@supabase/pg-delta 1.0.0-alpha.4 → 1.0.0-alpha.6

package/src/core/plan/sql-format/format-pretty-narrow.test.ts

@@ -494,10 +494,6 @@ describe("sql formatting snapshots", () => {
         'insert, update, delete, truncate',
         publish_via_partition_root = false);
 
-      -- publication.alter.set_all_tables
-      ALTER PUBLICATION pub_custom
-        SET FOR ALL TABLES;
-
       -- publication.alter.set_list
       ALTER PUBLICATION pub_custom
         SET TABLE
@@ -636,31 +632,31 @@ describe("sql formatting snapshots", () => {
 
       -- function.alter.change_owner
       ALTER FUNCTION
-        public.calculate_metrics_for_analytics_dashboard_with_extended_name OWNER TO new_admin;
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) OWNER TO new_admin;
 
       -- function.alter.set_security
       ALTER FUNCTION
-        public.calculate_metrics_for_analytics_dashboard_with_extended_name SECURITY INVOKER;
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) SECURITY INVOKER;
 
       -- function.alter.set_config
       ALTER FUNCTION
-        public.calculate_metrics_for_analytics_dashboard_with_extended_name SET work_mem TO '256MB';
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) SET work_mem TO '256MB';
 
       -- function.alter.set_volatility
       ALTER FUNCTION
-        public.calculate_metrics_for_analytics_dashboard_with_extended_name IMMUTABLE;
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) IMMUTABLE;
 
       -- function.alter.set_strictness
       ALTER FUNCTION
-        public.calculate_metrics_for_analytics_dashboard_with_extended_name CALLED ON NULL INPUT;
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) CALLED ON NULL INPUT;
 
       -- function.alter.set_leakproof
       ALTER FUNCTION
-        public.calculate_metrics_for_analytics_dashboard_with_extended_name LEAKPROOF;
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) LEAKPROOF;
 
       -- function.alter.set_parallel
       ALTER FUNCTION
-        public.calculate_metrics_for_analytics_dashboard_with_extended_name PARALLEL RESTRICTED;
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) PARALLEL RESTRICTED;
 
       -- function.comment
       COMMENT ON FUNCTION
@@ -746,17 +742,17 @@ describe("sql formatting snapshots", () => {
         public.table_with_very_long_name_for_formatting_and_wrapping_test;
 
       -- policy.alter.set_roles
-      ALTER POLICY public.allow_select_own
+      ALTER POLICY allow_select_own
         ON
         public.table_with_very_long_name_for_formatting_and_wrapping_test TO authenticated, anon;
 
       -- policy.alter.set_using
-      ALTER POLICY public.allow_select_own
+      ALTER POLICY allow_select_own
         ON
         public.table_with_very_long_name_for_formatting_and_wrapping_test USING (auth.uid() = user_id AND status = 'active');
 
       -- policy.alter.set_with_check
-      ALTER POLICY public.allow_select_own
+      ALTER POLICY allow_select_own
         ON
         public.table_with_very_long_name_for_formatting_and_wrapping_test WITH CHECK (auth.uid() = user_id);
 
@@ -906,7 +902,7 @@ describe("sql formatting snapshots", () => {
         STYPE       = anycompatiblearray,
         COMBINEFUNC = array_cat,
         INITCOND    = '{}',
-        PARALLEL SAFE,
+        PARALLEL    = SAFE,
         STRICT
       );
 
@@ -1201,18 +1197,18 @@ describe("sql formatting snapshots", () => {
         NULL;
 
       -- foreign_table.grant
-      GRANT SELECT ON
-        FOREIGN TABLE public.remote_users TO
+      GRANT SELECT
+        ON TABLE public.remote_users TO
         app_reader;
 
       -- foreign_table.revoke
-      REVOKE SELECT ON
-        FOREIGN TABLE public.remote_users FROM
+      REVOKE SELECT
+        ON TABLE public.remote_users FROM
         app_reader;
 
       -- foreign_table.revoke_grant_option
-      REVOKE GRANT OPTION FOR SELECT ON
-        FOREIGN TABLE public.remote_users FROM
+      REVOKE GRANT OPTION FOR SELECT
+        ON TABLE public.remote_users FROM
         app_reader;
 
       -- server.create

package/src/core/plan/sql-format/format-pretty-preserve.test.ts

@@ -401,9 +401,6 @@ describe("sql formatting snapshots", () => {
       ALTER PUBLICATION pub_custom
          SET (publish = 'insert, update, delete, truncate', publish_via_partition_root = false);
 
-      -- publication.alter.set_all_tables
-      ALTER PUBLICATION pub_custom SET FOR ALL TABLES;
-
       -- publication.alter.set_list
       ALTER PUBLICATION pub_custom
          SET TABLE
@@ -518,28 +515,38 @@ describe("sql formatting snapshots", () => {
          IN "p_table_name_for_metrics" text, IN "p_limit_count_default" integer);
 
       -- function.alter.change_owner
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name OWNER TO
+      ALTER FUNCTION
+         public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) OWNER TO
          new_admin;
 
       -- function.alter.set_security
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name SECURITY INVOKER;
+      ALTER FUNCTION
+         public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) SECURITY
+         INVOKER;
 
       -- function.alter.set_config
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name
+      ALTER FUNCTION
+         public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer)
          SET work_mem TO '256MB';
 
       -- function.alter.set_volatility
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name IMMUTABLE;
+      ALTER FUNCTION
+         public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer)
+         IMMUTABLE;
 
       -- function.alter.set_strictness
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name CALLED
+      ALTER FUNCTION
+         public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) CALLED
          ON NULL INPUT;
 
       -- function.alter.set_leakproof
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name LEAKPROOF;
+      ALTER FUNCTION
+         public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer)
+         LEAKPROOF;
 
       -- function.alter.set_parallel
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name PARALLEL
+      ALTER FUNCTION
+         public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) PARALLEL
          RESTRICTED;
 
       -- function.comment
@@ -620,18 +627,16 @@ describe("sql formatting snapshots", () => {
       DROP POLICY allow_select_own ON public.table_with_very_long_name_for_formatting_and_wrapping_test;
 
       -- policy.alter.set_roles
-      ALTER POLICY public.allow_select_own
+      ALTER POLICY allow_select_own
          ON public.table_with_very_long_name_for_formatting_and_wrapping_test TO authenticated, anon;
 
       -- policy.alter.set_using
-      ALTER POLICY public.allow_select_own
-         ON public.table_with_very_long_name_for_formatting_and_wrapping_test
+      ALTER POLICY allow_select_own ON public.table_with_very_long_name_for_formatting_and_wrapping_test
          USING (auth.uid() = user_id AND status = 'active');
 
       -- policy.alter.set_with_check
-      ALTER POLICY public.allow_select_own
-         ON public.table_with_very_long_name_for_formatting_and_wrapping_test WITH
-         CHECK (auth.uid() = user_id);
+      ALTER POLICY allow_select_own ON public.table_with_very_long_name_for_formatting_and_wrapping_test
+         WITH CHECK (auth.uid() = user_id);
 
       -- policy.comment
       COMMENT ON POLICY allow_select_own
@@ -741,7 +746,7 @@ describe("sql formatting snapshots", () => {
          STYPE = anycompatiblearray,
          COMBINEFUNC = array_cat,
          INITCOND = '{}',
-         PARALLEL SAFE,
+         PARALLEL = SAFE,
          STRICT
       );
 
@@ -986,13 +991,13 @@ describe("sql formatting snapshots", () => {
       COMMENT ON FOREIGN TABLE public.remote_users IS NULL;
 
       -- foreign_table.grant
-      GRANT SELECT ON FOREIGN TABLE public.remote_users TO app_reader;
+      GRANT SELECT ON TABLE public.remote_users TO app_reader;
 
       -- foreign_table.revoke
-      REVOKE SELECT ON FOREIGN TABLE public.remote_users FROM app_reader;
+      REVOKE SELECT ON TABLE public.remote_users FROM app_reader;
 
       -- foreign_table.revoke_grant_option
-      REVOKE GRANT OPTION FOR SELECT ON FOREIGN TABLE public.remote_users FROM app_reader;
+      REVOKE GRANT OPTION FOR SELECT ON TABLE public.remote_users FROM app_reader;
 
       -- server.create
       CREATE SERVER remote_server

package/src/core/plan/sql-format/format-pretty-upper.test.ts

@@ -396,9 +396,6 @@ describe("sql formatting snapshots", () => {
       ALTER PUBLICATION pub_custom
         SET (publish = 'insert, update, delete, truncate', publish_via_partition_root = false);
 
-      -- publication.alter.set_all_tables
-      ALTER PUBLICATION pub_custom SET FOR ALL TABLES;
-
       -- publication.alter.set_list
       ALTER PUBLICATION pub_custom
         SET TABLE
@@ -513,28 +510,36 @@ describe("sql formatting snapshots", () => {
         IN "p_table_name_for_metrics" text, IN "p_limit_count_default" integer);
 
       -- function.alter.change_owner
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name OWNER TO
+      ALTER FUNCTION
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) OWNER TO
         new_admin;
 
       -- function.alter.set_security
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name SECURITY INVOKER;
+      ALTER FUNCTION
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) SECURITY
+        INVOKER;
 
       -- function.alter.set_config
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name
+      ALTER FUNCTION
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer)
         SET work_mem TO '256MB';
 
       -- function.alter.set_volatility
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name IMMUTABLE;
+      ALTER FUNCTION
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) IMMUTABLE;
 
       -- function.alter.set_strictness
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name CALLED
+      ALTER FUNCTION
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) CALLED
         ON NULL INPUT;
 
       -- function.alter.set_leakproof
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name LEAKPROOF;
+      ALTER FUNCTION
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) LEAKPROOF;
 
       -- function.alter.set_parallel
-      ALTER FUNCTION public.calculate_metrics_for_analytics_dashboard_with_extended_name PARALLEL
+      ALTER FUNCTION
+        public.calculate_metrics_for_analytics_dashboard_with_extended_name(text, text, integer) PARALLEL
         RESTRICTED;
 
       -- function.comment
@@ -613,18 +618,16 @@ describe("sql formatting snapshots", () => {
       DROP POLICY allow_select_own ON public.table_with_very_long_name_for_formatting_and_wrapping_test;
 
       -- policy.alter.set_roles
-      ALTER POLICY public.allow_select_own
+      ALTER POLICY allow_select_own
         ON public.table_with_very_long_name_for_formatting_and_wrapping_test TO authenticated, anon;
 
       -- policy.alter.set_using
-      ALTER POLICY public.allow_select_own
-        ON public.table_with_very_long_name_for_formatting_and_wrapping_test
+      ALTER POLICY allow_select_own ON public.table_with_very_long_name_for_formatting_and_wrapping_test
         USING (auth.uid() = user_id AND status = 'active');
 
       -- policy.alter.set_with_check
-      ALTER POLICY public.allow_select_own
-        ON public.table_with_very_long_name_for_formatting_and_wrapping_test WITH
-        CHECK (auth.uid() = user_id);
+      ALTER POLICY allow_select_own ON public.table_with_very_long_name_for_formatting_and_wrapping_test
+        WITH CHECK (auth.uid() = user_id);
 
       -- policy.comment
       COMMENT ON POLICY allow_select_own
@@ -734,7 +737,7 @@ describe("sql formatting snapshots", () => {
         STYPE       = anycompatiblearray,
         COMBINEFUNC = array_cat,
         INITCOND    = '{}',
-        PARALLEL SAFE,
+        PARALLEL    = SAFE,
         STRICT
       );
 
@@ -979,13 +982,13 @@ describe("sql formatting snapshots", () => {
       COMMENT ON FOREIGN TABLE public.remote_users IS NULL;
 
       -- foreign_table.grant
-      GRANT SELECT ON FOREIGN TABLE public.remote_users TO app_reader;
+      GRANT SELECT ON TABLE public.remote_users TO app_reader;
 
       -- foreign_table.revoke
-      REVOKE SELECT ON FOREIGN TABLE public.remote_users FROM app_reader;
+      REVOKE SELECT ON TABLE public.remote_users FROM app_reader;
 
       -- foreign_table.revoke_grant_option
-      REVOKE GRANT OPTION FOR SELECT ON FOREIGN TABLE public.remote_users FROM app_reader;
+      REVOKE GRANT OPTION FOR SELECT ON TABLE public.remote_users FROM app_reader;
 
       -- server.create
       CREATE SERVER remote_server

package/src/core/plan/sql-format/keyword-case.ts

@@ -207,6 +207,36 @@ const STRUCTURAL_TOP_LEVEL_KEYWORDS = new Set([
   "WRAPPER",
   "MAPPING",
 ]);
+const EMPTY_SCOPED_SET: ReadonlySet<string> = new Set();
+
+const ALTER_DEFAULT_PRIVILEGES_KEYWORDS: ReadonlySet<string> = new Set([
+  "PUBLIC",
+  "SEQUENCES",
+  "ROUTINES",
+  "TYPES",
+  "SCHEMAS",
+]);
+
+const GRANT_REVOKE_KEYWORDS: ReadonlySet<string> = new Set(["PUBLIC"]);
+
+function getStatementScopedKeywords(
+  topLevelTokens: Array<{ token: Token; index: number }>,
+): ReadonlySet<string> {
+  const first = topLevelTokens[0]?.token.upper;
+  const second = topLevelTokens[1]?.token.upper;
+  const third = topLevelTokens[2]?.token.upper;
+
+  if (first === "ALTER" && second === "DEFAULT" && third === "PRIVILEGES") {
+    return ALTER_DEFAULT_PRIVILEGES_KEYWORDS;
+  }
+
+  if (first === "GRANT" || first === "REVOKE") {
+    return GRANT_REVOKE_KEYWORDS;
+  }
+
+  return EMPTY_SCOPED_SET;
+}
+
 const ALTER_TYPE_BOUNDARY_KEYWORDS = new Set([
   "COLLATE",
   "USING",
@@ -287,6 +317,7 @@ function collectCaseableTokenStarts(
   if (topLevelTokens.length === 0) return caseable;
 
   const command = topLevelTokens[0].token.upper;
+  const scopedKeywords = getStatementScopedKeywords(topLevelTokens);
   const objectNameTokenIndexes = new Set<number>();
   for (let topIndex = 0; topIndex < topLevelTokens.length; topIndex += 1) {
     if (isLikelyObjectNameToken(command, topLevelTokens, topIndex)) {
@@ -297,7 +328,8 @@ function collectCaseableTokenStarts(
   for (let index = 0; index < tokens.length; index += 1) {
     const token = tokens[index];
     const upper = token.upper;
-    if (!STRUCTURAL_TOP_LEVEL_KEYWORDS.has(upper)) continue;
+    if (!STRUCTURAL_TOP_LEVEL_KEYWORDS.has(upper) && !scopedKeywords.has(upper))
+      continue;
     if (objectNameTokenIndexes.has(index)) continue;
     if (isQualifiedIdentifierToken(statement, token)) continue;
 
@@ -436,6 +468,9 @@ function isCaseableInContext(
   if (upper === "IDENTITY") {
     return prev === "REPLICA" || prev === "AS";
   }
+  if (upper === "PUBLIC") {
+    return prev === "TO" || prev === "FROM";
+  }
   if (upper === "OR") {
     return true;
   }

package/src/core/plan/ssl-config.ts

@@ -0,0 +1,172 @@
+/**
+ * SSL configuration parsing for PostgreSQL connection URLs.
+ *
+ * Supports sslmode and certificate paths (URL params or env). Used by plan,
+ * apply, and catalog-export when connecting to source/target databases.
+ */
+
+import { readFile } from "node:fs/promises";
+
+/** Parsed SSL options for the pg client plus URL with SSL params stripped (internal). */
+type SslConfig = {
+  ssl?:
+    | boolean
+    | {
+        rejectUnauthorized: boolean;
+        ca?: string;
+        cert?: string;
+        key?: string;
+        /**
+         * Custom server identity check function.
+         * Used to skip hostname verification for verify-ca mode.
+         * Returns undefined to indicate success (no error).
+         */
+        checkServerIdentity?: () => undefined;
+      };
+  cleanedUrl: string;
+};
+
+/**
+ * Parse SSL configuration from a PostgreSQL connection URL.
+ * Supports sslmode (require, verify-ca, verify-full, prefer, disable).
+ * Certificates can be provided via:
+ * - Query string parameters (file paths): sslrootcert, sslcert, sslkey (preferred)
+ * - Environment variables (content): PGDELTA_SOURCE_SSLROOTCERT/SSLCERT/SSLKEY or PGDELTA_TARGET_SSLROOTCERT/SSLCERT/SSLKEY
+ * Returns SSL options for the postgres.js library and a cleaned URL without SSL-related query parameters.
+ */
+export async function parseSslConfig(
+  url: string,
+  connectionType: "source" | "target",
+): Promise<SslConfig> {
+  const urlObj = new URL(url);
+  const sslmode = urlObj.searchParams.get("sslmode");
+  const sslrootcert = urlObj.searchParams.get("sslrootcert");
+  const sslcert = urlObj.searchParams.get("sslcert");
+  const sslkey = urlObj.searchParams.get("sslkey");
+
+  // Remove SSL-related query parameters since we parse them ourselves
+  urlObj.searchParams.delete("sslmode");
+  urlObj.searchParams.delete("sslrootcert");
+  urlObj.searchParams.delete("sslcert");
+  urlObj.searchParams.delete("sslkey");
+  const cleanedUrl = urlObj.toString();
+
+  // Handle different SSL modes
+  if (sslmode === "disable") {
+    return { cleanedUrl, ssl: false };
+  }
+
+  if (
+    sslmode === "require" ||
+    sslmode === "prefer" ||
+    sslmode === "verify-ca" ||
+    sslmode === "verify-full"
+  ) {
+    // Helper function to get certificate value: query param (file path) takes precedence over env var (content)
+    const getCertValue = async (
+      queryParam: string | null,
+      envVarName: string,
+    ): Promise<string | undefined> => {
+      // Prefer query parameter (file path)
+      if (queryParam) {
+        try {
+          return await readFile(queryParam, "utf-8");
+        } catch (error) {
+          throw new Error(
+            `Failed to read certificate file '${queryParam}': ${error instanceof Error ? error.message : String(error)}`,
+          );
+        }
+      }
+      // Fallback to environment variable (content)
+      const envValue = process.env[envVarName];
+      return envValue || undefined;
+    };
+
+    const hasExplicitVerification =
+      sslmode === "verify-ca" || sslmode === "verify-full";
+
+    // Get CA certificate value.
+    // - verify-ca/verify-full: check query param first, then env var
+    // - require/prefer: only check query param (libpq backward compatibility
+    //   requires an explicit root CA *file*, not a global env var)
+    const caEnvVar =
+      connectionType === "source"
+        ? "PGDELTA_SOURCE_SSLROOTCERT"
+        : "PGDELTA_TARGET_SSLROOTCERT";
+    let caValue: string | undefined;
+    if (sslrootcert) {
+      // Explicit file path in query param — always honour it
+      caValue = await getCertValue(sslrootcert, caEnvVar);
+    } else if (hasExplicitVerification) {
+      // verify-ca / verify-full without file path — fall back to env var
+      caValue = await getCertValue(null, caEnvVar);
+    }
+    // require/prefer without sslrootcert: no CA cert, no verification
+
+    // Determine if we should verify the CA chain
+    //   From PostgreSQL docs: "if a root CA file exists, the behavior of sslmode=require
+    //   will be the same as that of verify-ca"
+    const hasLibpqCompatibility =
+      (sslmode === "require" || sslmode === "prefer") && caValue !== undefined;
+    const shouldVerifyCa = hasExplicitVerification || hasLibpqCompatibility;
+
+    // Determine if we should verify hostname
+    // - verify-full: verify both CA and hostname
+    // - verify-ca: verify CA only (skip hostname)
+    // - require/prefer with CA (libpq compat): behaves like verify-ca (skip hostname)
+    const shouldVerifyHostname = sslmode === "verify-full";
+
+    const ssl: {
+      rejectUnauthorized: boolean;
+      ca?: string;
+      cert?: string;
+      key?: string;
+      checkServerIdentity?: () => undefined;
+    } = {
+      rejectUnauthorized: shouldVerifyCa,
+    };
+
+    // Add CA certificate if verifying
+    if (shouldVerifyCa && caValue) {
+      ssl.ca = caValue;
+    }
+
+    // For verify-ca and libpq compatibility mode: skip hostname verification
+    // This matches PostgreSQL semantics where verify-ca only checks the CA chain
+    if (shouldVerifyCa && !shouldVerifyHostname) {
+      ssl.checkServerIdentity = () => undefined;
+    }
+
+    // Get client certificate (optional, for mutual TLS)
+    const certEnvVar =
+      connectionType === "source"
+        ? "PGDELTA_SOURCE_SSLCERT"
+        : "PGDELTA_TARGET_SSLCERT";
+    const certValue = await getCertValue(sslcert, certEnvVar);
+    if (certValue) {
+      ssl.cert = certValue;
+    }
+
+    // Get client key (optional, for mutual TLS, required if cert is provided)
+    const keyEnvVar =
+      connectionType === "source"
+        ? "PGDELTA_SOURCE_SSLKEY"
+        : "PGDELTA_TARGET_SSLKEY";
+    const keyValue = await getCertValue(sslkey, keyEnvVar);
+    if (keyValue) {
+      ssl.key = keyValue;
+    }
+
+    // Warn if cert is provided without key (or vice versa)
+    if ((ssl.cert && !ssl.key) || (!ssl.cert && ssl.key)) {
+      throw new Error(
+        "Both client certificate and key must be provided together for mutual TLS",
+      );
+    }
+
+    return { ssl, cleanedUrl };
+  }
+
+  // No sslmode specified or invalid value - explicitly disable SSL
+  return { cleanedUrl, ssl: false };
+}

package/src/core/plan/types.ts

@@ -162,4 +162,10 @@ export interface CreatePlanOptions {
   serialize?: SerializeDSL | ChangeSerializer;
   /** Role to use when executing the migration (SET ROLE will be added to statements) */
   role?: string;
+  /**
+   * When true, don't subtract privileges covered by ALTER DEFAULT PRIVILEGES
+   * from explicit GRANTs during diffing. Use this for declarative export where
+   * the output must be self-contained and not rely on statement execution order.
+   */
+  skipDefaultPrivilegeSubtraction?: boolean;
 }

package/src/core/postgres-config.ts

@@ -3,7 +3,8 @@
  */
 
 import type { PoolClient, PoolConfig } from "pg";
-import { Pool, types } from "pg";
+import { escapeIdentifier, Pool, types } from "pg";
+import { parseSslConfig } from "./plan/ssl-config.ts";
 
 // ============================================================================
 // Array Parser
@@ -103,6 +104,12 @@ types.setTypeParser(1007, (val: string) => parseArray(val, parseIntElement)); //
 // @ts-expect-error - pg types expects TypeId but raw OID numbers work fine
 types.setTypeParser(1016, (val: string) => parseArray(val, parseIntElement)); // int8[]
 
+const DEFAULT_POOL_MAX = Number(process.env.PGDELTA_POOL_MAX) || 5;
+const DEFAULT_CONNECTION_TIMEOUT_MS =
+  Number(process.env.PGDELTA_CONNECTION_TIMEOUT_MS) || 3_000;
+const DEFAULT_CONNECT_TIMEOUT_MS =
+  Number(process.env.PGDELTA_CONNECT_TIMEOUT_MS) || 2_500;
+
 /**
  * Options for creating a Pool with event listeners.
  */
@@ -125,7 +132,12 @@ export function createPool(
   options?: CreatePoolOptions,
 ): Pool {
   const { onConnect, onError, onAcquire, onRemove, ...config } = options ?? {};
-  const pool = new Pool({ connectionString, ...config });
+  const pool = new Pool({
+    connectionString,
+    max: DEFAULT_POOL_MAX,
+    connectionTimeoutMillis: DEFAULT_CONNECTION_TIMEOUT_MS,
+    ...config,
+  });
 
   if (onConnect) pool.on("connect", onConnect);
   if (onError) pool.on("error", onError);
@@ -149,6 +161,63 @@ export function createPool(
  * inside each `client.end()` callback — ensuring all sockets are
  * truly closed before it resolves.
  */
+/**
+ * Create a pool from a connection URL with standard session setup:
+ * SSL parsing, search_path isolation, optional SET ROLE, and 57P01 suppression.
+ *
+ * Returns the pool and a `close` function that properly waits for all sockets
+ * to close (via {@link endPool}).
+ */
+export async function createManagedPool(
+  url: string,
+  options?: { role?: string; label?: "source" | "target" },
+): Promise<{ pool: Pool; close: () => Promise<void> }> {
+  const sslConfig = await parseSslConfig(url, options?.label ?? "target");
+  const pool = createPool(sslConfig.cleanedUrl, {
+    ...(sslConfig.ssl !== undefined ? { ssl: sslConfig.ssl } : {}),
+    onError: (err: Error & { code?: string }) => {
+      if (err.code !== "57P01") {
+        console.error("Pool error:", err);
+      }
+    },
+    onConnect: async (client) => {
+      await client.query("SET search_path = ''");
+      if (options?.role) {
+        await client.query(`SET ROLE ${escapeIdentifier(options.role)}`);
+      }
+    },
+  });
+
+  // Eagerly validate connectivity so SSL/auth failures surface immediately
+  // instead of hanging on the first real query. node-pg's connectionTimeoutMillis
+  // is not reliably enforced under Bun when SSL negotiation hangs.
+  const label = options?.label ?? "target";
+  const timeoutMs = DEFAULT_CONNECT_TIMEOUT_MS;
+  try {
+    const client = await Promise.race([
+      pool.connect(),
+      new Promise<never>((_, reject) =>
+        setTimeout(
+          () =>
+            reject(
+              new Error(
+                `Connection to ${label} database timed out after ${timeoutMs}ms. ` +
+                  `The server may require SSL, use an invalid certificate, or be unreachable.`,
+              ),
+            ),
+          timeoutMs,
+        ),
+      ),
+    ]);
+    client.release();
+  } catch (err) {
+    await pool.end().catch(() => {});
+    throw err;
+  }
+
+  return { pool, close: () => endPool(pool) };
+}
+
 export function endPool(pool: Pool): Promise<void> {
   const clientCount = pool.totalCount;
 

package/src/core/sort/graph-builder.ts

@@ -87,7 +87,19 @@ export function convertExplicitRequirementsToConstraints(
 
     if (requiredIds.size === 0) continue;
 
+    // Collect dropped IDs for this change so we can skip requirements
+    // for stableIds that this change also drops.  A change that drops a
+    // stableId should not depend on another change that creates the same
+    // stableId, because the entity already exists in the source database.
+    // This prevents false ordering constraints such as Grant → Revoke
+    // when both operate on the same ACL stableId.
+    const droppedIds = new Set<string>(phaseChanges[consumerIndex].drops);
+
     for (const requiredId of requiredIds) {
+      if (droppedIds.has(requiredId)) {
+        continue;
+      }
+
       const producerIndexes =
         graphData.changeIndexesByCreatedId.get(requiredId);
       if (!producerIndexes || producerIndexes.size === 0) continue;