@xubylele/schema-forge 1.10.1 → 1.12.0

package/README.md

@@ -14,6 +14,7 @@ A modern CLI tool for database schema management with a clean DSL and automatic
 - **Postgres/Supabase** - Currently supports PostgreSQL and Supabase
 - **Constraint Diffing** - Detects UNIQUE and PRIMARY KEY changes with deterministic constraint names
 - **Live PostgreSQL Introspection** - Extract normalized schema directly from `information_schema`
+- **Policy (RLS) support** - Define Row Level Security policies in the DSL; invalid policies produce clear CLI errors during validation
 
 ## Installation
 
@@ -210,12 +211,13 @@ Creates the necessary directory structure and configuration files.
 Generate SQL migration from schema changes.
 
 ```bash
-schema-forge generate [--name "migration description"] [--safe] [--force]
+schema-forge generate [--name "migration description"] [--migration-format hyphen|underscore] [--safe] [--force]
 ```
 
 **Options:**
 
 - `--name` - Optional name for the migration (default: "migration")
+- `--migration-format <format>` - Migration file name: `hyphen` (e.g. `20250315120000-add-users.sql`) or `underscore` (e.g. `20250315120000_add_users.sql`, Supabase CLI style). Overrides `migrationFileNameFormat` in config.
 - `--safe` - Block execution if destructive operations are detected (exits with error)
 - `--force` - Bypass safety checks and proceed with destructive operations (shows warning)
 
@@ -269,6 +271,20 @@ Behavior:
 - Ignores unsupported SQL safely and prints warnings
 - Writes a normalized SchemaForge DSL schema file
 
+### `schema-forge config`
+
+Update `schemaforge/config.json` settings without editing the file.
+
+```bash
+schema-forge config migration-format <format>
+```
+
+**Subcommands:**
+
+- **`migration-format <format>`** – Set migration file name format: `hyphen` (e.g. `20250315120000-add-users.sql`) or `underscore` (e.g. `20250315120000_add_users.sql`, Supabase CLI style). Writes `migrationFileNameFormat` to config.
+
+Requires an initialized project. Other config keys are left unchanged.
+
 ### `schema-forge validate`
 
 Detect destructive or risky schema changes before generating/applying migrations.
@@ -309,6 +325,7 @@ Live `--json` output returns a structured `DriftReport`:
 
 Validation checks include:
 
+- **Policy validation** – Each policy must reference an existing table, use a valid command (`select` / `insert` / `update` / `delete`), and have at least one of `using` or `with check`. Invalid policies cause validation to fail with a clear error (exit code 1).
 - Dropped tables (`DROP_TABLE`, error)
 - Dropped columns (`DROP_COLUMN`, error)
 - Column type changes (`ALTER_COLUMN_TYPE`, warning/error based on compatibility heuristics)
@@ -551,6 +568,26 @@ table table_name {
 - `default <value>` - Default value (e.g., `default now()`, `default false`, `default 0`)
 - `fk <table>.<column>` - Foreign key reference (e.g., `fk users.id`)
 
+### Policies (RLS)
+
+Row Level Security policies are declared at the top level (the table must be defined first). Each policy must have a `for` command and at least one of `using` or `with check`.
+
+```sql
+table users {
+  id uuid pk
+  email text unique
+}
+
+policy "Users can read themselves" on users
+for select
+using auth.uid() = id
+```
+
+- **First line:** `policy "<name>" on <table>`
+- **Continuation:** `for <command>` (required; one of `select`, `insert`, `update`, `delete`), optional `using <expr>`, optional `with check <expr>`
+
+Invalid policies (missing table, invalid command, or no expressions) fail `schema-forge validate` with a clear error message.
+
 ### Examples
 
 #### Simple table
@@ -626,7 +663,8 @@ The `schemaforge/config.json` file contains project configuration. The `provider
 ```
 
 - **postgres**: `provider: "postgres"`, `outputDir: "migrations"`.
-- **supabase**: `provider: "supabase"`, `outputDir: "supabase/migrations"`.
+- **supabase**: `provider: "supabase"`, `outputDir: "supabase/migrations"`. Init also sets `migrationFileNameFormat: "hyphen"` so migrations are named `timestamp-name.sql` (Supabase CLI uses `timestamp_name.sql` by default; you can set `migrationFileNameFormat: "underscore"` in config or use `--migration-format underscore` to match).
+- **migrationFileNameFormat** (optional): `"hyphen"` (default) or `"underscore"`. Controls generated migration file names: `YYYYMMDDHHmmss-name.sql` vs `YYYYMMDDHHmmss_name.sql`. You can set it via **`schema-forge config migration-format <hyphen|underscore>`** instead of editing the file.
 
 ## Supported Databases
 

package/dist/api.d.ts

@@ -11,10 +11,13 @@ interface DoctorOptions {
     schema?: string;
 }
 
+type MigrationFileNameFormat = 'hyphen' | 'underscore';
+
 interface GenerateOptions {
     name?: string;
     safe?: boolean;
     force?: boolean;
+    migrationFormat?: MigrationFileNameFormat;
 }
 
 interface ImportOptions {
@@ -39,69 +42,22 @@ interface ValidateOptions {
     force?: boolean;
 }
 
-/**
- * Exit codes used throughout the CLI for deterministic behavior
- *
- * @see SF-106 Standardize Exit Codes
- */
 declare const EXIT_CODES: {
-    /** Successful operation */
     readonly SUCCESS: 0;
-    /** Validation error (invalid DSL syntax, config errors, missing files, etc.) */
     readonly VALIDATION_ERROR: 1;
-    /** Drift detected - Reserved for future use when comparing actual DB state vs schema */
     readonly DRIFT_DETECTED: 2;
-    /** Destructive operation detected in CI environment without --force */
     readonly CI_DESTRUCTIVE: 3;
 };
 
-/**
- * Programmatic API for Schema Forge.
- * Use this entrypoint when integrating from Node (e.g. scripts, GitHub Actions)
- * instead of invoking the CLI via shell.
- *
- * @example
- * const { generate, EXIT_CODES } = require('@xubylele/schema-forge/api');
- * const result = await generate({ name: 'MyMigration' });
- * if (result.exitCode !== EXIT_CODES.SUCCESS) process.exit(result.exitCode);
- */
-
-/**
- * Result of a programmatic command run. Exit codes match the CLI contract.
- * @see docs/exit-codes.json
- */
 interface RunResult {
     exitCode: number;
 }
-/**
- * Initialize a new schema project in the current directory.
- * @param options.provider - Database provider: 'postgres' (default) or 'supabase'. Supabase uses supabase/migrations for output.
- */
 declare function init(options?: InitOptions): Promise<RunResult>;
-/**
- * Generate SQL migration from schema files.
- */
 declare function generate(options?: GenerateOptions): Promise<RunResult>;
-/**
- * Compare two schema versions and generate migration SQL (optionally against live DB).
- */
 declare function diff(options?: DiffOptions): Promise<RunResult>;
-/**
- * Check live database drift against state.
- */
 declare function doctor(options?: DoctorOptions): Promise<RunResult>;
-/**
- * Validate schema and optionally check for destructive changes or live drift.
- */
 declare function validate(options?: ValidateOptions): Promise<RunResult>;
-/**
- * Extract normalized live schema from PostgreSQL.
- */
 declare function introspect(options?: IntrospectOptions): Promise<RunResult>;
-/**
- * Import schema from SQL migrations.
- * @param inputPath - Path to .sql file or migrations directory
- */
 declare function importSchema(inputPath: string, options?: ImportOptions): Promise<RunResult>;
 
 export { type DiffOptions, type DoctorOptions, EXIT_CODES, type GenerateOptions, type ImportOptions, type InitOptions, type IntrospectOptions, type RunResult, type ValidateOptions, diff, doctor, generate, importSchema, init, introspect, validate };

package/dist/api.js

@@ -34,6 +34,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 function parseSchema(source) {
   const lines = source.split("\n");
   const tables = {};
+  const policyList = [];
   let currentLine = 0;
   const validBaseColumnTypes = /* @__PURE__ */ new Set([
     "uuid",
@@ -258,6 +259,67 @@ function parseSchema(source) {
     }
     return column;
   }
+  function parsePolicyBlock(startLine) {
+    const firstLine = cleanLine(lines[startLine]);
+    const declMatch = firstLine.match(/^policy\s+"([^"]*)"\s+on\s+(\w+)\s*$/);
+    if (!declMatch) {
+      throw new Error(`Line ${startLine + 1}: Invalid policy declaration. Expected: policy "<name>" on <table>`);
+    }
+    const policyName = declMatch[1];
+    const tableIdent = declMatch[2];
+    validateIdentifier(tableIdent, startLine + 1, "table");
+    let command;
+    let using;
+    let withCheck;
+    let lineIdx = startLine + 1;
+    while (lineIdx < lines.length) {
+      const cleaned = cleanLine(lines[lineIdx]);
+      if (!cleaned) {
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("for ")) {
+        const cmd = cleaned.slice(4).trim().toLowerCase();
+        if (!POLICY_COMMANDS.includes(cmd)) {
+          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, or delete`);
+        }
+        if (command !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'for' in policy`);
+        }
+        command = cmd;
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("using ")) {
+        if (using !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'using' in policy`);
+        }
+        using = cleaned.slice(6).trim();
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("with check ")) {
+        if (withCheck !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'with check' in policy`);
+        }
+        withCheck = cleaned.slice(11).trim();
+        lineIdx++;
+        continue;
+      }
+      break;
+    }
+    if (command === void 0) {
+      throw new Error(`Line ${startLine + 1}: Policy is missing 'for <command>'`);
+    }
+    const policy = {
+      name: policyName,
+      table: tableIdent,
+      command,
+      ...using !== void 0 && { using },
+      ...withCheck !== void 0 && { withCheck }
+    };
+    return { policy, nextLineIndex: lineIdx };
+  }
   function parseTableBlock(startLine) {
     const firstLine = cleanLine(lines[startLine]);
     const match = firstLine.match(/^table\s+(\w+)\s*\{\s*$/);
@@ -301,6 +363,7 @@ function parseSchema(source) {
     };
     return lineIdx;
   }
+  const policyDeclRegex = /^policy\s+"([^"]*)"\s+on\s+\w+/;
   while (currentLine < lines.length) {
     const cleaned = cleanLine(lines[currentLine]);
     if (!cleaned) {
@@ -309,16 +372,31 @@ function parseSchema(source) {
     }
     if (cleaned.startsWith("table ")) {
       currentLine = parseTableBlock(currentLine);
+      currentLine++;
+    } else if (policyDeclRegex.test(cleaned)) {
+      const { policy, nextLineIndex } = parsePolicyBlock(currentLine);
+      policyList.push({ policy, startLine: currentLine + 1 });
+      currentLine = nextLineIndex;
     } else {
-      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table definition.`);
+      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table or policy definition.`);
     }
-    currentLine++;
+  }
+  for (const { policy, startLine } of policyList) {
+    if (!tables[policy.table]) {
+      throw new Error(`Line ${startLine}: Policy "${policy.name}" references undefined table "${policy.table}"`);
+    }
+    if (!tables[policy.table].policies) {
+      tables[policy.table].policies = [];
+    }
+    tables[policy.table].policies.push(policy);
   }
   return { tables };
 }
+var POLICY_COMMANDS;
 var init_parser = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/parser.js"() {
     "use strict";
+    POLICY_COMMANDS = ["select", "insert", "update", "delete"];
   }
 });
 
@@ -498,6 +576,18 @@ function resolveSchemaPrimaryKey(table) {
 function normalizeNullable(nullable) {
   return nullable ?? true;
 }
+function normalizePolicyExpression(s) {
+  return (s ?? "").trim().replace(/\s+/g, " ");
+}
+function policyEquals(oldP, newP) {
+  if (oldP.command !== newP.command)
+    return false;
+  if (normalizePolicyExpression(oldP.using) !== normalizePolicyExpression(newP.using))
+    return false;
+  if (normalizePolicyExpression(oldP.withCheck) !== normalizePolicyExpression(newP.withCheck))
+    return false;
+  return true;
+}
 function diffSchemas(oldState, newSchema) {
   const operations = [];
   const oldTableNames = getTableNamesFromState(oldState);
@@ -674,6 +764,37 @@ function diffSchemas(oldState, newSchema) {
       }
     }
   }
+  const oldPolicyNamesByTable = (t) => new Set(Object.keys(t.policies ?? {}));
+  const newPolicyListByTable = (t) => t.policies ?? [];
+  for (const tableName of commonTableNames) {
+    const newTable = newSchema.tables[tableName];
+    const oldTable = oldState.tables[tableName];
+    if (!newTable || !oldTable)
+      continue;
+    const oldPolicyNames = oldPolicyNamesByTable(oldTable);
+    const newPolicies = newPolicyListByTable(newTable);
+    const newPolicyNames = new Set(newPolicies.map((p) => p.name));
+    const sortedNewPolicyNames = Array.from(newPolicyNames).sort((a, b) => a.localeCompare(b));
+    const sortedOldPolicyNames = Array.from(oldPolicyNames).sort((a, b) => a.localeCompare(b));
+    for (const policyName of sortedNewPolicyNames) {
+      const policy = newPolicies.find((p) => p.name === policyName);
+      if (!policy)
+        continue;
+      if (!oldPolicyNames.has(policyName)) {
+        operations.push({ kind: "create_policy", tableName, policy });
+      } else {
+        const oldP = oldTable.policies?.[policyName];
+        if (oldP && !policyEquals(oldP, policy)) {
+          operations.push({ kind: "modify_policy", tableName, policyName, policy });
+        }
+      }
+    }
+    for (const policyName of sortedOldPolicyNames) {
+      if (!newPolicyNames.has(policyName)) {
+        operations.push({ kind: "drop_policy", tableName, policyName });
+      }
+    }
+  }
   for (const tableName of sortedOldTableNames) {
     if (!newTableNames.has(tableName)) {
       operations.push({
@@ -774,6 +895,7 @@ function validateSchema(schema) {
     const table = schema.tables[tableName];
     validateTableColumns(tableName, table, schema.tables);
   }
+  validatePolicies(schema);
 }
 function validateDuplicateTables(schema) {
   const tableNames = Object.keys(schema.tables);
@@ -829,10 +951,36 @@ function validateTableColumns(tableName, table, allTables) {
     }
   }
 }
-var VALID_BASE_COLUMN_TYPES;
+function validatePolicies(schema) {
+  for (const tableName in schema.tables) {
+    const table = schema.tables[tableName];
+    if (!table.policies?.length)
+      continue;
+    for (const policy of table.policies) {
+      if (!schema.tables[policy.table]) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": referenced table "${policy.table}" does not exist`);
+      }
+      if (!VALID_POLICY_COMMANDS.includes(policy.command)) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, or delete`);
+      }
+      const hasUsing = policy.using !== void 0 && String(policy.using).trim() !== "";
+      const hasWithCheck = policy.withCheck !== void 0 && String(policy.withCheck).trim() !== "";
+      if (!hasUsing && !hasWithCheck) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": must have at least one of "using" or "with check"`);
+      }
+    }
+  }
+}
+var VALID_POLICY_COMMANDS, VALID_BASE_COLUMN_TYPES;
 var init_validator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/validator.js"() {
     "use strict";
+    VALID_POLICY_COMMANDS = [
+      "select",
+      "insert",
+      "update",
+      "delete"
+    ];
     VALID_BASE_COLUMN_TYPES = [
       "uuid",
       "varchar",
@@ -926,6 +1074,12 @@ function classifyOperation(operation) {
       return "DESTRUCTIVE";
     case "add_primary_key_constraint":
       return "SAFE";
+    case "create_policy":
+      return "SAFE";
+    case "drop_policy":
+      return "DESTRUCTIVE";
+    case "modify_policy":
+      return "WARNING";
     default:
       const _exhaustive = operation;
       return _exhaustive;
@@ -1048,6 +1202,22 @@ function checkOperationSafety(operation) {
         message: "Primary key constraint removed",
         operationKind: operation.kind
       };
+    case "drop_policy":
+      return {
+        safetyLevel,
+        code: "DROP_POLICY",
+        table: operation.tableName,
+        message: "Policy removed",
+        operationKind: operation.kind
+      };
+    case "modify_policy":
+      return {
+        safetyLevel,
+        code: "MODIFY_POLICY",
+        table: operation.tableName,
+        message: "Policy expression changed",
+        operationKind: operation.kind
+      };
     default:
       return null;
   }
@@ -1222,9 +1392,21 @@ async function schemaToState(schema) {
         ...column.foreignKey !== void 0 && { foreignKey: column.foreignKey }
       };
     }
+    let policies;
+    if (table.policies?.length) {
+      policies = {};
+      for (const p of table.policies) {
+        policies[p.name] = {
+          command: p.command,
+          ...p.using !== void 0 && { using: p.using },
+          ...p.withCheck !== void 0 && { withCheck: p.withCheck }
+        };
+      }
+    }
     tables[tableName] = {
       columns,
-      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn }
+      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn },
+      ...policies !== void 0 && { policies }
     };
   }
   return {
@@ -1259,9 +1441,20 @@ var init_state_manager = __esm({
 });
 
 // node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js
+function generateEnableRls(tableName) {
+  return `ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`;
+}
 function generateSql(diff2, provider, sqlConfig) {
   const statements = [];
+  const enabledRlsTables = /* @__PURE__ */ new Set();
   for (const operation of diff2.operations) {
+    if (operation.kind === "create_policy" || operation.kind === "modify_policy") {
+      const tableName = operation.tableName;
+      if (!enabledRlsTables.has(tableName)) {
+        statements.push(generateEnableRls(tableName));
+        enabledRlsTables.add(tableName);
+      }
+    }
     const sql = generateOperation(operation, provider, sqlConfig);
     if (sql) {
       statements.push(sql);
@@ -1291,6 +1484,12 @@ function generateOperation(operation, provider, sqlConfig) {
       return generateDropPrimaryKeyConstraint(operation.tableName);
     case "add_primary_key_constraint":
       return generateAddPrimaryKeyConstraint(operation.tableName, operation.columnName);
+    case "create_policy":
+      return generateCreatePolicy(operation.tableName, operation.policy);
+    case "drop_policy":
+      return generateDropPolicy(operation.tableName, operation.policyName);
+    case "modify_policy":
+      return generateModifyPolicy(operation.tableName, operation.policyName, operation.policy);
   }
 }
 function generateCreateTable(table, provider, sqlConfig) {
@@ -1371,6 +1570,25 @@ function generateAlterColumnNullability(tableName, columnName, toNullable) {
   }
   return `ALTER TABLE ${tableName} ALTER COLUMN ${columnName} SET NOT NULL;`;
 }
+function generateCreatePolicy(tableName, policy) {
+  const command = policy.command.toUpperCase();
+  const parts = [`CREATE POLICY "${policy.name}" ON ${tableName} FOR ${command}`];
+  if (policy.using !== void 0 && policy.using !== "") {
+    parts.push(`USING (${policy.using})`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    parts.push(`WITH CHECK (${policy.withCheck})`);
+  }
+  return parts.join(" ") + ";";
+}
+function generateDropPolicy(tableName, policyName) {
+  return `DROP POLICY "${policyName}" ON ${tableName};`;
+}
+function generateModifyPolicy(tableName, policyName, policy) {
+  const drop = generateDropPolicy(tableName, policyName);
+  const create = generateCreatePolicy(tableName, policy);
+  return drop + "\n\n" + create;
+}
 var init_sql_generator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js"() {
     "use strict";
@@ -2941,13 +3159,9 @@ async function withPostgresQueryExecutor(connectionString, run) {
 
 // src/utils/exitCodes.ts
 var EXIT_CODES = {
-  /** Successful operation */
   SUCCESS: 0,
-  /** Validation error (invalid DSL syntax, config errors, missing files, etc.) */
   VALIDATION_ERROR: 1,
-  /** Drift detected - Reserved for future use when comparing actual DB state vs schema */
   DRIFT_DETECTED: 2,
-  /** Destructive operation detected in CI environment without --force */
   CI_DESTRUCTIVE: 3
 };
 function shouldFailCIDestructive(isCIEnvironment, hasDestructiveFindings2, isForceEnabled) {
@@ -3241,6 +3455,10 @@ function nowTimestamp2() {
 function slugifyName2(name) {
   return name.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "migration";
 }
+function migrationFileName(timestamp, slug, format = "hyphen") {
+  const sep = format === "underscore" ? "_" : "-";
+  return `${timestamp}${sep}${slug}.sql`;
+}
 
 // src/commands/generate.ts
 var REQUIRED_CONFIG_FIELDS = [
@@ -3248,6 +3466,19 @@ var REQUIRED_CONFIG_FIELDS = [
   "stateFile",
   "outputDir"
 ];
+var MIGRATION_FORMATS = ["hyphen", "underscore"];
+function resolveMigrationFormat(cliFormat, configFormat) {
+  if (cliFormat !== void 0 && cliFormat !== "") {
+    const normalized = cliFormat.trim().toLowerCase();
+    if (MIGRATION_FORMATS.includes(normalized)) {
+      return normalized;
+    }
+    throw new Error(
+      `Invalid --migration-format "${cliFormat}". Allowed: ${MIGRATION_FORMATS.join(", ")}.`
+    );
+  }
+  return configFormat ?? "hyphen";
+}
 function resolveConfigPath3(root, targetPath) {
   return import_path9.default.isAbsolute(targetPath) ? targetPath : import_path9.default.join(root, targetPath);
 }
@@ -3328,7 +3559,11 @@ Remove --safe flag or modify schema to avoid destructive changes.`
   const sql = await generateSql2(diff2, provider, config.sql);
   const timestamp = nowTimestamp2();
   const slug = slugifyName2(options.name ?? "migration");
-  const fileName = `${timestamp}-${slug}.sql`;
+  const format = resolveMigrationFormat(
+    options.migrationFormat,
+    config.migrationFileNameFormat
+  );
+  const fileName = migrationFileName(timestamp, slug, format);
   await ensureDir(outputDir);
   const migrationPath = import_path9.default.join(outputDir, fileName);
   await writeTextFile(migrationPath, sql + "\n");
@@ -3464,6 +3699,9 @@ table users {
       timestampDefault: "now()"
     }
   };
+  if (provider === "supabase") {
+    config.migrationFileNameFormat = "hyphen";
+  }
   await writeJsonFile(configPath, config);
   success(`Created ${configPath}`);
   const state = {

package/dist/cli.js

@@ -34,6 +34,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 function parseSchema(source) {
   const lines = source.split("\n");
   const tables = {};
+  const policyList = [];
   let currentLine = 0;
   const validBaseColumnTypes = /* @__PURE__ */ new Set([
     "uuid",
@@ -258,6 +259,67 @@ function parseSchema(source) {
     }
     return column;
   }
+  function parsePolicyBlock(startLine) {
+    const firstLine = cleanLine(lines[startLine]);
+    const declMatch = firstLine.match(/^policy\s+"([^"]*)"\s+on\s+(\w+)\s*$/);
+    if (!declMatch) {
+      throw new Error(`Line ${startLine + 1}: Invalid policy declaration. Expected: policy "<name>" on <table>`);
+    }
+    const policyName = declMatch[1];
+    const tableIdent = declMatch[2];
+    validateIdentifier(tableIdent, startLine + 1, "table");
+    let command;
+    let using;
+    let withCheck;
+    let lineIdx = startLine + 1;
+    while (lineIdx < lines.length) {
+      const cleaned = cleanLine(lines[lineIdx]);
+      if (!cleaned) {
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("for ")) {
+        const cmd = cleaned.slice(4).trim().toLowerCase();
+        if (!POLICY_COMMANDS.includes(cmd)) {
+          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, or delete`);
+        }
+        if (command !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'for' in policy`);
+        }
+        command = cmd;
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("using ")) {
+        if (using !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'using' in policy`);
+        }
+        using = cleaned.slice(6).trim();
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("with check ")) {
+        if (withCheck !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'with check' in policy`);
+        }
+        withCheck = cleaned.slice(11).trim();
+        lineIdx++;
+        continue;
+      }
+      break;
+    }
+    if (command === void 0) {
+      throw new Error(`Line ${startLine + 1}: Policy is missing 'for <command>'`);
+    }
+    const policy = {
+      name: policyName,
+      table: tableIdent,
+      command,
+      ...using !== void 0 && { using },
+      ...withCheck !== void 0 && { withCheck }
+    };
+    return { policy, nextLineIndex: lineIdx };
+  }
   function parseTableBlock(startLine) {
     const firstLine = cleanLine(lines[startLine]);
     const match = firstLine.match(/^table\s+(\w+)\s*\{\s*$/);
@@ -301,6 +363,7 @@ function parseSchema(source) {
     };
     return lineIdx;
   }
+  const policyDeclRegex = /^policy\s+"([^"]*)"\s+on\s+\w+/;
   while (currentLine < lines.length) {
     const cleaned = cleanLine(lines[currentLine]);
     if (!cleaned) {
@@ -309,16 +372,31 @@ function parseSchema(source) {
     }
     if (cleaned.startsWith("table ")) {
       currentLine = parseTableBlock(currentLine);
+      currentLine++;
+    } else if (policyDeclRegex.test(cleaned)) {
+      const { policy, nextLineIndex } = parsePolicyBlock(currentLine);
+      policyList.push({ policy, startLine: currentLine + 1 });
+      currentLine = nextLineIndex;
     } else {
-      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table definition.`);
+      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table or policy definition.`);
+    }
+  }
+  for (const { policy, startLine } of policyList) {
+    if (!tables[policy.table]) {
+      throw new Error(`Line ${startLine}: Policy "${policy.name}" references undefined table "${policy.table}"`);
+    }
+    if (!tables[policy.table].policies) {
+      tables[policy.table].policies = [];
     }
-    currentLine++;
+    tables[policy.table].policies.push(policy);
   }
   return { tables };
 }
+var POLICY_COMMANDS;
 var init_parser = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/parser.js"() {
     "use strict";
+    POLICY_COMMANDS = ["select", "insert", "update", "delete"];
   }
 });
 
@@ -498,6 +576,18 @@ function resolveSchemaPrimaryKey(table) {
 function normalizeNullable(nullable) {
   return nullable ?? true;
 }
+function normalizePolicyExpression(s) {
+  return (s ?? "").trim().replace(/\s+/g, " ");
+}
+function policyEquals(oldP, newP) {
+  if (oldP.command !== newP.command)
+    return false;
+  if (normalizePolicyExpression(oldP.using) !== normalizePolicyExpression(newP.using))
+    return false;
+  if (normalizePolicyExpression(oldP.withCheck) !== normalizePolicyExpression(newP.withCheck))
+    return false;
+  return true;
+}
 function diffSchemas(oldState, newSchema) {
   const operations = [];
   const oldTableNames = getTableNamesFromState(oldState);
@@ -674,6 +764,37 @@ function diffSchemas(oldState, newSchema) {
       }
     }
   }
+  const oldPolicyNamesByTable = (t) => new Set(Object.keys(t.policies ?? {}));
+  const newPolicyListByTable = (t) => t.policies ?? [];
+  for (const tableName of commonTableNames) {
+    const newTable = newSchema.tables[tableName];
+    const oldTable = oldState.tables[tableName];
+    if (!newTable || !oldTable)
+      continue;
+    const oldPolicyNames = oldPolicyNamesByTable(oldTable);
+    const newPolicies = newPolicyListByTable(newTable);
+    const newPolicyNames = new Set(newPolicies.map((p) => p.name));
+    const sortedNewPolicyNames = Array.from(newPolicyNames).sort((a, b) => a.localeCompare(b));
+    const sortedOldPolicyNames = Array.from(oldPolicyNames).sort((a, b) => a.localeCompare(b));
+    for (const policyName of sortedNewPolicyNames) {
+      const policy = newPolicies.find((p) => p.name === policyName);
+      if (!policy)
+        continue;
+      if (!oldPolicyNames.has(policyName)) {
+        operations.push({ kind: "create_policy", tableName, policy });
+      } else {
+        const oldP = oldTable.policies?.[policyName];
+        if (oldP && !policyEquals(oldP, policy)) {
+          operations.push({ kind: "modify_policy", tableName, policyName, policy });
+        }
+      }
+    }
+    for (const policyName of sortedOldPolicyNames) {
+      if (!newPolicyNames.has(policyName)) {
+        operations.push({ kind: "drop_policy", tableName, policyName });
+      }
+    }
+  }
   for (const tableName of sortedOldTableNames) {
     if (!newTableNames.has(tableName)) {
       operations.push({
@@ -774,6 +895,7 @@ function validateSchema(schema) {
     const table = schema.tables[tableName];
     validateTableColumns(tableName, table, schema.tables);
   }
+  validatePolicies(schema);
 }
 function validateDuplicateTables(schema) {
   const tableNames = Object.keys(schema.tables);
@@ -829,10 +951,36 @@ function validateTableColumns(tableName, table, allTables) {
     }
   }
 }
-var VALID_BASE_COLUMN_TYPES;
+function validatePolicies(schema) {
+  for (const tableName in schema.tables) {
+    const table = schema.tables[tableName];
+    if (!table.policies?.length)
+      continue;
+    for (const policy of table.policies) {
+      if (!schema.tables[policy.table]) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": referenced table "${policy.table}" does not exist`);
+      }
+      if (!VALID_POLICY_COMMANDS.includes(policy.command)) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, or delete`);
+      }
+      const hasUsing = policy.using !== void 0 && String(policy.using).trim() !== "";
+      const hasWithCheck = policy.withCheck !== void 0 && String(policy.withCheck).trim() !== "";
+      if (!hasUsing && !hasWithCheck) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": must have at least one of "using" or "with check"`);
+      }
+    }
+  }
+}
+var VALID_POLICY_COMMANDS, VALID_BASE_COLUMN_TYPES;
 var init_validator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/validator.js"() {
     "use strict";
+    VALID_POLICY_COMMANDS = [
+      "select",
+      "insert",
+      "update",
+      "delete"
+    ];
     VALID_BASE_COLUMN_TYPES = [
       "uuid",
       "varchar",
@@ -926,6 +1074,12 @@ function classifyOperation(operation) {
       return "DESTRUCTIVE";
     case "add_primary_key_constraint":
       return "SAFE";
+    case "create_policy":
+      return "SAFE";
+    case "drop_policy":
+      return "DESTRUCTIVE";
+    case "modify_policy":
+      return "WARNING";
     default:
       const _exhaustive = operation;
       return _exhaustive;
@@ -1048,6 +1202,22 @@ function checkOperationSafety(operation) {
         message: "Primary key constraint removed",
         operationKind: operation.kind
       };
+    case "drop_policy":
+      return {
+        safetyLevel,
+        code: "DROP_POLICY",
+        table: operation.tableName,
+        message: "Policy removed",
+        operationKind: operation.kind
+      };
+    case "modify_policy":
+      return {
+        safetyLevel,
+        code: "MODIFY_POLICY",
+        table: operation.tableName,
+        message: "Policy expression changed",
+        operationKind: operation.kind
+      };
     default:
       return null;
   }
@@ -1130,14 +1300,14 @@ var init_validate = __esm({
 // node_modules/@xubylele/schema-forge-core/dist/core/fs.js
 async function ensureDir2(dirPath) {
   try {
-    await import_fs2.promises.mkdir(dirPath, { recursive: true });
+    await import_fs3.promises.mkdir(dirPath, { recursive: true });
   } catch (error2) {
     throw new Error(`Failed to create directory ${dirPath}: ${error2}`);
   }
 }
 async function fileExists2(filePath) {
   try {
-    await import_fs2.promises.access(filePath);
+    await import_fs3.promises.access(filePath);
     return true;
   } catch {
     return false;
@@ -1145,7 +1315,7 @@ async function fileExists2(filePath) {
 }
 async function readTextFile2(filePath) {
   try {
-    return await import_fs2.promises.readFile(filePath, "utf-8");
+    return await import_fs3.promises.readFile(filePath, "utf-8");
   } catch (error2) {
     throw new Error(`Failed to read file ${filePath}: ${error2}`);
   }
@@ -1154,7 +1324,7 @@ async function writeTextFile2(filePath, content) {
   try {
     const dir = import_path3.default.dirname(filePath);
     await ensureDir2(dir);
-    await import_fs2.promises.writeFile(filePath, content, "utf-8");
+    await import_fs3.promises.writeFile(filePath, content, "utf-8");
   } catch (error2) {
     throw new Error(`Failed to write file ${filePath}: ${error2}`);
   }
@@ -1182,7 +1352,7 @@ async function writeJsonFile2(filePath, data) {
 async function findFiles(dirPath, pattern) {
   const results = [];
   try {
-    const items = await import_fs2.promises.readdir(dirPath, { withFileTypes: true });
+    const items = await import_fs3.promises.readdir(dirPath, { withFileTypes: true });
     for (const item of items) {
       const fullPath = import_path3.default.join(dirPath, item.name);
       if (item.isDirectory()) {
@@ -1197,11 +1367,11 @@ async function findFiles(dirPath, pattern) {
   }
   return results;
 }
-var import_fs2, import_path3;
+var import_fs3, import_path3;
 var init_fs = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/fs.js"() {
     "use strict";
-    import_fs2 = require("fs");
+    import_fs3 = require("fs");
     import_path3 = __toESM(require("path"), 1);
   }
 });
@@ -1222,9 +1392,21 @@ async function schemaToState(schema) {
         ...column.foreignKey !== void 0 && { foreignKey: column.foreignKey }
       };
     }
+    let policies;
+    if (table.policies?.length) {
+      policies = {};
+      for (const p of table.policies) {
+        policies[p.name] = {
+          command: p.command,
+          ...p.using !== void 0 && { using: p.using },
+          ...p.withCheck !== void 0 && { withCheck: p.withCheck }
+        };
+      }
+    }
     tables[tableName] = {
       columns,
-      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn }
+      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn },
+      ...policies !== void 0 && { policies }
     };
   }
   return {
@@ -1259,9 +1441,20 @@ var init_state_manager = __esm({
 });
 
 // node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js
+function generateEnableRls(tableName) {
+  return `ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`;
+}
 function generateSql(diff, provider, sqlConfig) {
   const statements = [];
+  const enabledRlsTables = /* @__PURE__ */ new Set();
   for (const operation of diff.operations) {
+    if (operation.kind === "create_policy" || operation.kind === "modify_policy") {
+      const tableName = operation.tableName;
+      if (!enabledRlsTables.has(tableName)) {
+        statements.push(generateEnableRls(tableName));
+        enabledRlsTables.add(tableName);
+      }
+    }
     const sql = generateOperation(operation, provider, sqlConfig);
     if (sql) {
       statements.push(sql);
@@ -1291,6 +1484,12 @@ function generateOperation(operation, provider, sqlConfig) {
       return generateDropPrimaryKeyConstraint(operation.tableName);
     case "add_primary_key_constraint":
       return generateAddPrimaryKeyConstraint(operation.tableName, operation.columnName);
+    case "create_policy":
+      return generateCreatePolicy(operation.tableName, operation.policy);
+    case "drop_policy":
+      return generateDropPolicy(operation.tableName, operation.policyName);
+    case "modify_policy":
+      return generateModifyPolicy(operation.tableName, operation.policyName, operation.policy);
   }
 }
 function generateCreateTable(table, provider, sqlConfig) {
@@ -1371,6 +1570,25 @@ function generateAlterColumnNullability(tableName, columnName, toNullable) {
   }
   return `ALTER TABLE ${tableName} ALTER COLUMN ${columnName} SET NOT NULL;`;
 }
+function generateCreatePolicy(tableName, policy) {
+  const command = policy.command.toUpperCase();
+  const parts = [`CREATE POLICY "${policy.name}" ON ${tableName} FOR ${command}`];
+  if (policy.using !== void 0 && policy.using !== "") {
+    parts.push(`USING (${policy.using})`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    parts.push(`WITH CHECK (${policy.withCheck})`);
+  }
+  return parts.join(" ") + ";";
+}
+function generateDropPolicy(tableName, policyName) {
+  return `DROP POLICY "${policyName}" ON ${tableName};`;
+}
+function generateModifyPolicy(tableName, policyName, policy) {
+  const drop = generateDropPolicy(tableName, policyName);
+  const create = generateCreatePolicy(tableName, policy);
+  return drop + "\n\n" + create;
+}
 var init_sql_generator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js"() {
     "use strict";
@@ -2204,7 +2422,7 @@ var init_schema_to_dsl = __esm({
 
 // node_modules/@xubylele/schema-forge-core/dist/core/sql/load-migrations.js
 async function loadMigrationSqlInput(inputPath) {
-  const stats = await import_fs4.promises.stat(inputPath);
+  const stats = await import_fs5.promises.stat(inputPath);
   if (stats.isFile()) {
     if (!inputPath.toLowerCase().endsWith(".sql")) {
       throw new Error(`Input file must be a .sql file: ${inputPath}`);
@@ -2225,11 +2443,11 @@ async function loadMigrationSqlInput(inputPath) {
   }
   return result;
 }
-var import_fs4, import_path5;
+var import_fs5, import_path5;
 var init_load_migrations = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/sql/load-migrations.js"() {
     "use strict";
-    import_fs4 = require("fs");
+    import_fs5 = require("fs");
     import_path5 = __toESM(require("path"), 1);
     init_fs();
   }
@@ -2733,7 +2951,7 @@ var import_commander8 = require("commander");
 // package.json
 var package_default = {
   name: "@xubylele/schema-forge",
-  version: "1.10.1",
+  version: "1.12.0",
   description: "Universal migration generator from schema DSL",
   main: "dist/cli.js",
   type: "commonjs",
@@ -2787,13 +3005,14 @@ var package_default = {
     boxen: "^8.0.1",
     chalk: "^5.6.2",
     commander: "^14.0.3",
-    pg: "^8.19.0"
+    pg: "^8.19.0",
+    "update-notifier": "^7.3.1"
   },
   devDependencies: {
     "@changesets/cli": "^2.30.0",
     "@types/node": "^25.2.3",
     "@types/pg": "^8.18.0",
-    "@xubylele/schema-forge-core": "^1.3.1",
+    "@xubylele/schema-forge-core": "^1.4.0",
     testcontainers: "^11.8.1",
     "ts-node": "^10.9.2",
     tsup: "^8.5.1",
@@ -2802,10 +3021,6 @@ var package_default = {
   }
 };
 
-// src/commands/diff.ts
-var import_commander = require("commander");
-var import_path7 = __toESM(require("path"));
-
 // src/core/fs.ts
 var import_fs = require("fs");
 var import_path = __toESM(require("path"));
@@ -2884,6 +3099,91 @@ function getStatePath(root, config) {
   return import_path2.default.join(schemaForgeDir, fileName);
 }
 
+// src/utils/exitCodes.ts
+var EXIT_CODES = {
+  SUCCESS: 0,
+  VALIDATION_ERROR: 1,
+  DRIFT_DETECTED: 2,
+  CI_DESTRUCTIVE: 3
+};
+function shouldFailCIDestructive(isCIEnvironment, hasDestructiveFindings2, isForceEnabled) {
+  return isCIEnvironment && hasDestructiveFindings2 && !isForceEnabled;
+}
+
+// src/utils/output.ts
+var import_boxen = __toESM(require("boxen"));
+var import_chalk = require("chalk");
+var isInteractive = Boolean(process.stdout?.isTTY);
+var colorsEnabled = isInteractive && process.env.FORCE_COLOR !== "0" && !("NO_COLOR" in process.env);
+var color = new import_chalk.Chalk({ level: colorsEnabled ? 3 : 0 });
+var theme = {
+  primary: color.cyanBright,
+  success: color.hex("#00FF88"),
+  warning: color.hex("#FFD166"),
+  error: color.hex("#EF476F"),
+  accent: color.magentaBright
+};
+function success(message) {
+  const text = theme.success(`[OK] ${message}`);
+  if (!isInteractive) {
+    console.log(text);
+    return;
+  }
+  try {
+    console.log(
+      (0, import_boxen.default)(text, {
+        padding: 1,
+        borderColor: "cyan",
+        borderStyle: "round"
+      })
+    );
+  } catch {
+    console.log(text);
+  }
+}
+function info(message) {
+  console.log(theme.primary(message));
+}
+function warning(message) {
+  console.warn(theme.warning(`[WARN] ${message}`));
+}
+function error(message) {
+  console.error(theme.error(`[ERROR] ${message}`));
+}
+function forceWarning(message) {
+  console.error(theme.warning(`[FORCE] ${message}`));
+}
+
+// src/commands/config.ts
+var MIGRATION_FORMATS = ["hyphen", "underscore"];
+async function runConfig(options) {
+  const root = getProjectRoot();
+  const configPath = getConfigPath(root);
+  if (!await fileExists(configPath)) {
+    throw new Error('SchemaForge project not initialized. Run "schema-forge init" first.');
+  }
+  const config = await readJsonFile(configPath, {});
+  if (options.migrationFormat !== void 0) {
+    const format = options.migrationFormat.trim().toLowerCase();
+    if (!MIGRATION_FORMATS.includes(format)) {
+      throw new Error(
+        `Invalid migration format "${options.migrationFormat}". Allowed: ${MIGRATION_FORMATS.join(", ")}.`
+      );
+    }
+    config.migrationFileNameFormat = format;
+  }
+  await writeJsonFile(configPath, config);
+  success(`Updated ${configPath}`);
+  if (options.migrationFormat !== void 0) {
+    success(`migrationFileNameFormat set to "${config.migrationFileNameFormat}" (${config.migrationFileNameFormat === "hyphen" ? "timestamp-name.sql" : "timestamp_name.sql"})`);
+  }
+  process.exitCode = EXIT_CODES.SUCCESS;
+}
+
+// src/commands/diff.ts
+var import_commander = require("commander");
+var import_path7 = __toESM(require("path"));
+
 // src/core/provider.ts
 var DEFAULT_PROVIDER = "postgres";
 function resolveProvider(provider) {
@@ -3004,65 +3304,6 @@ async function withPostgresQueryExecutor(connectionString, run) {
   }
 }
 
-// src/utils/exitCodes.ts
-var EXIT_CODES = {
-  /** Successful operation */
-  SUCCESS: 0,
-  /** Validation error (invalid DSL syntax, config errors, missing files, etc.) */
-  VALIDATION_ERROR: 1,
-  /** Drift detected - Reserved for future use when comparing actual DB state vs schema */
-  DRIFT_DETECTED: 2,
-  /** Destructive operation detected in CI environment without --force */
-  CI_DESTRUCTIVE: 3
-};
-function shouldFailCIDestructive(isCIEnvironment, hasDestructiveFindings2, isForceEnabled) {
-  return isCIEnvironment && hasDestructiveFindings2 && !isForceEnabled;
-}
-
-// src/utils/output.ts
-var import_boxen = __toESM(require("boxen"));
-var import_chalk = require("chalk");
-var isInteractive = Boolean(process.stdout?.isTTY);
-var colorsEnabled = isInteractive && process.env.FORCE_COLOR !== "0" && !("NO_COLOR" in process.env);
-var color = new import_chalk.Chalk({ level: colorsEnabled ? 3 : 0 });
-var theme = {
-  primary: color.cyanBright,
-  success: color.hex("#00FF88"),
-  warning: color.hex("#FFD166"),
-  error: color.hex("#EF476F"),
-  accent: color.magentaBright
-};
-function success(message) {
-  const text = theme.success(`[OK] ${message}`);
-  if (!isInteractive) {
-    console.log(text);
-    return;
-  }
-  try {
-    console.log(
-      (0, import_boxen.default)(text, {
-        padding: 1,
-        borderColor: "cyan",
-        borderStyle: "round"
-      })
-    );
-  } catch {
-    console.log(text);
-  }
-}
-function info(message) {
-  console.log(theme.primary(message));
-}
-function warning(message) {
-  console.warn(theme.warning(`[WARN] ${message}`));
-}
-function error(message) {
-  console.error(theme.error(`[ERROR] ${message}`));
-}
-function forceWarning(message) {
-  console.error(theme.warning(`[FORCE] ${message}`));
-}
-
 // src/utils/prompt.ts
 var import_node_readline = __toESM(require("readline"));
 function isCI() {
@@ -3306,6 +3547,10 @@ function nowTimestamp2() {
 function slugifyName2(name) {
   return name.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "migration";
 }
+function migrationFileName(timestamp, slug, format = "hyphen") {
+  const sep = format === "underscore" ? "_" : "-";
+  return `${timestamp}${sep}${slug}.sql`;
+}
 
 // src/commands/generate.ts
 var REQUIRED_CONFIG_FIELDS = [
@@ -3313,6 +3558,19 @@ var REQUIRED_CONFIG_FIELDS = [
   "stateFile",
   "outputDir"
 ];
+var MIGRATION_FORMATS2 = ["hyphen", "underscore"];
+function resolveMigrationFormat(cliFormat, configFormat) {
+  if (cliFormat !== void 0 && cliFormat !== "") {
+    const normalized = cliFormat.trim().toLowerCase();
+    if (MIGRATION_FORMATS2.includes(normalized)) {
+      return normalized;
+    }
+    throw new Error(
+      `Invalid --migration-format "${cliFormat}". Allowed: ${MIGRATION_FORMATS2.join(", ")}.`
+    );
+  }
+  return configFormat ?? "hyphen";
+}
 function resolveConfigPath3(root, targetPath) {
   return import_path9.default.isAbsolute(targetPath) ? targetPath : import_path9.default.join(root, targetPath);
 }
@@ -3393,7 +3651,11 @@ Remove --safe flag or modify schema to avoid destructive changes.`
   const sql = await generateSql2(diff, provider, config.sql);
   const timestamp = nowTimestamp2();
   const slug = slugifyName2(options.name ?? "migration");
-  const fileName = `${timestamp}-${slug}.sql`;
+  const format = resolveMigrationFormat(
+    options.migrationFormat,
+    config.migrationFileNameFormat
+  );
+  const fileName = migrationFileName(timestamp, slug, format);
   await ensureDir(outputDir);
   const migrationPath = import_path9.default.join(outputDir, fileName);
   await writeTextFile(migrationPath, sql + "\n");
@@ -3529,6 +3791,9 @@ table users {
       timestampDefault: "now()"
     }
   };
+  if (provider === "supabase") {
+    config.migrationFileNameFormat = "hyphen";
+  }
   await writeJsonFile(configPath, config);
   success(`Created ${configPath}`);
   const state = {
@@ -3689,6 +3954,35 @@ function getCliMetaPath() {
 function getReleaseUrl(version) {
   return `https://github.com/xubylele/schema-forge/releases/tag/v${version}`;
 }
+function extractChangelogSection(changelogText, version) {
+  const heading = `## ${version}`;
+  const idx = changelogText.indexOf(heading);
+  if (idx === -1) {
+    return null;
+  }
+  const start = idx + heading.length;
+  const rest = changelogText.slice(start);
+  const nextHeading = rest.indexOf("\n## ");
+  const section = nextHeading === -1 ? rest : rest.slice(0, nextHeading);
+  return section.trim() || null;
+}
+async function fetchChangelogForVersion(version) {
+  const urls = [
+    `https://raw.githubusercontent.com/xubylele/schema-forge/v${version}/CHANGELOG.md`,
+    "https://raw.githubusercontent.com/xubylele/schema-forge/main/CHANGELOG.md"
+  ];
+  for (const url of urls) {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
+      if (!res.ok) continue;
+      const text = await res.text();
+      const section = extractChangelogSection(text, version);
+      if (section) return section;
+    } catch {
+    }
+  }
+  return null;
+}
 function shouldShowWhatsNew(argv) {
   if (argv.length === 0) {
     return false;
@@ -3708,7 +4002,14 @@ async function showWhatsNewIfUpdated(currentVersion, argv) {
     if (meta.lastSeenVersion === currentVersion) {
       return;
     }
-    info(`What's new in schema-forge v${currentVersion}: ${getReleaseUrl(currentVersion)}`);
+    const section = await fetchChangelogForVersion(currentVersion);
+    if (section) {
+      info(`What's new in schema-forge v${currentVersion}:`);
+      info(section);
+      info(`Release: ${getReleaseUrl(currentVersion)}`);
+    } else {
+      info(`What's new in schema-forge v${currentVersion}: ${getReleaseUrl(currentVersion)}`);
+    }
     await writeJsonFile(metaPath, { lastSeenVersion: currentVersion });
   } catch {
   }
@@ -3752,7 +4053,7 @@ program.command("init").description(
     await handleError(error2);
   }
 });
-program.command("generate").description("Generate SQL from schema files. In CI environments (CI=true), exits with code 3 if destructive operations are detected unless --force is used.").option("--name <string>", "Schema name to generate").action(async (options) => {
+program.command("generate").description("Generate SQL from schema files. In CI environments (CI=true), exits with code 3 if destructive operations are detected unless --force is used.").option("--name <string>", "Schema name to generate").option("--migration-format <format>", "Migration file name: hyphen (timestamp-name.sql) or underscore (timestamp_name.sql, Supabase CLI style)").action(async (options) => {
   try {
     const globalOptions = program.opts();
     validateFlagExclusivity(globalOptions);
@@ -3791,6 +4092,13 @@ program.command("import").description("Import schema from SQL migrations").argum
     await handleError(error2);
   }
 });
+program.command("config").description("Update schemaforge/config.json settings").command("migration-format <format>").description("Set migration file name format: hyphen (timestamp-name.sql) or underscore (timestamp_name.sql)").action(async (format) => {
+  try {
+    await runConfig({ migrationFormat: format });
+  } catch (error2) {
+    await handleError(error2);
+  }
+});
 program.command("validate").description("Detect destructive or risky schema changes. In CI environments (CI=true), exits with code 3 if destructive operations are detected unless --force is used.").option("--json", "Output structured JSON").option("--url <string>", "PostgreSQL connection URL for live drift validation (defaults to DATABASE_URL)").option("--schema <list>", "Comma-separated schema names to introspect (default: public)").action(async (options) => {
   try {
     const globalOptions = program.opts();
@@ -3800,10 +4108,21 @@ program.command("validate").description("Detect destructive or risky schema chan
     await handleError(error2);
   }
 });
+function shouldCheckForUpdate(argv) {
+  if (process.env.CI === "true") {
+    return false;
+  }
+  const onlyHelpOrVersion = argv.length === 0 || argv.length === 1 && ["--help", "-h", "--version", "-V"].includes(argv[0]);
+  return !onlyHelpOrVersion;
+}
 async function main() {
   const argv = process.argv.slice(2);
   await seedLastSeenVersion(package_default.version);
   await showWhatsNewIfUpdated(package_default.version, argv);
+  if (shouldCheckForUpdate(argv)) {
+    import("update-notifier").then((m) => m.default({ pkg: package_default, shouldNotifyInNpmScript: false }).notify()).catch(() => {
+    });
+  }
   program.parse(process.argv);
   if (!argv.length) {
     program.outputHelp();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xubylele/schema-forge",
-  "version": "1.10.1",
+  "version": "1.12.0",
   "description": "Universal migration generator from schema DSL",
   "main": "dist/cli.js",
   "type": "commonjs",
@@ -54,13 +54,14 @@
     "boxen": "^8.0.1",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
-    "pg": "^8.19.0"
+    "pg": "^8.19.0",
+    "update-notifier": "^7.3.1"
   },
   "devDependencies": {
     "@changesets/cli": "^2.30.0",
     "@types/node": "^25.2.3",
     "@types/pg": "^8.18.0",
-    "@xubylele/schema-forge-core": "^1.3.1",
+    "@xubylele/schema-forge-core": "^1.4.0",
     "testcontainers": "^11.8.1",
     "ts-node": "^10.9.2",
     "tsup": "^8.5.1",