@supabase/pg-delta 1.0.0-alpha.24 → 1.0.0-alpha.26

package/dist/core/catalog.model.d.ts

@@ -6,8 +6,8 @@ import { type Collation } from "./objects/collation/collation.model.ts";
 import type { Domain } from "./objects/domain/domain.model.ts";
 import { type EventTrigger } from "./objects/event-trigger/event-trigger.model.ts";
 import { type Extension } from "./objects/extension/extension.model.ts";
-import { type ForeignDataWrapper } from "./objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.ts";
-import { type ForeignTable } from "./objects/foreign-data-wrapper/foreign-table/foreign-table.model.ts";
+import { ForeignDataWrapper } from "./objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.ts";
+import { ForeignTable } from "./objects/foreign-data-wrapper/foreign-table/foreign-table.model.ts";
 import { Server } from "./objects/foreign-data-wrapper/server/server.model.ts";
 import { UserMapping } from "./objects/foreign-data-wrapper/user-mapping/user-mapping.model.ts";
 import { type Index } from "./objects/index/index.model.ts";

package/dist/core/catalog.model.js

@@ -5,8 +5,9 @@ import { extractCollations, } from "./objects/collation/collation.model.js";
 import { extractDomains } from "./objects/domain/domain.model.js";
 import { extractEventTriggers, } from "./objects/event-trigger/event-trigger.model.js";
 import { extractExtensions, } from "./objects/extension/extension.model.js";
-import { extractForeignDataWrappers, } from "./objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.js";
-import { extractForeignTables, } from "./objects/foreign-data-wrapper/foreign-table/foreign-table.model.js";
+import { extractForeignDataWrappers, ForeignDataWrapper, } from "./objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.js";
+import { extractForeignTables, ForeignTable, } from "./objects/foreign-data-wrapper/foreign-table/foreign-table.model.js";
+import { redactSensitiveOptionPairs } from "./objects/foreign-data-wrapper/sensitive-options.js";
 import { extractServers, Server, } from "./objects/foreign-data-wrapper/server/server.model.js";
 import { extractUserMappings, UserMapping, } from "./objects/foreign-data-wrapper/user-mapping/user-mapping.model.js";
 import { extractIndexes } from "./objects/index/index.model.js";
@@ -146,10 +147,12 @@ async function getPg17Baseline() {
 export async function createEmptyCatalog(version, currentUser) {
     if (version >= 170000) {
         const baseline = await getPg17Baseline();
+        // oxlint-disable-next-line typescript/no-misused-spread
         return new Catalog({ ...baseline, version, currentUser });
     }
     if (version >= 150000) {
         const baseline = await getPg1516Baseline();
+        // oxlint-disable-next-line typescript/no-misused-spread
         return new Catalog({ ...baseline, version, currentUser });
     }
     const publicSchema = new Schema({
@@ -264,27 +267,44 @@ function listToRecord(list) {
     return Object.fromEntries(list.map((item) => [item.stableId, item]));
 }
 function normalizeCatalog(catalog) {
+    const foreignDataWrappers = mapRecord(catalog.foreignDataWrappers, (fdw) => new ForeignDataWrapper({
+        name: fdw.name,
+        owner: fdw.owner,
+        handler: fdw.handler,
+        validator: fdw.validator,
+        options: redactSensitiveOptionPairs(fdw.options),
+        comment: fdw.comment,
+        privileges: fdw.privileges,
+    }));
     const servers = mapRecord(catalog.servers, (server) => {
-        const maskedOptions = maskOptions(server.options);
         return new Server({
             name: server.name,
             owner: server.owner,
             foreign_data_wrapper: server.foreign_data_wrapper,
             type: server.type,
             version: server.version,
-            options: maskedOptions,
+            options: redactSensitiveOptionPairs(server.options),
             comment: server.comment,
             privileges: server.privileges,
         });
     });
     const userMappings = mapRecord(catalog.userMappings, (mapping) => {
-        const maskedOptions = maskOptions(mapping.options);
         return new UserMapping({
             user: mapping.user,
             server: mapping.server,
-            options: maskedOptions,
+            options: redactSensitiveOptionPairs(mapping.options),
         });
     });
+    const foreignTables = mapRecord(catalog.foreignTables, (foreignTable) => new ForeignTable({
+        schema: foreignTable.schema,
+        name: foreignTable.name,
+        owner: foreignTable.owner,
+        server: foreignTable.server,
+        columns: foreignTable.columns,
+        options: redactSensitiveOptionPairs(foreignTable.options),
+        comment: foreignTable.comment,
+        privileges: foreignTable.privileges,
+    }));
     const subscriptions = mapRecord(catalog.subscriptions, (subscription) => {
         return new Subscription({
             name: subscription.name,
@@ -330,29 +350,16 @@ function normalizeCatalog(catalog) {
         rules: catalog.rules,
         ranges: catalog.ranges,
         views: catalog.views,
-        foreignDataWrappers: catalog.foreignDataWrappers,
+        foreignDataWrappers,
         servers,
         userMappings,
-        foreignTables: catalog.foreignTables,
+        foreignTables,
         depends: catalog.depends,
         indexableObjects: catalog.indexableObjects,
         version: catalog.version,
         currentUser: catalog.currentUser,
     });
 }
-function maskOptions(options) {
-    if (!options || options.length === 0)
-        return options;
-    const masked = [];
-    for (let i = 0; i < options.length; i += 2) {
-        const key = options[i];
-        const value = options[i + 1];
-        if (key === undefined || value === undefined)
-            continue;
-        masked.push(key, `__OPTION_${key.toUpperCase()}__`);
-    }
-    return masked.length > 0 ? masked : null;
-}
 function mapRecord(record, mapper) {
     return Object.fromEntries(Object.entries(record).map(([key, value]) => [key, mapper(value)]));
 }

package/dist/core/expand-replace-dependencies.js

@@ -6,7 +6,7 @@ import { CreateMaterializedView } from "./objects/materialized-view/changes/mate
 import { DropMaterializedView } from "./objects/materialized-view/changes/materialized-view.drop.js";
 import { CreateProcedure } from "./objects/procedure/changes/procedure.create.js";
 import { DropProcedure } from "./objects/procedure/changes/procedure.drop.js";
-import { AlterTableAddConstraint, AlterTableValidateConstraint, } from "./objects/table/changes/table.alter.js";
+import { AlterTableAddConstraint } from "./objects/table/changes/table.alter.js";
 import { CreateCommentOnConstraint } from "./objects/table/changes/table.comment.js";
 import { CreateTable } from "./objects/table/changes/table.create.js";
 import { DropTable } from "./objects/table/changes/table.drop.js";
@@ -312,12 +312,6 @@ function buildReplaceChanges(resolved, options) {
                                     constraint,
                                 }),
                             ];
-                            if (!constraint.validated) {
-                                items.push(new AlterTableValidateConstraint({
-                                    table: resolved.branch,
-                                    constraint,
-                                }));
-                            }
                             if (constraint.comment !== null &&
                                 constraint.comment !== undefined) {
                                 items.push(new CreateCommentOnConstraint({

package/dist/core/integrations/supabase.js

@@ -94,6 +94,34 @@ export const supabase = {
                 operation: "drop",
                 scope: "object",
             },
+            // Include user-attached triggers on tables in Supabase-managed schemas.
+            //
+            // Triggers live in the schema of the table they fire on, so a user
+            // trigger on `auth.users` reports `trigger/schema = auth` and is
+            // otherwise indistinguishable from Supabase's own triggers via the
+            // schema-level deny list. Triggers also have no real owner — pg-delta
+            // surfaces the parent table's owner as `trigger/owner`, which for
+            // `auth.users` and `storage.objects` is always a Supabase system role,
+            // so the owner-level deny list catches them too.
+            //
+            // The trigger function, however, is genuinely user-owned: a customer
+            // who wants to run code on an auth event creates a function in
+            // `public` (or any non-managed schema) and points the trigger at it.
+            // Supabase's own auth/storage triggers either come from extensions
+            // (already filtered out at extract time via `pg_depend`) or call
+            // functions inside the same managed schema, so `function_schema`
+            // outside the managed list is a reliable user-defined marker.
+            {
+                and: [
+                    { objectType: "trigger" },
+                    { "trigger/schema": [...SUPABASE_SYSTEM_SCHEMAS] },
+                    {
+                        not: {
+                            "trigger/function_schema": [...SUPABASE_SYSTEM_SCHEMAS],
+                        },
+                    },
+                ],
+            },
             // Exclude system objects
             {
                 not: {
@@ -126,6 +154,62 @@ export const supabase = {
                                 },
                             ],
                         },
+                        // Platform-managed foreign data wrapper ACL.
+                        // `GRANT`/`REVOKE ... ON FOREIGN DATA WRAPPER` requires
+                        // superuser. On Supabase Cloud `postgres` has the elevated
+                        // rights to make this work, but the local Docker image does
+                        // not, so `supabase db reset` aborts with
+                        // `permission denied for foreign-data wrapper`. The
+                        // `*/owner` rule above already covers wrappers owned by
+                        // `supabase_admin`, but `pg_dump` rewrites OWNER TO clauses
+                        // to whoever the dump runs under, so after a restore the
+                        // FDW typically ends up owned by `postgres` and slips past
+                        // the owner gate. A non-superuser `postgres` still can't
+                        // grant on a FDW (this is true regardless of who owns the
+                        // wrapper locally), so the ACL diff is not user-replayable.
+                        // We don't apply the same blanket rule to `FOREIGN SERVER`:
+                        // server GRANT/REVOKE doesn't require superuser, and
+                        // user-created servers (e.g. a `dblink` server pointing to
+                        // a peer DB) carry legitimate user ACL that should
+                        // roundtrip — the existing `*/owner` rule already drops
+                        // platform-managed servers.
+                        {
+                            and: [
+                                { objectType: "foreign_data_wrapper" },
+                                { scope: "privilege" },
+                            ],
+                        },
+                        // Platform-managed foreign data wrappers — Wasm-based FDWs
+                        // (e.g. `clerk`, `clerk_oauth`) whose handler/validator live in
+                        // the `extensions` schema. `CREATE FOREIGN DATA WRAPPER`
+                        // requires superuser, and Supabase Cloud provisions these via
+                        // `supabase_admin` at project creation; replaying the DDL
+                        // against a local image fails because the local environment
+                        // has no equivalent pre-step. We can't rely on the FDW owner
+                        // alone — after a dump/restore the owner is often rewritten
+                        // away from `supabase_admin` — so match on the function
+                        // reference instead.
+                        {
+                            and: [
+                                { objectType: "foreign_data_wrapper" },
+                                {
+                                    or: [
+                                        {
+                                            "foreign_data_wrapper/handler": {
+                                                op: "regex",
+                                                value: "^extensions\\.",
+                                            },
+                                        },
+                                        {
+                                            "foreign_data_wrapper/validator": {
+                                                op: "regex",
+                                                value: "^extensions\\.",
+                                            },
+                                        },
+                                    ],
+                                },
+                            ],
+                        },
                     ],
                 },
             },

package/dist/core/objects/aggregate/changes/aggregate.privilege.js

@@ -1,6 +1,24 @@
 import { formatObjectPrivilegeList, getObjectKindPrefix, } from "../../base.privilege.js";
 import { stableId } from "../../utils.js";
 import { AlterAggregateChange } from "./aggregate.base.js";
+/**
+ * Build the signature `<schema>.<name>(<argtypes>)` for use inside
+ * `GRANT`/`REVOKE ... ON FUNCTION (...)`.
+ *
+ * The aggregate's `identityArguments` (from
+ * `pg_get_function_identity_arguments`) embeds `ORDER BY` for ordered-set
+ * and hypothetical-set aggregates (`aggkind` of `o`/`h`) and `VARIADIC`
+ * for variadic aggregates — both of which the GRANT parser rejects with
+ * a syntax error. PostgreSQL resolves the aggregate from the positional
+ * argument types alone, so use `argument_types` here regardless of
+ * `aggkind`. Other aggregate DDL (`ALTER AGGREGATE`, `COMMENT ON
+ * AGGREGATE`, `SECURITY LABEL ON AGGREGATE`, `DROP AGGREGATE`) accepts
+ * the identity form and keeps using it.
+ */
+function aggregateGrantSignature(aggregate) {
+    const args = (aggregate.argument_types ?? []).join(", ");
+    return `${aggregate.schema}.${aggregate.name}(${args})`;
+}
 export class GrantAggregatePrivileges extends AlterAggregateChange {
     aggregate;
     grantee;
@@ -30,9 +48,7 @@ export class GrantAggregatePrivileges extends AlterAggregateChange {
         const kindPrefix = getObjectKindPrefix("FUNCTION");
         const list = this.privileges.map((p) => p.privilege);
         const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-        const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-        const signature = this.aggregate.identityArguments;
-        const qualified = `${aggregateName}(${signature})`;
+        const qualified = aggregateGrantSignature(this.aggregate);
         return `GRANT ${privSql} ${kindPrefix} ${qualified} TO ${this.grantee}${withGrant}`;
     }
 }
@@ -65,9 +81,7 @@ export class RevokeAggregatePrivileges extends AlterAggregateChange {
         const kindPrefix = getObjectKindPrefix("FUNCTION");
         const list = this.privileges.map((p) => p.privilege);
         const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-        const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-        const signature = this.aggregate.identityArguments;
-        const qualified = `${aggregateName}(${signature})`;
+        const qualified = aggregateGrantSignature(this.aggregate);
         return `REVOKE ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
     }
 }
@@ -94,9 +108,7 @@ export class RevokeGrantOptionAggregatePrivileges extends AlterAggregateChange {
     serialize(_options) {
         const kindPrefix = getObjectKindPrefix("FUNCTION");
         const privSql = formatObjectPrivilegeList("FUNCTION", this.privilegeNames, this.version);
-        const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-        const signature = this.aggregate.identityArguments;
-        const qualified = `${aggregateName}(${signature})`;
+        const qualified = aggregateGrantSignature(this.aggregate);
         return `REVOKE GRANT OPTION FOR ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
     }
 }

package/dist/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.alter.js

@@ -1,5 +1,6 @@
 import { quoteLiteral } from "../../../base.change.js";
 import { stableId } from "../../../utils.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { AlterForeignDataWrapperChange } from "./foreign-data-wrapper.base.js";
 /**
  * ALTER FOREIGN DATA WRAPPER ... OWNER TO ...
@@ -47,7 +48,9 @@ export class AlterForeignDataWrapperSetOptions extends AlterForeignDataWrapperCh
                 optionParts.push(`DROP ${opt.option}`);
             }
             else {
-                const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+                const value = opt.value !== undefined
+                    ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+                    : "''";
                 optionParts.push(`${opt.action} ${opt.option} ${value}`);
             }
         }

package/dist/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.create.js

@@ -1,5 +1,6 @@
 import { quoteLiteral } from "../../../base.change.js";
 import { stableId } from "../../../utils.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { CreateForeignDataWrapperChange } from "./foreign-data-wrapper.base.js";
 /**
  * Create a foreign data wrapper.
@@ -65,9 +66,11 @@ export class CreateForeignDataWrapper extends CreateForeignDataWrapperChange {
             this.foreignDataWrapper.options.length > 0) {
             const optionPairs = [];
             for (let i = 0; i < this.foreignDataWrapper.options.length; i += 2) {
-                if (i + 1 < this.foreignDataWrapper.options.length) {
-                    optionPairs.push(`${this.foreignDataWrapper.options[i]} ${quoteLiteral(this.foreignDataWrapper.options[i + 1])}`);
-                }
+                const key = this.foreignDataWrapper.options[i];
+                const value = this.foreignDataWrapper.options[i + 1];
+                if (key === undefined || value === undefined)
+                    continue;
+                optionPairs.push(`${key} ${quoteLiteral(redactOptionValue(key, value))}`);
             }
             if (optionPairs.length > 0) {
                 parts.push(`OPTIONS (${optionPairs.join(", ")})`);

package/dist/core/objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.d.ts

@@ -55,5 +55,16 @@ export declare class ForeignDataWrapper extends BasePgModel {
         }[];
     };
 }
+/**
+ * Extract `pg_foreign_data_wrapper` rows into `ForeignDataWrapper` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_data_wrapper.fdwoptions`, which means a wrapper that ships
+ * shared credentials (`password`, `api_key`, …) would expose them
+ * cleartext in memory. Always route through `extractCatalog` (which
+ * calls `normalizeCatalog`) before emitting options to any output
+ * channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export declare function extractForeignDataWrappers(pool: Pool): Promise<ForeignDataWrapper[]>;
 export {};

package/dist/core/objects/foreign-data-wrapper/foreign-data-wrapper/foreign-data-wrapper.model.js

@@ -60,6 +60,17 @@ export class ForeignDataWrapper extends BasePgModel {
         };
     }
 }
+/**
+ * Extract `pg_foreign_data_wrapper` rows into `ForeignDataWrapper` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_data_wrapper.fdwoptions`, which means a wrapper that ships
+ * shared credentials (`password`, `api_key`, …) would expose them
+ * cleartext in memory. Always route through `extractCatalog` (which
+ * calls `normalizeCatalog`) before emitting options to any output
+ * channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractForeignDataWrappers(pool) {
     const { rows: fdwRows } = await pool.query(sql `
       with extension_oids as (

package/dist/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.alter.js

@@ -1,5 +1,6 @@
 import { quoteLiteral } from "../../../base.change.js";
 import { stableId } from "../../../utils.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { AlterForeignTableChange } from "./foreign-table.base.js";
 /**
  * ALTER FOREIGN TABLE ... OWNER TO ...
@@ -234,7 +235,9 @@ export class AlterForeignTableSetOptions extends AlterForeignTableChange {
                 optionParts.push(`DROP ${opt.option}`);
             }
             else {
-                const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+                const value = opt.value !== undefined
+                    ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+                    : "''";
                 optionParts.push(`${opt.action} ${opt.option} ${value}`);
             }
         }

package/dist/core/objects/foreign-data-wrapper/foreign-table/changes/foreign-table.create.js

@@ -1,5 +1,6 @@
 import { quoteLiteral } from "../../../base.change.js";
 import { stableId } from "../../../utils.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { CreateForeignTableChange } from "./foreign-table.base.js";
 /**
  * Create a foreign table.
@@ -51,9 +52,11 @@ export class CreateForeignTable extends CreateForeignTableChange {
         if (this.foreignTable.options && this.foreignTable.options.length > 0) {
             const optionPairs = [];
             for (let i = 0; i < this.foreignTable.options.length; i += 2) {
-                if (i + 1 < this.foreignTable.options.length) {
-                    optionPairs.push(`${this.foreignTable.options[i]} ${quoteLiteral(this.foreignTable.options[i + 1])}`);
-                }
+                const key = this.foreignTable.options[i];
+                const value = this.foreignTable.options[i + 1];
+                if (key === undefined || value === undefined)
+                    continue;
+                optionPairs.push(`${key} ${quoteLiteral(redactOptionValue(key, value))}`);
             }
             if (optionPairs.length > 0) {
                 parts.push(`OPTIONS (${optionPairs.join(", ")})`);

package/dist/core/objects/foreign-data-wrapper/foreign-table/foreign-table.model.d.ts

@@ -135,5 +135,16 @@ export declare class ForeignTable extends BasePgModel implements TableLikeObject
         };
     };
 }
+/**
+ * Extract `pg_foreign_table` rows into `ForeignTable` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_table.ftoptions`, which means a wrapper that puts
+ * credentials at the table level (uncommon but possible) would expose
+ * them cleartext in memory. Always route through `extractCatalog`
+ * (which calls `normalizeCatalog`) before emitting options to any
+ * output channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export declare function extractForeignTables(pool: Pool): Promise<ForeignTable[]>;
 export {};

package/dist/core/objects/foreign-data-wrapper/foreign-table/foreign-table.model.js

@@ -89,6 +89,17 @@ export class ForeignTable extends BasePgModel {
         };
     }
 }
+/**
+ * Extract `pg_foreign_table` rows into `ForeignTable` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_table.ftoptions`, which means a wrapper that puts
+ * credentials at the table level (uncommon but possible) would expose
+ * them cleartext in memory. Always route through `extractCatalog`
+ * (which calls `normalizeCatalog`) before emitting options to any
+ * output channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractForeignTables(pool) {
     const { rows: tableRows } = await pool.query(sql `
       with extension_oids as (

package/dist/core/objects/foreign-data-wrapper/sensitive-options.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Sensitive-option redaction for foreign-data-wrapper objects.
+ *
+ * Foreign servers (`pg_foreign_server.srvoptions`) and user mappings
+ * (`pg_user_mapping.umoptions`) store libpq/FDW credentials in cleartext.
+ * Any code path that emits these option values verbatim — plan SQL, catalog
+ * snapshots, declarative export, fingerprints — leaks the credentials to
+ * disk, stdout, CI logs, and version control.
+ *
+ * The redaction policy is **allowlist-based**: replace every option value
+ * with `__OPTION_<KEY>__` unless the option key appears in
+ * {@link SAFE_OPTION_KEYS}. Failure mode of a missing entry is "the plan
+ * shows the placeholder instead of the real value" — annoying, but safe;
+ * a denylist's failure mode was secrets leaking, which is the bug we are
+ * fixing (CLI-1467).
+ *
+ * Match is case-insensitive but exact — substrings do not match, so an
+ * option key like `password_validator_extension` will be redacted unless
+ * explicitly allowlisted. When a new wrapper introduces a non-credential
+ * key we want to surface in plans, add it here.
+ */
+export declare function redactOptionValue(key: string, value: string): string;
+/**
+ * Redact non-allowlisted values in a flat `[key, value, key, value, ...]`
+ * options array — the shape used by the {@link Server},
+ * {@link UserMapping}, {@link ForeignDataWrapper}, and {@link ForeignTable}
+ * models.
+ *
+ * Returns `null` for `null` input, and otherwise returns an array of the
+ * same length as the input with sensitive values replaced.
+ */
+export declare function redactSensitiveOptionPairs(options: readonly string[] | null): string[] | null;

package/dist/core/objects/foreign-data-wrapper/sensitive-options.js

@@ -0,0 +1,129 @@
+/**
+ * Sensitive-option redaction for foreign-data-wrapper objects.
+ *
+ * Foreign servers (`pg_foreign_server.srvoptions`) and user mappings
+ * (`pg_user_mapping.umoptions`) store libpq/FDW credentials in cleartext.
+ * Any code path that emits these option values verbatim — plan SQL, catalog
+ * snapshots, declarative export, fingerprints — leaks the credentials to
+ * disk, stdout, CI logs, and version control.
+ *
+ * The redaction policy is **allowlist-based**: replace every option value
+ * with `__OPTION_<KEY>__` unless the option key appears in
+ * {@link SAFE_OPTION_KEYS}. Failure mode of a missing entry is "the plan
+ * shows the placeholder instead of the real value" — annoying, but safe;
+ * a denylist's failure mode was secrets leaking, which is the bug we are
+ * fixing (CLI-1467).
+ *
+ * Match is case-insensitive but exact — substrings do not match, so an
+ * option key like `password_validator_extension` will be redacted unless
+ * explicitly allowlisted. When a new wrapper introduces a non-credential
+ * key we want to surface in plans, add it here.
+ */
+const SAFE_OPTION_KEYS = new Set([
+    // libpq connection params (non-credential subset).
+    //   https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
+    "host",
+    "hostaddr",
+    "port",
+    "dbname",
+    "user",
+    "sslmode",
+    "sslcompression",
+    "sslcert",
+    "sslkey",
+    "sslrootcert",
+    "sslcrl",
+    "sslcrldir",
+    "sslsni",
+    "requirepeer",
+    "krbsrvname",
+    "gsslib",
+    "sspi",
+    "gssencmode",
+    "gssdelegation",
+    "channel_binding",
+    "target_session_attrs",
+    "application_name",
+    "fallback_application_name",
+    "connect_timeout",
+    "client_encoding",
+    "options",
+    "keepalives",
+    "keepalives_idle",
+    "keepalives_interval",
+    "keepalives_count",
+    "tcp_user_timeout",
+    "replication",
+    "load_balance_hosts",
+    // postgres_fdw behavior tuning.
+    //   https://www.postgresql.org/docs/current/postgres-fdw.html#POSTGRES-FDW-OPTIONS-CONNECTION
+    "use_remote_estimate",
+    "fdw_startup_cost",
+    "fdw_tuple_cost",
+    "fetch_size",
+    "batch_size",
+    "async_capable",
+    "analyze_sampling",
+    "parallel_commit",
+    "parallel_abort",
+    "extensions",
+    "updatable",
+    "truncatable",
+    "schema_name",
+    "table_name",
+    "column_name",
+    // Common shape for table-like FDWs (file_fdw, cloud-storage wrappers).
+    "schema",
+    "database",
+    "table",
+    "format",
+    "header",
+    "delimiter",
+    "quote",
+    "escape",
+    "encoding",
+    "compression",
+    // Cloud / Supabase Wrappers non-credential shape.
+    //   https://github.com/supabase/wrappers
+    "region",
+    "endpoint",
+    "bucket",
+    "prefix",
+    "location",
+    "project_id",
+    "dataset_id",
+    "dataset",
+    "workspace",
+    "organization",
+    "api_version",
+]);
+function redactedOptionPlaceholder(key) {
+    return `__OPTION_${key.toUpperCase()}__`;
+}
+export function redactOptionValue(key, value) {
+    return SAFE_OPTION_KEYS.has(key.toLowerCase())
+        ? value
+        : redactedOptionPlaceholder(key);
+}
+/**
+ * Redact non-allowlisted values in a flat `[key, value, key, value, ...]`
+ * options array — the shape used by the {@link Server},
+ * {@link UserMapping}, {@link ForeignDataWrapper}, and {@link ForeignTable}
+ * models.
+ *
+ * Returns `null` for `null` input, and otherwise returns an array of the
+ * same length as the input with sensitive values replaced.
+ */
+export function redactSensitiveOptionPairs(options) {
+    if (options === null)
+        return null;
+    const result = [];
+    for (let i = 0; i < options.length; i += 2) {
+        const key = options[i];
+        const value = options[i + 1];
+        if (key === undefined || value === undefined)
+            continue;
+        result.push(key, redactOptionValue(key, value));
+    }
+    return result;
+}

package/dist/core/objects/foreign-data-wrapper/server/changes/server.alter.js

@@ -1,5 +1,6 @@
 import { quoteLiteral } from "../../../base.change.js";
 import { stableId } from "../../../utils.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { AlterServerChange } from "./server.base.js";
 /**
  * ALTER SERVER ... OWNER TO ...
@@ -70,7 +71,9 @@ export class AlterServerSetOptions extends AlterServerChange {
                 optionParts.push(`DROP ${opt.option}`);
             }
             else {
-                const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+                const value = opt.value !== undefined
+                    ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+                    : "''";
                 optionParts.push(`${opt.action} ${opt.option} ${value}`);
             }
         }

package/dist/core/objects/foreign-data-wrapper/server/changes/server.create.js

@@ -1,5 +1,6 @@
 import { quoteLiteral } from "../../../base.change.js";
 import { stableId } from "../../../utils.js";
+import { redactOptionValue } from "../../sensitive-options.js";
 import { CreateServerChange } from "./server.base.js";
 /**
  * Create a server.
@@ -49,9 +50,11 @@ export class CreateServer extends CreateServerChange {
         if (this.server.options && this.server.options.length > 0) {
             const optionPairs = [];
             for (let i = 0; i < this.server.options.length; i += 2) {
-                if (i + 1 < this.server.options.length) {
-                    optionPairs.push(`${this.server.options[i]} ${quoteLiteral(this.server.options[i + 1])}`);
-                }
+                const key = this.server.options[i];
+                const value = this.server.options[i + 1];
+                if (key === undefined || value === undefined)
+                    continue;
+                optionPairs.push(`${key} ${quoteLiteral(redactOptionValue(key, value))}`);
             }
             if (optionPairs.length > 0) {
                 parts.push(`OPTIONS (${optionPairs.join(", ")})`);