npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.21 → 1.0.0-alpha.23 - Mend

@supabase/pg-delta 1.0.0-alpha.21 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/dist/core/objects/procedure/procedure.model.d.ts CHANGED Viewed

@@ -2,6 +2,8 @@ import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
 import { type PrivilegeProps } from "../base.privilege-diff.ts";
+import { type ExtractRetryOptions } from "../extract-with-retry.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 declare const procedurePropsSchema: z.ZodObject<{
     schema: z.ZodString;
     name: z.ZodString;
@@ -56,6 +58,10 @@ declare const procedurePropsSchema: z.ZodObject<{
         grantable: z.ZodBoolean;
         columns: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
     }, z.z.core.$strip>>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 type ProcedurePrivilegeProps = PrivilegeProps;
 export type ProcedureProps = z.infer<typeof procedurePropsSchema>;
@@ -89,6 +95,7 @@ export declare class Procedure extends BasePgModel {
     readonly owner: ProcedureProps["owner"];
     readonly comment: ProcedureProps["comment"];
     readonly privileges: ProcedurePrivilegeProps[];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: ProcedureProps);
     get stableId(): `procedure:${string}`;
     get identityFields(): {
@@ -126,7 +133,11 @@ export declare class Procedure extends BasePgModel {
             grantable: boolean;
             columns?: string[] | null | undefined;
         }[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
 }
-export declare function extractProcedures(pool: Pool): Promise<Procedure[]>;
+export declare function extractProcedures(pool: Pool, options?: ExtractRetryOptions): Promise<Procedure[]>;
 export {};

package/dist/core/objects/procedure/procedure.model.js CHANGED Viewed

@@ -2,6 +2,8 @@ import { sql } from "@ts-safeql/sql-tag";
 import z from "zod";
 import { BasePgModel } from "../base.model.js";
 import { privilegePropsSchema, } from "../base.privilege-diff.js";
+import { extractWithDefinitionRetry, } from "../extract-with-retry.js";
+import { securityLabelPropsSchema, } from "../security-label.types.js";
 const FunctionKindSchema = z.enum([
     "f", // function
     "p", // procedure
@@ -55,6 +57,15 @@ const procedurePropsSchema = z.object({
     owner: z.string(),
     comment: z.string().nullable(),
     privileges: z.array(privilegePropsSchema),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
+});
+// pg_get_functiondef(oid) can return NULL when the function (its pg_proc
+// row) is dropped between catalog scan and resolution, or under transient
+// catalog state. An unreadable function cannot be diffed, so we accept NULL
+// here and filter the row out at extraction time rather than crashing the
+// whole catalog parse with a ZodError.
+const procedureRowSchema = procedurePropsSchema.extend({
+    definition: z.string().nullable(),
 });
 export class Procedure extends BasePgModel {
     schema;
@@ -86,6 +97,7 @@ export class Procedure extends BasePgModel {
     owner;
     comment;
     privileges;
+    security_labels;
     constructor(props) {
         super();
         // Identity fields
@@ -119,6 +131,7 @@ export class Procedure extends BasePgModel {
         this.owner = props.owner;
         this.comment = props.comment;
         this.privileges = props.privileges;
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         const args = this.argument_types?.join(",") ?? "";
@@ -160,11 +173,17 @@ export class Procedure extends BasePgModel {
             owner: this.owner,
             comment: this.comment,
             privileges: this.privileges,
+            security_labels: this.security_labels,
         };
     }
 }
-export async function extractProcedures(pool) {
-    const { rows: procedureRows } = await pool.query(sql `
+export async function extractProcedures(pool, options) {
+    const procedureRows = await extractWithDefinitionRetry({
+        label: "procedures",
+        options,
+        hasNullDefinition: (row) => row.definition === null,
+        query: async () => {
+            const result = await pool.query(sql `
 with extension_oids as (
   select
     objid
@@ -224,7 +243,20 @@ select
       )
       from lateral aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) as x(grantor, grantee, privilege_type, is_grantable)
     ), '[]'
-  ) as privileges
+  ) as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = p.oid
+        and sl.classoid = 'pg_proc'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   pg_catalog.pg_proc p
   inner join pg_catalog.pg_language l on l.oid = p.prolang
@@ -236,7 +268,9 @@ from
 order by
   1, 2
   `);
-    // Validate and parse each row using the Zod schema
-    const validatedRows = procedureRows.map((row) => procedurePropsSchema.parse(row));
+            return result.rows.map((row) => procedureRowSchema.parse(row));
+        },
+    });
+    const validatedRows = procedureRows.filter((row) => row.definition !== null);
     return validatedRows.map((row) => new Procedure(row));
 }

package/dist/core/objects/publication/changes/publication.base.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { BaseChange } from "../../base.change.ts";
 import type { Publication } from "../publication.model.ts";
 declare abstract class BasePublicationChange extends BaseChange {
     abstract readonly publication: Publication;
-    abstract readonly scope: "object" | "comment";
+    abstract readonly scope: "object" | "comment" | "security_label";
     readonly objectType: "publication";
 }
 export declare abstract class CreatePublicationChange extends BasePublicationChange {

package/dist/core/objects/publication/changes/publication.security-label.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { Publication } from "../publication.model.ts";
+import { CreatePublicationChange, DropPublicationChange } from "./publication.base.ts";
+export type SecurityLabelPublication = CreateSecurityLabelOnPublication | DropSecurityLabelOnPublication;
+export declare class CreateSecurityLabelOnPublication extends CreatePublicationChange {
+    readonly publication: Publication;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        publication: Publication;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `publication:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnPublication extends DropPublicationChange {
+    readonly publication: Publication;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        publication: Publication;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `publication:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/publication/changes/publication.security-label.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreatePublicationChange, DropPublicationChange, } from "./publication.base.js";
+export class CreateSecurityLabelOnPublication extends CreatePublicationChange {
+    publication;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.publication = props.publication;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.publication.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.publication.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON PUBLICATION",
+            this.publication.name,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnPublication extends DropPublicationChange {
+    publication;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.publication = props.publication;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.publication.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.publication.stableId, this.securityLabel.provider),
+            this.publication.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON PUBLICATION",
+            this.publication.name,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/publication/changes/publication.types.d.ts CHANGED Viewed

@@ -2,5 +2,6 @@ import type { AlterPublicationAddSchemas, AlterPublicationAddTables, AlterPublic
 import type { CommentPublication } from "./publication.comment.ts";
 import type { CreatePublication } from "./publication.create.ts";
 import type { DropPublication } from "./publication.drop.ts";
+import type { SecurityLabelPublication } from "./publication.security-label.ts";
 /** Union of all publication-related change variants (`objectType: "publication"`). @category Change Types */
-export type PublicationChange = AlterPublicationAddSchemas | AlterPublicationAddTables | AlterPublicationDropSchemas | AlterPublicationDropTables | AlterPublicationSetList | AlterPublicationSetOptions | AlterPublicationSetOwner | CommentPublication | CreatePublication | DropPublication;
+export type PublicationChange = AlterPublicationAddSchemas | AlterPublicationAddTables | AlterPublicationDropSchemas | AlterPublicationDropTables | AlterPublicationSetList | AlterPublicationSetOptions | AlterPublicationSetOwner | CommentPublication | CreatePublication | DropPublication | SecurityLabelPublication;

package/dist/core/objects/publication/publication.diff.js CHANGED Viewed

@@ -1,9 +1,11 @@
 import { diffObjects } from "../base.diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { deepEqual } from "../utils.js";
 import { AlterPublicationAddSchemas, AlterPublicationAddTables, AlterPublicationDropSchemas, AlterPublicationDropTables, AlterPublicationSetOptions, AlterPublicationSetOwner, } from "./changes/publication.alter.js";
 import { CreateCommentOnPublication, DropCommentOnPublication, } from "./changes/publication.comment.js";
 import { CreatePublication } from "./changes/publication.create.js";
 import { DropPublication } from "./changes/publication.drop.js";
+import { CreateSecurityLabelOnPublication, DropSecurityLabelOnPublication, } from "./changes/publication.security-label.js";
 export function diffPublications(ctx, main, branch) {
     const { created, dropped, altered } = diffObjects(main, branch);
     const changes = [];
@@ -21,6 +23,12 @@ export function diffPublications(ctx, main, branch) {
         if (publication.comment !== null) {
             changes.push(new CreateCommentOnPublication({ publication }));
         }
+        for (const label of publication.security_labels) {
+            changes.push(new CreateSecurityLabelOnPublication({
+                publication,
+                securityLabel: label,
+            }));
+        }
     }
     for (const id of dropped) {
         changes.push(new DropPublication({ publication: main[id] }));
@@ -107,6 +115,14 @@ export function diffPublications(ctx, main, branch) {
                 changes.push(new CreateCommentOnPublication({ publication: branchPublication }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainPublication.security_labels, branchPublication.security_labels, (securityLabel) => new CreateSecurityLabelOnPublication({
+            publication: branchPublication,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnPublication({
+            publication: mainPublication,
+            securityLabel,
+        })));
     }
     return changes;
 }

package/dist/core/objects/publication/publication.model.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 declare const publicationTablePropsSchema: z.ZodObject<{
     schema: z.ZodString;
     name: z.ZodString;
@@ -24,6 +25,10 @@ declare const publicationPropsSchema: z.ZodObject<{
         row_filter: z.ZodNullable<z.ZodString>;
     }, z.z.core.$strip>>;
     schemas: z.ZodArray<z.ZodString>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 export type PublicationTableProps = z.infer<typeof publicationTablePropsSchema>;
 export type PublicationProps = z.infer<typeof publicationPropsSchema>;
@@ -44,6 +49,7 @@ export declare class Publication extends BasePgModel {
     readonly publish_via_partition_root: PublicationProps["publish_via_partition_root"];
     readonly tables: PublicationTableProps[];
     readonly schemas: PublicationProps["schemas"];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: PublicationProps);
     get stableId(): `publication:${string}`;
     get identityFields(): {
@@ -65,6 +71,10 @@ export declare class Publication extends BasePgModel {
             row_filter: string | null;
         }[];
         schemas: string[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
     stableSnapshot(): {
         identity: {
@@ -78,6 +88,10 @@ export declare class Publication extends BasePgModel {
                 row_filter: string | null;
             }[];
             schemas: string[];
+            security_labels: {
+                provider: string;
+                label: string;
+            }[];
             owner: string;
             comment: string | null;
             all_tables: boolean;

package/dist/core/objects/publication/publication.model.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { sql } from "@ts-safeql/sql-tag";
 import z from "zod";
 import { BasePgModel } from "../base.model.js";
+import { normalizeSecurityLabels, securityLabelPropsSchema, } from "../security-label.types.js";
 const publicationTablePropsSchema = z.object({
     schema: z.string(),
     name: z.string(),
@@ -19,6 +20,7 @@ const publicationPropsSchema = z.object({
     publish_via_partition_root: z.boolean(),
     tables: z.array(publicationTablePropsSchema),
     schemas: z.array(z.string()),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 /**
  * Logical replication publication definition extracted from pg_publication.
@@ -37,6 +39,7 @@ export class Publication extends BasePgModel {
     publish_via_partition_root;
     tables;
     schemas;
+    security_labels;
     constructor(props) {
         super();
         this.name = props.name;
@@ -60,6 +63,7 @@ export class Publication extends BasePgModel {
             return a.schema.localeCompare(b.schema) || a.name.localeCompare(b.name);
         });
         this.schemas = [...props.schemas].sort((a, b) => a.localeCompare(b));
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         return `publication:${this.name}`;
@@ -81,6 +85,7 @@ export class Publication extends BasePgModel {
             publish_via_partition_root: this.publish_via_partition_root,
             tables: this.tables,
             schemas: this.schemas,
+            security_labels: this.security_labels,
         };
     }
     stableSnapshot() {
@@ -98,6 +103,7 @@ export class Publication extends BasePgModel {
                 ...this.dataFields,
                 tables: normalizedTables.sort((a, b) => a.schema.localeCompare(b.schema) || a.name.localeCompare(b.name)),
                 schemas: [...this.schemas].sort((a, b) => a.localeCompare(b)),
+                security_labels: normalizeSecurityLabels(this.security_labels),
             },
         };
     }
@@ -173,7 +179,20 @@ export async function extractPublications(pool) {
             where s.pnpubid = p.oid
           ),
           '[]'::json
-        ) as schemas
+        ) as schemas,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = p.oid
+              and sl.classoid = 'pg_publication'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from pg_publication p
       left join extension_oids e on e.objid = p.oid
       where e.objid is null

package/dist/core/objects/rls-policy/rls-policy.diff.js CHANGED Viewed

@@ -35,7 +35,19 @@ export function diffRlsPolicies(main, branch) {
             "permissive",
         ];
         const nonAlterablePropsChanged = hasNonAlterableChanges(mainRlsPolicy, branchRlsPolicy, NON_ALTERABLE_FIELDS, {});
-        if (nonAlterablePropsChanged) {
+        // The set of relations and procedures that the policy's USING / WITH
+        // CHECK expressions reference is recorded by PostgreSQL in pg_depend
+        // (recordDependencyOnExpr at policy creation). When that set changes
+        // it is unsafe to ALTER POLICY in place: the old reference target may
+        // be dropped in the same plan, and the new reference target may only
+        // exist after the create phase. Drop+create lets the sort phase order
+        // the policy's drop before the referenced object's drop and the
+        // policy's recreate after the referenced object's create.
+        const referencedDependenciesChanged = hasNonAlterableChanges(mainRlsPolicy, branchRlsPolicy, ["referenced_procedures", "referenced_relations"], {
+            referenced_procedures: deepEqual,
+            referenced_relations: deepEqual,
+        });
+        if (nonAlterablePropsChanged || referencedDependenciesChanged) {
             // Replace the entire RLS policy (drop + create)
             changes.push(new DropRlsPolicy({ policy: mainRlsPolicy }), new CreateRlsPolicy({ policy: branchRlsPolicy }));
         }

package/dist/core/objects/role/changes/role.base.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { BaseChange } from "../../base.change.ts";
 import type { Role } from "../role.model.ts";
 declare abstract class BaseRoleChange extends BaseChange {
     abstract readonly role: Role;
-    abstract readonly scope: "object" | "comment" | "membership" | "default_privilege";
+    abstract readonly scope: "object" | "comment" | "membership" | "default_privilege" | "security_label";
     readonly objectType: "role";
 }
 export declare abstract class CreateRoleChange extends BaseRoleChange {

package/dist/core/objects/role/changes/role.security-label.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { Role } from "../role.model.ts";
+import { CreateRoleChange, DropRoleChange } from "./role.base.ts";
+export type SecurityLabelRole = CreateSecurityLabelOnRole | DropSecurityLabelOnRole;
+export declare class CreateSecurityLabelOnRole extends CreateRoleChange {
+    readonly role: Role;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        role: Role;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `role:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnRole extends DropRoleChange {
+    readonly role: Role;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        role: Role;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `role:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/role/changes/role.security-label.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreateRoleChange, DropRoleChange } from "./role.base.js";
+export class CreateSecurityLabelOnRole extends CreateRoleChange {
+    role;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.role = props.role;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.role.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON ROLE",
+            this.role.name,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnRole extends DropRoleChange {
+    role;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.role = props.role;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+            this.role.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON ROLE",
+            this.role.name,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/role/changes/role.types.d.ts CHANGED Viewed

@@ -3,5 +3,6 @@ import type { CommentRole } from "./role.comment.ts";
 import type { CreateRole } from "./role.create.ts";
 import type { DropRole } from "./role.drop.ts";
 import type { RolePrivilege } from "./role.privilege.ts";
+import type { SecurityLabelRole } from "./role.security-label.ts";
 /** Union of all role-related change variants (`objectType: "role"`). @category Change Types */
-export type RoleChange = AlterRole | CommentRole | CreateRole | DropRole | RolePrivilege;
+export type RoleChange = AlterRole | CommentRole | CreateRole | DropRole | RolePrivilege | SecurityLabelRole;

package/dist/core/objects/role/role.diff.js CHANGED Viewed

@@ -1,9 +1,11 @@
 import { diffObjects } from "../base.diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { AlterRoleSetConfig, AlterRoleSetOptions, } from "./changes/role.alter.js";
 import { CreateCommentOnRole, DropCommentOnRole, } from "./changes/role.comment.js";
 import { CreateRole } from "./changes/role.create.js";
 import { DropRole } from "./changes/role.drop.js";
 import { GrantRoleDefaultPrivileges, GrantRoleMembership, RevokeRoleDefaultPrivileges, RevokeRoleMembership, RevokeRoleMembershipOptions, } from "./changes/role.privilege.js";
+import { CreateSecurityLabelOnRole, DropSecurityLabelOnRole, } from "./changes/role.security-label.js";
 /**
  * Diff two sets of roles from main and branch catalogs.
  *
@@ -31,6 +33,12 @@ export function diffRoles(ctx, main, branch) {
         if (role.comment !== null) {
             changes.push(new CreateCommentOnRole({ role }));
         }
+        for (const label of role.security_labels) {
+            changes.push(new CreateSecurityLabelOnRole({
+                role,
+                securityLabel: label,
+            }));
+        }
         // MEMBERSHIPS: Grant memberships immediately after role creation.
         // Members are already deduplicated by the Role model constructor.
         for (const membership of role.members) {
@@ -171,6 +179,14 @@ export function diffRoles(ctx, main, branch) {
                 changes.push(new CreateCommentOnRole({ role: branchRole }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainRole.security_labels, branchRole.security_labels, (securityLabel) => new CreateSecurityLabelOnRole({
+            role: branchRole,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnRole({
+            role: mainRole,
+            securityLabel,
+        })));
         // MEMBERSHIPS
         // Members are already deduplicated by the Role model constructor.
         const mainMembers = new Map(mainRole.members.map((m) => [m.member, m]));

package/dist/core/objects/role/role.model.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 declare const rolePropsSchema: z.ZodObject<{
     name: z.ZodString;
     is_superuser: z.ZodBoolean;
@@ -36,6 +37,10 @@ declare const rolePropsSchema: z.ZodObject<{
         }, z.z.core.$strip>>;
         is_implicit: z.ZodBoolean;
     }, z.z.core.$strip>>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 export type RoleProps = z.infer<typeof rolePropsSchema>;
 export declare class Role extends BasePgModel {
@@ -52,6 +57,7 @@ export declare class Role extends BasePgModel {
     readonly comment: RoleProps["comment"];
     readonly members: RoleProps["members"];
     readonly default_privileges: RoleProps["default_privileges"];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: RoleProps);
     get stableId(): `role:${string}`;
     get identityFields(): {
@@ -84,6 +90,10 @@ export declare class Role extends BasePgModel {
             objtype: "n" | "r" | "f" | "S" | "T";
             grantee: string;
         }[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
 }
 export declare function extractRoles(pool: Pool): Promise<Role[]>;