npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.23 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (220) hide show

package/dist/core/objects/role/changes/role.security-label.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { Role } from "../role.model.ts";
+import { CreateRoleChange, DropRoleChange } from "./role.base.ts";
+export type SecurityLabelRole = CreateSecurityLabelOnRole | DropSecurityLabelOnRole;
+export declare class CreateSecurityLabelOnRole extends CreateRoleChange {
+    readonly role: Role;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        role: Role;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `role:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnRole extends DropRoleChange {
+    readonly role: Role;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        role: Role;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `role:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/role/changes/role.security-label.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreateRoleChange, DropRoleChange } from "./role.base.js";
+export class CreateSecurityLabelOnRole extends CreateRoleChange {
+    role;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.role = props.role;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.role.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON ROLE",
+            this.role.name,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnRole extends DropRoleChange {
+    role;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.role = props.role;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.role.stableId, this.securityLabel.provider),
+            this.role.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON ROLE",
+            this.role.name,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/role/changes/role.types.d.ts CHANGED Viewed

@@ -3,5 +3,6 @@ import type { CommentRole } from "./role.comment.ts";
 import type { CreateRole } from "./role.create.ts";
 import type { DropRole } from "./role.drop.ts";
 import type { RolePrivilege } from "./role.privilege.ts";
+import type { SecurityLabelRole } from "./role.security-label.ts";
 /** Union of all role-related change variants (`objectType: "role"`). @category Change Types */
-export type RoleChange = AlterRole | CommentRole | CreateRole | DropRole | RolePrivilege;
+export type RoleChange = AlterRole | CommentRole | CreateRole | DropRole | RolePrivilege | SecurityLabelRole;

package/dist/core/objects/role/role.diff.js CHANGED Viewed

@@ -1,9 +1,11 @@
 import { diffObjects } from "../base.diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { AlterRoleSetConfig, AlterRoleSetOptions, } from "./changes/role.alter.js";
 import { CreateCommentOnRole, DropCommentOnRole, } from "./changes/role.comment.js";
 import { CreateRole } from "./changes/role.create.js";
 import { DropRole } from "./changes/role.drop.js";
 import { GrantRoleDefaultPrivileges, GrantRoleMembership, RevokeRoleDefaultPrivileges, RevokeRoleMembership, RevokeRoleMembershipOptions, } from "./changes/role.privilege.js";
+import { CreateSecurityLabelOnRole, DropSecurityLabelOnRole, } from "./changes/role.security-label.js";
 /**
  * Diff two sets of roles from main and branch catalogs.
  *
@@ -31,6 +33,12 @@ export function diffRoles(ctx, main, branch) {
         if (role.comment !== null) {
             changes.push(new CreateCommentOnRole({ role }));
         }
+        for (const label of role.security_labels) {
+            changes.push(new CreateSecurityLabelOnRole({
+                role,
+                securityLabel: label,
+            }));
+        }
         // MEMBERSHIPS: Grant memberships immediately after role creation.
         // Members are already deduplicated by the Role model constructor.
         for (const membership of role.members) {
@@ -171,6 +179,14 @@ export function diffRoles(ctx, main, branch) {
                 changes.push(new CreateCommentOnRole({ role: branchRole }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainRole.security_labels, branchRole.security_labels, (securityLabel) => new CreateSecurityLabelOnRole({
+            role: branchRole,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnRole({
+            role: mainRole,
+            securityLabel,
+        })));
         // MEMBERSHIPS
         // Members are already deduplicated by the Role model constructor.
         const mainMembers = new Map(mainRole.members.map((m) => [m.member, m]));

package/dist/core/objects/role/role.model.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 declare const rolePropsSchema: z.ZodObject<{
     name: z.ZodString;
     is_superuser: z.ZodBoolean;
@@ -36,6 +37,10 @@ declare const rolePropsSchema: z.ZodObject<{
         }, z.z.core.$strip>>;
         is_implicit: z.ZodBoolean;
     }, z.z.core.$strip>>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 export type RoleProps = z.infer<typeof rolePropsSchema>;
 export declare class Role extends BasePgModel {
@@ -52,6 +57,7 @@ export declare class Role extends BasePgModel {
     readonly comment: RoleProps["comment"];
     readonly members: RoleProps["members"];
     readonly default_privileges: RoleProps["default_privileges"];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: RoleProps);
     get stableId(): `role:${string}`;
     get identityFields(): {
@@ -84,6 +90,10 @@ export declare class Role extends BasePgModel {
             objtype: "n" | "r" | "f" | "S" | "T";
             grantee: string;
         }[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
 }
 export declare function extractRoles(pool: Pool): Promise<Role[]>;

package/dist/core/objects/role/role.model.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { sql } from "@ts-safeql/sql-tag";
 import z from "zod";
 import { BasePgModel } from "../base.model.js";
+import { securityLabelPropsSchema, } from "../security-label.types.js";
 const membershipInfoSchema = z.object({
     member: z.string(),
     grantor: z.string(),
@@ -29,6 +30,7 @@ const rolePropsSchema = z.object({
     comment: z.string().nullable(),
     members: z.array(membershipInfoSchema),
     default_privileges: z.array(defaultPrivilegeSchema),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export class Role extends BasePgModel {
     name;
@@ -44,6 +46,7 @@ export class Role extends BasePgModel {
     comment;
     members;
     default_privileges;
+    security_labels;
     constructor(props) {
         super();
         // Identity fields
@@ -61,6 +64,7 @@ export class Role extends BasePgModel {
         this.comment = props.comment;
         this.members = deduplicateMembers(props.members);
         this.default_privileges = props.default_privileges;
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         return `role:${this.name}`;
@@ -106,6 +110,7 @@ export class Role extends BasePgModel {
             comment: this.comment,
             members: sortedMembers,
             default_privileges: sortedDefaultPrivs,
+            security_labels: this.security_labels,
         };
     }
 }
@@ -200,6 +205,18 @@ export async function extractRoles(pool) {
             r.rolbypassrls  AS can_bypass_rls,
             r.rolconfig     AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (
@@ -322,6 +339,18 @@ export async function extractRoles(pool) {
             r.rolbypassrls   AS can_bypass_rls,
             r.rolconfig      AS config,
             obj_description(r.oid, 'pg_authid') AS comment,
+            COALESCE(
+              (
+                SELECT json_agg(
+                  json_build_object('provider', sl.provider, 'label', sl.label)
+                  ORDER BY sl.provider
+                )
+                FROM pg_catalog.pg_shseclabel sl
+                WHERE sl.objoid = r.oid
+                  AND sl.classoid = 'pg_authid'::regclass
+              ),
+              '[]'::json
+            ) AS security_labels,
             COALESCE(rm.members, '[]') AS members,
             COALESCE(
               (

package/dist/core/objects/schema/changes/schema.base.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { BaseChange } from "../../base.change.ts";
 import type { Schema } from "../schema.model.ts";
 declare abstract class BaseSchemaChange extends BaseChange {
     abstract readonly schema: Schema;
-    abstract readonly scope: "object" | "comment" | "privilege";
+    abstract readonly scope: "object" | "comment" | "privilege" | "security_label";
     readonly objectType: "schema";
 }
 export declare abstract class CreateSchemaChange extends BaseSchemaChange {

package/dist/core/objects/schema/changes/schema.security-label.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { Schema } from "../schema.model.ts";
+import { CreateSchemaChange, DropSchemaChange } from "./schema.base.ts";
+export type SecurityLabelSchema = CreateSecurityLabelOnSchema | DropSecurityLabelOnSchema;
+export declare class CreateSecurityLabelOnSchema extends CreateSchemaChange {
+    readonly schema: Schema;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        schema: Schema;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `schema:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnSchema extends DropSchemaChange {
+    readonly schema: Schema;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        schema: Schema;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`schema:${string}` | `securityLabel:${string}::provider:${string}`)[];
+    serialize(): string;
+}

package/dist/core/objects/schema/changes/schema.security-label.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { quoteLiteral } from "../../base.change.js";
+import { stableId } from "../../utils.js";
+import { CreateSchemaChange, DropSchemaChange } from "./schema.base.js";
+export class CreateSecurityLabelOnSchema extends CreateSchemaChange {
+    schema;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.schema = props.schema;
+        this.securityLabel = props.securityLabel;
+    }
+    get creates() {
+        return [
+            stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [this.schema.stableId];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON SCHEMA",
+            this.schema.name,
+            "IS",
+            quoteLiteral(this.securityLabel.label),
+        ].join(" ");
+    }
+}
+export class DropSecurityLabelOnSchema extends DropSchemaChange {
+    schema;
+    securityLabel;
+    scope = "security_label";
+    constructor(props) {
+        super();
+        this.schema = props.schema;
+        this.securityLabel = props.securityLabel;
+    }
+    get drops() {
+        return [
+            stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+        ];
+    }
+    get requires() {
+        return [
+            stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+            this.schema.stableId,
+        ];
+    }
+    serialize() {
+        return [
+            "SECURITY LABEL FOR",
+            this.securityLabel.provider,
+            "ON SCHEMA",
+            this.schema.name,
+            "IS NULL",
+        ].join(" ");
+    }
+}

package/dist/core/objects/schema/changes/schema.types.d.ts CHANGED Viewed

@@ -3,5 +3,6 @@ import type { CommentSchema } from "./schema.comment.ts";
 import type { CreateSchema } from "./schema.create.ts";
 import type { DropSchema } from "./schema.drop.ts";
 import type { SchemaPrivilege } from "./schema.privilege.ts";
+import type { SecurityLabelSchema } from "./schema.security-label.ts";
 /** Union of all schema-related change variants (`objectType: "schema"`). @category Change Types */
-export type SchemaChange = AlterSchema | CommentSchema | CreateSchema | DropSchema | SchemaPrivilege;
+export type SchemaChange = AlterSchema | CommentSchema | CreateSchema | DropSchema | SchemaPrivilege | SecurityLabelSchema;

package/dist/core/objects/schema/schema.diff.js CHANGED Viewed

@@ -1,10 +1,12 @@
 import { diffObjects } from "../base.diff.js";
 import { diffPrivileges, emitObjectPrivilegeChanges, } from "../base.privilege-diff.js";
+import { diffSecurityLabels } from "../security-label.types.js";
 import { AlterSchemaChangeOwner } from "./changes/schema.alter.js";
 import { CreateCommentOnSchema, DropCommentOnSchema, } from "./changes/schema.comment.js";
 import { CreateSchema } from "./changes/schema.create.js";
 import { DropSchema } from "./changes/schema.drop.js";
 import { GrantSchemaPrivileges, RevokeGrantOptionSchemaPrivileges, RevokeSchemaPrivileges, } from "./changes/schema.privilege.js";
+import { CreateSecurityLabelOnSchema, DropSecurityLabelOnSchema, } from "./changes/schema.security-label.js";
 /**
  * Diff two sets of schemas from main and branch catalogs.
  *
@@ -22,6 +24,12 @@ export function diffSchemas(ctx, main, branch) {
         if (sc.comment !== null) {
             changes.push(new CreateCommentOnSchema({ schema: sc }));
         }
+        for (const label of sc.security_labels) {
+            changes.push(new CreateSecurityLabelOnSchema({
+                schema: sc,
+                securityLabel: label,
+            }));
+        }
         // PRIVILEGES: For created objects, compare against default privileges state
         // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
         // so objects are created with the default privileges state in effect.
@@ -43,7 +51,14 @@ export function diffSchemas(ctx, main, branch) {
         }, ctx.version));
     }
     for (const schemaId of dropped) {
-        changes.push(new DropSchema({ schema: main[schemaId] }));
+        const mainSchema = main[schemaId];
+        for (const label of mainSchema.security_labels) {
+            changes.push(new DropSecurityLabelOnSchema({
+                schema: mainSchema,
+                securityLabel: label,
+            }));
+        }
+        changes.push(new DropSchema({ schema: mainSchema }));
     }
     for (const schemaId of altered) {
         const mainSchema = main[schemaId];
@@ -64,6 +79,14 @@ export function diffSchemas(ctx, main, branch) {
                 changes.push(new CreateCommentOnSchema({ schema: branchSchema }));
             }
         }
+        // SECURITY LABELS
+        changes.push(...diffSecurityLabels(mainSchema.security_labels, branchSchema.security_labels, (securityLabel) => new CreateSecurityLabelOnSchema({
+            schema: branchSchema,
+            securityLabel,
+        }), (securityLabel) => new DropSecurityLabelOnSchema({
+            schema: mainSchema,
+            securityLabel,
+        })));
         // PRIVILEGES
         // Filter out owner privileges - owner always has ALL privileges implicitly
         // and shouldn't be compared. Use branch owner as the reference.

package/dist/core/objects/schema/schema.model.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import type { Pool } from "pg";
 import z from "zod";
 import { BasePgModel } from "../base.model.ts";
 import { type PrivilegeProps } from "../base.privilege-diff.ts";
+import { type SecurityLabelProps } from "../security-label.types.ts";
 /**
  * All properties exposed by CREATE SCHEMA statement are included in diff output.
  * https://www.postgresql.org/docs/current/sql-createschema.html
@@ -19,6 +20,10 @@ declare const schemaPropsSchema: z.ZodObject<{
         grantable: z.ZodBoolean;
         columns: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
     }, z.z.core.$strip>>;
+    security_labels: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodObject<{
+        provider: z.ZodString;
+        label: z.ZodString;
+    }, z.z.core.$strip>>>>;
 }, z.z.core.$strip>;
 type SchemaPrivilegeProps = PrivilegeProps;
 export type SchemaProps = z.infer<typeof schemaPropsSchema>;
@@ -27,6 +32,7 @@ export declare class Schema extends BasePgModel {
     readonly owner: SchemaProps["owner"];
     readonly comment: SchemaProps["comment"];
     readonly privileges: SchemaPrivilegeProps[];
+    readonly security_labels: SecurityLabelProps[];
     constructor(props: SchemaProps);
     get stableId(): `schema:${string}`;
     get identityFields(): {
@@ -41,6 +47,10 @@ export declare class Schema extends BasePgModel {
             grantable: boolean;
             columns?: string[] | null | undefined;
         }[];
+        security_labels: {
+            provider: string;
+            label: string;
+        }[];
     };
 }
 export declare function extractSchemas(pool: Pool): Promise<Schema[]>;

package/dist/core/objects/schema/schema.model.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { sql } from "@ts-safeql/sql-tag";
 import z from "zod";
 import { BasePgModel } from "../base.model.js";
 import { privilegePropsSchema, } from "../base.privilege-diff.js";
+import { securityLabelPropsSchema, } from "../security-label.types.js";
 /**
  * All properties exposed by CREATE SCHEMA statement are included in diff output.
  * https://www.postgresql.org/docs/current/sql-createschema.html
@@ -14,12 +15,14 @@ const schemaPropsSchema = z.object({
     owner: z.string(),
     comment: z.string().nullable(),
     privileges: z.array(privilegePropsSchema),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 export class Schema extends BasePgModel {
     name;
     owner;
     comment;
     privileges;
+    security_labels;
     constructor(props) {
         super();
         // Identity fields
@@ -28,6 +31,7 @@ export class Schema extends BasePgModel {
         this.owner = props.owner;
         this.comment = props.comment;
         this.privileges = props.privileges;
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         return `schema:${this.name}`;
@@ -42,6 +46,7 @@ export class Schema extends BasePgModel {
             owner: this.owner,
             comment: this.comment,
             privileges: this.privileges,
+            security_labels: this.security_labels,
         };
     }
 }
@@ -72,7 +77,19 @@ export async function extractSchemas(pool) {
           )
           from lateral aclexplode(COALESCE(nspacl, acldefault('n', nspowner))) as x(grantor, grantee, privilege_type, is_grantable)
         ), '[]'
-      ) as privileges
+      ) as privileges,
+      coalesce(
+        (
+          select json_agg(
+            json_build_object('provider', sl.provider, 'label', sl.label)
+            order by sl.provider
+          )
+          from pg_catalog.pg_seclabel sl
+          where sl.objoid = pg_namespace.oid
+            and sl.classoid = 'pg_namespace'::regclass
+            and sl.objsubid = 0
+        ), '[]'
+      ) as security_labels
     from
       pg_catalog.pg_namespace
       left outer join extension_oids e on e.objid = oid

package/dist/core/objects/security-label.types.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import { z } from "zod";
+export declare const securityLabelPropsSchema: z.ZodObject<{
+    provider: z.ZodString;
+    label: z.ZodString;
+}, z.core.$strip>;
+export type SecurityLabelProps = z.infer<typeof securityLabelPropsSchema>;
+export declare function normalizeSecurityLabels(labels: readonly SecurityLabelProps[]): SecurityLabelProps[];
+/**
+ * Pure helper: compares two arrays of security labels keyed by provider and
+ * returns a deterministic list of create/drop changes.
+ *
+ * - Labels present only on `branch` → emit create (via makeCreate).
+ * - Labels present only on `main` → emit drop (via makeDrop).
+ * - Labels with differing `label` under the same provider → emit create
+ *   (PostgreSQL's SECURITY LABEL … IS '…' overwrites, so no separate alter).
+ * - Unchanged labels → nothing.
+ *
+ * Output order: by provider ascending.
+ */
+export declare function diffSecurityLabels<C>(main: readonly SecurityLabelProps[], branch: readonly SecurityLabelProps[], makeCreate: (props: SecurityLabelProps) => C, makeDrop: (props: SecurityLabelProps) => C): C[];

package/dist/core/objects/security-label.types.js ADDED Viewed

@@ -0,0 +1,46 @@
+import { z } from "zod";
+export const securityLabelPropsSchema = z.object({
+    provider: z.string(),
+    label: z.string(),
+});
+export function normalizeSecurityLabels(labels) {
+    return [...labels].sort((a, b) => a.provider.localeCompare(b.provider));
+}
+/**
+ * Pure helper: compares two arrays of security labels keyed by provider and
+ * returns a deterministic list of create/drop changes.
+ *
+ * - Labels present only on `branch` → emit create (via makeCreate).
+ * - Labels present only on `main` → emit drop (via makeDrop).
+ * - Labels with differing `label` under the same provider → emit create
+ *   (PostgreSQL's SECURITY LABEL … IS '…' overwrites, so no separate alter).
+ * - Unchanged labels → nothing.
+ *
+ * Output order: by provider ascending.
+ */
+export function diffSecurityLabels(main, branch, makeCreate, makeDrop) {
+    const mainByProvider = new Map(main.map((l) => [l.provider, l.label]));
+    const branchByProvider = new Map(branch.map((l) => [l.provider, l.label]));
+    const providers = new Set([
+        ...mainByProvider.keys(),
+        ...branchByProvider.keys(),
+    ]);
+    const sortedProviders = [...providers].sort();
+    const out = [];
+    for (const provider of sortedProviders) {
+        const mainLabel = mainByProvider.get(provider);
+        const branchLabel = branchByProvider.get(provider);
+        if (mainLabel === undefined && branchLabel !== undefined) {
+            out.push(makeCreate({ provider, label: branchLabel }));
+        }
+        else if (mainLabel !== undefined && branchLabel === undefined) {
+            out.push(makeDrop({ provider, label: mainLabel }));
+        }
+        else if (mainLabel !== undefined &&
+            branchLabel !== undefined &&
+            mainLabel !== branchLabel) {
+            out.push(makeCreate({ provider, label: branchLabel }));
+        }
+    }
+    return out;
+}

package/dist/core/objects/sequence/changes/sequence.base.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { BaseChange } from "../../base.change.ts";
 import type { Sequence } from "../sequence.model.ts";
 declare abstract class BaseSequenceChange extends BaseChange {
     abstract readonly sequence: Sequence;
-    abstract readonly scope: "object" | "comment" | "privilege";
+    abstract readonly scope: "object" | "comment" | "privilege" | "security_label";
     readonly objectType: "sequence";
 }
 export declare abstract class CreateSequenceChange extends BaseSequenceChange {

package/dist/core/objects/sequence/changes/sequence.security-label.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import type { Sequence } from "../sequence.model.ts";
+import { CreateSequenceChange, DropSequenceChange } from "./sequence.base.ts";
+export type SecurityLabelSequence = CreateSecurityLabelOnSequence | DropSecurityLabelOnSequence;
+export declare class CreateSecurityLabelOnSequence extends CreateSequenceChange {
+    readonly sequence: Sequence;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        sequence: Sequence;
+        securityLabel: SecurityLabelProps;
+    });
+    get creates(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): `sequence:${string}`[];
+    serialize(): string;
+}
+export declare class DropSecurityLabelOnSequence extends DropSequenceChange {
+    readonly sequence: Sequence;
+    readonly securityLabel: SecurityLabelProps;
+    readonly scope: "security_label";
+    constructor(props: {
+        sequence: Sequence;
+        securityLabel: SecurityLabelProps;
+    });
+    get drops(): `securityLabel:${string}::provider:${string}`[];
+    get requires(): (`securityLabel:${string}::provider:${string}` | `sequence:${string}`)[];
+    serialize(): string;
+}