npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.22 → 1.0.0-alpha.24 - Mend

@supabase/pg-delta 1.0.0-alpha.22 → 1.0.0-alpha.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (228) hide show

package/src/core/objects/table/table.diff.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   emitColumnPrivilegeChanges,
 } from "../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../diff-context.ts";
+import { diffSecurityLabels } from "../security-label.types.ts";
 import { deepEqual } from "../utils.ts";
 import {
   AlterTableAddColumn,
@@ -47,6 +48,12 @@ import {
   RevokeGrantOptionTablePrivileges,
   RevokeTablePrivileges,
 } from "./changes/table.privilege.ts";
+import {
+  CreateSecurityLabelOnColumn,
+  CreateSecurityLabelOnTable,
+  DropSecurityLabelOnColumn,
+  DropSecurityLabelOnTable,
+} from "./changes/table.security-label.ts";
 import type { TableChange } from "./changes/table.types.ts";
 import { Table } from "./table.model.ts";
@@ -279,6 +286,29 @@ export function diffTables(
       }
     }
+    // Table security labels on creation
+    for (const label of branchTable.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnTable({
+          table: branchTable,
+          securityLabel: label,
+        }),
+      );
+    }
+    // Column security labels on creation
+    for (const col of branchTable.columns) {
+      for (const label of col.security_labels ?? []) {
+        changes.push(
+          new CreateSecurityLabelOnColumn({
+            table: branchTable,
+            column: col,
+            securityLabel: label,
+          }),
+        );
+      }
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
     // so objects are created with the default privileges state in effect.
@@ -440,6 +470,26 @@ export function diffTables(
       }
     }
+    // TABLE SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnTable | DropSecurityLabelOnTable
+      >(
+        mainTable.security_labels,
+        branchTable.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnTable({
+            table: branchTable,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnTable({
+            table: mainTable,
+            securityLabel,
+          }),
+      ),
+    );
     // PARTITION ATTACH/DETACH
     const mainIsPartition = Boolean(
       mainTable.parent_schema && mainTable.parent_name,
@@ -886,6 +936,43 @@ export function diffTables(
           );
         }
       }
+      // SECURITY LABELS on column
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnColumn | DropSecurityLabelOnColumn
+        >(
+          mainCol.security_labels ?? [],
+          branchCol.security_labels ?? [],
+          (securityLabel) =>
+            new CreateSecurityLabelOnColumn({
+              table: branchTable,
+              column: branchCol,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnColumn({
+              table: mainTable,
+              column: mainCol,
+              securityLabel,
+            }),
+        ),
+      );
+    }
+    // Added columns with security labels (for created columns on existing tables)
+    for (const [name, col] of branchCols) {
+      if (!mainCols.has(name)) {
+        for (const label of col.security_labels ?? []) {
+          changes.push(
+            new CreateSecurityLabelOnColumn({
+              table: branchTable,
+              column: col,
+              securityLabel: label,
+            }),
+          );
+        }
+      }
     }
     // PRIVILEGES (unified object and column privileges)

package/src/core/objects/table/table.model.ts CHANGED Viewed

@@ -16,6 +16,11 @@ import {
   type ExtractRetryOptions,
   extractWithDefinitionRetry,
 } from "../extract-with-retry.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../security-label.types.ts";
 const RelationPersistenceSchema = z.enum([
   "p", // permanent
@@ -119,6 +124,7 @@ const tablePropsSchema = z.object({
   columns: z.array(columnPropsSchema),
   constraints: z.array(tableConstraintPropsSchema).optional(),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 const tableRowSchema = tablePropsSchema.extend({
@@ -126,6 +132,10 @@ const tableRowSchema = tablePropsSchema.extend({
 });
 type TablePrivilegeProps = PrivilegeProps;
+/**
+ * Table input props. `security_labels` is optional on direct construction
+ * (defaults to `[]`); extraction always produces it via the Zod default.
+ */
 export type TableProps = z.infer<typeof tablePropsSchema>;
 type TableRow = z.infer<typeof tableRowSchema>;
@@ -153,6 +163,7 @@ export class Table extends BasePgModel implements TableLikeObject {
   public readonly columns: TableProps["columns"];
   public readonly constraints: TableConstraintProps[];
   public readonly privileges: TablePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: TableProps) {
     super();
@@ -183,6 +194,7 @@ export class Table extends BasePgModel implements TableLikeObject {
     this.columns = props.columns;
     this.constraints = props.constraints ?? [];
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `table:${string}` {
@@ -214,6 +226,7 @@ export class Table extends BasePgModel implements TableLikeObject {
       columns: this.columns,
       constraints: this.constraints,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
@@ -233,6 +246,7 @@ export class Table extends BasePgModel implements TableLikeObject {
         options: this.options ? [...this.options].sort() : this.options,
         constraints: normalizeConstraints(),
         privileges: normalizePrivileges(this.privileges),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -446,7 +460,20 @@ select
             and a.attcollation <> t2.typcollation
         ),
         'default', pg_get_expr(ad.adbin, ad.adrelid),
-        'comment', col_description(a.attrelid, a.attnum)
+        'comment', col_description(a.attrelid, a.attnum),
+        'security_labels', coalesce(
+          (
+            select json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              order by sl.provider
+            )
+            from pg_catalog.pg_seclabel sl
+            where sl.objoid = t.oid
+              and sl.classoid = 'pg_class'::regclass
+              and sl.objsubid = a.attnum
+          ),
+          '[]'::json
+        )
       )
     end
     order by a.attnum
@@ -486,7 +513,20 @@ select
       join lateral aclexplode(src.acl) as x(grantor, grantee, privilege_type, is_grantable) on true
       group by x.grantee, x.privilege_type
     ) as grp
-  ), '[]') as privileges
+  ), '[]') as privileges,
+  coalesce(
+    (
+      select json_agg(
+        json_build_object('provider', sl.provider, 'label', sl.label)
+        order by sl.provider
+      )
+      from pg_catalog.pg_seclabel sl
+      where sl.objoid = t.oid
+        and sl.classoid = 'pg_class'::regclass
+        and sl.objsubid = 0
+    ),
+    '[]'::json
+  ) as security_labels
 from
   tables t
   left join pg_attribute a on a.attrelid = t.oid and a.attnum > 0 and not a.attisdropped

package/src/core/objects/type/composite-type/changes/composite-type.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { CompositeType } from "../composite-type.model.ts";
 abstract class BaseCompositeTypeChange extends BaseChange {
   abstract readonly compositeType: CompositeType;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "composite_type" = "composite_type";
 }

package/src/core/objects/type/composite-type/changes/composite-type.security-label.ts ADDED Viewed

@@ -0,0 +1,95 @@
+import { quoteLiteral } from "../../../base.change.ts";
+import type { SecurityLabelProps } from "../../../security-label.types.ts";
+import { stableId } from "../../../utils.ts";
+import type { CompositeType } from "../composite-type.model.ts";
+import {
+  CreateCompositeTypeChange,
+  DropCompositeTypeChange,
+} from "./composite-type.base.ts";
+export type SecurityLabelCompositeType =
+  | CreateSecurityLabelOnCompositeType
+  | DropSecurityLabelOnCompositeType;
+export class CreateSecurityLabelOnCompositeType extends CreateCompositeTypeChange {
+  public readonly compositeType: CompositeType;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    compositeType: CompositeType;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.compositeType = props.compositeType;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(
+        this.compositeType.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [this.compositeType.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TYPE",
+      `${this.compositeType.schema}.${this.compositeType.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnCompositeType extends DropCompositeTypeChange {
+  public readonly compositeType: CompositeType;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: {
+    compositeType: CompositeType;
+    securityLabel: SecurityLabelProps;
+  }) {
+    super();
+    this.compositeType = props.compositeType;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(
+        this.compositeType.stableId,
+        this.securityLabel.provider,
+      ),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(
+        this.compositeType.stableId,
+        this.securityLabel.provider,
+      ),
+      this.compositeType.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TYPE",
+      `${this.compositeType.schema}.${this.compositeType.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/type/composite-type/changes/composite-type.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentCompositeType } from "./composite-type.comment.ts";
 import type { CreateCompositeType } from "./composite-type.create.ts";
 import type { DropCompositeType } from "./composite-type.drop.ts";
 import type { CompositeTypePrivilege } from "./composite-type.privilege.ts";
+import type { SecurityLabelCompositeType } from "./composite-type.security-label.ts";
 /** Union of all composite-type-related change variants (`objectType: "composite_type"`). @category Change Types */
 export type CompositeTypeChange =
@@ -10,4 +11,5 @@ export type CompositeTypeChange =
   | CommentCompositeType
   | CreateCompositeType
   | DropCompositeType
-  | CompositeTypePrivilege;
+  | CompositeTypePrivilege
+  | SecurityLabelCompositeType;

package/src/core/objects/type/composite-type/composite-type.diff.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../../diff-context.ts";
+import { diffSecurityLabels } from "../../security-label.types.ts";
 import { deepEqual, hasNonAlterableChanges } from "../../utils.ts";
 import {
   AlterCompositeTypeAddAttribute,
@@ -25,6 +26,10 @@ import {
   RevokeCompositeTypePrivileges,
   RevokeGrantOptionCompositeTypePrivileges,
 } from "./changes/composite-type.privilege.ts";
+import {
+  CreateSecurityLabelOnCompositeType,
+  DropSecurityLabelOnCompositeType,
+} from "./changes/composite-type.security-label.ts";
 import type { CompositeTypeChange } from "./changes/composite-type.types.ts";
 import type { CompositeType } from "./composite-type.model.ts";
@@ -67,6 +72,14 @@ export function diffCompositeTypes(
     if (ct.comment !== null) {
       changes.push(new CreateCommentOnCompositeType({ compositeType: ct }));
     }
+    for (const label of ct.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnCompositeType({
+          compositeType: ct,
+          securityLabel: label,
+        }),
+      );
+    }
     // Attribute comments on creation
     for (const attr of ct.columns) {
       if (attr.comment !== null) {
@@ -189,6 +202,26 @@ export function diffCompositeTypes(
         }
       }
+      // SECURITY LABELS
+      changes.push(
+        ...diffSecurityLabels<
+          CreateSecurityLabelOnCompositeType | DropSecurityLabelOnCompositeType
+        >(
+          mainCompositeType.security_labels,
+          branchCompositeType.security_labels,
+          (securityLabel) =>
+            new CreateSecurityLabelOnCompositeType({
+              compositeType: branchCompositeType,
+              securityLabel,
+            }),
+          (securityLabel) =>
+            new DropSecurityLabelOnCompositeType({
+              compositeType: mainCompositeType,
+              securityLabel,
+            }),
+        ),
+      );
       // ATTRIBUTE diffs
       const mainAttrs = new Map(
         mainCompositeType.columns.map((c) => [c.name, c]),

package/src/core/objects/type/composite-type/composite-type.model.ts CHANGED Viewed

@@ -10,6 +10,11 @@ import {
   type PrivilegeProps,
   privilegePropsSchema,
 } from "../../base.privilege-diff.ts";
+import {
+  normalizeSecurityLabels,
+  type SecurityLabelProps,
+  securityLabelPropsSchema,
+} from "../../security-label.types.ts";
 import { ReplicaIdentitySchema } from "../../table/table.model.ts";
 const compositeTypePropsSchema = z.object({
@@ -30,6 +35,7 @@ const compositeTypePropsSchema = z.object({
   comment: z.string().nullable(),
   columns: z.array(columnPropsSchema),
   privileges: z.array(privilegePropsSchema),
+  security_labels: z.array(securityLabelPropsSchema).default([]).optional(),
 });
 type CompositeTypePrivilegeProps = PrivilegeProps;
@@ -53,6 +59,7 @@ export class CompositeType extends BasePgModel implements TableLikeObject {
   public readonly comment: CompositeTypeProps["comment"];
   public readonly columns: CompositeTypeProps["columns"];
   public readonly privileges: CompositeTypePrivilegeProps[];
+  public readonly security_labels: SecurityLabelProps[];
   constructor(props: CompositeTypeProps) {
     super();
@@ -77,6 +84,7 @@ export class CompositeType extends BasePgModel implements TableLikeObject {
     this.comment = props.comment;
     this.columns = props.columns;
     this.privileges = props.privileges;
+    this.security_labels = props.security_labels ?? [];
   }
   get stableId(): `type:${string}` {
@@ -107,6 +115,7 @@ export class CompositeType extends BasePgModel implements TableLikeObject {
       comment: this.comment,
       columns: this.columns,
       privileges: this.privileges,
+      security_labels: this.security_labels,
     };
   }
@@ -131,6 +140,7 @@ export class CompositeType extends BasePgModel implements TableLikeObject {
       data: {
         ...this.dataFields,
         columns: normalizeColumns(),
+        security_labels: normalizeSecurityLabels(this.security_labels),
       },
     };
   }
@@ -165,7 +175,8 @@ export async function extractCompositeTypes(
           obj_description(c.reltype, 'pg_type') AS comment,
           c.relacl                            AS relacl,    -- used by privileges LATERAL
           c.relowner                          AS relowner,
-          c.oid                                AS oid
+          c.oid                                AS oid,
+          c.reltype                            AS reltype
         FROM pg_catalog.pg_class c
         LEFT JOIN extension_oids e ON c.reltype = e.objid
         WHERE NOT c.relnamespace::regnamespace::text LIKE ANY (ARRAY['pg\\_%', 'information\\_schema'])
@@ -189,7 +200,20 @@ export async function extractCompositeTypes(
         ct.owner,
         ct.comment,
         COALESCE(priv.privileges, '[]') AS privileges,
-        COALESCE(cols.columns, '[]')    AS columns
+        COALESCE(cols.columns, '[]')    AS columns,
+        COALESCE(
+          (
+            SELECT json_agg(
+              json_build_object('provider', sl.provider, 'label', sl.label)
+              ORDER BY sl.provider
+            )
+            FROM pg_catalog.pg_seclabel sl
+            WHERE sl.objoid = ct.reltype
+              AND sl.classoid = 'pg_type'::regclass
+              AND sl.objsubid = 0
+          ),
+          '[]'::json
+        ) AS security_labels
       FROM composite_types ct
       -- privileges as a per-row LATERAL subquery

package/src/core/objects/type/enum/changes/enum.base.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import type { Enum } from "../enum.model.ts";
 abstract class BaseEnumChange extends BaseChange {
   abstract readonly enum: Enum;
-  abstract readonly scope: "object" | "comment" | "privilege";
+  abstract readonly scope:
+    | "object"
+    | "comment"
+    | "privilege"
+    | "security_label";
   readonly objectType: "enum" = "enum";
 }

package/src/core/objects/type/enum/changes/enum.security-label.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { quoteLiteral } from "../../../base.change.ts";
+import type { SecurityLabelProps } from "../../../security-label.types.ts";
+import { stableId } from "../../../utils.ts";
+import type { Enum } from "../enum.model.ts";
+import { CreateEnumChange, DropEnumChange } from "./enum.base.ts";
+export type SecurityLabelEnum =
+  | CreateSecurityLabelOnEnum
+  | DropSecurityLabelOnEnum;
+export class CreateSecurityLabelOnEnum extends CreateEnumChange {
+  public readonly enum: Enum;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { enum: Enum; securityLabel: SecurityLabelProps }) {
+    super();
+    this.enum = props.enum;
+    this.securityLabel = props.securityLabel;
+  }
+  get creates() {
+    return [
+      stableId.securityLabel(this.enum.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [this.enum.stableId];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TYPE",
+      `${this.enum.schema}.${this.enum.name}`,
+      "IS",
+      quoteLiteral(this.securityLabel.label),
+    ].join(" ");
+  }
+}
+export class DropSecurityLabelOnEnum extends DropEnumChange {
+  public readonly enum: Enum;
+  public readonly securityLabel: SecurityLabelProps;
+  public readonly scope = "security_label" as const;
+  constructor(props: { enum: Enum; securityLabel: SecurityLabelProps }) {
+    super();
+    this.enum = props.enum;
+    this.securityLabel = props.securityLabel;
+  }
+  get drops() {
+    return [
+      stableId.securityLabel(this.enum.stableId, this.securityLabel.provider),
+    ];
+  }
+  get requires() {
+    return [
+      stableId.securityLabel(this.enum.stableId, this.securityLabel.provider),
+      this.enum.stableId,
+    ];
+  }
+  serialize(): string {
+    return [
+      "SECURITY LABEL FOR",
+      this.securityLabel.provider,
+      "ON TYPE",
+      `${this.enum.schema}.${this.enum.name}`,
+      "IS NULL",
+    ].join(" ");
+  }
+}

package/src/core/objects/type/enum/changes/enum.types.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { CommentEnum } from "./enum.comment.ts";
 import type { CreateEnum } from "./enum.create.ts";
 import type { DropEnum } from "./enum.drop.ts";
 import type { EnumPrivilege } from "./enum.privilege.ts";
+import type { SecurityLabelEnum } from "./enum.security-label.ts";
 /** Union of all enum-related change variants (`objectType: "enum"`). @category Change Types */
 export type EnumChange =
@@ -10,4 +11,5 @@ export type EnumChange =
   | CommentEnum
   | CreateEnum
   | DropEnum
-  | EnumPrivilege;
+  | EnumPrivilege
+  | SecurityLabelEnum;

package/src/core/objects/type/enum/enum.diff.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
   filterPublicBuiltInDefaults,
 } from "../../base.privilege-diff.ts";
 import type { ObjectDiffContext } from "../../diff-context.ts";
+import { diffSecurityLabels } from "../../security-label.types.ts";
 import {
   AlterEnumAddValue,
   AlterEnumChangeOwner,
@@ -20,6 +21,10 @@ import {
   RevokeEnumPrivileges,
   RevokeGrantOptionEnumPrivileges,
 } from "./changes/enum.privilege.ts";
+import {
+  CreateSecurityLabelOnEnum,
+  DropSecurityLabelOnEnum,
+} from "./changes/enum.security-label.ts";
 import type { EnumChange } from "./changes/enum.types.ts";
 import type { Enum } from "./enum.model.ts";
@@ -61,6 +66,14 @@ export function diffEnums(
     if (createdEnum.comment !== null) {
       changes.push(new CreateCommentOnEnum({ enum: createdEnum }));
     }
+    for (const label of createdEnum.security_labels) {
+      changes.push(
+        new CreateSecurityLabelOnEnum({
+          enum: createdEnum,
+          securityLabel: label,
+        }),
+      );
+    }
     // PRIVILEGES: For created objects, compare against default privileges state
     // The migration script will run ALTER DEFAULT PRIVILEGES before CREATE (via constraint spec),
@@ -196,6 +209,26 @@ export function diffEnums(
       }
     }
+    // SECURITY LABELS
+    changes.push(
+      ...diffSecurityLabels<
+        CreateSecurityLabelOnEnum | DropSecurityLabelOnEnum
+      >(
+        mainEnum.security_labels,
+        branchEnum.security_labels,
+        (securityLabel) =>
+          new CreateSecurityLabelOnEnum({
+            enum: branchEnum,
+            securityLabel,
+          }),
+        (securityLabel) =>
+          new DropSecurityLabelOnEnum({
+            enum: mainEnum,
+            securityLabel,
+          }),
+      ),
+    );
     // PRIVILEGES
     // Filter out PUBLIC's built-in default USAGE privilege from main catalog
     // (PostgreSQL grants it automatically, so we shouldn't compare it)