@supabase/pg-delta 1.0.0-alpha.24 → 1.0.0-alpha.26

package/src/core/expand-replace-dependencies.test.ts

@@ -189,11 +189,13 @@ describe("expandReplaceDependencies", () => {
       privileges: [],
     });
     const branchView = new View({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...mainView,
       definition: " SELECT count(*) AS n FROM public.members;",
     });
 
     const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       tables: { [usersTable.stableId]: usersTable },
       views: { [mainView.stableId]: mainView },
@@ -206,6 +208,7 @@ describe("expandReplaceDependencies", () => {
       ],
     });
     const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       views: { [branchView.stableId]: branchView },
     });
@@ -253,6 +256,7 @@ describe("expandReplaceDependencies", () => {
       owner: "postgres",
     });
     const branchSequence = new Sequence({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...mainSequence,
       persistence: "p",
     });
@@ -309,6 +313,7 @@ describe("expandReplaceDependencies", () => {
       { [usersTable.stableId]: usersTable },
     );
     const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       sequences: { [mainSequence.stableId]: mainSequence },
       tables: { [usersTable.stableId]: usersTable },
@@ -326,6 +331,7 @@ describe("expandReplaceDependencies", () => {
       ],
     });
     const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       sequences: { [branchSequence.stableId]: branchSequence },
       tables: { [usersTable.stableId]: usersTable },
@@ -369,6 +375,7 @@ describe("expandReplaceDependencies", () => {
       privileges: [],
     });
     const branchEnum = new Enum({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...mainEnum,
       labels: [
         { sort_order: 1, label: "draft" },
@@ -430,6 +437,7 @@ describe("expandReplaceDependencies", () => {
       privileges: [],
     });
     const branchChildren = new Table({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...mainChildren,
       columns: [
         { ...columnTemplate, name: "id", position: 1, not_null: true },
@@ -522,6 +530,7 @@ describe("expandReplaceDependencies", () => {
     ];
 
     const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       enums: { [mainEnum.stableId]: mainEnum },
       tables: { [mainChildren.stableId]: mainChildren },
@@ -535,6 +544,7 @@ describe("expandReplaceDependencies", () => {
       ],
     });
     const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       enums: { [branchEnum.stableId]: branchEnum },
       tables: { [branchChildren.stableId]: branchChildren },
@@ -657,6 +667,7 @@ describe("expandReplaceDependencies", () => {
     ];
 
     const mainCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       procedures: { [mainProcedure.stableId]: mainProcedure },
       views: { [mainView.stableId]: mainView },
@@ -669,6 +680,7 @@ describe("expandReplaceDependencies", () => {
       ],
     });
     const branchCatalog = new Catalog({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...baseline,
       procedures: { [branchProcedure.stableId]: branchProcedure },
       views: { [branchView.stableId]: branchView },

package/src/core/expand-replace-dependencies.ts

@@ -8,10 +8,7 @@ import { CreateMaterializedView } from "./objects/materialized-view/changes/mate
 import { DropMaterializedView } from "./objects/materialized-view/changes/materialized-view.drop.ts";
 import { CreateProcedure } from "./objects/procedure/changes/procedure.create.ts";
 import { DropProcedure } from "./objects/procedure/changes/procedure.drop.ts";
-import {
-  AlterTableAddConstraint,
-  AlterTableValidateConstraint,
-} from "./objects/table/changes/table.alter.ts";
+import { AlterTableAddConstraint } from "./objects/table/changes/table.alter.ts";
 import { CreateCommentOnConstraint } from "./objects/table/changes/table.comment.ts";
 import { CreateTable } from "./objects/table/changes/table.create.ts";
 import { DropTable } from "./objects/table/changes/table.drop.ts";
@@ -455,14 +452,6 @@ function buildReplaceChanges(
                       constraint,
                     }),
                   ];
-                  if (!constraint.validated) {
-                    items.push(
-                      new AlterTableValidateConstraint({
-                        table: resolved.branch,
-                        constraint,
-                      }),
-                    );
-                  }
                   if (
                     constraint.comment !== null &&
                     constraint.comment !== undefined

package/src/core/integrations/supabase.test.ts

@@ -0,0 +1,198 @@
+import { describe, expect, test } from "bun:test";
+import type { Change } from "../change.types.ts";
+import { evaluatePattern } from "./filter/dsl.ts";
+import { supabase } from "./supabase.ts";
+
+if (!supabase.filter) {
+  throw new Error("supabase integration is missing a filter");
+}
+const filter = supabase.filter;
+
+/**
+ * Build a synthetic FDW change shaped like what `flattenChange` consumes.
+ * The change carries a `foreignDataWrapper` model whose `handler`/`validator`
+ * are schema-qualified function references (the form
+ * `extractForeignDataWrappers` produces).
+ */
+function fdwChange(
+  operation: "create" | "alter" | "drop",
+  fdw: {
+    name: string;
+    owner: string;
+    handler: string | null;
+    validator: string | null;
+  },
+): Change {
+  return {
+    objectType: "foreign_data_wrapper",
+    operation,
+    scope: "object",
+    foreignDataWrapper: fdw,
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+
+/**
+ * Synthetic FDW privilege change. The three concrete privilege classes
+ * (`GrantForeignDataWrapperPrivileges`, `RevokeForeignDataWrapperPrivileges`,
+ * `RevokeGrantOptionForeignDataWrapperPrivileges`) all extend
+ * `AlterForeignDataWrapperChange`, so their `operation` is `"alter"` in
+ * production. The filter rule we exercise here keys off `scope` only,
+ * but pinning `operation: "alter"` keeps the synthetic shape honest.
+ */
+function fdwPrivilegeChange(fdw: { name: string; owner: string }): Change {
+  return {
+    objectType: "foreign_data_wrapper",
+    operation: "alter",
+    scope: "privilege",
+    foreignDataWrapper: { ...fdw, handler: null, validator: null },
+    grantee: "postgres",
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+
+function serverPrivilegeChange(server: {
+  name: string;
+  owner: string;
+}): Change {
+  return {
+    objectType: "server",
+    operation: "alter",
+    scope: "privilege",
+    server,
+    grantee: "postgres",
+    requires: [],
+    creates: [],
+    drops: [],
+  } as unknown as Change;
+}
+
+describe("supabase integration filter — foreign data wrappers", () => {
+  // Regression for CLI-1470. Wasm-based foreign data wrappers on Supabase
+  // (e.g. `clerk`, `clerk_oauth`) are provisioned at project creation by
+  // `supabase_admin` and their handler/validator live in `extensions.*`.
+  // pg-delta must not emit `CREATE/DROP/ALTER FOREIGN DATA WRAPPER` for
+  // them, even when the FDW owner has been rewritten away from
+  // `supabase_admin` (e.g. after a dump/restore).
+  test("suppresses CREATE for FDW with handler in extensions schema", () => {
+    const change = fdwChange("create", {
+      name: "clerk",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses DROP for FDW with handler in extensions schema", () => {
+    const change = fdwChange("drop", {
+      name: "clerk_oauth",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses ALTER for FDW with handler in extensions schema", () => {
+    const change = fdwChange("alter", {
+      name: "clerk",
+      owner: "postgres",
+      handler: "extensions.wasm_fdw_handler",
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses FDW when only the validator lives in extensions", () => {
+    const change = fdwChange("create", {
+      name: "partial_wasm",
+      owner: "postgres",
+      handler: null,
+      validator: "extensions.wasm_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("preserves user FDW whose handler lives outside extensions", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw",
+      owner: "postgres",
+      handler: "public.my_fdw_handler",
+      validator: "public.my_fdw_validator",
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+
+  test("preserves user FDW with no handler/validator", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw_bare",
+      owner: "postgres",
+      handler: null,
+      validator: null,
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+});
+
+describe("supabase integration filter — foreign data wrapper / server ACLs", () => {
+  // Regression for CLI-1469. `GRANT`/`REVOKE ... ON FOREIGN DATA WRAPPER`
+  // require superuser. On Supabase Cloud `postgres` has the elevated
+  // rights to make them work; the local Docker image does not, so
+  // `supabase db reset` aborts with `permission denied for foreign-data
+  // wrapper`. FDW ACL is platform-managed, not user-declarative state —
+  // suppress regardless of owner because `pg_dump` rewrites OWNER TO
+  // away from `supabase_admin`.
+  test("suppresses FDW ACL when owner=supabase_admin (existing */owner rule)", () => {
+    const change = fdwPrivilegeChange({
+      name: "dblink_fdw",
+      owner: "supabase_admin",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("suppresses FDW ACL when owner=postgres (post-restore)", () => {
+    const change = fdwPrivilegeChange({
+      name: "dblink_fdw",
+      owner: "postgres",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  // FOREIGN SERVER ACL is owner-scoped, not blanket-suppressed:
+  // server GRANT/REVOKE does not require superuser, so a user-owned
+  // server's ACL must roundtrip. The pre-existing `*/owner` rule
+  // already drops platform-managed servers (owner ∈ system roles).
+  test("suppresses server ACL when owner=supabase_admin (existing */owner rule)", () => {
+    const change = serverPrivilegeChange({
+      name: "platform_server",
+      owner: "supabase_admin",
+    });
+    expect(evaluatePattern(filter, change)).toBe(false);
+  });
+
+  test("preserves server ACL when owner=postgres", () => {
+    const change = serverPrivilegeChange({
+      name: "user_dblink_server",
+      owner: "postgres",
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+
+  // Non-privilege FDW changes whose handler/validator aren't in
+  // `extensions.*` should still pass through (a user FDW is plain DDL,
+  // not the platform-managed flavor).
+  test("preserves non-privilege FDW changes for user wrappers", () => {
+    const change = fdwChange("create", {
+      name: "user_fdw",
+      owner: "postgres",
+      handler: "public.my_fdw_handler",
+      validator: null,
+    });
+    expect(evaluatePattern(filter, change)).toBe(true);
+  });
+});

package/src/core/integrations/supabase.ts

@@ -99,6 +99,34 @@ export const supabase: IntegrationDSL = {
         operation: "drop",
         scope: "object",
       },
+      // Include user-attached triggers on tables in Supabase-managed schemas.
+      //
+      // Triggers live in the schema of the table they fire on, so a user
+      // trigger on `auth.users` reports `trigger/schema = auth` and is
+      // otherwise indistinguishable from Supabase's own triggers via the
+      // schema-level deny list. Triggers also have no real owner — pg-delta
+      // surfaces the parent table's owner as `trigger/owner`, which for
+      // `auth.users` and `storage.objects` is always a Supabase system role,
+      // so the owner-level deny list catches them too.
+      //
+      // The trigger function, however, is genuinely user-owned: a customer
+      // who wants to run code on an auth event creates a function in
+      // `public` (or any non-managed schema) and points the trigger at it.
+      // Supabase's own auth/storage triggers either come from extensions
+      // (already filtered out at extract time via `pg_depend`) or call
+      // functions inside the same managed schema, so `function_schema`
+      // outside the managed list is a reliable user-defined marker.
+      {
+        and: [
+          { objectType: "trigger" },
+          { "trigger/schema": [...SUPABASE_SYSTEM_SCHEMAS] },
+          {
+            not: {
+              "trigger/function_schema": [...SUPABASE_SYSTEM_SCHEMAS],
+            },
+          },
+        ],
+      },
       // Exclude system objects
       {
         not: {
@@ -131,6 +159,62 @@ export const supabase: IntegrationDSL = {
                 },
               ],
             },
+            // Platform-managed foreign data wrapper ACL.
+            // `GRANT`/`REVOKE ... ON FOREIGN DATA WRAPPER` requires
+            // superuser. On Supabase Cloud `postgres` has the elevated
+            // rights to make this work, but the local Docker image does
+            // not, so `supabase db reset` aborts with
+            // `permission denied for foreign-data wrapper`. The
+            // `*/owner` rule above already covers wrappers owned by
+            // `supabase_admin`, but `pg_dump` rewrites OWNER TO clauses
+            // to whoever the dump runs under, so after a restore the
+            // FDW typically ends up owned by `postgres` and slips past
+            // the owner gate. A non-superuser `postgres` still can't
+            // grant on a FDW (this is true regardless of who owns the
+            // wrapper locally), so the ACL diff is not user-replayable.
+            // We don't apply the same blanket rule to `FOREIGN SERVER`:
+            // server GRANT/REVOKE doesn't require superuser, and
+            // user-created servers (e.g. a `dblink` server pointing to
+            // a peer DB) carry legitimate user ACL that should
+            // roundtrip — the existing `*/owner` rule already drops
+            // platform-managed servers.
+            {
+              and: [
+                { objectType: "foreign_data_wrapper" },
+                { scope: "privilege" },
+              ],
+            },
+            // Platform-managed foreign data wrappers — Wasm-based FDWs
+            // (e.g. `clerk`, `clerk_oauth`) whose handler/validator live in
+            // the `extensions` schema. `CREATE FOREIGN DATA WRAPPER`
+            // requires superuser, and Supabase Cloud provisions these via
+            // `supabase_admin` at project creation; replaying the DDL
+            // against a local image fails because the local environment
+            // has no equivalent pre-step. We can't rely on the FDW owner
+            // alone — after a dump/restore the owner is often rewritten
+            // away from `supabase_admin` — so match on the function
+            // reference instead.
+            {
+              and: [
+                { objectType: "foreign_data_wrapper" },
+                {
+                  or: [
+                    {
+                      "foreign_data_wrapper/handler": {
+                        op: "regex",
+                        value: "^extensions\\.",
+                      },
+                    },
+                    {
+                      "foreign_data_wrapper/validator": {
+                        op: "regex",
+                        value: "^extensions\\.",
+                      },
+                    },
+                  ],
+                },
+              ],
+            },
           ],
         },
       },

package/src/core/objects/aggregate/changes/aggregate.base.ts

@@ -8,7 +8,7 @@ abstract class BaseAggregateChange extends BaseChange {
     | "comment"
     | "privilege"
     | "security_label";
-  readonly objectType: "aggregate" = "aggregate";
+  readonly objectType = "aggregate" as const;
 }
 
 export abstract class CreateAggregateChange extends BaseAggregateChange {

package/src/core/objects/aggregate/changes/aggregate.privilege.test.ts

@@ -92,6 +92,85 @@ describe("aggregate.privilege", () => {
     );
   });
 
+  // Regression for CLI-1471: ordered-set / hypothetical-set / variadic
+  // aggregates have `identity_arguments` that include `ORDER BY` or
+  // `VARIADIC` keywords. Those keywords are rejected by
+  // `GRANT ... ON FUNCTION (...)` (only positional argument types are
+  // accepted there), so the serializer must drop back to the
+  // `proargtypes`-derived `argument_types` list.
+  test("grant on ordered-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "os_last",
+      aggkind: "o",
+      identity_arguments: "anyelement ORDER BY anyelement",
+      argument_types: ["anyelement", "anyelement"],
+      return_type: "anyelement",
+      transition_function: "public.os_last_sfunc(anyelement,anyelement)",
+      state_data_type: "anyelement",
+      argument_count: 2,
+    });
+    const change = new GrantAggregatePrivileges({
+      aggregate,
+      grantee: "role_exec",
+      privileges: [{ privilege: "EXECUTE", grantable: false }],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "GRANT ALL ON FUNCTION public.os_last(anyelement, anyelement) TO role_exec",
+    );
+  });
+
+  test("revoke on hypothetical-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "hyp_rank",
+      aggkind: "h",
+      identity_arguments: 'VARIADIC "any" ORDER BY VARIADIC "any"',
+      argument_types: ['"any"'],
+      return_type: "bigint",
+      transition_function:
+        'pg_catalog.ordered_set_transition_multi(internal,"any")',
+      state_data_type: "internal",
+      argument_count: 1,
+    });
+    const change = new RevokeAggregatePrivileges({
+      aggregate,
+      grantee: "role_old",
+      privileges: [{ privilege: "EXECUTE", grantable: false }],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      'REVOKE ALL ON FUNCTION public.hyp_rank("any") FROM role_old',
+    );
+  });
+
+  test("revoke grant option on ordered-set aggregate emits proargtypes signature", async () => {
+    const aggregate = new Aggregate({
+      ...base,
+      name: "os_last",
+      aggkind: "o",
+      identity_arguments: "anyelement ORDER BY anyelement",
+      argument_types: ["anyelement", "anyelement"],
+      return_type: "anyelement",
+      transition_function: "public.os_last_sfunc(anyelement,anyelement)",
+      state_data_type: "anyelement",
+      argument_count: 2,
+    });
+    const change = new RevokeGrantOptionAggregatePrivileges({
+      aggregate,
+      grantee: "role_with_option",
+      privilegeNames: ["EXECUTE"],
+      version: 170000,
+    });
+    await assertValidSql(change.serialize());
+    expect(change.serialize()).toBe(
+      "REVOKE GRANT OPTION FOR ALL ON FUNCTION public.os_last(anyelement, anyelement) FROM role_with_option",
+    );
+  });
+
   test("revoke privileges and grant option", async () => {
     const aggregate = new Aggregate(base);
     const revoke = new RevokeAggregatePrivileges({

package/src/core/objects/aggregate/changes/aggregate.privilege.ts

@@ -12,6 +12,25 @@ export type AggregatePrivilege =
   | RevokeAggregatePrivileges
   | RevokeGrantOptionAggregatePrivileges;
 
+/**
+ * Build the signature `<schema>.<name>(<argtypes>)` for use inside
+ * `GRANT`/`REVOKE ... ON FUNCTION (...)`.
+ *
+ * The aggregate's `identityArguments` (from
+ * `pg_get_function_identity_arguments`) embeds `ORDER BY` for ordered-set
+ * and hypothetical-set aggregates (`aggkind` of `o`/`h`) and `VARIADIC`
+ * for variadic aggregates — both of which the GRANT parser rejects with
+ * a syntax error. PostgreSQL resolves the aggregate from the positional
+ * argument types alone, so use `argument_types` here regardless of
+ * `aggkind`. Other aggregate DDL (`ALTER AGGREGATE`, `COMMENT ON
+ * AGGREGATE`, `SECURITY LABEL ON AGGREGATE`, `DROP AGGREGATE`) accepts
+ * the identity form and keeps using it.
+ */
+function aggregateGrantSignature(aggregate: Aggregate): string {
+  const args = (aggregate.argument_types ?? []).join(", ");
+  return `${aggregate.schema}.${aggregate.name}(${args})`;
+}
+
 export class GrantAggregatePrivileges extends AlterAggregateChange {
   public readonly aggregate: Aggregate;
   public readonly grantee: string;
@@ -52,9 +71,7 @@ export class GrantAggregatePrivileges extends AlterAggregateChange {
     const kindPrefix = getObjectKindPrefix("FUNCTION");
     const list = this.privileges.map((p) => p.privilege);
     const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `GRANT ${privSql} ${kindPrefix} ${qualified} TO ${this.grantee}${withGrant}`;
   }
 }
@@ -97,9 +114,7 @@ export class RevokeAggregatePrivileges extends AlterAggregateChange {
     const kindPrefix = getObjectKindPrefix("FUNCTION");
     const list = this.privileges.map((p) => p.privilege);
     const privSql = formatObjectPrivilegeList("FUNCTION", list, this.version);
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `REVOKE ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
   }
 }
@@ -139,9 +154,7 @@ export class RevokeGrantOptionAggregatePrivileges extends AlterAggregateChange {
       this.privilegeNames,
       this.version,
     );
-    const aggregateName = `${this.aggregate.schema}.${this.aggregate.name}`;
-    const signature = this.aggregate.identityArguments;
-    const qualified = `${aggregateName}(${signature})`;
+    const qualified = aggregateGrantSignature(this.aggregate);
     return `REVOKE GRANT OPTION FOR ${privSql} ${kindPrefix} ${qualified} FROM ${this.grantee}`;
   }
 }

package/src/core/objects/collation/changes/collation.base.ts

@@ -4,7 +4,7 @@ import type { Collation } from "../collation.model.ts";
 abstract class BaseCollationChange extends BaseChange {
   abstract readonly collation: Collation;
   abstract readonly scope: "object" | "comment";
-  readonly objectType: "collation" = "collation";
+  readonly objectType = "collation" as const;
 }
 
 export abstract class CreateCollationChange extends BaseCollationChange {

package/src/core/objects/domain/changes/domain.base.ts

@@ -8,7 +8,7 @@ abstract class BaseDomainChange extends BaseChange {
     | "comment"
     | "privilege"
     | "security_label";
-  readonly objectType: "domain" = "domain";
+  readonly objectType = "domain" as const;
 }
 
 export abstract class CreateDomainChange extends BaseDomainChange {

package/src/core/objects/extension/changes/extension.base.ts

@@ -4,7 +4,7 @@ import type { Extension } from "../extension.model.ts";
 abstract class BaseExtensionChange extends BaseChange {
   abstract readonly extension: Extension;
   abstract readonly scope: "object" | "comment";
-  readonly objectType: "extension" = "extension";
+  readonly objectType = "extension" as const;
 }
 
 export abstract class CreateExtensionChange extends BaseExtensionChange {

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.alter.test.ts

@@ -120,17 +120,47 @@ describe.concurrent("foreign-data-wrapper", () => {
       const change = new AlterForeignDataWrapperSetOptions({
         foreignDataWrapper: fdw,
         options: [
-          { action: "ADD", option: "new_option", value: "new_value" },
-          { action: "SET", option: "existing_option", value: "updated_value" },
-          { action: "DROP", option: "old_option" },
+          { action: "ADD", option: "use_remote_estimate", value: "true" },
+          { action: "SET", option: "fetch_size", value: "200" },
+          { action: "DROP", option: "fdw_tuple_cost" },
         ],
       });
 
       await assertValidSql(change.serialize());
 
       expect(change.serialize()).toBe(
-        "ALTER FOREIGN DATA WRAPPER test_fdw OPTIONS (ADD new_option 'new_value', SET existing_option 'updated_value', DROP old_option)",
+        "ALTER FOREIGN DATA WRAPPER test_fdw OPTIONS (ADD use_remote_estimate 'true', SET fetch_size '200', DROP fdw_tuple_cost)",
       );
     });
+
+    test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+      const props: ForeignDataWrapperProps = {
+        name: "leaky_fdw",
+        owner: "postgres",
+        handler: null,
+        validator: null,
+        options: null,
+        comment: null,
+        privileges: [],
+      };
+      const fdw = new ForeignDataWrapper(props);
+      const change = new AlterForeignDataWrapperSetOptions({
+        foreignDataWrapper: fdw,
+        options: [
+          { action: "ADD", option: "password", value: "shared-fdw-secret" },
+          { action: "SET", option: "use_remote_estimate", value: "true" },
+          { action: "ADD", option: "api_key", value: "leaked-api-key" },
+        ],
+      });
+
+      await assertValidSql(change.serialize());
+
+      const sql = change.serialize();
+      expect(sql).not.toContain("shared-fdw-secret");
+      expect(sql).not.toContain("leaked-api-key");
+      expect(sql).toContain("SET use_remote_estimate 'true'");
+      expect(sql).toContain("ADD password '__OPTION_PASSWORD__'");
+      expect(sql).toContain("ADD api_key '__OPTION_API_KEY__'");
+    });
   });
 });

package/src/core/objects/foreign-data-wrapper/foreign-data-wrapper/changes/foreign-data-wrapper.alter.ts

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { ForeignDataWrapper } from "../foreign-data-wrapper.model.ts";
 import { AlterForeignDataWrapperChange } from "./foreign-data-wrapper.base.ts";
 
@@ -87,7 +88,10 @@ export class AlterForeignDataWrapperSetOptions extends AlterForeignDataWrapperCh
       if (opt.action === "DROP") {
         optionParts.push(`DROP ${opt.option}`);
       } else {
-        const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+        const value =
+          opt.value !== undefined
+            ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+            : "''";
         optionParts.push(`${opt.action} ${opt.option} ${value}`);
       }
     }