@supabase/pg-delta 1.0.0-alpha.21 → 1.0.0-alpha.23

package/src/core/objects/table/table.diff.ts

@@ -4,6 +4,7 @@ import {
   emitColumnPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual } from "../utils.ts";
 import {
   AlterTableAddColumn,
@@ -47,6 +48,12 @@ import {
   RevokeGrantOptionTablePrivileges,
   RevokeTablePrivileges,
 } from "./changes/table.privilege.ts";
+import {
+  CreateSecurityLabelOnColumn,
+  CreateSecurityLabelOnTable,
+  DropSecurityLabelOnColumn,
+  DropSecurityLabelOnTable,
+} from "./changes/table.security-label.ts";
 import type { TableChange } from "./changes/table.types.ts";
 import { Table } from "./table.model.ts";
 
@@ -245,15 +252,13 @@ export function diffTables(
 
     // REPLICA IDENTITY: If non-default, emit ALTER TABLE ... REPLICA IDENTITY
     if (branchTable.replica_identity !== "d") {
-      // Skip 'i' (USING INDEX) — handled by index changes
-      if (branchTable.replica_identity !== "i") {
-        changes.push(
-          new AlterTableSetReplicaIdentity({
-            table: branchTable,
-            mode: branchTable.replica_identity,
-          }),
-        );
-      }
+      changes.push(
+        new AlterTableSetReplicaIdentity({
+          table: branchTable,
+          mode: branchTable.replica_identity,
+          indexName: branchTable.replica_identity_index,
+        }),
+      );
     }
 
     changes.push(
@@ -281,6 +286,29 @@ export function diffTables(
       }
     }
 
+    // Table security labels on creation
+    for (const label of branchTable.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnTable({
+          table: branchTable,
+          securityLabel: label,
+        }),
+      );
+    }
+
+    // Column security labels on creation
+    for (const col of branchTable.columns) {
+      for (const label of col.security_labels ?? []) {
+        changes.push(
+          new CreateSecurityLabelOnColumn({
+            table: branchTable,
+            column: col,
+            securityLabel: label,
+          }),
+        );
+      }
+    }
+
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
     // so objects are created with the default privileges state in effect.
@@ -404,16 +432,23 @@ export function diffTables(
     }
 
     // REPLICA IDENTITY
-    if (mainTable.replica_identity !== branchTable.replica_identity) {
-      // Skip when target is 'i' (USING INDEX) — handled by index changes
-      if (branchTable.replica_identity !== "i") {
-        changes.push(
-          new AlterTableSetReplicaIdentity({
-            table: mainTable,
-            mode: branchTable.replica_identity,
-          }),
-        );
-      }
+    // Re-emit when the mode changes, or when staying in 'i' mode but pointing
+    // at a different index. The index named on the branch must already exist
+    // before this ALTER runs; AlterTableSetReplicaIdentity declares that
+    // dependency in its `requires`.
+    const replicaIdentityChanged =
+      mainTable.replica_identity !== branchTable.replica_identity ||
+      (branchTable.replica_identity === "i" &&
+        mainTable.replica_identity_index !==
+          branchTable.replica_identity_index);
+    if (replicaIdentityChanged) {
+      changes.push(
+        new AlterTableSetReplicaIdentity({
+          table: mainTable,
+          mode: branchTable.replica_identity,
+          indexName: branchTable.replica_identity_index,
+        }),
+      );
     }
 
     // OWNER
@@ -435,6 +470,26 @@ export function diffTables(
       }
     }
 
+    // TABLE SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnTable | DropSecurityLabelOnTable
+      >(
+        mainTable.security_labels,
+        branchTable.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnTable({
+            table: branchTable,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnTable({
+            table: mainTable,
+            securityLabel,
+          }),
+      ),
+    );
+
     // PARTITION ATTACH/DETACH
     const mainIsPartition = Boolean(
       mainTable.parent_schema && mainTable.parent_name,
@@ -881,6 +936,43 @@ export function diffTables(
           );
         }
       }
+
+      // SECURITY LABELS on column
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnColumn | DropSecurityLabelOnColumn
+        >(
+          mainCol.security_labels ?? [],
+          branchCol.security_labels ?? [],
+          (securityLabel) =>
+            new CreateSecurityLabelOnColumn({
+              table: branchTable,
+              column: branchCol,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnColumn({
+              table: mainTable,
+              column: mainCol,
+              securityLabel,
+            }),
+        ),
+      );
+    }
+
+    // Added columns with security labels (for created columns on existing tables)
+    for (const [name, col] of branchCols) {
+      if (!mainCols.has(name)) {
+        for (const label of col.security_labels ?? []) {
+          changes.push(
+            new CreateSecurityLabelOnColumn({
+              table: branchTable,
+              column: col,
+              securityLabel: label,
+            }),
+          );
+        }
+      }
     }
 
     // PRIVILEGES (unified object and column privileges)

package/src/core/objects/table/table.model.test.ts

@@ -0,0 +1,209 @@
+import { describe, expect, test } from "bun:test";
+import type { Pool } from "pg";
+import { extractTables, Table } from "./table.model.ts";
+
+// Minimal fields required by tablePropsSchema; individual tests override the
+// constraints array (and any other relevant fields).
+const baseTableRow = {
+  schema: "public",
+  name: '"users"',
+  persistence: "p" as const,
+  row_security: false,
+  force_row_security: false,
+  has_indexes: false,
+  has_rules: false,
+  has_triggers: false,
+  has_subclasses: false,
+  is_populated: true,
+  replica_identity: "d" as const,
+  is_partition: false,
+  options: null,
+  partition_bound: null,
+  partition_by: null,
+  owner: "postgres",
+  comment: null,
+  parent_schema: null,
+  parent_name: null,
+  columns: [],
+  privileges: [],
+};
+
+const baseConstraint = {
+  name: '"users_pkey"',
+  constraint_type: "p" as const,
+  deferrable: false,
+  initially_deferred: false,
+  validated: true,
+  is_local: true,
+  no_inherit: false,
+  is_temporal: false,
+  is_partition_clone: false,
+  parent_constraint_schema: null,
+  parent_constraint_name: null,
+  parent_table_schema: null,
+  parent_table_name: null,
+  key_columns: ['"id"'],
+  foreign_key_columns: null,
+  foreign_key_table: null,
+  foreign_key_schema: null,
+  foreign_key_table_is_partition: null,
+  foreign_key_parent_schema: null,
+  foreign_key_parent_table: null,
+  foreign_key_effective_schema: null,
+  foreign_key_effective_table: null,
+  on_update: null,
+  on_delete: null,
+  match_type: null,
+  check_expression: null,
+  owner: "postgres",
+  comment: null,
+};
+
+const mockPool = (rows: unknown[]): Pool =>
+  ({ query: async () => ({ rows }) }) as unknown as Pool;
+
+const mockPoolSequence = (...attempts: unknown[][]): Pool => {
+  let i = 0;
+  return {
+    query: async () => ({
+      rows: attempts[Math.min(i++, attempts.length - 1)],
+    }),
+  } as unknown as Pool;
+};
+
+const NO_BACKOFF = { backoffMs: 0 } as const;
+
+describe("extractTables", () => {
+  test("skips constraints where pg_get_constraintdef returned NULL after exhausting retries", async () => {
+    const tables = await extractTables(
+      mockPool([
+        {
+          ...baseTableRow,
+          constraints: [
+            {
+              ...baseConstraint,
+              name: '"users_pkey"',
+              definition: "PRIMARY KEY (id)",
+            },
+            {
+              ...baseConstraint,
+              name: '"users_orphan_chk"',
+              constraint_type: "c",
+              key_columns: [],
+              definition: null,
+            },
+          ],
+        },
+      ]),
+      NO_BACKOFF,
+    );
+
+    expect(tables).toHaveLength(1);
+    expect(tables[0]).toBeInstanceOf(Table);
+    expect(tables[0]?.constraints).toHaveLength(1);
+    expect(tables[0]?.constraints[0]?.name).toBe('"users_pkey"');
+    expect(tables[0]?.constraints[0]?.definition).toBe("PRIMARY KEY (id)");
+  });
+
+  test("does not throw ZodError when every constraint has a null definition", async () => {
+    const tables = await extractTables(
+      mockPool([
+        {
+          ...baseTableRow,
+          constraints: [
+            {
+              ...baseConstraint,
+              name: '"orphan_a"',
+              constraint_type: "c",
+              key_columns: [],
+              definition: null,
+            },
+            {
+              ...baseConstraint,
+              name: '"orphan_b"',
+              constraint_type: "c",
+              key_columns: [],
+              definition: null,
+            },
+          ],
+        },
+      ]),
+      NO_BACKOFF,
+    );
+
+    expect(tables).toHaveLength(1);
+    expect(tables[0]?.constraints).toEqual([]);
+  });
+
+  test("returns all constraints when every definition is valid", async () => {
+    const tables = await extractTables(
+      mockPool([
+        {
+          ...baseTableRow,
+          constraints: [
+            {
+              ...baseConstraint,
+              name: '"users_pkey"',
+              definition: "PRIMARY KEY (id)",
+            },
+            {
+              ...baseConstraint,
+              name: '"users_email_key"',
+              constraint_type: "u",
+              key_columns: ['"email"'],
+              definition: "UNIQUE (email)",
+            },
+          ],
+        },
+      ]),
+      NO_BACKOFF,
+    );
+
+    expect(tables[0]?.constraints.map((c) => c.name)).toEqual([
+      '"users_pkey"',
+      '"users_email_key"',
+    ]);
+  });
+
+  test("recovers when pg_get_constraintdef is NULL on first attempt but resolved on retry", async () => {
+    const tables = await extractTables(
+      mockPoolSequence(
+        // attempt 1: one constraint has NULL definition
+        [
+          {
+            ...baseTableRow,
+            constraints: [
+              {
+                ...baseConstraint,
+                name: '"users_racy_chk"',
+                constraint_type: "c",
+                key_columns: [],
+                definition: null,
+              },
+            ],
+          },
+        ],
+        // attempt 2: constraint resolves on retry
+        [
+          {
+            ...baseTableRow,
+            constraints: [
+              {
+                ...baseConstraint,
+                name: '"users_racy_chk"',
+                constraint_type: "c",
+                key_columns: [],
+                definition: "CHECK (id > 0)",
+              },
+            ],
+          },
+        ],
+      ),
+      { retries: 2, backoffMs: 0 },
+    );
+    expect(tables).toHaveLength(1);
+    expect(tables[0]?.constraints).toHaveLength(1);
+    expect(tables[0]?.constraints[0]?.name).toBe('"users_racy_chk"');
+    expect(tables[0]?.constraints[0]?.definition).toBe("CHECK (id > 0)");
+  });
+});

package/src/core/objects/table/table.model.ts

@@ -12,6 +12,15 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type ExtractRetryOptions,
+  extractWithDefinitionRetry,
+} from "../extract-with-retry.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 
 const RelationPersistenceSchema = z.enum([
   "p", // permanent
@@ -82,6 +91,15 @@ const tableConstraintPropsSchema = z.object({
 
 export type TableConstraintProps = z.infer<typeof tableConstraintPropsSchema>;
 
+// pg_get_constraintdef(oid, pretty) can return NULL under the same conditions
+// as pg_get_indexdef: races with concurrent DDL, transient catalog
+// inconsistencies, recovery edges. An unreadable constraint cannot be diffed,
+// so we accept NULL here and filter the constraint out at extraction time
+// rather than crashing the whole catalog parse with a ZodError.
+const tableConstraintRowSchema = tableConstraintPropsSchema.extend({
+  definition: z.string().nullable(),
+});
+
 const tablePropsSchema = z.object({
   schema: z.string(),
   name: z.string(),
@@ -94,6 +112,7 @@ const tablePropsSchema = z.object({
   has_subclasses: z.boolean(),
   is_populated: z.boolean(),
   replica_identity: ReplicaIdentitySchema,
+  replica_identity_index: z.string().nullable().optional(),
   is_partition: z.boolean(),
   options: z.array(z.string()).nullable(),
   partition_bound: z.string().nullable(),
@@ -105,10 +124,20 @@ const tablePropsSchema = z.object({
   columns: z.array(columnPropsSchema),
   constraints: z.array(tableConstraintPropsSchema).optional(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
+});
+
+const tableRowSchema = tablePropsSchema.extend({
+  constraints: z.array(tableConstraintRowSchema).optional(),
 });
 
 type TablePrivilegeProps = PrivilegeProps;
+/**
+ * Table input props. `security_labels` is optional on direct construction
+ * (defaults to `[]`); extraction always produces it via the Zod default.
+ */
 export type TableProps = z.infer<typeof tablePropsSchema>;
+type TableRow = z.infer<typeof tableRowSchema>;
 
 export class Table extends BasePgModel implements TableLikeObject {
   public readonly schema: TableProps["schema"];
@@ -122,6 +151,7 @@ export class Table extends BasePgModel implements TableLikeObject {
   public readonly has_subclasses: TableProps["has_subclasses"];
   public readonly is_populated: TableProps["is_populated"];
   public readonly replica_identity: TableProps["replica_identity"];
+  public readonly replica_identity_index: TableProps["replica_identity_index"];
   public readonly is_partition: TableProps["is_partition"];
   public readonly options: TableProps["options"];
   public readonly partition_bound: TableProps["partition_bound"];
@@ -133,6 +163,7 @@ export class Table extends BasePgModel implements TableLikeObject {
   public readonly columns: TableProps["columns"];
   public readonly constraints: TableConstraintProps[];
   public readonly privileges: TablePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: TableProps) {
     super();
@@ -151,6 +182,7 @@ export class Table extends BasePgModel implements TableLikeObject {
     this.has_subclasses = props.has_subclasses;
     this.is_populated = props.is_populated;
     this.replica_identity = props.replica_identity;
+    this.replica_identity_index = props.replica_identity_index ?? null;
     this.is_partition = props.is_partition;
     this.options = props.options;
     this.partition_bound = props.partition_bound;
@@ -162,6 +194,7 @@ export class Table extends BasePgModel implements TableLikeObject {
     this.columns = props.columns;
     this.constraints = props.constraints ?? [];
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `table:${string}` {
@@ -182,6 +215,7 @@ export class Table extends BasePgModel implements TableLikeObject {
       row_security: this.row_security,
       force_row_security: this.force_row_security,
       replica_identity: this.replica_identity,
+      replica_identity_index: this.replica_identity_index,
       options: this.options,
       // Partition membership can be altered via ATTACH/DETACH
       parent_schema: this.parent_schema,
@@ -192,6 +226,7 @@ export class Table extends BasePgModel implements TableLikeObject {
       columns: this.columns,
       constraints: this.constraints,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 
@@ -211,13 +246,23 @@ export class Table extends BasePgModel implements TableLikeObject {
         options: this.options ? [...this.options].sort() : this.options,
         constraints: normalizeConstraints(),
         privileges: normalizePrivileges(this.privileges),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
 }
 
-export async function extractTables(pool: Pool): Promise<Table[]> {
-  const { rows: tableRows } = await pool.query<TableProps>(sql`
+export async function extractTables(
+  pool: Pool,
+  options?: ExtractRetryOptions,
+): Promise<Table[]> {
+  const tableRows = await extractWithDefinitionRetry({
+    label: "table constraints",
+    options,
+    hasNullDefinition: (row: TableRow) =>
+      row.constraints?.some((c) => c.definition === null) ?? false,
+    query: async () => {
+      const result = await pool.query<TableProps>(sql`
 with extension_oids as (
   select objid
   from pg_depend d
@@ -236,6 +281,14 @@ with extension_oids as (
     c.relhassubclass as has_subclasses,
     c.relispopulated as is_populated,
     c.relreplident as replica_identity,
+    (
+      select quote_ident(ri_class.relname)
+      from pg_index ri
+      join pg_class ri_class on ri_class.oid = ri.indexrelid
+      where ri.indrelid = c.oid
+        and ri.indisreplident is true
+      limit 1
+    ) as replica_identity_index,
     c.relispartition as is_partition,
     c.reloptions as options,
     pg_get_expr(c.relpartbound, c.oid) as partition_bound,
@@ -266,6 +319,7 @@ select
   t.has_subclasses,
   t.is_populated,
   t.replica_identity,
+  t.replica_identity_index,
   t.is_partition,
   t.options,
   t.partition_bound,
@@ -406,7 +460,20 @@ select
             and a.attcollation <> t2.typcollation
         ),
         'default', pg_get_expr(ad.adbin, ad.adrelid),
-        'comment', col_description(a.attrelid, a.attnum)
+        'comment', col_description(a.attrelid, a.attnum),
+        'security_labels', coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = t.oid
+              and sl.classoid = 'pg_class'::regclass
+              and sl.objsubid = a.attnum
+          ),
+          '[]'::json
+        )
       )
     end
     order by a.attnum
@@ -446,20 +513,38 @@ select
       join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
       group by x.grantee, x.privilege_type
     ) as grp
-  ), '[]') as privileges
+  ), '[]') as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = t.oid
+        and sl.classoid = 'pg_class'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   tables t
   left join pg_attribute a on a.attrelid = t.oid and a.attnum > 0 and not a.attisdropped
   left join pg_attrdef ad on a.attrelid = ad.adrelid and a.attnum = ad.adnum
   left join pg_type ty on ty.oid = a.atttypid
 group by
-  t.oid, t.schema, t.name, t.persistence, t.row_security, t.force_row_security, t.has_indexes, t.has_rules, t.has_triggers, t.has_subclasses, t.is_populated, t.replica_identity, t.is_partition, t.options, t.partition_bound, t.partition_by, t.owner, t.parent_schema, t.parent_name
+  t.oid, t.schema, t.name, t.persistence, t.row_security, t.force_row_security, t.has_indexes, t.has_rules, t.has_triggers, t.has_subclasses, t.is_populated, t.replica_identity, t.replica_identity_index, t.is_partition, t.options, t.partition_bound, t.partition_by, t.owner, t.parent_schema, t.parent_name
 order by
   t.schema, t.name
   `);
-  // Validate and parse each row using the Zod schema
-  const validatedRows = tableRows.map((row: unknown) =>
-    tablePropsSchema.parse(row),
-  );
+      return result.rows.map((row: unknown) => tableRowSchema.parse(row));
+    },
+  });
+  const validatedRows = tableRows.map((row): TableProps => {
+    const filteredConstraints = row.constraints?.filter(
+      (c): c is TableConstraintProps => c.definition !== null,
+    );
+    return { ...row, constraints: filteredConstraints };
+  });
   return validatedRows.map((row: TableProps) => new Table(row));
 }