test(postgres): add a new rls test

Author: andinux

plans/BATCH_MERGE_AND_RLS.md

@@ -163,5 +163,4 @@ The batch path is used for all platforms (SQLite client, SQLiteCloud, PostgreSQL
 
 ## TODO
 
- - add a new test like the n° 27 with more columns and more cases
  - update documentation: RLS.md, README.md and the https://github.com/sqlitecloud/docs repo

test/postgresql/27_rls_batch_merge.sql

@@ -105,7 +105,16 @@ SELECT COALESCE(max(db_version), 0) AS max_dbv_1 FROM cloudsync_changes \gset
 -- Apply as superuser (service-role pattern)
 \connect cloudsync_test_27_b
 \ir helper_psql_conn_setup.sql
-SELECT cloudsync_payload_apply(decode(:'payload_hex_1', 'hex')) AS _apply_1 \gset
+SELECT cloudsync_payload_apply(decode(:'payload_hex_1', 'hex')) AS apply_1 \gset
+
+-- 1 row × 3 non-PK columns = 3 column-change entries
+SELECT (:apply_1::int = 3) AS apply_1_ok \gset
+\if :apply_1_ok
+\echo [PASS] (:testid) RLS: apply returned :apply_1
+\else
+\echo [FAIL] (:testid) RLS: apply returned :apply_1 (expected 3)
+SELECT (:fail::int + 1) AS fail \gset
+\endif
 
 -- Verify complete row written (all columns present)
 SELECT COUNT(*) AS doc1_count FROM documents WHERE id = 'doc1' AND title = 'Title 1' AND content = 'Content 1' AND user_id = :'USER1'::UUID \gset
@@ -135,7 +144,16 @@ SELECT COALESCE(max(db_version), 0) AS max_dbv_2 FROM cloudsync_changes \gset
 -- Apply as superuser
 \connect cloudsync_test_27_b
 \ir helper_psql_conn_setup.sql
-SELECT cloudsync_payload_apply(decode(:'payload_hex_2', 'hex')) AS _apply_2 \gset
+SELECT cloudsync_payload_apply(decode(:'payload_hex_2', 'hex')) AS apply_2 \gset
+
+-- 1 row × 3 non-PK columns = 3 entries
+SELECT (:apply_2::int = 3) AS apply_2_ok \gset
+\if :apply_2_ok
+\echo [PASS] (:testid) RLS: apply returned :apply_2
+\else
+\echo [FAIL] (:testid) RLS: apply returned :apply_2 (expected 3)
+SELECT (:fail::int + 1) AS fail \gset
+\endif
 
 -- Verify doc2 exists (superuser sees all)
 SELECT COUNT(*) AS doc2_exists FROM documents WHERE id = 'doc2' \gset
@@ -172,7 +190,16 @@ SELECT COALESCE(max(db_version), 0) AS max_dbv_3 FROM cloudsync_changes \gset
 -- Apply as superuser
 \connect cloudsync_test_27_b
 \ir helper_psql_conn_setup.sql
-SELECT cloudsync_payload_apply(decode(:'payload_hex_3', 'hex')) AS _apply_3 \gset
+SELECT cloudsync_payload_apply(decode(:'payload_hex_3', 'hex')) AS apply_3 \gset
+
+-- 1 row × 1 changed column (title) = 1 entry
+SELECT (:apply_3::int = 1) AS apply_3_ok \gset
+\if :apply_3_ok
+\echo [PASS] (:testid) RLS: apply returned :apply_3
+\else
+\echo [FAIL] (:testid) RLS: apply returned :apply_3 (expected 1)
+SELECT (:fail::int + 1) AS fail \gset
+\endif
 
 -- Verify update applied (superuser check)
 SELECT COUNT(*) AS doc1_updated FROM documents WHERE id = 'doc1' AND title = 'Title 1 Updated' \gset
@@ -210,9 +237,18 @@ SELECT COALESCE(max(db_version), 0) AS max_dbv_4 FROM cloudsync_changes \gset
 \ir helper_psql_conn_setup.sql
 SET app.current_user_id = :'USER1';
 SET ROLE test_rls_user;
-SELECT cloudsync_payload_apply(decode(:'payload_hex_4', 'hex')) AS _apply_4 \gset
+SELECT cloudsync_payload_apply(decode(:'payload_hex_4', 'hex')) AS apply_4 \gset
 RESET ROLE;
 
+-- 1 row × 3 non-PK columns = 3 entries
+SELECT (:apply_4::int = 3) AS apply_4_ok \gset
+\if :apply_4_ok
+\echo [PASS] (:testid) RLS auth: apply returned :apply_4
+\else
+\echo [FAIL] (:testid) RLS auth: apply returned :apply_4 (expected 3)
+SELECT (:fail::int + 1) AS fail \gset
+\endif
+
 -- Verify doc3 exists with all columns correct
 SELECT COUNT(*) AS doc3_count FROM documents WHERE id = 'doc3' AND title = 'Title 3' AND content = 'Content 3' AND user_id = :'USER1'::UUID \gset
 SELECT (:doc3_count::int = 1) AS test4_ok \gset
@@ -243,12 +279,21 @@ SELECT COALESCE(max(db_version), 0) AS max_dbv_5 FROM cloudsync_changes \gset
 \ir helper_psql_conn_setup.sql
 SET app.current_user_id = :'USER1';
 SET ROLE test_rls_user;
-SELECT cloudsync_payload_apply(decode(:'payload_hex_5', 'hex'));
+SELECT cloudsync_payload_apply(decode(:'payload_hex_5', 'hex')) AS apply_5 \gset
 
 -- Reconnect for clean state after expected RLS denial
 \connect cloudsync_test_27_b
 \ir helper_psql_conn_setup.sql
 
+-- 1 row × 3 non-PK columns = 3 entries (returned even if denied)
+SELECT (:apply_5::int = 3) AS apply_5_ok \gset
+\if :apply_5_ok
+\echo [PASS] (:testid) RLS auth: denied apply returned :apply_5
+\else
+\echo [FAIL] (:testid) RLS auth: denied apply returned :apply_5 (expected 3)
+SELECT (:fail::int + 1) AS fail \gset
+\endif
+
 -- Verify doc4 does NOT exist (superuser check)
 SELECT COUNT(*) AS doc4_count FROM documents WHERE id = 'doc4' \gset
 SELECT (:doc4_count::int = 0) AS test5_ok \gset
@@ -276,9 +321,18 @@ WHERE site_id = cloudsync_siteid()
 \ir helper_psql_conn_setup.sql
 SET app.current_user_id = :'USER1';
 SET ROLE test_rls_user;
-SELECT cloudsync_payload_apply(decode(:'payload_hex_6', 'hex')) AS _apply_6 \gset
+SELECT cloudsync_payload_apply(decode(:'payload_hex_6', 'hex')) AS apply_6 \gset
 RESET ROLE;
 
+-- 1 row × 1 changed column (title) = 1 entry
+SELECT (:apply_6::int = 1) AS apply_6_ok \gset
+\if :apply_6_ok
+\echo [PASS] (:testid) RLS auth: apply returned :apply_6
+\else
+\echo [FAIL] (:testid) RLS auth: apply returned :apply_6 (expected 1)
+SELECT (:fail::int + 1) AS fail \gset
+\endif
+
 -- Verify doc3 title was updated
 SELECT COUNT(*) AS doc3_updated FROM documents WHERE id = 'doc3' AND title = 'Title 3 Updated' \gset
 SELECT (:doc3_updated::int = 1) AS test6_ok \gset