npm - @supabase/pg-delta - Versions diffs - 1.0.0-alpha.24 → 1.0.0-alpha.26 - Mend

@supabase/pg-delta 1.0.0-alpha.24 → 1.0.0-alpha.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/src/core/objects/foreign-data-wrapper/server/server.model.ts CHANGED Viewed

@@ -80,6 +80,16 @@ export class Server extends BasePgModel {
   }
 }
+/**
+ * Extract `pg_foreign_server` rows into `Server` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_foreign_server.srvoptions`, which means cleartext secrets like
+ * `password` are present in memory. Always route through
+ * `extractCatalog` (which calls `normalizeCatalog`) before emitting
+ * options to any output channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractServers(pool: Pool): Promise<Server[]> {
   const { rows: serverRows } = await pool.query<ServerProps>(sql`
       select

package/src/core/objects/foreign-data-wrapper/user-mapping/changes/user-mapping.alter.test.ts CHANGED Viewed

@@ -23,10 +23,43 @@ describe.concurrent("user-mapping", () => {
       await assertValidSql(change.serialize());
       expect(change.serialize()).toBe(
-        "ALTER USER MAPPING FOR test_user SERVER test_server OPTIONS (ADD user 'remote_user', ADD password 'secret')",
+        "ALTER USER MAPPING FOR test_user SERVER test_server OPTIONS (ADD user 'remote_user', ADD password '__OPTION_PASSWORD__')",
       );
     });
+    test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+      const props: UserMappingProps = {
+        user: "postgres",
+        server: "live_risk_server",
+        options: null,
+      };
+      const userMapping = new UserMapping(props);
+      const change = new AlterUserMappingSetOptions({
+        userMapping,
+        options: [
+          { action: "ADD", option: "password", value: "real-user-password" },
+          { action: "SET", option: "user", value: "fdw_reader" },
+          {
+            action: "ADD",
+            option: "passfile",
+            value: "/etc/secrets/passfile",
+          },
+          { action: "SET", option: "sslpassword", value: "ssl-secret" },
+        ],
+      });
+      await assertValidSql(change.serialize());
+      const sql = change.serialize();
+      expect(sql).not.toContain("real-user-password");
+      expect(sql).not.toContain("/etc/secrets/passfile");
+      expect(sql).not.toContain("ssl-secret");
+      expect(sql).toContain("SET user 'fdw_reader'");
+      expect(sql).toContain("ADD password '__OPTION_PASSWORD__'");
+      expect(sql).toContain("ADD passfile '__OPTION_PASSFILE__'");
+      expect(sql).toContain("SET sslpassword '__OPTION_SSLPASSWORD__'");
+    });
     test("set options SET", async () => {
       const props: UserMappingProps = {
         user: "test_user",
@@ -42,7 +75,7 @@ describe.concurrent("user-mapping", () => {
       await assertValidSql(change.serialize());
       expect(change.serialize()).toBe(
-        "ALTER USER MAPPING FOR test_user SERVER test_server OPTIONS (SET password 'new_secret')",
+        "ALTER USER MAPPING FOR test_user SERVER test_server OPTIONS (SET password '__OPTION_PASSWORD__')",
       );
     });
@@ -75,16 +108,16 @@ describe.concurrent("user-mapping", () => {
       const change = new AlterUserMappingSetOptions({
         userMapping,
         options: [
-          { action: "ADD", option: "new_option", value: "new_value" },
-          { action: "SET", option: "existing_option", value: "updated_value" },
-          { action: "DROP", option: "old_option" },
+          { action: "ADD", option: "user", value: "remote_user" },
+          { action: "SET", option: "sslmode", value: "require" },
+          { action: "DROP", option: "application_name" },
         ],
       });
       await assertValidSql(change.serialize());
       expect(change.serialize()).toBe(
-        "ALTER USER MAPPING FOR PUBLIC SERVER test_server OPTIONS (ADD new_option 'new_value', SET existing_option 'updated_value', DROP old_option)",
+        "ALTER USER MAPPING FOR PUBLIC SERVER test_server OPTIONS (ADD user 'remote_user', SET sslmode 'require', DROP application_name)",
       );
     });
   });

package/src/core/objects/foreign-data-wrapper/user-mapping/changes/user-mapping.alter.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { UserMapping } from "../user-mapping.model.ts";
 import { AlterUserMappingChange } from "./user-mapping.base.ts";
@@ -53,7 +54,10 @@ export class AlterUserMappingSetOptions extends AlterUserMappingChange {
       if (opt.action === "DROP") {
         optionParts.push(`DROP ${opt.option}`);
       } else {
-        const value = opt.value !== undefined ? quoteLiteral(opt.value) : "''";
+        const value =
+          opt.value !== undefined
+            ? quoteLiteral(redactOptionValue(opt.option, opt.value))
+            : "''";
         optionParts.push(`${opt.action} ${opt.option} ${value}`);
       }
     }

package/src/core/objects/foreign-data-wrapper/user-mapping/changes/user-mapping.base.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import type { UserMapping } from "../user-mapping.model.ts";
 abstract class BaseUserMappingChange extends BaseChange {
   abstract readonly userMapping: UserMapping;
   abstract readonly scope: "object";
-  readonly objectType: "user_mapping" = "user_mapping";
+  readonly objectType = "user_mapping" as const;
 }
 export abstract class CreateUserMappingChange extends BaseUserMappingChange {

package/src/core/objects/foreign-data-wrapper/user-mapping/changes/user-mapping.create.test.ts CHANGED Viewed

@@ -72,7 +72,7 @@ describe("user-mapping", () => {
     await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
-      "CREATE USER MAPPING FOR test_user SERVER test_server OPTIONS (user 'remote_user', password 'secret')",
+      "CREATE USER MAPPING FOR test_user SERVER test_server OPTIONS (user 'remote_user', password '__OPTION_PASSWORD__')",
     );
   });
@@ -90,7 +90,43 @@ describe("user-mapping", () => {
     await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
-      "CREATE USER MAPPING FOR PUBLIC SERVER test_server OPTIONS (user 'remote_user', password 'secret')",
+      "CREATE USER MAPPING FOR PUBLIC SERVER test_server OPTIONS (user 'remote_user', password '__OPTION_PASSWORD__')",
     );
   });
+  test("redacts sensitive option values to prevent secret leakage (CLI-1467)", async () => {
+    const userMapping = new UserMapping({
+      user: "postgres",
+      server: "live_risk_server",
+      options: [
+        "user",
+        "fdw_reader",
+        "password",
+        "real-user-password",
+        "passfile",
+        "/etc/secrets/passfile",
+        "sslpassword",
+        "ssl-secret",
+        "passcode",
+        "krb-passcode",
+      ],
+    });
+    const change = new CreateUserMapping({
+      userMapping,
+    });
+    await assertValidSql(change.serialize());
+    const sql = change.serialize();
+    expect(sql).not.toContain("real-user-password");
+    expect(sql).not.toContain("/etc/secrets/passfile");
+    expect(sql).not.toContain("ssl-secret");
+    expect(sql).not.toContain("krb-passcode");
+    expect(sql).toContain("user 'fdw_reader'");
+    expect(sql).toContain("password '__OPTION_PASSWORD__'");
+    expect(sql).toContain("passfile '__OPTION_PASSFILE__'");
+    expect(sql).toContain("sslpassword '__OPTION_SSLPASSWORD__'");
+    expect(sql).toContain("passcode '__OPTION_PASSCODE__'");
+  });
 });

package/src/core/objects/foreign-data-wrapper/user-mapping/changes/user-mapping.create.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { SerializeOptions } from "../../../../integrations/serialize/serialize.types.ts";
 import { quoteLiteral } from "../../../base.change.ts";
 import { stableId } from "../../../utils.ts";
+import { redactOptionValue } from "../../sensitive-options.ts";
 import type { UserMapping } from "../user-mapping.model.ts";
 import { CreateUserMappingChange } from "./user-mapping.base.ts";
@@ -51,11 +52,12 @@ export class CreateUserMapping extends CreateUserMappingChange {
     if (this.userMapping.options && this.userMapping.options.length > 0) {
       const optionPairs: string[] = [];
       for (let i = 0; i < this.userMapping.options.length; i += 2) {
-        if (i + 1 < this.userMapping.options.length) {
-          optionPairs.push(
-            `${this.userMapping.options[i]} ${quoteLiteral(this.userMapping.options[i + 1])}`,
-          );
-        }
+        const key = this.userMapping.options[i];
+        const value = this.userMapping.options[i + 1];
+        if (key === undefined || value === undefined) continue;
+        optionPairs.push(
+          `${key} ${quoteLiteral(redactOptionValue(key, value))}`,
+        );
       }
       if (optionPairs.length > 0) {
         parts.push(`OPTIONS (${optionPairs.join(", ")})`);

package/src/core/objects/foreign-data-wrapper/user-mapping/user-mapping.model.ts CHANGED Viewed

@@ -56,6 +56,16 @@ export class UserMapping extends BasePgModel {
   }
 }
+/**
+ * Extract `pg_user_mapping` rows into `UserMapping` models.
+ *
+ * The returned models carry option values **verbatim** from
+ * `pg_user_mapping.umoptions`, which means cleartext secrets like
+ * `password` are present in memory. Always route through
+ * `extractCatalog` (which calls `normalizeCatalog`) before emitting
+ * options to any output channel — see CLI-1467 and
+ * `packages/pg-delta/src/core/objects/foreign-data-wrapper/sensitive-options.ts`.
+ */
 export async function extractUserMappings(pool: Pool): Promise<UserMapping[]> {
   const { rows: mappingRows } = await pool.query<UserMappingProps>(sql`
       select

package/src/core/objects/index/changes/index.base.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import type { Index } from "../index.model.ts";
 abstract class BaseIndexChange extends BaseChange {
   abstract readonly index: Index;
   abstract readonly scope: "object" | "comment";
-  readonly objectType: "index" = "index";
+  readonly objectType = "index" as const;
 }
 export abstract class CreateIndexChange extends BaseIndexChange {

package/src/core/objects/language/changes/language.base.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import type { Language } from "../language.model.ts";
 abstract class BaseLanguageChange extends BaseChange {
   abstract readonly language: Language;
   abstract readonly scope: "object" | "comment" | "privilege";
-  readonly objectType: "language" = "language";
+  readonly objectType = "language" as const;
 }
 export abstract class CreateLanguageChange extends BaseLanguageChange {

package/src/core/objects/materialized-view/changes/materialized-view.base.ts CHANGED Viewed

@@ -8,7 +8,7 @@ abstract class BaseMaterializedViewChange extends BaseChange {
     | "comment"
     | "privilege"
     | "security_label";
-  readonly objectType: "materialized_view" = "materialized_view";
+  readonly objectType = "materialized_view" as const;
 }
 export abstract class CreateMaterializedViewChange extends BaseMaterializedViewChange {

package/src/core/objects/procedure/changes/procedure.base.ts CHANGED Viewed

@@ -8,7 +8,7 @@ abstract class BaseProcedureChange extends BaseChange {
     | "comment"
     | "privilege"
     | "security_label";
-  readonly objectType: "procedure" = "procedure";
+  readonly objectType = "procedure" as const;
 }
 export abstract class CreateProcedureChange extends BaseProcedureChange {

package/src/core/objects/rls-policy/changes/rls-policy.base.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import type { RlsPolicy } from "../rls-policy.model.ts";
 abstract class BaseRlsPolicyChange extends BaseChange {
   abstract readonly policy: RlsPolicy;
   abstract readonly scope: "object" | "comment";
-  readonly objectType: "rls_policy" = "rls_policy";
+  readonly objectType = "rls_policy" as const;
 }
 export abstract class CreateRlsPolicyChange extends BaseRlsPolicyChange {

package/src/core/objects/role/changes/role.base.ts CHANGED Viewed

@@ -9,7 +9,7 @@ abstract class BaseRoleChange extends BaseChange {
     | "membership"
     | "default_privilege"
     | "security_label";
-  readonly objectType: "role" = "role";
+  readonly objectType = "role" as const;
 }
 export abstract class CreateRoleChange extends BaseRoleChange {

package/src/core/objects/schema/changes/schema.base.ts CHANGED Viewed

@@ -8,7 +8,7 @@ abstract class BaseSchemaChange extends BaseChange {
     | "comment"
     | "privilege"
     | "security_label";
-  readonly objectType: "schema" = "schema";
+  readonly objectType = "schema" as const;
 }
 export abstract class CreateSchemaChange extends BaseSchemaChange {

package/src/core/objects/sequence/changes/sequence.base.ts CHANGED Viewed

@@ -8,7 +8,7 @@ abstract class BaseSequenceChange extends BaseChange {
     | "comment"
     | "privilege"
     | "security_label";
-  readonly objectType: "sequence" = "sequence";
+  readonly objectType = "sequence" as const;
 }
 export abstract class CreateSequenceChange extends BaseSequenceChange {

package/src/core/objects/table/changes/table.base.ts CHANGED Viewed

@@ -8,7 +8,7 @@ abstract class BaseTableChange extends BaseChange {
     | "comment"
     | "privilege"
     | "security_label";
-  readonly objectType: "table" = "table";
+  readonly objectType = "table" as const;
 }
 export abstract class CreateTableChange extends BaseTableChange {

package/src/core/objects/table/changes/table.comment.ts CHANGED Viewed

@@ -179,10 +179,7 @@ export class CreateCommentOnConstraint extends CreateTableChange {
   public readonly constraint: TableConstraintProps;
   public readonly scope = "comment" as const;
-  constructor(props: {
-    table: Table;
-    constraint: TableConstraintProps;
-  }) {
+  constructor(props: { table: Table; constraint: TableConstraintProps }) {
     super();
     this.table = props.table;
     this.constraint = props.constraint;
@@ -228,10 +225,7 @@ export class DropCommentOnConstraint extends DropTableChange {
   public readonly constraint: TableConstraintProps;
   public readonly scope = "comment" as const;
-  constructor(props: {
-    table: Table;
-    constraint: TableConstraintProps;
-  }) {
+  constructor(props: { table: Table; constraint: TableConstraintProps }) {
     super();
     this.table = props.table;
     this.constraint = props.constraint;

package/src/core/objects/table/table.diff.test.ts CHANGED Viewed

@@ -75,7 +75,7 @@ describe.concurrent("table.diff", () => {
     expect(dropped[0]).toBeInstanceOf(DropTable);
   });
-  test("created NOT VALID CHECK emits AddConstraint + ValidateConstraint", () => {
+  test("created NOT VALID CHECK emits AddConstraint only (no Validate)", () => {
     const main = new Table({
       ...base,
       name: "t_nv",
@@ -102,6 +102,7 @@ describe.concurrent("table.diff", () => {
       constraints: [],
     });
     const branch = new Table({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...main,
       constraints: [
         {
@@ -132,20 +133,208 @@ describe.concurrent("table.diff", () => {
           match_type: null,
           check_expression: "a > 0",
           owner: "o1",
+          definition: "CHECK (a > 0) NOT VALID",
+        },
+      ],
+    });
+    const changes = diffTables(
+      testContext,
+      { [main.stableId]: main },
+      { [branch.stableId]: branch },
+    );
+    const add = changes.find((c) => c instanceof AlterTableAddConstraint);
+    expect(add).toBeInstanceOf(AlterTableAddConstraint);
+    expect(add?.serialize()).toContain("NOT VALID");
+    expect(changes.some((c) => c instanceof AlterTableValidateConstraint)).toBe(
+      false,
+    );
+  });
+  test("NOT VALID -> validated emits only VALIDATE CONSTRAINT (no drop+add)", () => {
+    const sharedConstraint = {
+      name: "ck_nv",
+      constraint_type: "c" as const,
+      deferrable: false,
+      initially_deferred: false,
+      is_local: true,
+      no_inherit: false,
+      is_temporal: false,
+      is_partition_clone: false,
+      parent_constraint_schema: null,
+      parent_constraint_name: null,
+      parent_table_schema: null,
+      parent_table_name: null,
+      key_columns: [],
+      foreign_key_columns: null,
+      foreign_key_table: null,
+      foreign_key_schema: null,
+      foreign_key_table_is_partition: null,
+      foreign_key_parent_schema: null,
+      foreign_key_parent_table: null,
+      foreign_key_effective_schema: null,
+      foreign_key_effective_table: null,
+      on_update: null,
+      on_delete: null,
+      match_type: null,
+      check_expression: "a > 0",
+      owner: "o1",
+      comment: null,
+    };
+    const main = new Table({
+      ...base,
+      name: "t_nv",
+      columns: [
+        {
+          name: "a",
+          position: 1,
+          data_type: "integer",
+          data_type_str: "integer",
+          is_custom_type: false,
+          custom_type_type: null,
+          custom_type_category: null,
+          custom_type_schema: null,
+          custom_type_name: null,
+          not_null: false,
+          is_identity: false,
+          is_identity_always: false,
+          is_generated: false,
+          collation: null,
+          default: null,
+          comment: null,
+        },
+      ],
+      constraints: [
+        {
+          ...sharedConstraint,
+          validated: false,
+          definition: "CHECK (a > 0) NOT VALID",
+        },
+      ],
+    });
+    const branch = new Table({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...main,
+      constraints: [
+        {
+          ...sharedConstraint,
+          validated: true,
           definition: "CHECK (a > 0)",
         },
       ],
     });
+    const changes = diffTables(
+      testContext,
+      { [main.stableId]: main },
+      { [branch.stableId]: branch },
+    );
+    const validate = changes.find(
+      (c) => c instanceof AlterTableValidateConstraint,
+    );
+    expect(validate).toBeInstanceOf(AlterTableValidateConstraint);
+    expect(validate?.serialize()).toMatchInlineSnapshot(
+      `"ALTER TABLE public.t_nv VALIDATE CONSTRAINT ck_nv"`,
+    );
+    expect(changes.some((c) => c instanceof AlterTableDropConstraint)).toBe(
+      false,
+    );
+    expect(changes.some((c) => c instanceof AlterTableAddConstraint)).toBe(
+      false,
+    );
+  });
+  test("NOT VALID -> validated + other field change still drops+adds (no shortcut)", () => {
+    const sharedConstraint = {
+      name: "ck_nv",
+      constraint_type: "c" as const,
+      deferrable: false,
+      initially_deferred: false,
+      is_local: true,
+      no_inherit: false,
+      is_temporal: false,
+      is_partition_clone: false,
+      parent_constraint_schema: null,
+      parent_constraint_name: null,
+      parent_table_schema: null,
+      parent_table_name: null,
+      key_columns: [],
+      foreign_key_columns: null,
+      foreign_key_table: null,
+      foreign_key_schema: null,
+      foreign_key_table_is_partition: null,
+      foreign_key_parent_schema: null,
+      foreign_key_parent_table: null,
+      foreign_key_effective_schema: null,
+      foreign_key_effective_table: null,
+      on_update: null,
+      on_delete: null,
+      match_type: null,
+      owner: "o1",
+      comment: null,
+    };
+    const main = new Table({
+      ...base,
+      name: "t_nv",
+      columns: [
+        {
+          name: "a",
+          position: 1,
+          data_type: "integer",
+          data_type_str: "integer",
+          is_custom_type: false,
+          custom_type_type: null,
+          custom_type_category: null,
+          custom_type_schema: null,
+          custom_type_name: null,
+          not_null: false,
+          is_identity: false,
+          is_identity_always: false,
+          is_generated: false,
+          collation: null,
+          default: null,
+          comment: null,
+        },
+      ],
+      constraints: [
+        {
+          ...sharedConstraint,
+          validated: false,
+          check_expression: "a > 0",
+          definition: "CHECK (a > 0) NOT VALID",
+        },
+      ],
+    });
+    const branch = new Table({
+      // oxlint-disable-next-line typescript/no-misused-spread
+      ...main,
+      constraints: [
+        {
+          ...sharedConstraint,
+          validated: true,
+          check_expression: "a > 1",
+          definition: "CHECK (a > 1)",
+        },
+      ],
+    });
     const changes = diffTables(
       testContext,
       { [main.stableId]: main },
       { [branch.stableId]: branch },
     );
+    expect(changes.some((c) => c instanceof AlterTableDropConstraint)).toBe(
+      true,
+    );
     expect(changes.some((c) => c instanceof AlterTableAddConstraint)).toBe(
       true,
     );
     expect(changes.some((c) => c instanceof AlterTableValidateConstraint)).toBe(
-      true,
+      false,
     );
   });
@@ -362,7 +551,7 @@ describe.concurrent("table.diff", () => {
       true,
     );
     expect(created.some((c) => c instanceof AlterTableValidateConstraint)).toBe(
-      true,
+      false,
     );
     const dropped = diffTables(
@@ -480,6 +669,7 @@ describe.concurrent("table.diff", () => {
       ],
     });
     const tBranch = new Table({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...tMain,
       constraints: [
         {
@@ -501,7 +691,7 @@ describe.concurrent("table.diff", () => {
     );
   });
-  test("altered foreign key properties triggers drop+add and validate when not validated", () => {
+  test("altered foreign key to NOT VALID triggers drop+add without validate", () => {
     const tMain = new Table({
       ...base,
       name: "t_fk",
@@ -559,12 +749,14 @@ describe.concurrent("table.diff", () => {
       ],
     });
     const tBranch = new Table({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...tMain,
       constraints: [
         {
           ...(tMain.constraints[0] as (typeof tMain.constraints)[number]),
           on_delete: "c",
           validated: false,
+          definition: "FOREIGN KEY (a) REFERENCES other(a) NOT VALID",
         },
       ],
     });
@@ -606,7 +798,7 @@ describe.concurrent("table.diff", () => {
       true,
     );
     expect(changes.some((c) => c instanceof AlterTableValidateConstraint)).toBe(
-      true,
+      false,
     );
   });
@@ -686,6 +878,7 @@ describe.concurrent("table.diff", () => {
       ],
     });
     const tBranch = new Table({
+      // oxlint-disable-next-line typescript/no-misused-spread
       ...tMain,
       constraints: [
         {