pg_lake_iceberg: refuse compatibility_mode rewrite of type-bound columns

A compatibility_mode rewrite swaps only a column's typeName. There is no
implicit or assignment cast from uuid to text, so a nested-uuid column that
also carries a DEFAULT / GENERATED / IDENTITY expression cannot be silently
re-coerced the way numeric->double can. Rather than emit a broken column (or
let core fail later with a confusing message), ErrorIfColumnRewriteUnsafe
fails fast with an actionable error when a column we would actually rewrite
carries such a clause.

This is reachable only from user-authored DDL: callers that build Iceberg
tables programmatically construct columns from type/typmod/collation alone and
never attach these clauses, so for them it is a defensive invariant, not a
reachable error path. Top-level uuid columns and uuid-free columns are never
rewritten, so a clause on them is left untouched.

Add CREATE and ALTER ADD COLUMN tests covering DEFAULT/GENERATED on a
rewritten column (incl. a nested composite), plus the allowed cases.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: sfc-gh-okalaci

pg_lake_iceberg/src/iceberg/compatibility_mode.c

@@ -35,6 +35,16 @@
  * supplies the per-mode leaf rule.  Out-of-range value handling, timetz
  * normalization, and numeric->double live elsewhere and compose on top of
  * this pass (each leaves the fields it does not touch alone).
+ *
+ * Rewriting a column means swapping only its typeName, which is sound only if
+ * nothing else on the column is bound to the original type.  Any column we
+ * actually rewrite is therefore screened by ErrorIfColumnRewriteUnsafe, which
+ * refuses columns carrying a DEFAULT / GENERATED / IDENTITY expression (there
+ * is no implicit uuid->text cast for core to re-coerce them through).  This is
+ * reachable only from user-authored DDL: callers that build Iceberg tables
+ * programmatically construct each column from type/typmod/collation alone and
+ * never attach these clauses, so the check there is a defensive invariant, not
+ * an error path users of those callers can hit.
  */
 
 #include "postgres.h"
@@ -136,6 +146,71 @@ NestedUuidToText(Oid typeOid, int32 typeMod, int level, void *context,
 }
 
 
+/*
+ * ErrorIfColumnRewriteUnsafe refuses to rewrite a column whose declared type
+ * carries a clause whose meaning is bound to that type.
+ *
+ * Changing a column's type underneath a DEFAULT or GENERATED expression is only
+ * safe if the expression's result can be coerced to the new type the way the
+ * core CREATE/ALTER path expects.  numeric->double gets away with it because
+ * numeric->float8 is an implicit cast; but there is NO implicit or assignment
+ * cast from uuid to text, so a uuid-typed DEFAULT/GENERATED on a column we
+ * rewrite to text would either change the stored semantics or (more often) fail
+ * later with a confusing "default expression is of type uuid[]" error from
+ * core.  We fail fast with an actionable message instead.
+ *
+ * Identity is impossible here (it requires an integer type, never a column that
+ * contains a uuid) but is covered defensively so future leaf rules stay safe.
+ *
+ * Only user-authored DDL can reach this: callers that generate Iceberg tables
+ * programmatically build columns from type/typmod/collation alone and never
+ * attach a DEFAULT / GENERATED / IDENTITY, so for them this is unreachable.
+ *
+ * At this pre-transform stage these clauses live as Constraint nodes in
+ * columnDef->constraints; transformColumnDefinition() only fills the cooked
+ * raw_default/generated/identity fields later, but we check those too in case
+ * the pass is ever fed an already-transformed ColumnDef.
+ */
+static void
+ErrorIfColumnRewriteUnsafe(ColumnDef *columnDef)
+{
+	const char *clause = NULL;
+	ListCell   *lc;
+
+	if (columnDef->raw_default != NULL || columnDef->cooked_default != NULL)
+		clause = "a DEFAULT";
+	else if (columnDef->generated != '\0')
+		clause = "a GENERATED";
+	else if (columnDef->identity != '\0')
+		clause = "an IDENTITY";
+
+	foreach(lc, columnDef->constraints)
+	{
+		Constraint *con = lfirst_node(Constraint, lc);
+
+		if (con->contype == CONSTR_DEFAULT)
+			clause = "a DEFAULT";
+		else if (con->contype == CONSTR_GENERATED)
+			clause = "a GENERATED";
+		else if (con->contype == CONSTR_IDENTITY)
+			clause = "an IDENTITY";
+	}
+
+	if (clause == NULL)
+		return;
+
+	ereport(ERROR,
+			(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+			 errmsg("compatibility_mode cannot rewrite column \"%s\"",
+					columnDef->colname),
+			 errdetail("The column has %s expression bound to its original type, "
+					   "which would no longer match once a nested uuid is "
+					   "rewritten to text.", clause),
+			 errhint("Drop the expression, or keep the uuid at the top level "
+					 "of the column (top-level uuid columns are left unchanged).")));
+}
+
+
 /*
  * ApplyIcebergTableCompatibilityModeForSchema rewrites the column TYPES of a
  * ColumnDef list in place according to the compatibility mode.  Top-level
@@ -146,6 +221,10 @@ NestedUuidToText(Oid typeOid, int32 typeMod, int level, void *context,
  * ConvertTypeTree; this pass only supplies the per-mode leaf rule.  The two run
  * as independent passes on the same list and compose (each leaves untouched the
  * fields the other rewrote).
+ *
+ * Swapping only typeName is sound only for columns that carry nothing else
+ * bound to the original type, so any column we actually rewrite is first run
+ * through ErrorIfColumnRewriteUnsafe.
  */
 void
 ApplyIcebergTableCompatibilityModeForSchema(List *columnDefList,
@@ -196,6 +275,9 @@ ApplyIcebergTableCompatibilityModeForSchema(List *columnDefList,
 
 		if (ConvertTypeTree(typeOid, typmod, 0, leafConv, NULL,
 							&convertedOid, &convertedMod))
+		{
+			ErrorIfColumnRewriteUnsafe(columnDef);
 			columnDef->typeName = makeTypeNameFromOid(convertedOid, convertedMod);
+		}
 	}
 }

pg_lake_table/tests/pytests/test_compatibility_mode.py

@@ -579,6 +579,115 @@ def test_alter_add_without_option_keeps_uuid(
     pg_conn.rollback()
 
 
+# ---------------------------------------------------------------------------
+# type-bound clauses on a rewritten column are refused
+#
+# Rewriting a column swaps only its type; there is no implicit uuid->text cast,
+# so a DEFAULT/GENERATED expression bound to the original (uuid) type cannot be
+# silently re-coerced.  We fail fast instead of producing a broken column.
+# This is reachable only from user-authored DDL (programmatic Iceberg table
+# creation builds columns from type/typmod/collation alone, never these
+# clauses).  A clause on a column we DON'T rewrite (top-level uuid, or a
+# uuid-free column) is fine.
+# ---------------------------------------------------------------------------
+
+
+def test_default_on_rewritten_column_rejected(
+    s3, pg_conn, extension, with_default_location
+):
+    error = run_command(
+        "CREATE TABLE compat_def (id int, us uuid[] DEFAULT '{}'::uuid[]) "
+        "USING iceberg WITH (compatibility_mode = 'snowflake');",
+        pg_conn,
+        raise_error=False,
+    )
+    assert "cannot rewrite column" in error
+    assert "us" in error
+    pg_conn.rollback()
+
+
+def test_generated_on_rewritten_column_rejected(
+    s3, pg_conn, extension, with_default_location
+):
+    error = run_command(
+        "CREATE TABLE compat_gen "
+        "(u uuid, g uuid[] GENERATED ALWAYS AS (ARRAY[u]) STORED) "
+        "USING iceberg WITH (compatibility_mode = 'snowflake');",
+        pg_conn,
+        raise_error=False,
+    )
+    assert "cannot rewrite column" in error
+    assert "g" in error
+    pg_conn.rollback()
+
+
+def test_default_on_nested_composite_column_rejected(
+    s3, pg_conn, extension, with_default_location
+):
+    """The clause is refused even when the uuid is buried inside a composite."""
+    error = run_command(
+        """
+        CREATE TYPE def_comp AS (cid uuid, note text);
+        CREATE TABLE compat_def_comp
+            (id int, c def_comp DEFAULT ROW(NULL, 'x')::def_comp)
+            USING iceberg WITH (compatibility_mode = 'snowflake');
+        """,
+        pg_conn,
+        raise_error=False,
+    )
+    assert "cannot rewrite column" in error
+    pg_conn.rollback()
+
+
+def test_alter_add_default_on_rewritten_column_rejected(
+    s3, pg_conn, extension, with_default_location
+):
+    run_command(
+        "CREATE TABLE compat_alter_def (id int) USING iceberg "
+        "WITH (compatibility_mode = 'snowflake');",
+        pg_conn,
+    )
+    pg_conn.commit()
+    try:
+        error = run_command(
+            "ALTER TABLE compat_alter_def ADD COLUMN us uuid[] DEFAULT '{}'::uuid[];",
+            pg_conn,
+            raise_error=False,
+        )
+        assert "cannot rewrite column" in error
+        assert "us" in error
+        pg_conn.rollback()
+    finally:
+        run_command("DROP TABLE compat_alter_def", pg_conn)
+        pg_conn.commit()
+
+
+def test_default_on_top_level_uuid_allowed(
+    s3, pg_conn, extension, with_default_location
+):
+    """A top-level uuid is never rewritten, so a DEFAULT on it is fine."""
+    run_command(
+        "CREATE TABLE compat_top_def (id int, u uuid DEFAULT gen_random_uuid()) "
+        "USING iceberg WITH (compatibility_mode = 'snowflake');",
+        pg_conn,
+    )
+    assert _col_format_type(pg_conn, "compat_top_def", "u") == "uuid"
+    pg_conn.rollback()
+
+
+def test_default_on_uuid_free_column_allowed(
+    s3, pg_conn, extension, with_default_location
+):
+    """A DEFAULT on a column we don't rewrite is untouched by the guard."""
+    run_command(
+        "CREATE TABLE compat_clean_def (id int DEFAULT 7, note text DEFAULT 'x') "
+        "USING iceberg WITH (compatibility_mode = 'snowflake');",
+        pg_conn,
+    )
+    assert _col_format_type(pg_conn, "compat_clean_def", "id") == "integer"
+    pg_conn.rollback()
+
+
 # ---------------------------------------------------------------------------
 # dropped-column lifecycle (data written on both sides of the drop)
 # ---------------------------------------------------------------------------