Schema extends BasePgModel {
       owner: this.owner,
       comment: this.comment,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -88,7 +96,19 @@ export async function extractSchemas(pool: Pool): Promise<Schema[]> {
           )
           from lateral aclexplode(COALESCE(nspacl, acldefault('n', nspowner))) as x(grantor, grantee, privilege_type, is_grantable)
         ), '[]'
-      ) as privileges
+      ) as privileges,
+      coalesce(
+        (
+          select json_agg(
+            json_build_object('provider', sl.provider, 'label', sl.label)
+            order by sl.provider
+          )
+          from pg_catalog.pg_seclabel sl
+          where sl.objoid = pg_namespace.oid
+            and sl.classoid = 'pg_namespace'::regclass
+            and sl.objsubid = 0
+        ), '[]'
+      ) as security_labels
     from
       pg_catalog.pg_namespace
       left outer join extension_oids e on e.objid = oid