@supabase/pg-delta 1.0.0-alpha.23 → 1.0.0-alpha.25

package/src/core/integrations/supabase.test.ts

@@ -0,0 +1,198 @@
+import { describe, expect, test } from "bun:test";
+import type { Change } from "../change.types.ts";
+import { evaluatePattern } from "./filter/dsl.ts";
+import { supabase } from "./supabase.ts";
+
+if (!supabase.filter) {
+  throw new Error("supabase integration is missing a filter");
+}
+const filter = supabase.filter;
+
+/**
+ * Build a synthetic FDW change shaped like what `flattenChange` consumes.
+ * The change carries a `foreignDataWrapper` model whose `handler`/`validator`
+ * are schema-qualified function references (the form
+ * `extractForeignDataWrappers` produces).
+ */
+function fdwChange(
+  operation: "create" | "alter" | "drop",
+  fdw: {
+    name: string;
+    owner: string;
+    handler: string | null;
+    validator: string | null;
+  },
+): Change {
+  return {
+    objectType: "foreign_data_wrapper",
+    operation,
+    scope: "object",
+    foreignDataWrapper: fdw,
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+
+/**
+ * Synthetic FDW privilege change. The three concrete privilege classes
+ * (`GrantForeignDataWrapperPrivileges`, `RevokeForeignDataWrapperPrivileges`,
+ * `RevokeGrantOptionForeignDataWrapperPrivileges`) all extend
+ * `AlterForeignDataWrapperChange`, so their `operation` is `"alter"` in
+ * production. The filter rule we exercise here keys off `scope` only,
+ * but pinning `operation: "alter"` keeps the synthetic shape honest.
+ */
+function fdwPrivilegeChange(fdw: { name: string; owner: string }): Change {
+  return {
+    objectType: "foreign_data_wrapper",
+    operation: "alter",
+    scope: "privilege",
+    foreignDataWrapper: { ...fdw, handler: null, validator: null },
+    grantee: "postgres",
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+
+function serverPrivilegeChange(server: {
+  name: string;
+  owner: string;
+}): Change {
+  return {
+    objectType: "server",
+    operation: "alter",
+    scope: "privilege",
+    server,
+    grantee: "postgres",
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+
+describe("supabase integration filter — foreign data wrappers", () => {
+  // Regression for CLI-1470. Wasm-based foreign data wrappers on Supabase
+  // (e.g. `clerk`, `clerk_oauth`) are provisioned at project creation by
+  // `supabase_admin` and their handler/validator live in `extensions.*`.
+  // pg-delta must not emit `CREATE/DROP/ALTER FOREIGN DATA WRAPPER` for
+  // them, even when the FDW owner has been rewritten away from
+  // `supabase_admin` (e.g. after a dump/restore).
+  test("suppresses CREATE for FDW with handler in extensions schema", () => {
+    const change = fdwChange("create", {
+      name: "clerk",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses DROP for FDW with handler in extensions schema", () => {
+    const change = fdwChange("drop", {
+      name: "clerk_oauth",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses ALTER for FDW with handler in extensions schema", () => {
+    const change = fdwChange("alter", {
+      name: "clerk",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses FDW when only the validator lives in extensions", () => {
+    const change = fdwChange("create", {
+      name: "partial_wasm",
+      owner: "postgres",
+      handler: null,
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("preserves user FDW whose handler lives outside extensions", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw",
+      owner: "postgres",
+      handler: "public.my_fdw_handler",
+      validator: "public.my_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+
+  test("preserves user FDW with no handler/validator", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw_bare",
+      owner: "postgres",
+      handler: null,
+      validator: null,
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+});
+
+describe("supabase integration filter — foreign data wrapper / server ACLs", () => {
+  // Regression for CLI-1469. `GRANT`/`REVOKE ... ON FOREIGN DATA WRAPPER`
+  // require superuser. On Supabase Cloud `postgres` has the elevated
+  // rights to make them work; the local Docker image does not, so
+  // `supabase db reset` aborts with `permission denied for foreign-data
+  // wrapper`. FDW ACL is platform-managed, not user-declarative state —
+  // suppress regardless of owner because `pg_dump` rewrites OWNER TO
+  // away from `supabase_admin`.
+  test("suppresses FDW ACL when owner=supabase_admin (existing */owner rule)", () => {
+    const change = fdwPrivilegeChange({
+      name: "dblink_fdw",
+      owner: "supabase_admin",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses FDW ACL when owner=postgres (post-restore)", () => {
+    const change = fdwPrivilegeChange({
+      name: "dblink_fdw",
+      owner: "postgres",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  // FOREIGN SERVER ACL is owner-scoped, not blanket-suppressed:
+  // server GRANT/REVOKE does not require superuser, so a user-owned
+  // server's ACL must roundtrip. The pre-existing `*/owner` rule
+  // already drops platform-managed servers (owner ∈ system roles).
+  test("suppresses server ACL when owner=supabase_admin (existing */owner rule)", () => {
+    const change = serverPrivilegeChange({
+      name: "platform_server",
+      owner: "supabase_admin",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("preserves server ACL when owner=postgres", () => {
+    const change = serverPrivilegeChange({
+      name: "user_dblink_server",
+      owner: "postgres",
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+
+  // Non-privilege FDW changes whose handler/validator aren't in
+  // `extensions.*` should still pass through (a user FDW is plain DDL,
+  // not the platform-managed flavor).
+  test("preserves non-privilege FDW changes for user wrappers", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw",
+      owner: "postgres",
+      handler: "public.my_fdw_handler",
+      validator: null,
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+});

package/src/core/integrations/supabase.ts

@@ -99,6 +99,34 @@ export const supabase: IntegrationDSL = {
         operation: "drop",
         scope: "object",
       },
+      // Include user-attached triggers on tables in Supabase-managed schemas.
+      //
+      // Triggers live in the schema of the table they fire on, so a user
+      // trigger on `auth.users` reports `trigger/schema = auth` and is
+      // otherwise indistinguishable from Supabase's own triggers via the
+      // schema-level deny list. Triggers also have no real owner — pg-delta
+      // surfaces the parent table's owner as `trigger/owner`, which for
+      // `auth.users` and `storage.objects` is always a Supabase system role,
+      // so the owner-level deny list catches them too.
+      //
+      // The trigger function, however, is genuinely user-owned: a customer
+      // who wants to run code on an auth event creates a function in
+      // `public` (or any non-managed schema) and points the trigger at it.
+      // Supabase's own auth/storage triggers either come from extensions
+      // (already filtered out at extract time via `pg_depend`) or call
+      // functions inside the same managed schema, so `function_schema`
+      // outside the managed list is a reliable user-defined marker.
+      {
+        and: [
+          { objectType: "trigger" },
+          { "trigger/schema": [...SUPABASE_SYSTEM_SCHEMAS] },
+          {
+            not: {
+              "trigger/function_schema": [...SUPABASE_SYSTEM_SCHEMAS],
+            },
+          },
+        ],
+      },
       // Exclude system objects
       {
         not: {
@@ -131,6 +159,62 @@ export const supabase: IntegrationDSL = {
                 },
               ],
             },
+            // Platform-managed foreign data wrapper ACL.
+            // `GRANT`/`REVOKE ... ON FOREIGN DATA WRAPPER` requires
+            // superuser. On Supabase Cloud `postgres` has the elevated
+            // rights to make this work, but the local Docker image does
+            // not, so `supabase db reset` aborts with
+            // `permission denied for foreign-data wrapper`. The
+            // `*/owner` rule above already covers wrappers owned by
+            // `supabase_admin`, but `pg_dump` rewrites OWNER TO clauses
+            // to whoever the dump runs under, so after a restore the
+            // FDW typically ends up owned by `postgres` and slips past
+            // the owner gate. A non-superuser `postgres` still can't
+            // grant on a FDW (this is true regardless of who owns the
+            // wrapper locally), so the ACL diff is not user-replayable.
+            // We don't apply the same blanket rule to `FOREIGN SERVER`:
+            // server GRANT/REVOKE doesn't require superuser, and
+            // user-created servers (e.g. a `dblink` server pointing to
+            // a peer DB) carry legitimate user ACL that should
+            // roundtrip — the existing `*/owner` rule already drops
+            // platform-managed servers.
+            {
+              and: [
+                { objectType: "foreign_data_wrapper" },
+                { scope: "privilege" },
+              ],
+            },
+            // Platform-managed foreign data wrappers — Wasm-based FDWs
+            // (e.g. `clerk`, `clerk_oauth`) whose handler/validator live in
+            // the `extensions` schema. `CREATE FOREIGN DATA WRAPPER`
+            // requires superuser, and Supabase Cloud provisions these via
+            // `supabase_admin` at project creation; replaying the DDL
+            // against a local image fails because the local environment
+            // has no equivalent pre-step. We can't rely on the FDW owner
+            // alone — after a dump/restore the owner is often rewritten
+            // away from `supabase_admin` — so match on the function
+            // reference instead.
+            {
+              and: [
+                { objectType: "foreign_data_wrapper" },
+                {
+                  or: [
+                    {
+                      "foreign_data_wrapper/handler": {
+                        op: "regex",
+                        value: "^extensions\\.",
+                      },
+                    },
+                    {
+                      "foreign_data_wrapper/validator": {
+                        op: "regex",
+                        value: "^extensions\\.",
+                      },
+                    },
+                  ],
+                },
+              ],
+            },
           ],
         },
       },

package/src/core/objects/aggregate/changes/aggregate.privilege.test.ts

@@ -92,6 +92,85 @@ describe("aggregate.privilege", () => {
     );
   });
 
+  // Regression for CLI-1471: ordered-set / hypothetical-set / variadic
+  // aggregates have `identity_arguments` that include `ORDER BY` or
+  // `VARIADIC` keywords. Those keywords are rejected by
+  // `GRANT ... ON FUNCTION (...)` (only positional argument types are
+  // accepted there), so the serializer must drop back to the
+  // `proargtypes`-derived `argument_types` list.
+  test("grant on ordered-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "os_last",
+      aggkind: "o",
+      identity_arguments: "anyelement ORDER BY anyelement",
+      argument_types: ["anyelement", "anyelement"],
+      return_type: "anyelement",
+      transition_function: "public.os_last_sfunc(anyelement,anyelement)",
+      state_data_type: "anyelement",
+      argument_count: 2,
+    });
+    const change = new GrantAggregatePrivileges({
+      aggregate,
+      grantee: "role_exec",
+      privileges: [{ privilege: "EXECUTE", grantable: false }],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "GRANT ALL ON FUNCTION public.os_last(anyelement, anyelement) TO role_exec",
+    );
+  });
+
+  test("revoke on hypothetical-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "hyp_rank",
+      aggkind: "h",
+      identity_arguments: 'VARIADIC "any" ORDER BY VARIADIC "any"',
+      argument_types: ['"any"'],
+      return_type: "bigint",
+      transition_function:
+        'pg_catalog.ordered_set_transition_multi(internal,"any")',
+      state_data_type: "internal",
+      argument_count: 1,
+    });
+    const change = new RevokeAggregatePrivileges({
+      aggregate,
+      grantee: "role_old",
+      privileges: [{ privilege: "EXECUTE", grantable: false }],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      'REVOKE ALL ON FUNCTION public.hyp_rank("any") FROM role_old',
+    );
+  });
+
+  test("revoke grant option on ordered-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "os_last",
+      aggkind: "o",
+      identity_arguments: "anyelement ORDER BY anyelement",
+      argument_types: ["anyelement", "anyelement"],
+      return_type: "anyelement",
+      transition_function: "public.os_last_sfunc(anyelement,anyelement)",
+      state_data_type: "anyelement",
+      argument_count: 2,
+    });
+    const change = new RevokeGrantOptionAggregatePrivileges({
+      aggregate,
+      grantee: "role_with_option",
+      privilegeNames: ["EXECUTE"],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "REVOKE GRANT OPTION FOR ALL ON FUNCTION public.os_last(anyelement, anyelement) FROM role_with_option",
+    );
+  });
+
   test("revoke privileges and grant option", async () => {
     const aggregate = new Aggregate(base);
     const revoke = new RevokeAggregatePrivileges({

package/src/core/objects/aggregate/changes/aggregate.privilege.ts

@@ -12,6 +12,25 @@ export type AggregatePrivilege =
   | RevokeAggregatePrivileges
   | RevokeGrantOptionAggregatePrivileges;
 
+/**
+ * Build the signature `<schema>.<name>(<argtypes>)` for use inside
+ * `GRANT`/`REVOKE ... ON FUNCTION (...)`.
+ *
+ * The aggregate's `identityArguments` (from
+ * `pg_get_function_identity_arguments`) embeds `ORDER BY` for ordered-set
+ * and hypothetical-set aggregates (`aggkind` of `o`/`h`) and `VARIADIC`
+ * for variadic aggregates — both of which the GRANT parser rejects with
+ * a syntax error. PostgreSQL resolves the aggregate from the positional
+ * argument types alone, so use `argument_types` here regardless of
+ * `aggkind`. Other aggregate DDL (`ALTER AGGREGATE`, `COMMENT ON
+ * AGGREGATE`, `SECURITY LABEL ON AGGREGATE`, `DROP AGGREGATE`) accepts
+ * the identity form and keeps using it.
+ */
+function aggregateGrantSignature(aggregate: Aggregate): string {
+  const args = (aggregate.argument_types ?? []).join(", ");
+  return `${aggregate.schema}.${aggregate.name}(${args})`;
+}
+
 export class GrantAggregatePrivileges extends AlterAggregateChange {
   public readonly aggregate: Aggregate;
   public readonly grantee: string;
@@ -52,9 +71,7 @@ export class GrantAggregatePrivileges extends AlterAggregateChange {
     const kindPrefix = getObjectKindPrefix("FUNCTION");
     const list = this.privileges.map((p) => p.privilege);
     const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `GRANT ${privSql} ${kindPrefix} ${qualified} TO ${this.grantee}${withGrant}`;
   }
 }
@@ -97,9 +114,7 @@ export class RevokeAggregatePrivileges extends AlterAggregateChange {
     const kindPrefix = getObjectKindPrefix("FUNCTION");
     const list = this.privileges.map((p) => p.privilege);
     const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `REVOKE ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
   }
 }
@@ -139,9 +154,7 @@ export class RevokeGrantOptionAggregatePrivileges extends AlterAggregateChange {
       this.privilegeNames,
       this.version,
     );
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `REVOKE GRANT OPTION FOR ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
   }
 }

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.alter.test.ts

@@ -120,17 +120,47 @@ describe.concurrent("foreign-data-wrapper", () => {
       const change = new AlterForeignDataWrapperSetOptions({
         foreignDataWrapper: fdw,
         options: [
-          { action: "ADD", option: "new_option", value: "new_value" },
-          { action: "SET", option: "existing_option", value: "updated_value" },
-          { action: "DROP", option: "old_option" },
+          { action: "ADD", option: "use_remote_estimate", value: "true" },
+          { action: "SET", option: "fetch_size", value: "200" },
+          { action: "DROP", option: "fdw_tuple_cost" },
         ],
       });
 
       await assertValidSql(change.serialize());
 
       expect(change.serialize()).toBe(
-        "ALTER FOREIGN DATA WRAPPER test_fdw OPTIONS (ADD new_option 'new_value', SET existing_option 'updated_value', DROP old_option)",
+        "ALTER FOREIGN DATA WRAPPER test_fdw OPTIONS (ADD use_remote_estimate 'true', SET fetch_size '200', DROP fdw_tuple_cost)",
       );
     });
+
+    test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+      const props: ForeignDataWrapperProps = {
+        name: "leaky_fdw",
+        owner: "postgres",
+        handler: null,
+        validator: null,
+        options: null,
+        comment: null,
+        privileges: [],
+      };
+      const fdw = new ForeignDataWrapper(props);
+      const change = new AlterForeignDataWrapperSetOptions({
+        foreignDataWrapper: fdw,
+        options: [
+          { action: "ADD", option: "password", value: "shared-fdw-secret" },
+          { action: "SET", option: "use_remote_estimate", value: "true" },
+          { action: "ADD", option: "api_key", value: "leaked-api-key" },
+        ],
+      });
+
+      await assertValidSql(change.serialize());
+
+      const sql = change.serialize();
+      expect(sql).not.toContain("shared-fdw-secret");
+      expect(sql).not.toContain("leaked-api-key");
+      expect(sql).toContain("SET use_remote_estimate 'true'");
+      expect(sql).toContain("ADD password '__OPTION_PASSWORD__'");
+      expect(sql).toContain("ADD api_key '__OPTION_API_KEY__'");
+    });
   });
 });

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.alter.ts

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignDataWrapper } from "../foreign-data-wrapper.model.ts";
 import { AlterForeignDataWrapperChange } from "./foreign-data-wrapper.base.ts";
 
@@ -87,7 +88,10 @@ export class AlterForeignDataWrapperSetOptions extends AlterForeignDataWrapperCh
       if (opt.action === "DROP") {
         optionParts.push(`DROP ${opt.option}`);
       } else {
-        const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+        const value =
+          opt.value !== undefined
+            ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+            : "''";
         optionParts.push(`${opt.action} ${opt.option} ${value}`);
       }
     }

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.create.test.ts

@@ -157,4 +157,38 @@ describe("foreign-data-wrapper", () => {
       "CREATE FOREIGN DATA WRAPPER test_fdw HANDLER extensions.iceberg_fdw_handler VALIDATOR extensions.iceberg_fdw_validator",
     );
   });
+
+  test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+    // FDW-level OPTIONS set defaults that flow down to every server using
+    // the wrapper, so a shared `password` or `api_key` here must redact.
+    const fdw = new ForeignDataWrapper({
+      name: "leaky_fdw",
+      owner: "postgres",
+      handler: null,
+      validator: null,
+      options: [
+        "use_remote_estimate",
+        "true",
+        "password",
+        "shared-fdw-secret",
+        "api_key",
+        "leaked-api-key",
+      ],
+      comment: null,
+      privileges: [],
+    });
+
+    const change = new CreateForeignDataWrapper({
+      foreignDataWrapper: fdw,
+    });
+
+    await assertValidSql(change.serialize());
+
+    const sql = change.serialize();
+    expect(sql).not.toContain("shared-fdw-secret");
+    expect(sql).not.toContain("leaked-api-key");
+    expect(sql).toContain("use_remote_estimate 'true'");
+    expect(sql).toContain("password '__OPTION_PASSWORD__'");
+    expect(sql).toContain("api_key '__OPTION_API_KEY__'");
+  });
 });

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.create.ts

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignDataWrapper } from "../foreign-data-wrapper.model.ts";
 import { CreateForeignDataWrapperChange } from "./foreign-data-wrapper.base.ts";
 
@@ -80,11 +81,12 @@ export class CreateForeignDataWrapper extends CreateForeignDataWrapperChange {
     ) {
       const optionPairs: string[] = [];
       for (let i = 0; i < this.foreignDataWrapper.options.length; i += 2) {
-        if (i + 1 < this.foreignDataWrapper.options.length) {
-          optionPairs.push(
-            `${this.foreignDataWrapper.options[i]} ${quoteLiteral(this.foreignDataWrapper.options[i + 1])}`,
-          );
-        }
+        const key = this.foreignDataWrapper.options[i];
+        const value = this.foreignDataWrapper.options[i + 1];
+        if (key === undefined || value === undefined) continue;
+        optionPairs.push(
+          `${key} ${quoteLiteral(redactOptionValue(key, value))}`,
+        );
       }
       if (optionPairs.length > 0) {
         parts.push(`OPTIONS (${optionPairs.join(", ")})`);

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.ts

@@ -78,6 +78,17 @@ export class ForeignDataWrapper extends BasePgModel {
   }
 }
 
+/**
+ * Extract `pg_foreign_data_wrapper` rows into `ForeignDataWrapper` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_data_wrapper.fdwoptions`, which means a wrapper that ships
+ * shared credentials (`password`, `api_key`, …) would expose them
+ * cleartext in memory. Always route through `extractCatalog` (which
+ * calls `normalizeCatalog`) before emitting options to any output
+ * channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractForeignDataWrappers(
   pool: Pool,
 ): Promise<ForeignDataWrapper[]> {

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.alter.test.ts

@@ -324,17 +324,38 @@ describe.concurrent("foreign-table", () => {
       const change = new AlterForeignTableSetOptions({
         foreignTable,
         options: [
-          { action: "ADD", option: "new_option", value: "new_value" },
-          { action: "SET", option: "existing_option", value: "updated_value" },
-          { action: "DROP", option: "old_option" },
+          { action: "ADD", option: "schema_name", value: "remote_schema" },
+          { action: "SET", option: "table_name", value: "updated_table" },
+          { action: "DROP", option: "column_name" },
         ],
       });
 
       await assertValidSql(change.serialize());
 
       expect(change.serialize()).toBe(
-        "ALTER FOREIGN TABLE public.test_table OPTIONS (ADD new_option 'new_value', SET existing_option 'updated_value', DROP old_option)",
+        "ALTER FOREIGN TABLE public.test_table OPTIONS (ADD schema_name 'remote_schema', SET table_name 'updated_table', DROP column_name)",
       );
     });
+
+    test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+      const foreignTable = new ForeignTable(baseTableProps);
+      const change = new AlterForeignTableSetOptions({
+        foreignTable,
+        options: [
+          { action: "ADD", option: "password", value: "table-shared-secret" },
+          { action: "SET", option: "schema_name", value: "remote_schema" },
+          { action: "ADD", option: "api_key", value: "leaked-api-key" },
+        ],
+      });
+
+      await assertValidSql(change.serialize());
+
+      const sql = change.serialize();
+      expect(sql).not.toContain("table-shared-secret");
+      expect(sql).not.toContain("leaked-api-key");
+      expect(sql).toContain("SET schema_name 'remote_schema'");
+      expect(sql).toContain("ADD password '__OPTION_PASSWORD__'");
+      expect(sql).toContain("ADD api_key '__OPTION_API_KEY__'");
+    });
   });
 });

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.alter.ts

@@ -2,6 +2,7 @@ import type { SerializeOptions } from "../../../../integrations/serialize/serial
 import { quoteLiteral } from "../../../base.change.ts";
 import type { ColumnProps } from "../../../base.model.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignTable } from "../foreign-table.model.ts";
 import { AlterForeignTableChange } from "./foreign-table.base.ts";
 
@@ -327,7 +328,10 @@ export class AlterForeignTableSetOptions extends AlterForeignTableChange {
       if (opt.action === "DROP") {
         optionParts.push(`DROP ${opt.option}`);
       } else {
-        const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+        const value =
+          opt.value !== undefined
+            ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+            : "''";
         optionParts.push(`${opt.action} ${opt.option} ${value}`);
       }
     }