Add CREATE/ALTER SECURITY POLICY statement support

- Add SecurityPolicyStatement, SecurityPolicyOption, SecurityPredicateAction AST types
- Implement parseCreateSecurityPolicyStatement and parseAlterSecurityPolicyStatement
- Add marshaling functions with correct ActionType handling (AlterState, AlterReplication, AlterPredicates)
- Handle comma-separated predicate actions and NOT FOR REPLICATION clauses
- Enable CreateAlterSecurityPolicyStatementTests130

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: kyleconroy

ast/security_policy_statement.go

@@ -0,0 +1,45 @@
+package ast
+
+// CreateSecurityPolicyStatement represents CREATE SECURITY POLICY
+type CreateSecurityPolicyStatement struct {
+	Name                     *SchemaObjectName
+	NotForReplication        bool
+	SecurityPolicyOptions    []*SecurityPolicyOption
+	SecurityPredicateActions []*SecurityPredicateAction
+	ActionType               string // "Create"
+}
+
+func (s *CreateSecurityPolicyStatement) node()      {}
+func (s *CreateSecurityPolicyStatement) statement() {}
+
+// AlterSecurityPolicyStatement represents ALTER SECURITY POLICY
+type AlterSecurityPolicyStatement struct {
+	Name                       *SchemaObjectName
+	NotForReplication          bool
+	NotForReplicationModified  bool // tracks if NOT FOR REPLICATION was changed
+	SecurityPolicyOptions      []*SecurityPolicyOption
+	SecurityPredicateActions   []*SecurityPredicateAction
+	ActionType                 string // "Alter"
+}
+
+func (s *AlterSecurityPolicyStatement) node()      {}
+func (s *AlterSecurityPolicyStatement) statement() {}
+
+// SecurityPolicyOption represents an option like STATE=ON, SCHEMABINDING=OFF
+type SecurityPolicyOption struct {
+	OptionKind  string // "State" or "SchemaBinding"
+	OptionState string // "On" or "Off"
+}
+
+func (o *SecurityPolicyOption) node() {}
+
+// SecurityPredicateAction represents ADD/DROP/ALTER FILTER/BLOCK PREDICATE
+type SecurityPredicateAction struct {
+	ActionType                  string // "Create", "Drop", "Alter"
+	SecurityPredicateType       string // "Filter" or "Block"
+	FunctionCall                *FunctionCall
+	TargetObjectName            *SchemaObjectName
+	SecurityPredicateOperation  string // "All", "AfterInsert", "AfterUpdate", "BeforeUpdate", "BeforeDelete"
+}
+
+func (a *SecurityPredicateAction) node() {}

parser/marshal.go

@@ -521,6 +521,10 @@ func statementToJSON(stmt ast.Statement) jsonNode {
 		return createPartitionFunctionStatementToJSON(s)
 	case *ast.CreateEventNotificationStatement:
 		return createEventNotificationStatementToJSON(s)
+	case *ast.CreateSecurityPolicyStatement:
+		return createSecurityPolicyStatementToJSON(s)
+	case *ast.AlterSecurityPolicyStatement:
+		return alterSecurityPolicyStatementToJSON(s)
 	case *ast.AlterIndexStatement:
 		return alterIndexStatementToJSON(s)
 	case *ast.DropDatabaseStatement:
@@ -20324,3 +20328,89 @@ func openRowsetColumnDefinitionToJSON(col *ast.OpenRowsetColumnDefinition) jsonN
 	}
 	return node
 }
+
+func createSecurityPolicyStatementToJSON(s *ast.CreateSecurityPolicyStatement) jsonNode {
+	node := jsonNode{
+		"$type":             "CreateSecurityPolicyStatement",
+		"NotForReplication": s.NotForReplication,
+		"ActionType":        s.ActionType,
+	}
+	if s.Name != nil {
+		node["Name"] = schemaObjectNameToJSON(s.Name)
+	}
+	if len(s.SecurityPolicyOptions) > 0 {
+		opts := make([]jsonNode, len(s.SecurityPolicyOptions))
+		for i, opt := range s.SecurityPolicyOptions {
+			opts[i] = securityPolicyOptionToJSON(opt)
+		}
+		node["SecurityPolicyOptions"] = opts
+	}
+	if len(s.SecurityPredicateActions) > 0 {
+		actions := make([]jsonNode, len(s.SecurityPredicateActions))
+		for i, action := range s.SecurityPredicateActions {
+			actions[i] = securityPredicateActionToJSON(action)
+		}
+		node["SecurityPredicateActions"] = actions
+	}
+	return node
+}
+
+func alterSecurityPolicyStatementToJSON(s *ast.AlterSecurityPolicyStatement) jsonNode {
+	// Determine ActionType based on statement contents
+	actionType := "Alter"
+	if len(s.SecurityPredicateActions) > 0 {
+		actionType = "AlterPredicates"
+	} else if len(s.SecurityPolicyOptions) > 0 {
+		actionType = "AlterState"
+	} else if s.NotForReplicationModified {
+		actionType = "AlterReplication"
+	}
+
+	node := jsonNode{
+		"$type":             "AlterSecurityPolicyStatement",
+		"NotForReplication": s.NotForReplication,
+		"ActionType":        actionType,
+	}
+	if s.Name != nil {
+		node["Name"] = schemaObjectNameToJSON(s.Name)
+	}
+	if len(s.SecurityPolicyOptions) > 0 {
+		opts := make([]jsonNode, len(s.SecurityPolicyOptions))
+		for i, opt := range s.SecurityPolicyOptions {
+			opts[i] = securityPolicyOptionToJSON(opt)
+		}
+		node["SecurityPolicyOptions"] = opts
+	}
+	if len(s.SecurityPredicateActions) > 0 {
+		actions := make([]jsonNode, len(s.SecurityPredicateActions))
+		for i, action := range s.SecurityPredicateActions {
+			actions[i] = securityPredicateActionToJSON(action)
+		}
+		node["SecurityPredicateActions"] = actions
+	}
+	return node
+}
+
+func securityPolicyOptionToJSON(opt *ast.SecurityPolicyOption) jsonNode {
+	return jsonNode{
+		"$type":       "SecurityPolicyOption",
+		"OptionKind":  opt.OptionKind,
+		"OptionState": opt.OptionState,
+	}
+}
+
+func securityPredicateActionToJSON(action *ast.SecurityPredicateAction) jsonNode {
+	node := jsonNode{
+		"$type":                        "SecurityPredicateAction",
+		"ActionType":                   action.ActionType,
+		"SecurityPredicateType":        action.SecurityPredicateType,
+		"SecurityPredicateOperation":   action.SecurityPredicateOperation,
+	}
+	if action.FunctionCall != nil {
+		node["FunctionCall"] = scalarExpressionToJSON(action.FunctionCall)
+	}
+	if action.TargetObjectName != nil {
+		node["TargetObjectName"] = schemaObjectNameToJSON(action.TargetObjectName)
+	}
+	return node
+}