npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.23 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (220) hide show

package/src/core/objects/publication/publication.diff.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { diffObjects } from "../base.diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual } from "../utils.ts";
 import {
   AlterPublicationAddSchemas,
@@ -15,6 +16,10 @@ import {
 } from "./changes/publication.comment.ts";
 import { CreatePublication } from "./changes/publication.create.ts";
 import { DropPublication } from "./changes/publication.drop.ts";
+import {
+  CreateSecurityLabelOnPublication,
+  DropSecurityLabelOnPublication,
+} from "./changes/publication.security-label.ts";
 import type { PublicationChange } from "./changes/publication.types.ts";
 import type {
   Publication,
@@ -47,6 +52,14 @@ export function diffPublications(
     if (publication.comment !== null) {
       changes.push(new CreateCommentOnPublication({ publication }));
     }
+    for (const label of publication.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnPublication({
+          publication,
+          securityLabel: label,
+        }),
+      );
+    }
   }
   for (const id of dropped) {
@@ -172,6 +185,26 @@ export function diffPublications(
         );
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnPublication | DropSecurityLabelOnPublication
+      >(
+        mainPublication.security_labels,
+        branchPublication.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnPublication({
+            publication: branchPublication,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnPublication({
+            publication: mainPublication,
+            securityLabel,
+          }),
+      ),
+    );
   }
   return changes;

package/src/core/objects/publication/publication.model.ts CHANGED Viewed

@@ -2,6 +2,11 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const publicationTablePropsSchema = z.object({
   schema: z.string(),
@@ -22,6 +27,7 @@ const publicationPropsSchema = z.object({
   publish_via_partition_root: z.boolean(),
   tables: z.array(publicationTablePropsSchema),
   schemas: z.array(z.string()),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export type PublicationTableProps = z.infer<typeof publicationTablePropsSchema>;
@@ -44,6 +50,7 @@ export class Publication extends BasePgModel {
   public readonly publish_via_partition_root: PublicationProps["publish_via_partition_root"];
   public readonly tables: PublicationTableProps[];
   public readonly schemas: PublicationProps["schemas"];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: PublicationProps) {
     super();
@@ -72,6 +79,7 @@ export class Publication extends BasePgModel {
     });
     this.schemas = [...props.schemas].sort((a, b) => a.localeCompare(b));
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `publication:${string}` {
@@ -96,6 +104,7 @@ export class Publication extends BasePgModel {
       publish_via_partition_root: this.publish_via_partition_root,
       tables: this.tables,
       schemas: this.schemas,
+      security_labels: this.security_labels,
     };
   }
@@ -118,6 +127,7 @@ export class Publication extends BasePgModel {
             a.schema.localeCompare(b.schema) || a.name.localeCompare(b.name),
         ),
         schemas: [...this.schemas].sort((a, b) => a.localeCompare(b)),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -194,7 +204,20 @@ export async function extractPublications(pool: Pool): Promise<Publication[]> {
             where s.pnpubid = p.oid
           ),
           '[]'::json
-        ) as schemas
+        ) as schemas,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = p.oid
+              and sl.classoid = 'pg_publication'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from pg_publication p
       left join extension_oids e on e.objid = p.oid
       where e.objid is null

package/src/core/objects/role/changes/role.base.ts CHANGED Viewed

@@ -7,7 +7,8 @@ abstract class BaseRoleChange extends BaseChange {
     | "object"
     | "comment"
     | "membership"
-    | "default_privilege";
+    | "default_privilege"
+    | "security_label";
   readonly objectType: "role" = "role";
 }

package/src/core/objects/role/changes/role.security-label.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Role } from "../role.model.ts";
+import { CreateRoleChange, DropRoleChange } from "./role.base.ts";
+export type SecurityLabelRole =
+  | CreateSecurityLabelOnRole
+  | DropSecurityLabelOnRole;
+export class CreateSecurityLabelOnRole extends CreateRoleChange {
+  public readonly role: Role;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { role: Role; securityLabel: SecurityLabelProps }) {
+    super();
+    this.role = props.role;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [this.role.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON ROLE",
+      this.role.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnRole extends DropRoleChange {
+  public readonly role: Role;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { role: Role; securityLabel: SecurityLabelProps }) {
+    super();
+    this.role = props.role;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+      this.role.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON ROLE",
+      this.role.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/role/changes/role.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentRole } from "./role.comment.ts";
 import type { CreateRole } from "./role.create.ts";
 import type { DropRole } from "./role.drop.ts";
 import type { RolePrivilege } from "./role.privilege.ts";
+import type { SecurityLabelRole } from "./role.security-label.ts";
 /** Union of all role-related change variants (`objectType: "role"`). @category Change Types */
 export type RoleChange =
@@ -10,4 +11,5 @@ export type RoleChange =
   | CommentRole
   | CreateRole
   | DropRole
-  | RolePrivilege;
+  | RolePrivilege
+  | SecurityLabelRole;

package/src/core/objects/role/role.diff.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { diffObjects } from "../base.diff.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import {
   AlterRoleSetConfig,
   AlterRoleSetOptions,
@@ -16,6 +17,10 @@ import {
   RevokeRoleMembership,
   RevokeRoleMembershipOptions,
 } from "./changes/role.privilege.ts";
+import {
+  CreateSecurityLabelOnRole,
+  DropSecurityLabelOnRole,
+} from "./changes/role.security-label.ts";
 import type { RoleChange } from "./changes/role.types.ts";
 import type { Role } from "./role.model.ts";
@@ -51,6 +56,14 @@ export function diffRoles(
     if (role.comment !== null) {
       changes.push(new CreateCommentOnRole({ role }));
     }
+    for (const label of role.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnRole({
+          role,
+          securityLabel: label,
+        }),
+      );
+    }
     // MEMBERSHIPS: Grant memberships immediately after role creation.
     // Members are already deduplicated by the Role model constructor.
     for (const membership of role.members) {
@@ -215,6 +228,26 @@ export function diffRoles(
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnRole | DropSecurityLabelOnRole
+      >(
+        mainRole.security_labels,
+        branchRole.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnRole({
+            role: branchRole,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnRole({
+            role: mainRole,
+            securityLabel,
+          }),
+      ),
+    );
     // MEMBERSHIPS
     // Members are already deduplicated by the Role model constructor.
     const mainMembers = new Map(mainRole.members.map((m) => [m.member, m]));

package/src/core/objects/role/role.model.ts CHANGED Viewed

@@ -2,6 +2,10 @@ import { sql } from "@ts-safeql/sql-tag";
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const membershipInfoSchema = z.object({
   member: z.string(),
@@ -35,6 +39,7 @@ const rolePropsSchema = z.object({
   comment: z.string().nullable(),
   members: z.array(membershipInfoSchema),
   default_privileges: z.array(defaultPrivilegeSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export type RoleProps = z.infer<typeof rolePropsSchema>;
@@ -53,6 +58,7 @@ export class Role extends BasePgModel {
   public readonly comment: RoleProps["comment"];
   public readonly members: RoleProps["members"];
   public readonly default_privileges: RoleProps["default_privileges"];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: RoleProps) {
     super();
@@ -73,6 +79,7 @@ export class Role extends BasePgModel {
     this.comment = props.comment;
     this.members = deduplicateMembers(props.members);
     this.default_privileges = props.default_privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `role:${string}` {
@@ -129,6 +136,7 @@ export class Role extends BasePgModel {
       comment: this.comment,
       members: sortedMembers,
       default_privileges: sortedDefaultPrivs,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -232,6 +240,18 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
             r.rolbypassrls  AS can_bypass_rls,
             r.rolconfig     AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (
@@ -353,6 +373,18 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
             r.rolbypassrls   AS can_bypass_rls,
             r.rolconfig      AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (

package/src/core/objects/schema/changes/schema.alter.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe.concurrent("schema", () => {
         name: "test_schema",
         comment: null,
         privileges: [],
+        security_labels: [],
       };
       const schemaObj = new Schema({
         ...props,

package/src/core/objects/schema/changes/schema.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Schema } from "../schema.model.ts";
 abstract class BaseSchemaChange extends BaseChange {
   abstract readonly schema: Schema;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "schema" = "schema";
 }

package/src/core/objects/schema/changes/schema.create.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe("schema", () => {
       owner: "test",
       comment: null,
       privileges: [],
+      security_labels: [],
     });
     const change = new CreateSchema({

package/src/core/objects/schema/changes/schema.drop.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ describe("schema", () => {
       owner: "test",
       comment: null,
       privileges: [],
+      security_labels: [],
     });
     const change = new DropSchema({

package/src/core/objects/schema/changes/schema.security-label.test.ts ADDED Viewed

@@ -0,0 +1,76 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import { Schema } from "../schema.model.ts";
+import {
+  CreateSecurityLabelOnSchema,
+  DropSecurityLabelOnSchema,
+} from "./schema.security-label.ts";
+const makeSchema = () =>
+  new Schema({
+    name: "app",
+    owner: "postgres",
+    comment: null,
+    privileges: [],
+    security_labels: [],
+  });
+describe("schema.security-label", () => {
+  test("create serializes and tracks dependencies", async () => {
+    const schema = makeSchema();
+    const change = new CreateSecurityLabelOnSchema({
+      schema,
+      securityLabel: {
+        provider: "pg_graphql",
+        label: '{"inflect_names":true}',
+      },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.operation).toBe("create");
+    expect(change.objectType).toBe("schema");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+    ]);
+    expect(change.requires).toEqual([schema.stableId]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      `SECURITY LABEL FOR pg_graphql ON SCHEMA app IS '{"inflect_names":true}'`,
+    );
+  });
+  test("drop serializes to IS NULL and tracks dependencies", async () => {
+    const schema = makeSchema();
+    const change = new DropSecurityLabelOnSchema({
+      schema,
+      securityLabel: { provider: "pg_graphql", label: "old" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.operation).toBe("drop");
+    expect(change.drops).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+    ]);
+    expect(change.requires).toEqual([
+      stableId.securityLabel(schema.stableId, "pg_graphql"),
+      schema.stableId,
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR pg_graphql ON SCHEMA app IS NULL",
+    );
+  });
+  test("create escapes single quotes in label", async () => {
+    const schema = makeSchema();
+    const change = new CreateSecurityLabelOnSchema({
+      schema,
+      securityLabel: { provider: "p", label: "it's a test" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR p ON SCHEMA app IS 'it''s a test'",
+    );
+  });
+});

package/src/core/objects/schema/changes/schema.security-label.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Schema } from "../schema.model.ts";
+import { CreateSchemaChange, DropSchemaChange } from "./schema.base.ts";
+export type SecurityLabelSchema =
+  | CreateSecurityLabelOnSchema
+  | DropSecurityLabelOnSchema;
+export class CreateSecurityLabelOnSchema extends CreateSchemaChange {
+  public readonly schema: Schema;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { schema: Schema; securityLabel: SecurityLabelProps }) {
+    super();
+    this.schema = props.schema;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [this.schema.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SCHEMA",
+      this.schema.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnSchema extends DropSchemaChange {
+  public readonly schema: Schema;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { schema: Schema; securityLabel: SecurityLabelProps }) {
+    super();
+    this.schema = props.schema;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+      this.schema.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SCHEMA",
+      this.schema.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/schema/changes/schema.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentSchema } from "./schema.comment.ts";
 import type { CreateSchema } from "./schema.create.ts";
 import type { DropSchema } from "./schema.drop.ts";
 import type { SchemaPrivilege } from "./schema.privilege.ts";
+import type { SecurityLabelSchema } from "./schema.security-label.ts";
 /** Union of all schema-related change variants (`objectType: "schema"`). @category Change Types */
 export type SchemaChange =
@@ -10,4 +11,5 @@ export type SchemaChange =
   | CommentSchema
   | CreateSchema
   | DropSchema
-  | SchemaPrivilege;
+  | SchemaPrivilege
+  | SecurityLabelSchema;

package/src/core/objects/schema/schema.diff.test.ts CHANGED Viewed

@@ -11,6 +11,7 @@ const base: SchemaProps = {
   owner: "o1",
   comment: null,
   privileges: [],
+  security_labels: [],
 };
 const testContext = {

package/src/core/objects/schema/schema.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitObjectPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { AlterSchemaChangeOwner } from "./changes/schema.alter.ts";
 import {
   CreateCommentOnSchema,
@@ -16,6 +17,10 @@ import {
   RevokeGrantOptionSchemaPrivileges,
   RevokeSchemaPrivileges,
 } from "./changes/schema.privilege.ts";
+import {
+  CreateSecurityLabelOnSchema,
+  DropSecurityLabelOnSchema,
+} from "./changes/schema.security-label.ts";
 import type { SchemaChange } from "./changes/schema.types.ts";
 import type { Schema } from "./schema.model.ts";
@@ -45,6 +50,14 @@ export function diffSchemas(
     if (sc.comment !== null) {
       changes.push(new CreateCommentOnSchema({ schema: sc }));
     }
+    for (const label of sc.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnSchema({
+          schema: sc,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -87,7 +100,16 @@ export function diffSchemas(
   }
   for (const schemaId of dropped) {
-    changes.push(new DropSchema({ schema: main[schemaId] }));
+    const mainSchema = main[schemaId];
+    for (const label of mainSchema.security_labels) {
+      changes.push(
+        new DropSecurityLabelOnSchema({
+          schema: mainSchema,
+          securityLabel: label,
+        }),
+      );
+    }
+    changes.push(new DropSchema({ schema: mainSchema }));
   }
   for (const schemaId of altered) {
@@ -113,6 +135,26 @@ export function diffSchemas(
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnSchema | DropSecurityLabelOnSchema
+      >(
+        mainSchema.security_labels,
+        branchSchema.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnSchema({
+            schema: branchSchema,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnSchema({
+            schema: mainSchema,
+            securityLabel,
+          }),
+      ),
+    );
     // PRIVILEGES
     // Filter out owner privileges - owner always has ALL privileges implicitly
     // and shouldn't be compared. Use branch owner as the reference.