npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.23 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (220) hide show

package/src/core/objects/subscription/subscription.diff.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { diffObjects } from "../base.diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { hasNonAlterableChanges } from "../utils.ts";
 import {
   AlterSubscriptionDisable,
@@ -15,6 +16,10 @@ import {
 } from "./changes/subscription.comment.ts";
 import { CreateSubscription } from "./changes/subscription.create.ts";
 import { DropSubscription } from "./changes/subscription.drop.ts";
+import {
+  CreateSecurityLabelOnSubscription,
+  DropSecurityLabelOnSubscription,
+} from "./changes/subscription.security-label.ts";
 import type { SubscriptionChange } from "./changes/subscription.types.ts";
 import type { Subscription } from "./subscription.model.ts";
 import type { SubscriptionSettableOption } from "./utils.ts";
@@ -61,6 +66,14 @@ export function diffSubscriptions(
     if (subscription.comment !== null) {
       changes.push(new CreateCommentOnSubscription({ subscription }));
     }
+    for (const label of subscription.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnSubscription({
+          subscription,
+          securityLabel: label,
+        }),
+      );
+    }
   }
   for (const id of dropped) {
@@ -236,6 +249,26 @@ export function diffSubscriptions(
         );
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnSubscription | DropSecurityLabelOnSubscription
+      >(
+        mainSubscription.security_labels,
+        branchSubscription.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnSubscription({
+            subscription: branchSubscription,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnSubscription({
+            subscription: mainSubscription,
+            securityLabel,
+          }),
+      ),
+    );
   }
   return changes;

package/src/core/objects/subscription/subscription.model.ts CHANGED Viewed

@@ -2,6 +2,10 @@ import type { Pool } from "pg";
 import z from "zod";
 import { extractVersion } from "../../context.ts";
 import { BasePgModel } from "../base.model.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const subscriptionPropsSchema = z.object({
   name: z.string(),
@@ -23,6 +27,7 @@ const subscriptionPropsSchema = z.object({
   synchronous_commit: z.string(),
   publications: z.array(z.string()),
   origin: z.enum(["any", "none"]),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export type SubscriptionProps = z.infer<typeof subscriptionPropsSchema>;
@@ -47,6 +52,7 @@ export class Subscription extends BasePgModel {
   public readonly synchronous_commit: SubscriptionProps["synchronous_commit"];
   public readonly publications: SubscriptionProps["publications"];
   public readonly origin: SubscriptionProps["origin"];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: SubscriptionProps) {
     super();
@@ -72,6 +78,7 @@ export class Subscription extends BasePgModel {
       a.localeCompare(b),
     );
     this.origin = props.origin;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `subscription:${string}` {
@@ -104,6 +111,7 @@ export class Subscription extends BasePgModel {
       synchronous_commit: this.synchronous_commit,
       publications: this.publications,
       origin: this.origin,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -173,7 +181,20 @@ export async function extractSubscriptions(
           ),
           '[]'::json
         ) as publications,
-        ${originExpr} as origin
+        ${originExpr} as origin,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = s.oid
+              and sl.classoid = 'pg_subscription'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from scoped_subscriptions s
       left join pg_replication_slots r
         on r.slot_name = s.subslotname

package/src/core/objects/table/changes/table.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Table } from "../table.model.ts";
 abstract class BaseTableChange extends BaseChange {
   abstract readonly table: Table;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "table" = "table";
 }

package/src/core/objects/table/changes/table.security-label.test.ts ADDED Viewed

@@ -0,0 +1,140 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import type { ColumnProps } from "../../base.model.ts";
+import { stableId } from "../../utils.ts";
+import { Table, type TableProps } from "../table.model.ts";
+import {
+  CreateSecurityLabelOnColumn,
+  CreateSecurityLabelOnTable,
+  DropSecurityLabelOnColumn,
+  DropSecurityLabelOnTable,
+} from "./table.security-label.ts";
+const makeColumn = (overrides: Partial<ColumnProps> = {}): ColumnProps => ({
+  name: "id",
+  position: 1,
+  data_type: "integer",
+  data_type_str: "integer",
+  is_custom_type: false,
+  custom_type_type: null,
+  custom_type_category: null,
+  custom_type_schema: null,
+  custom_type_name: null,
+  not_null: false,
+  is_identity: false,
+  is_identity_always: false,
+  is_generated: false,
+  collation: null,
+  default: null,
+  comment: null,
+  ...overrides,
+});
+const makeTable = (): Table =>
+  new Table({
+    schema: "public",
+    name: "users",
+    persistence: "p",
+    row_security: false,
+    force_row_security: false,
+    has_indexes: false,
+    has_rules: false,
+    has_triggers: false,
+    has_subclasses: false,
+    is_populated: true,
+    replica_identity: "d",
+    is_partition: false,
+    options: null,
+    partition_bound: null,
+    partition_by: null,
+    owner: "postgres",
+    comment: null,
+    parent_schema: null,
+    parent_name: null,
+    columns: [makeColumn({ name: "email" })],
+    privileges: [],
+    security_labels: [],
+  } as TableProps);
+describe("table.security-label", () => {
+  test("table create serializes and tracks dependencies", async () => {
+    const table = makeTable();
+    const change = new CreateSecurityLabelOnTable({
+      table,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.objectType).toBe("table");
+    expect(change.operation).toBe("create");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(table.stableId, "dummy"),
+    ]);
+    expect(change.requires).toEqual([table.stableId]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON TABLE public.users IS 'classified'",
+    );
+  });
+  test("table drop serializes to IS NULL", async () => {
+    const table = makeTable();
+    const change = new DropSecurityLabelOnTable({
+      table,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.drops).toEqual([
+      stableId.securityLabel(table.stableId, "dummy"),
+    ]);
+    expect(change.requires).toEqual([
+      stableId.securityLabel(table.stableId, "dummy"),
+      table.stableId,
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON TABLE public.users IS NULL",
+    );
+  });
+  test("column create serializes and tracks dependencies", async () => {
+    const table = makeTable();
+    const column = makeColumn({ name: "email" });
+    const change = new CreateSecurityLabelOnColumn({
+      table,
+      column,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    const colStableId = stableId.column(table.schema, table.name, column.name);
+    expect(change.creates).toEqual([
+      stableId.securityLabel(colStableId, "dummy"),
+    ]);
+    expect(change.requires).toEqual([colStableId]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON COLUMN public.users.email IS 'classified'",
+    );
+  });
+  test("column drop serializes to IS NULL", async () => {
+    const table = makeTable();
+    const column = makeColumn({ name: "email" });
+    const change = new DropSecurityLabelOnColumn({
+      table,
+      column,
+      securityLabel: { provider: "dummy", label: "x" },
+    });
+    const colStableId = stableId.column(table.schema, table.name, column.name);
+    expect(change.drops).toEqual([
+      stableId.securityLabel(colStableId, "dummy"),
+    ]);
+    expect(change.requires).toEqual([
+      stableId.securityLabel(colStableId, "dummy"),
+      colStableId,
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON COLUMN public.users.email IS NULL",
+    );
+  });
+});

package/src/core/objects/table/changes/table.security-label.ts ADDED Viewed

@@ -0,0 +1,183 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { ColumnProps } from "../../base.model.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Table } from "../table.model.ts";
+import { CreateTableChange, DropTableChange } from "./table.base.ts";
+export type SecurityLabelTable =
+  | CreateSecurityLabelOnTable
+  | DropSecurityLabelOnTable
+  | CreateSecurityLabelOnColumn
+  | DropSecurityLabelOnColumn;
+/**
+ * SECURITY LABEL FOR <provider> ON TABLE <schema>.<table> IS <literal>
+ */
+export class CreateSecurityLabelOnTable extends CreateTableChange {
+  public readonly table: Table;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { table: Table; securityLabel: SecurityLabelProps }) {
+    super();
+    this.table = props.table;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(this.table.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [this.table.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TABLE",
+      `${this.table.schema}.${this.table.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnTable extends DropTableChange {
+  public readonly table: Table;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { table: Table; securityLabel: SecurityLabelProps }) {
+    super();
+    this.table = props.table;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(this.table.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(this.table.stableId, this.securityLabel.provider),
+      this.table.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TABLE",
+      `${this.table.schema}.${this.table.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}
+/**
+ * SECURITY LABEL FOR <provider> ON COLUMN <schema>.<table>.<column> IS <literal>
+ */
+export class CreateSecurityLabelOnColumn extends CreateTableChange {
+  public readonly table: Table;
+  public readonly column: ColumnProps;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    table: Table;
+    column: ColumnProps;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.table = props.table;
+    this.column = props.column;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    const columnStableId = stableId.column(
+      this.table.schema,
+      this.table.name,
+      this.column.name,
+    );
+    return [
+      stableId.securityLabel(columnStableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.column(this.table.schema, this.table.name, this.column.name),
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON COLUMN",
+      `${this.table.schema}.${this.table.name}.${this.column.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnColumn extends DropTableChange {
+  public readonly table: Table;
+  public readonly column: ColumnProps;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    table: Table;
+    column: ColumnProps;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.table = props.table;
+    this.column = props.column;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    const columnStableId = stableId.column(
+      this.table.schema,
+      this.table.name,
+      this.column.name,
+    );
+    return [
+      stableId.securityLabel(columnStableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    const columnStableId = stableId.column(
+      this.table.schema,
+      this.table.name,
+      this.column.name,
+    );
+    return [
+      stableId.securityLabel(columnStableId, this.securityLabel.provider),
+      columnStableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON COLUMN",
+      `${this.table.schema}.${this.table.name}.${this.column.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/table/changes/table.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentTable } from "./table.comment.ts";
 import type { CreateTable } from "./table.create.ts";
 import type { DropTable } from "./table.drop.ts";
 import type { TablePrivilege } from "./table.privilege.ts";
+import type { SecurityLabelTable } from "./table.security-label.ts";
 /** Union of all table-related change variants (`objectType: "table"`). @category Change Types */
 export type TableChange =
@@ -10,4 +11,5 @@ export type TableChange =
   | CommentTable
   | CreateTable
   | DropTable
-  | TablePrivilege;
+  | TablePrivilege
+  | SecurityLabelTable;

package/src/core/objects/table/table.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitColumnPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual } from "../utils.ts";
 import {
   AlterTableAddColumn,
@@ -47,6 +48,12 @@ import {
   RevokeGrantOptionTablePrivileges,
   RevokeTablePrivileges,
 } from "./changes/table.privilege.ts";
+import {
+  CreateSecurityLabelOnColumn,
+  CreateSecurityLabelOnTable,
+  DropSecurityLabelOnColumn,
+  DropSecurityLabelOnTable,
+} from "./changes/table.security-label.ts";
 import type { TableChange } from "./changes/table.types.ts";
 import { Table } from "./table.model.ts";
@@ -279,6 +286,29 @@ export function diffTables(
       }
     }
+    // Table security labels on creation
+    for (const label of branchTable.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnTable({
+          table: branchTable,
+          securityLabel: label,
+        }),
+      );
+    }
+    // Column security labels on creation
+    for (const col of branchTable.columns) {
+      for (const label of col.security_labels ?? []) {
+        changes.push(
+          new CreateSecurityLabelOnColumn({
+            table: branchTable,
+            column: col,
+            securityLabel: label,
+          }),
+        );
+      }
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
     // so objects are created with the default privileges state in effect.
@@ -440,6 +470,26 @@ export function diffTables(
       }
     }
+    // TABLE SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnTable | DropSecurityLabelOnTable
+      >(
+        mainTable.security_labels,
+        branchTable.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnTable({
+            table: branchTable,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnTable({
+            table: mainTable,
+            securityLabel,
+          }),
+      ),
+    );
     // PARTITION ATTACH/DETACH
     const mainIsPartition = Boolean(
       mainTable.parent_schema && mainTable.parent_name,
@@ -886,6 +936,43 @@ export function diffTables(
           );
         }
       }
+      // SECURITY LABELS on column
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnColumn | DropSecurityLabelOnColumn
+        >(
+          mainCol.security_labels ?? [],
+          branchCol.security_labels ?? [],
+          (securityLabel) =>
+            new CreateSecurityLabelOnColumn({
+              table: branchTable,
+              column: branchCol,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnColumn({
+              table: mainTable,
+              column: mainCol,
+              securityLabel,
+            }),
+        ),
+      );
+    }
+    // Added columns with security labels (for created columns on existing tables)
+    for (const [name, col] of branchCols) {
+      if (!mainCols.has(name)) {
+        for (const label of col.security_labels ?? []) {
+          changes.push(
+            new CreateSecurityLabelOnColumn({
+              table: branchTable,
+              column: col,
+              securityLabel: label,
+            }),
+          );
+        }
+      }
     }
     // PRIVILEGES (unified object and column privileges)

package/src/core/objects/table/table.model.ts CHANGED Viewed

@@ -16,6 +16,11 @@ import {
   type ExtractRetryOptions,
   extractWithDefinitionRetry,
 } from "../extract-with-retry.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const RelationPersistenceSchema = z.enum([
   "p", // permanent
@@ -119,6 +124,7 @@ const tablePropsSchema = z.object({
   columns: z.array(columnPropsSchema),
   constraints: z.array(tableConstraintPropsSchema).optional(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 const tableRowSchema = tablePropsSchema.extend({
@@ -126,6 +132,10 @@ const tableRowSchema = tablePropsSchema.extend({
 });
 type TablePrivilegeProps = PrivilegeProps;
+/**
+ * Table input props. `security_labels` is optional on direct construction
+ * (defaults to `[]`); extraction always produces it via the Zod default.
+ */
 export type TableProps = z.infer<typeof tablePropsSchema>;
 type TableRow = z.infer<typeof tableRowSchema>;
@@ -153,6 +163,7 @@ export class Table extends BasePgModel implements TableLikeObject {
   public readonly columns: TableProps["columns"];
   public readonly constraints: TableConstraintProps[];
   public readonly privileges: TablePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: TableProps) {
     super();
@@ -183,6 +194,7 @@ export class Table extends BasePgModel implements TableLikeObject {
     this.columns = props.columns;
     this.constraints = props.constraints ?? [];
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `table:${string}` {
@@ -214,6 +226,7 @@ export class Table extends BasePgModel implements TableLikeObject {
       columns: this.columns,
       constraints: this.constraints,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
@@ -233,6 +246,7 @@ export class Table extends BasePgModel implements TableLikeObject {
         options: this.options ? [...this.options].sort() : this.options,
         constraints: normalizeConstraints(),
         privileges: normalizePrivileges(this.privileges),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -446,7 +460,20 @@ select
             and a.attcollation <> t2.typcollation
         ),
         'default', pg_get_expr(ad.adbin, ad.adrelid),
-        'comment', col_description(a.attrelid, a.attnum)
+        'comment', col_description(a.attrelid, a.attnum),
+        'security_labels', coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = t.oid
+              and sl.classoid = 'pg_class'::regclass
+              and sl.objsubid = a.attnum
+          ),
+          '[]'::json
+        )
       )
     end
     order by a.attnum
@@ -486,7 +513,20 @@ select
       join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
       group by x.grantee, x.privilege_type
     ) as grp
-  ), '[]') as privileges
+  ), '[]') as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = t.oid
+        and sl.classoid = 'pg_class'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   tables t
   left join pg_attribute a on a.attrelid = t.oid and a.attnum > 0 and not a.attisdropped