Module diff 

Convergent diff engine.

Compares two RoleGraph instances (current vs desired) and produces an ordered list of Change operations needed to bring the database from its current state to the desired state.

The model is convergent: anything present in the current state but absent from the desired state is revoked/dropped. This is the Terraform-style “manifest is the entire truth” approach.

Enums

Change

A single change to be applied to the database.

PasswordResolutionError

Errors that can occur during password resolution.

ReconciliationMode

Controls how aggressively pgroles converges the database to the manifest.

Functions

apply_role_retirements

Augment a diff plan with explicit role-retirement actions.

diff

Compute the list of changes needed to bring current to desired.

filter_changes

Filter a list of changes according to the reconciliation mode.

inject_password_changes

Inject SetPassword changes into a plan for roles that declare passwords.

resolve_passwords

Resolve password sources from environment variables.