pgplex · tianzhou · Dec 21, 2025 · Dec 21, 2025 · Dec 21, 2025
diff --git a/internal/diff/diff.go b/internal/diff/diff.go
@@ -353,7 +353,8 @@ type policyDiff struct {
 // rlsChange represents enabling/disabling Row Level Security on a table
 type rlsChange struct {
 	Table   *ir.Table
-	Enabled bool // true to enable, false to disable
+	Enabled *bool // nil = no change, true = enable, false = disable
+	Forced  *bool // nil = no change, true = force, false = no force
 }
 
 // GenerateMigration compares two IR schemas and returns the SQL differences

diff --git a/internal/diff/policy.go b/internal/diff/policy.go
@@ -33,27 +33,50 @@ func generateCreatePoliciesSQL(policies []*ir.RLSPolicy, targetSchema string, co
 	}
 }
 
-// generateRLSChangesSQL generates RLS enable/disable statements
+// generateRLSChangesSQL generates RLS enable/disable and force statements
 func generateRLSChangesSQL(changes []*rlsChange, targetSchema string, collector *diffCollector) {
 	for _, change := range changes {
-		var sql string
 		tableName := qualifyEntityName(change.Table.Schema, change.Table.Name, targetSchema)
-		if change.Enabled {
-			sql = fmt.Sprintf("ALTER TABLE %s ENABLE ROW LEVEL SECURITY;", tableName)
-		} else {
-			sql = fmt.Sprintf("ALTER TABLE %s DISABLE ROW LEVEL SECURITY;", tableName)
-		}
 
-		// Create context for this statement
-		context := &diffContext{
-			Type:                DiffTypeTableRLS,
-			Operation:           DiffOperationAlter,
-			Path:                fmt.Sprintf("%s.%s", change.Table.Schema, change.Table.Name),
-			Source:              change,
-			CanRunInTransaction: true,
+		// Handle ENABLE/DISABLE changes
+		if change.Enabled != nil {
+			var sql string
+			if *change.Enabled {
+				sql = fmt.Sprintf("ALTER TABLE %s ENABLE ROW LEVEL SECURITY;", tableName)
+			} else {
+				sql = fmt.Sprintf("ALTER TABLE %s DISABLE ROW LEVEL SECURITY;", tableName)
+			}
+
+			context := &diffContext{
+				Type:                DiffTypeTableRLS,
+				Operation:           DiffOperationAlter,
+				Path:                fmt.Sprintf("%s.%s", change.Table.Schema, change.Table.Name),
+				Source:              change,
+				CanRunInTransaction: true,
+			}
+
+			collector.collect(context, sql)
 		}
 
-		collector.collect(context, sql)
+		// Handle FORCE/NO FORCE changes
+		if change.Forced != nil {
+			var sql string
+			if *change.Forced {
+				sql = fmt.Sprintf("ALTER TABLE %s FORCE ROW LEVEL SECURITY;", tableName)
+			} else {
+				sql = fmt.Sprintf("ALTER TABLE %s NO FORCE ROW LEVEL SECURITY;", tableName)
+			}
+
+			context := &diffContext{
+				Type:                DiffTypeTableRLS,
+				Operation:           DiffOperationAlter,
+				Path:                fmt.Sprintf("%s.%s", change.Table.Schema, change.Table.Name),
+				Source:              change,
+				CanRunInTransaction: true,
+			}
+
+			collector.collect(context, sql)
+		}
 	}
 }
 

diff --git a/internal/diff/table.go b/internal/diff/table.go
@@ -271,12 +271,20 @@ func diffTables(oldTable, newTable *ir.Table, targetSchema string) *tableDiff {
 		}
 	}
 
-	// Check for RLS enable/disable changes
-	if oldTable.RLSEnabled != newTable.RLSEnabled {
-		diff.RLSChanges = append(diff.RLSChanges, &rlsChange{
-			Table:   newTable,
-			Enabled: newTable.RLSEnabled,
-		})
+	// Check for RLS enable/disable and force changes
+	if oldTable.RLSEnabled != newTable.RLSEnabled || oldTable.RLSForced != newTable.RLSForced {
+		change := &rlsChange{
+			Table: newTable,
+		}
+		if oldTable.RLSEnabled != newTable.RLSEnabled {
+			change.Enabled = &newTable.RLSEnabled
+		}
+		// Only track FORCE changes if RLS is not being disabled
+		// (disabling RLS implicitly clears FORCE, making NO FORCE redundant)
+		if oldTable.RLSForced != newTable.RLSForced && newTable.RLSEnabled {
+			change.Forced = &newTable.RLSForced
+		}
+		diff.RLSChanges = append(diff.RLSChanges, change)
 	}
 
 	// Check for table comment changes
@@ -417,9 +425,18 @@ func generateCreateTablesSQL(
 		}
 		generateCreateIndexesSQL(indexes, targetSchema, collector)
 
-		// Handle RLS enable changes (before creating policies) - only for diff scenarios
-		if table.RLSEnabled {
-			rlsChanges := []*rlsChange{{Table: table, Enabled: true}}
+		// Handle RLS enable/force changes (before creating policies) - only for diff scenarios
+		if table.RLSEnabled || table.RLSForced {
+			change := &rlsChange{Table: table}
+			if table.RLSEnabled {
+				enabled := true
+				change.Enabled = &enabled
+			}
+			if table.RLSForced {
+				forced := true
+				change.Forced = &forced
+			}
+			rlsChanges := []*rlsChange{change}
 			generateRLSChangesSQL(rlsChanges, targetSchema, collector)
 		}
 
@@ -894,24 +911,50 @@ func (td *tableDiff) generateAlterTableStatements(targetSchema string, collector
 	// Handle RLS changes
 	for _, rlsChange := range td.RLSChanges {
 		tableName := getTableNameWithSchema(td.Table.Schema, td.Table.Name, targetSchema)
-		var sql string
-		var operation DiffOperation
-		if rlsChange.Enabled {
-			sql = fmt.Sprintf("ALTER TABLE %s ENABLE ROW LEVEL SECURITY;", tableName)
-			operation = DiffOperationCreate
-		} else {
-			sql = fmt.Sprintf("ALTER TABLE %s DISABLE ROW LEVEL SECURITY;", tableName)
-			operation = DiffOperationDrop
+
+		// Handle ENABLE/DISABLE changes
+		if rlsChange.Enabled != nil {
+			var sql string
+			var operation DiffOperation
+			if *rlsChange.Enabled {
+				sql = fmt.Sprintf("ALTER TABLE %s ENABLE ROW LEVEL SECURITY;", tableName)
+				operation = DiffOperationCreate
+			} else {
+				sql = fmt.Sprintf("ALTER TABLE %s DISABLE ROW LEVEL SECURITY;", tableName)
+				operation = DiffOperationDrop
+			}
+
+			context := &diffContext{
+				Type:                DiffTypeTableRLS,
+				Operation:           operation,
+				Path:                fmt.Sprintf("%s.%s", td.Table.Schema, td.Table.Name),
+				Source:              rlsChange,
+				CanRunInTransaction: true,
+			}
+			collector.collect(context, sql)
 		}
 
-		context := &diffContext{
-			Type:                DiffTypeTableRLS,
-			Operation:           operation,
-			Path:                fmt.Sprintf("%s.%s", td.Table.Schema, td.Table.Name),
-			Source:              rlsChange,
-			CanRunInTransaction: true,
+		// Handle FORCE/NO FORCE changes
+		if rlsChange.Forced != nil {
+			var sql string
+			var operation DiffOperation
+			if *rlsChange.Forced {
+				sql = fmt.Sprintf("ALTER TABLE %s FORCE ROW LEVEL SECURITY;", tableName)
+				operation = DiffOperationAlter
+			} else {
+				sql = fmt.Sprintf("ALTER TABLE %s NO FORCE ROW LEVEL SECURITY;", tableName)
+				operation = DiffOperationAlter
+			}
+
+			context := &diffContext{
+				Type:                DiffTypeTableRLS,
+				Operation:           operation,
+				Path:                fmt.Sprintf("%s.%s", td.Table.Schema, td.Table.Name),
+				Source:              rlsChange,
+				CanRunInTransaction: true,
+			}
+			collector.collect(context, sql)
 		}
-		collector.collect(context, sql)
 	}
 
 	// Drop policies - already sorted by the Diff operation

diff --git a/ir/inspector.go b/ir/inspector.go
@@ -1518,25 +1518,18 @@ func (i *Inspector) decodeTriggerLevel(tgtype int16) TriggerLevel {
 
 func (i *Inspector) buildRLSPolicies(ctx context.Context, schema *IR, targetSchema string) error {
 	// Get RLS enabled tables for the target schema
-	rlsTables, err := i.queries.GetRLSTablesForSchema(ctx, sql.NullString{String: targetSchema, Valid: true})
+	rlsTables, err := i.queries.GetRLSTablesForSchema(ctx, targetSchema)
 	if err != nil {
 		return err
 	}
 
-	// Mark tables as RLS enabled
+	// Mark tables as RLS enabled/forced
 	for _, rlsTable := range rlsTables {
-		schemaName := ""
-		if rlsTable.Schemaname.Valid {
-			schemaName = rlsTable.Schemaname.String
-		}
-		tableName := ""
-		if rlsTable.Tablename.Valid {
-			tableName = rlsTable.Tablename.String
-		}
-
-		dbSchema := schema.getOrCreateSchema(schemaName)
-		if table, exists := dbSchema.Tables[tableName]; exists {
+		dbSchema := schema.getOrCreateSchema(rlsTable.Schemaname)
+		if table, exists := dbSchema.Tables[rlsTable.Tablename]; exists {
+			// Query filters by rowsecurity = true, so this is always true
 			table.RLSEnabled = true
+			table.RLSForced = rlsTable.Rowforced
 		}
 	}
 

diff --git a/ir/ir.go b/ir/ir.go
@@ -50,6 +50,7 @@ type Table struct {
 	Indexes           map[string]*Index      `json:"indexes"`     // index_name -> Index
 	Triggers          map[string]*Trigger    `json:"triggers"`    // trigger_name -> Trigger
 	RLSEnabled        bool                   `json:"rls_enabled"`
+	RLSForced         bool                   `json:"rls_forced"`
 	Policies          map[string]*RLSPolicy  `json:"policies"` // policy_name -> RLSPolicy
 	Dependencies      []TableDependency      `json:"dependencies"`
 	Comment           string                 `json:"comment,omitempty"`

diff --git a/ir/queries/queries.sql b/ir/queries/queries.sql
@@ -674,16 +674,20 @@ ORDER BY vtu.view_schema, vtu.view_name, vtu.table_schema, vtu.table_name;
 
 -- GetRLSTables retrieves tables with row level security enabled
 -- name: GetRLSTables :many
-SELECT 
-    schemaname,
-    tablename
-FROM pg_tables
-WHERE 
-    schemaname NOT IN ('information_schema', 'pg_catalog', 'pg_toast')
-    AND schemaname NOT LIKE 'pg_temp_%'
-    AND schemaname NOT LIKE 'pg_toast_temp_%'
-    AND rowsecurity = true
-ORDER BY schemaname, tablename;
+SELECT
+    n.nspname AS schemaname,
+    c.relname AS tablename,
+    c.relrowsecurity AS rowsecurity,
+    c.relforcerowsecurity AS rowforced
+FROM pg_catalog.pg_class c
+JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid
+WHERE
+    n.nspname NOT IN ('information_schema', 'pg_catalog', 'pg_toast')
+    AND n.nspname NOT LIKE 'pg_temp_%'
+    AND n.nspname NOT LIKE 'pg_toast_temp_%'
+    AND c.relkind = 'r'
+    AND c.relrowsecurity = true
+ORDER BY n.nspname, c.relname;
 
 -- GetRLSPolicies retrieves all row level security policies
 -- name: GetRLSPolicies :many
@@ -705,14 +709,18 @@ ORDER BY schemaname, tablename, policyname;
 
 -- GetRLSTablesForSchema retrieves tables with row level security enabled for a specific schema
 -- name: GetRLSTablesForSchema :many
-SELECT 
-    schemaname,
-    tablename
-FROM pg_tables
-WHERE 
-    schemaname = $1
-    AND rowsecurity = true
-ORDER BY schemaname, tablename;
+SELECT
+    n.nspname AS schemaname,
+    c.relname AS tablename,
+    c.relrowsecurity AS rowsecurity,
+    c.relforcerowsecurity AS rowforced
+FROM pg_catalog.pg_class c
+JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid
+WHERE
+    n.nspname = $1
+    AND c.relkind = 'r'
+    AND c.relrowsecurity = true
+ORDER BY n.nspname, c.relname;
 
 -- GetRLSPoliciesForSchema retrieves all row level security policies for a specific schema
 -- name: GetRLSPoliciesForSchema :many

diff --git a/ir/queries/queries.sql.go b/ir/queries/queries.sql.go