@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.23

package/dist/core/objects/view/view.model.js

@@ -3,6 +3,7 @@ import z from "zod";
 import { BasePgModel, columnPropsSchema, normalizeColumns, } from "../base.model.js";
 import { privilegePropsSchema, } from "../base.privilege-diff.js";
 import { extractWithDefinitionRetry, } from "../extract-with-retry.js";
+import { normalizeSecurityLabels, securityLabelPropsSchema, } from "../security-label.types.js";
 import { ReplicaIdentitySchema } from "../table/table.model.js";
 const viewPropsSchema = z.object({
     schema: z.string(),
@@ -23,6 +24,7 @@ const viewPropsSchema = z.object({
     comment: z.string().nullable(),
     columns: z.array(columnPropsSchema),
     privileges: z.array(privilegePropsSchema),
+    security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 // pg_get_viewdef(oid) can return NULL when the underlying view (or its
 // pg_rewrite row) is dropped between catalog scan and resolution, or under
@@ -51,6 +53,7 @@ export class View extends BasePgModel {
     comment;
     columns;
     privileges;
+    security_labels;
     constructor(props) {
         super();
         // Identity fields
@@ -73,6 +76,7 @@ export class View extends BasePgModel {
         this.comment = props.comment;
         this.columns = props.columns;
         this.privileges = props.privileges;
+        this.security_labels = props.security_labels ?? [];
     }
     get stableId() {
         return `view:${this.schema}.${this.name}`;
@@ -101,6 +105,7 @@ export class View extends BasePgModel {
             comment: this.comment,
             columns: this.columns,
             privileges: this.privileges,
+            security_labels: this.security_labels,
         };
     }
     stableSnapshot() {
@@ -109,6 +114,7 @@ export class View extends BasePgModel {
             data: {
                 ...this.dataFields,
                 columns: normalizeColumns(this.columns),
+                security_labels: normalizeSecurityLabels(this.security_labels),
             },
         };
     }
@@ -235,7 +241,20 @@ select
       join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
       group by x.grantee, x.privilege_type
     ) as grp
-  ), '[]') as privileges
+  ), '[]') as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = v.oid
+        and sl.classoid = 'pg_class'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   views v
   left join pg_attribute a on a.attrelid = v.oid and a.attnum > 0 and not a.attisdropped

package/dist/core/plan/sql-format/fixtures.js

@@ -806,6 +806,7 @@ const schema = new Schema({
     owner: "admin",
     comment: "application schema",
     privileges: [],
+    security_labels: [],
 });
 const extension = new Extension({
     name: "pgcrypto",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@supabase/pg-delta",
-  "version": "1.0.0-alpha.22",
+  "version": "1.0.0-alpha.23",
   "description": "PostgreSQL migrations made easy",
   "type": "module",
   "sideEffects": false,

package/src/core/catalog.model.ts

@@ -267,6 +267,7 @@ export async function createEmptyCatalog(
     owner: currentUser,
     comment: "standard public schema",
     privileges: [],
+    security_labels: [],
   });
 
   return new Catalog({

package/src/core/integrations/filter/dsl.test.ts

@@ -41,6 +41,16 @@ const membershipChange = {
   requires: [],
 } as unknown as Change;
 
+const securityLabelChange = {
+  objectType: "schema",
+  operation: "create",
+  scope: "security_label",
+  schema: { name: "labeled" },
+  securityLabel: { provider: "dummy", label: "classified" },
+  requires: ["schema:labeled"],
+  creates: ["security_label:schema:labeled:dummy"],
+} as unknown as Change;
+
 describe("evaluatePattern", () => {
   describe("bare key matching (top-level properties)", () => {
     test("objectType match", () => {
@@ -242,6 +252,23 @@ describe("evaluatePattern", () => {
     });
   });
 
+  describe("security label matching", () => {
+    test("provider matches security label changes", () => {
+      expect(
+        evaluatePattern(
+          { scope: "security_label", provider: "dummy" },
+          securityLabelChange,
+        ),
+      ).toBe(true);
+      expect(
+        evaluatePattern(
+          { scope: "security_label", provider: "other" },
+          securityLabelChange,
+        ),
+      ).toBe(false);
+    });
+  });
+
   describe("composition patterns", () => {
     test("not negates a pattern", () => {
       expect(

package/src/core/integrations/filter/flatten.ts

@@ -105,6 +105,22 @@ export function flattenChange(change: Change): Record<string, FlatValue> {
           flat[`${prefix}/${subKey}`] = flatVal;
         }
       }
+    } else if (
+      key === "securityLabel" &&
+      value &&
+      typeof value === "object" &&
+      !Array.isArray(value)
+    ) {
+      // Security labels are change-level metadata, so expose provider/label as
+      // bare keys for filters like { scope: "security_label", provider: "..." }.
+      for (const [subKey, subValue] of Object.entries(
+        value as Record<string, unknown>,
+      )) {
+        const flatVal = toFlatValue(subValue);
+        if (flatVal !== undefined) {
+          flat[subKey] = flatVal;
+        }
+      }
     } else {
       const flatVal = toFlatValue(value);
       if (flatVal !== undefined) {

package/src/core/objects/aggregate/aggregate.diff.ts

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../utils.ts";
 import type { Aggregate } from "./aggregate.model.ts";
 import { AlterAggregateChangeOwner } from "./changes/aggregate.alter.ts";
@@ -19,6 +20,10 @@ import {
   RevokeAggregatePrivileges,
   RevokeGrantOptionAggregatePrivileges,
 } from "./changes/aggregate.privilege.ts";
+import {
+  CreateSecurityLabelOnAggregate,
+  DropSecurityLabelOnAggregate,
+} from "./changes/aggregate.security-label.ts";
 import type { AggregateChange } from "./changes/aggregate.types.ts";
 
 export function diffAggregates(
@@ -51,6 +56,14 @@ export function diffAggregates(
     if (aggregate.comment !== null) {
       changes.push(new CreateCommentOnAggregate({ aggregate }));
     }
+    for (const label of aggregate.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnAggregate({
+          aggregate,
+          securityLabel: label,
+        }),
+      );
+    }
 
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -182,6 +195,26 @@ export function diffAggregates(
       }
     }
 
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnAggregate | DropSecurityLabelOnAggregate
+      >(
+        mainAggregate.security_labels,
+        branchAggregate.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnAggregate({
+            aggregate: branchAggregate,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnAggregate({
+            aggregate: mainAggregate,
+            securityLabel,
+          }),
+      ),
+    );
+
     // PRIVILEGES
     // Filter out PUBLIC's built-in default EXECUTE privilege from main catalog
     // (PostgreSQL grants it automatically, so we shouldn't compare it)

package/src/core/objects/aggregate/aggregate.model.ts

@@ -6,6 +6,10 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 
 const AggregateKindSchema = z.enum([
   "n", // normal aggregate
@@ -75,6 +79,7 @@ const aggregatePropsSchema = z.object({
   owner: z.string(),
   comment: z.string().nullable(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 
 type AggregatePrivilegeProps = PrivilegeProps;
@@ -122,6 +127,7 @@ export class Aggregate extends BasePgModel {
   public readonly owner: AggregateProps["owner"];
   public readonly comment: AggregateProps["comment"];
   public readonly privileges: AggregatePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
 
   constructor(props: AggregateProps) {
     super();
@@ -168,6 +174,7 @@ export class Aggregate extends BasePgModel {
     this.owner = props.owner;
     this.comment = props.comment;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
 
   get stableId(): `aggregate:${string}` {
@@ -224,6 +231,7 @@ export class Aggregate extends BasePgModel {
       owner: this.owner,
       comment: this.comment,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -294,7 +302,20 @@ select
       )
       from lateral aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) as x(grantor, grantee, privilege_type, is_grantable)
     ), '[]'
-  ) as privileges
+  ) as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = p.oid
+        and sl.classoid = 'pg_proc'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   pg_catalog.pg_proc p
   inner join pg_catalog.pg_aggregate a on a.aggfnoid = p.oid

package/src/core/objects/aggregate/changes/aggregate.base.ts

@@ -3,7 +3,11 @@ import type { Aggregate } from "../aggregate.model.ts";
 
 abstract class BaseAggregateChange extends BaseChange {
   abstract readonly aggregate: Aggregate;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "aggregate" = "aggregate";
 }
 

package/src/core/objects/aggregate/changes/aggregate.security-label.ts

@@ -0,0 +1,99 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Aggregate } from "../aggregate.model.ts";
+import {
+  CreateAggregateChange,
+  DropAggregateChange,
+} from "./aggregate.base.ts";
+
+export type SecurityLabelAggregate =
+  | CreateSecurityLabelOnAggregate
+  | DropSecurityLabelOnAggregate;
+
+function aggregateIdentity(a: Aggregate): string {
+  return `${a.schema}.${a.name}(${a.identityArguments})`;
+}
+
+export class CreateSecurityLabelOnAggregate extends CreateAggregateChange {
+  public readonly aggregate: Aggregate;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    aggregate: Aggregate;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.aggregate = props.aggregate;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.aggregate.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [this.aggregate.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON AGGREGATE",
+      aggregateIdentity(this.aggregate),
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnAggregate extends DropAggregateChange {
+  public readonly aggregate: Aggregate;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: {
+    aggregate: Aggregate;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.aggregate = props.aggregate;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.aggregate.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.aggregate.stableId,
+        this.securityLabel.provider,
+      ),
+      this.aggregate.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON AGGREGATE",
+      aggregateIdentity(this.aggregate),
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/aggregate/changes/aggregate.types.ts

@@ -3,6 +3,7 @@ import type { CommentAggregate } from "./aggregate.comment.ts";
 import type { CreateAggregate } from "./aggregate.create.ts";
 import type { DropAggregate } from "./aggregate.drop.ts";
 import type { AggregatePrivilege } from "./aggregate.privilege.ts";
+import type { SecurityLabelAggregate } from "./aggregate.security-label.ts";
 
 /** Union of all aggregate-related change variants (`objectType: "aggregate"`). @category Change Types */
 export type AggregateChange =
@@ -10,4 +11,5 @@ export type AggregateChange =
   | CommentAggregate
   | CreateAggregate
   | DropAggregate
-  | AggregatePrivilege;
+  | AggregatePrivilege
+  | SecurityLabelAggregate;

package/src/core/objects/base.model.ts

@@ -1,4 +1,5 @@
 import z from "zod";
+import { securityLabelPropsSchema } from "./security-label.types.ts";
 import { deepEqual } from "./utils.ts";
 
 export const columnPropsSchema = z.object({
@@ -18,6 +19,7 @@ export const columnPropsSchema = z.object({
   collation: z.string().nullable(),
   default: z.string().nullable(),
   comment: z.string().nullable(),
+  security_labels: z.array(securityLabelPropsSchema).optional(),
 });
 
 export type ColumnProps = z.infer<typeof columnPropsSchema>;

package/src/core/objects/domain/changes/domain.base.ts

@@ -3,7 +3,11 @@ import type { Domain } from "../domain.model.ts";
 
 abstract class BaseDomainChange extends BaseChange {
   abstract readonly domain: Domain;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "domain" = "domain";
 }
 

package/src/core/objects/domain/changes/domain.security-label.test.ts

@@ -0,0 +1,56 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import { Domain, type DomainProps } from "../domain.model.ts";
+import {
+  CreateSecurityLabelOnDomain,
+  DropSecurityLabelOnDomain,
+} from "./domain.security-label.ts";
+
+const makeDomain = (): Domain =>
+  new Domain({
+    schema: "public",
+    name: "email_t",
+    base_type: "text",
+    base_type_schema: "pg_catalog",
+    not_null: false,
+    type_modifier: -1,
+    array_dimensions: 0,
+    collation: null,
+    default_bin: null,
+    default_value: null,
+    owner: "postgres",
+    comment: null,
+    constraints: [],
+    privileges: [],
+  } as DomainProps);
+
+describe("domain.security-label", () => {
+  test("create serializes", async () => {
+    const domain = makeDomain();
+    const change = new CreateSecurityLabelOnDomain({
+      domain,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(domain.stableId, "dummy"),
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON DOMAIN public.email_t IS 'classified'",
+    );
+  });
+
+  test("drop serializes to IS NULL", async () => {
+    const domain = makeDomain();
+    const change = new DropSecurityLabelOnDomain({
+      domain,
+      securityLabel: { provider: "dummy", label: "x" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON DOMAIN public.email_t IS NULL",
+    );
+  });
+});

package/src/core/objects/domain/changes/domain.security-label.ts

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Domain } from "../domain.model.ts";
+import { CreateDomainChange, DropDomainChange } from "./domain.base.ts";
+
+export type SecurityLabelDomain =
+  | CreateSecurityLabelOnDomain
+  | DropSecurityLabelOnDomain;
+
+export class CreateSecurityLabelOnDomain extends CreateDomainChange {
+  public readonly domain: Domain;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { domain: Domain; securityLabel: SecurityLabelProps }) {
+    super();
+    this.domain = props.domain;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get creates() {
+    return [
+      stableId.securityLabel(this.domain.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [this.domain.stableId];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON DOMAIN",
+      `${this.domain.schema}.${this.domain.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+
+export class DropSecurityLabelOnDomain extends DropDomainChange {
+  public readonly domain: Domain;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+
+  constructor(props: { domain: Domain; securityLabel: SecurityLabelProps }) {
+    super();
+    this.domain = props.domain;
+    this.securityLabel = props.securityLabel;
+  }
+
+  get drops() {
+    return [
+      stableId.securityLabel(this.domain.stableId, this.securityLabel.provider),
+    ];
+  }
+
+  get requires() {
+    return [
+      stableId.securityLabel(this.domain.stableId, this.securityLabel.provider),
+      this.domain.stableId,
+    ];
+  }
+
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON DOMAIN",
+      `${this.domain.schema}.${this.domain.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/domain/changes/domain.types.ts

@@ -3,6 +3,7 @@ import type { CommentDomain } from "./domain.comment.ts";
 import type { CreateDomain } from "./domain.create.ts";
 import type { DropDomain } from "./domain.drop.ts";
 import type { DomainPrivilege } from "./domain.privilege.ts";
+import type { SecurityLabelDomain } from "./domain.security-label.ts";
 
 /** Union of all domain-related change variants (`objectType: "domain"`). @category Change Types */
 export type DomainChange =
@@ -10,4 +11,5 @@ export type DomainChange =
   | CommentDomain
   | CreateDomain
   | DropDomain
-  | DomainPrivilege;
+  | DomainPrivilege
+  | SecurityLabelDomain;

package/src/core/objects/domain/domain.diff.ts

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import {
   AlterDomainAddConstraint,
   AlterDomainChangeOwner,
@@ -26,6 +27,10 @@ import {
   RevokeDomainPrivileges,
   RevokeGrantOptionDomainPrivileges,
 } from "./changes/domain.privilege.ts";
+import {
+  CreateSecurityLabelOnDomain,
+  DropSecurityLabelOnDomain,
+} from "./changes/domain.security-label.ts";
 import type { DomainChange } from "./changes/domain.types.ts";
 import type { Domain } from "./domain.model.ts";
 
@@ -67,6 +72,14 @@ export function diffDomains(
     if (newDomain.comment !== null) {
       changes.push(new CreateCommentOnDomain({ domain: newDomain }));
     }
+    for (const label of newDomain.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnDomain({
+          domain: newDomain,
+          securityLabel: label,
+        }),
+      );
+    }
     // For unvalidated constraints, CREATE DOMAIN cannot specify NOT VALID.
     // Add them after creation and validate to match branch state semantics.
     // For already validated constraints, they are emitted inline in CREATE DOMAIN.
@@ -255,6 +268,26 @@ export function diffDomains(
       }
     }
 
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnDomain | DropSecurityLabelOnDomain
+      >(
+        mainDomain.security_labels,
+        branchDomain.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnDomain({
+            domain: branchDomain,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnDomain({
+            domain: mainDomain,
+            securityLabel,
+          }),
+      ),
+    );
+
     // PRIVILEGES
     // Filter out PUBLIC's built-in default USAGE privilege from main catalog
     // (PostgreSQL grants it automatically, so we shouldn't compare it)