npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.23 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (220) hide show

package/dist/core/objects/event-trigger/changes/event-trigger.security-label.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreateEventTriggerChange, DropEventTriggerChange, } from "./event-trigger.base.js";
+export class CreateSecurityLabelOnEventTrigger extends CreateEventTriggerChange {
+    eventTrigger;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.eventTrigger = props.eventTrigger;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.eventTrigger.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.eventTrigger.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON EVENT TRIGGER",
+            this.eventTrigger.name,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnEventTrigger extends DropEventTriggerChange {
+    eventTrigger;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.eventTrigger = props.eventTrigger;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.eventTrigger.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.eventTrigger.stableId, this.securityLabel.provider),
+            this.eventTrigger.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON EVENT TRIGGER",
+            this.eventTrigger.name,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/event-trigger/changes/event-trigger.types.d.ts CHANGED Viewed

@@ -2,5 +2,6 @@ import type { AlterEventTrigger } from "./event-trigger.alter.ts";
 import type { CommentEventTrigger } from "./event-trigger.comment.ts";
 import type { CreateEventTrigger } from "./event-trigger.create.ts";
 import type { DropEventTrigger } from "./event-trigger.drop.ts";
+import type { SecurityLabelEventTrigger } from "./event-trigger.security-label.ts";
 /** Union of all event-trigger-related change variants (`objectType: "event_trigger"`). @category Change Types */
-export type EventTriggerChange = AlterEventTrigger | CommentEventTrigger | CreateEventTrigger | DropEventTrigger;
+export type EventTriggerChange = AlterEventTrigger | CommentEventTrigger | CreateEventTrigger | DropEventTrigger | SecurityLabelEventTrigger;

package/dist/core/objects/event-trigger/event-trigger.diff.js CHANGED Viewed

@@ -1,9 +1,11 @@
 import { diffObjects } from "../base.diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { deepEqual, hasNonAlterableChanges } from "../utils.js";
 import { AlterEventTriggerChangeOwner, AlterEventTriggerSetEnabled, } from "./changes/event-trigger.alter.js";
 import { CreateCommentOnEventTrigger, DropCommentOnEventTrigger, } from "./changes/event-trigger.comment.js";
 import { CreateEventTrigger } from "./changes/event-trigger.create.js";
 import { DropEventTrigger } from "./changes/event-trigger.drop.js";
+import { CreateSecurityLabelOnEventTrigger, DropSecurityLabelOnEventTrigger, } from "./changes/event-trigger.security-label.js";
 /**
  * Diff two sets of event triggers from main and branch catalogs.
  *
@@ -29,6 +31,12 @@ export function diffEventTriggers(ctx, main, branch) {
         if (eventTrigger.comment !== null) {
             changes.push(new CreateCommentOnEventTrigger({ eventTrigger }));
         }
+        for (const label of eventTrigger.security_labels) {
+            changes.push(new CreateSecurityLabelOnEventTrigger({
+                eventTrigger,
+                securityLabel: label,
+            }));
+        }
     }
     for (const eventTriggerId of dropped) {
         changes.push(new DropEventTrigger({ eventTrigger: main[eventTriggerId] }));
@@ -76,6 +84,14 @@ export function diffEventTriggers(ctx, main, branch) {
                 }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainEventTrigger.security_labels, branchEventTrigger.security_labels, (securityLabel) => new CreateSecurityLabelOnEventTrigger({
+            eventTrigger: branchEventTrigger,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnEventTrigger({
+            eventTrigger: mainEventTrigger,
+            securityLabel,
+        })));
     }
     return changes;
 }

package/dist/core/objects/event-trigger/event-trigger.model.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 declare const eventTriggerPropsSchema: z.ZodObject<{
     name: z.ZodString;
     event: z.ZodString;
@@ -15,6 +16,10 @@ declare const eventTriggerPropsSchema: z.ZodObject<{
     tags: z.ZodNullable<z.ZodArray<z.ZodString>>;
     owner: z.ZodString;
     comment: z.ZodNullable<z.ZodString>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 export type EventTriggerProps = z.infer<typeof eventTriggerPropsSchema>;
 export declare class EventTrigger extends BasePgModel {
@@ -26,6 +31,7 @@ export declare class EventTrigger extends BasePgModel {
     readonly tags: EventTriggerProps["tags"];
     readonly owner: EventTriggerProps["owner"];
     readonly comment: EventTriggerProps["comment"];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: EventTriggerProps);
     get stableId(): `eventTrigger:${string}`;
     get identityFields(): {
@@ -39,6 +45,10 @@ export declare class EventTrigger extends BasePgModel {
         tags: string[] | null;
         owner: string;
         comment: string | null;
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
 }
 export declare function extractEventTriggers(pool: Pool): Promise<EventTrigger[]>;

package/dist/core/objects/event-trigger/event-trigger.model.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { sql } from "@ts-safeql/sql-tag";
 import z from "zod";
 import { BasePgModel } from "../base.model.js";
+import { securityLabelPropsSchema, } from "../security-label.types.js";
 const EventTriggerEnabledSchema = z.enum([
     "O", // ORIGIN - trigger fires in origin mode
     "D", // DISABLED - trigger does not fire
@@ -16,6 +17,7 @@ const eventTriggerPropsSchema = z.object({
     tags: z.array(z.string()).nullable(),
     owner: z.string(),
     comment: z.string().nullable(),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export class EventTrigger extends BasePgModel {
     name;
@@ -26,6 +28,7 @@ export class EventTrigger extends BasePgModel {
     tags;
     owner;
     comment;
+    security_labels;
     constructor(props) {
         super();
         // Identity fields
@@ -38,6 +41,7 @@ export class EventTrigger extends BasePgModel {
         this.tags = props.tags;
         this.owner = props.owner;
         this.comment = props.comment;
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         return `eventTrigger:${this.name}`;
@@ -56,6 +60,7 @@ export class EventTrigger extends BasePgModel {
             tags: this.tags,
             owner: this.owner,
             comment: this.comment,
+            security_labels: this.security_labels,
         };
     }
 }
@@ -75,7 +80,20 @@ select
   et.evtenabled as enabled,
   et.evttags as tags,
   et.evtowner::regrole::text as owner,
-  obj_description(et.oid, 'pg_event_trigger') as comment
+  obj_description(et.oid, 'pg_event_trigger') as comment,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = et.oid
+        and sl.classoid = 'pg_event_trigger'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from pg_catalog.pg_event_trigger et
 join pg_catalog.pg_proc p on p.oid = et.evtfoid
 left join extension_oids e on e.objid = et.oid

package/dist/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.base.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { BaseChange } from "../../../base.change.ts";
 import type { ForeignTable } from "../foreign-table.model.ts";
 declare abstract class BaseForeignTableChange extends BaseChange {
     abstract readonly foreignTable: ForeignTable;
-    abstract readonly scope: "object" | "comment" | "privilege";
+    abstract readonly scope: "object" | "comment" | "privilege" | "security_label";
     readonly objectType: "foreign_table";
 }
 export declare abstract class CreateForeignTableChange extends BaseForeignTableChange {

package/dist/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.security-label.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../../security-label.types.ts";
+import type { ForeignTable } from "../foreign-table.model.ts";
+import { CreateForeignTableChange, DropForeignTableChange } from "./foreign-table.base.ts";
+export type SecurityLabelForeignTable = CreateSecurityLabelOnForeignTable | DropSecurityLabelOnForeignTable;
+export declare class CreateSecurityLabelOnForeignTable extends CreateForeignTableChange {
+    readonly foreignTable: ForeignTable;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        foreignTable: ForeignTable;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `foreignTable:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnForeignTable extends DropForeignTableChange {
+    readonly foreignTable: ForeignTable;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        foreignTable: ForeignTable;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `foreignTable:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.security-label.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../../base.change.js";
+import { stableId } from "../../../utils.js";
+import { CreateForeignTableChange, DropForeignTableChange, } from "./foreign-table.base.js";
+export class CreateSecurityLabelOnForeignTable extends CreateForeignTableChange {
+    foreignTable;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.foreignTable = props.foreignTable;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.foreignTable.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.foreignTable.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON FOREIGN TABLE",
+            `${this.foreignTable.schema}.${this.foreignTable.name}`,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnForeignTable extends DropForeignTableChange {
+    foreignTable;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.foreignTable = props.foreignTable;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.foreignTable.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.foreignTable.stableId, this.securityLabel.provider),
+            this.foreignTable.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON FOREIGN TABLE",
+            `${this.foreignTable.schema}.${this.foreignTable.name}`,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.types.d.ts CHANGED Viewed

@@ -3,5 +3,6 @@ import type { CommentForeignTable } from "./foreign-table.comment.ts";
 import type { CreateForeignTable } from "./foreign-table.create.ts";
 import type { DropForeignTable } from "./foreign-table.drop.ts";
 import type { ForeignTablePrivilege } from "./foreign-table.privilege.ts";
+import type { SecurityLabelForeignTable } from "./foreign-table.security-label.ts";
 /** Union of all foreign-table-related change variants (`objectType: "foreign_table"`). @category Change Types */
-export type ForeignTableChange = AlterForeignTable | CommentForeignTable | CreateForeignTable | DropForeignTable | ForeignTablePrivilege;
+export type ForeignTableChange = AlterForeignTable | CommentForeignTable | CreateForeignTable | DropForeignTable | ForeignTablePrivilege | SecurityLabelForeignTable;

package/dist/core/objects/foreign-data-wrapper/foreign-table/foreign-table.diff.js CHANGED Viewed

@@ -1,10 +1,12 @@
 import { diffObjects } from "../../base.diff.js";
 import { diffPrivileges, emitObjectPrivilegeChanges, filterPublicBuiltInDefaults, } from "../../base.privilege-diff.js";
+import { diffSecurityLabels } from "../../security-label.types.js";
 import { AlterForeignTableAddColumn, AlterForeignTableAlterColumnDropDefault, AlterForeignTableAlterColumnDropNotNull, AlterForeignTableAlterColumnSetDefault, AlterForeignTableAlterColumnSetNotNull, AlterForeignTableAlterColumnType, AlterForeignTableChangeOwner, AlterForeignTableDropColumn, AlterForeignTableSetOptions, } from "./changes/foreign-table.alter.js";
 import { CreateCommentOnForeignTable, DropCommentOnForeignTable, } from "./changes/foreign-table.comment.js";
 import { CreateForeignTable } from "./changes/foreign-table.create.js";
 import { DropForeignTable } from "./changes/foreign-table.drop.js";
 import { GrantForeignTablePrivileges, RevokeForeignTablePrivileges, RevokeGrantOptionForeignTablePrivileges, } from "./changes/foreign-table.privilege.js";
+import { CreateSecurityLabelOnForeignTable, DropSecurityLabelOnForeignTable, } from "./changes/foreign-table.security-label.js";
 /**
  * Diff two sets of foreign tables from main and branch catalogs.
  *
@@ -30,6 +32,12 @@ export function diffForeignTables(ctx, main, branch) {
         if (createdTable.comment !== null) {
             changes.push(new CreateCommentOnForeignTable({ foreignTable: createdTable }));
         }
+        for (const label of createdTable.security_labels) {
+            changes.push(new CreateSecurityLabelOnForeignTable({
+                foreignTable: createdTable,
+                securityLabel: label,
+            }));
+        }
         // PRIVILEGES: For created objects, compare against default privileges state
         const effectiveDefaults = ctx.defaultPrivilegeState.getEffectiveDefaults(ctx.currentUser, "foreign_table", createdTable.schema ?? "");
         const creatorFilteredDefaults = createdTable.owner !== ctx.currentUser
@@ -148,6 +156,14 @@ export function diffForeignTables(ctx, main, branch) {
                 changes.push(new CreateCommentOnForeignTable({ foreignTable: branchTable }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainTable.security_labels, branchTable.security_labels, (securityLabel) => new CreateSecurityLabelOnForeignTable({
+            foreignTable: branchTable,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnForeignTable({
+            foreignTable: mainTable,
+            securityLabel,
+        })));
         // PRIVILEGES
         const mainPrivilegesFiltered = filterPublicBuiltInDefaults("foreign_table", mainTable.privileges);
         const branchPrivilegesFiltered = filterPublicBuiltInDefaults("foreign_table", branchTable.privileges);

package/dist/core/objects/foreign-data-wrapper/foreign-table/foreign-table.model.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel, type TableLikeObject } from "../../base.model.ts";
 import { type PrivilegeProps } from "../../base.privilege-diff.ts";
+import { type SecurityLabelProps } from "../../security-label.types.ts";
 /**
  * All properties exposed by CREATE FOREIGN TABLE statement are included in diff output.
  * https://www.postgresql.org/docs/17/sql-createforeigntable.html
@@ -36,6 +37,10 @@ declare const foreignTablePropsSchema: z.ZodObject<{
         collation: z.ZodNullable<z.ZodString>;
         default: z.ZodNullable<z.ZodString>;
         comment: z.ZodNullable<z.ZodString>;
+        security_labels: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            provider: z.ZodString;
+            label: z.ZodString;
+        }, z.z.core.$strip>>>;
     }, z.z.core.$strip>>;
     privileges: z.ZodArray<z.ZodObject<{
         grantee: z.ZodString;
@@ -43,6 +48,10 @@ declare const foreignTablePropsSchema: z.ZodObject<{
         grantable: z.ZodBoolean;
         columns: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
     }, z.z.core.$strip>>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 type ForeignTablePrivilegeProps = PrivilegeProps;
 export type ForeignTableProps = z.infer<typeof foreignTablePropsSchema>;
@@ -55,6 +64,7 @@ export declare class ForeignTable extends BasePgModel implements TableLikeObject
     readonly comment: ForeignTableProps["comment"];
     readonly columns: ForeignTableProps["columns"];
     readonly privileges: ForeignTablePrivilegeProps[];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: ForeignTableProps);
     get stableId(): `foreignTable:${string}`;
     get identityFields(): {
@@ -83,6 +93,10 @@ export declare class ForeignTable extends BasePgModel implements TableLikeObject
             collation: string | null;
             default: string | null;
             comment: string | null;
+            security_labels?: {
+                provider: string;
+                label: string;
+            }[] | undefined;
         }[];
         privileges: {
             grantee: string;
@@ -90,6 +104,10 @@ export declare class ForeignTable extends BasePgModel implements TableLikeObject
             grantable: boolean;
             columns?: string[] | null | undefined;
         }[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
     stableSnapshot(): {
         identity: {
@@ -100,6 +118,10 @@ export declare class ForeignTable extends BasePgModel implements TableLikeObject
             columns: {
                 [x: string]: unknown;
             }[];
+            security_labels: {
+                provider: string;
+                label: string;
+            }[];
             owner: string;
             server: string;
             options: string[] | null;

package/dist/core/objects/foreign-data-wrapper/foreign-table/foreign-table.model.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { sql } from "@ts-safeql/sql-tag";
 import z from "zod";
 import { BasePgModel, columnPropsSchema, } from "../../base.model.js";
 import { privilegePropsSchema, } from "../../base.privilege-diff.js";
+import { normalizeSecurityLabels, securityLabelPropsSchema, } from "../../security-label.types.js";
 /**
  * All properties exposed by CREATE FOREIGN TABLE statement are included in diff output.
  * https://www.postgresql.org/docs/17/sql-createforeigntable.html
@@ -21,6 +22,7 @@ const foreignTablePropsSchema = z.object({
     comment: z.string().nullable(),
     columns: z.array(columnPropsSchema),
     privileges: z.array(privilegePropsSchema),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export class ForeignTable extends BasePgModel {
     schema;
@@ -31,6 +33,7 @@ export class ForeignTable extends BasePgModel {
     comment;
     columns;
     privileges;
+    security_labels;
     constructor(props) {
         super();
         // Identity fields
@@ -43,6 +46,7 @@ export class ForeignTable extends BasePgModel {
         this.comment = props.comment;
         this.columns = props.columns;
         this.privileges = props.privileges;
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         return `foreignTable:${this.schema}.${this.name}`;
@@ -61,6 +65,7 @@ export class ForeignTable extends BasePgModel {
             comment: this.comment,
             columns: this.columns,
             privileges: this.privileges,
+            security_labels: this.security_labels,
         };
     }
     stableSnapshot() {
@@ -79,6 +84,7 @@ export class ForeignTable extends BasePgModel {
             data: {
                 ...this.dataFields,
                 columns: normalizeColumns(),
+                security_labels: normalizeSecurityLabels(this.security_labels),
             },
         };
     }
@@ -181,7 +187,20 @@ export async function extractForeignTables(pool) {
             join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
             group by x.grantee, x.privilege_type
           ) as grp
-        ), '[]') as privileges
+        ), '[]') as privileges,
+        coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = ft.oid
+              and sl.classoid = 'pg_class'::regclass
+              and sl.objsubid = 0
+          ),
+          '[]'::json
+        ) as security_labels
       from
         foreign_tables ft
         left join pg_attribute a on a.attrelid = ft.oid and a.attnum > 0 and not a.attisdropped

package/dist/core/objects/materialized-view/changes/materialized-view.base.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { BaseChange } from "../../base.change.ts";
 import type { MaterializedView } from "../materialized-view.model.ts";
 declare abstract class BaseMaterializedViewChange extends BaseChange {
     abstract readonly materializedView: MaterializedView;
-    abstract readonly scope: "object" | "comment" | "privilege";
+    abstract readonly scope: "object" | "comment" | "privilege" | "security_label";
     readonly objectType: "materialized_view";
 }
 export declare abstract class CreateMaterializedViewChange extends BaseMaterializedViewChange {

package/dist/core/objects/materialized-view/changes/materialized-view.security-label.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { MaterializedView } from "../materialized-view.model.ts";
+import { CreateMaterializedViewChange, DropMaterializedViewChange } from "./materialized-view.base.ts";
+export type SecurityLabelMaterializedView = CreateSecurityLabelOnMaterializedView | DropSecurityLabelOnMaterializedView;
+export declare class CreateSecurityLabelOnMaterializedView extends CreateMaterializedViewChange {
+    readonly materializedView: MaterializedView;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        materializedView: MaterializedView;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `materializedView:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnMaterializedView extends DropMaterializedViewChange {
+    readonly materializedView: MaterializedView;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        materializedView: MaterializedView;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `materializedView:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/materialized-view/changes/materialized-view.security-label.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreateMaterializedViewChange, DropMaterializedViewChange, } from "./materialized-view.base.js";
+export class CreateSecurityLabelOnMaterializedView extends CreateMaterializedViewChange {
+    materializedView;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.materializedView = props.materializedView;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.materializedView.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.materializedView.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON MATERIALIZED VIEW",
+            `${this.materializedView.schema}.${this.materializedView.name}`,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnMaterializedView extends DropMaterializedViewChange {
+    materializedView;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.materializedView = props.materializedView;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.materializedView.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.materializedView.stableId, this.securityLabel.provider),
+            this.materializedView.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON MATERIALIZED VIEW",
+            `${this.materializedView.schema}.${this.materializedView.name}`,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/materialized-view/changes/materialized-view.types.d.ts CHANGED Viewed

@@ -3,5 +3,6 @@ import type { CommentMaterializedView } from "./materialized-view.comment.ts";
 import type { CreateMaterializedView } from "./materialized-view.create.ts";
 import type { DropMaterializedView } from "./materialized-view.drop.ts";
 import type { MaterializedViewPrivilege } from "./materialized-view.privilege.ts";
+import type { SecurityLabelMaterializedView } from "./materialized-view.security-label.ts";
 /** Union of all materialized-view-related change variants (`objectType: "materialized_view"`). @category Change Types */
-export type MaterializedViewChange = AlterMaterializedView | CommentMaterializedView | CreateMaterializedView | DropMaterializedView | MaterializedViewPrivilege;
+export type MaterializedViewChange = AlterMaterializedView | CommentMaterializedView | CreateMaterializedView | DropMaterializedView | MaterializedViewPrivilege | SecurityLabelMaterializedView;

package/dist/core/objects/materialized-view/materialized-view.diff.js CHANGED Viewed

@@ -1,11 +1,13 @@
 import { diffObjects } from "../base.diff.js";
 import { diffPrivileges, emitColumnPrivilegeChanges, } from "../base.privilege-diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { deepEqual, hasNonAlterableChanges } from "../utils.js";
 import { AlterMaterializedViewChangeOwner, AlterMaterializedViewSetStorageParams, } from "./changes/materialized-view.alter.js";
 import { CreateCommentOnMaterializedView, CreateCommentOnMaterializedViewColumn, DropCommentOnMaterializedView, DropCommentOnMaterializedViewColumn, } from "./changes/materialized-view.comment.js";
 import { CreateMaterializedView } from "./changes/materialized-view.create.js";
 import { DropMaterializedView } from "./changes/materialized-view.drop.js";
 import { GrantMaterializedViewPrivileges, RevokeGrantOptionMaterializedViewPrivileges, RevokeMaterializedViewPrivileges, } from "./changes/materialized-view.privilege.js";
+import { CreateSecurityLabelOnMaterializedView, DropSecurityLabelOnMaterializedView, } from "./changes/materialized-view.security-label.js";
 /**
  * Diff two sets of materialized views from main and branch catalogs.
  *
@@ -48,6 +50,14 @@ export function diffMaterializedViews(ctx, main, branch) {
                 }));
             }
         }
+        // Security labels on the matview itself (columns of matviews are not
+        // supported targets of SECURITY LABEL, so we only label the relation).
+        for (const label of mv.security_labels) {
+            changes.push(new CreateSecurityLabelOnMaterializedView({
+                materializedView: mv,
+                securityLabel: label,
+            }));
+        }
         // PRIVILEGES: For created objects, compare against default privileges state
         // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
         // so objects are created with the default privileges state in effect.
@@ -156,6 +166,14 @@ export function diffMaterializedViews(ctx, main, branch) {
                     }));
                 }
             }
+            // SECURITY LABELS
+            changes.push(...diffSecurityLabels(mainMaterializedView.security_labels, branchMaterializedView.security_labels, (securityLabel) => new CreateSecurityLabelOnMaterializedView({
+                materializedView: branchMaterializedView,
+                securityLabel,
+            }), (securityLabel) => new DropSecurityLabelOnMaterializedView({
+                materializedView: mainMaterializedView,
+                securityLabel,
+            })));
             // COMMENT changes on columns
             const mainCols = new Map(mainMaterializedView.columns.map((c) => [c.name, c]));
             const branchCols = new Map(branchMaterializedView.columns.map((c) => [c.name, c]));