DROP VARIABLE super_secret; CREATE VARIABLE super_secret ...;
But you don't do it in functions - these variables are persistent - you don't create it or drop inside functions. The content is secure, so you don't need to hide this variable against other.
ISTM that you are still missing my point.
I understood that you want a static analysis tool to re-assure you about how your session variables are manipulated. I do not see how such a tool can give any assurance without checking that the variable meta-data are not changed by some malicious code inserted in a function.
if you afraid this, then just use grep to verify functions that have this code. It is same like tables - you can generate it dynamicly, but is risks - similar to use dynamic SQL. Sure, there is a exceptions - but there are rules for PL - don't use dynamic SQL if it is not deadly necessary, use SQL security, not own, ...
I'm not sure that I understand these sentences.
so I don't prefer any design that increase a area where plpgsql_check should not work.
My assumption is that plpgsql_check can be improved. For instance, I assume that if "secure session variables" are added, then it will be enhanced to do some checking about these and take them into account. If "simple session variables" are added, I assume that it would also be updated accordingly.
in simple session variables there are not any safe point - any authoritative point. Sure I can do some - I can introduce some hints, etc - but it is workaround - nothing more - it like C development without header files.
I wrote my notes there.
Great! I restructured a little bit and tried to improve the English. I also added questions when some statement that I think are too optimistic, or are unclear to me.
we have just different perspectives
I'm trying to have sentences that are both clear and true. If I think that a sentence is imprecise because it is missing a key hypothesis, then I try to improve it, whether it is mine or someone else.