rake-db 2.34.1 → 2.35.0

package/dist/index.js

@@ -1166,13 +1166,12 @@ const astToQuery$1 = (ast) => {
 		if (options?.recursive) sql.push("RECURSIVE");
 		sql.push(`VIEW ${sqlName}`);
 		if (options?.columns) sql.push(`(${options.columns.map((column) => `"${column}"`).join(", ")})`);
-		if (options?.with) {
-			const list = [];
-			if (options.with.checkOption) list.push(`check_option = ${(0, pqb_internal.singleQuote)(options.with.checkOption)}`);
-			if (options.with.securityBarrier) list.push(`security_barrier = true`);
-			if (options.with.securityInvoker) list.push(`security_invoker = true`);
-			sql.push(`WITH ( ${list.join(", ")} )`);
-		}
+		const withOptions = options?.with;
+		const list = [];
+		if (withOptions?.checkOption) list.push(`check_option = ${(0, pqb_internal.singleQuote)(withOptions.checkOption)}`);
+		if (withOptions?.securityBarrier) list.push(`security_barrier = true`);
+		if (withOptions?.securityInvoker !== false) list.push(`security_invoker = true`);
+		if (list.length) sql.push(`WITH ( ${list.join(", ")} )`);
 		sql.push(`AS (${ast.sql.toSQL({ values })})`);
 	} else {
 		sql.push("DROP VIEW");
@@ -1373,12 +1372,12 @@ const objectConfigToSql = (ast, config, action) => {
 		const objectType = key;
 		if (!value) continue;
 		const { privileges, grantablePrivileges } = value;
-		if (privileges?.length) queries.push(buildQuery(ast, objectType, privileges, false, action));
-		if (grantablePrivileges?.length) queries.push(buildQuery(ast, objectType, grantablePrivileges, true, action));
+		if (privileges?.length) queries.push(buildQuery$1(ast, objectType, privileges, false, action));
+		if (grantablePrivileges?.length) queries.push(buildQuery$1(ast, objectType, grantablePrivileges, true, action));
 	}
 	return queries;
 };
-const buildQuery = (ast, objectType, privileges, grantable, action) => {
+const buildQuery$1 = (ast, objectType, privileges, grantable, action) => {
 	const parts = ["ALTER DEFAULT PRIVILEGES"];
 	if (ast.owner) parts.push(`FOR ROLE "${ast.owner}"`);
 	if (ast.schema) parts.push(`IN SCHEMA "${ast.schema}"`);
@@ -1405,6 +1404,204 @@ const enableOrDisableRls = (migration, up, tableName) => {
 const forceOrNoForceRls = (migration, up, tableName) => {
 	return setRls(migration, tableName, up ? "force" : "noForce");
 };
+const quotedRoles = (roles) => {
+	if (!roles) return;
+	const arr = Array.isArray(roles) ? roles : [roles];
+	if (!arr.length) return;
+	return arr.map(pqb_internal.quoteIdentifier).join(", ");
+};
+const normalizeRoles = (roles) => {
+	if (!roles) return;
+	return Array.isArray(roles) ? roles : [roles];
+};
+const rolesEqual = (a, b) => {
+	const left = normalizeRoles(a);
+	const right = normalizeRoles(b);
+	return JSON.stringify(left) === JSON.stringify(right);
+};
+const rawSql = (_migration, sql, values) => sql.toSQL({ values });
+const createPolicySql = (migration, tableName, policyName, params) => {
+	const [schema, table] = getSchemaAndTableFromName(migration.adapter.getSchema(), tableName);
+	const values = [];
+	const rolesSql = quotedRoles(params.to);
+	let usingSql;
+	let withCheckSql;
+	if (params.for === "SELECT" || params.for === "DELETE") usingSql = rawSql(migration, params.using, values);
+	else if (params.for === "INSERT") withCheckSql = rawSql(migration, params.withCheck, values);
+	else {
+		if (!params.withCheck) throw new Error("WITH CHECK is required for ALL and UPDATE policies");
+		usingSql = rawSql(migration, params.using, values);
+		withCheckSql = rawSql(migration, params.withCheck, values);
+	}
+	return {
+		text: `CREATE POLICY ${(0, pqb_internal.quoteIdentifier)(policyName)}
+ON ${quoteTable(schema, table)}
+AS ${params.as}
+FOR ${params.for ?? "ALL"}${rolesSql ? `
+TO ${rolesSql}` : ""}${usingSql ? `
+USING (${usingSql})` : ""}${withCheckSql ? `
+WITH CHECK (${withCheckSql})` : ""}`,
+		values
+	};
+};
+const dropPolicySql = (migration, tableName, policyName) => {
+	const [schema, table] = getSchemaAndTableFromName(migration.adapter.getSchema(), tableName);
+	return `DROP POLICY ${(0, pqb_internal.quoteIdentifier)(policyName)} ON ${quoteTable(schema, table)}`;
+};
+const createOrDropPolicy = async (migration, up, tableName, policyName, params) => {
+	if (up) {
+		const { text, values } = createPolicySql(migration, tableName, policyName, params);
+		await migration.adapter.arrays(text, values);
+	} else await migration.adapter.arrays(dropPolicySql(migration, tableName, policyName));
+};
+const isRecreateDefinition = (value) => {
+	return "as" in value || "for" in value || "table" in value;
+};
+const changePolicyInPlace = async (migration, tableName, policyName, from, to) => {
+	const [schema, table] = getSchemaAndTableFromName(migration.adapter.getSchema(), tableName);
+	const quotedTable = quoteTable(schema, table);
+	let currentName = from.name ?? policyName;
+	const targetName = to.name ?? policyName;
+	if (currentName !== targetName) {
+		await migration.adapter.arrays(`ALTER POLICY ${(0, pqb_internal.quoteIdentifier)(currentName)}
+ON ${quotedTable}
+RENAME TO ${(0, pqb_internal.quoteIdentifier)(targetName)}`);
+		currentName = targetName;
+	}
+	if ("to" in from && "to" in to && !rolesEqual(from.to, to.to)) await migration.adapter.arrays(`ALTER POLICY ${(0, pqb_internal.quoteIdentifier)(currentName)}
+ON ${quotedTable}
+TO ${quotedRoles(to.to) ?? "PUBLIC"}`);
+	if ("using" in from && "using" in to && from.using && to.using) {
+		const fromUsing = rawSql(migration, from.using, []);
+		const toUsingValues = [];
+		const toUsing = rawSql(migration, to.using, toUsingValues);
+		if (fromUsing !== toUsing) await migration.adapter.arrays(`ALTER POLICY ${(0, pqb_internal.quoteIdentifier)(currentName)}
+ON ${quotedTable}
+USING (${toUsing})`, toUsingValues);
+	}
+	if ("withCheck" in from && "withCheck" in to && from.withCheck && to.withCheck) {
+		const fromWithCheck = rawSql(migration, from.withCheck, []);
+		const toWithCheckValues = [];
+		const toWithCheck = rawSql(migration, to.withCheck, toWithCheckValues);
+		if (fromWithCheck !== toWithCheck) await migration.adapter.arrays(`ALTER POLICY ${(0, pqb_internal.quoteIdentifier)(currentName)}
+ON ${quotedTable}
+WITH CHECK (${toWithCheck})`, toWithCheckValues);
+	}
+};
+const recreatePolicy = async (migration, tableName, policyName, from, to) => {
+	const fromTable = from.table ?? tableName;
+	const fromName = from.name ?? policyName;
+	await migration.adapter.arrays(dropPolicySql(migration, fromTable, fromName));
+	const { text, values } = createPolicySql(migration, to.table ?? tableName, to.name ?? policyName, to);
+	await migration.adapter.arrays(text, values);
+};
+const changePolicy = async (migration, up, tableName, policyName, params) => {
+	const from = up ? params.from : params.to;
+	const to = up ? params.to : params.from;
+	if (isRecreateDefinition(from) || isRecreateDefinition(to)) await recreatePolicy(migration, tableName, policyName, from, to);
+	else await changePolicyInPlace(migration, tableName, policyName, from, to);
+};
+const dropOrCreatePolicy = (migration, up, tableName, policyName, params) => {
+	return createOrDropPolicy(migration, !up, tableName, policyName, params);
+};
+const concreteTargetKeyToSql = {
+	tables: "TABLE",
+	sequences: "SEQUENCE",
+	routines: "ROUTINE",
+	types: "TYPE",
+	domains: "DOMAIN"
+};
+const schemaWideTargetKeyToSql = {
+	allTablesIn: "ALL TABLES IN SCHEMA",
+	allSequencesIn: "ALL SEQUENCES IN SCHEMA",
+	allRoutinesIn: "ALL ROUTINES IN SCHEMA"
+};
+const schemaOrDatabaseTargetKeyToSql = {
+	schemas: "SCHEMA",
+	databases: "DATABASE"
+};
+const specialRoleSpecs = new Set([
+	"PUBLIC",
+	"CURRENT_ROLE",
+	"CURRENT_USER",
+	"SESSION_USER"
+]);
+const changeGrant = async (migration, up, params) => {
+	const sql = privilegeToSql(migration, {
+		...params,
+		to: typeof params.to === "string" ? [params.to] : params.to,
+		action: up ? "grant" : "revoke"
+	});
+	if (sql.length) await migration.adapter.arrays(sql.join(";\n"));
+};
+const privilegeToSql = (migration, ast) => {
+	const queries = [];
+	const isRevoke = ast.action === "revoke";
+	const currentSchema = migration.adapter.getSchema();
+	for (const key of [
+		"tables",
+		"sequences",
+		"routines",
+		"types",
+		"domains"
+	]) {
+		const targetNames = ast[key];
+		if (!targetNames?.length) continue;
+		const privileges = ast.privileges;
+		const grantablePrivileges = ast.grantablePrivileges;
+		const quotedTargets = targetNames.map((name) => {
+			const [schema, objName] = getSchemaAndTableFromName(currentSchema, name);
+			if (schema) return `"${schema}"."${objName}"`;
+			return `"${objName}"`;
+		});
+		addTargetQueries(queries, ast, `ON ${concreteTargetKeyToSql[key]} ${quotedTargets.join(", ")}`, privileges, grantablePrivileges, isRevoke);
+	}
+	for (const key of [
+		"allTablesIn",
+		"allSequencesIn",
+		"allRoutinesIn"
+	]) {
+		const targetNames = ast[key];
+		if (!targetNames?.length) continue;
+		const targetList = targetNames.map((name) => `"${name}"`);
+		const privileges = ast.privileges;
+		const grantablePrivileges = ast.grantablePrivileges;
+		addTargetQueries(queries, ast, `ON ${schemaWideTargetKeyToSql[key]} ${targetList.join(", ")}`, privileges, grantablePrivileges, isRevoke);
+	}
+	for (const key of ["schemas", "databases"]) {
+		const targetNames = ast[key];
+		if (!targetNames?.length) continue;
+		const targetList = targetNames.map((name) => `"${name}"`);
+		const privileges = ast.privileges;
+		const grantablePrivileges = ast.grantablePrivileges;
+		addTargetQueries(queries, ast, `ON ${schemaOrDatabaseTargetKeyToSql[key]} ${targetList.join(", ")}`, privileges, grantablePrivileges, isRevoke);
+	}
+	return queries;
+};
+const addTargetQueries = (queries, ast, targetSql, privileges, grantablePrivileges, isRevoke) => {
+	if (privileges?.length) queries.push(buildQuery(ast, privileges, targetSql, false, isRevoke));
+	if (grantablePrivileges?.length) queries.push(buildQuery(ast, grantablePrivileges, targetSql, !isRevoke, isRevoke));
+};
+const buildQuery = (ast, privileges, targetSql, grantable, isRevoke) => {
+	const parts = [];
+	if (isRevoke) {
+		parts.push("REVOKE");
+		if (grantable) parts.push("GRANT OPTION FOR");
+	} else parts.push("GRANT");
+	const privilegeList = privileges.map((p) => p === "ALL" ? "ALL PRIVILEGES" : p === "TEMP" ? "TEMPORARY" : p).join(", ");
+	parts.push(privilegeList);
+	parts.push(targetSql);
+	if (isRevoke) parts.push("FROM");
+	else parts.push("TO");
+	parts.push(ast.to.map(formatRoleSpec).join(", "));
+	if (ast.grantedBy) parts.push("GRANTED BY", `"${ast.grantedBy}"`);
+	if (isRevoke && ast.revokeMode) parts.push(ast.revokeMode);
+	if (!isRevoke && grantable) parts.push("WITH GRANT OPTION");
+	return parts.join(" ");
+};
+const formatRoleSpec = (role) => {
+	return specialRoleSpecs.has(role) ? role : `"${role}"`;
+};
 /**
 * Creates a new `db` instance that is an instance of `pqb` with mixed in migration methods from the `Migration` class.
 * It overrides `query` and `array` db adapter methods to intercept SQL for the logging.
@@ -2278,6 +2475,21 @@ var Migration = class {
 	noForceRls(tableName) {
 		return forceOrNoForceRls(this, !this.up, tableName);
 	}
+	createPolicy(tableName, policyName, params) {
+		return createOrDropPolicy(this, this.up, tableName, policyName, params);
+	}
+	dropPolicy(tableName, policyName, params) {
+		return dropOrCreatePolicy(this, this.up, tableName, policyName, params);
+	}
+	changePolicy(tableName, policyName, params) {
+		return changePolicy(this, this.up, tableName, policyName, params);
+	}
+	grant(params) {
+		return changeGrant(this, this.up, params);
+	}
+	revoke(params) {
+		return changeGrant(this, !this.up, params);
+	}
 };
 const wrapWithEnhancingError = async (text, values, promise) => {
 	try {
@@ -3622,6 +3834,38 @@ const astToGenerateItem = (config, ast, currentSchema) => {
 			deps.push(schema, `${schema}.${ast.table}`);
 			break;
 		}
+		case "policy": {
+			const defaultSchema = ast.schema ?? currentSchema;
+			const [tableSchema = defaultSchema, tableName] = getSchemaAndTableFromName(defaultSchema, ast.table);
+			deps.push(tableSchema, `${tableSchema}.${tableName}`);
+			pushPolicyRoleDeps(deps, ast.to);
+			if (ast.action === "create") add.push(`policy:${ast.name}`);
+			else drop.push(`policy:${ast.name}`);
+			break;
+		}
+		case "changePolicy": {
+			const defaultSchema = ast.schema ?? currentSchema;
+			const [tableSchema = defaultSchema, tableName] = getSchemaAndTableFromName(defaultSchema, ast.table);
+			deps.push(tableSchema, `${tableSchema}.${tableName}`);
+			const fromTable = ast.from.table ? ast.from.table : tableName;
+			const fromName = ast.from.name ? ast.from.name : ast.name;
+			const toTable = ast.to.table ? ast.to.table : tableName;
+			const toName = ast.to.name ? ast.to.name : ast.name;
+			const [fromSchema = tableSchema, fromTableName] = getSchemaAndTableFromName(tableSchema, fromTable);
+			const [toSchema = tableSchema, toTableName] = getSchemaAndTableFromName(tableSchema, toTable);
+			deps.push(fromSchema, `${fromSchema}.${fromTableName}`);
+			deps.push(toSchema, `${toSchema}.${toTableName}`);
+			if (fromName !== toName) {
+				drop.push(`policy:${fromName}`);
+				add.push(`policy:${toName}`);
+			}
+			pushPolicyRoleDeps(deps, ast.from.to);
+			pushPolicyRoleDeps(deps, ast.to.to);
+			break;
+		}
+		case "grant":
+			pushGrantDeps(currentSchema, deps, ast);
+			break;
 		default: (0, pqb_internal.exhaustive)(ast);
 	}
 	return {
@@ -3685,6 +3929,39 @@ const analyzeTableData = (config, currentSchema, schema, table, keys, deps, data
 		}
 	}
 };
+const pushPolicyRoleDeps = (deps, roles) => {
+	if (!roles) return;
+	deps.push(...roles.map((role) => `role:${role}`));
+};
+const grantConcreteTargetKeys = [
+	"tables",
+	"sequences",
+	"routines",
+	"types",
+	"domains"
+];
+const grantSchemaWideTargetKeys = [
+	"allTablesIn",
+	"allSequencesIn",
+	"allRoutinesIn"
+];
+const pushGrantDeps = (currentSchema, deps, ast) => {
+	deps.push(...ast.to.map((role) => `role:${role}`));
+	if (ast.grantedBy) deps.push(`role:${ast.grantedBy}`);
+	if (ast.schemas) deps.push(...ast.schemas);
+	for (const key of grantSchemaWideTargetKeys) {
+		const schemas = ast[key];
+		if (schemas) deps.push(...schemas);
+	}
+	for (const key of grantConcreteTargetKeys) {
+		const targets = ast[key];
+		if (!targets) continue;
+		for (const target of targets) {
+			const [schema = currentSchema, name] = getSchemaAndTableFromName(currentSchema, target);
+			deps.push(schema, `${schema}.${name}`);
+		}
+	}
+};
 const astToMigration = (currentSchema, config, asts) => {
 	const items = astToGenerateItems(config, asts, currentSchema);
 	const toBeAdded = /* @__PURE__ */ new Set();
@@ -4094,8 +4371,91 @@ const astEncoders = {
 			name: ast.table
 		}, currentSchema);
 		return `await db.${ast.action === "enable" ? "enableRls" : ast.action === "disable" ? "disableRls" : ast.action === "force" ? "forceRls" : "noForceRls"}(${table});`;
+	},
+	policy(ast, _config, currentSchema) {
+		const table = quoteSchemaTable({
+			schema: ast.schema,
+			name: ast.table
+		}, currentSchema);
+		return [
+			`await db.${ast.action}Policy(${table}, ${(0, pqb_internal.singleQuote)(ast.name)}, {`,
+			policyDefinitionToCode(ast),
+			"});"
+		];
+	},
+	changePolicy(ast, _config, currentSchema) {
+		return [
+			`await db.changePolicy(${quoteSchemaTable({
+				schema: ast.schema,
+				name: ast.table
+			}, currentSchema)}, ${(0, pqb_internal.singleQuote)(ast.name)}, {`,
+			[
+				"from: {",
+				policyChangeDefinitionToCode(ast.from),
+				"},",
+				"to: {",
+				policyChangeDefinitionToCode(ast.to),
+				"},"
+			],
+			"});"
+		];
+	},
+	grant(ast) {
+		const props = [];
+		props.push(`to: [${ast.to.map(pqb_internal.singleQuote).join(", ")}],`);
+		for (const key of grantTargetKeys) {
+			const values = ast[key];
+			if (values?.length) props.push(`${key}: [${values.map(pqb_internal.singleQuote).join(", ")}],`);
+		}
+		if (ast.privileges?.length) props.push(`privileges: [${ast.privileges.map(pqb_internal.singleQuote).join(", ")}],`);
+		if (ast.grantablePrivileges?.length) props.push(`grantablePrivileges: [${ast.grantablePrivileges.map(pqb_internal.singleQuote).join(", ")}],`);
+		if (ast.grantedBy) props.push(`grantedBy: ${(0, pqb_internal.singleQuote)(ast.grantedBy)},`);
+		if (ast.revokeMode) props.push(`revokeMode: ${(0, pqb_internal.singleQuote)(ast.revokeMode)},`);
+		return [
+			`await db.${ast.action}({`,
+			props,
+			"});"
+		];
 	}
 };
+const grantTargetKeys = [
+	"schemas",
+	"tables",
+	"sequences",
+	"routines",
+	"types",
+	"domains",
+	"databases",
+	"allTablesIn",
+	"allSequencesIn",
+	"allRoutinesIn"
+];
+const policyDefinitionToCode = (policy) => {
+	const code = [`as: ${(0, pqb_internal.singleQuote)(policy.as)},`];
+	if (policy.for) code.push(`for: ${(0, pqb_internal.singleQuote)(policy.for)},`);
+	if (policy.to?.length) code.push(`to: [${policy.to.map(pqb_internal.singleQuote).join(", ")}],`);
+	if (policy.using) code.push(`using: ${rawSqlStringToCode(policy.using)},`);
+	if (policy.withCheck) code.push(`withCheck: ${rawSqlStringToCode(policy.withCheck)},`);
+	return code;
+};
+const policyChangeDefinitionToCode = (policy) => {
+	const code = [];
+	if ("table" in policy && policy.table) code.push(`table: ${(0, pqb_internal.singleQuote)(policy.table)},`);
+	if (policy.name) code.push(`name: ${(0, pqb_internal.singleQuote)(policy.name)},`);
+	if (isPolicyRecreateDefinition(policy)) code.push(...policyDefinitionToCode(policy));
+	else {
+		if (policy.to?.length) code.push(`to: [${policy.to.map(pqb_internal.singleQuote).join(", ")}],`);
+		if (policy.using) code.push(`using: ${rawSqlStringToCode(policy.using)},`);
+		if (policy.withCheck) code.push(`withCheck: ${rawSqlStringToCode(policy.withCheck)},`);
+	}
+	return code;
+};
+const isPolicyRecreateDefinition = (policy) => {
+	return policy.as !== void 0 || policy.for !== void 0 || policy.table !== void 0;
+};
+const rawSqlStringToCode = (sql) => {
+	return `db.sql${(0, pqb_internal.backtickQuote)(sql)}`;
+};
 const roleParams = (name, ast, compare, to) => {
 	const params = [];
 	for (const key of [
@@ -4557,7 +4917,154 @@ const defaultPrivilegesSql = `SELECT COALESCE(json_agg(t.*), '[]') FROM (
   JOIN LATERAL aclexplode(d.defaclacl) ae ON true
   GROUP BY "grantor", "grantee", "schema", "object"
 ) t`;
-const sql = (version, params) => `SELECT (${schemasSql}) AS "schemas", ${jsonAgg(tablesSql(params?.rls), "tables")}, ${jsonAgg(viewsSql, "views")}, ${jsonAgg(indexesSql, "indexes")}, ${jsonAgg(constraintsSql, "constraints")}, ${jsonAgg(triggersSql, "triggers")}, ${jsonAgg(extensionsSql, "extensions")}, ${jsonAgg(enumsSql, "enums")}, ${jsonAgg(domainsSql, "domains")}, ${jsonAgg(collationsSql(version), "collations")}${params?.roles ? `, (${roleSql(params.roles)}) AS "roles"` : ""}${params?.loadDefaultPrivileges ? `, (${defaultPrivilegesSql}) AS "defaultPrivileges"` : ""}`;
+const grantsSql = `SELECT COALESCE(json_agg(t.* ORDER BY t."target", t."schema", t."name", t."grantee", t."grantor"), '[]') FROM (
+  SELECT
+    (ae.grantor)::regrole "grantor",
+    CASE
+      WHEN ae.grantee = 0 THEN 'PUBLIC'
+      ELSE (ae.grantee)::regrole::text
+    END "grantee",
+    n.nspname "schema",
+    c.relname "name",
+    'tables' "target",
+    array_agg(ae.privilege_type ORDER BY ae.privilege_type) "privileges",
+    array_agg(ae.is_grantable ORDER BY ae.privilege_type) "isGrantables"
+  FROM pg_class c
+  JOIN pg_namespace n ON n.oid = c.relnamespace
+  JOIN LATERAL aclexplode(coalesce(c.relacl, acldefault('r', c.relowner))) ae ON true
+  WHERE c.relkind IN ('r', 'p')
+    AND ${filterSchema("n.nspname")}
+    AND ae.grantee <> c.relowner
+  GROUP BY "grantor", "grantee", "schema", "name", "target"
+
+  UNION ALL
+
+  SELECT
+    (ae.grantor)::regrole "grantor",
+    CASE
+      WHEN ae.grantee = 0 THEN 'PUBLIC'
+      ELSE (ae.grantee)::regrole::text
+    END "grantee",
+    n.nspname "schema",
+    c.relname "name",
+    'sequences' "target",
+    array_agg(ae.privilege_type ORDER BY ae.privilege_type) "privileges",
+    array_agg(ae.is_grantable ORDER BY ae.privilege_type) "isGrantables"
+  FROM pg_class c
+  JOIN pg_namespace n ON n.oid = c.relnamespace
+  JOIN LATERAL aclexplode(coalesce(c.relacl, acldefault('S', c.relowner))) ae ON true
+  WHERE c.relkind = 'S'
+    AND ${filterSchema("n.nspname")}
+    AND ae.grantee <> c.relowner
+  GROUP BY "grantor", "grantee", "schema", "name", "target"
+
+  UNION ALL
+
+  SELECT
+    (ae.grantor)::regrole "grantor",
+    CASE
+      WHEN ae.grantee = 0 THEN 'PUBLIC'
+      ELSE (ae.grantee)::regrole::text
+    END "grantee",
+    n.nspname "schema",
+    p.proname "name",
+    'routines' "target",
+    array_agg(ae.privilege_type ORDER BY ae.privilege_type) "privileges",
+    array_agg(ae.is_grantable ORDER BY ae.privilege_type) "isGrantables"
+  FROM pg_proc p
+  JOIN pg_namespace n ON n.oid = p.pronamespace
+  JOIN LATERAL aclexplode(coalesce(p.proacl, acldefault('f', p.proowner))) ae ON true
+  WHERE ${filterSchema("n.nspname")}
+    AND ae.grantee <> p.proowner
+  GROUP BY "grantor", "grantee", "schema", "name", "target"
+
+  UNION ALL
+
+  SELECT
+    (ae.grantor)::regrole "grantor",
+    CASE
+      WHEN ae.grantee = 0 THEN 'PUBLIC'
+      ELSE (ae.grantee)::regrole::text
+    END "grantee",
+    n.nspname "schema",
+    t.typname "name",
+    CASE WHEN t.typtype = 'd' THEN 'domains' ELSE 'types' END "target",
+    array_agg(ae.privilege_type ORDER BY ae.privilege_type) "privileges",
+    array_agg(ae.is_grantable ORDER BY ae.privilege_type) "isGrantables"
+  FROM pg_type t
+  JOIN pg_namespace n ON n.oid = t.typnamespace
+  JOIN LATERAL aclexplode(coalesce(t.typacl, acldefault('T', t.typowner))) ae ON true
+  WHERE t.typtype IN ('c', 'd', 'e', 'm', 'r')
+    AND ${filterSchema("n.nspname")}
+    AND ae.grantee <> t.typowner
+  GROUP BY "grantor", "grantee", "schema", "name", "target"
+
+  UNION ALL
+
+  SELECT
+    (ae.grantor)::regrole "grantor",
+    CASE
+      WHEN ae.grantee = 0 THEN 'PUBLIC'
+      ELSE (ae.grantee)::regrole::text
+    END "grantee",
+    NULL "schema",
+    n.nspname "name",
+    'schemas' "target",
+    array_agg(ae.privilege_type ORDER BY ae.privilege_type) "privileges",
+    array_agg(ae.is_grantable ORDER BY ae.privilege_type) "isGrantables"
+  FROM pg_namespace n
+  JOIN LATERAL aclexplode(coalesce(n.nspacl, acldefault('n', n.nspowner))) ae ON true
+  WHERE ${filterSchema("n.nspname")}
+    AND ae.grantee <> n.nspowner
+  GROUP BY "grantor", "grantee", "schema", "name", "target"
+
+  UNION ALL
+
+  SELECT
+    (ae.grantor)::regrole "grantor",
+    CASE
+      WHEN ae.grantee = 0 THEN 'PUBLIC'
+      ELSE (ae.grantee)::regrole::text
+    END "grantee",
+    NULL "schema",
+    d.datname "name",
+    'databases' "target",
+    array_agg(ae.privilege_type ORDER BY ae.privilege_type) "privileges",
+    array_agg(ae.is_grantable ORDER BY ae.privilege_type) "isGrantables"
+  FROM pg_database d
+  JOIN LATERAL aclexplode(coalesce(d.datacl, acldefault('d', d.datdba))) ae ON true
+  WHERE NOT d.datistemplate
+    AND ae.grantee <> d.datdba
+  GROUP BY "grantor", "grantee", "schema", "name", "target"
+) t`;
+const policiesSql = `SELECT
+  n.nspname AS "schemaName",
+  c.relname AS "tableName",
+  p.polname AS "name",
+  CASE WHEN p.polpermissive
+    THEN 'PERMISSIVE'
+    ELSE 'RESTRICTIVE'
+  END AS "mode",
+  CASE p.polcmd
+    WHEN '*' THEN 'ALL'
+    WHEN 'r' THEN 'SELECT'
+    WHEN 'a' THEN 'INSERT'
+    WHEN 'w' THEN 'UPDATE'
+    WHEN 'd' THEN 'DELETE'
+  END AS "command",
+  ARRAY(
+    SELECT COALESCE(r.rolname, 'public')
+    FROM unnest(p.polroles) roleOid
+    LEFT JOIN pg_roles r ON r.oid = roleOid
+    ORDER BY roleOid = 0 DESC, COALESCE(r.rolname, 'public')
+  ) AS "roles",
+  pg_get_expr(p.polqual, p.polrelid) AS "using",
+  pg_get_expr(p.polwithcheck, p.polrelid) AS "withCheck"
+FROM pg_policy p
+JOIN pg_class c ON c.oid = p.polrelid
+JOIN pg_namespace n ON n.oid = c.relnamespace
+ORDER BY n.nspname, c.relname, p.polname`;
+const sql = (version, params) => `SELECT (${schemasSql}) AS "schemas", ${jsonAgg(tablesSql(params?.rls), "tables")}, ${jsonAgg(viewsSql, "views")}, ${jsonAgg(indexesSql, "indexes")}, ${jsonAgg(constraintsSql, "constraints")}, ${jsonAgg(triggersSql, "triggers")}, ${jsonAgg(extensionsSql, "extensions")}, ${jsonAgg(enumsSql, "enums")}, ${jsonAgg(domainsSql, "domains")}, ${jsonAgg(collationsSql(version), "collations")}${params?.roles ? `, (${roleSql(params.roles)}) AS "roles"` : ""}${params?.loadDefaultPrivileges ? `, (${defaultPrivilegesSql}) AS "defaultPrivileges"` : ""}${params?.loadGrants ? `, (${grantsSql}) AS "grants"` : ""}${params?.rls ? `, ${jsonAgg(policiesSql, "policies")}` : ""}`;
 async function getDbVersion(db) {
 	const { rows: [{ version: versionString }] } = await db.query("SELECT version()");
 	return +versionString.match(/\d+/)[0];
@@ -4633,9 +5140,36 @@ async function introspectDbSchema(db, params) {
 			}));
 		}
 	}
+	if (raw.policies) {
+		const policiesByTable = raw.policies.reduce((acc, policy) => {
+			nullsToUndefined(policy);
+			const key = `${policy.schemaName}.${policy.tableName}`;
+			const existing = acc.get(key);
+			const mappedPolicy = {
+				schemaName: policy.schemaName,
+				tableName: policy.tableName,
+				name: policy.name,
+				mode: policy.mode,
+				command: policy.command,
+				roles: policy.roles,
+				using: policy.using,
+				withCheck: policy.withCheck
+			};
+			if (existing) existing.push(mappedPolicy);
+			else acc.set(key, [mappedPolicy]);
+			return acc;
+		}, /* @__PURE__ */ new Map());
+		for (const table of raw.tables) {
+			if (!table.rls) continue;
+			table.rls.policies = policiesByTable.get(`${table.schemaName}.${table.name}`) ?? [];
+		}
+	}
+	const grants = raw.grants?.map(mapRawGrant);
+	const { policies: _policies, grants: _grants, ...structureWithoutPolicies } = raw;
 	return {
 		version,
-		...raw,
+		...structureWithoutPolicies,
+		grants,
 		defaultPrivileges: raw.defaultPrivileges && [...raw.defaultPrivileges.reduce((acc, privilege) => {
 			nullsToUndefined(privilege);
 			const key = `${privilege.grantor}.${privilege.grantee}.${privilege.schema}`;
@@ -4660,6 +5194,20 @@ async function introspectDbSchema(db, params) {
 		}, /* @__PURE__ */ new Map()).values()]
 	};
 }
+const mapRawGrant = (raw) => {
+	nullsToUndefined(raw);
+	const privileges = [];
+	const grantablePrivileges = [];
+	for (let i = 0; i < raw.privileges.length; i++) (raw.isGrantables[i] ? grantablePrivileges : privileges).push(raw.privileges[i]);
+	const grant = {
+		to: [raw.grantee],
+		grantedBy: raw.grantor,
+		[raw.target]: raw.schema ? [`${raw.schema}.${raw.name}`] : [raw.name]
+	};
+	if (privileges.length) grant.privileges = privileges;
+	if (grantablePrivileges.length) grant.grantablePrivileges = grantablePrivileges;
+	return grant;
+};
 const nullsToUndefined = (obj) => {
 	for (const key in obj) if (obj[key] === null) obj[key] = void 0;
 };
@@ -4684,7 +5232,7 @@ const makeStructureToAstCtx = (config, currentSchema) => ({
 });
 const structureToAst = async (ctx, adapter, config) => {
 	const ast = [];
-	const data = await introspectDbSchema(adapter);
+	const data = await introspectDbSchema(adapter, { rls: true });
 	for (const name of data.schemas) {
 		if (name === "public") continue;
 		ast.push({
@@ -4704,6 +5252,18 @@ const structureToAst = async (ctx, adapter, config) => {
 	for (const table of data.tables) {
 		if (table.name === migrationsTable && table.schemaName === migrationsSchema) continue;
 		ast.push(tableToAst(ctx, data, table, "create", domains));
+		for (const policy of table.rls?.policies || []) ast.push({
+			type: "policy",
+			action: "create",
+			schema: table.schemaName === ctx.currentSchema ? void 0 : table.schemaName,
+			table: table.name,
+			name: policy.name,
+			as: policy.mode,
+			for: policy.command,
+			to: policy.roles,
+			using: policy.using,
+			withCheck: policy.withCheck
+		});
 		if (table.rls?.enable) ast.push({
 			type: "tableRls",
 			action: "enable",