@supabase/pg-delta 1.0.0-alpha.4 → 1.0.0-alpha.6

package/src/core/objects/role/role.diff.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, test } from "bun:test";
 import { AlterRoleSetOptions } from "./changes/role.alter.ts";
 import { CreateRole } from "./changes/role.create.ts";
 import { DropRole } from "./changes/role.drop.ts";
+import { GrantRoleMembership } from "./changes/role.privilege.ts";
 import { diffRoles } from "./role.diff.ts";
 import { Role, type RoleProps } from "./role.model.ts";
 
@@ -41,4 +42,238 @@ describe.concurrent("role.diff", () => {
     );
     expect(changes[0]).toBeInstanceOf(AlterRoleSetOptions);
   });
+
+  test("no duplicate membership grants when members have multiple grantors", () => {
+    // In PG 16+, pg_auth_members can have multiple rows for the same
+    // (roleid, member) pair with different grantors. The Role constructor
+    // should deduplicate these so diffRoles doesn't emit duplicate changes.
+    const parentRole = new Role({
+      ...base,
+      name: "postgres",
+      members: [
+        {
+          member: "cli_login_postgres",
+          grantor: "postgres",
+          admin_option: false,
+          inherit_option: false,
+          set_option: false,
+        },
+        {
+          member: "cli_login_postgres",
+          grantor: "supabase_admin",
+          admin_option: false,
+          inherit_option: false,
+          set_option: false,
+        },
+      ],
+    });
+
+    // After deduplication, should have only one member entry
+    expect(parentRole.members).toHaveLength(1);
+    expect(parentRole.members[0].member).toBe("cli_login_postgres");
+
+    // When diffing, the created role should emit only one GRANT
+    const changes = diffRoles(
+      { version: 170000 },
+      {},
+      { [parentRole.stableId]: parentRole },
+    );
+    const grantChanges = changes.filter(
+      (c) => c instanceof GrantRoleMembership,
+    );
+    expect(grantChanges).toHaveLength(1);
+  });
+
+  test("duplicate members are merged with most permissive options", () => {
+    const role = new Role({
+      ...base,
+      name: "test_role",
+      members: [
+        {
+          member: "member1",
+          grantor: "grantor_a",
+          admin_option: false,
+          inherit_option: false,
+          set_option: true,
+        },
+        {
+          member: "member1",
+          grantor: "grantor_b",
+          admin_option: true,
+          inherit_option: false,
+          set_option: false,
+        },
+      ],
+    });
+
+    expect(role.members).toHaveLength(1);
+    expect(role.members[0].admin_option).toBe(true);
+    expect(role.members[0].set_option).toBe(true);
+  });
+
+  test("no false alter when both sides have duplicate members from different grantors", () => {
+    // Both main and branch have the same membership but from different
+    // grantors. After deduplication the roles should be equal, producing
+    // no changes.
+    const main = new Role({
+      ...base,
+      name: "parent",
+      members: [
+        {
+          member: "child",
+          grantor: "postgres",
+          admin_option: false,
+          inherit_option: false,
+          set_option: false,
+        },
+        {
+          member: "child",
+          grantor: "supabase_admin",
+          admin_option: false,
+          inherit_option: false,
+          set_option: false,
+        },
+      ],
+    });
+    const branch = new Role({
+      ...base,
+      name: "parent",
+      members: [
+        {
+          member: "child",
+          grantor: "another_admin",
+          admin_option: false,
+          inherit_option: false,
+          set_option: false,
+        },
+      ],
+    });
+
+    const changes = diffRoles(
+      { version: 170000 },
+      { [main.stableId]: main },
+      { [branch.stableId]: branch },
+    );
+    expect(changes).toHaveLength(0);
+  });
+
+  test("create role skips self-granted membership (member === grantor)", () => {
+    // Simulates the auto-created membership when postgres creates a role:
+    // PostgreSQL automatically makes the creator a member with grantor=self.
+    const role = new Role({
+      ...base,
+      name: "developer",
+      members: [
+        {
+          member: "postgres",
+          grantor: "postgres",
+          admin_option: true,
+          inherit_option: true,
+          set_option: true,
+        },
+      ],
+    });
+    const changes = diffRoles(
+      { version: 170000 },
+      {},
+      { [role.stableId]: role },
+    );
+    // Should only have CreateRole, no GrantRoleMembership for postgres
+    expect(changes).toHaveLength(1);
+    expect(changes[0]).toBeInstanceOf(CreateRole);
+  });
+
+  test("create role keeps membership when member differs from grantor", () => {
+    const role = new Role({
+      ...base,
+      name: "developer",
+      members: [
+        {
+          member: "app_user",
+          grantor: "postgres",
+          admin_option: true,
+          inherit_option: true,
+          set_option: true,
+        },
+      ],
+    });
+    const changes = diffRoles(
+      { version: 170000 },
+      {},
+      { [role.stableId]: role },
+    );
+    // Should have CreateRole + GrantRoleMembership
+    expect(changes).toHaveLength(2);
+    expect(changes[0]).toBeInstanceOf(CreateRole);
+    expect(changes[1]).toBeInstanceOf(GrantRoleMembership);
+  });
+
+  test("create role keeps mixed-grantor membership where not all grantors equal member", () => {
+    // Model dedup should prefer the non-self grantor, so diff keeps the membership
+    const role = new Role({
+      ...base,
+      name: "developer",
+      members: [
+        {
+          member: "postgres",
+          grantor: "postgres",
+          admin_option: false,
+          inherit_option: true,
+          set_option: true,
+        },
+        {
+          member: "postgres",
+          grantor: "supabase_admin",
+          admin_option: true,
+          inherit_option: true,
+          set_option: true,
+        },
+      ],
+    });
+    const changes = diffRoles(
+      { version: 170000 },
+      {},
+      { [role.stableId]: role },
+    );
+    // One grantor is different from member, dedup prefers it → membership kept
+    expect(changes).toHaveLength(2);
+    expect(changes[0]).toBeInstanceOf(CreateRole);
+    expect(changes[1]).toBeInstanceOf(GrantRoleMembership);
+  });
+
+  test("alter role skips granting admin to self-granted membership", () => {
+    const mainRole = new Role({
+      ...base,
+      name: "developer",
+      members: [
+        {
+          member: "postgres",
+          grantor: "postgres",
+          admin_option: false,
+          inherit_option: true,
+          set_option: true,
+        },
+      ],
+    });
+    const branchRole = new Role({
+      ...base,
+      name: "developer",
+      members: [
+        {
+          member: "postgres",
+          grantor: "postgres",
+          admin_option: true,
+          inherit_option: true,
+          set_option: true,
+        },
+      ],
+    });
+    const changes = diffRoles(
+      { version: 170000 },
+      { [mainRole.stableId]: mainRole },
+      { [branchRole.stableId]: branchRole },
+    );
+    // Should produce no changes — granting admin back to self would fail
+    expect(changes).toHaveLength(0);
+  });
 });

package/src/core/objects/role/role.diff.ts

@@ -51,8 +51,15 @@ export function diffRoles(
     if (role.comment !== null) {
       changes.push(new CreateCommentOnRole({ role }));
     }
-    // MEMBERSHIPS: Grant memberships immediately after role creation
+    // MEMBERSHIPS: Grant memberships immediately after role creation.
+    // Members are already deduplicated by the Role model constructor.
     for (const membership of role.members) {
+      // Skip memberships where the member is the grantor (auto-created by
+      // CREATE ROLE — re-granting them, especially WITH ADMIN OPTION, fails
+      // with "ADMIN option cannot be granted back to your own grantor").
+      if (membership.grantor === membership.member) {
+        continue;
+      }
       changes.push(
         new GrantRoleMembership({
           role,
@@ -67,6 +74,7 @@ export function diffRoles(
     }
     // DEFAULT PRIVILEGES: Grant default privileges immediately after role creation
     for (const defaultPriv of role.default_privileges) {
+      if (defaultPriv.is_implicit) continue;
       if (defaultPriv.privileges.length === 0) continue;
       const grantGroups = new Map<
         boolean,
@@ -208,12 +216,19 @@ export function diffRoles(
     }
 
     // MEMBERSHIPS
+    // Members are already deduplicated by the Role model constructor.
     const mainMembers = new Map(mainRole.members.map((m) => [m.member, m]));
     const branchMembers = new Map(branchRole.members.map((m) => [m.member, m]));
 
     // Find new members to grant
     for (const [member, membership] of branchMembers) {
       if (!mainMembers.has(member)) {
+        // Skip memberships where the member is the grantor (auto-created by
+        // CREATE ROLE — re-granting them fails with "ADMIN option cannot be
+        // granted back to your own grantor").
+        if (membership.grantor === membership.member) {
+          continue;
+        }
         changes.push(
           new GrantRoleMembership({
             role: branchRole,
@@ -280,6 +295,11 @@ export function diffRoles(
           );
         }
         if (toGrant.admin || toGrant.inherit || toGrant.set) {
+          // Skip granting options back to the grantor (same restriction as
+          // for newly created roles).
+          if (branchMembership.grantor === branchMembership.member) {
+            continue;
+          }
           changes.push(
             new GrantRoleMembership({
               role: branchRole,

package/src/core/objects/role/role.model.ts

@@ -18,6 +18,7 @@ const defaultPrivilegeSchema = z.object({
   privileges: z.array(
     z.object({ privilege: z.string(), grantable: z.boolean() }),
   ),
+  is_implicit: z.boolean(),
 });
 
 const rolePropsSchema = z.object({
@@ -70,7 +71,7 @@ export class Role extends BasePgModel {
     this.can_bypass_rls = props.can_bypass_rls;
     this.config = props.config;
     this.comment = props.comment;
-    this.members = props.members;
+    this.members = deduplicateMembers(props.members);
     this.default_privileges = props.default_privileges;
   }
 
@@ -95,15 +96,18 @@ export class Role extends BasePgModel {
       );
     });
 
-    const sortedDefaultPrivs = [...this.default_privileges].map((dp) => ({
-      ...dp,
-      privileges: [...dp.privileges].sort((a, b) => {
-        return (
-          a.privilege.localeCompare(b.privilege) ||
-          Number(a.grantable) - Number(b.grantable)
-        );
-      }),
-    }));
+    const sortedDefaultPrivs = [...this.default_privileges].map((dp) => {
+      const { is_implicit: _, ...rest } = dp;
+      return {
+        ...rest,
+        privileges: [...dp.privileges].sort((a, b) => {
+          return (
+            a.privilege.localeCompare(b.privilege) ||
+            Number(a.grantable) - Number(b.grantable)
+          );
+        }),
+      };
+    });
     sortedDefaultPrivs.sort((a, b) => {
       return (
         (a.in_schema ?? "").localeCompare(b.in_schema ?? "") ||
@@ -129,6 +133,48 @@ export class Role extends BasePgModel {
   }
 }
 
+/**
+ * Deduplicate members by member name.
+ *
+ * In PostgreSQL 16+, `pg_auth_members` can have multiple rows for the same
+ * (roleid, member) pair with different grantors. Merge them into a single
+ * entry per member, combining options with OR so the most permissive wins.
+ *
+ * When merging, prefer a non-self grantor (grantor !== member) so that
+ * downstream code can detect true self-grants (auto-created by CREATE ROLE)
+ * by checking `grantor === member`.
+ */
+function deduplicateMembers(
+  members: RoleProps["members"],
+): RoleProps["members"] {
+  const map = new Map<string, RoleProps["members"][number]>();
+  for (const m of members) {
+    const existing = map.get(m.member);
+    if (existing) {
+      // admin_option is always boolean (non-nullable in schema)
+      existing.admin_option = existing.admin_option || m.admin_option;
+      // inherit_option and set_option are nullish (only available in PG 16+)
+      if (m.inherit_option != null) {
+        existing.inherit_option =
+          (existing.inherit_option ?? false) || m.inherit_option;
+      }
+      if (m.set_option != null) {
+        existing.set_option = (existing.set_option ?? false) || m.set_option;
+      }
+      // Prefer a non-self grantor so diff can detect true self-grants.
+      // Once a non-self grantor is chosen the value is kept (the specific
+      // non-self grantor doesn't matter — only the self vs non-self
+      // distinction is used downstream).
+      if (existing.grantor === existing.member && m.grantor !== m.member) {
+        existing.grantor = m.grantor;
+      }
+    } else {
+      map.set(m.member, { ...m });
+    }
+  }
+  return [...map.values()];
+}
+
 export async function extractRoles(pool: Pool): Promise<Role[]> {
   // Check PostgreSQL version capabilities for membership options
   const { rows: capabilitiesRows } = await pool.query<{
@@ -202,13 +248,15 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
                                     THEN 'PUBLIC'
                                     ELSE s.grantee::regrole::text
                             END,
-                          'privileges', s.privileges
+                          'privileges', s.privileges,
+                          'is_implicit', s.is_implicit
                         )
                         ORDER BY s.defaclnamespace NULLS FIRST,
                                   s.defaclobjtype,
                                   s.grantee
                       )
                 FROM (
+                  -- Explicit entries from pg_default_acl
                   SELECT
                     d.defaclnamespace,
                     d.defaclobjtype,
@@ -219,12 +267,41 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
                         'grantable',  x.is_grantable
                       )
                       ORDER BY x.privilege_type, x.is_grantable
-                    ) AS privileges
+                    ) AS privileges,
+                    false AS is_implicit
                   FROM pg_default_acl d
                   CROSS JOIN LATERAL aclexplode(COALESCE(d.defaclacl, ARRAY[]::aclitem[]))
                     AS x(grantor, grantee, privilege_type, is_grantable)
                   WHERE d.defaclrole = r.oid
                   GROUP BY d.defaclnamespace, d.defaclobjtype, x.grantee
+                  UNION ALL
+                  -- Implicit defaults from acldefault() for objtypes without a
+                  -- global pg_default_acl entry.  PostgreSQL applies these implicit
+                  -- defaults (e.g. PUBLIC gets EXECUTE on functions) when no
+                  -- explicit ALTER DEFAULT PRIVILEGES has been issued.  Including
+                  -- them lets the diff detect REVOKEs of implicit grants.
+                  SELECT
+                    0 AS defaclnamespace,
+                    v.t::"char" AS defaclobjtype,
+                    x.grantee,
+                    json_agg(
+                      json_build_object(
+                        'privilege',  x.privilege_type,
+                        'grantable',  x.is_grantable
+                      )
+                      ORDER BY x.privilege_type, x.is_grantable
+                    ) AS privileges,
+                    true AS is_implicit
+                  FROM (VALUES ('r'), ('S'), ('f'), ('T'), ('n')) AS v(t)
+                  CROSS JOIN LATERAL aclexplode(acldefault(v.t::"char", r.oid))
+                    AS x(grantor, grantee, privilege_type, is_grantable)
+                  WHERE NOT EXISTS (
+                    SELECT 1 FROM pg_default_acl d2
+                    WHERE d2.defaclrole     = r.oid
+                      AND d2.defaclobjtype  = v.t::"char"
+                      AND d2.defaclnamespace = 0
+                  )
+                  GROUP BY v.t, x.grantee
                 ) AS s
               ),
               '[]'
@@ -292,13 +369,15 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
                                     THEN 'PUBLIC'
                                     ELSE s.grantee::regrole::text
                             END,
-                          'privileges', s.privileges
+                          'privileges', s.privileges,
+                          'is_implicit', s.is_implicit
                         )
                         ORDER BY s.defaclnamespace NULLS FIRST,
                                   s.defaclobjtype,
                                   s.grantee
                       )
                 FROM (
+                  -- Explicit entries from pg_default_acl
                   SELECT
                     d.defaclnamespace,
                     d.defaclobjtype,
@@ -309,12 +388,41 @@ export async function extractRoles(pool: Pool): Promise<Role[]> {
                         'grantable',  x.is_grantable
                       )
                       ORDER BY x.privilege_type, x.is_grantable
-                    ) AS privileges
+                    ) AS privileges,
+                    false AS is_implicit
                   FROM pg_default_acl d
                   CROSS JOIN LATERAL aclexplode(COALESCE(d.defaclacl, ARRAY[]::aclitem[]))
                     AS x(grantor, grantee, privilege_type, is_grantable)
                   WHERE d.defaclrole = r.oid
                   GROUP BY d.defaclnamespace, d.defaclobjtype, x.grantee
+                  UNION ALL
+                  -- Implicit defaults from acldefault() for objtypes without a
+                  -- global pg_default_acl entry.  PostgreSQL applies these implicit
+                  -- defaults (e.g. PUBLIC gets EXECUTE on functions) when no
+                  -- explicit ALTER DEFAULT PRIVILEGES has been issued.  Including
+                  -- them lets the diff detect REVOKEs of implicit grants.
+                  SELECT
+                    0 AS defaclnamespace,
+                    v.t::"char" AS defaclobjtype,
+                    x.grantee,
+                    json_agg(
+                      json_build_object(
+                        'privilege',  x.privilege_type,
+                        'grantable',  x.is_grantable
+                      )
+                      ORDER BY x.privilege_type, x.is_grantable
+                    ) AS privileges,
+                    true AS is_implicit
+                  FROM (VALUES ('r'), ('S'), ('f'), ('T'), ('n')) AS v(t)
+                  CROSS JOIN LATERAL aclexplode(acldefault(v.t::"char", r.oid))
+                    AS x(grantor, grantee, privilege_type, is_grantable)
+                  WHERE NOT EXISTS (
+                    SELECT 1 FROM pg_default_acl d2
+                    WHERE d2.defaclrole     = r.oid
+                      AND d2.defaclobjtype  = v.t::"char"
+                      AND d2.defaclnamespace = 0
+                  )
+                  GROUP BY v.t, x.grantee
                 ) AS s
               ),
               '[]'

package/src/core/objects/rule/changes/rule.alter.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
 import { stableId } from "../../utils.ts";
 import { Rule } from "../rule.model.ts";
 import { ReplaceRule, SetRuleEnabledState } from "./rule.alter.ts";
@@ -28,7 +29,7 @@ const makeRule = (override: Partial<RuleProps> = {}) =>
   });
 
 describe("rule.alter", () => {
-  test("replace rule serializes using create or replace and tracks dependencies", () => {
+  test("replace rule serializes using create or replace and tracks dependencies", async () => {
     const rule = makeRule({ columns: ["id", "amount"] });
     const change = new ReplaceRule({ rule });
 
@@ -39,12 +40,13 @@ describe("rule.alter", () => {
         stableId.column(rule.schema, rule.table_name, column),
       ),
     ]);
+    await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
       'CREATE OR REPLACE RULE "my_rule" AS ON INSERT TO public."my_table" DO INSTEAD NOTHING',
     );
   });
 
-  test("set rule enabled state serializes appropriate clause", () => {
+  test("set rule enabled state serializes appropriate clause", async () => {
     const rule = makeRule({ columns: ["id", "amount"] });
     const change = new SetRuleEnabledState({ rule, enabled: "D" });
 
@@ -55,12 +57,13 @@ describe("rule.alter", () => {
         stableId.column(rule.schema, rule.table_name, column),
       ),
     ]);
+    await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
       'ALTER TABLE public."my_table" DISABLE RULE "my_rule"',
     );
   });
 
-  test("set rule enabled state defaults to rule value and supports views", () => {
+  test("set rule enabled state defaults to rule value and supports views", async () => {
     const rule = makeRule({
       table_name: '"my_view"',
       relation_kind: "v",
@@ -71,6 +74,7 @@ describe("rule.alter", () => {
     const change = new SetRuleEnabledState({ rule });
 
     expect(change.requires).toEqual([rule.stableId, rule.relationStableId]);
+    await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
       'ALTER TABLE public."my_view" ENABLE REPLICA RULE "my_rule"',
     );

package/src/core/objects/rule/changes/rule.comment.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
 import { stableId } from "../../utils.ts";
 import { Rule } from "../rule.model.ts";
 import { CreateCommentOnRule, DropCommentOnRule } from "./rule.comment.ts";
@@ -28,18 +29,19 @@ const makeRule = (override: Partial<RuleProps> = {}) =>
   });
 
 describe("rule.comment", () => {
-  test("create comment serializes and tracks dependencies", () => {
+  test("create comment serializes and tracks dependencies", async () => {
     const rule = makeRule({ comment: "rule's description" });
     const change = new CreateCommentOnRule({ rule });
 
     expect(change.creates).toEqual([stableId.comment(rule.stableId)]);
     expect(change.requires).toEqual([rule.stableId]);
+    await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
       "COMMENT ON RULE \"my_rule\" ON public.\"my_table\" IS 'rule''s description'",
     );
   });
 
-  test("drop comment serializes and tracks dependencies", () => {
+  test("drop comment serializes and tracks dependencies", async () => {
     const rule = makeRule({ comment: "temporary comment" });
     const change = new DropCommentOnRule({ rule });
 
@@ -48,6 +50,7 @@ describe("rule.comment", () => {
       stableId.comment(rule.stableId),
       rule.stableId,
     ]);
+    await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
       'COMMENT ON RULE "my_rule" ON public."my_table" IS NULL',
     );

package/src/core/objects/rule/changes/rule.create.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
 import { stableId } from "../../utils.ts";
 import { Rule } from "../rule.model.ts";
 import { CreateRule } from "./rule.create.ts";
@@ -28,7 +29,7 @@ const makeRule = (override: Partial<RuleProps> = {}) =>
   });
 
 describe("rule.create", () => {
-  test("serialize rule definition and track dependencies", () => {
+  test("serialize rule definition and track dependencies", async () => {
     const rule = makeRule();
     const change = new CreateRule({ rule });
 
@@ -39,12 +40,13 @@ describe("rule.create", () => {
         stableId.column(rule.schema, rule.table_name, column),
       ),
     ]);
+    await assertValidSql(change.serialize());
     expect(change.serialize()).toBe(
       'CREATE RULE "my_rule" AS ON INSERT TO public."my_table" DO INSTEAD NOTHING',
     );
   });
 
-  test("serialize rule definition with or replace override", () => {
+  test("serialize rule definition with or replace override", async () => {
     const rule = makeRule({
       definition:
         '  CREATE RULE "my_rule" AS ON INSERT TO public."my_table" DO INSTEAD NOTHING  ',
@@ -52,6 +54,8 @@ describe("rule.create", () => {
 
     const change = new CreateRule({ rule, orReplace: true });
 
+    await assertValidSql(change.serialize());
+
     expect(change.serialize()).toBe(
       'CREATE OR REPLACE RULE "my_rule" AS ON INSERT TO public."my_table" DO INSTEAD NOTHING',
     );

package/src/core/objects/rule/changes/rule.drop.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
 import { Rule } from "../rule.model.ts";
 import { DropRule } from "./rule.drop.ts";
 
@@ -27,12 +28,13 @@ const makeRule = (override: Partial<RuleProps> = {}) =>
   });
 
 describe("rule.drop", () => {
-  test("serialize rule drop and track dependencies", () => {
+  test("serialize rule drop and track dependencies", async () => {
     const rule = makeRule();
     const change = new DropRule({ rule });
 
     expect(change.drops).toEqual([rule.stableId]);
     expect(change.requires).toEqual([rule.stableId, rule.relationStableId]);
+    await assertValidSql(change.serialize());
     expect(change.serialize()).toBe('DROP RULE "my_rule" ON public."my_table"');
   });
 });

package/src/core/objects/schema/changes/schema.alter.test.ts

@@ -1,10 +1,11 @@
 import { describe, expect, test } from "bun:test";
+import { assertValidSql } from "../../../test-utils/assert-valid-sql.ts";
 import { Schema, type SchemaProps } from "../schema.model.ts";
 import { AlterSchemaChangeOwner } from "./schema.alter.ts";
 
 describe.concurrent("schema", () => {
   describe("alter", () => {
-    test("change owner", () => {
+    test("change owner", async () => {
       const props: Omit<SchemaProps, "owner"> = {
         name: "test_schema",
         comment: null,
@@ -20,6 +21,8 @@ describe.concurrent("schema", () => {
         owner: "new_owner",
       });
 
+      await assertValidSql(change.serialize());
+
       expect(change.serialize()).toBe(
         "ALTER SCHEMA test_schema OWNER TO new_owner",
       );