VS Code extension for pgrls — the static analyzer for Postgres Row-Level Security. Surfaces pgrls lint findings as diagnostics in the Problems panel, with hover documentation per rule.

1. Install pgrls itself (the Python CLI):

   pip install pgrls

2. Install this extension from the VS Code marketplace.

3. Open a workspace that has a Postgres database. Configure the connection:

   • Set pgrls.databaseUrl in your VS Code settings, or
   • Export DATABASE_URL in your shell, or
   • Add [database].url to a pgrls.toml file at the workspace root.

Run pgrls: Lint database from the command palette (Cmd+Shift+P / Ctrl+Shift+P). Findings appear in the Problems panel with severity (error / warning / info), the rule ID as the diagnostic code, and a link to the canonical rule reference. A status-bar item shows the live finding count ($(shield) pgrls: 3 errors, 1 warning); click it to re-lint.

Enable pgrls.lintOnSave in settings to re-run automatically whenever a .sql, .plpgsql, or pgrls.toml file is saved.

When a finding's rule is mechanically auto-fixable, the Problems-panel lightbulb offers two Quick-Fix actions:

• Preview fixes (dry-run) — runs pgrls fix and opens the remediation SQL in a new editor. Nothing touches the database. If there's nothing to remediate, it shows a notification instead.
• Apply fixes to database… — always dry-runs first and prints the SQL to the pgrls output channel, then asks to confirm. The confirmation spells out that the target is whatever pgrls resolves from pgrls.databaseUrl → $DATABASE_URL → pgrls.toml (not necessarily a local dev DB), and that pgrls re-checks the live schema at apply time — so the applied statements may differ from the preview if the database changed in between. On confirm it runs pgrls fix --apply in a single all-or-nothing transaction, then re-lints.

Hovering on any rule ID (SEC003, DIFF_DROP_POLICY, etc.) in any open file shows the rule's title, severity, and whether it's auto-fixable inline (pulled once per session from pgrls explain --format json), plus a link to the full reference. Falls back to a plain reference link when pgrls isn't on PATH or the ID is a DIFF_* rule (those live in AGENTS.md, not the lint catalog the hover caches).

• Live-database linter. pgrls inspects a real Postgres database, not source text. So findings have no source-file anchor — they surface against the workspace's pgrls.toml (where the rule's allowlist lives) or a virtual URI. A future iteration may map findings to .sql migration files when those files define the offending policy.
• Pgrls must be on PATH. The extension shells out via child_process; it does not bundle the Python runtime. Set pgrls.executable if your pgrls install lives in a virtualenv.

MIT. See LICENSE.

• pgrls itself — the CLI this extension wraps
• Rule reference — every rule with rationale, example, and fix