@supabase/pg-delta 1.0.0-alpha.4 → 1.0.0-alpha.6

package/dist/core/plan/sql-format/keyword-case.js

@@ -198,6 +198,27 @@ const STRUCTURAL_TOP_LEVEL_KEYWORDS = new Set([
     "WRAPPER",
     "MAPPING",
 ]);
+const EMPTY_SCOPED_SET = new Set();
+const ALTER_DEFAULT_PRIVILEGES_KEYWORDS = new Set([
+    "PUBLIC",
+    "SEQUENCES",
+    "ROUTINES",
+    "TYPES",
+    "SCHEMAS",
+]);
+const GRANT_REVOKE_KEYWORDS = new Set(["PUBLIC"]);
+function getStatementScopedKeywords(topLevelTokens) {
+    const first = topLevelTokens[0]?.token.upper;
+    const second = topLevelTokens[1]?.token.upper;
+    const third = topLevelTokens[2]?.token.upper;
+    if (first === "ALTER" && second === "DEFAULT" && third === "PRIVILEGES") {
+        return ALTER_DEFAULT_PRIVILEGES_KEYWORDS;
+    }
+    if (first === "GRANT" || first === "REVOKE") {
+        return GRANT_REVOKE_KEYWORDS;
+    }
+    return EMPTY_SCOPED_SET;
+}
 const ALTER_TYPE_BOUNDARY_KEYWORDS = new Set([
     "COLLATE",
     "USING",
@@ -259,6 +280,7 @@ function collectCaseableTokenStarts(statement, tokens) {
     if (topLevelTokens.length === 0)
         return caseable;
     const command = topLevelTokens[0].token.upper;
+    const scopedKeywords = getStatementScopedKeywords(topLevelTokens);
     const objectNameTokenIndexes = new Set();
     for (let topIndex = 0; topIndex < topLevelTokens.length; topIndex += 1) {
         if (isLikelyObjectNameToken(command, topLevelTokens, topIndex)) {
@@ -268,7 +290,7 @@ function collectCaseableTokenStarts(statement, tokens) {
     for (let index = 0; index < tokens.length; index += 1) {
         const token = tokens[index];
         const upper = token.upper;
-        if (!STRUCTURAL_TOP_LEVEL_KEYWORDS.has(upper))
+        if (!STRUCTURAL_TOP_LEVEL_KEYWORDS.has(upper) && !scopedKeywords.has(upper))
             continue;
         if (objectNameTokenIndexes.has(index))
             continue;
@@ -379,6 +401,9 @@ function isCaseableInContext(command, upper, prev) {
     if (upper === "IDENTITY") {
         return prev === "REPLICA" || prev === "AS";
     }
+    if (upper === "PUBLIC") {
+        return prev === "TO" || prev === "FROM";
+    }
     if (upper === "OR") {
         return true;
     }

package/dist/core/plan/ssl-config.d.ts

@@ -0,0 +1,32 @@
+/**
+ * SSL configuration parsing for PostgreSQL connection URLs.
+ *
+ * Supports sslmode and certificate paths (URL params or env). Used by plan,
+ * apply, and catalog-export when connecting to source/target databases.
+ */
+/** Parsed SSL options for the pg client plus URL with SSL params stripped (internal). */
+type SslConfig = {
+    ssl?: boolean | {
+        rejectUnauthorized: boolean;
+        ca?: string;
+        cert?: string;
+        key?: string;
+        /**
+         * Custom server identity check function.
+         * Used to skip hostname verification for verify-ca mode.
+         * Returns undefined to indicate success (no error).
+         */
+        checkServerIdentity?: () => undefined;
+    };
+    cleanedUrl: string;
+};
+/**
+ * Parse SSL configuration from a PostgreSQL connection URL.
+ * Supports sslmode (require, verify-ca, verify-full, prefer, disable).
+ * Certificates can be provided via:
+ * - Query string parameters (file paths): sslrootcert, sslcert, sslkey (preferred)
+ * - Environment variables (content): PGDELTA_SOURCE_SSLROOTCERT/SSLCERT/SSLKEY or PGDELTA_TARGET_SSLROOTCERT/SSLCERT/SSLKEY
+ * Returns SSL options for the postgres.js library and a cleaned URL without SSL-related query parameters.
+ */
+export declare function parseSslConfig(url: string, connectionType: "source" | "target"): Promise<SslConfig>;
+export {};

package/dist/core/plan/ssl-config.js

@@ -0,0 +1,115 @@
+/**
+ * SSL configuration parsing for PostgreSQL connection URLs.
+ *
+ * Supports sslmode and certificate paths (URL params or env). Used by plan,
+ * apply, and catalog-export when connecting to source/target databases.
+ */
+import { readFile } from "node:fs/promises";
+/**
+ * Parse SSL configuration from a PostgreSQL connection URL.
+ * Supports sslmode (require, verify-ca, verify-full, prefer, disable).
+ * Certificates can be provided via:
+ * - Query string parameters (file paths): sslrootcert, sslcert, sslkey (preferred)
+ * - Environment variables (content): PGDELTA_SOURCE_SSLROOTCERT/SSLCERT/SSLKEY or PGDELTA_TARGET_SSLROOTCERT/SSLCERT/SSLKEY
+ * Returns SSL options for the postgres.js library and a cleaned URL without SSL-related query parameters.
+ */
+export async function parseSslConfig(url, connectionType) {
+    const urlObj = new URL(url);
+    const sslmode = urlObj.searchParams.get("sslmode");
+    const sslrootcert = urlObj.searchParams.get("sslrootcert");
+    const sslcert = urlObj.searchParams.get("sslcert");
+    const sslkey = urlObj.searchParams.get("sslkey");
+    // Remove SSL-related query parameters since we parse them ourselves
+    urlObj.searchParams.delete("sslmode");
+    urlObj.searchParams.delete("sslrootcert");
+    urlObj.searchParams.delete("sslcert");
+    urlObj.searchParams.delete("sslkey");
+    const cleanedUrl = urlObj.toString();
+    // Handle different SSL modes
+    if (sslmode === "disable") {
+        return { cleanedUrl, ssl: false };
+    }
+    if (sslmode === "require" ||
+        sslmode === "prefer" ||
+        sslmode === "verify-ca" ||
+        sslmode === "verify-full") {
+        // Helper function to get certificate value: query param (file path) takes precedence over env var (content)
+        const getCertValue = async (queryParam, envVarName) => {
+            // Prefer query parameter (file path)
+            if (queryParam) {
+                try {
+                    return await readFile(queryParam, "utf-8");
+                }
+                catch (error) {
+                    throw new Error(`Failed to read certificate file '${queryParam}': ${error instanceof Error ? error.message : String(error)}`);
+                }
+            }
+            // Fallback to environment variable (content)
+            const envValue = process.env[envVarName];
+            return envValue || undefined;
+        };
+        const hasExplicitVerification = sslmode === "verify-ca" || sslmode === "verify-full";
+        // Get CA certificate value.
+        // - verify-ca/verify-full: check query param first, then env var
+        // - require/prefer: only check query param (libpq backward compatibility
+        //   requires an explicit root CA *file*, not a global env var)
+        const caEnvVar = connectionType === "source"
+            ? "PGDELTA_SOURCE_SSLROOTCERT"
+            : "PGDELTA_TARGET_SSLROOTCERT";
+        let caValue;
+        if (sslrootcert) {
+            // Explicit file path in query param — always honour it
+            caValue = await getCertValue(sslrootcert, caEnvVar);
+        }
+        else if (hasExplicitVerification) {
+            // verify-ca / verify-full without file path — fall back to env var
+            caValue = await getCertValue(null, caEnvVar);
+        }
+        // require/prefer without sslrootcert: no CA cert, no verification
+        // Determine if we should verify the CA chain
+        //   From PostgreSQL docs: "if a root CA file exists, the behavior of sslmode=require
+        //   will be the same as that of verify-ca"
+        const hasLibpqCompatibility = (sslmode === "require" || sslmode === "prefer") && caValue !== undefined;
+        const shouldVerifyCa = hasExplicitVerification || hasLibpqCompatibility;
+        // Determine if we should verify hostname
+        // - verify-full: verify both CA and hostname
+        // - verify-ca: verify CA only (skip hostname)
+        // - require/prefer with CA (libpq compat): behaves like verify-ca (skip hostname)
+        const shouldVerifyHostname = sslmode === "verify-full";
+        const ssl = {
+            rejectUnauthorized: shouldVerifyCa,
+        };
+        // Add CA certificate if verifying
+        if (shouldVerifyCa && caValue) {
+            ssl.ca = caValue;
+        }
+        // For verify-ca and libpq compatibility mode: skip hostname verification
+        // This matches PostgreSQL semantics where verify-ca only checks the CA chain
+        if (shouldVerifyCa && !shouldVerifyHostname) {
+            ssl.checkServerIdentity = () => undefined;
+        }
+        // Get client certificate (optional, for mutual TLS)
+        const certEnvVar = connectionType === "source"
+            ? "PGDELTA_SOURCE_SSLCERT"
+            : "PGDELTA_TARGET_SSLCERT";
+        const certValue = await getCertValue(sslcert, certEnvVar);
+        if (certValue) {
+            ssl.cert = certValue;
+        }
+        // Get client key (optional, for mutual TLS, required if cert is provided)
+        const keyEnvVar = connectionType === "source"
+            ? "PGDELTA_SOURCE_SSLKEY"
+            : "PGDELTA_TARGET_SSLKEY";
+        const keyValue = await getCertValue(sslkey, keyEnvVar);
+        if (keyValue) {
+            ssl.key = keyValue;
+        }
+        // Warn if cert is provided without key (or vice versa)
+        if ((ssl.cert && !ssl.key) || (!ssl.cert && ssl.key)) {
+            throw new Error("Both client certificate and key must be provided together for mutual TLS");
+        }
+        return { ssl, cleanedUrl };
+    }
+    // No sslmode specified or invalid value - explicitly disable SSL
+    return { cleanedUrl, ssl: false };
+}

package/dist/core/plan/types.d.ts

@@ -138,5 +138,11 @@ export interface CreatePlanOptions {
     serialize?: SerializeDSL | ChangeSerializer;
     /** Role to use when executing the migration (SET ROLE will be added to statements) */
     role?: string;
+    /**
+     * When true, don't subtract privileges covered by ALTER DEFAULT PRIVILEGES
+     * from explicit GRANTs during diffing. Use this for declarative export where
+     * the output must be self-contained and not rely on statement execution order.
+     */
+    skipDefaultPrivilegeSubtraction?: boolean;
 }
 export {};

package/dist/core/postgres-config.d.ts

@@ -34,5 +34,19 @@ export declare function createPool(connectionString: string, options?: CreatePoo
  * inside each `client.end()` callback — ensuring all sockets are
  * truly closed before it resolves.
  */
+/**
+ * Create a pool from a connection URL with standard session setup:
+ * SSL parsing, search_path isolation, optional SET ROLE, and 57P01 suppression.
+ *
+ * Returns the pool and a `close` function that properly waits for all sockets
+ * to close (via {@link endPool}).
+ */
+export declare function createManagedPool(url: string, options?: {
+    role?: string;
+    label?: "source" | "target";
+}): Promise<{
+    pool: Pool;
+    close: () => Promise<void>;
+}>;
 export declare function endPool(pool: Pool): Promise<void>;
 export {};

package/dist/core/postgres-config.js

@@ -1,7 +1,8 @@
 /**
  * PostgreSQL connection configuration with custom type handlers.
  */
-import { Pool, types } from "pg";
+import { escapeIdentifier, Pool, types } from "pg";
+import { parseSslConfig } from "./plan/ssl-config.js";
 // ============================================================================
 // Array Parser
 // ============================================================================
@@ -92,12 +93,20 @@ types.setTypeParser(1005, (val) => parseArray(val, parseIntElement)); // int2[]
 types.setTypeParser(1007, (val) => parseArray(val, parseIntElement)); // int4[]
 // @ts-expect-error - pg types expects TypeId but raw OID numbers work fine
 types.setTypeParser(1016, (val) => parseArray(val, parseIntElement)); // int8[]
+const DEFAULT_POOL_MAX = Number(process.env.PGDELTA_POOL_MAX) || 5;
+const DEFAULT_CONNECTION_TIMEOUT_MS = Number(process.env.PGDELTA_CONNECTION_TIMEOUT_MS) || 3_000;
+const DEFAULT_CONNECT_TIMEOUT_MS = Number(process.env.PGDELTA_CONNECT_TIMEOUT_MS) || 2_500;
 /**
  * Create a Pool with custom type handlers and optional event listeners.
  */
 export function createPool(connectionString, options) {
     const { onConnect, onError, onAcquire, onRemove, ...config } = options ?? {};
-    const pool = new Pool({ connectionString, ...config });
+    const pool = new Pool({
+        connectionString,
+        max: DEFAULT_POOL_MAX,
+        connectionTimeoutMillis: DEFAULT_CONNECTION_TIMEOUT_MS,
+        ...config,
+    });
     if (onConnect)
         pool.on("connect", onConnect);
     if (onError)
@@ -122,6 +131,48 @@ export function createPool(connectionString, options) {
  * inside each `client.end()` callback — ensuring all sockets are
  * truly closed before it resolves.
  */
+/**
+ * Create a pool from a connection URL with standard session setup:
+ * SSL parsing, search_path isolation, optional SET ROLE, and 57P01 suppression.
+ *
+ * Returns the pool and a `close` function that properly waits for all sockets
+ * to close (via {@link endPool}).
+ */
+export async function createManagedPool(url, options) {
+    const sslConfig = await parseSslConfig(url, options?.label ?? "target");
+    const pool = createPool(sslConfig.cleanedUrl, {
+        ...(sslConfig.ssl !== undefined ? { ssl: sslConfig.ssl } : {}),
+        onError: (err) => {
+            if (err.code !== "57P01") {
+                console.error("Pool error:", err);
+            }
+        },
+        onConnect: async (client) => {
+            await client.query("SET search_path = ''");
+            if (options?.role) {
+                await client.query(`SET ROLE ${escapeIdentifier(options.role)}`);
+            }
+        },
+    });
+    // Eagerly validate connectivity so SSL/auth failures surface immediately
+    // instead of hanging on the first real query. node-pg's connectionTimeoutMillis
+    // is not reliably enforced under Bun when SSL negotiation hangs.
+    const label = options?.label ?? "target";
+    const timeoutMs = DEFAULT_CONNECT_TIMEOUT_MS;
+    try {
+        const client = await Promise.race([
+            pool.connect(),
+            new Promise((_, reject) => setTimeout(() => reject(new Error(`Connection to ${label} database timed out after ${timeoutMs}ms. ` +
+                `The server may require SSL, use an invalid certificate, or be unreachable.`)), timeoutMs)),
+        ]);
+        client.release();
+    }
+    catch (err) {
+        await pool.end().catch(() => { });
+        throw err;
+    }
+    return { pool, close: () => endPool(pool) };
+}
 export function endPool(pool) {
     const clientCount = pool.totalCount;
     if (clientCount === 0) {

package/dist/core/sort/graph-builder.js

@@ -56,7 +56,17 @@ export function convertExplicitRequirementsToConstraints(phaseChanges, graphData
         const requiredIds = graphData.explicitRequirementSets[consumerIndex];
         if (requiredIds.size === 0)
             continue;
+        // Collect dropped IDs for this change so we can skip requirements
+        // for stableIds that this change also drops.  A change that drops a
+        // stableId should not depend on another change that creates the same
+        // stableId, because the entity already exists in the source database.
+        // This prevents false ordering constraints such as Grant → Revoke
+        // when both operate on the same ACL stableId.
+        const droppedIds = new Set(phaseChanges[consumerIndex].drops);
         for (const requiredId of requiredIds) {
+            if (droppedIds.has(requiredId)) {
+                continue;
+            }
             const producerIndexes = graphData.changeIndexesByCreatedId.get(requiredId);
             if (!producerIndexes || producerIndexes.size === 0)
                 continue;

package/dist/core/sort/logical-sort.js

@@ -145,6 +145,25 @@ function getMainStableId(change) {
         }
         return null;
     }
+    // For default_privilege operations: group by role + schema combination (before CREATE so we group and use tiebreaker)
+    if (change.scope === "default_privilege") {
+        if (change.requires.length > 0) {
+            let grantingRole = null;
+            let schemaId = null;
+            for (const id of change.requires) {
+                if (id.startsWith("role:")) {
+                    grantingRole = id;
+                }
+                else if (id.startsWith("schema:")) {
+                    schemaId = id;
+                }
+            }
+            if (schemaId && grantingRole) {
+                return `${grantingRole}:${schemaId}`;
+            }
+            return grantingRole ?? null;
+        }
+    }
     // For CREATE operations: check if creating a constraint (sub-entity of table)
     if (change.operation === "create" && change.creates.length > 0) {
         // Iterate through creates to find the first non-metadata stable ID
@@ -182,29 +201,6 @@ function getMainStableId(change) {
         // Fallback: if all drops are metadata, use first
         return change.drops[0] ?? null;
     }
-    // For default_privilege operations: group by role + schema combination
-    // This groups all "FOR ROLE X IN SCHEMA Y" statements together
-    if (change.scope === "default_privilege") {
-        if (change.requires.length > 0) {
-            // Iterate through requires to find role and schema
-            let grantingRole = null;
-            let schemaId = null;
-            for (const id of change.requires) {
-                if (id.startsWith("role:")) {
-                    grantingRole = id;
-                }
-                else if (id.startsWith("schema:")) {
-                    schemaId = id;
-                }
-            }
-            if (schemaId && grantingRole) {
-                // Create composite key: "role:postgres:schema:public"
-                return `${grantingRole}:${schemaId}`;
-            }
-            // If no schema, just group by role
-            return grantingRole ?? null;
-        }
-    }
     // For ALTER operations: check if creating/dropping a constraint
     // Skip this for privilege/comment/default_privilege scopes (handled above)
     if (change.operation === "alter") {
@@ -525,6 +521,18 @@ function sortPhase(changes, phase) {
         if (operationOrderA !== operationOrderB) {
             return operationOrderA - operationOrderB;
         }
+        // 6b. For default_privilege: deterministic tiebreaker by objtype then grantee (canonical order for objtype)
+        if (scopeA === "default_privilege" && scopeB === "default_privilege") {
+            const defPrivA = changeA;
+            const defPrivB = changeB;
+            const objtypeOrder = (code) => ({ n: 0, r: 1, S: 2, f: 3, T: 4 })[code] ?? 99;
+            const objtypeCompare = objtypeOrder(defPrivA.objtype) - objtypeOrder(defPrivB.objtype);
+            if (objtypeCompare !== 0)
+                return objtypeCompare;
+            const granteeCompare = defPrivA.grantee.localeCompare(defPrivB.grantee);
+            if (granteeCompare !== 0)
+                return granteeCompare;
+        }
         // 7. Preserve original order (stability)
         return a.originalIndex - b.originalIndex;
     });

package/dist/core/test-utils/assert-valid-sql.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Assert that the given SQL string is syntactically valid PostgreSQL.
+ *
+ * Uses the PostgreSQL parser from `@supabase/pg-topo` to ensure that
+ * serialized DDL statements are syntactically correct. This catches
+ * issues like malformed function signatures, missing keywords, etc.
+ *
+ * @param sql - The SQL string to validate (typically from `change.serialize()`).
+ */
+export declare function assertValidSql(sql: string): Promise<void>;

package/dist/core/test-utils/assert-valid-sql.js

@@ -0,0 +1,19 @@
+import { validateSqlSyntax } from "@supabase/pg-topo";
+/**
+ * Assert that the given SQL string is syntactically valid PostgreSQL.
+ *
+ * Uses the PostgreSQL parser from `@supabase/pg-topo` to ensure that
+ * serialized DDL statements are syntactically correct. This catches
+ * issues like malformed function signatures, missing keywords, etc.
+ *
+ * @param sql - The SQL string to validate (typically from `change.serialize()`).
+ */
+export async function assertValidSql(sql) {
+    try {
+        await validateSqlSyntax(sql);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "Unknown parser error";
+        throw new Error(`Invalid SQL syntax: ${message}\nSQL: ${sql}`);
+    }
+}

package/dist/index.d.ts

@@ -3,8 +3,14 @@
  *
  * This module exports the public API for the pg-delta library.
  */
+export { Catalog, createEmptyCatalog, extractCatalog, } from "./core/catalog.model.ts";
+export type { CatalogSnapshot } from "./core/catalog.snapshot.ts";
+export { deserializeCatalog, serializeCatalog, stringifyCatalogSnapshot, } from "./core/catalog.snapshot.ts";
+export { exportDeclarativeSchema } from "./core/export/index.ts";
+export type { DeclarativeSchemaOutput, FileCategory, FileEntry, FileMetadata, } from "./core/export/types.ts";
 export type { IntegrationDSL } from "./core/integrations/integration-dsl.ts";
 export { applyPlan } from "./core/plan/apply.ts";
+export type { CatalogInput } from "./core/plan/create.ts";
 export { createPlan } from "./core/plan/create.ts";
 export type { SqlFormatOptions } from "./core/plan/sql-format.ts";
 export { formatSqlStatements } from "./core/plan/sql-format.ts";

package/dist/index.js

@@ -3,7 +3,12 @@
  *
  * This module exports the public API for the pg-delta library.
  */
+// Catalog model and extraction
+export { Catalog, createEmptyCatalog, extractCatalog, } from "./core/catalog.model.js";
+export { deserializeCatalog, serializeCatalog, stringifyCatalogSnapshot, } from "./core/catalog.snapshot.js";
+// Declarative schema export
+export { exportDeclarativeSchema } from "./core/export/index.js";
+// Plan operations
 export { applyPlan } from "./core/plan/apply.js";
-// Core operations
 export { createPlan } from "./core/plan/create.js";
 export { formatSqlStatements } from "./core/plan/sql-format.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@supabase/pg-delta",
-  "version": "1.0.0-alpha.4",
+  "version": "1.0.0-alpha.6",
   "description": "PostgreSQL migrations made easy",
   "type": "module",
   "sideEffects": false,
@@ -20,6 +20,20 @@
       "require": "./dist/core/integrations/supabase.js",
       "types": "./dist/core/integrations/supabase.d.ts",
       "default": "./dist/core/integrations/supabase.js"
+    },
+    "./declarative": {
+      "bun": "./src/core/declarative-apply/index.ts",
+      "import": "./dist/core/declarative-apply/index.js",
+      "require": "./dist/core/declarative-apply/index.js",
+      "types": "./dist/core/declarative-apply/index.d.ts",
+      "default": "./dist/core/declarative-apply/index.js"
+    },
+    "./catalog-export": {
+      "bun": "./src/core/catalog-export/index.ts",
+      "import": "./dist/core/catalog-export/index.js",
+      "require": "./dist/core/catalog-export/index.js",
+      "types": "./dist/core/catalog-export/index.d.ts",
+      "default": "./dist/core/catalog-export/index.js"
     }
   },
   "bin": {
@@ -57,20 +71,23 @@
     "format-and-lint": "biome check . --error-on-warnings",
     "knip": "knip",
     "pgdelta": "bun src/cli/bin/cli.ts",
-    "test": "bun test --concurrent --timeout 15000 --preload ./tests/global-setup.ts",
-    "test:unit": "bun test --concurrent src/",
-    "test:integration": "bun test --concurrent --timeout 15000 --preload ./tests/global-setup.ts --max-concurrency=4 tests/",
+    "test": "bun scripts/run-tests.ts",
+    "test:unit": "bun run test src/",
+    "test:integration": "bun run test tests/",
+    "update-empty-baseline": "bun scripts/update-empty-catalog-baseline.ts",
     "version": "changeset version && bun install --no-frozen-lockfile && bun run format-and-lint --write"
   },
   "dependencies": {
     "@stricli/core": "^1.2.4",
     "@ts-safeql/sql-tag": "^0.2.0",
+    "@supabase/pg-topo": "^1.0.0-alpha.1",
     "chalk": "^5.6.2",
     "debug": "^4.3.7",
     "pg": "^8.17.2",
     "zod": "^4.2.1"
   },
   "devDependencies": {
+    "@supabase/bun-istanbul-coverage": "workspace:*",
     "@tsconfig/node-ts": "^23.6.2",
     "@tsconfig/node24": "^24.0.3",
     "@types/bun": "^1.3.9",

package/src/cli/app.ts

@@ -1,13 +1,35 @@
 import { buildApplication, buildRouteMap } from "@stricli/core";
 import { applyCommand } from "./commands/apply.ts";
+import { catalogExportCommand } from "./commands/catalog-export.ts";
+import { declarativeApplyCommand } from "./commands/declarative-apply.ts";
+import { declarativeExportCommand } from "./commands/declarative-export.ts";
 import { planCommand } from "./commands/plan.ts";
 import { syncCommand } from "./commands/sync.ts";
 
+const declarativeRouteMap = buildRouteMap({
+  routes: {
+    apply: declarativeApplyCommand,
+    export: declarativeExportCommand,
+  },
+  docs: {
+    brief: "Declarative schema management",
+    fullDescription: `
+Manage declarative SQL schemas.
+
+Commands:
+  apply  - Apply a declarative SQL schema to a database
+  export - Export a declarative schema from a database diff
+    `.trim(),
+  },
+});
+
 const root = buildRouteMap({
   routes: {
     plan: planCommand,
     apply: applyCommand,
     sync: syncCommand,
+    declarative: declarativeRouteMap,
+    "catalog-export": catalogExportCommand,
   },
   defaultCommand: "sync",
   docs: {
@@ -16,9 +38,11 @@ const root = buildRouteMap({
 pgdelta generates migration scripts by comparing two PostgreSQL databases.
 
 Commands:
-  plan   - Compute schema diff and preview changes
-  apply  - Apply a plan's migration script to a database
-  sync   - Plan and apply changes in one go
+  plan           - Compute schema diff and preview changes
+  apply          - Apply a plan's migration script to a database
+  sync           - Plan and apply changes in one go
+  declarative    - Declarative schema (apply | export)
+  catalog-export - Export a database catalog as a snapshot JSON file
     `.trim(),
   },
 });

package/src/cli/bin/cli.ts

@@ -2,8 +2,14 @@
 
 import { run } from "@stricli/core";
 import { app } from "../app.ts";
+import { getCommandExitCode } from "../exit-code.ts";
 
 await run(app, process.argv.slice(2), { process }).catch((error) => {
   console.error(error);
   process.exit(1);
 });
+
+const code = getCommandExitCode();
+if (code !== undefined) {
+  process.exitCode = code;
+}