@xubylele/schema-forge 1.12.0 → 1.12.1

package/README.md

@@ -14,7 +14,7 @@ A modern CLI tool for database schema management with a clean DSL and automatic
 - **Postgres/Supabase** - Currently supports PostgreSQL and Supabase
 - **Constraint Diffing** - Detects UNIQUE and PRIMARY KEY changes with deterministic constraint names
 - **Live PostgreSQL Introspection** - Extract normalized schema directly from `information_schema`
-- **Policy (RLS) support** - Define Row Level Security policies in the DSL; invalid policies produce clear CLI errors during validation
+- **Policy (RLS) support** - Define Row Level Security policies in the DSL: `for select|insert|update|delete|all`, optional `to role1 role2` (e.g. `anon`, `authenticated`). Invalid policies produce clear CLI errors during validation. See [RLS policy patterns](https://github.com/xubylele/schema-forge-core/blob/main/docs/rls-policy-patterns.md) for user-owned rows, public read/authenticated write, and multi-tenant examples.
 
 ## Installation
 
@@ -325,7 +325,7 @@ Live `--json` output returns a structured `DriftReport`:
 
 Validation checks include:
 
-- **Policy validation** – Each policy must reference an existing table, use a valid command (`select` / `insert` / `update` / `delete`), and have at least one of `using` or `with check`. Invalid policies cause validation to fail with a clear error (exit code 1).
+- **Policy validation** – Each policy must reference an existing table, use a valid command (`select` / `insert` / `update` / `delete` / `all`), and have at least one of `using` or `with check`. Invalid policies cause validation to fail with a clear error (exit code 1).
 - Dropped tables (`DROP_TABLE`, error)
 - Dropped columns (`DROP_COLUMN`, error)
 - Column type changes (`ALTER_COLUMN_TYPE`, warning/error based on compatibility heuristics)
@@ -584,9 +584,22 @@ using auth.uid() = id
 ```
 
 - **First line:** `policy "<name>" on <table>`
-- **Continuation:** `for <command>` (required; one of `select`, `insert`, `update`, `delete`), optional `using <expr>`, optional `with check <expr>`
+- **Continuation:** `for <command>` (required): `select`, `insert`, `update`, `delete`, or `all` (applies to all commands). Optional `to role1 role2` (e.g. `to anon authenticated`). Optional `using <expr>` and `with check <expr>`.
 
-Invalid policies (missing table, invalid command, or no expressions) fail `schema-forge validate` with a clear error message.
+Example with `for all` and `to`:
+
+```sql
+policy "Own rows" on profiles
+for all
+using auth.uid() = id
+with check auth.uid() = id
+
+policy "Public read" on items
+for select to anon authenticated
+using true
+```
+
+Invalid policies (missing table, invalid command, or no expressions) fail `schema-forge validate` with a clear error message. For common patterns (user-owned rows, public read / authenticated write, multi-tenant), see [RLS policy patterns](https://github.com/xubylele/schema-forge-core/blob/main/docs/rls-policy-patterns.md) in the core package.
 
 ### Examples
 

package/dist/api.js

@@ -271,6 +271,7 @@ function parseSchema(source) {
     let command;
     let using;
     let withCheck;
+    let toRoles;
     let lineIdx = startLine + 1;
     while (lineIdx < lines.length) {
       const cleaned = cleanLine(lines[lineIdx]);
@@ -279,14 +280,30 @@ function parseSchema(source) {
         continue;
       }
       if (cleaned.startsWith("for ")) {
-        const cmd = cleaned.slice(4).trim().toLowerCase();
+        const rest = cleaned.slice(4).trim().toLowerCase();
+        const parts = rest.split(/\s+/);
+        const cmd = parts[0];
         if (!POLICY_COMMANDS.includes(cmd)) {
-          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, or delete`);
+          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, delete, or all`);
         }
         if (command !== void 0) {
           throw new Error(`Line ${lineIdx + 1}: Duplicate 'for' in policy`);
         }
         command = cmd;
+        if (parts.length > 1 && parts[1] === "to" && parts.length > 2) {
+          toRoles = parts.slice(2);
+        }
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("to ")) {
+        if (toRoles !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'to' in policy`);
+        }
+        const roles = cleaned.slice(3).trim().split(/\s+/).filter(Boolean);
+        if (roles.length > 0) {
+          toRoles = roles;
+        }
         lineIdx++;
         continue;
       }
@@ -316,7 +333,8 @@ function parseSchema(source) {
       table: tableIdent,
       command,
       ...using !== void 0 && { using },
-      ...withCheck !== void 0 && { withCheck }
+      ...withCheck !== void 0 && { withCheck },
+      ...toRoles !== void 0 && toRoles.length > 0 && { to: toRoles }
     };
     return { policy, nextLineIndex: lineIdx };
   }
@@ -396,7 +414,7 @@ var POLICY_COMMANDS;
 var init_parser = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/parser.js"() {
     "use strict";
-    POLICY_COMMANDS = ["select", "insert", "update", "delete"];
+    POLICY_COMMANDS = ["select", "insert", "update", "delete", "all"];
   }
 });
 
@@ -586,6 +604,10 @@ function policyEquals(oldP, newP) {
     return false;
   if (normalizePolicyExpression(oldP.withCheck) !== normalizePolicyExpression(newP.withCheck))
     return false;
+  const oldTo = (oldP.to ?? []).slice().sort().join(",");
+  const newTo = (newP.to ?? []).slice().sort().join(",");
+  if (oldTo !== newTo)
+    return false;
   return true;
 }
 function diffSchemas(oldState, newSchema) {
@@ -961,7 +983,7 @@ function validatePolicies(schema) {
         throw new Error(`Policy "${policy.name}" on table "${tableName}": referenced table "${policy.table}" does not exist`);
       }
       if (!VALID_POLICY_COMMANDS.includes(policy.command)) {
-        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, or delete`);
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, delete, or all`);
       }
       const hasUsing = policy.using !== void 0 && String(policy.using).trim() !== "";
       const hasWithCheck = policy.withCheck !== void 0 && String(policy.withCheck).trim() !== "";
@@ -979,7 +1001,8 @@ var init_validator = __esm({
       "select",
       "insert",
       "update",
-      "delete"
+      "delete",
+      "all"
     ];
     VALID_BASE_COLUMN_TYPES = [
       "uuid",
@@ -1571,8 +1594,11 @@ function generateAlterColumnNullability(tableName, columnName, toNullable) {
   return `ALTER TABLE ${tableName} ALTER COLUMN ${columnName} SET NOT NULL;`;
 }
 function generateCreatePolicy(tableName, policy) {
-  const command = policy.command.toUpperCase();
+  const command = policy.command === "all" ? "ALL" : policy.command.toUpperCase();
   const parts = [`CREATE POLICY "${policy.name}" ON ${tableName} FOR ${command}`];
+  if (policy.to !== void 0 && policy.to.length > 0) {
+    parts.push(`TO ${policy.to.join(", ")}`);
+  }
   if (policy.using !== void 0 && policy.using !== "") {
     parts.push(`USING (${policy.using})`);
   }
@@ -2142,6 +2168,100 @@ function parseDropTable(stmt) {
     table: normalizeIdentifier(match[1])
   };
 }
+function parseEnableRls(stmt) {
+  const s = stmt.replace(/\s+/g, " ").trim();
+  const match = s.match(/^alter\s+table\s+(\S+)\s+enable\s+row\s+level\s+security\s*;?$/i);
+  if (!match) {
+    return null;
+  }
+  return {
+    kind: "ENABLE_RLS",
+    table: normalizeIdentifier(match[1])
+  };
+}
+function extractBalancedParen(s, start) {
+  if (start < 0 || s[start] !== "(") {
+    return null;
+  }
+  let depth = 1;
+  let i = start + 1;
+  while (i < s.length && depth > 0) {
+    const c = s[i];
+    if (c === "'" && (i === 0 || s[i - 1] !== "\\")) {
+      i++;
+      while (i < s.length && (s[i] !== "'" || s[i - 1] === "\\")) {
+        i++;
+      }
+      i++;
+      continue;
+    }
+    if (c === "(") {
+      depth++;
+    } else if (c === ")") {
+      depth--;
+    }
+    i++;
+  }
+  if (depth !== 0) {
+    return null;
+  }
+  return { content: s.slice(start + 1, i - 1).trim(), endIndex: i };
+}
+function parseCreatePolicy(stmt) {
+  const s = stmt.replace(/\s+/g, " ").trim();
+  const quotedMatch = s.match(/^create\s+policy\s+"([^"]+)"\s+on\s+(\S+)\s+for\s+(all|select|insert|update|delete)/i);
+  const unquotedMatch = quotedMatch ? null : s.match(/^create\s+policy\s+(\S+)\s+on\s+(\S+)\s+for\s+(all|select|insert|update|delete)/i);
+  const match = quotedMatch ?? unquotedMatch;
+  if (!match) {
+    return null;
+  }
+  const name = match[1];
+  const table = normalizeIdentifier(match[2]);
+  const command = match[3].toLowerCase();
+  let rest = s.slice(match[0].length).trim();
+  let toRoles;
+  const toMatch = rest.match(/^\s*to\s+/i) ?? rest.match(/\s+to\s+/i);
+  if (toMatch) {
+    const toIdx = toMatch.index;
+    const afterTo = rest.slice(toIdx + toMatch[0].length);
+    const usingStart = afterTo.toLowerCase().indexOf(" using (");
+    const withCheckStart = afterTo.toLowerCase().indexOf(" with check (");
+    const end = usingStart >= 0 && withCheckStart >= 0 ? Math.min(usingStart, withCheckStart) : usingStart >= 0 ? usingStart : withCheckStart >= 0 ? withCheckStart : afterTo.length;
+    const toPart = afterTo.slice(0, end).trim();
+    if (toPart) {
+      toRoles = toPart.split(/[\s,]+/).map((r) => r.trim()).filter(Boolean);
+    }
+    rest = rest.slice(0, toIdx) + rest.slice(toIdx + toMatch[0].length + end);
+  }
+  let using;
+  let withCheck;
+  const usingIdx = rest.toLowerCase().indexOf("using (");
+  if (usingIdx !== -1) {
+    const openParen = rest.indexOf("(", usingIdx);
+    const parsed = extractBalancedParen(rest, openParen);
+    if (parsed) {
+      using = parsed.content;
+      rest = rest.slice(parsed.endIndex).trim();
+    }
+  }
+  const withCheckIdx = rest.toLowerCase().indexOf("with check (");
+  if (withCheckIdx !== -1) {
+    const openParen = rest.indexOf("(", withCheckIdx);
+    const parsed = extractBalancedParen(rest, openParen);
+    if (parsed) {
+      withCheck = parsed.content;
+    }
+  }
+  return {
+    kind: "CREATE_POLICY",
+    table,
+    name,
+    command,
+    ...using !== void 0 && using !== "" && { using },
+    ...withCheck !== void 0 && withCheck !== "" && { withCheck },
+    ...toRoles !== void 0 && toRoles.length > 0 && { to: toRoles }
+  };
+}
 function parseMigrationSql(sql) {
   const statements = splitSqlStatements(sql);
   const ops = [];
@@ -2193,7 +2313,9 @@ var init_parse_migration = __esm({
       parseSetDropDefault,
       parseAddDropConstraint,
       parseDropColumn,
-      parseDropTable
+      parseDropTable,
+      parseEnableRls,
+      parseCreatePolicy
     ];
   }
 });
@@ -2367,6 +2489,31 @@ function applySqlOps(ops) {
         delete tables[op.table];
         break;
       }
+      case "ENABLE_RLS": {
+        getOrCreateTable(tables, op.table);
+        break;
+      }
+      case "CREATE_POLICY": {
+        const table = getOrCreateTable(tables, op.table);
+        if (!table.policies) {
+          table.policies = [];
+        }
+        const policy = {
+          name: op.name,
+          table: op.table,
+          command: op.command,
+          ...op.using !== void 0 && { using: op.using },
+          ...op.withCheck !== void 0 && { withCheck: op.withCheck },
+          ...op.to !== void 0 && op.to.length > 0 && { to: op.to }
+        };
+        const existing = table.policies.findIndex((p) => p.name === op.name);
+        if (existing >= 0) {
+          table.policies[existing] = policy;
+        } else {
+          table.policies.push(policy);
+        }
+        break;
+      }
     }
   }
   const schema = { tables };
@@ -2395,17 +2542,39 @@ function renderColumn(column) {
   }
   return `  ${parts.join(" ")}`;
 }
+function renderPolicy(policy) {
+  const lines = [
+    `policy "${policy.name}" on ${policy.table}`,
+    `for ${policy.command}`
+  ];
+  if (policy.to !== void 0 && policy.to.length > 0) {
+    lines.push(`to ${policy.to.join(" ")}`);
+  }
+  if (policy.using !== void 0 && policy.using !== "") {
+    lines.push(`using ${policy.using}`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    lines.push(`with check ${policy.withCheck}`);
+  }
+  return lines.join("\n");
+}
 function schemaToDsl(schema) {
   const tableNames = Object.keys(schema.tables).sort((left, right) => left.localeCompare(right));
-  const blocks = tableNames.map((tableName) => {
+  const blocks = [];
+  for (const tableName of tableNames) {
     const table = schema.tables[tableName];
-    const lines = [`table ${table.name} {`];
+    const tableLines = [`table ${table.name} {`];
     for (const column of table.columns) {
-      lines.push(renderColumn(column));
+      tableLines.push(renderColumn(column));
     }
-    lines.push("}");
-    return lines.join("\n");
-  });
+    tableLines.push("}");
+    blocks.push(tableLines.join("\n"));
+    if (table.policies?.length) {
+      for (const policy of table.policies) {
+        blocks.push(renderPolicy(policy));
+      }
+    }
+  }
   if (blocks.length === 0) {
     return "# SchemaForge schema definition\n";
   }
@@ -2898,9 +3067,11 @@ __export(dist_exports, {
   parseAddDropConstraint: () => parseAddDropConstraint,
   parseAlterColumnType: () => parseAlterColumnType,
   parseAlterTableAddColumn: () => parseAlterTableAddColumn,
+  parseCreatePolicy: () => parseCreatePolicy,
   parseCreateTable: () => parseCreateTable,
   parseDropColumn: () => parseDropColumn,
   parseDropTable: () => parseDropTable,
+  parseEnableRls: () => parseEnableRls,
   parseMigrationSql: () => parseMigrationSql,
   parseSchema: () => parseSchema,
   parseSetDropDefault: () => parseSetDropDefault,

package/dist/cli.js

@@ -271,6 +271,7 @@ function parseSchema(source) {
     let command;
     let using;
     let withCheck;
+    let toRoles;
     let lineIdx = startLine + 1;
     while (lineIdx < lines.length) {
       const cleaned = cleanLine(lines[lineIdx]);
@@ -279,14 +280,30 @@ function parseSchema(source) {
         continue;
       }
       if (cleaned.startsWith("for ")) {
-        const cmd = cleaned.slice(4).trim().toLowerCase();
+        const rest = cleaned.slice(4).trim().toLowerCase();
+        const parts = rest.split(/\s+/);
+        const cmd = parts[0];
         if (!POLICY_COMMANDS.includes(cmd)) {
-          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, or delete`);
+          throw new Error(`Line ${lineIdx + 1}: Invalid policy command '${cmd}'. Expected: select, insert, update, delete, or all`);
         }
         if (command !== void 0) {
           throw new Error(`Line ${lineIdx + 1}: Duplicate 'for' in policy`);
         }
         command = cmd;
+        if (parts.length > 1 && parts[1] === "to" && parts.length > 2) {
+          toRoles = parts.slice(2);
+        }
+        lineIdx++;
+        continue;
+      }
+      if (cleaned.startsWith("to ")) {
+        if (toRoles !== void 0) {
+          throw new Error(`Line ${lineIdx + 1}: Duplicate 'to' in policy`);
+        }
+        const roles = cleaned.slice(3).trim().split(/\s+/).filter(Boolean);
+        if (roles.length > 0) {
+          toRoles = roles;
+        }
         lineIdx++;
         continue;
       }
@@ -316,7 +333,8 @@ function parseSchema(source) {
       table: tableIdent,
       command,
       ...using !== void 0 && { using },
-      ...withCheck !== void 0 && { withCheck }
+      ...withCheck !== void 0 && { withCheck },
+      ...toRoles !== void 0 && toRoles.length > 0 && { to: toRoles }
     };
     return { policy, nextLineIndex: lineIdx };
   }
@@ -396,7 +414,7 @@ var POLICY_COMMANDS;
 var init_parser = __esm({
   "node_modules/@xubylele/schema-forge-core/dist/core/parser.js"() {
     "use strict";
-    POLICY_COMMANDS = ["select", "insert", "update", "delete"];
+    POLICY_COMMANDS = ["select", "insert", "update", "delete", "all"];
   }
 });
 
@@ -586,6 +604,10 @@ function policyEquals(oldP, newP) {
     return false;
   if (normalizePolicyExpression(oldP.withCheck) !== normalizePolicyExpression(newP.withCheck))
     return false;
+  const oldTo = (oldP.to ?? []).slice().sort().join(",");
+  const newTo = (newP.to ?? []).slice().sort().join(",");
+  if (oldTo !== newTo)
+    return false;
   return true;
 }
 function diffSchemas(oldState, newSchema) {
@@ -961,7 +983,7 @@ function validatePolicies(schema) {
         throw new Error(`Policy "${policy.name}" on table "${tableName}": referenced table "${policy.table}" does not exist`);
       }
       if (!VALID_POLICY_COMMANDS.includes(policy.command)) {
-        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, or delete`);
+        throw new Error(`Policy "${policy.name}" on table "${tableName}": invalid command "${policy.command}". Expected: select, insert, update, delete, or all`);
       }
       const hasUsing = policy.using !== void 0 && String(policy.using).trim() !== "";
       const hasWithCheck = policy.withCheck !== void 0 && String(policy.withCheck).trim() !== "";
@@ -979,7 +1001,8 @@ var init_validator = __esm({
       "select",
       "insert",
       "update",
-      "delete"
+      "delete",
+      "all"
     ];
     VALID_BASE_COLUMN_TYPES = [
       "uuid",
@@ -1571,8 +1594,11 @@ function generateAlterColumnNullability(tableName, columnName, toNullable) {
   return `ALTER TABLE ${tableName} ALTER COLUMN ${columnName} SET NOT NULL;`;
 }
 function generateCreatePolicy(tableName, policy) {
-  const command = policy.command.toUpperCase();
+  const command = policy.command === "all" ? "ALL" : policy.command.toUpperCase();
   const parts = [`CREATE POLICY "${policy.name}" ON ${tableName} FOR ${command}`];
+  if (policy.to !== void 0 && policy.to.length > 0) {
+    parts.push(`TO ${policy.to.join(", ")}`);
+  }
   if (policy.using !== void 0 && policy.using !== "") {
     parts.push(`USING (${policy.using})`);
   }
@@ -2142,6 +2168,100 @@ function parseDropTable(stmt) {
     table: normalizeIdentifier(match[1])
   };
 }
+function parseEnableRls(stmt) {
+  const s = stmt.replace(/\s+/g, " ").trim();
+  const match = s.match(/^alter\s+table\s+(\S+)\s+enable\s+row\s+level\s+security\s*;?$/i);
+  if (!match) {
+    return null;
+  }
+  return {
+    kind: "ENABLE_RLS",
+    table: normalizeIdentifier(match[1])
+  };
+}
+function extractBalancedParen(s, start) {
+  if (start < 0 || s[start] !== "(") {
+    return null;
+  }
+  let depth = 1;
+  let i = start + 1;
+  while (i < s.length && depth > 0) {
+    const c = s[i];
+    if (c === "'" && (i === 0 || s[i - 1] !== "\\")) {
+      i++;
+      while (i < s.length && (s[i] !== "'" || s[i - 1] === "\\")) {
+        i++;
+      }
+      i++;
+      continue;
+    }
+    if (c === "(") {
+      depth++;
+    } else if (c === ")") {
+      depth--;
+    }
+    i++;
+  }
+  if (depth !== 0) {
+    return null;
+  }
+  return { content: s.slice(start + 1, i - 1).trim(), endIndex: i };
+}
+function parseCreatePolicy(stmt) {
+  const s = stmt.replace(/\s+/g, " ").trim();
+  const quotedMatch = s.match(/^create\s+policy\s+"([^"]+)"\s+on\s+(\S+)\s+for\s+(all|select|insert|update|delete)/i);
+  const unquotedMatch = quotedMatch ? null : s.match(/^create\s+policy\s+(\S+)\s+on\s+(\S+)\s+for\s+(all|select|insert|update|delete)/i);
+  const match = quotedMatch ?? unquotedMatch;
+  if (!match) {
+    return null;
+  }
+  const name = match[1];
+  const table = normalizeIdentifier(match[2]);
+  const command = match[3].toLowerCase();
+  let rest = s.slice(match[0].length).trim();
+  let toRoles;
+  const toMatch = rest.match(/^\s*to\s+/i) ?? rest.match(/\s+to\s+/i);
+  if (toMatch) {
+    const toIdx = toMatch.index;
+    const afterTo = rest.slice(toIdx + toMatch[0].length);
+    const usingStart = afterTo.toLowerCase().indexOf(" using (");
+    const withCheckStart = afterTo.toLowerCase().indexOf(" with check (");
+    const end = usingStart >= 0 && withCheckStart >= 0 ? Math.min(usingStart, withCheckStart) : usingStart >= 0 ? usingStart : withCheckStart >= 0 ? withCheckStart : afterTo.length;
+    const toPart = afterTo.slice(0, end).trim();
+    if (toPart) {
+      toRoles = toPart.split(/[\s,]+/).map((r) => r.trim()).filter(Boolean);
+    }
+    rest = rest.slice(0, toIdx) + rest.slice(toIdx + toMatch[0].length + end);
+  }
+  let using;
+  let withCheck;
+  const usingIdx = rest.toLowerCase().indexOf("using (");
+  if (usingIdx !== -1) {
+    const openParen = rest.indexOf("(", usingIdx);
+    const parsed = extractBalancedParen(rest, openParen);
+    if (parsed) {
+      using = parsed.content;
+      rest = rest.slice(parsed.endIndex).trim();
+    }
+  }
+  const withCheckIdx = rest.toLowerCase().indexOf("with check (");
+  if (withCheckIdx !== -1) {
+    const openParen = rest.indexOf("(", withCheckIdx);
+    const parsed = extractBalancedParen(rest, openParen);
+    if (parsed) {
+      withCheck = parsed.content;
+    }
+  }
+  return {
+    kind: "CREATE_POLICY",
+    table,
+    name,
+    command,
+    ...using !== void 0 && using !== "" && { using },
+    ...withCheck !== void 0 && withCheck !== "" && { withCheck },
+    ...toRoles !== void 0 && toRoles.length > 0 && { to: toRoles }
+  };
+}
 function parseMigrationSql(sql) {
   const statements = splitSqlStatements(sql);
   const ops = [];
@@ -2193,7 +2313,9 @@ var init_parse_migration = __esm({
       parseSetDropDefault,
       parseAddDropConstraint,
       parseDropColumn,
-      parseDropTable
+      parseDropTable,
+      parseEnableRls,
+      parseCreatePolicy
     ];
   }
 });
@@ -2367,6 +2489,31 @@ function applySqlOps(ops) {
         delete tables[op.table];
         break;
       }
+      case "ENABLE_RLS": {
+        getOrCreateTable(tables, op.table);
+        break;
+      }
+      case "CREATE_POLICY": {
+        const table = getOrCreateTable(tables, op.table);
+        if (!table.policies) {
+          table.policies = [];
+        }
+        const policy = {
+          name: op.name,
+          table: op.table,
+          command: op.command,
+          ...op.using !== void 0 && { using: op.using },
+          ...op.withCheck !== void 0 && { withCheck: op.withCheck },
+          ...op.to !== void 0 && op.to.length > 0 && { to: op.to }
+        };
+        const existing = table.policies.findIndex((p) => p.name === op.name);
+        if (existing >= 0) {
+          table.policies[existing] = policy;
+        } else {
+          table.policies.push(policy);
+        }
+        break;
+      }
     }
   }
   const schema = { tables };
@@ -2395,17 +2542,39 @@ function renderColumn(column) {
   }
   return `  ${parts.join(" ")}`;
 }
+function renderPolicy(policy) {
+  const lines = [
+    `policy "${policy.name}" on ${policy.table}`,
+    `for ${policy.command}`
+  ];
+  if (policy.to !== void 0 && policy.to.length > 0) {
+    lines.push(`to ${policy.to.join(" ")}`);
+  }
+  if (policy.using !== void 0 && policy.using !== "") {
+    lines.push(`using ${policy.using}`);
+  }
+  if (policy.withCheck !== void 0 && policy.withCheck !== "") {
+    lines.push(`with check ${policy.withCheck}`);
+  }
+  return lines.join("\n");
+}
 function schemaToDsl(schema) {
   const tableNames = Object.keys(schema.tables).sort((left, right) => left.localeCompare(right));
-  const blocks = tableNames.map((tableName) => {
+  const blocks = [];
+  for (const tableName of tableNames) {
     const table = schema.tables[tableName];
-    const lines = [`table ${table.name} {`];
+    const tableLines = [`table ${table.name} {`];
     for (const column of table.columns) {
-      lines.push(renderColumn(column));
+      tableLines.push(renderColumn(column));
     }
-    lines.push("}");
-    return lines.join("\n");
-  });
+    tableLines.push("}");
+    blocks.push(tableLines.join("\n"));
+    if (table.policies?.length) {
+      for (const policy of table.policies) {
+        blocks.push(renderPolicy(policy));
+      }
+    }
+  }
   if (blocks.length === 0) {
     return "# SchemaForge schema definition\n";
   }
@@ -2898,9 +3067,11 @@ __export(dist_exports, {
   parseAddDropConstraint: () => parseAddDropConstraint,
   parseAlterColumnType: () => parseAlterColumnType,
   parseAlterTableAddColumn: () => parseAlterTableAddColumn,
+  parseCreatePolicy: () => parseCreatePolicy,
   parseCreateTable: () => parseCreateTable,
   parseDropColumn: () => parseDropColumn,
   parseDropTable: () => parseDropTable,
+  parseEnableRls: () => parseEnableRls,
   parseMigrationSql: () => parseMigrationSql,
   parseSchema: () => parseSchema,
   parseSetDropDefault: () => parseSetDropDefault,
@@ -2951,7 +3122,7 @@ var import_commander8 = require("commander");
 // package.json
 var package_default = {
   name: "@xubylele/schema-forge",
-  version: "1.12.0",
+  version: "1.12.1",
   description: "Universal migration generator from schema DSL",
   main: "dist/cli.js",
   type: "commonjs",
@@ -3012,7 +3183,7 @@ var package_default = {
     "@changesets/cli": "^2.30.0",
     "@types/node": "^25.2.3",
     "@types/pg": "^8.18.0",
-    "@xubylele/schema-forge-core": "^1.4.0",
+    "@xubylele/schema-forge-core": "^1.5.0",
     testcontainers: "^11.8.1",
     "ts-node": "^10.9.2",
     tsup: "^8.5.1",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xubylele/schema-forge",
-  "version": "1.12.0",
+  "version": "1.12.1",
   "description": "Universal migration generator from schema DSL",
   "main": "dist/cli.js",
   "type": "commonjs",
@@ -61,7 +61,7 @@
     "@changesets/cli": "^2.30.0",
     "@types/node": "^25.2.3",
     "@types/pg": "^8.18.0",
-    "@xubylele/schema-forge-core": "^1.4.0",
+    "@xubylele/schema-forge-core": "^1.5.0",
     "testcontainers": "^11.8.1",
     "ts-node": "^10.9.2",
     "tsup": "^8.5.1",