@xubylele/schema-forge 1.11.0 → 1.12.1

package/dist/api.js

@@ -34,6 +34,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 function parseSchema(source) {
   const lines = source.split("\n");
   const tables = {};
+  const policyList = [];
   let currentLine = 0;
   const validBaseColumnTypes = /* @__PURE__ */ new Set([
     "uuid",
@@ -258,6 +259,85 @@ function parseSchema(source) {
     }
     return column;
   }
+  function parsePolicyBlock(startLine) {
+    const firstLine = cleanLine(lines[startLine]);
+    const declMatch = firstLine.match(/^policy\s+"([^"]*)"\s+on\s+(\w+)\s*$/);
+    if (!declMatch) {
+      throw new Error(`Line ${startLine + 1}: Invalid policy declaration. Expected: policy "<name>" on <table>`);
+    }
+    const policyName = declMatch[1];
+    const tableIdent = declMatch[2];
+    validateIdentifier(tableIdent, startLine + 1, "table");
+    let command;
+    let using;
+    let withCheck;
+    let toRoles;
+    let lineIdx = startLine + 1;
+    while (lineIdx < lines.length) {
+      const cleaned = cleanLine(lines[lineIdx]);
+      if (!cleaned) {
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("for ")) {
+        const rest = cleaned.slice(4).trim().toLowerCase();
+        const parts = rest.split(/\s+/);
+        const cmd = parts[0];
+        if (!POLICY_COMMANDS.includes(cmd)) {
+          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, delete, or all`);
+        }
+        if (command !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'for' in policy`);
+        }
+        command = cmd;
+        if (parts.length > 1 && parts[1] === "to" && parts.length > 2) {
+          toRoles = parts.slice(2);
+        }
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("to ")) {
+        if (toRoles !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'to' in policy`);
+        }
+        const roles = cleaned.slice(3).trim().split(/\s+/).filter(Boolean);
+        if (roles.length > 0) {
+          toRoles = roles;
+        }
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("using ")) {
+        if (using !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'using' in policy`);
+        }
+        using = cleaned.slice(6).trim();
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("with check ")) {
+        if (withCheck !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'with check' in policy`);
+        }
+        withCheck = cleaned.slice(11).trim();
+        lineIdx++;
+        continue;
+      }
+      break;
+    }
+    if (command === void 0) {
+      throw new Error(`Line ${startLine + 1}: Policy is missing 'for <command>'`);
+    }
+    const policy = {
+      name: policyName,
+      table: tableIdent,
+      command,
+      ...using !== void 0 && { using },
+      ...withCheck !== void 0 && { withCheck },
+      ...toRoles !== void 0 && toRoles.length > 0 && { to: toRoles }
+    };
+    return { policy, nextLineIndex: lineIdx };
+  }
   function parseTableBlock(startLine) {
     const firstLine = cleanLine(lines[startLine]);
     const match = firstLine.match(/^table\s+(\w+)\s*\{\s*$/);
@@ -301,6 +381,7 @@ function parseSchema(source) {
     };
     return lineIdx;
   }
+  const policyDeclRegex = /^policy\s+"([^"]*)"\s+on\s+\w+/;
   while (currentLine < lines.length) {
     const cleaned = cleanLine(lines[currentLine]);
     if (!cleaned) {
@@ -309,16 +390,31 @@ function parseSchema(source) {
     }
     if (cleaned.startsWith("table ")) {
       currentLine = parseTableBlock(currentLine);
+      currentLine++;
+    } else if (policyDeclRegex.test(cleaned)) {
+      const { policy, nextLineIndex } = parsePolicyBlock(currentLine);
+      policyList.push({ policy, startLine: currentLine + 1 });
+      currentLine = nextLineIndex;
     } else {
-      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table definition.`);
+      throw new Error(`Line ${currentLine + 1}: Unexpected content '${cleaned}'. Expected table or policy definition.`);
+    }
+  }
+  for (const { policy, startLine } of policyList) {
+    if (!tables[policy.table]) {
+      throw new Error(`Line ${startLine}: Policy "${policy.name}" references undefined table "${policy.table}"`);
     }
-    currentLine++;
+    if (!tables[policy.table].policies) {
+      tables[policy.table].policies = [];
+    }
+    tables[policy.table].policies.push(policy);
   }
   return { tables };
 }
+var POLICY_COMMANDS;
 var init_parser = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/parser.js"() {
     "use strict";
+    POLICY_COMMANDS = ["select", "insert", "update", "delete", "all"];
   }
 });
 
@@ -498,6 +594,22 @@ function resolveSchemaPrimaryKey(table) {
 function normalizeNullable(nullable) {
   return nullable ?? true;
 }
+function normalizePolicyExpression(s) {
+  return (s ?? "").trim().replace(/\s+/g, " ");
+}
+function policyEquals(oldP, newP) {
+  if (oldP.command !== newP.command)
+    return false;
+  if (normalizePolicyExpression(oldP.using) !== normalizePolicyExpression(newP.using))
+    return false;
+  if (normalizePolicyExpression(oldP.withCheck) !== normalizePolicyExpression(newP.withCheck))
+    return false;
+  const oldTo = (oldP.to ?? []).slice().sort().join(",");
+  const newTo = (newP.to ?? []).slice().sort().join(",");
+  if (oldTo !== newTo)
+    return false;
+  return true;
+}
 function diffSchemas(oldState, newSchema) {
   const operations = [];
   const oldTableNames = getTableNamesFromState(oldState);
@@ -674,6 +786,37 @@ function diffSchemas(oldState, newSchema) {
       }
     }
   }
+  const oldPolicyNamesByTable = (t) => new Set(Object.keys(t.policies ?? {}));
+  const newPolicyListByTable = (t) => t.policies ?? [];
+  for (const tableName of commonTableNames) {
+    const newTable = newSchema.tables[tableName];
+    const oldTable = oldState.tables[tableName];
+    if (!newTable || !oldTable)
+      continue;
+    const oldPolicyNames = oldPolicyNamesByTable(oldTable);
+    const newPolicies = newPolicyListByTable(newTable);
+    const newPolicyNames = new Set(newPolicies.map((p) => p.name));
+    const sortedNewPolicyNames = Array.from(newPolicyNames).sort((a, b) => a.localeCompare(b));
+    const sortedOldPolicyNames = Array.from(oldPolicyNames).sort((a, b) => a.localeCompare(b));
+    for (const policyName of sortedNewPolicyNames) {
+      const policy = newPolicies.find((p) => p.name === policyName);
+      if (!policy)
+        continue;
+      if (!oldPolicyNames.has(policyName)) {
+        operations.push({ kind: "create_policy", tableName, policy });
+      } else {
+        const oldP = oldTable.policies?.[policyName];
+        if (oldP && !policyEquals(oldP, policy)) {
+          operations.push({ kind: "modify_policy", tableName, policyName, policy });
+        }
+      }
+    }
+    for (const policyName of sortedOldPolicyNames) {
+      if (!newPolicyNames.has(policyName)) {
+        operations.push({ kind: "drop_policy", tableName, policyName });
+      }
+    }
+  }
   for (const tableName of sortedOldTableNames) {
     if (!newTableNames.has(tableName)) {
       operations.push({
@@ -774,6 +917,7 @@ function validateSchema(schema) {
     const table = schema.tables[tableName];
     validateTableColumns(tableName, table, schema.tables);
   }
+  validatePolicies(schema);
 }
 function validateDuplicateTables(schema) {
   const tableNames = Object.keys(schema.tables);
@@ -829,10 +973,37 @@ function validateTableColumns(tableName, table, allTables) {
     }
   }
 }
-var VALID_BASE_COLUMN_TYPES;
+function validatePolicies(schema) {
+  for (const tableName in schema.tables) {
+    const table = schema.tables[tableName];
+    if (!table.policies?.length)
+      continue;
+    for (const policy of table.policies) {
+      if (!schema.tables[policy.table]) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": referenced table "${policy.table}" does not exist`);
+      }
+      if (!VALID_POLICY_COMMANDS.includes(policy.command)) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, delete, or all`);
+      }
+      const hasUsing = policy.using !== void 0 && String(policy.using).trim() !== "";
+      const hasWithCheck = policy.withCheck !== void 0 && String(policy.withCheck).trim() !== "";
+      if (!hasUsing && !hasWithCheck) {
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": must have at least one of "using" or "with check"`);
+      }
+    }
+  }
+}
+var VALID_POLICY_COMMANDS, VALID_BASE_COLUMN_TYPES;
 var init_validator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/validator.js"() {
     "use strict";
+    VALID_POLICY_COMMANDS = [
+      "select",
+      "insert",
+      "update",
+      "delete",
+      "all"
+    ];
     VALID_BASE_COLUMN_TYPES = [
       "uuid",
       "varchar",
@@ -926,6 +1097,12 @@ function classifyOperation(operation) {
       return "DESTRUCTIVE";
     case "add_primary_key_constraint":
       return "SAFE";
+    case "create_policy":
+      return "SAFE";
+    case "drop_policy":
+      return "DESTRUCTIVE";
+    case "modify_policy":
+      return "WARNING";
     default:
       const _exhaustive = operation;
       return _exhaustive;
@@ -1048,6 +1225,22 @@ function checkOperationSafety(operation) {
         message: "Primary key constraint removed",
         operationKind: operation.kind
       };
+    case "drop_policy":
+      return {
+        safetyLevel,
+        code: "DROP_POLICY",
+        table: operation.tableName,
+        message: "Policy removed",
+        operationKind: operation.kind
+      };
+    case "modify_policy":
+      return {
+        safetyLevel,
+        code: "MODIFY_POLICY",
+        table: operation.tableName,
+        message: "Policy expression changed",
+        operationKind: operation.kind
+      };
     default:
       return null;
   }
@@ -1222,9 +1415,21 @@ async function schemaToState(schema) {
         ...column.foreignKey !== void 0 && { foreignKey: column.foreignKey }
       };
     }
+    let policies;
+    if (table.policies?.length) {
+      policies = {};
+      for (const p of table.policies) {
+        policies[p.name] = {
+          command: p.command,
+          ...p.using !== void 0 && { using: p.using },
+          ...p.withCheck !== void 0 && { withCheck: p.withCheck }
+        };
+      }
+    }
     tables[tableName] = {
       columns,
-      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn }
+      ...primaryKeyColumn !== null && { primaryKey: primaryKeyColumn },
+      ...policies !== void 0 && { policies }
     };
   }
   return {
@@ -1259,9 +1464,20 @@ var init_state_manager = __esm({
 });
 
 // node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js
+function generateEnableRls(tableName) {
+  return `ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`;
+}
 function generateSql(diff2, provider, sqlConfig) {
   const statements = [];
+  const enabledRlsTables = /* @__PURE__ */ new Set();
   for (const operation of diff2.operations) {
+    if (operation.kind === "create_policy" || operation.kind === "modify_policy") {
+      const tableName = operation.tableName;
+      if (!enabledRlsTables.has(tableName)) {
+        statements.push(generateEnableRls(tableName));
+        enabledRlsTables.add(tableName);
+      }
+    }
     const sql = generateOperation(operation, provider, sqlConfig);
     if (sql) {
       statements.push(sql);
@@ -1291,6 +1507,12 @@ function generateOperation(operation, provider, sqlConfig) {
       return generateDropPrimaryKeyConstraint(operation.tableName);
     case "add_primary_key_constraint":
       return generateAddPrimaryKeyConstraint(operation.tableName, operation.columnName);
+    case "create_policy":
+      return generateCreatePolicy(operation.tableName, operation.policy);
+    case "drop_policy":
+      return generateDropPolicy(operation.tableName, operation.policyName);
+    case "modify_policy":
+      return generateModifyPolicy(operation.tableName, operation.policyName, operation.policy);
   }
 }
 function generateCreateTable(table, provider, sqlConfig) {
@@ -1371,6 +1593,28 @@ function generateAlterColumnNullability(tableName, columnName, toNullable) {
   }
   return `ALTER TABLE ${tableName} ALTER COLUMN ${columnName} SET NOT NULL;`;
 }
+function generateCreatePolicy(tableName, policy) {
+  const command = policy.command === "all" ? "ALL" : policy.command.toUpperCase();
+  const parts = [`CREATE POLICY "${policy.name}" ON ${tableName} FOR ${command}`];
+  if (policy.to !== void 0 && policy.to.length > 0) {
+    parts.push(`TO ${policy.to.join(", ")}`);
+  }
+  if (policy.using !== void 0 && policy.using !== "") {
+    parts.push(`USING (${policy.using})`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    parts.push(`WITH CHECK (${policy.withCheck})`);
+  }
+  return parts.join(" ") + ";";
+}
+function generateDropPolicy(tableName, policyName) {
+  return `DROP POLICY "${policyName}" ON ${tableName};`;
+}
+function generateModifyPolicy(tableName, policyName, policy) {
+  const drop = generateDropPolicy(tableName, policyName);
+  const create = generateCreatePolicy(tableName, policy);
+  return drop + "\n\n" + create;
+}
 var init_sql_generator = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/generator/sql-generator.js"() {
     "use strict";
@@ -1924,6 +2168,100 @@ function parseDropTable(stmt) {
     table: normalizeIdentifier(match[1])
   };
 }
+function parseEnableRls(stmt) {
+  const s = stmt.replace(/\s+/g, " ").trim();
+  const match = s.match(/^alter\s+table\s+(\S+)\s+enable\s+row\s+level\s+security\s*;?$/i);
+  if (!match) {
+    return null;
+  }
+  return {
+    kind: "ENABLE_RLS",
+    table: normalizeIdentifier(match[1])
+  };
+}
+function extractBalancedParen(s, start) {
+  if (start < 0 || s[start] !== "(") {
+    return null;
+  }
+  let depth = 1;
+  let i = start + 1;
+  while (i < s.length && depth > 0) {
+    const c = s[i];
+    if (c === "'" && (i === 0 || s[i - 1] !== "\\")) {
+      i++;
+      while (i < s.length && (s[i] !== "'" || s[i - 1] === "\\")) {
+        i++;
+      }
+      i++;
+      continue;
+    }
+    if (c === "(") {
+      depth++;
+    } else if (c === ")") {
+      depth--;
+    }
+    i++;
+  }
+  if (depth !== 0) {
+    return null;
+  }
+  return { content: s.slice(start + 1, i - 1).trim(), endIndex: i };
+}
+function parseCreatePolicy(stmt) {
+  const s = stmt.replace(/\s+/g, " ").trim();
+  const quotedMatch = s.match(/^create\s+policy\s+"([^"]+)"\s+on\s+(\S+)\s+for\s+(all|select|insert|update|delete)/i);
+  const unquotedMatch = quotedMatch ? null : s.match(/^create\s+policy\s+(\S+)\s+on\s+(\S+)\s+for\s+(all|select|insert|update|delete)/i);
+  const match = quotedMatch ?? unquotedMatch;
+  if (!match) {
+    return null;
+  }
+  const name = match[1];
+  const table = normalizeIdentifier(match[2]);
+  const command = match[3].toLowerCase();
+  let rest = s.slice(match[0].length).trim();
+  let toRoles;
+  const toMatch = rest.match(/^\s*to\s+/i) ?? rest.match(/\s+to\s+/i);
+  if (toMatch) {
+    const toIdx = toMatch.index;
+    const afterTo = rest.slice(toIdx + toMatch[0].length);
+    const usingStart = afterTo.toLowerCase().indexOf(" using (");
+    const withCheckStart = afterTo.toLowerCase().indexOf(" with check (");
+    const end = usingStart >= 0 && withCheckStart >= 0 ? Math.min(usingStart, withCheckStart) : usingStart >= 0 ? usingStart : withCheckStart >= 0 ? withCheckStart : afterTo.length;
+    const toPart = afterTo.slice(0, end).trim();
+    if (toPart) {
+      toRoles = toPart.split(/[\s,]+/).map((r) => r.trim()).filter(Boolean);
+    }
+    rest = rest.slice(0, toIdx) + rest.slice(toIdx + toMatch[0].length + end);
+  }
+  let using;
+  let withCheck;
+  const usingIdx = rest.toLowerCase().indexOf("using (");
+  if (usingIdx !== -1) {
+    const openParen = rest.indexOf("(", usingIdx);
+    const parsed = extractBalancedParen(rest, openParen);
+    if (parsed) {
+      using = parsed.content;
+      rest = rest.slice(parsed.endIndex).trim();
+    }
+  }
+  const withCheckIdx = rest.toLowerCase().indexOf("with check (");
+  if (withCheckIdx !== -1) {
+    const openParen = rest.indexOf("(", withCheckIdx);
+    const parsed = extractBalancedParen(rest, openParen);
+    if (parsed) {
+      withCheck = parsed.content;
+    }
+  }
+  return {
+    kind: "CREATE_POLICY",
+    table,
+    name,
+    command,
+    ...using !== void 0 && using !== "" && { using },
+    ...withCheck !== void 0 && withCheck !== "" && { withCheck },
+    ...toRoles !== void 0 && toRoles.length > 0 && { to: toRoles }
+  };
+}
 function parseMigrationSql(sql) {
   const statements = splitSqlStatements(sql);
   const ops = [];
@@ -1975,7 +2313,9 @@ var init_parse_migration = __esm({
       parseSetDropDefault,
       parseAddDropConstraint,
       parseDropColumn,
-      parseDropTable
+      parseDropTable,
+      parseEnableRls,
+      parseCreatePolicy
     ];
   }
 });
@@ -2149,6 +2489,31 @@ function applySqlOps(ops) {
         delete tables[op.table];
         break;
       }
+      case "ENABLE_RLS": {
+        getOrCreateTable(tables, op.table);
+        break;
+      }
+      case "CREATE_POLICY": {
+        const table = getOrCreateTable(tables, op.table);
+        if (!table.policies) {
+          table.policies = [];
+        }
+        const policy = {
+          name: op.name,
+          table: op.table,
+          command: op.command,
+          ...op.using !== void 0 && { using: op.using },
+          ...op.withCheck !== void 0 && { withCheck: op.withCheck },
+          ...op.to !== void 0 && op.to.length > 0 && { to: op.to }
+        };
+        const existing = table.policies.findIndex((p) => p.name === op.name);
+        if (existing >= 0) {
+          table.policies[existing] = policy;
+        } else {
+          table.policies.push(policy);
+        }
+        break;
+      }
     }
   }
   const schema = { tables };
@@ -2177,17 +2542,39 @@ function renderColumn(column) {
   }
   return `  ${parts.join(" ")}`;
 }
+function renderPolicy(policy) {
+  const lines = [
+    `policy "${policy.name}" on ${policy.table}`,
+    `for ${policy.command}`
+  ];
+  if (policy.to !== void 0 && policy.to.length > 0) {
+    lines.push(`to ${policy.to.join(" ")}`);
+  }
+  if (policy.using !== void 0 && policy.using !== "") {
+    lines.push(`using ${policy.using}`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    lines.push(`with check ${policy.withCheck}`);
+  }
+  return lines.join("\n");
+}
 function schemaToDsl(schema) {
   const tableNames = Object.keys(schema.tables).sort((left, right) => left.localeCompare(right));
-  const blocks = tableNames.map((tableName) => {
+  const blocks = [];
+  for (const tableName of tableNames) {
     const table = schema.tables[tableName];
-    const lines = [`table ${table.name} {`];
+    const tableLines = [`table ${table.name} {`];
     for (const column of table.columns) {
-      lines.push(renderColumn(column));
+      tableLines.push(renderColumn(column));
     }
-    lines.push("}");
-    return lines.join("\n");
-  });
+    tableLines.push("}");
+    blocks.push(tableLines.join("\n"));
+    if (table.policies?.length) {
+      for (const policy of table.policies) {
+        blocks.push(renderPolicy(policy));
+      }
+    }
+  }
   if (blocks.length === 0) {
     return "# SchemaForge schema definition\n";
   }
@@ -2680,9 +3067,11 @@ __export(dist_exports, {
   parseAddDropConstraint: () => parseAddDropConstraint,
   parseAlterColumnType: () => parseAlterColumnType,
   parseAlterTableAddColumn: () => parseAlterTableAddColumn,
+  parseCreatePolicy: () => parseCreatePolicy,
   parseCreateTable: () => parseCreateTable,
   parseDropColumn: () => parseDropColumn,
   parseDropTable: () => parseDropTable,
+  parseEnableRls: () => parseEnableRls,
   parseMigrationSql: () => parseMigrationSql,
   parseSchema: () => parseSchema,
   parseSetDropDefault: () => parseSetDropDefault,
@@ -2941,13 +3330,9 @@ async function withPostgresQueryExecutor(connectionString, run) {
 
 // src/utils/exitCodes.ts
 var EXIT_CODES = {
-  /** Successful operation */
   SUCCESS: 0,
-  /** Validation error (invalid DSL syntax, config errors, missing files, etc.) */
   VALIDATION_ERROR: 1,
-  /** Drift detected - Reserved for future use when comparing actual DB state vs schema */
   DRIFT_DETECTED: 2,
-  /** Destructive operation detected in CI environment without --force */
   CI_DESTRUCTIVE: 3
 };
 function shouldFailCIDestructive(isCIEnvironment, hasDestructiveFindings2, isForceEnabled) {