@supabase/pg-delta 1.0.0-alpha.21 → 1.0.0-alpha.23

package/src/core/objects/type/range/changes/range.base.ts

@@ -3,7 +3,11 @@ import type { Range } from "../range.model.ts";
 
 abstract class BaseRangeChange extends BaseChange {
   abstract readonly range: Range;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "range" = "range";
 }
 

package/src/core/objects/type/range/changes/range.security-label.ts

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../../base.change.ts";
+import type { SecurityLabelProps } from "../../../security-label.types.ts";
+import { stableId } from "../../../utils.ts";
+import type { Range } from "../range.model.ts";
+import { CreateRangeChange, DropRangeChange } from "./range.base.ts";
+
+export type SecurityLabelRange =
+  | CreateSecurityLabelOnRange
+  | DropSecurityLabelOnRange;
+
+export class CreateSecurityLabelOnRange extends CreateRangeChange {
+  public readonly range: Range;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { range: Range; securityLabel: SecurityLabelProps }) {
+    super();
+    this.range = props.range;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(this.range.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [this.range.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TYPE",
+      `${this.range.schema}.${this.range.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnRange extends DropRangeChange {
+  public readonly range: Range;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { range: Range; securityLabel: SecurityLabelProps }) {
+    super();
+    this.range = props.range;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(this.range.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(this.range.stableId, this.securityLabel.provider),
+      this.range.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TYPE",
+      `${this.range.schema}.${this.range.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/type/range/changes/range.types.ts

@@ -3,6 +3,7 @@ import type { CommentRange } from "./range.comment.ts";
 import type { CreateRange } from "./range.create.ts";
 import type { DropRange } from "./range.drop.ts";
 import type { RangePrivilege } from "./range.privilege.ts";
+import type { SecurityLabelRange } from "./range.security-label.ts";
 
 /** Union of all range-related change variants (`objectType: "range"`). @category Change Types */
 export type RangeChange =
@@ -10,4 +11,5 @@ export type RangeChange =
   | CommentRange
   | CreateRange
   | DropRange
-  | RangePrivilege;
+  | RangePrivilege
+  | SecurityLabelRange;

package/src/core/objects/type/range/range.diff.ts

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../../diff-context.ts";
+import { diffSecurityLabels } from "../../security-label.types.ts";
 import { hasNonAlterableChanges } from "../../utils.ts";
 import { AlterRangeChangeOwner } from "./changes/range.alter.ts";
 import {
@@ -18,6 +19,10 @@ import {
   RevokeGrantOptionRangePrivileges,
   RevokeRangePrivileges,
 } from "./changes/range.privilege.ts";
+import {
+  CreateSecurityLabelOnRange,
+  DropSecurityLabelOnRange,
+} from "./changes/range.security-label.ts";
 import type { RangeChange } from "./changes/range.types.ts";
 import type { Range } from "./range.model.ts";
 
@@ -59,6 +64,14 @@ export function diffRanges(
     if (createdRange.comment !== null) {
       changes.push(new CreateCommentOnRange({ range: createdRange }));
     }
+    for (const label of createdRange.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnRange({
+          range: createdRange,
+          securityLabel: label,
+        }),
+      );
+    }
 
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -156,6 +169,26 @@ export function diffRanges(
         }
       }
 
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnRange | DropSecurityLabelOnRange
+        >(
+          mainRange.security_labels,
+          branchRange.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnRange({
+              range: branchRange,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnRange({
+              range: mainRange,
+              securityLabel,
+            }),
+        ),
+      );
+
       // PRIVILEGES
       // Filter out PUBLIC's built-in default USAGE privilege from main catalog
       // (PostgreSQL grants it automatically, so we shouldn't compare it)

package/src/core/objects/type/range/range.model.ts

@@ -6,6 +6,10 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../../base.privilege-diff.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../../security-label.types.ts";
 
 const rangePropsSchema = z.object({
   schema: z.string(),
@@ -30,6 +34,7 @@ const rangePropsSchema = z.object({
   subtype_opclass_schema: z.string().nullable(),
   subtype_opclass_name: z.string().nullable(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 
 type RangePrivilegeProps = PrivilegeProps;
@@ -54,6 +59,7 @@ export class Range extends BasePgModel {
   public readonly subtype_opclass_schema: RangeProps["subtype_opclass_schema"];
   public readonly subtype_opclass_name: RangeProps["subtype_opclass_name"];
   public readonly privileges: RangePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: RangeProps) {
     super();
@@ -75,6 +81,7 @@ export class Range extends BasePgModel {
     this.subtype_opclass_schema = props.subtype_opclass_schema;
     this.subtype_opclass_name = props.subtype_opclass_name;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `type:${string}` {
@@ -102,6 +109,7 @@ export class Range extends BasePgModel {
       subtype_opclass_name: this.subtype_opclass_name,
       comment: this.comment,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -166,7 +174,20 @@ select
       )
       from lateral aclexplode(COALESCE(t.typacl, acldefault('T', t.typowner))) as x(grantor, grantee, privilege_type, is_grantable)
     ), '[]'
-  ) as privileges
+  ) as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = t.oid
+        and sl.classoid = 'pg_type'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from pg_catalog.pg_range r
 join pg_catalog.pg_type t on t.oid = r.rngtypid
 join pg_catalog.pg_type subt on subt.oid = r.rngsubtype

package/src/core/objects/utils.ts

@@ -71,9 +71,15 @@ export const stableId = {
   constraint(schema: string, table: string, constraint: string) {
     return `constraint:${schema}.${table}.${constraint}` as const;
   },
+  index(schema: string, table: string, indexName: string) {
+    return `index:${schema}.${table}.${indexName}` as const;
+  },
   comment(objectStableId: string) {
     return `comment:${objectStableId}` as const;
   },
+  securityLabel(objectStableId: string, provider: string) {
+    return `securityLabel:${objectStableId}::provider:${provider}` as const;
+  },
   role(role: string) {
     return `role:${role}` as const;
   },

package/src/core/objects/view/changes/view.base.ts

@@ -3,7 +3,11 @@ import type { View } from "../view.model.ts";
 
 abstract class BaseViewChange extends BaseChange {
   abstract readonly view: View;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "view" = "view";
 }
 

package/src/core/objects/view/changes/view.security-label.test.ts

@@ -0,0 +1,64 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import { View, type ViewProps } from "../view.model.ts";
+import {
+  CreateSecurityLabelOnView,
+  DropSecurityLabelOnView,
+} from "./view.security-label.ts";
+
+const makeView = (): View =>
+  new View({
+    schema: "public",
+    name: "v",
+    definition: "SELECT 1",
+    row_security: false,
+    force_row_security: false,
+    has_indexes: false,
+    has_rules: false,
+    has_triggers: false,
+    has_subclasses: false,
+    is_populated: true,
+    replica_identity: "d",
+    is_partition: false,
+    options: null,
+    partition_bound: null,
+    owner: "postgres",
+    comment: null,
+    columns: [],
+    privileges: [],
+  } as ViewProps);
+
+describe("view.security-label", () => {
+  test("create serializes and tracks dependencies", async () => {
+    const view = makeView();
+    const change = new CreateSecurityLabelOnView({
+      view,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(view.stableId, "dummy"),
+    ]);
+    expect(change.requires).toEqual([view.stableId]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON VIEW public.v IS 'classified'",
+    );
+  });
+
+  test("drop serializes to IS NULL", async () => {
+    const view = makeView();
+    const change = new DropSecurityLabelOnView({
+      view,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.drops).toEqual([
+      stableId.securityLabel(view.stableId, "dummy"),
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON VIEW public.v IS NULL",
+    );
+  });
+});

package/src/core/objects/view/changes/view.security-label.ts

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { View } from "../view.model.ts";
+import { CreateViewChange, DropViewChange } from "./view.base.ts";
+
+export type SecurityLabelView =
+  | CreateSecurityLabelOnView
+  | DropSecurityLabelOnView;
+
+export class CreateSecurityLabelOnView extends CreateViewChange {
+  public readonly view: View;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { view: View; securityLabel: SecurityLabelProps }) {
+    super();
+    this.view = props.view;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(this.view.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [this.view.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON VIEW",
+      `${this.view.schema}.${this.view.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnView extends DropViewChange {
+  public readonly view: View;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { view: View; securityLabel: SecurityLabelProps }) {
+    super();
+    this.view = props.view;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(this.view.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(this.view.stableId, this.securityLabel.provider),
+      this.view.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON VIEW",
+      `${this.view.schema}.${this.view.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/view/changes/view.types.ts

@@ -3,6 +3,7 @@ import type { CommentView } from "./view.comment.ts";
 import type { CreateView } from "./view.create.ts";
 import type { DropView } from "./view.drop.ts";
 import type { ViewPrivilege } from "./view.privilege.ts";
+import type { SecurityLabelView } from "./view.security-label.ts";
 
 /** Union of all view-related change variants (`objectType: "view"`). @category Change Types */
 export type ViewChange =
@@ -10,4 +11,5 @@ export type ViewChange =
   | CommentView
   | CreateView
   | DropView
-  | ViewPrivilege;
+  | ViewPrivilege
+  | SecurityLabelView;

package/src/core/objects/view/view.diff.ts

@@ -5,6 +5,7 @@ import {
   emitColumnPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../utils.ts";
 import {
   AlterViewChangeOwner,
@@ -22,6 +23,10 @@ import {
   RevokeGrantOptionViewPrivileges,
   RevokeViewPrivileges,
 } from "./changes/view.privilege.ts";
+import {
+  CreateSecurityLabelOnView,
+  DropSecurityLabelOnView,
+} from "./changes/view.security-label.ts";
 import type { ViewChange } from "./changes/view.types.ts";
 import type { View } from "./view.model.ts";
 
@@ -57,6 +62,12 @@ export function diffViews(
       changes.push(new CreateCommentOnView({ view }));
     }
 
+    for (const label of view.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnView({ view, securityLabel: label }),
+      );
+    }
+
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
     // so objects are created with the default privileges state in effect.
@@ -195,6 +206,26 @@ export function diffViews(
         }
       }
 
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnView | DropSecurityLabelOnView
+        >(
+          mainView.security_labels,
+          branchView.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnView({
+              view: branchView,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnView({
+              view: mainView,
+              securityLabel,
+            }),
+        ),
+      );
+
       // Note: View renaming would also use ALTER VIEW ... RENAME TO ...
       // But since our View model uses 'name' as the identity field,
       // a name change would be handled as drop + create by diffObjects()

package/src/core/objects/view/view.model.test.ts

@@ -0,0 +1,90 @@
+import { describe, expect, test } from "bun:test";
+import type { Pool } from "pg";
+import { extractViews, View } from "./view.model.ts";
+
+const baseRow = {
+  schema: "public",
+  row_security: false,
+  force_row_security: false,
+  has_indexes: false,
+  has_rules: false,
+  has_triggers: false,
+  has_subclasses: false,
+  is_populated: true,
+  replica_identity: "d" as const,
+  is_partition: false,
+  options: null,
+  partition_bound: null,
+  owner: "postgres",
+  comment: null,
+  columns: [],
+  privileges: [],
+};
+
+const mockPool = (rows: unknown[]): Pool =>
+  ({ query: async () => ({ rows }) }) as unknown as Pool;
+
+const mockPoolSequence = (...attempts: unknown[][]): Pool => {
+  let i = 0;
+  return {
+    query: async () => ({
+      rows: attempts[Math.min(i++, attempts.length - 1)],
+    }),
+  } as unknown as Pool;
+};
+
+const NO_BACKOFF = { backoffMs: 0 } as const;
+
+describe("extractViews", () => {
+  test("skips rows where pg_get_viewdef returned NULL after exhausting retries", async () => {
+    const views = await extractViews(
+      mockPool([
+        {
+          ...baseRow,
+          name: '"good_view"',
+          definition: "SELECT 1",
+        },
+        { ...baseRow, name: '"orphan_view"', definition: null },
+      ]),
+      NO_BACKOFF,
+    );
+
+    expect(views).toHaveLength(1);
+    expect(views[0]).toBeInstanceOf(View);
+    expect(views[0]?.name).toBe('"good_view"');
+    expect(views[0]?.definition).toBe("SELECT 1");
+  });
+
+  test("does not throw ZodError when the only row has a null definition", async () => {
+    await expect(
+      extractViews(
+        mockPool([{ ...baseRow, name: '"orphan"', definition: null }]),
+        NO_BACKOFF,
+      ),
+    ).resolves.toEqual([]);
+  });
+
+  test("returns all views when every row has a valid definition", async () => {
+    const views = await extractViews(
+      mockPool([
+        { ...baseRow, name: '"a"', definition: "SELECT 1" },
+        { ...baseRow, name: '"b"', definition: "SELECT 2" },
+      ]),
+      NO_BACKOFF,
+    );
+    expect(views.map((v) => v.name)).toEqual(['"a"', '"b"']);
+  });
+
+  test("recovers when pg_get_viewdef is NULL on first attempt but resolved on retry", async () => {
+    const views = await extractViews(
+      mockPoolSequence(
+        [{ ...baseRow, name: '"racy_view"', definition: null }],
+        [{ ...baseRow, name: '"racy_view"', definition: "SELECT 42" }],
+      ),
+      { retries: 2, backoffMs: 0 },
+    );
+    expect(views).toHaveLength(1);
+    expect(views[0]?.name).toBe('"racy_view"');
+    expect(views[0]?.definition).toBe("SELECT 42");
+  });
+});

package/src/core/objects/view/view.model.ts

@@ -11,6 +11,15 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type ExtractRetryOptions,
+  extractWithDefinitionRetry,
+} from "../extract-with-retry.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 import { ReplicaIdentitySchema } from "../table/table.model.ts";
 
 const viewPropsSchema = z.object({
@@ -32,6 +41,16 @@ const viewPropsSchema = z.object({
   comment: z.string().nullable(),
   columns: z.array(columnPropsSchema),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
+});
+
+// pg_get_viewdef(oid) can return NULL when the underlying view (or its
+// pg_rewrite row) is dropped between catalog scan and resolution, or under
+// transient catalog state during recovery. An unreadable view cannot be
+// diffed, so we accept NULL here and filter the row out at extraction time
+// rather than crashing the whole catalog parse with a ZodError.
+const viewRowSchema = viewPropsSchema.extend({
+  definition: z.string().nullable(),
 });
 
 type ViewPrivilegeProps = PrivilegeProps;
@@ -56,6 +75,7 @@ export class View extends BasePgModel implements TableLikeObject {
   public readonly comment: ViewProps["comment"];
   public readonly columns: ViewProps["columns"];
   public readonly privileges: ViewPrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: ViewProps) {
     super();
@@ -81,6 +101,7 @@ export class View extends BasePgModel implements TableLikeObject {
     this.comment = props.comment;
     this.columns = props.columns;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `view:${string}` {
@@ -112,6 +133,7 @@ export class View extends BasePgModel implements TableLikeObject {
       comment: this.comment,
       columns: this.columns,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 
@@ -121,13 +143,22 @@ export class View extends BasePgModel implements TableLikeObject {
       data: {
         ...this.dataFields,
         columns: normalizeColumns(this.columns),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
 }
 
-export async function extractViews(pool: Pool): Promise<View[]> {
-  const { rows: viewRows } = await pool.query<ViewProps>(sql`
+export async function extractViews(
+  pool: Pool,
+  options?: ExtractRetryOptions,
+): Promise<View[]> {
+  const viewRows = await extractWithDefinitionRetry({
+    label: "views",
+    options,
+    hasNullDefinition: (row) => row.definition === null,
+    query: async () => {
+      const result = await pool.query<ViewProps>(sql`
 with extension_oids as (
   select
     objid
@@ -243,7 +274,20 @@ select
       join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
       group by x.grantee, x.privilege_type
     ) as grp
-  ), '[]') as privileges
+  ), '[]') as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = v.oid
+        and sl.classoid = 'pg_class'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   views v
   left join pg_attribute a on a.attrelid = v.oid and a.attnum > 0 and not a.attisdropped
@@ -254,9 +298,11 @@ group by
 order by
   v.schema, v.name
   `);
-  // Validate and parse each row using the Zod schema
-  const validatedRows = viewRows.map((row: unknown) =>
-    viewPropsSchema.parse(row),
+      return result.rows.map((row: unknown) => viewRowSchema.parse(row));
+    },
+  });
+  const validatedRows = viewRows.filter(
+    (row): row is ViewProps => row.definition !== null,
   );
-  return validatedRows.map((row: ViewProps) => new View(row));
+  return validatedRows.map((row) => new View(row));
 }