npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.24 → 1.0.0-alpha.25 - Mend

@supabase/pg-delta 1.0.0-alpha.24 → 1.0.0-alpha.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.alter.test.ts CHANGED Viewed

@@ -120,17 +120,47 @@ describe.concurrent("foreign-data-wrapper", () => {
       const change = new AlterForeignDataWrapperSetOptions({
         foreignDataWrapper: fdw,
         options: [
-          { action: "ADD", option: "new_option", value: "new_value" },
-          { action: "SET", option: "existing_option", value: "updated_value" },
-          { action: "DROP", option: "old_option" },
+          { action: "ADD", option: "use_remote_estimate", value: "true" },
+          { action: "SET", option: "fetch_size", value: "200" },
+          { action: "DROP", option: "fdw_tuple_cost" },
         ],
       });
       await assertValidSql(change.serialize());
       expect(change.serialize()).toBe(
-        "ALTER FOREIGN DATA WRAPPER test_fdw OPTIONS (ADD new_option 'new_value', SET existing_option 'updated_value', DROP old_option)",
+        "ALTER FOREIGN DATA WRAPPER test_fdw OPTIONS (ADD use_remote_estimate 'true', SET fetch_size '200', DROP fdw_tuple_cost)",
       );
     });
+    test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+      const props: ForeignDataWrapperProps = {
+        name: "leaky_fdw",
+        owner: "postgres",
+        handler: null,
+        validator: null,
+        options: null,
+        comment: null,
+        privileges: [],
+      };
+      const fdw = new ForeignDataWrapper(props);
+      const change = new AlterForeignDataWrapperSetOptions({
+        foreignDataWrapper: fdw,
+        options: [
+          { action: "ADD", option: "password", value: "shared-fdw-secret" },
+          { action: "SET", option: "use_remote_estimate", value: "true" },
+          { action: "ADD", option: "api_key", value: "leaked-api-key" },
+        ],
+      });
+      await assertValidSql(change.serialize());
+      const sql = change.serialize();
+      expect(sql).not.toContain("shared-fdw-secret");
+      expect(sql).not.toContain("leaked-api-key");
+      expect(sql).toContain("SET use_remote_estimate 'true'");
+      expect(sql).toContain("ADD password '__OPTION_PASSWORD__'");
+      expect(sql).toContain("ADD api_key '__OPTION_API_KEY__'");
+    });
   });
 });

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.alter.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignDataWrapper } from "../foreign-data-wrapper.model.ts";
 import { AlterForeignDataWrapperChange } from "./foreign-data-wrapper.base.ts";
@@ -87,7 +88,10 @@ export class AlterForeignDataWrapperSetOptions extends AlterForeignDataWrapperCh
       if (opt.action === "DROP") {
         optionParts.push(`DROP ${opt.option}`);
       } else {
-        const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+        const value =
+          opt.value !== undefined
+            ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+            : "''";
         optionParts.push(`${opt.action} ${opt.option} ${value}`);
       }
     }

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.create.test.ts CHANGED Viewed

@@ -157,4 +157,38 @@ describe("foreign-data-wrapper", () => {
       "CREATE FOREIGN DATA WRAPPER test_fdw HANDLER extensions.iceberg_fdw_handler VALIDATOR extensions.iceberg_fdw_validator",
     );
   });
+  test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+    // FDW-level OPTIONS set defaults that flow down to every server using
+    // the wrapper, so a shared `password` or `api_key` here must redact.
+    const fdw = new ForeignDataWrapper({
+      name: "leaky_fdw",
+      owner: "postgres",
+      handler: null,
+      validator: null,
+      options: [
+        "use_remote_estimate",
+        "true",
+        "password",
+        "shared-fdw-secret",
+        "api_key",
+        "leaked-api-key",
+      ],
+      comment: null,
+      privileges: [],
+    });
+    const change = new CreateForeignDataWrapper({
+      foreignDataWrapper: fdw,
+    });
+    await assertValidSql(change.serialize());
+    const sql = change.serialize();
+    expect(sql).not.toContain("shared-fdw-secret");
+    expect(sql).not.toContain("leaked-api-key");
+    expect(sql).toContain("use_remote_estimate 'true'");
+    expect(sql).toContain("password '__OPTION_PASSWORD__'");
+    expect(sql).toContain("api_key '__OPTION_API_KEY__'");
+  });
 });

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.create.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignDataWrapper } from "../foreign-data-wrapper.model.ts";
 import { CreateForeignDataWrapperChange } from "./foreign-data-wrapper.base.ts";
@@ -80,11 +81,12 @@ export class CreateForeignDataWrapper extends CreateForeignDataWrapperChange {
     ) {
       const optionPairs: string[] = [];
       for (let i = 0; i < this.foreignDataWrapper.options.length; i += 2) {
-        if (i + 1 < this.foreignDataWrapper.options.length) {
-          optionPairs.push(
-            `${this.foreignDataWrapper.options[i]} ${quoteLiteral(this.foreignDataWrapper.options[i + 1])}`,
-          );
-        }
+        const key = this.foreignDataWrapper.options[i];
+        const value = this.foreignDataWrapper.options[i + 1];
+        if (key === undefined || value === undefined) continue;
+        optionPairs.push(
+          `${key} ${quoteLiteral(redactOptionValue(key, value))}`,
+        );
       }
       if (optionPairs.length > 0) {
         parts.push(`OPTIONS (${optionPairs.join(", ")})`);

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.ts CHANGED Viewed

@@ -78,6 +78,17 @@ export class ForeignDataWrapper extends BasePgModel {
   }
 }
+/**
+ * Extract `pg_foreign_data_wrapper` rows into `ForeignDataWrapper` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_data_wrapper.fdwoptions`, which means a wrapper that ships
+ * shared credentials (`password`, `api_key`, …) would expose them
+ * cleartext in memory. Always route through `extractCatalog` (which
+ * calls `normalizeCatalog`) before emitting options to any output
+ * channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractForeignDataWrappers(
   pool: Pool,
 ): Promise<ForeignDataWrapper[]> {

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.alter.test.ts CHANGED Viewed

@@ -324,17 +324,38 @@ describe.concurrent("foreign-table", () => {
       const change = new AlterForeignTableSetOptions({
         foreignTable,
         options: [
-          { action: "ADD", option: "new_option", value: "new_value" },
-          { action: "SET", option: "existing_option", value: "updated_value" },
-          { action: "DROP", option: "old_option" },
+          { action: "ADD", option: "schema_name", value: "remote_schema" },
+          { action: "SET", option: "table_name", value: "updated_table" },
+          { action: "DROP", option: "column_name" },
         ],
       });
       await assertValidSql(change.serialize());
       expect(change.serialize()).toBe(
-        "ALTER FOREIGN TABLE public.test_table OPTIONS (ADD new_option 'new_value', SET existing_option 'updated_value', DROP old_option)",
+        "ALTER FOREIGN TABLE public.test_table OPTIONS (ADD schema_name 'remote_schema', SET table_name 'updated_table', DROP column_name)",
       );
     });
+    test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+      const foreignTable = new ForeignTable(baseTableProps);
+      const change = new AlterForeignTableSetOptions({
+        foreignTable,
+        options: [
+          { action: "ADD", option: "password", value: "table-shared-secret" },
+          { action: "SET", option: "schema_name", value: "remote_schema" },
+          { action: "ADD", option: "api_key", value: "leaked-api-key" },
+        ],
+      });
+      await assertValidSql(change.serialize());
+      const sql = change.serialize();
+      expect(sql).not.toContain("table-shared-secret");
+      expect(sql).not.toContain("leaked-api-key");
+      expect(sql).toContain("SET schema_name 'remote_schema'");
+      expect(sql).toContain("ADD password '__OPTION_PASSWORD__'");
+      expect(sql).toContain("ADD api_key '__OPTION_API_KEY__'");
+    });
   });
 });

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.alter.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import type { SerializeOptions } from "../../../../integrations/serialize/serial
 import { quoteLiteral } from "../../../base.change.ts";
 import type { ColumnProps } from "../../../base.model.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignTable } from "../foreign-table.model.ts";
 import { AlterForeignTableChange } from "./foreign-table.base.ts";
@@ -327,7 +328,10 @@ export class AlterForeignTableSetOptions extends AlterForeignTableChange {
       if (opt.action === "DROP") {
         optionParts.push(`DROP ${opt.option}`);
       } else {
-        const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+        const value =
+          opt.value !== undefined
+            ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+            : "''";
         optionParts.push(`${opt.action} ${opt.option} ${value}`);
       }
     }

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.create.test.ts CHANGED Viewed

@@ -207,4 +207,58 @@ describe("foreign-table", () => {
       "CREATE FOREIGN TABLE public.test_table (id integer, name text) SERVER test_server OPTIONS (schema_name 'remote_schema', table_name 'remote_table')",
     );
   });
+  test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+    // Foreign tables don't usually carry credentials, but a wrapper is
+    // free to define one — make sure the redaction policy still applies.
+    const foreignTable = new ForeignTable({
+      schema: "public",
+      name: "leaky_table",
+      owner: "postgres",
+      server: "test_server",
+      columns: [
+        {
+          name: "id",
+          position: 1,
+          data_type: "integer",
+          data_type_str: "integer",
+          is_custom_type: false,
+          custom_type_type: null,
+          custom_type_category: null,
+          custom_type_schema: null,
+          custom_type_name: null,
+          not_null: false,
+          is_identity: false,
+          is_identity_always: false,
+          is_generated: false,
+          collation: null,
+          default: null,
+          comment: null,
+        },
+      ],
+      options: [
+        "schema_name",
+        "remote_schema",
+        "api_key",
+        "leaked-api-key",
+        "password",
+        "table-shared-secret",
+      ],
+      comment: null,
+      privileges: [],
+    });
+    const change = new CreateForeignTable({
+      foreignTable,
+    });
+    await assertValidSql(change.serialize());
+    const sql = change.serialize();
+    expect(sql).not.toContain("leaked-api-key");
+    expect(sql).not.toContain("table-shared-secret");
+    expect(sql).toContain("schema_name 'remote_schema'");
+    expect(sql).toContain("api_key '__OPTION_API_KEY__'");
+    expect(sql).toContain("password '__OPTION_PASSWORD__'");
+  });
 });

package/src/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.create.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignTable } from "../foreign-table.model.ts";
 import { CreateForeignTableChange } from "./foreign-table.base.ts";
@@ -66,11 +67,12 @@ export class CreateForeignTable extends CreateForeignTableChange {
     if (this.foreignTable.options && this.foreignTable.options.length > 0) {
       const optionPairs: string[] = [];
       for (let i = 0; i < this.foreignTable.options.length; i += 2) {
-        if (i + 1 < this.foreignTable.options.length) {
-          optionPairs.push(
-            `${this.foreignTable.options[i]} ${quoteLiteral(this.foreignTable.options[i + 1])}`,
-          );
-        }
+        const key = this.foreignTable.options[i];
+        const value = this.foreignTable.options[i + 1];
+        if (key === undefined || value === undefined) continue;
+        optionPairs.push(
+          `${key} ${quoteLiteral(redactOptionValue(key, value))}`,
+        );
       }
       if (optionPairs.length > 0) {
         parts.push(`OPTIONS (${optionPairs.join(", ")})`);

package/src/core/objects/foreign-data-wrapper/foreign-table/foreign-table.model.ts CHANGED Viewed

@@ -119,6 +119,17 @@ export class ForeignTable extends BasePgModel implements TableLikeObject {
   }
 }
+/**
+ * Extract `pg_foreign_table` rows into `ForeignTable` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_table.ftoptions`, which means a wrapper that puts
+ * credentials at the table level (uncommon but possible) would expose
+ * them cleartext in memory. Always route through `extractCatalog`
+ * (which calls `normalizeCatalog`) before emitting options to any
+ * output channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractForeignTables(
   pool: Pool,
 ): Promise<ForeignTable[]> {

package/src/core/objects/foreign-data-wrapper/sensitive-options.test.ts ADDED Viewed

@@ -0,0 +1,98 @@
+import { describe, expect, test } from "bun:test";
+import {
+  redactOptionValue,
+  redactSensitiveOptionPairs,
+} from "./sensitive-options.ts";
+describe("sensitive-options", () => {
+  test("preserves allowlisted connection / behavior options (case-insensitive)", () => {
+    // One assertion per allowlist family so an accidental drop is caught
+    // here instead of silently turning real plans into placeholder soup.
+    expect(redactOptionValue("host", "prod.example.com")).toBe(
+      "prod.example.com",
+    );
+    expect(redactOptionValue("HOST", "prod.example.com")).toBe(
+      "prod.example.com",
+    );
+    expect(redactOptionValue("port", "5432")).toBe("5432");
+    expect(redactOptionValue("dbname", "appdb")).toBe("appdb");
+    expect(redactOptionValue("user", "fdw_reader")).toBe("fdw_reader");
+    expect(redactOptionValue("sslmode", "require")).toBe("require");
+    expect(redactOptionValue("fetch_size", "200")).toBe("200");
+    expect(redactOptionValue("schema_name", "public")).toBe("public");
+    expect(redactOptionValue("region", "us-east-1")).toBe("us-east-1");
+  });
+  test("redacts unknown / credential-shaped keys to the placeholder", () => {
+    // None of these are in the allowlist; the policy is default-redact, so
+    // they all collapse to `__OPTION_<KEY>__` regardless of the value.
+    expect(redactOptionValue("password", "supersecret")).toBe(
+      "__OPTION_PASSWORD__",
+    );
+    expect(redactOptionValue("PASSWORD", "supersecret")).toBe(
+      "__OPTION_PASSWORD__",
+    );
+    expect(redactOptionValue("passfile", "/etc/passfile")).toBe(
+      "__OPTION_PASSFILE__",
+    );
+    expect(redactOptionValue("sslpassword", "x")).toBe(
+      "__OPTION_SSLPASSWORD__",
+    );
+    expect(redactOptionValue("api_key", "x")).toBe("__OPTION_API_KEY__");
+    expect(redactOptionValue("aws_secret_access_key", "x")).toBe(
+      "__OPTION_AWS_SECRET_ACCESS_KEY__",
+    );
+    // An unrecognized FDW option key — default-redact catches it even
+    // though we have not enumerated this wrapper.
+    expect(redactOptionValue("brand_new_wrapper_token", "x")).toBe(
+      "__OPTION_BRAND_NEW_WRAPPER_TOKEN__",
+    );
+  });
+  test("matching is exact (not substring)", () => {
+    // `host` is allowlisted but `host_addr` is not — substring matches must
+    // not promote unknown keys into the allowlist.
+    expect(redactOptionValue("host_addr", "10.0.0.1")).toBe(
+      "__OPTION_HOST_ADDR__",
+    );
+    // Inverse direction: `password_validator_extension` is not in the
+    // allowlist, and must not be accidentally allowlisted because some
+    // future loose-match scheme thought "password" looked similar.
+    expect(
+      redactOptionValue("password_validator_extension", "passwordcheck"),
+    ).toBe("__OPTION_PASSWORD_VALIDATOR_EXTENSION__");
+  });
+  test("redactSensitiveOptionPairs preserves safe keys and redacts the rest", () => {
+    expect(
+      redactSensitiveOptionPairs([
+        "host",
+        "localhost",
+        "port",
+        "5432",
+        "password",
+        "supersecret",
+        "passfile",
+        "/etc/secrets/passfile",
+        "brand_new_wrapper_token",
+        "leaked",
+      ]),
+    ).toEqual([
+      "host",
+      "localhost",
+      "port",
+      "5432",
+      "password",
+      "__OPTION_PASSWORD__",
+      "passfile",
+      "__OPTION_PASSFILE__",
+      "brand_new_wrapper_token",
+      "__OPTION_BRAND_NEW_WRAPPER_TOKEN__",
+    ]);
+  });
+  test("redactSensitiveOptionPairs handles null and empty input", () => {
+    expect(redactSensitiveOptionPairs(null)).toBeNull();
+    expect(redactSensitiveOptionPairs([])).toEqual([]);
+  });
+});

package/src/core/objects/foreign-data-wrapper/sensitive-options.ts ADDED Viewed

@@ -0,0 +1,133 @@
+/**
+ * Sensitive-option redaction for foreign-data-wrapper objects.
+ *
+ * Foreign servers (`pg_foreign_server.srvoptions`) and user mappings
+ * (`pg_user_mapping.umoptions`) store libpq/FDW credentials in cleartext.
+ * Any code path that emits these option values verbatim — plan SQL, catalog
+ * snapshots, declarative export, fingerprints — leaks the credentials to
+ * disk, stdout, CI logs, and version control.
+ *
+ * The redaction policy is **allowlist-based**: replace every option value
+ * with `__OPTION_<KEY>__` unless the option key appears in
+ * {@link SAFE_OPTION_KEYS}. Failure mode of a missing entry is "the plan
+ * shows the placeholder instead of the real value" — annoying, but safe;
+ * a denylist's failure mode was secrets leaking, which is the bug we are
+ * fixing (CLI-1467).
+ *
+ * Match is case-insensitive but exact — substrings do not match, so an
+ * option key like `password_validator_extension` will be redacted unless
+ * explicitly allowlisted. When a new wrapper introduces a non-credential
+ * key we want to surface in plans, add it here.
+ */
+const SAFE_OPTION_KEYS = new Set<string>([
+  // libpq connection params (non-credential subset).
+  //   https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
+  "host",
+  "hostaddr",
+  "port",
+  "dbname",
+  "user",
+  "sslmode",
+  "sslcompression",
+  "sslcert",
+  "sslkey",
+  "sslrootcert",
+  "sslcrl",
+  "sslcrldir",
+  "sslsni",
+  "requirepeer",
+  "krbsrvname",
+  "gsslib",
+  "sspi",
+  "gssencmode",
+  "gssdelegation",
+  "channel_binding",
+  "target_session_attrs",
+  "application_name",
+  "fallback_application_name",
+  "connect_timeout",
+  "client_encoding",
+  "options",
+  "keepalives",
+  "keepalives_idle",
+  "keepalives_interval",
+  "keepalives_count",
+  "tcp_user_timeout",
+  "replication",
+  "load_balance_hosts",
+  // postgres_fdw behavior tuning.
+  //   https://www.postgresql.org/docs/current/postgres-fdw.html#POSTGRES-FDW-OPTIONS-CONNECTION
+  "use_remote_estimate",
+  "fdw_startup_cost",
+  "fdw_tuple_cost",
+  "fetch_size",
+  "batch_size",
+  "async_capable",
+  "analyze_sampling",
+  "parallel_commit",
+  "parallel_abort",
+  "extensions",
+  "updatable",
+  "truncatable",
+  "schema_name",
+  "table_name",
+  "column_name",
+  // Common shape for table-like FDWs (file_fdw, cloud-storage wrappers).
+  "schema",
+  "database",
+  "table",
+  "format",
+  "header",
+  "delimiter",
+  "quote",
+  "escape",
+  "encoding",
+  "compression",
+  // Cloud / Supabase Wrappers non-credential shape.
+  //   https://github.com/supabase/wrappers
+  "region",
+  "endpoint",
+  "bucket",
+  "prefix",
+  "location",
+  "project_id",
+  "dataset_id",
+  "dataset",
+  "workspace",
+  "organization",
+  "api_version",
+]);
+function redactedOptionPlaceholder(key: string): string {
+  return `__OPTION_${key.toUpperCase()}__`;
+}
+export function redactOptionValue(key: string, value: string): string {
+  return SAFE_OPTION_KEYS.has(key.toLowerCase())
+    ? value
+    : redactedOptionPlaceholder(key);
+}
+/**
+ * Redact non-allowlisted values in a flat `[key, value, key, value, ...]`
+ * options array — the shape used by the {@link Server},
+ * {@link UserMapping}, {@link ForeignDataWrapper}, and {@link ForeignTable}
+ * models.
+ *
+ * Returns `null` for `null` input, and otherwise returns an array of the
+ * same length as the input with sensitive values replaced.
+ */
+export function redactSensitiveOptionPairs(
+  options: readonly string[] | null,
+): string[] | null {
+  if (options === null) return null;
+  const result: string[] = [];
+  for (let i = 0; i < options.length; i += 2) {
+    const key = options[i];
+    const value = options[i + 1];
+    if (key === undefined || value === undefined) continue;
+    result.push(key, redactOptionValue(key, value));
+  }
+  return result;
+}

package/src/core/objects/foreign-data-wrapper/server/changes/server.alter.test.ts CHANGED Viewed

@@ -167,17 +167,52 @@ describe.concurrent("server", () => {
       const change = new AlterServerSetOptions({
         server,
         options: [
-          { action: "ADD", option: "new_option", value: "new_value" },
-          { action: "SET", option: "existing_option", value: "updated_value" },
-          { action: "DROP", option: "old_option" },
+          { action: "ADD", option: "host", value: "localhost" },
+          { action: "SET", option: "port", value: "5433" },
+          { action: "DROP", option: "dbname" },
         ],
       });
       await assertValidSql(change.serialize());
       expect(change.serialize()).toBe(
-        "ALTER SERVER test_server OPTIONS (ADD new_option 'new_value', SET existing_option 'updated_value', DROP old_option)",
+        "ALTER SERVER test_server OPTIONS (ADD host 'localhost', SET port '5433', DROP dbname)",
       );
     });
+    test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+      const props: ServerProps = {
+        name: "live_risk_server",
+        owner: "postgres",
+        foreign_data_wrapper: "postgres_fdw",
+        type: null,
+        version: null,
+        options: null,
+        comment: null,
+        privileges: [],
+      };
+      const server = new Server(props);
+      const change = new AlterServerSetOptions({
+        server,
+        options: [
+          { action: "ADD", option: "password", value: "server-shared-secret" },
+          { action: "SET", option: "host", value: "remote.example.com" },
+          {
+            action: "ADD",
+            option: "passfile",
+            value: "/etc/secrets/passfile",
+          },
+        ],
+      });
+      await assertValidSql(change.serialize());
+      const sql = change.serialize();
+      expect(sql).not.toContain("server-shared-secret");
+      expect(sql).not.toContain("/etc/secrets/passfile");
+      expect(sql).toContain("SET host 'remote.example.com'");
+      expect(sql).toContain("ADD password '__OPTION_PASSWORD__'");
+      expect(sql).toContain("ADD passfile '__OPTION_PASSFILE__'");
+    });
   });
 });

package/src/core/objects/foreign-data-wrapper/server/changes/server.alter.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { Server } from "../server.model.ts";
 import { AlterServerChange } from "./server.base.ts";
@@ -112,7 +113,10 @@ export class AlterServerSetOptions extends AlterServerChange {
       if (opt.action === "DROP") {
         optionParts.push(`DROP ${opt.option}`);
       } else {
-        const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+        const value =
+          opt.value !== undefined
+            ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+            : "''";
         optionParts.push(`${opt.action} ${opt.option} ${value}`);
       }
     }