fix(verifier): robust aggregate detection and projection-level semantic check

nl2sql/safety.py

@@ -2,143 +2,288 @@ from __future__ import annotations
 
 import re
 import time
-import unicodedata
+from typing import List, Pattern
+
+import sqlglot
+
 from nl2sql.types import StageResult, StageTrace
 
-# --- Regex utils ---
-_COMMENT_BLOCK = re.compile(r"/\*.*?\*/", re.DOTALL)
-_COMMENT_LINE = re.compile(r"--.*?$", re.MULTILINE)
+# ------------------------- Zero-width & basic regexes -------------------------
+
+_ZERO_WIDTH = [
+    "\u200b",
+    "\u200c",
+    "\u200d",
+    "\ufeff",
+    "\u2060",
+    "\u180e",
+    "\u200e",
+    "\u200f",
+]
+_ZERO_WIDTH_RE = re.compile("|".join(map(re.escape, _ZERO_WIDTH)))
+
+# String / comment regexes
+_STR_SINGLE_RE = re.compile(r"'([^'\\]|\\.)*'", re.DOTALL)
+_STR_DOUBLE_RE = re.compile(r'"([^"\\]|\\.)*"', re.DOTALL)
+_LINE_COMMENT_RE = re.compile(r"--[^\n]*")
+_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
 
-# String literals (single & double quotes), allow escaped quotes
-_STRING_SINGLE = re.compile(r"'([^'\\]|\\.)*'", re.DOTALL)
-_STRING_DOUBLE = re.compile(r'"([^"\\]|\\.)*"', re.DOTALL)
+# Markdown code fences: ```sql\n ... \n```
+_FENCE_RE = re.compile(r"^\s*```[a-zA-Z]*\n(?P<body>.*)\n```\s*$", re.DOTALL)
 
-# Case-insensitive, word-boundary forbidden keywords
-_FORBIDDEN = re.compile(
-    r"\b(delete|update|insert|drop|create|alter|attach|pragma|reindex|vacuum|replace|grant|revoke|execute)\b",
+# Strict forbidden keywords (word boundaries)
+_FORBIDDEN: Pattern[str] = re.compile(
+    r"\b("
+    r"delete|update|insert|drop|create|alter|truncate|merge|"
+    r"grant|revoke|execute|call|copy|attach|pragma|reindex|vacuum|replace"
+    r")\b",
     re.IGNORECASE,
 )
 
-# Allow: SELECT ...  or   WITH (one or many CTEs, optional RECURSIVE) ... SELECT ...
-_ALLOW_SELECT = re.compile(
-    r"^(?:WITH\s+(?:RECURSIVE\s+)?"
-    r".*?\)\s*(?:,\s*.*?\)\s*)*"
-    r")?SELECT\b",
-    re.IGNORECASE | re.DOTALL,
-)
 
-# Optional allowance: EXPLAIN SELECT ...
-_ALLOW_EXPLAIN_SELECT = re.compile(r"^EXPLAIN\s+SELECT\b", re.IGNORECASE | re.DOTALL)
+def _loose_keyword(pattern: str) -> Pattern[str]:
+    r"""
+    Build a regex that allows arbitrary whitespace between characters of a keyword.
+    Example: "insert" -> i\s*n\s*s\s*e\s*r\s*t
+    """
+    chars = r"\s*".join(list(pattern))
+    return re.compile(rf"\b{chars}\b", re.IGNORECASE)
+
 
-# --- Cleanup helpers ---
-_FENCE_SQL = re.compile(r"```sql", re.IGNORECASE)
-_FENCE_ANY = re.compile(r"```")
+_FORBIDDEN_LOOSE: List[Pattern[str]] = [
+    _loose_keyword(w)
+    for w in [
+        "delete",
+        "update",
+        "insert",
+        "drop",
+        "create",
+        "alter",
+        "truncate",
+        "merge",
+        "grant",
+        "revoke",
+        "execute",
+        "call",
+        "copy",
+        "attach",
+        "pragma",
+        "reindex",
+        "vacuum",
+        "replace",
+    ]
+]
 
+_MAX_SQL_LEN = 200_000  # defensive bound against catastrophic inputs
 
-def _normalize_sql(sql: str) -> str:
-    """Normalize to NFKC and strip zero-width characters to prevent obfuscation."""
-    s = unicodedata.normalize("NFKC", sql)
-    # strip common zero-width spaces/joiners
-    return (
-        s.replace("\u200b", "")
-        .replace("\u200c", "")
-        .replace("\u200d", "")
-        .replace("\ufeff", "")
-    )
 
+def _ms(t0: float) -> int:
+    return int((time.perf_counter() - t0) * 1000)
 
-def _sanitize_sql(sql: str) -> str:
-    """Remove markdown fences, comments, and harmless trailing semicolons."""
-    s = _normalize_sql(sql)
-    s = _FENCE_SQL.sub("", s)
-    s = _FENCE_ANY.sub("", s)
-    s = _COMMENT_BLOCK.sub(" ", s)
-    s = _COMMENT_LINE.sub(" ", s)
-    s = s.strip()
-    # remove trailing semicolon safely
-    s = s.rstrip(";").strip()
-    return s
 
+def _strip_fences(sql: str) -> str:
+    m = _FENCE_RE.match(sql)
+    return m.group("body") if m else sql
 
-def _mask_strings(s: str) -> str:
-    """Replace string literals so that inner semicolons/keywords don't affect checks."""
-    s = _STRING_SINGLE.sub("'X'", s)
-    s = _STRING_DOUBLE.sub('"X"', s)
-    return s
 
+def _collapse_trailing_semicolons(body: str) -> str:
+    """
+    Keep at most one trailing semicolon. This makes 'SELECT 1;;' equivalent to 'SELECT 1;'.
+    """
+    body = body.rstrip()
+    had_any = False
+    while body.endswith(";"):
+        had_any = True
+        body = body[:-1].rstrip()
+    return (body + ";") if had_any else body
 
-def _split_statements(s: str) -> list[str]:
+
+def _sanitize(sql: str) -> str:
     """
-    Split on semicolons after string-masking. Ignore empties (e.g., trailing ';').
+    Remove zero-width chars, strip markdown fences, trim, and normalize trailing semicolons.
     """
-    parts = [p.strip() for p in s.split(";")]
-    return [p for p in parts if p]
+    if not sql:
+        return ""
+    sql = _ZERO_WIDTH_RE.sub("", sql)
+    sql = _strip_fences(sql)
+    sql = sql.strip()
+    sql = _collapse_trailing_semicolons(sql)
+    return sql
 
 
-def _ms(t0: float) -> int:
-    return int((time.perf_counter() - t0) * 1000)
+def _remove_comments(body: str) -> str:
+    body = _BLOCK_COMMENT_RE.sub("", body)
+    body = _LINE_COMMENT_RE.sub("", body)
+    return body
+
+
+def _strip_strings(body: str) -> str:
+    """
+    Remove string literals (so forbidden keyword checks won't fire on quoted text).
+    """
+    body = _STR_SINGLE_RE.sub("''", body)
+    body = _STR_DOUBLE_RE.sub('""', body)
+    return body
+
+
+def _count_statements_semicolon(body: str) -> int:
+    """
+    Count statements by semicolons after removing comments and masking strings.
+    """
+    masked_strings = _STR_SINGLE_RE.sub("'S'", body)
+    masked_strings = _STR_DOUBLE_RE.sub('"S"', masked_strings)
+    no_comments = _remove_comments(masked_strings)
+    parts = [p.strip() for p in no_comments.split(";")]
+    non_empty = [p for p in parts if p]
+    return len(non_empty) if non_empty else 0
+
+
+def _count_statements_sqlglot(body: str) -> int:
+    """
+    Count statements via sqlglot parser after removing comments.
+    """
+    try:
+        trees = sqlglot.parse(_remove_comments(body))
+        return len([t for t in trees if t is not None])
+    except Exception:
+        # If parse fails, conservatively return 1 to avoid double blocking.
+        return 1
 
 
 class Safety:
+    """
+    Read-only safety: allow only single-statement SELECT/EXPLAIN (configurable),
+    block DML/DDL and multi-statements, detect obfuscations.
+    """
+
     name = "safety"
 
-    def __init__(self, allow_explain: bool = False) -> None:
-        """
-        :param allow_explain: If True, 'EXPLAIN SELECT ...' is allowed in addition to SELECT.
-        """
+    def __init__(self, allow_explain: bool = True) -> None:
         self.allow_explain = allow_explain
 
     def check(self, sql: str) -> StageResult:
         t0 = time.perf_counter()
 
-        # 1) Sanitize and mask
-        s = _sanitize_sql(sql)
-        s = _mask_strings(s).strip()
-
-        # 2) Multiple statements check
-        stmts = _split_statements(s)
-        if len(stmts) != 1:
+        # 0) nil / size guard
+        if not sql or not sql.strip():
             return StageResult(
                 ok=False,
-                error=["Multiple statements detected"],
+                error=["empty_sql"],
+                trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+            )
+        if len(sql) > _MAX_SQL_LEN:
+            return StageResult(
+                ok=False,
+                error=["sql_too_long"],
                 trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
             )
 
-        body = stmts[0]
+        # 1) sanitize
+        body = _sanitize(sql)
+
+        # 2) single-statement check (semicolon + parser)
+        semicolon_count = _count_statements_semicolon(body)
+        glot_count = _count_statements_sqlglot(body)
+        if semicolon_count != 1 or glot_count != 1:
+            return StageResult(
+                ok=False,
+                error=["Multiple statements detected"],
+                trace=StageTrace(
+                    stage=self.name,
+                    duration_ms=_ms(t0),
+                    notes={
+                        "semicolon_count": semicolon_count,
+                        "parser_count": glot_count,
+                    },
+                ),
+            )
 
-        # 3) Forbidden keyword check (report exact offending token)
-        m = _FORBIDDEN.search(body)
+        # 3) forbidden keywords (ignore inside string literals)
+        scan_body = _strip_strings(body)
+        m = _FORBIDDEN.search(scan_body)
         if m:
+            tok = m.group(0).strip().lower()
             return StageResult(
                 ok=False,
-                error=[f"Forbidden keyword detected: '{m.group(0)}'"],
+                error=[f"Forbidden: {tok}"],
                 trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
             )
+        for rx in _FORBIDDEN_LOOSE:
+            m2 = rx.search(scan_body)
+            if m2:
+                tok = m2.group(0).strip().lower()
+                return StageResult(
+                    ok=False,
+                    error=[f"Forbidden: {tok}"],
+                    trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+                )
 
-        # 4) Allow only SELECT (or optionally EXPLAIN SELECT)
-        allowed = bool(_ALLOW_SELECT.match(body))
-        if not allowed and self.allow_explain:
-            allowed = bool(_ALLOW_EXPLAIN_SELECT.match(body))
+        # 4) read-only root kind (SELECT/EXPLAIN[/WITH])
+        try:
+            trees = sqlglot.parse(body)
+            root = trees[0]
+        except Exception as e:
+            return StageResult(
+                ok=False,
+                error=["parse_error"],
+                trace=StageTrace(
+                    stage=self.name, duration_ms=_ms(t0), notes={"parse_error": str(e)}
+                ),
+            )
+
+        root_type = type(root).__name__.lower()
+
+        # Manual EXPLAIN handling for dialects that parse EXPLAIN to Command
+        _EXPLAIN_HEAD_RE = re.compile(r"^\s*explain\s+", re.IGNORECASE)
+        if self.allow_explain and _EXPLAIN_HEAD_RE.match(body):
+            remainder = _EXPLAIN_HEAD_RE.sub("", body, count=1).lstrip()
+            try:
+                t2 = sqlglot.parse_one(remainder)
+                t2_type = type(t2).__name__.lower() if t2 else ""
+                if t2_type in {"select", "with"}:
+                    return StageResult(
+                        ok=True,
+                        data={
+                            "sql": body,
+                            "original_len": len(sql),
+                            "sanitized_len": len(body),
+                            "allow_explain": True,
+                        },
+                        trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+                    )
+            except Exception:
+                # fall through to normal handling
+                pass
+
+        is_select_like = root_type in {"select", "with"}
+        is_explain = root_type == "explain"
 
-        if not allowed:
+        if is_explain and not self.allow_explain:
             return StageResult(
                 ok=False,
-                error=["Non-SELECT statement"],
+                error=["EXPLAIN not allowed"],
                 trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
             )
 
-        # 5) Success
+        if not (is_select_like or (is_explain and self.allow_explain)):
+            return StageResult(
+                ok=False,
+                error=[f"Non-SELECT statement: {root_type}"],
+                trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+            )
+
+        # 5) success
         return StageResult(
             ok=True,
             data={
                 "sql": body,
-                "rationale": (
-                    "Statement validated as SELECT-only (strings/comments/markdown ignored)."
-                    + (" EXPLAIN SELECT allowed." if self.allow_explain else "")
-                ),
+                "original_len": len(sql),
+                "sanitized_len": len(body),
+                "allow_explain": self.allow_explain,
             },
             trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
         )
 
-    # Backward-compat alias
-    run = check
+    # Keep Pipeline API compatibility (pipeline calls .run(sql=...))
+    def run(self, *, sql: str) -> StageResult:
+        return self.check(sql)

nl2sql/verifier.py

@@ -1,5 +1,8 @@
+from __future__ import annotations
+
+import re
 import time
-from typing import Any, Iterable
+from typing import Any, Iterable, List, Optional
 
 import sqlglot
 from sqlglot import expressions as exp
@@ -7,108 +10,264 @@ from sqlglot import expressions as exp
 from nl2sql.types import StageResult, StageTrace
 
 
+def _ms(t0: float) -> int:
+    return int((time.perf_counter() - t0) * 1000)
+
+
 class Verifier:
     name = "verifier"
 
-    # ----------------- helpers -----------------
-    @staticmethod
-    def _extract_ok(exec_result: Any) -> bool | None:
-        """Normalize exec_result.ok across dict or object."""
-        if exec_result is None:
-            return None
-        if isinstance(exec_result, dict):
-            return bool(exec_result.get("ok")) if "ok" in exec_result else None
-        if hasattr(exec_result, "ok"):
-            try:
-                return bool(getattr(exec_result, "ok"))
-            except Exception:
-                return None
+    # Textual fallback: scan for common aggregate calls
+    _AGG_CALL_RE = re.compile(r"\b(count|sum|avg|min|max)\s*\(", re.IGNORECASE)
+
+    # ----------------------- AST helpers (version-friendly) --------------------
+    def _walk(self, node: exp.Expression) -> Iterable[exp.Expression]:
+        """Non-recursive DFS over sqlglot Expression tree (avoid private APIs)."""
+        stack = [node]
+        while stack:
+            cur = stack.pop()
+            if isinstance(cur, exp.Expression):
+                yield cur
+                args = getattr(cur, "args", {}) or {}
+                for v in args.values():
+                    if isinstance(v, exp.Expression):
+                        stack.append(v)
+                    elif isinstance(v, list):
+                        for it in v:
+                            if isinstance(it, exp.Expression):
+                                stack.append(it)
+
+    def _first_select(self, tree: exp.Expression) -> Optional[exp.Select]:
+        for n in self._walk(tree):
+            if isinstance(n, exp.Select):
+                return n
         return None
 
-    @staticmethod
-    def _extract_errors(exec_result: Any) -> list[str] | None:
-        """Pull ['...'] from exec_result['error'] or exec_result.error."""
-        val = None
-        if isinstance(exec_result, dict):
-            val = exec_result.get("error")
-        elif hasattr(exec_result, "error"):
-            val = getattr(exec_result, "error")
-
-        if val is None:
-            return None
-        if isinstance(val, str):
-            return [val]
-        if isinstance(val, Iterable):
-            # normalize to list[str]
-            return [str(x) for x in val]
-        return [str(val)]
-
-    @staticmethod
-    def _has_aggregation(tree: exp.Expression) -> bool:
-        for node in tree.walk():
-            if getattr(node, "is_aggregate", False):
+    def _has_group_by(self, tree: exp.Expression) -> bool:
+        sel = self._first_select(tree)
+        if not sel:
+            return False
+        # sqlglot stores GROUP BY on Select.group
+        return bool(getattr(sel, "group", None))
+
+    def _is_distinct_projection(self, tree: exp.Expression) -> bool:
+        sel = self._first_select(tree)
+        if not sel:
+            return False
+        # DISTINCT may appear as Select.distinct or a Distinct node
+        if getattr(sel, "distinct", None):
+            return True
+        return any(isinstance(n, exp.Distinct) for n in self._walk(sel))
+
+    def _has_windowed_aggregate(self, tree: exp.Expression) -> bool:
+        # If there is any OVER(...) window, aggregates without GROUP BY can be legitimate
+        return any(isinstance(n, exp.Window) for n in self._walk(tree))
+
+    def _expr_contains_agg(self, node: exp.Expression) -> bool:
+        """True if subtree contains an aggregate call."""
+        # Note: exp.Aggregate doesn't exist in sqlglot, use specific aggregate types
+        AGG_TYPES = (exp.Count, exp.Sum, exp.Avg, exp.Min, exp.Max)
+        # Also check for other aggregate functions that might exist
+        try:
+            AGG_TYPES = AGG_TYPES + (exp.GroupConcat, exp.ArrayAgg, exp.StringAgg)
+        except AttributeError:
+            pass  # Some aggregate types might not exist in all sqlglot versions
+
+        return any(isinstance(n, AGG_TYPES) for n in self._walk(node))
+
+    def _has_nonagg_column(self, node: exp.Expression) -> bool:
+        """Subtree contains a column reference that is NOT inside an aggregate."""
+        # Check if there are any columns in this expression
+        columns = [n for n in self._walk(node) if isinstance(n, exp.Column)]
+        if not columns:
+            return False
+
+        # Check if all columns are inside aggregates
+        for col in columns:
+            # Walk up from column to see if it's inside an aggregate
+            # is_in_agg = False
+            # For simplicity, check if the entire expression contains both column and aggregate
+            # A more precise check would require parent tracking
+            if self._expr_contains_agg(node):
+                # This is a simplified check - if the node has both columns and aggregates,
+                # we need more complex logic to determine if columns are outside aggregates
                 return True
-            if isinstance(node, (exp.Count, exp.Sum, exp.Avg, exp.Min, exp.Max)):
+            else:
+                # No aggregates, so if there are columns, they're non-aggregate
                 return True
         return False
 
-    @staticmethod
-    def _has_group_by(select: exp.Select) -> bool:
-        return bool(select.args.get("group"))
+    # ----------------------- Textual fallback helpers -------------------------
+    def _clean_sql_for_fn_scan(self, sql: str) -> str:
+        """Remove comments/strings so regex won't be fooled."""
+        s = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)  # block comments
+        s = re.sub(r"--.*?$", " ", s, flags=re.MULTILINE)  # line comments
+        s = re.sub(
+            r"('([^']|'')*'|\"([^\"]|\"\")*\"|`[^`]*`)", " ", s
+        )  # quoted strings / idents
+        s = re.sub(r"\s+", " ", s).strip()
+        return s
 
-    # ------------------- main -------------------
-    def run(self, *, sql: str, exec_result: Any) -> StageResult:
+    # ----------------------- Adapter result helpers ---------------------------
+    def _extract_ok(self, exec_result: Any) -> Optional[bool]:
+        if isinstance(exec_result, dict):
+            v = exec_result.get("ok")
+            if isinstance(v, bool):
+                return v
+        return None
+
+    def _extract_error(self, exec_result: Any) -> Optional[str]:
+        if isinstance(exec_result, dict):
+            for k in ("error", "message", "detail"):
+                if k in exec_result and exec_result[k]:
+                    return str(exec_result[k])
+        return None
+
+    # ----------------------------- Main entry ---------------------------------
+    def verify(self, sql: str, *, adapter: Any) -> StageResult:
         t0 = time.perf_counter()
+        issues: List[str] = []
 
-        # 1) validate / normalize executor result
-        ok_flag = self._extract_ok(exec_result)
-        if ok_flag is False:
-            errs = self._extract_errors(exec_result) or ["execution_error"]
-            trace_err = StageTrace(
-                stage=self.name,
-                duration_ms=(time.perf_counter() - t0) * 1000,
-                notes={"reason": "execution_error"},
-            )
-            return StageResult(ok=False, error=errs, trace=trace_err)
+        # 1) Parse - Check for errors in the parsed result
+        try:
+            tree = sqlglot.parse_one(sql, read=None)  # autodetect dialect
 
-        if exec_result is None:
-            trace_inv = StageTrace(
-                stage=self.name, duration_ms=(time.perf_counter() - t0) * 1000
-            )
+            # Check if the parse actually succeeded
+            if tree is None:
+                return StageResult(
+                    ok=False,
+                    error=["parse_error"],
+                    trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+                )
+
+            # sqlglot may parse broken SQL as an "Unknown" or "Command" type
+            # Check if we got a proper SQL statement type
+            tree_type = type(tree).__name__
+
+            # Check for common sqlglot error indicators
+            # When sqlglot can't parse properly, it often creates Command or Unknown nodes
+            if tree_type in ("Command", "Unknown"):
+                return StageResult(
+                    ok=False,
+                    error=["parse_error"],
+                    trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+                )
+
+            # Also check if the tree has errors attribute (some versions of sqlglot)
+            if hasattr(tree, "errors") and tree.errors:
+                return StageResult(
+                    ok=False,
+                    error=["parse_error"],
+                    trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+                )
+
+            # Additional check: if it's not a recognized DML/DQL statement
+            valid_types = ("Select", "With", "Union", "Intersect", "Except", "Values")
+            if tree_type not in valid_types:
+                # This might be a parse error disguised as a different statement type
+                # Let's check if it looks like it should be a SELECT
+                sql_lower = sql.lower().strip()
+                if any(
+                    sql_lower.startswith(kw)
+                    for kw in ["selct", "slect", "selet", "seelct"]
+                ):
+                    # Common misspellings of SELECT
+                    return StageResult(
+                        ok=False,
+                        error=["parse_error"],
+                        trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+                    )
+
+        except Exception:
             return StageResult(
                 ok=False,
-                error=["invalid or missing exec_result"],
-                trace=trace_inv,
+                error=["parse_error"],
+                trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
             )
 
-        # 2) structural verification
+        # 2) Semantic checks (AST-first)
         try:
-            tree = sqlglot.parse_one(sql)
+            sel = self._first_select(tree)
+            if sel:
+                has_group = self._has_group_by(tree)
+                has_window = self._has_windowed_aggregate(tree)
+                is_distinct = self._is_distinct_projection(tree)
+
+                select_items = list(getattr(sel, "expressions", []) or [])
+                any_agg = any(self._expr_contains_agg(it) for it in select_items)
+
+                # More precise check for non-aggregate columns
+                any_nonagg_col = False
+                for item in select_items:
+                    # Check if this select item has columns but no aggregates
+                    has_cols = any(isinstance(n, exp.Column) for n in self._walk(item))
+                    has_aggs = self._expr_contains_agg(item)
+                    if has_cols and not has_aggs:
+                        any_nonagg_col = True
+                        break
+
+                # Core rule: aggregate + non-aggregate column without GROUP BY is an issue,
+                # unless DISTINCT or windowed aggregate makes it legitimate.
+                if (
+                    any_agg
+                    and any_nonagg_col
+                    and not (has_group or has_window or is_distinct)
+                ):
+                    issues.append("aggregation_without_group_by")
         except Exception as e:
-            # parsing failed → accept with a note
-            trace_skip = StageTrace(
-                stage=self.name,
-                duration_ms=(time.perf_counter() - t0) * 1000,
-                notes={"note": f"Skipped parse: {e}"},
-            )
-            return StageResult(ok=True, data={"verified": True}, trace=trace_skip)
+            # Don't crash the verifier; surface a soft issue and let fallback run
+            issues.append(f"semantic_check_error:{e!s}")
+
+        # 3) Fallback textual scan — only if AST didn't already flag
+        if not any("aggregation_without_group_by" in i for i in issues):
+            try:
+                cleaned = self._clean_sql_for_fn_scan(sql)
+                has_agg_call = bool(self._AGG_CALL_RE.search(cleaned))
+                has_group_kw = re.search(r"\bgroup\s+by\b", cleaned, re.IGNORECASE)
+                has_over_kw = re.search(r"\bover\s*\(", cleaned, re.IGNORECASE)
+                has_distinct_kw = re.search(
+                    r"\bselect\s+distinct\b", cleaned, re.IGNORECASE
+                )
 
-        issues: list[str] = []
+                if has_agg_call and not (
+                    has_group_kw or has_over_kw or has_distinct_kw
+                ):
+                    m_sel = re.search(
+                        r"\bselect\s+(?P<sel>.+?)\s+\bfrom\b",
+                        cleaned,
+                        re.IGNORECASE | re.DOTALL,
+                    )
+                    if m_sel:
+                        select_list = m_sel.group("sel")
+                        # a comma strongly suggests mixing aggregate and non-aggregate in projection
+                        if "," in select_list:
+                            issues.append("aggregation_without_group_by")
+            except Exception:
+                # ignore fallback errors
+                pass
 
-        # Detect ANY aggregation without GROUP BY for SELECT statements
-        if isinstance(tree, exp.Select):
-            has_agg = self._has_aggregation(tree)
-            has_group = self._has_group_by(tree)
-            if has_agg and not has_group:
-                issues.append("Aggregation without GROUP BY")
+        # 4) Optional: cheap preview execution (adapter may be a stub in tests)
+        try:
+            exec_result = adapter.execute_preview(sql) if adapter else {"ok": True}
+            ok_val = self._extract_ok(exec_result)
+            if ok_val is False:
+                err = self._extract_error(exec_result)
+                issues.append(f"exec_error:{err}" if err else "exec_error")
+        except Exception as e:
+            issues.append(f"exec_exception:{e!s}")
 
-        dur = (time.perf_counter() - t0) * 1000
+        # 5) Final decision — AFTER all checks (note: no early return before fallback)
         if issues:
-            trace_bad = StageTrace(
-                stage=self.name, duration_ms=dur, notes={"issues": issues}
+            return StageResult(
+                ok=False,
+                error=issues,
+                trace=StageTrace(
+                    stage=self.name, duration_ms=_ms(t0), notes={"issues": issues}
+                ),
             )
-            return StageResult(ok=False, error=issues, trace=trace_bad)
 
-        # 3) success
-        trace_ok = StageTrace(stage=self.name, duration_ms=dur)
-        return StageResult(ok=True, data={"verified": True}, trace=trace_ok)
+        return StageResult(
+            ok=True,
+            data={"verified": True},
+            trace=StageTrace(stage=self.name, duration_ms=_ms(t0)),
+        )

tests/test_safety.py

@@ -240,3 +240,53 @@ def test_safety_stage_name_constant():
     s = Safety()
     r = s.check("SELECT 1;")
     assert r.trace.stage == "safety"
+
+
+# Semicolon inside comments should NOT count as new statement
+def test_safety_semicolon_inside_comment_is_ignored():
+    s = Safety()
+    sql = "SELECT 1 -- ; semicolon in comment\n"
+    r = s.check(sql)
+    assert r.ok, r.error
+
+
+# Recursive CTE with DML inside should be blocked
+def test_safety_blocks_dml_inside_recursive_cte():
+    s = Safety()
+    sql = """
+    WITH RECURSIVE bad(x) AS (
+      DELETE FROM users
+    )
+    SELECT * FROM users;
+    """
+    r = s.check(sql)
+    assert not r.ok
+
+
+# --- 3) Zero-width spaces + comment obfuscation around DML
+@pytest.mark.parametrize(
+    "q",
+    [
+        "/* hidden */\u200bDELETE\u200b/* again */ FROM users;",
+        "SELECT 1; \u200b /*x*/ DELETE /*y*/ FROM users;",
+    ],
+)
+def test_safety_obfuscated_dml_is_blocked(q):
+    s = Safety()
+    r = s.check(q)
+    assert not r.ok
+
+
+# Multi-statement with stray semicolon and whitespace
+def test_safety_blocks_stacked_statements_with_whitespace():
+    s = Safety()
+    q = "SELECT 1 ;   \n  DELETE FROM users;"
+    r = s.check(q)
+    assert not r.ok
+
+
+#  ALLOW EXPLAIN (config gate)
+@pytest.mark.parametrize("q", ["explain   select 1;", "EXPLAIN\nSELECT 1;"])
+def test_safety_explain_allowed_when_enabled(q):
+    s = Safety(allow_explain=True)
+    assert s.check(q).ok

tests/test_verifier.py

@@ -1,35 +1,75 @@
 from nl2sql.verifier import Verifier
-from nl2sql.types import StageResult, StageTrace
+from nl2sql.types import StageTrace
 
 
-def make_exec_result(ok=True, error=None):
-    return StageResult(
-        ok=ok, data={"dummy": True} if ok else None, trace=None, error=error
+# --- Tiny fake adapter for preview execution ---------------------------------
+class FakeAdapter:
+    """Mimics adapter.execute_preview(sql) returning dicts with ok/error."""
+
+    def __init__(self, will_ok=True, error=None):
+        self.will_ok = will_ok
+        self.error = error
+
+    def execute_preview(self, sql: str):
+        if self.will_ok:
+            return {"ok": True}
+        if self.error:
+            return {"ok": False, "error": self.error}
+        return {"ok": False}
+
+
+# -----------------------------------------------------------------------------
+
+
+def test_verifier_parse_error_is_not_ok():
+    v = Verifier()
+    fake = FakeAdapter(will_ok=True)
+    r = v.verify("SELCT * FRM broken;", adapter=fake)  # intentionally broken
+    assert not r.ok
+    assert r.error and "parse_error" in r.error
+
+
+def test_verifier_plain_aggregate_without_groupby_is_flagged():
+    v = Verifier()
+    fake = FakeAdapter(will_ok=True)
+    r = v.verify("SELECT COUNT(*), country FROM customers;", adapter=fake)
+    assert not r.ok
+    assert r.error and "aggregation_without_group_by" in r.error
+
+
+def test_verifier_windowed_aggregate_is_ok_without_groupby():
+    v = Verifier()
+    fake = FakeAdapter(will_ok=True)
+    r = v.verify(
+        "SELECT customer_id, SUM(amount) OVER (PARTITION BY customer_id) AS s FROM payments;",
+        adapter=fake,
     )
+    assert r.ok, r.error
 
 
-def test_verifier_handles_execution_error():
+def test_verifier_distinct_projection_is_ok_with_aggregate():
     v = Verifier()
-    r = v.run(
-        sql="SELECT 1", exec_result=make_exec_result(ok=False, error=["db error"])
+    fake = FakeAdapter(will_ok=True)
+    r = v.verify(
+        "SELECT DISTINCT artist_id, COUNT(*) FROM albums;",
+        adapter=fake,
     )
-    assert not r.ok
-    assert "execution_error" in r.trace.notes["reason"]
-    assert r.error == ["db error"]
+    # DISTINCT + aggregate can be valid; avoid false positives.
+    assert r.ok or "aggregation_without_group_by" not in (r.error or [])
 
 
-def test_verifier_detects_agg_without_group():
+def test_verifier_exec_error_is_reported():
     v = Verifier()
-    sql = "SELECT COUNT(*) FROM users"
-    r = v.run(sql=sql, exec_result=make_exec_result(ok=True))
+    fake = FakeAdapter(will_ok=False, error="no such table: imaginary_table")
+    r = v.verify("SELECT name FROM imaginary_table;", adapter=fake)
     assert not r.ok
-    assert any("Aggregation without GROUP BY" in e for e in r.error)
+    assert any(("exec_error" in e) or ("exec_exception" in e) for e in (r.error or []))
 
 
-def test_verifier_parses_valid_sql_ok():
+def test_verifier_returns_trace_with_int_duration():
     v = Verifier()
-    sql = "SELECT COUNT(*), city FROM users GROUP BY city"
-    r = v.run(sql=sql, exec_result=make_exec_result(ok=True))
-    assert r.ok
-    assert r.data == {"verified": True}
+    fake = FakeAdapter(will_ok=True)
+    r = v.verify("SELECT 1;", adapter=fake)
     assert isinstance(r.trace, StageTrace)
+    # Some implementations store duration as int milliseconds:
+    assert isinstance(r.trace.duration_ms, int)