@xubylele/schema-forge 1.11.0 → 1.12.0

package/README.md

@@ -14,6 +14,7 @@ A modern CLI tool for database schema management with a clean DSL and automatic
 - **Postgres/Supabase** - Currently supports PostgreSQL and Supabase
 - **Constraint Diffing** - Detects UNIQUE and PRIMARY KEY changes with deterministic constraint names
 - **Live PostgreSQL Introspection** - Extract normalized schema directly from `information_schema`
+- **Policy (RLS) support** - Define Row Level Security policies in the DSL; invalid policies produce clear CLI errors during validation
 
 ## Installation
 
@@ -324,6 +325,7 @@ Live `--json` output returns a structured `DriftReport`:
 
 Validation checks include:
 
+- **Policy validation** – Each policy must reference an existing table, use a valid command (`select` / `insert` / `update` / `delete`), and have at least one of `using` or `with check`. Invalid policies cause validation to fail with a clear error (exit code 1).
 - Dropped tables (`DROP_TABLE`, error)
 - Dropped columns (`DROP_COLUMN`, error)
 - Column type changes (`ALTER_COLUMN_TYPE`, warning/error based on compatibility heuristics)
@@ -566,6 +568,26 @@ table table_name {
 - `default <value>` - Default value (e.g., `default now()`, `default false`, `default 0`)
 - `fk <table>.<column>` - Foreign key reference (e.g., `fk users.id`)
 
+### Policies (RLS)
+
+Row Level Security policies are declared at the top level (the table must be defined first). Each policy must have a `for` command and at least one of `using` or `with check`.
+
+```sql
+table users {
+  id uuid pk
+  email text unique
+}
+
+policy "Users can read themselves" on users
+for select
+using auth.uid() = id
+```
+
+- **First line:** `policy "<name>" on <table>`
+- **Continuation:** `for <command>` (required; one of `select`, `insert`, `update`, `delete`), optional `using <expr>`, optional `with check <expr>`
+
+Invalid policies (missing table, invalid command, or no expressions) fail `schema-forge validate` with a clear error message.
+
 ### Examples
 
 #### Simple table

package/dist/api.d.ts

@@ -11,14 +11,12 @@ interface DoctorOptions {
     schema?: string;
 }
 
-/** Migration file name format: hyphen (timestamp-name.sql) or underscore (timestamp_name.sql, Supabase CLI style). */
 type MigrationFileNameFormat = 'hyphen' | 'underscore';
 
 interface GenerateOptions {
     name?: string;
     safe?: boolean;
     force?: boolean;
-    /** Override migration file name format: hyphen (timestamp-name.sql) or underscore (timestamp_name.sql). */
     migrationFormat?: MigrationFileNameFormat;
 }
 
@@ -44,69 +42,22 @@ interface ValidateOptions {
     force?: boolean;
 }
 
-/**
- * Exit codes used throughout the CLI for deterministic behavior
- *
- * @see SF-106 Standardize Exit Codes
- */
 declare const EXIT_CODES: {
-    /** Successful operation */
     readonly SUCCESS: 0;
-    /** Validation error (invalid DSL syntax, config errors, missing files, etc.) */
     readonly VALIDATION_ERROR: 1;
-    /** Drift detected - Reserved for future use when comparing actual DB state vs schema */
     readonly DRIFT_DETECTED: 2;
-    /** Destructive operation detected in CI environment without --force */
     readonly CI_DESTRUCTIVE: 3;
 };
 
-/**
- * Programmatic API for Schema Forge.
- * Use this entrypoint when integrating from Node (e.g. scripts, GitHub Actions)
- * instead of invoking the CLI via shell.
- *
- * @example
- * const { generate, EXIT_CODES } = require('@xubylele/schema-forge/api');
- * const result = await generate({ name: 'MyMigration' });
- * if (result.exitCode !== EXIT_CODES.SUCCESS) process.exit(result.exitCode);
- */
-
-/**
- * Result of a programmatic command run. Exit codes match the CLI contract.
- * @see docs/exit-codes.json
- */
 interface RunResult {
     exitCode: number;
 }
-/**
- * Initialize a new schema project in the current directory.
- * @param options.provider - Database provider: 'postgres' (default) or 'supabase'. Supabase uses supabase/migrations for output.
- */
 declare function init(options?: InitOptions): Promise<RunResult>;
-/**
- * Generate SQL migration from schema files.
- */
 declare function generate(options?: GenerateOptions): Promise<RunResult>;
-/**
- * Compare two schema versions and generate migration SQL (optionally against live DB).
- */
 declare function diff(options?: DiffOptions): Promise<RunResult>;
-/**
- * Check live database drift against state.
- */
 declare function doctor(options?: DoctorOptions): Promise<RunResult>;
-/**
- * Validate schema and optionally check for destructive changes or live drift.
- */
 declare function validate(options?: ValidateOptions): Promise<RunResult>;
-/**
- * Extract normalized live schema from PostgreSQL.
- */
 declare function introspect(options?: IntrospectOptions): Promise<RunResult>;
-/**
- * Import schema from SQL migrations.
- * @param inputPath - Path to .sql file or migrations directory
- */
 declare function importSchema(inputPath: string, options?: ImportOptions): Promise<RunResult>;
 
 export { type DiffOptions, type DoctorOptions, EXIT_CODES, type GenerateOptions, type ImportOptions, type InitOptions, type IntrospectOptions, type RunResult, type ValidateOptions, diff, doctor, generate, importSchema, init, introspect, validate };

package/dist/api.js

@@ -34,6 +34,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 function parseSchema(source) {
   const lines = source.split("\n");
   const tables = {};
+  const policyList = [];
   let currentLine = 0;
   const validBaseColumnTypes = /* @__PURE__ */ new Set([
     "uuid",
@@ -258,6 +259,67 @@ function parseSchema(source) {
     }
     return column;
   }
+  function parsePolicyBlock(startLine) {
+    const firstLine = cleanLine(lines[startLine]);
+    const declMatch = firstLine.match(/^policy\s+"([^"]*)"\s+on\s+(\w+)\s*$/);
+    if (!declMatch) {
+      throw new Error(`Line ${startLine + 1}: Invalid policy declaration. Expected: policy "<name>" on <table>`);
+    }
+    const policyName = declMatch[1];
+    const tableIdent = declMatch[2];
+    validateIdentifier(tableIdent, startLine + 1, "table");
+    let command;
+    let using;
+    let withCheck;
+    let lineIdx = startLine + 1;
+    while (lineIdx < lines.length) {
+      const cleaned = cleanLine(lines[lineIdx]);
+      if (!cleaned) {
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("for ")) {
+        const cmd = cleaned.slice(4).trim().toLowerCase();
+        if (!POLICY_COMMANDS.includes(cmd)) {
+          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, or delete`);
+        }
+        if (command !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'for' in policy`);
+        }
+        command = cmd;
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("using ")) {
+        if (using !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'using' in policy`);
+        }
+        using = cleaned.slice(6).trim();
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("with check ")) {
+        if (withCheck !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'with check' in policy`);
+        }
+        withCheck = cleaned.slice(11).trim();
+        lineIdx++;
+        continue;
+      }
+      break;
+    }
+    if (command === void 0) {
+      throw new Error(`Line ${startLine + 1}: Policy is missing 'for <command>'`);
+    }
+    const policy = {
+      name: policyName,
+      table: tableIdent,
+      command,
+      ...using !== void 0 && { using },
+      ...withCheck !== void 0 && { withCheck }
+    };
+    return { policy, nextLineIndex: lineIdx };
+  }
   function parseTableBlock(startLine) {
     const firstLine = cleanLine(lines[startLine]);
     const match = firstLine.match(/^table\s+(\w+)\s*\{\s*$/);
@@ -301,6 +363,7 @@ function parseSchema(source) {
     };
     return lineIdx;
   }
+  const policyDeclRegex = /^policy\s+"([^"]*)"\s+on\s+\w+/;
   while (currentLine < lines.length) {
     const cleaned = cleanLine(lines[currentLine]);
     if (!cleaned) {
@@ -309,16 +372,31 @@ function parseSchema(source) {
     }
     if (cleaned.startsWith("table ")) {
       currentLine = parseTableBlock(currentLine);
+      currentLine++;
+    } else if (policyDeclRegex.test(cleaned)) {
+      const { policy, nextLineIndex } = parsePolicyBlock(currentLine);
+      policyList.push({ policy, startLine: currentLine + 1 });
+      currentLine = nextLineIndex;
     } else {
-      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table definition.`);
+      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table or policy definition.`);
     }
-    currentLine++;
+  }
+  for (const { policy, startLine } of policyList) {
+    if (!tables[policy.table]) {
+      throw new Error(`Line ${startLine}: Policy "${policy.name}" references undefined table "${policy.table}"`);
+    }
+    if (!tables[policy.table].policies) {
+      tables[policy.table].policies = [];
+    }
+    tables[policy.table].policies.push(policy);
   }
   return { tables };
 }
+var POLICY_COMMANDS;
 var init_parser = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/parser.js"() {
     "use strict";
+    POLICY_COMMANDS = ["select", "insert", "update", "delete"];
   }
 });
 
@@ -498,6 +576,18 @@ function resolveSchemaPrimaryKey(table) {
 function normalizeNullable(nullable) {
   return nullable ?? true;
 }
+function normalizePolicyExpression(s) {
+  return (s ?? "").trim().replace(/\s+/g, " ");
+}
+function policyEquals(oldP, newP) {
+  if (oldP.command !== newP.command)
+    return false;
+  if (normalizePolicyExpression(oldP.using) !== normalizePolicyExpression(newP.using))
+    return false;
+  if (normalizePolicyExpression(oldP.withCheck) !== normalizePolicyExpression(newP.withCheck))
+    return false;
+  return true;
+}
 function diffSchemas(oldState, newSchema) {
   const operations = [];
   const oldTableNames = getTableNamesFromState(oldState);
@@ -674,6 +764,37 @@ function diffSchemas(oldState, newSchema) {
       }
     }
   }
+  const oldPolicyNamesByTable = (t) => new Set(Object.keys(t.policies ?? {}));
+  const newPolicyListByTable = (t) => t.policies ?? [];
+  for (const tableName of commonTableNames) {
+    const newTable = newSchema.tables[tableName];
+    const oldTable = oldState.tables[tableName];
+    if (!newTable || !oldTable)
+      continue;
+    const oldPolicyNames = oldPolicyNamesByTable(oldTable);
+    const newPolicies = newPolicyListByTable(newTable);
+    const newPolicyNames = new Set(newPolicies.map((p) => p.name));
+    const sortedNewPolicyNames = Array.from(newPolicyNames).sort((a, b) => a.localeCompare(b));
+    const sortedOldPolicyNames = Array.from(oldPolicyNames).sort((a, b) => a.localeCompare(b));
+    for (const policyName of sortedNewPolicyNames) {
+      const policy = newPolicies.find((p) => p.name === policyName);
+      if (!policy)
+        continue;
+      if (!oldPolicyNames.has(policyName)) {
+        operations.push({ kind: "create_policy", tableName, policy });
+      } else {
+        const oldP = oldTable.policies?.[policyName];
+        if (oldP && !policyEquals(oldP, policy)) {
+          operations.push({ kind: "modify_policy", tableName, policyName, policy });
+        }
+      }
+    }
+    for (const policyName of sortedOldPolicyNames) {
+      if (!newPolicyNames.has(policyName)) {
+        operations.push({ kind: "drop_policy", tableName, policyName });
+      }
+    }
+  }
   for (const tableName of sortedOldTableNames) {
     if (!newTableNames.has(tableName)) {
       operations.push({
@@ -774,6 +895,7 @@ function validateSchema(schema) {
     const table = schema.tables[tableName];
     validateTableColumns(tableName, table, schema.tables);
   }
+  validatePolicies(schema);
 }
 function validateDuplicateTables(schema) {
   const tableNames = Object.keys(schema.tables);
@@ -829,10 +951,36 @@ function validateTableColumns(tableName, table, allTables) {
     }
   }
 }
-var VALID_BASE_COLUMN_TYPES;
+function validatePolicies(schema) {
+  for (const tableName in schema.tables) {
+    const table = schema.tables[tableName];
+    if (!table.policies?.length)
+      continue;
+    for (const policy of table.policies) {
+      if (!schema.tables[policy.table]) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": referenced table "${policy.table}" does not exist`);
+      }
+      if (!VALID_POLICY_COMMANDS.includes(policy.command)) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, or delete`);
+      }
+      const hasUsing = policy.using !== void 0 && String(policy.using).trim() !== "";
+      const hasWithCheck = policy.withCheck !== void 0 && String(policy.withCheck).trim() !== "";
+      if (!hasUsing && !hasWithCheck) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": must have at least one of "using" or "with check"`);
+      }
+    }
+  }
+}
+var VALID_POLICY_COMMANDS, VALID_BASE_COLUMN_TYPES;
 var init_validator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/validator.js"() {
     "use strict";
+    VALID_POLICY_COMMANDS = [
+      "select",
+      "insert",
+      "update",
+      "delete"
+    ];
     VALID_BASE_COLUMN_TYPES = [
       "uuid",
       "varchar",
@@ -926,6 +1074,12 @@ function classifyOperation(operation) {
       return "DESTRUCTIVE";
     case "add_primary_key_constraint":
       return "SAFE";
+    case "create_policy":
+      return "SAFE";
+    case "drop_policy":
+      return "DESTRUCTIVE";
+    case "modify_policy":
+      return "WARNING";
     default:
       const _exhaustive = operation;
       return _exhaustive;
@@ -1048,6 +1202,22 @@ function checkOperationSafety(operation) {
         message: "Primary key constraint removed",
         operationKind: operation.kind
       };
+    case "drop_policy":
+      return {
+        safetyLevel,
+        code: "DROP_POLICY",
+        table: operation.tableName,
+        message: "Policy removed",
+        operationKind: operation.kind
+      };
+    case "modify_policy":
+      return {
+        safetyLevel,
+        code: "MODIFY_POLICY",
+        table: operation.tableName,
+        message: "Policy expression changed",
+        operationKind: operation.kind
+      };
     default:
       return null;
   }
@@ -1222,9 +1392,21 @@ async function schemaToState(schema) {
         ...column.foreignKey !== void 0 && { foreignKey: column.foreignKey }
       };
     }
+    let policies;
+    if (table.policies?.length) {
+      policies = {};
+      for (const p of table.policies) {
+        policies[p.name] = {
+          command: p.command,
+          ...p.using !== void 0 && { using: p.using },
+          ...p.withCheck !== void 0 && { withCheck: p.withCheck }
+        };
+      }
+    }
     tables[tableName] = {
       columns,
-      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn }
+      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn },
+      ...policies !== void 0 && { policies }
     };
   }
   return {
@@ -1259,9 +1441,20 @@ var init_state_manager = __esm({
 });
 
 // node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js
+function generateEnableRls(tableName) {
+  return `ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`;
+}
 function generateSql(diff2, provider, sqlConfig) {
   const statements = [];
+  const enabledRlsTables = /* @__PURE__ */ new Set();
   for (const operation of diff2.operations) {
+    if (operation.kind === "create_policy" || operation.kind === "modify_policy") {
+      const tableName = operation.tableName;
+      if (!enabledRlsTables.has(tableName)) {
+        statements.push(generateEnableRls(tableName));
+        enabledRlsTables.add(tableName);
+      }
+    }
     const sql = generateOperation(operation, provider, sqlConfig);
     if (sql) {
       statements.push(sql);
@@ -1291,6 +1484,12 @@ function generateOperation(operation, provider, sqlConfig) {
       return generateDropPrimaryKeyConstraint(operation.tableName);
     case "add_primary_key_constraint":
       return generateAddPrimaryKeyConstraint(operation.tableName, operation.columnName);
+    case "create_policy":
+      return generateCreatePolicy(operation.tableName, operation.policy);
+    case "drop_policy":
+      return generateDropPolicy(operation.tableName, operation.policyName);
+    case "modify_policy":
+      return generateModifyPolicy(operation.tableName, operation.policyName, operation.policy);
   }
 }
 function generateCreateTable(table, provider, sqlConfig) {
@@ -1371,6 +1570,25 @@ function generateAlterColumnNullability(tableName, columnName, toNullable) {
   }
   return `ALTER TABLE ${tableName} ALTER COLUMN ${columnName} SET NOT NULL;`;
 }
+function generateCreatePolicy(tableName, policy) {
+  const command = policy.command.toUpperCase();
+  const parts = [`CREATE POLICY "${policy.name}" ON ${tableName} FOR ${command}`];
+  if (policy.using !== void 0 && policy.using !== "") {
+    parts.push(`USING (${policy.using})`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    parts.push(`WITH CHECK (${policy.withCheck})`);
+  }
+  return parts.join(" ") + ";";
+}
+function generateDropPolicy(tableName, policyName) {
+  return `DROP POLICY "${policyName}" ON ${tableName};`;
+}
+function generateModifyPolicy(tableName, policyName, policy) {
+  const drop = generateDropPolicy(tableName, policyName);
+  const create = generateCreatePolicy(tableName, policy);
+  return drop + "\n\n" + create;
+}
 var init_sql_generator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js"() {
     "use strict";
@@ -2941,13 +3159,9 @@ async function withPostgresQueryExecutor(connectionString, run) {
 
 // src/utils/exitCodes.ts
 var EXIT_CODES = {
-  /** Successful operation */
   SUCCESS: 0,
-  /** Validation error (invalid DSL syntax, config errors, missing files, etc.) */
   VALIDATION_ERROR: 1,
-  /** Drift detected - Reserved for future use when comparing actual DB state vs schema */
   DRIFT_DETECTED: 2,
-  /** Destructive operation detected in CI environment without --force */
   CI_DESTRUCTIVE: 3
 };
 function shouldFailCIDestructive(isCIEnvironment, hasDestructiveFindings2, isForceEnabled) {

package/dist/cli.js

@@ -34,6 +34,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 function parseSchema(source) {
   const lines = source.split("\n");
   const tables = {};
+  const policyList = [];
   let currentLine = 0;
   const validBaseColumnTypes = /* @__PURE__ */ new Set([
     "uuid",
@@ -258,6 +259,67 @@ function parseSchema(source) {
     }
     return column;
   }
+  function parsePolicyBlock(startLine) {
+    const firstLine = cleanLine(lines[startLine]);
+    const declMatch = firstLine.match(/^policy\s+"([^"]*)"\s+on\s+(\w+)\s*$/);
+    if (!declMatch) {
+      throw new Error(`Line ${startLine + 1}: Invalid policy declaration. Expected: policy "<name>" on <table>`);
+    }
+    const policyName = declMatch[1];
+    const tableIdent = declMatch[2];
+    validateIdentifier(tableIdent, startLine + 1, "table");
+    let command;
+    let using;
+    let withCheck;
+    let lineIdx = startLine + 1;
+    while (lineIdx < lines.length) {
+      const cleaned = cleanLine(lines[lineIdx]);
+      if (!cleaned) {
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("for ")) {
+        const cmd = cleaned.slice(4).trim().toLowerCase();
+        if (!POLICY_COMMANDS.includes(cmd)) {
+          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, or delete`);
+        }
+        if (command !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'for' in policy`);
+        }
+        command = cmd;
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("using ")) {
+        if (using !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'using' in policy`);
+        }
+        using = cleaned.slice(6).trim();
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("with check ")) {
+        if (withCheck !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'with check' in policy`);
+        }
+        withCheck = cleaned.slice(11).trim();
+        lineIdx++;
+        continue;
+      }
+      break;
+    }
+    if (command === void 0) {
+      throw new Error(`Line ${startLine + 1}: Policy is missing 'for <command>'`);
+    }
+    const policy = {
+      name: policyName,
+      table: tableIdent,
+      command,
+      ...using !== void 0 && { using },
+      ...withCheck !== void 0 && { withCheck }
+    };
+    return { policy, nextLineIndex: lineIdx };
+  }
   function parseTableBlock(startLine) {
     const firstLine = cleanLine(lines[startLine]);
     const match = firstLine.match(/^table\s+(\w+)\s*\{\s*$/);
@@ -301,6 +363,7 @@ function parseSchema(source) {
     };
     return lineIdx;
   }
+  const policyDeclRegex = /^policy\s+"([^"]*)"\s+on\s+\w+/;
   while (currentLine < lines.length) {
     const cleaned = cleanLine(lines[currentLine]);
     if (!cleaned) {
@@ -309,16 +372,31 @@ function parseSchema(source) {
     }
     if (cleaned.startsWith("table ")) {
       currentLine = parseTableBlock(currentLine);
+      currentLine++;
+    } else if (policyDeclRegex.test(cleaned)) {
+      const { policy, nextLineIndex } = parsePolicyBlock(currentLine);
+      policyList.push({ policy, startLine: currentLine + 1 });
+      currentLine = nextLineIndex;
     } else {
-      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table definition.`);
+      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table or policy definition.`);
+    }
+  }
+  for (const { policy, startLine } of policyList) {
+    if (!tables[policy.table]) {
+      throw new Error(`Line ${startLine}: Policy "${policy.name}" references undefined table "${policy.table}"`);
+    }
+    if (!tables[policy.table].policies) {
+      tables[policy.table].policies = [];
     }
-    currentLine++;
+    tables[policy.table].policies.push(policy);
   }
   return { tables };
 }
+var POLICY_COMMANDS;
 var init_parser = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/parser.js"() {
     "use strict";
+    POLICY_COMMANDS = ["select", "insert", "update", "delete"];
   }
 });
 
@@ -498,6 +576,18 @@ function resolveSchemaPrimaryKey(table) {
 function normalizeNullable(nullable) {
   return nullable ?? true;
 }
+function normalizePolicyExpression(s) {
+  return (s ?? "").trim().replace(/\s+/g, " ");
+}
+function policyEquals(oldP, newP) {
+  if (oldP.command !== newP.command)
+    return false;
+  if (normalizePolicyExpression(oldP.using) !== normalizePolicyExpression(newP.using))
+    return false;
+  if (normalizePolicyExpression(oldP.withCheck) !== normalizePolicyExpression(newP.withCheck))
+    return false;
+  return true;
+}
 function diffSchemas(oldState, newSchema) {
   const operations = [];
   const oldTableNames = getTableNamesFromState(oldState);
@@ -674,6 +764,37 @@ function diffSchemas(oldState, newSchema) {
       }
     }
   }
+  const oldPolicyNamesByTable = (t) => new Set(Object.keys(t.policies ?? {}));
+  const newPolicyListByTable = (t) => t.policies ?? [];
+  for (const tableName of commonTableNames) {
+    const newTable = newSchema.tables[tableName];
+    const oldTable = oldState.tables[tableName];
+    if (!newTable || !oldTable)
+      continue;
+    const oldPolicyNames = oldPolicyNamesByTable(oldTable);
+    const newPolicies = newPolicyListByTable(newTable);
+    const newPolicyNames = new Set(newPolicies.map((p) => p.name));
+    const sortedNewPolicyNames = Array.from(newPolicyNames).sort((a, b) => a.localeCompare(b));
+    const sortedOldPolicyNames = Array.from(oldPolicyNames).sort((a, b) => a.localeCompare(b));
+    for (const policyName of sortedNewPolicyNames) {
+      const policy = newPolicies.find((p) => p.name === policyName);
+      if (!policy)
+        continue;
+      if (!oldPolicyNames.has(policyName)) {
+        operations.push({ kind: "create_policy", tableName, policy });
+      } else {
+        const oldP = oldTable.policies?.[policyName];
+        if (oldP && !policyEquals(oldP, policy)) {
+          operations.push({ kind: "modify_policy", tableName, policyName, policy });
+        }
+      }
+    }
+    for (const policyName of sortedOldPolicyNames) {
+      if (!newPolicyNames.has(policyName)) {
+        operations.push({ kind: "drop_policy", tableName, policyName });
+      }
+    }
+  }
   for (const tableName of sortedOldTableNames) {
     if (!newTableNames.has(tableName)) {
       operations.push({
@@ -774,6 +895,7 @@ function validateSchema(schema) {
     const table = schema.tables[tableName];
     validateTableColumns(tableName, table, schema.tables);
   }
+  validatePolicies(schema);
 }
 function validateDuplicateTables(schema) {
   const tableNames = Object.keys(schema.tables);
@@ -829,10 +951,36 @@ function validateTableColumns(tableName, table, allTables) {
     }
   }
 }
-var VALID_BASE_COLUMN_TYPES;
+function validatePolicies(schema) {
+  for (const tableName in schema.tables) {
+    const table = schema.tables[tableName];
+    if (!table.policies?.length)
+      continue;
+    for (const policy of table.policies) {
+      if (!schema.tables[policy.table]) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": referenced table "${policy.table}" does not exist`);
+      }
+      if (!VALID_POLICY_COMMANDS.includes(policy.command)) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, or delete`);
+      }
+      const hasUsing = policy.using !== void 0 && String(policy.using).trim() !== "";
+      const hasWithCheck = policy.withCheck !== void 0 && String(policy.withCheck).trim() !== "";
+      if (!hasUsing && !hasWithCheck) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": must have at least one of "using" or "with check"`);
+      }
+    }
+  }
+}
+var VALID_POLICY_COMMANDS, VALID_BASE_COLUMN_TYPES;
 var init_validator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/validator.js"() {
     "use strict";
+    VALID_POLICY_COMMANDS = [
+      "select",
+      "insert",
+      "update",
+      "delete"
+    ];
     VALID_BASE_COLUMN_TYPES = [
       "uuid",
       "varchar",
@@ -926,6 +1074,12 @@ function classifyOperation(operation) {
       return "DESTRUCTIVE";
     case "add_primary_key_constraint":
       return "SAFE";
+    case "create_policy":
+      return "SAFE";
+    case "drop_policy":
+      return "DESTRUCTIVE";
+    case "modify_policy":
+      return "WARNING";
     default:
       const _exhaustive = operation;
       return _exhaustive;
@@ -1048,6 +1202,22 @@ function checkOperationSafety(operation) {
         message: "Primary key constraint removed",
         operationKind: operation.kind
       };
+    case "drop_policy":
+      return {
+        safetyLevel,
+        code: "DROP_POLICY",
+        table: operation.tableName,
+        message: "Policy removed",
+        operationKind: operation.kind
+      };
+    case "modify_policy":
+      return {
+        safetyLevel,
+        code: "MODIFY_POLICY",
+        table: operation.tableName,
+        message: "Policy expression changed",
+        operationKind: operation.kind
+      };
     default:
       return null;
   }
@@ -1222,9 +1392,21 @@ async function schemaToState(schema) {
         ...column.foreignKey !== void 0 && { foreignKey: column.foreignKey }
       };
     }
+    let policies;
+    if (table.policies?.length) {
+      policies = {};
+      for (const p of table.policies) {
+        policies[p.name] = {
+          command: p.command,
+          ...p.using !== void 0 && { using: p.using },
+          ...p.withCheck !== void 0 && { withCheck: p.withCheck }
+        };
+      }
+    }
     tables[tableName] = {
       columns,
-      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn }
+      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn },
+      ...policies !== void 0 && { policies }
     };
   }
   return {
@@ -1259,9 +1441,20 @@ var init_state_manager = __esm({
 });
 
 // node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js
+function generateEnableRls(tableName) {
+  return `ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`;
+}
 function generateSql(diff, provider, sqlConfig) {
   const statements = [];
+  const enabledRlsTables = /* @__PURE__ */ new Set();
   for (const operation of diff.operations) {
+    if (operation.kind === "create_policy" || operation.kind === "modify_policy") {
+      const tableName = operation.tableName;
+      if (!enabledRlsTables.has(tableName)) {
+        statements.push(generateEnableRls(tableName));
+        enabledRlsTables.add(tableName);
+      }
+    }
     const sql = generateOperation(operation, provider, sqlConfig);
     if (sql) {
       statements.push(sql);
@@ -1291,6 +1484,12 @@ function generateOperation(operation, provider, sqlConfig) {
       return generateDropPrimaryKeyConstraint(operation.tableName);
     case "add_primary_key_constraint":
       return generateAddPrimaryKeyConstraint(operation.tableName, operation.columnName);
+    case "create_policy":
+      return generateCreatePolicy(operation.tableName, operation.policy);
+    case "drop_policy":
+      return generateDropPolicy(operation.tableName, operation.policyName);
+    case "modify_policy":
+      return generateModifyPolicy(operation.tableName, operation.policyName, operation.policy);
   }
 }
 function generateCreateTable(table, provider, sqlConfig) {
@@ -1371,6 +1570,25 @@ function generateAlterColumnNullability(tableName, columnName, toNullable) {
   }
   return `ALTER TABLE ${tableName} ALTER COLUMN ${columnName} SET NOT NULL;`;
 }
+function generateCreatePolicy(tableName, policy) {
+  const command = policy.command.toUpperCase();
+  const parts = [`CREATE POLICY "${policy.name}" ON ${tableName} FOR ${command}`];
+  if (policy.using !== void 0 && policy.using !== "") {
+    parts.push(`USING (${policy.using})`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    parts.push(`WITH CHECK (${policy.withCheck})`);
+  }
+  return parts.join(" ") + ";";
+}
+function generateDropPolicy(tableName, policyName) {
+  return `DROP POLICY "${policyName}" ON ${tableName};`;
+}
+function generateModifyPolicy(tableName, policyName, policy) {
+  const drop = generateDropPolicy(tableName, policyName);
+  const create = generateCreatePolicy(tableName, policy);
+  return drop + "\n\n" + create;
+}
 var init_sql_generator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js"() {
     "use strict";
@@ -2733,7 +2951,7 @@ var import_commander8 = require("commander");
 // package.json
 var package_default = {
   name: "@xubylele/schema-forge",
-  version: "1.11.0",
+  version: "1.12.0",
   description: "Universal migration generator from schema DSL",
   main: "dist/cli.js",
   type: "commonjs",
@@ -2787,13 +3005,14 @@ var package_default = {
     boxen: "^8.0.1",
     chalk: "^5.6.2",
     commander: "^14.0.3",
-    pg: "^8.19.0"
+    pg: "^8.19.0",
+    "update-notifier": "^7.3.1"
   },
   devDependencies: {
     "@changesets/cli": "^2.30.0",
     "@types/node": "^25.2.3",
     "@types/pg": "^8.18.0",
-    "@xubylele/schema-forge-core": "^1.3.1",
+    "@xubylele/schema-forge-core": "^1.4.0",
     testcontainers: "^11.8.1",
     "ts-node": "^10.9.2",
     tsup: "^8.5.1",
@@ -2882,13 +3101,9 @@ function getStatePath(root, config) {
 
 // src/utils/exitCodes.ts
 var EXIT_CODES = {
-  /** Successful operation */
   SUCCESS: 0,
-  /** Validation error (invalid DSL syntax, config errors, missing files, etc.) */
   VALIDATION_ERROR: 1,
-  /** Drift detected - Reserved for future use when comparing actual DB state vs schema */
   DRIFT_DETECTED: 2,
-  /** Destructive operation detected in CI environment without --force */
   CI_DESTRUCTIVE: 3
 };
 function shouldFailCIDestructive(isCIEnvironment, hasDestructiveFindings2, isForceEnabled) {
@@ -3739,6 +3954,35 @@ function getCliMetaPath() {
 function getReleaseUrl(version) {
   return `https://github.com/xubylele/schema-forge/releases/tag/v${version}`;
 }
+function extractChangelogSection(changelogText, version) {
+  const heading = `## ${version}`;
+  const idx = changelogText.indexOf(heading);
+  if (idx === -1) {
+    return null;
+  }
+  const start = idx + heading.length;
+  const rest = changelogText.slice(start);
+  const nextHeading = rest.indexOf("\n## ");
+  const section = nextHeading === -1 ? rest : rest.slice(0, nextHeading);
+  return section.trim() || null;
+}
+async function fetchChangelogForVersion(version) {
+  const urls = [
+    `https://raw.githubusercontent.com/xubylele/schema-forge/v${version}/CHANGELOG.md`,
+    "https://raw.githubusercontent.com/xubylele/schema-forge/main/CHANGELOG.md"
+  ];
+  for (const url of urls) {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
+      if (!res.ok) continue;
+      const text = await res.text();
+      const section = extractChangelogSection(text, version);
+      if (section) return section;
+    } catch {
+    }
+  }
+  return null;
+}
 function shouldShowWhatsNew(argv) {
   if (argv.length === 0) {
     return false;
@@ -3758,7 +4002,14 @@ async function showWhatsNewIfUpdated(currentVersion, argv) {
     if (meta.lastSeenVersion === currentVersion) {
       return;
     }
-    info(`What's new in schema-forge v${currentVersion}: ${getReleaseUrl(currentVersion)}`);
+    const section = await fetchChangelogForVersion(currentVersion);
+    if (section) {
+      info(`What's new in schema-forge v${currentVersion}:`);
+      info(section);
+      info(`Release: ${getReleaseUrl(currentVersion)}`);
+    } else {
+      info(`What's new in schema-forge v${currentVersion}: ${getReleaseUrl(currentVersion)}`);
+    }
     await writeJsonFile(metaPath, { lastSeenVersion: currentVersion });
   } catch {
   }
@@ -3857,10 +4108,21 @@ program.command("validate").description("Detect destructive or risky schema chan
     await handleError(error2);
   }
 });
+function shouldCheckForUpdate(argv) {
+  if (process.env.CI === "true") {
+    return false;
+  }
+  const onlyHelpOrVersion = argv.length === 0 || argv.length === 1 && ["--help", "-h", "--version", "-V"].includes(argv[0]);
+  return !onlyHelpOrVersion;
+}
 async function main() {
   const argv = process.argv.slice(2);
   await seedLastSeenVersion(package_default.version);
   await showWhatsNewIfUpdated(package_default.version, argv);
+  if (shouldCheckForUpdate(argv)) {
+    import("update-notifier").then((m) => m.default({ pkg: package_default, shouldNotifyInNpmScript: false }).notify()).catch(() => {
+    });
+  }
   program.parse(process.argv);
   if (!argv.length) {
     program.outputHelp();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xubylele/schema-forge",
-  "version": "1.11.0",
+  "version": "1.12.0",
   "description": "Universal migration generator from schema DSL",
   "main": "dist/cli.js",
   "type": "commonjs",
@@ -54,13 +54,14 @@
     "boxen": "^8.0.1",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
-    "pg": "^8.19.0"
+    "pg": "^8.19.0",
+    "update-notifier": "^7.3.1"
   },
   "devDependencies": {
     "@changesets/cli": "^2.30.0",
     "@types/node": "^25.2.3",
     "@types/pg": "^8.18.0",
-    "@xubylele/schema-forge-core": "^1.3.1",
+    "@xubylele/schema-forge-core": "^1.4.0",
     "testcontainers": "^11.8.1",
     "ts-node": "^10.9.2",
     "tsup": "^8.5.1",