npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.24 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (228) hide show

package/src/core/objects/schema/changes/schema.security-label.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Schema } from "../schema.model.ts";
+import { CreateSchemaChange, DropSchemaChange } from "./schema.base.ts";
+export type SecurityLabelSchema =
+  | CreateSecurityLabelOnSchema
+  | DropSecurityLabelOnSchema;
+export class CreateSecurityLabelOnSchema extends CreateSchemaChange {
+  public readonly schema: Schema;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { schema: Schema; securityLabel: SecurityLabelProps }) {
+    super();
+    this.schema = props.schema;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [this.schema.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SCHEMA",
+      this.schema.name,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnSchema extends DropSchemaChange {
+  public readonly schema: Schema;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { schema: Schema; securityLabel: SecurityLabelProps }) {
+    super();
+    this.schema = props.schema;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(this.schema.stableId, this.securityLabel.provider),
+      this.schema.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SCHEMA",
+      this.schema.name,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/schema/changes/schema.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentSchema } from "./schema.comment.ts";
 import type { CreateSchema } from "./schema.create.ts";
 import type { DropSchema } from "./schema.drop.ts";
 import type { SchemaPrivilege } from "./schema.privilege.ts";
+import type { SecurityLabelSchema } from "./schema.security-label.ts";
 /** Union of all schema-related change variants (`objectType: "schema"`). @category Change Types */
 export type SchemaChange =
@@ -10,4 +11,5 @@ export type SchemaChange =
   | CommentSchema
   | CreateSchema
   | DropSchema
-  | SchemaPrivilege;
+  | SchemaPrivilege
+  | SecurityLabelSchema;

package/src/core/objects/schema/schema.diff.test.ts CHANGED Viewed

@@ -11,6 +11,7 @@ const base: SchemaProps = {
   owner: "o1",
   comment: null,
   privileges: [],
+  security_labels: [],
 };
 const testContext = {

package/src/core/objects/schema/schema.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitObjectPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { AlterSchemaChangeOwner } from "./changes/schema.alter.ts";
 import {
   CreateCommentOnSchema,
@@ -16,6 +17,10 @@ import {
   RevokeGrantOptionSchemaPrivileges,
   RevokeSchemaPrivileges,
 } from "./changes/schema.privilege.ts";
+import {
+  CreateSecurityLabelOnSchema,
+  DropSecurityLabelOnSchema,
+} from "./changes/schema.security-label.ts";
 import type { SchemaChange } from "./changes/schema.types.ts";
 import type { Schema } from "./schema.model.ts";
@@ -45,6 +50,14 @@ export function diffSchemas(
     if (sc.comment !== null) {
       changes.push(new CreateCommentOnSchema({ schema: sc }));
     }
+    for (const label of sc.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnSchema({
+          schema: sc,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -87,7 +100,16 @@ export function diffSchemas(
   }
   for (const schemaId of dropped) {
-    changes.push(new DropSchema({ schema: main[schemaId] }));
+    const mainSchema = main[schemaId];
+    for (const label of mainSchema.security_labels) {
+      changes.push(
+        new DropSecurityLabelOnSchema({
+          schema: mainSchema,
+          securityLabel: label,
+        }),
+      );
+    }
+    changes.push(new DropSchema({ schema: mainSchema }));
   }
   for (const schemaId of altered) {
@@ -113,6 +135,26 @@ export function diffSchemas(
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnSchema | DropSecurityLabelOnSchema
+      >(
+        mainSchema.security_labels,
+        branchSchema.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnSchema({
+            schema: branchSchema,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnSchema({
+            schema: mainSchema,
+            securityLabel,
+          }),
+      ),
+    );
     // PRIVILEGES
     // Filter out owner privileges - owner always has ALL privileges implicitly
     // and shouldn't be compared. Use branch owner as the reference.

package/src/core/objects/schema/schema.model.ts CHANGED Viewed

@@ -6,6 +6,10 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../base.privilege-diff.ts";
+import {
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 /**
  * All properties exposed by CREATE SCHEMA statement are included in diff output.
@@ -19,6 +23,7 @@ const schemaPropsSchema = z.object({
   owner: z.string(),
   comment: z.string().nullable(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 type SchemaPrivilegeProps = PrivilegeProps;
@@ -29,6 +34,7 @@ export class Schema extends BasePgModel {
   public readonly owner: SchemaProps["owner"];
   public readonly comment: SchemaProps["comment"];
   public readonly privileges: SchemaPrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: SchemaProps) {
     super();
@@ -40,6 +46,7 @@ export class Schema extends BasePgModel {
     this.owner = props.owner;
     this.comment = props.comment;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `schema:${string}` {
@@ -57,6 +64,7 @@ export class Schema extends BasePgModel {
       owner: this.owner,
       comment: this.comment,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
 }
@@ -88,7 +96,19 @@ export async function extractSchemas(pool: Pool): Promise<Schema[]> {
           )
           from lateral aclexplode(COALESCE(nspacl, acldefault('n', nspowner))) as x(grantor, grantee, privilege_type, is_grantable)
         ), '[]'
-      ) as privileges
+      ) as privileges,
+      coalesce(
+        (
+          select json_agg(
+            json_build_object('provider', sl.provider, 'label', sl.label)
+            order by sl.provider
+          )
+          from pg_catalog.pg_seclabel sl
+          where sl.objoid = pg_namespace.oid
+            and sl.classoid = 'pg_namespace'::regclass
+            and sl.objsubid = 0
+        ), '[]'
+      ) as security_labels
     from
       pg_catalog.pg_namespace
       left outer join extension_oids e on e.objid = oid

package/src/core/objects/security-label.types.test.ts ADDED Viewed

@@ -0,0 +1,106 @@
+import { describe, expect, test } from "bun:test";
+import {
+  diffSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "./security-label.types.ts";
+describe("securityLabelPropsSchema", () => {
+  test("parses valid props", () => {
+    const parsed = securityLabelPropsSchema.parse({
+      provider: "p",
+      label: "l",
+    });
+    expect(parsed).toEqual({ provider: "p", label: "l" });
+  });
+  test("rejects null provider", () => {
+    expect(() =>
+      securityLabelPropsSchema.parse({ provider: null, label: "l" }),
+    ).toThrow();
+  });
+  test("rejects null label", () => {
+    expect(() =>
+      securityLabelPropsSchema.parse({ provider: "p", label: null }),
+    ).toThrow();
+  });
+});
+describe("diffSecurityLabels", () => {
+  type Change = { kind: "create" | "drop" } & SecurityLabelProps;
+  const makeCreate = (p: SecurityLabelProps): Change => ({
+    kind: "create",
+    ...p,
+  });
+  const makeDrop = (p: SecurityLabelProps): Change => ({
+    kind: "drop",
+    ...p,
+  });
+  test("both empty → no changes", () => {
+    expect(diffSecurityLabels([], [], makeCreate, makeDrop)).toEqual([]);
+  });
+  test("added providers emit create", () => {
+    expect(
+      diffSecurityLabels(
+        [],
+        [{ provider: "a", label: "x" }],
+        makeCreate,
+        makeDrop,
+      ),
+    ).toEqual([{ kind: "create", provider: "a", label: "x" }]);
+  });
+  test("removed providers emit drop", () => {
+    expect(
+      diffSecurityLabels(
+        [{ provider: "a", label: "x" }],
+        [],
+        makeCreate,
+        makeDrop,
+      ),
+    ).toEqual([{ kind: "drop", provider: "a", label: "x" }]);
+  });
+  test("changed label emits create (overwrite semantics)", () => {
+    expect(
+      diffSecurityLabels(
+        [{ provider: "a", label: "old" }],
+        [{ provider: "a", label: "new" }],
+        makeCreate,
+        makeDrop,
+      ),
+    ).toEqual([{ kind: "create", provider: "a", label: "new" }]);
+  });
+  test("unchanged label emits nothing", () => {
+    expect(
+      diffSecurityLabels(
+        [{ provider: "a", label: "x" }],
+        [{ provider: "a", label: "x" }],
+        makeCreate,
+        makeDrop,
+      ),
+    ).toEqual([]);
+  });
+  test("mixed add/remove/change/unchanged across providers, sorted by provider", () => {
+    const main = [
+      { provider: "a", label: "stay" },
+      { provider: "b", label: "old" },
+      { provider: "c", label: "remove" },
+    ];
+    const branch = [
+      { provider: "a", label: "stay" },
+      { provider: "b", label: "new" },
+      { provider: "d", label: "add" },
+    ];
+    expect(diffSecurityLabels(main, branch, makeCreate, makeDrop)).toEqual([
+      { kind: "create", provider: "b", label: "new" },
+      { kind: "drop", provider: "c", label: "remove" },
+      { kind: "create", provider: "d", label: "add" },
+    ]);
+  });
+});

package/src/core/objects/security-label.types.ts ADDED Viewed

@@ -0,0 +1,61 @@
+import { z } from "zod";
+export const securityLabelPropsSchema = z.object({
+  provider: z.string(),
+  label: z.string(),
+});
+export type SecurityLabelProps = z.infer<typeof securityLabelPropsSchema>;
+export function normalizeSecurityLabels(
+  labels: readonly SecurityLabelProps[],
+): SecurityLabelProps[] {
+  return [...labels].sort((a, b) => a.provider.localeCompare(b.provider));
+}
+/**
+ * Pure helper: compares two arrays of security labels keyed by provider and
+ * returns a deterministic list of create/drop changes.
+ *
+ * - Labels present only on `branch` → emit create (via makeCreate).
+ * - Labels present only on `main` → emit drop (via makeDrop).
+ * - Labels with differing `label` under the same provider → emit create
+ *   (PostgreSQL's SECURITY LABEL … IS '…' overwrites, so no separate alter).
+ * - Unchanged labels → nothing.
+ *
+ * Output order: by provider ascending.
+ */
+export function diffSecurityLabels<C>(
+  main: readonly SecurityLabelProps[],
+  branch: readonly SecurityLabelProps[],
+  makeCreate: (props: SecurityLabelProps) => C,
+  makeDrop: (props: SecurityLabelProps) => C,
+): C[] {
+  const mainByProvider = new Map(main.map((l) => [l.provider, l.label]));
+  const branchByProvider = new Map(branch.map((l) => [l.provider, l.label]));
+  const providers = new Set<string>([
+    ...mainByProvider.keys(),
+    ...branchByProvider.keys(),
+  ]);
+  const sortedProviders = [...providers].sort();
+  const out: C[] = [];
+  for (const provider of sortedProviders) {
+    const mainLabel = mainByProvider.get(provider);
+    const branchLabel = branchByProvider.get(provider);
+    if (mainLabel === undefined && branchLabel !== undefined) {
+      out.push(makeCreate({ provider, label: branchLabel }));
+    } else if (mainLabel !== undefined && branchLabel === undefined) {
+      out.push(makeDrop({ provider, label: mainLabel }));
+    } else if (
+      mainLabel !== undefined &&
+      branchLabel !== undefined &&
+      mainLabel !== branchLabel
+    ) {
+      out.push(makeCreate({ provider, label: branchLabel }));
+    }
+  }
+  return out;
+}

package/src/core/objects/sequence/changes/sequence.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Sequence } from "../sequence.model.ts";
 abstract class BaseSequenceChange extends BaseChange {
   abstract readonly sequence: Sequence;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "sequence" = "sequence";
 }

package/src/core/objects/sequence/changes/sequence.security-label.test.ts ADDED Viewed

@@ -0,0 +1,58 @@
+import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
+import { stableId } from "../../utils.ts";
+import { Sequence, type SequenceProps } from "../sequence.model.ts";
+import {
+  CreateSecurityLabelOnSequence,
+  DropSecurityLabelOnSequence,
+} from "./sequence.security-label.ts";
+const makeSequence = (): Sequence =>
+  new Sequence({
+    schema: "public",
+    name: "s1",
+    data_type: "bigint",
+    start_value: 1,
+    minimum_value: BigInt(1),
+    maximum_value: BigInt("9223372036854775807"),
+    increment: 1,
+    cycle_option: false,
+    cache_size: 1,
+    persistence: "p",
+    owned_by_schema: null,
+    owned_by_table: null,
+    owned_by_column: null,
+    comment: null,
+    privileges: [],
+    owner: "postgres",
+  } as SequenceProps);
+describe("sequence.security-label", () => {
+  test("create serializes", async () => {
+    const sequence = makeSequence();
+    const change = new CreateSecurityLabelOnSequence({
+      sequence,
+      securityLabel: { provider: "dummy", label: "classified" },
+    });
+    expect(change.scope).toBe("security_label");
+    expect(change.creates).toEqual([
+      stableId.securityLabel(sequence.stableId, "dummy"),
+    ]);
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON SEQUENCE public.s1 IS 'classified'",
+    );
+  });
+  test("drop serializes to IS NULL", async () => {
+    const sequence = makeSequence();
+    const change = new DropSecurityLabelOnSequence({
+      sequence,
+      securityLabel: { provider: "dummy", label: "x" },
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "SECURITY LABEL FOR dummy ON SEQUENCE public.s1 IS NULL",
+    );
+  });
+});

package/src/core/objects/sequence/changes/sequence.security-label.ts ADDED Viewed

@@ -0,0 +1,92 @@
+import { quoteLiteral } from "../../base.change.ts";
+import type { SecurityLabelProps } from "../../security-label.types.ts";
+import { stableId } from "../../utils.ts";
+import type { Sequence } from "../sequence.model.ts";
+import { CreateSequenceChange, DropSequenceChange } from "./sequence.base.ts";
+export type SecurityLabelSequence =
+  | CreateSecurityLabelOnSequence
+  | DropSecurityLabelOnSequence;
+export class CreateSecurityLabelOnSequence extends CreateSequenceChange {
+  public readonly sequence: Sequence;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    sequence: Sequence;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.sequence = props.sequence;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.sequence.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [this.sequence.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SEQUENCE",
+      `${this.sequence.schema}.${this.sequence.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnSequence extends DropSequenceChange {
+  public readonly sequence: Sequence;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    sequence: Sequence;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.sequence = props.sequence;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.sequence.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.sequence.stableId,
+        this.securityLabel.provider,
+      ),
+      this.sequence.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON SEQUENCE",
+      `${this.sequence.schema}.${this.sequence.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/sequence/changes/sequence.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentSequence } from "./sequence.comment.ts";
 import type { CreateSequence } from "./sequence.create.ts";
 import type { DropSequence } from "./sequence.drop.ts";
 import type { SequencePrivilege } from "./sequence.privilege.ts";
+import type { SecurityLabelSequence } from "./sequence.security-label.ts";
 /** Union of all sequence-related change variants (`objectType: "sequence"`). @category Change Types */
 export type SequenceChange =
@@ -10,4 +11,5 @@ export type SequenceChange =
   | CommentSequence
   | CreateSequence
   | DropSequence
-  | SequencePrivilege;
+  | SequencePrivilege
+  | SecurityLabelSequence;

package/src/core/objects/sequence/sequence.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitObjectPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { AlterTableAlterColumnSetDefault } from "../table/changes/table.alter.ts";
 import type { Table } from "../table/table.model.ts";
 import { hasNonAlterableChanges } from "../utils.ts";
@@ -22,6 +23,10 @@ import {
   RevokeGrantOptionSequencePrivileges,
   RevokeSequencePrivileges,
 } from "./changes/sequence.privilege.ts";
+import {
+  CreateSecurityLabelOnSequence,
+  DropSecurityLabelOnSequence,
+} from "./changes/sequence.security-label.ts";
 import type { SequenceChange } from "./changes/sequence.types.ts";
 import type { Sequence } from "./sequence.model.ts";
@@ -59,6 +64,14 @@ export function diffSequences(
     if (createdSeq.comment !== null) {
       changes.push(new CreateCommentOnSequence({ sequence: createdSeq }));
     }
+    for (const label of createdSeq.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnSequence({
+          sequence: createdSeq,
+          securityLabel: label,
+        }),
+      );
+    }
     // If the created sequence is OWNED BY a column, emit an ALTER to set it
     if (
       createdSeq.owned_by_schema !== null &&
@@ -325,6 +338,26 @@ export function diffSequences(
         }
       }
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnSequence | DropSecurityLabelOnSequence
+        >(
+          mainSequence.security_labels,
+          branchSequence.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnSequence({
+              sequence: branchSequence,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnSequence({
+              sequence: mainSequence,
+              securityLabel,
+            }),
+        ),
+      );
       // PRIVILEGES
       // Filter out owner privileges - owner always has ALL privileges implicitly
       // and shouldn't be compared. Use branch owner as the reference.