fix: preserve nested function calls in RLS policy expressions (#377) (#378)

normalizeExpressionParentheses had a regex that incorrectly matched
nested function calls like unnest(get_user_assigned_projects()) as
redundantly-wrapped single function calls, stripping the outer parens
and merging tokens into invalid SQL (unnestget_user_assigned_projects()).

Remove the broken regex. The parenthesized form that pg_get_expr returns
(e.g., (current_setting(...))::integer) is valid SQL and needs no
unwrapping.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tianzhou

ir/normalize.go

@@ -819,28 +819,7 @@ func normalizeExpressionParentheses(expr string) string {
 		expr = fmt.Sprintf("(%s)", expr)
 	}
 
-	// Step 2: Remove unnecessary parentheses around function calls within the expression
-	// Specifically targets patterns like (function_name(...)) -> function_name(...)
-	// This pattern looks for:
-	// \( - opening parenthesis
-	// ([a-zA-Z_][a-zA-Z0-9_]*) - function name (captured)
-	// \( - opening parenthesis for function call
-	// ([^)]*) - function arguments (captured, non-greedy to avoid matching nested parens)
-	// \) - closing parenthesis for function call
-	// \) - closing parenthesis around the whole function
-	functionParensRegex := regexp.MustCompile(`\(([a-zA-Z_][a-zA-Z0-9_]*\([^)]*\))\)`)
-
-	// Replace (function(...)) with function(...)
-	// Keep applying until no more matches to handle nested cases
-	for {
-		original := expr
-		expr = functionParensRegex.ReplaceAllString(expr, "$1")
-		if expr == original {
-			break
-		}
-	}
-
-	// Step 3: Normalize redundant type casts in function arguments
+	// Step 2: Normalize redundant type casts in function arguments
 	// Pattern: 'text'::text -> 'text' (removing redundant text cast from literals)
 	// IMPORTANT: Do NOT match when followed by [] (array cast is semantically significant)
 	// e.g., '{nested,key}'::text[] must be preserved as-is

ir/normalize_test.go

@@ -321,6 +321,75 @@ func TestStripSchemaFromReturnType(t *testing.T) {
 	}
 }
 
+func TestNormalizeExpressionParentheses(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "simple expression gets wrapped",
+			input:    "tenant_id = 1",
+			expected: "(tenant_id = 1)",
+		},
+		{
+			name:     "already parenthesized",
+			input:    "(tenant_id = 1)",
+			expected: "(tenant_id = 1)",
+		},
+		{
+			name:     "nested function call preserved",
+			input:    "(id IN ( SELECT unnest(get_user_assigned_projects()) AS unnest))",
+			expected: "(id IN ( SELECT unnest(get_user_assigned_projects()) AS unnest))",
+		},
+		{
+			name:     "simple function call preserved",
+			input:    "(has_scope('admin'))",
+			expected: "(has_scope('admin'))",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := normalizeExpressionParentheses(tt.input)
+			if result != tt.expected {
+				t.Errorf("normalizeExpressionParentheses(%q) = %q, want %q", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestNormalizePolicyExpression(t *testing.T) {
+	tests := []struct {
+		name        string
+		expr        string
+		tableSchema string
+		expected    string
+	}{
+		{
+			name:        "nested function call in policy expression",
+			expr:        "(id IN ( SELECT unnest(get_user_assigned_projects()) AS unnest))",
+			tableSchema: "public",
+			expected:    "(id IN ( SELECT unnest(get_user_assigned_projects()) AS unnest))",
+		},
+		{
+			name:        "schema-qualified nested function call",
+			expr:        "(id IN ( SELECT unnest(public.get_user_assigned_projects()) AS unnest))",
+			tableSchema: "public",
+			expected:    "(id IN ( SELECT unnest(get_user_assigned_projects()) AS unnest))",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := normalizePolicyExpression(tt.expr, tt.tableSchema)
+			if result != tt.expected {
+				t.Errorf("normalizePolicyExpression(%q, %q) = %q, want %q", tt.expr, tt.tableSchema, result, tt.expected)
+			}
+		})
+	}
+}
+
 func TestNormalizeCheckClause(t *testing.T) {
 	tests := []struct {
 		name     string

testdata/diff/create_policy/add_policy/diff.sql

@@ -1,7 +1,7 @@
 ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
 CREATE POLICY orders_user_access ON orders FOR SELECT TO PUBLIC USING (user_id IN ( SELECT users.id FROM users));
-CREATE POLICY "UserPolicy" ON users TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);
+CREATE POLICY "UserPolicy" ON users TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);
 CREATE POLICY admin_only ON users FOR DELETE TO PUBLIC USING (is_admin());
 CREATE POLICY "my-policy" ON users FOR INSERT TO PUBLIC WITH CHECK ((role)::text = 'user');
 CREATE POLICY "select" ON users FOR SELECT TO PUBLIC USING (true);
-CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);
+CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);

testdata/diff/create_policy/add_policy/plan.json

@@ -21,7 +21,7 @@
           "path": "public.orders.orders_user_access"
         },
         {
-          "sql": "CREATE POLICY \"UserPolicy\" ON users TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);",
+          "sql": "CREATE POLICY \"UserPolicy\" ON users TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);",
           "type": "table.policy",
           "operation": "create",
           "path": "public.users.UserPolicy"
@@ -45,7 +45,7 @@
           "path": "public.users.select"
         },
         {
-          "sql": "CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);",
+          "sql": "CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);",
           "type": "table.policy",
           "operation": "create",
           "path": "public.users.user_tenant_isolation"

testdata/diff/create_policy/add_policy/plan.sql

@@ -2,12 +2,12 @@ ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
 
 CREATE POLICY orders_user_access ON orders FOR SELECT TO PUBLIC USING (user_id IN ( SELECT users.id FROM users));
 
-CREATE POLICY "UserPolicy" ON users TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);
+CREATE POLICY "UserPolicy" ON users TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);
 
 CREATE POLICY admin_only ON users FOR DELETE TO PUBLIC USING (is_admin());
 
 CREATE POLICY "my-policy" ON users FOR INSERT TO PUBLIC WITH CHECK ((role)::text = 'user');
 
 CREATE POLICY "select" ON users FOR SELECT TO PUBLIC USING (true);
 
-CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);
+CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);

testdata/diff/create_policy/add_policy/plan.txt

@@ -21,12 +21,12 @@ ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
 
 CREATE POLICY orders_user_access ON orders FOR SELECT TO PUBLIC USING (user_id IN ( SELECT users.id FROM users));
 
-CREATE POLICY "UserPolicy" ON users TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);
+CREATE POLICY "UserPolicy" ON users TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);
 
 CREATE POLICY admin_only ON users FOR DELETE TO PUBLIC USING (is_admin());
 
 CREATE POLICY "my-policy" ON users FOR INSERT TO PUBLIC WITH CHECK ((role)::text = 'user');
 
 CREATE POLICY "select" ON users FOR SELECT TO PUBLIC USING (true);
 
-CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = current_setting('app.current_tenant')::integer);
+CREATE POLICY user_tenant_isolation ON users FOR UPDATE TO PUBLIC USING (tenant_id = (current_setting('app.current_tenant'))::integer);

testdata/diff/create_policy/alter_policy_roles/plan.json

@@ -3,7 +3,7 @@
   "pgschema_version": "1.8.0",
   "created_at": "1970-01-01T00:00:00Z",
   "source_fingerprint": {
-    "hash": "a24989791c9ba13d2d21f70cd0405e0e509c55341872b552ab87a0c79d238ddd"
+    "hash": "a5fcd005530df97b095b020e1a8c2fb12333baf056c3a2318bc34f2157893877"
   },
   "groups": [
     {

testdata/diff/create_policy/alter_policy_using/plan.json

@@ -3,7 +3,7 @@
   "pgschema_version": "1.8.0",
   "created_at": "1970-01-01T00:00:00Z",
   "source_fingerprint": {
-    "hash": "e7aac12e5d350ee9d014b756c838017ddd0c17180b7baa33300f4a773c4c89b1"
+    "hash": "b23d70f93fe88b9bfcf8d05f46e3faa60d54cf469813e2ead871e9c9d9231ab7"
   },
   "groups": [
     {

testdata/diff/create_policy/disable_rls/plan.json

@@ -3,7 +3,7 @@
   "pgschema_version": "1.8.0",
   "created_at": "1970-01-01T00:00:00Z",
   "source_fingerprint": {
-    "hash": "a24989791c9ba13d2d21f70cd0405e0e509c55341872b552ab87a0c79d238ddd"
+    "hash": "a5fcd005530df97b095b020e1a8c2fb12333baf056c3a2318bc34f2157893877"
   },
   "groups": [
     {

testdata/diff/create_policy/drop_policy/plan.json

@@ -3,7 +3,7 @@
   "pgschema_version": "1.8.0",
   "created_at": "1970-01-01T00:00:00Z",
   "source_fingerprint": {
-    "hash": "a24989791c9ba13d2d21f70cd0405e0e509c55341872b552ab87a0c79d238ddd"
+    "hash": "a5fcd005530df97b095b020e1a8c2fb12333baf056c3a2318bc34f2157893877"
   },
   "groups": [
     {