orchid-orm 1.70.0 → 1.71.0

package/dist/migrations/index.js

@@ -1336,28 +1336,42 @@ const dropCheck = ({ changeTableAst: { drop }, changingColumns }, dbCheck, name)
 };
 const defaultRlsState = {
 	enable: false,
-	force: false
+	force: true
 };
 const normalizeRlsFlag = (value, defaultValue) => {
 	if (value === void 0) return defaultValue;
 	return value === true || value === "true" || value === "t";
 };
-const processTableRls = (ast, dbStructure, tables, currentSchema) => {
+const processTableRls = async (adapter, ast, dbStructure, tables, currentSchema, generatorIgnore) => {
 	const projectRlsDefaults = tables[0]?.internal.rls?.tableRlsDefaults;
+	const ignore = generatorIgnore;
+	const ignoredTableSet = toIgnoredTableSet(ignore?.tables, currentSchema);
+	const ignoredRlsTableSet = toIgnoredTableSet(ignore?.rls?.tables, currentSchema);
+	const ignoredPolicyMap = toIgnoredPolicyMap(ignore?.rls?.policies, currentSchema);
 	for (const table of tables) {
 		const tableRls = table.internal.tableRls;
 		if (!tableRls) continue;
 		const schemaName = table.q.schema ?? currentSchema;
+		const tableId = `${schemaName}.${table.table}`;
+		if (ignoredTableSet.has(tableId) || ignoredRlsTableSet.has(tableId)) continue;
 		const dbTable = dbStructure.tables.find((item) => item.schemaName === schemaName && item.name === table.table);
-		if (!dbTable) continue;
+		const ignoredPolicyNames = ignoredPolicyMap.get(tableId);
 		const codeRls = {
 			enable: normalizeRlsFlag(tableRls.enable ?? projectRlsDefaults?.enable, defaultRlsState.enable),
 			force: normalizeRlsFlag(tableRls.force ?? projectRlsDefaults?.force, defaultRlsState.force)
 		};
 		const dbRls = {
-			enable: normalizeRlsFlag(dbTable.rls?.enable, defaultRlsState.enable),
-			force: normalizeRlsFlag(dbTable.rls?.force, defaultRlsState.force)
+			enable: normalizeRlsFlag(dbTable?.rls?.enable, defaultRlsState.enable),
+			force: normalizeRlsFlag(dbTable?.rls?.force, false)
 		};
+		const policyExpressionComparisons = [];
+		const policyChanges = collectPolicyChanges(schemaName, table.table, normalizeCodePolicies(tableRls, ignoredPolicyNames), normalizeDbPolicies(dbTable?.rls?.policies, ignoredPolicyNames), policyExpressionComparisons, (0, rake_db.concatSchemaAndName)({
+			schema: schemaName,
+			name: table.table
+		}));
+		if (policyExpressionComparisons.length) await compareSqlExpressions(policyExpressionComparisons, adapter);
+		const disableFirst = !codeRls.enable && dbRls.enable;
+		if (!disableFirst) pushPolicyChanges(ast, policyChanges);
 		if (codeRls.enable !== dbRls.enable) ast.push({
 			type: "tableRls",
 			action: codeRls.enable ? "enable" : "disable",
@@ -1370,7 +1384,250 @@ const processTableRls = (ast, dbStructure, tables, currentSchema) => {
 			schema: schemaName,
 			table: table.table
 		});
+		if (disableFirst) pushPolicyChanges(ast, policyChanges);
+	}
+};
+const toIgnoredTableSet = (tables, currentSchema) => {
+	const ignored = /* @__PURE__ */ new Set();
+	if (!tables) return ignored;
+	for (const name of tables) {
+		const [schema = currentSchema, table] = (0, rake_db.getSchemaAndTableFromName)(currentSchema, name);
+		ignored.add(`${schema}.${table}`);
+	}
+	return ignored;
+};
+const toIgnoredPolicyMap = (items, currentSchema) => {
+	const result = /* @__PURE__ */ new Map();
+	if (!items) return result;
+	for (const item of items) {
+		const [schema = currentSchema, table] = (0, rake_db.getSchemaAndTableFromName)(currentSchema, item.table);
+		const key = `${schema}.${table}`;
+		let set = result.get(key);
+		if (!set) {
+			set = /* @__PURE__ */ new Set();
+			result.set(key, set);
+		}
+		for (const name of item.names) set.add(name);
+	}
+	return result;
+};
+const normalizeCodePolicies = (tableRls, ignoredPolicyNames) => {
+	const result = [];
+	const permit = tableRls.permit ?? [];
+	const restrict = tableRls.restrict ?? [];
+	for (const policy of permit) {
+		const normalized = normalizeCodePolicy("PERMISSIVE", policy);
+		if (normalized && !ignoredPolicyNames?.has(normalized.name)) result.push(normalized);
+	}
+	for (const policy of restrict) {
+		const normalized = normalizeCodePolicy("RESTRICTIVE", policy);
+		if (normalized && !ignoredPolicyNames?.has(normalized.name)) result.push(normalized);
 	}
+	return result;
+};
+const normalizeCodePolicy = (as, policy) => {
+	if (!policy?.name) return;
+	return {
+		name: policy.name,
+		as,
+		for: policy.for ?? "ALL",
+		to: normalizePolicyRoles(policy.to),
+		using: toSqlText(policy.using),
+		withCheck: toSqlText(policy.withCheck)
+	};
+};
+const normalizeDbPolicies = (policies, ignoredPolicyNames) => {
+	if (!policies) return [];
+	const result = [];
+	for (const policy of policies) {
+		if (ignoredPolicyNames?.has(policy.name)) continue;
+		result.push({
+			name: policy.name,
+			as: policy.mode,
+			for: policy.command,
+			to: normalizePolicyRoles(policy.roles),
+			using: policy.using,
+			withCheck: policy.withCheck
+		});
+	}
+	return result;
+};
+const normalizePolicyRoles = (roles) => {
+	const result = (Array.isArray(roles) ? roles : roles ? [roles] : ["public"]).map((role) => role.toLowerCase() === "public" ? "public" : role);
+	return result.length ? result : ["public"];
+};
+const toSqlText = (value) => {
+	if (!value) return;
+	return value.toSQL({ values: [] });
+};
+const collectPolicyChanges = (schema, table, codePolicies, dbPolicies, compareExpressions, source) => {
+	const changes = [];
+	const dbPolicyMap = /* @__PURE__ */ new Map();
+	for (const policy of dbPolicies) dbPolicyMap.set(policy.name, policy);
+	const codePolicyMap = /* @__PURE__ */ new Map();
+	for (const policy of codePolicies) codePolicyMap.set(policy.name, policy);
+	const unmatchedCodePolicies = [];
+	const unmatchedDbPolicies = [];
+	for (const policy of codePolicies) {
+		const dbPolicy = dbPolicyMap.get(policy.name);
+		if (!dbPolicy) {
+			unmatchedCodePolicies.push(policy);
+			continue;
+		}
+		const recreate = policy.as !== dbPolicy.as || policy.for !== dbPolicy.for;
+		const toChanged = !isSameStringArray(policy.to, dbPolicy.to);
+		const from = {};
+		const to = {};
+		const codeUsing = policy.using;
+		const dbUsing = dbPolicy.using;
+		const codeWithCheck = policy.withCheck;
+		const dbWithCheck = dbPolicy.withCheck;
+		const hasUsing = codeUsing !== void 0 || dbUsing !== void 0;
+		const hasWithCheck = codeWithCheck !== void 0 || dbWithCheck !== void 0;
+		if (toChanged) {
+			from.to = dbPolicy.to;
+			to.to = policy.to;
+		}
+		const usingCanCompare = codeUsing !== void 0 && dbUsing !== void 0;
+		const withCheckCanCompare = codeWithCheck !== void 0 && dbWithCheck !== void 0;
+		const applyExpressionDiff = (matched) => {
+			const usingChanged = usingCanCompare ? !matched : hasUsing && !usingCanCompare;
+			const withCheckChanged = withCheckCanCompare ? !matched : hasWithCheck && !withCheckCanCompare;
+			if (usingChanged) {
+				from.using = dbPolicy.using;
+				to.using = policy.using;
+			}
+			if (withCheckChanged) {
+				from.withCheck = dbPolicy.withCheck;
+				to.withCheck = policy.withCheck;
+			}
+			if (recreate) {
+				changes.push({
+					type: "changePolicy",
+					schema,
+					table,
+					name: policy.name,
+					from: {
+						as: dbPolicy.as,
+						for: dbPolicy.for,
+						to: dbPolicy.to,
+						using: dbPolicy.using,
+						withCheck: dbPolicy.withCheck
+					},
+					to: {
+						as: policy.as,
+						for: policy.for,
+						to: policy.to,
+						using: policy.using,
+						withCheck: policy.withCheck
+					}
+				});
+				return;
+			}
+			if (!Object.keys(from).length) return;
+			changes.push({
+				type: "changePolicy",
+				schema,
+				table,
+				name: policy.name,
+				from,
+				to
+			});
+		};
+		if (!hasUsing && !hasWithCheck) {
+			applyExpressionDiff(true);
+			continue;
+		}
+		const compare = [];
+		if (usingCanCompare) compare.push({
+			inDb: dbUsing,
+			inCode: [codeUsing]
+		});
+		if (withCheckCanCompare) compare.push({
+			inDb: dbWithCheck,
+			inCode: [codeWithCheck]
+		});
+		if (!compare.length) {
+			applyExpressionDiff(false);
+			continue;
+		}
+		compareExpressions.push({
+			source,
+			compare,
+			handle(i) {
+				applyExpressionDiff(i !== void 0);
+			}
+		});
+	}
+	for (const policy of dbPolicies) {
+		if (codePolicyMap.has(policy.name)) continue;
+		unmatchedDbPolicies.push(policy);
+	}
+	const pairedDbPolicyNames = /* @__PURE__ */ new Set();
+	const pairedCodePolicyNames = /* @__PURE__ */ new Set();
+	for (const policy of unmatchedCodePolicies) {
+		const renamedFrom = unmatchedDbPolicies.find((item) => !pairedDbPolicyNames.has(item.name) && item.as === policy.as && item.for === policy.for);
+		if (!renamedFrom) continue;
+		pairedDbPolicyNames.add(renamedFrom.name);
+		pairedCodePolicyNames.add(policy.name);
+		changes.push({
+			type: "changePolicy",
+			schema,
+			table,
+			name: renamedFrom.name,
+			from: {
+				name: renamedFrom.name,
+				to: renamedFrom.to,
+				using: renamedFrom.using,
+				withCheck: renamedFrom.withCheck
+			},
+			to: {
+				name: policy.name,
+				to: policy.to,
+				using: policy.using,
+				withCheck: policy.withCheck
+			}
+		});
+	}
+	for (const policy of unmatchedCodePolicies) {
+		if (pairedCodePolicyNames.has(policy.name)) continue;
+		changes.push({
+			type: "policy",
+			action: "create",
+			schema,
+			table,
+			name: policy.name,
+			as: policy.as,
+			for: policy.for,
+			to: policy.to,
+			using: policy.using,
+			withCheck: policy.withCheck
+		});
+	}
+	for (const policy of unmatchedDbPolicies) {
+		if (pairedDbPolicyNames.has(policy.name)) continue;
+		changes.push({
+			type: "policy",
+			action: "drop",
+			schema,
+			table,
+			name: policy.name,
+			as: policy.as,
+			for: policy.for,
+			to: policy.to,
+			using: policy.using,
+			withCheck: policy.withCheck
+		});
+	}
+	return changes;
+};
+const pushPolicyChanges = (ast, changes) => {
+	for (const change of changes) ast.push(change);
+};
+const isSameStringArray = (a, b) => {
+	if (a.length !== b.length) return false;
+	for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
+	return true;
 };
 const processTables = async (ast, domainsMap, adapter, dbStructure, config, { structureToAstCtx, codeItems: { tables }, currentSchema, internal: { generatorIgnore }, verifying }, pendingDbTypes) => {
 	const createTables = collectCreateTables(tables, dbStructure, currentSchema);
@@ -1385,7 +1642,7 @@ const processTables = async (ast, domainsMap, adapter, dbStructure, config, { st
 	await applyChangeTables(adapter, changeTables, structureToAstCtx, dbStructure, domainsMap, ast, currentSchema, config, compareSql, tableExpressions, verifying, pendingDbTypes);
 	processForeignKeys(config, ast, changeTables, currentSchema, tableShapes);
 	await Promise.all([applyCompareSql(compareSql, adapter), compareSqlExpressions(tableExpressions, adapter)]);
-	processTableRls(ast, dbStructure, tables, currentSchema);
+	await processTableRls(adapter, ast, dbStructure, tables, currentSchema, generatorIgnore);
 	for (const dbTable of dropTables) ast.push((0, rake_db.tableToAst)(structureToAstCtx, dbStructure, dbTable, "drop", domainsMap));
 };
 const collectCreateTables = (tables, dbStructure, currentSchema) => {
@@ -1745,7 +2002,7 @@ const privilegeConfigsMatch = (a, b, objectType, objectTypeToAllPrivileges) => {
 	if (b.privilege === "ALL" && a.isGrantable === b.isGrantable) return expectedPrivs.includes(a.privilege);
 	return false;
 };
-const normalizeRoleName = (name) => {
+const normalizeRoleName$1 = (name) => {
 	if (name.startsWith("\"") && name.endsWith("\"")) return name.slice(1, -1);
 	return name;
 };
@@ -1815,7 +2072,7 @@ const processDefaultPrivileges = (ast, dbStructure, { internal: { roles } }) =>
 	}
 	const found = /* @__PURE__ */ new Set();
 	for (const dbPrivilege of dbStructure.defaultPrivileges) {
-		const grantee = normalizeRoleName(dbPrivilege.grantee);
+		const grantee = normalizeRoleName$1(dbPrivilege.grantee);
 		if (grantee === "postgres") continue;
 		const key = `${grantee}.${dbPrivilege.schema}`;
 		const codePrivilege = codePrivileges.get(key);
@@ -1891,6 +2148,280 @@ const processDefaultPrivileges = (ast, dbStructure, { internal: { roles } }) =>
 		});
 	}
 };
+const targetKeys = [
+	"schemas",
+	"tables",
+	"sequences",
+	"routines",
+	"types",
+	"domains",
+	"databases"
+];
+const schemaWideTargetKeys = [
+	"allTablesIn",
+	"allSequencesIn",
+	"allRoutinesIn"
+];
+const supportedPrivileges = {
+	schemas: ["USAGE", "CREATE"],
+	tables: [
+		"SELECT",
+		"INSERT",
+		"UPDATE",
+		"DELETE",
+		"TRUNCATE",
+		"REFERENCES",
+		"TRIGGER",
+		"MAINTAIN"
+	],
+	sequences: [
+		"USAGE",
+		"SELECT",
+		"UPDATE"
+	],
+	routines: ["EXECUTE"],
+	types: ["USAGE"],
+	domains: ["USAGE"],
+	databases: [
+		"CREATE",
+		"CONNECT",
+		"TEMPORARY"
+	]
+};
+const schemaWideToConcreteTarget = {
+	allTablesIn: "tables",
+	allSequencesIn: "sequences",
+	allRoutinesIn: "routines"
+};
+const processGrants = (ast, dbStructure, params) => {
+	const { grants } = params.internal;
+	if (!grants || !dbStructure.grants) return;
+	const codeStates = collectCodeGrants(dbStructure, params).filter((grant) => !isIgnoredGrant(grant, params));
+	const dbStates = collectDbGrants(dbStructure, params.currentSchema).filter((grant) => !isIgnoredGrant(grant, params));
+	const managedTargets = getManagedGrantTargets(params);
+	for (const code of codeStates) {
+		const actual = dbStates.filter((db) => isSameGrantTarget(code, db));
+		addGrantAst(ast, "grant", code, missingPrivileges(code.grantablePrivileges, actual, "grantablePrivileges"), "grantablePrivileges");
+		addGrantAst(ast, "revoke", code, grantOptionsToRevoke(code.privileges, code.grantablePrivileges, actual), "grantablePrivileges");
+		addGrantAst(ast, "grant", code, missingPrivileges(code.privileges, actual, "privileges"), "privileges");
+	}
+	for (const actual of dbStates) {
+		const configured = codeStates.filter((code) => isSameGrantTarget(code, actual));
+		if (!shouldRevokeActualGrant(actual, configured, managedTargets)) continue;
+		const revokeGrant = getRevokeGrantState(actual, configured);
+		addGrantAst(ast, "revoke", revokeGrant, privilegesToRevoke(actual.privileges, configured), "privileges");
+		addGrantAst(ast, "revoke", revokeGrant, privilegesToRevoke(actual.grantablePrivileges, configured), "grantablePrivileges");
+	}
+};
+const getManagedGrantTargets = ({ codeItems, currentSchema }) => {
+	const targets = {
+		tables: /* @__PURE__ */ new Set(),
+		domains: /* @__PURE__ */ new Set(),
+		types: /* @__PURE__ */ new Set()
+	};
+	for (const table of codeItems.tables) targets.tables.add(`${table.q.schema ?? currentSchema}.${table.table}`);
+	for (const domain of codeItems.domains) targets.domains.add(`${domain.schemaName}.${domain.name}`);
+	for (const enumItem of codeItems.enums.values()) targets.types.add(`${enumItem.schema ?? currentSchema}.${enumItem.name}`);
+	return targets;
+};
+const shouldRevokeActualGrant = (actual, configured, managedTargets) => {
+	if (configured.length) return true;
+	if (actual.targetKey === "tables") return managedTargets.tables.has(actual.target);
+	if (actual.targetKey === "domains") return managedTargets.domains.has(actual.target);
+	if (actual.targetKey === "types") return managedTargets.types.has(actual.target);
+	return false;
+};
+const getRevokeGrantState = (actual, configured) => {
+	if (configured.some((grant) => grant.grantedBy)) return actual;
+	return {
+		...actual,
+		grantedBy: void 0
+	};
+};
+const collectCodeGrants = (dbStructure, { currentSchema, internal }) => {
+	const states = [];
+	for (const grant of internal.grants ?? []) {
+		for (const targetKey of targetKeys) {
+			const values = grant[targetKey];
+			if (!values?.length) continue;
+			addStates(states, withEffectiveGrantor(grant, internal), targetKey, values, currentSchema);
+		}
+		for (const targetKey of schemaWideTargetKeys) {
+			const values = grant[targetKey];
+			if (!values?.length) continue;
+			const concreteTargetKey = schemaWideToConcreteTarget[targetKey];
+			addStates(states, withEffectiveGrantor(grant, internal), concreteTargetKey, getSchemaWideTargets(dbStructure, concreteTargetKey, values), currentSchema);
+		}
+	}
+	return states;
+};
+const collectDbGrants = (dbStructure, currentSchema) => {
+	const states = [];
+	for (const grant of dbStructure.grants ?? []) for (const targetKey of targetKeys) {
+		const values = grant[targetKey];
+		if (!values?.length) continue;
+		addStates(states, grant, targetKey, values, currentSchema);
+	}
+	return states;
+};
+const withEffectiveGrantor = (grant, internal) => {
+	return {
+		...grant,
+		grantedBy: grant.grantedBy ?? internal.defaultGrantedBy
+	};
+};
+const isIgnoredGrant = (grant, { currentSchema, internal: { generatorIgnore } }) => {
+	const { grants } = generatorIgnore ?? {};
+	if (matchesSelector(grants?.roles, grant.to)) return true;
+	const names = getGrantTargetNames(grant, currentSchema);
+	if (matchesSelector(grants?.[grant.targetKey], names)) return true;
+	if (grant.targetKey === "tables" && names.schema && matchesSelector(grants?.allTablesIn, names.schema)) return true;
+	if (grant.targetKey === "sequences" && names.schema && matchesSelector(grants?.allSequencesIn, names.schema)) return true;
+	if (grant.targetKey === "routines" && names.schema && matchesSelector(grants?.allRoutinesIn, names.schema)) return true;
+	return isTopLevelIgnoredGrant(grant, names, generatorIgnore);
+};
+const isTopLevelIgnoredGrant = (grant, names, generatorIgnore) => {
+	if (grant.targetKey === "schemas") return !!generatorIgnore?.schemas?.includes(grant.target);
+	if (names.schema && generatorIgnore?.schemas?.includes(names.schema)) return true;
+	if (grant.targetKey === "tables") return isIgnoredByName(generatorIgnore?.tables, names);
+	if (grant.targetKey === "domains") return isIgnoredByName(generatorIgnore?.domains, names);
+	return false;
+};
+const getGrantTargetNames = (grant, currentSchema) => {
+	if (grant.targetKey === "schemas" || grant.targetKey === "databases") return {
+		name: grant.target,
+		qualified: grant.target
+	};
+	const [schema, name] = (0, rake_db.getSchemaAndTableFromName)(currentSchema, grant.target);
+	return {
+		schema,
+		name,
+		qualified: schema ? `${schema}.${name}` : name
+	};
+};
+const isIgnoredByName = (ignored, names) => {
+	return !!ignored?.some((name) => name === names.qualified || name === names.name || (names.schema ? name === `${names.schema}.${names.name}` : false));
+};
+const matchesSelector = (selector, value) => {
+	if (!selector) return false;
+	const values = typeof value === "string" ? [value] : [
+		value.qualified,
+		value.name,
+		value.schema
+	].filter(isString);
+	return (Array.isArray(selector) ? selector : [selector]).some((item) => values.some((name) => typeof item === "string" ? item === name : item.test(name)));
+};
+const isString = (value) => {
+	return !!value;
+};
+const addStates = (states, grant, targetKey, values, currentSchema) => {
+	for (const to of grant.to) for (const value of values) {
+		const target = typeof value === "string" ? normalizeTarget(targetKey, value, currentSchema) : value.target;
+		addOrMergeState(states, {
+			targetKey,
+			target,
+			outputTarget: typeof value === "string" ? normalizeOutputTarget(target, currentSchema) : value.outputTarget,
+			to: normalizeRoleName(to),
+			grantedBy: grant.grantedBy ? normalizeRoleName(grant.grantedBy) : void 0,
+			privileges: expandPrivileges(targetKey, grant.privileges),
+			grantablePrivileges: expandPrivileges(targetKey, grant.grantablePrivileges)
+		});
+	}
+};
+const addOrMergeState = (states, state) => {
+	const existing = states.find((item) => isSameExactGrantTarget(item, state));
+	if (!existing) {
+		removeGrantableFromOrdinary(state);
+		states.push(state);
+		return;
+	}
+	for (const privilege of state.privileges) if (!existing.grantablePrivileges.has(privilege)) existing.privileges.add(privilege);
+	for (const privilege of state.grantablePrivileges) {
+		existing.grantablePrivileges.add(privilege);
+		existing.privileges.delete(privilege);
+	}
+};
+const removeGrantableFromOrdinary = (state) => {
+	for (const privilege of state.grantablePrivileges) state.privileges.delete(privilege);
+};
+const normalizeRoleName = (name) => {
+	return name.startsWith("\"") && name.endsWith("\"") ? name.slice(1, -1) : name;
+};
+const getSchemaWideTargets = (dbStructure, targetKey, schemas) => {
+	const selectedSchemas = new Set(schemas);
+	if (targetKey === "tables") return [...dbStructure.tables.map((table) => ({
+		target: `${table.schemaName}.${table.name}`,
+		outputTarget: `${table.schemaName}.${table.name}`
+	})), ...dbStructure.views.map((view) => ({
+		target: `${view.schemaName}.${view.name}`,
+		outputTarget: `${view.schemaName}.${view.name}`
+	}))].filter((item) => selectedSchemas.has(item.target.split(".")[0]));
+	if (targetKey === "sequences" || targetKey === "routines") return getSchemaWideGrantTargets(dbStructure, targetKey, selectedSchemas);
+	return [];
+};
+const getSchemaWideGrantTargets = (dbStructure, targetKey, selectedSchemas) => {
+	const targets = /* @__PURE__ */ new Map();
+	for (const grant of dbStructure.grants ?? []) for (const target of grant[targetKey] ?? []) {
+		const [schema] = target.split(".");
+		if (!selectedSchemas.has(schema)) continue;
+		targets.set(target, {
+			target,
+			outputTarget: target
+		});
+	}
+	return [...targets.values()];
+};
+const normalizeTarget = (targetKey, value, currentSchema) => {
+	if (targetKey === "schemas" || targetKey === "databases") return value;
+	const [schema, name] = (0, rake_db.getSchemaAndTableFromName)(currentSchema, value);
+	return `${schema ?? currentSchema}.${name}`;
+};
+const normalizeOutputTarget = (target, currentSchema) => {
+	const [schema, name] = target.split(".");
+	if (!name) return target;
+	return schema === currentSchema ? name : target;
+};
+const expandPrivileges = (targetKey, privileges) => {
+	const set = /* @__PURE__ */ new Set();
+	for (const privilege of privileges ?? []) if (privilege === "ALL") for (const supported of supportedPrivileges[targetKey]) set.add(supported);
+	else set.add(privilege === "TEMP" ? "TEMPORARY" : privilege);
+	return set;
+};
+const isSameGrantTarget = (a, b) => {
+	return a.targetKey === b.targetKey && a.target === b.target && a.to === b.to && (!a.grantedBy || !b.grantedBy || a.grantedBy === b.grantedBy);
+};
+const isSameExactGrantTarget = (a, b) => {
+	return a.targetKey === b.targetKey && a.target === b.target && a.to === b.to && a.grantedBy === b.grantedBy;
+};
+const missingPrivileges = (expected, actual, key) => {
+	const result = [];
+	for (const privilege of expected) if (!actual.some((state) => state[key].has(privilege))) result.push(privilege);
+	return result;
+};
+const grantOptionsToRevoke = (expectedOrdinary, expectedGrantable, actual) => {
+	const result = [];
+	for (const privilege of expectedOrdinary) {
+		if (expectedGrantable.has(privilege)) continue;
+		if (actual.some((state) => state.grantablePrivileges.has(privilege))) result.push(privilege);
+	}
+	return result;
+};
+const privilegesToRevoke = (actual, configured) => {
+	const result = [];
+	for (const privilege of actual) if (!configured.some((state) => state.privileges.has(privilege) || state.grantablePrivileges.has(privilege))) result.push(privilege);
+	return result;
+};
+const addGrantAst = (ast, action, grant, privileges, privilegeKey) => {
+	if (!privileges.length) return;
+	ast.push({
+		type: "grant",
+		action,
+		to: [grant.to],
+		[grant.targetKey]: [grant.outputTarget],
+		[privilegeKey]: privileges,
+		grantedBy: grant.grantedBy
+	});
+};
 /**
 * This is needed to compare SQLs of table expressions.
 * Need to exclude table columns of pending types, such as enums or domains,
@@ -1909,6 +2440,7 @@ const composeMigration = async (adapter, config, ast, dbStructure, params) => {
 	const { structureToAstCtx, currentSchema } = params;
 	await processRoles(ast, dbStructure, params);
 	processDefaultPrivileges(ast, dbStructure, params);
+	processGrants(ast, dbStructure, params);
 	const domainsMap = (0, rake_db.makeDomainsMap)(structureToAstCtx, dbStructure);
 	await processSchemas(ast, dbStructure, params);
 	processExtensions(ast, dbStructure, params);
@@ -1919,7 +2451,7 @@ const composeMigration = async (adapter, config, ast, dbStructure, params) => {
 	return (0, rake_db.astToMigration)(currentSchema, config, ast);
 };
 const rollbackErr = /* @__PURE__ */ new Error("Rollback");
-const verifyMigration = async (adapter, config, migrationCode, generateMigrationParams, roles, defaultPrivileges) => {
+const verifyMigration = async (adapter, config, migrationCode, generateMigrationParams, roles, structureParams) => {
 	const migrationFn = new Function("change", migrationCode);
 	let code;
 	try {
@@ -1936,7 +2468,7 @@ const verifyMigration = async (adapter, config, migrationCode, generateMigration
 			const dbStructure = await (0, rake_db.introspectDbSchema)(trx, {
 				rls: generateMigrationParams.codeItems.tables.some((table) => !!table.internal.tableRls),
 				roles,
-				loadDefaultPrivileges: defaultPrivileges?.loadDefaultPrivileges
+				...structureParams
 			});
 			generateMigrationParams.verifying = true;
 			try {
@@ -2122,6 +2654,14 @@ const report = (ast, config, currentSchema) => {
 			if (parts.length) code.push(parts.join("\n"));
 			break;
 		}
+		case "grant": {
+			const parts = [];
+			const target = grantTargetToReport(a, currentSchema);
+			if (a.privileges?.length) parts.push(`${a.action === "grant" ? green("+ grant privileges") : red("- revoke privileges")} ${a.privileges.map(mapGrantPrivilege).join(", ")} on ${target} ${a.action === "grant" ? "to" : "from"} ${a.to.join(", ")}`);
+			if (a.grantablePrivileges?.length) parts.push(`${a.action === "grant" ? green("+ grant privileges") : red("- revoke privileges")} ${a.grantablePrivileges.map(mapGrantPrivilege).join(", ")} on ${target} with grant option ${a.action === "grant" ? "to" : "from"} ${a.to.join(", ")}`);
+			if (parts.length) code.push(parts.join("\n"));
+			break;
+		}
 		case "tableRls": {
 			const table = dbItemName({
 				schema: a.schema,
@@ -2131,6 +2671,28 @@ const report = (ast, config, currentSchema) => {
 			code.push(message);
 			break;
 		}
+		case "policy": {
+			const summary = formatPolicySummary(a, dbItemName({
+				schema: a.schema,
+				name: a.table
+			}, currentSchema));
+			const message = a.action === "create" ? `${green("+ create policy")} ${a.name}: ${summary}` : `${red("- drop policy")} ${a.name}: ${summary}`;
+			code.push(message);
+			break;
+		}
+		case "changePolicy": {
+			const table = dbItemName({
+				schema: a.schema,
+				name: a.table
+			}, currentSchema);
+			const fromName = a.from.name ?? a.name;
+			const toName = a.to.name ?? a.name;
+			const message = fromName === toName ? `${yellow("~ change policy")} ${a.name} on ${table}:` : `${yellow("~ rename policy")} ${fromName} ${yellow("=>")} ${toName} on ${table}:`;
+			const inner = [`${yellow("from")}: ${formatPolicyChangeDefinition(a.from)}`, `${yellow("to")}: ${formatPolicyChangeDefinition(a.to)}`];
+			code.push(message);
+			code.push(inner);
+			break;
+		}
 		default: (0, pqb_internal.exhaustive)(a);
 	}
 	const result = (0, pqb_internal.codeToString)(code, "", "  ");
@@ -2139,6 +2701,64 @@ const report = (ast, config, currentSchema) => {
 const dbItemName = ({ schema, name }, currentSchema) => {
 	return schema && schema !== currentSchema ? `${schema}.${name}` : name;
 };
+const grantTargetKeys = [
+	"schemas",
+	"tables",
+	"sequences",
+	"routines",
+	"types",
+	"domains",
+	"databases"
+];
+const mapGrantPrivilege = (privilege) => {
+	return privilege === "ALL" ? "ALL PRIVILEGES" : privilege;
+};
+const grantTargetToReport = (grant, currentSchema) => {
+	for (const key of grantTargetKeys) {
+		const targets = grant[key];
+		if (!targets?.length) continue;
+		return `${key} ${targets.map((target) => formatGrantTarget(key, target, currentSchema)).join(", ")}`;
+	}
+	return "unknown target";
+};
+const formatGrantTarget = (key, target, currentSchema) => {
+	if (key === "schemas" || key === "databases") return target;
+	const [schema, name] = (0, rake_db.getSchemaAndTableFromName)(currentSchema, target);
+	return dbItemName({
+		schema,
+		name
+	}, currentSchema);
+};
+const formatPolicyRoles = (roles) => {
+	return roles?.length ? roles.join(", ") : "public";
+};
+const formatPolicyCommand = (command) => {
+	return (command ?? "ALL").toLowerCase();
+};
+const formatPolicyMode = (mode) => {
+	return mode === "PERMISSIVE" ? "permit" : "restrict";
+};
+const formatPolicySummary = (policy, table) => {
+	const parts = [
+		`${formatPolicyMode(policy.as)} access on ${table}`,
+		`to ${formatPolicyRoles(policy.to)}`,
+		`for ${formatPolicyCommand(policy.for)}`
+	];
+	if (policy.using) parts.push(`using (${policy.using})`);
+	if (policy.withCheck) parts.push(`with check (${policy.withCheck})`);
+	return parts.join(", ");
+};
+const formatPolicyChangeDefinition = (policy) => {
+	const parts = [];
+	if (policy.name) parts.push(`name ${policy.name}`);
+	if (policy.table) parts.push(`table ${policy.table}`);
+	if (policy.as) parts.push(`as ${policy.as.toLowerCase()}`);
+	if (policy.for) parts.push(`for ${policy.for.toLowerCase()}`);
+	if ("to" in policy) parts.push(`to ${formatPolicyRoles(policy.to)}`);
+	if ("using" in policy && policy.using) parts.push(`using (${policy.using})`);
+	if ("withCheck" in policy && policy.withCheck) parts.push(`with check (${policy.withCheck})`);
+	return parts.join(", ");
+};
 var AbortSignal = class extends Error {};
 const generate = async (adapters, config, args, afterPull) => {
 	let { dbPath } = config;
@@ -2154,17 +2774,25 @@ const generate = async (adapters, config, args, afterPull) => {
 	if (afterPull) adapters = [afterPull.adapter];
 	const db = await getDbFromConfig(config, dbPath);
 	const { columnTypes, internal } = db.$qb;
+	const structureParams = {
+		loadDefaultPrivileges: internal.roles?.some((role) => role.defaultPrivileges !== void 0) ?? false,
+		loadGrants: !!internal.grants || hasCodeTablesWithGrants(db)
+	};
 	const rolesDbStructureParam = internal.roles ? internal.managedRolesSql ? { whereSql: internal.managedRolesSql } : pqb_internal.emptyObject : void 0;
-	const { dbStructure } = await migrateAndPullStructures(adapters, config, db, rolesDbStructureParam, internal.roles ? { loadDefaultPrivileges: true } : void 0, afterPull);
+	const { dbStructure } = await migrateAndPullStructures(adapters, config, db, rolesDbStructureParam, structureParams, afterPull);
 	const [adapter] = adapters;
 	const adapterSchema = adapter.getSchema();
 	const currentSchema = (typeof adapterSchema === "function" ? adapterSchema() : adapterSchema) ?? "public";
 	const codeItems = await getActualItems(db, currentSchema, internal, columnTypes);
+	const effectiveGrants = getEffectiveGrants(internal.grants, codeItems);
 	const generateMigrationParams = {
 		structureToAstCtx: (0, rake_db.makeStructureToAstCtx)(config, currentSchema),
 		codeItems,
 		currentSchema,
-		internal
+		internal: {
+			...internal,
+			grants: effectiveGrants
+		}
 	};
 	const ast = [];
 	let migrationCode;
@@ -2178,7 +2806,7 @@ const generate = async (adapters, config, args, afterPull) => {
 		throw err;
 	}
 	if (migrationCode && !afterPull) {
-		const result = await verifyMigration(adapter, config, migrationCode, generateMigrationParams, rolesDbStructureParam, internal.roles ? { loadDefaultPrivileges: true } : void 0);
+		const result = await verifyMigration(adapter, config, migrationCode, generateMigrationParams, rolesDbStructureParam, structureParams);
 		if (result !== void 0) throw new Error(`Failed to verify generated migration: some of database changes were not applied properly. This is a bug, please open an issue, attach the following migration code:\n${migrationCode}${result === false ? "" : `\nAfter applying:\n${result}`}`);
 	}
 	const { logger } = config;
@@ -2207,7 +2835,7 @@ const getDbFromConfig = async (config, dbPath) => {
 	if (!db?.$qb) throw new Error(`Unable to import OrchidORM instance as ${config.dbExportedAs ?? "db"} from ${config.dbPath}`);
 	return db;
 };
-const migrateAndPullStructures = async (adapters, config, db, roles, defaultPrivileges, afterPull) => {
+const migrateAndPullStructures = async (adapters, config, db, roles, structureParams, afterPull) => {
 	if (afterPull) return { dbStructure: {
 		version: await (0, rake_db.getDbVersion)(adapters[0]),
 		schemas: [],
@@ -2226,7 +2854,8 @@ const migrateAndPullStructures = async (adapters, config, db, roles, defaultPriv
 	const dbStructures = await Promise.all(adapters.map((adapter) => (0, rake_db.introspectDbSchema)(adapter, {
 		rls: hasCodeTablesWithRls(db),
 		roles,
-		loadDefaultPrivileges: defaultPrivileges?.loadDefaultPrivileges
+		loadDefaultPrivileges: structureParams?.loadDefaultPrivileges,
+		loadGrants: structureParams?.loadGrants
 	})));
 	const dbStructure = dbStructures[0];
 	for (let i = 1; i < dbStructures.length; i++) compareDbStructures(dbStructure, dbStructures[i], i);
@@ -2239,6 +2868,30 @@ const hasCodeTablesWithRls = (db) => {
 	}
 	return false;
 };
+const hasCodeTablesWithGrants = (db) => {
+	for (const key in db) {
+		if (key[0] === "$") continue;
+		if (db[key].internal.tableGrants?.length) return true;
+	}
+	return false;
+};
+const getEffectiveGrants = (grants, codeItems) => {
+	const effectiveGrants = grants ? [...grants] : [];
+	for (const table of codeItems.tables) {
+		const tableGrants = table.internal.tableGrants;
+		if (!tableGrants?.length) continue;
+		const tableTarget = table.q.schema ? `${table.q.schema}.${table.table}` : table.table;
+		for (const grant of tableGrants) {
+			const internalGrant = {
+				...grant,
+				to: (0, pqb_internal.toArray)(grant.to),
+				tables: [tableTarget]
+			};
+			effectiveGrants.push(internalGrant);
+		}
+	}
+	return effectiveGrants.length ? effectiveGrants : void 0;
+};
 const compareDbStructures = (a, b, i, path) => {
 	let err;
 	if (typeof a !== typeof b) err = true;
@@ -2274,7 +2927,10 @@ const getActualItems = async (db, currentSchema, internal, columnTypes) => {
 		codeItems.tables.push({
 			table: table.table,
 			shape: table.shape,
-			internal: table.internal,
+			internal: {
+				...table.internal,
+				rls: internal.rls
+			},
 			q: { schema: (0, pqb_internal.getQuerySchema)(table) }
 		});
 		for (const key in table.relations) {
@@ -2319,8 +2975,27 @@ const getActualItems = async (db, currentSchema, internal, columnTypes) => {
 			for (const privilege of role.defaultPrivileges) if (privilege.schema) codeItems.schemas.add(privilege.schema);
 		}
 	}
+	if (internal.grants) for (const grant of internal.grants) addGrantSchemas(codeItems.schemas, currentSchema, grant);
 	return codeItems;
 };
+const addGrantSchemas = (schemas, currentSchema, grant) => {
+	for (const schema of [
+		...grant.schemas ?? [],
+		...grant.allTablesIn ?? [],
+		...grant.allSequencesIn ?? [],
+		...grant.allRoutinesIn ?? []
+	]) schemas.add(schema);
+	for (const target of [
+		...grant.tables ?? [],
+		...grant.sequences ?? [],
+		...grant.routines ?? [],
+		...grant.types ?? [],
+		...grant.domains ?? []
+	]) {
+		const [schema] = (0, rake_db.getSchemaAndTableFromName)(currentSchema, target);
+		if (schema) schemas.add(schema);
+	}
+};
 const processEnumColumn = (column, currentSchema, codeItems) => {
 	const { enumName, options } = column;
 	const [schema, name] = (0, rake_db.getSchemaAndTableFromName)(currentSchema, enumName);