feat: Go and JavaScript/TypeScript SQL extractors

Adds tree-sitter-backed extractors for `.go`, `.js`, `.ts`, and `.tsx`
files, mirroring the existing `.py` / `.rs` finders.

- `finder/go.rs`: interpreted strings (`"…"`) and raw strings (`` `…` ``).
  `fmt`-style verbs (`%s`, `%d`, …) get swapped for `1` so format
  arguments don't break SQL parsing; `%%` stays as a literal `%`.
- `finder/javascript.rs`: single/double-quoted `string` literals and
  backtick `template_string` literals. Template substitutions
  (`${...}`) become `1`. Used for `.js`, `.ts`, and `.tsx`; the
  TypeScript grammar exposes the same string-literal node kinds, so
  only the language pointer differs per extension.
- `finder/mod.rs`: `SUPPORTED_CODE_FILE_EXTENSIONS` extended to
  `["py","rs","go","ts","tsx","js"]`; dispatch wired.
- LSP and VS Code extension cover the new extensions for diagnostics
  and activation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: davidsmfreire

Cargo.lock

@@ -18,8 +18,13 @@
 - Output formats: text + JSON; split exit codes; `--stdin` mode.
 - `.sqlshield.toml` configuration with CLI override layering.
 - Parallel file walker (rayon) with default ignore list.
+- Language extractors: `.py`, `.rs`, `.go`, `.js`, `.ts`, `.tsx` —
+  string literals, raw / template strings, and language-specific
+  placeholder forms (Python f-strings / `.format()`, Go `fmt` verbs,
+  JS template substitutions).
 - Language Server (`sqlshield-lsp`) for inline editor diagnostics
-  in `.py` / `.rs` / `.sql`; auto-reload on schema-file changes.
+  across every supported source extension; auto-reload on schema-file
+  changes.
 - First-party VS Code extension (`editors/vscode`) wrapping
   `sqlshield-lsp` over stdio.
 - Live database introspection (`sqlshield-introspect`, exposed via
@@ -32,7 +37,7 @@
 - **MySQL live introspection** — pending: `mysql_common` uses unstable
   Rust features that haven't reached the project's pinned toolchain.
   A toolchain bump or a different sync driver would unblock this.
-- **More language extractors** — Go, TypeScript, Java string literals.
+- **More language extractors** — Java, C#, PHP, Ruby string literals.
   Each is a small `finder/<lang>.rs` module + tree-sitter grammar.
 
 ## Not planned

ROADMAP.md

@@ -28,6 +28,11 @@
     "onLanguage:sql",
     "onLanguage:python",
     "onLanguage:rust",
+    "onLanguage:go",
+    "onLanguage:javascript",
+    "onLanguage:javascriptreact",
+    "onLanguage:typescript",
+    "onLanguage:typescriptreact",
     "workspaceContains:**/.sqlshield.toml",
     "workspaceContains:**/schema.sql"
   ],

editors/vscode/package.json

@@ -45,6 +45,11 @@ async function start(_context: ExtensionContext): Promise<void> {
       { scheme: "file", language: "sql" },
       { scheme: "file", language: "python" },
       { scheme: "file", language: "rust" },
+      { scheme: "file", language: "go" },
+      { scheme: "file", language: "javascript" },
+      { scheme: "file", language: "javascriptreact" },
+      { scheme: "file", language: "typescript" },
+      { scheme: "file", language: "typescriptreact" },
     ],
     synchronize: {
       fileEvents: workspace.createFileSystemWatcher("**/.sqlshield.toml"),

editors/vscode/src/extension.ts

@@ -256,7 +256,7 @@ fn compute_diagnostics(text: &str, file_ext: &str, state: &LoadedState) -> Vec<D
                 }
             }
         }
-        "py" | "rs" => {
+        "py" | "rs" | "go" | "ts" | "tsx" | "js" => {
             let dialect = state.dialect.as_sqlparser();
             match sqlshield::finder::find_queries_in_code_with_dialect(
                 text.as_bytes(),

sqlshield-lsp/src/server.rs

@@ -17,8 +17,11 @@ regex = "1.10.3"
 sqlparser = { version = "0.43.1", features = ["visitor"] }
 thiserror = "1.0"
 tree-sitter = "0.20.10"
+tree-sitter-go = "0.20.0"
+tree-sitter-javascript = "0.20.4"
 tree-sitter-python = "0.20.4"
 tree-sitter-rust = "0.20.4"
+tree-sitter-typescript = "0.20.5"
 walkdir = "2.4.0"
 
 [dev-dependencies]

sqlshield/Cargo.toml

@@ -0,0 +1,89 @@
+//! Extract SQL string literals from Go source.
+//!
+//! Go has two string literal forms:
+//!
+//! * Interpreted strings (`"…"`) — backslash escapes apply (`\"`, `\n`, …).
+//!   Tree-sitter labels these `interpreted_string_literal`.
+//! * Raw strings (`` `…` ``) — no escape processing; backtick is the only
+//!   forbidden character. Tree-sitter labels these `raw_string_literal`.
+//!
+//! Go has no built-in interpolation, but `fmt.Sprintf` and friends use
+//! `%s` / `%d` / etc. placeholders embedded inside ordinary strings.
+//! Replace those with `1` so the parsed SQL still tokenizes — same trick
+//! used by the Python finder for `{}` placeholders.
+
+use std::sync::LazyLock;
+
+use regex::Regex;
+
+/// Match the common `fmt`-style verbs (`%s`, `%d`, `%v`, `%q`, …) that
+/// appear in `fmt.Sprintf("SELECT %s FROM …", col)`. `%%` is the literal-`%`
+/// escape and is preserved.
+static FORMAT_VERB_RE: LazyLock<Regex> = LazyLock::new(|| {
+    Regex::new(r"%[+\-# 0]*\d*(?:\.\d+)?[vTtbcdoOqxXUeEfFgGspw]").expect("static regex is valid")
+});
+
+pub fn extract_query_string_from_node(node: &tree_sitter::Node, code: &[u8]) -> Option<String> {
+    let decoded = match node.kind() {
+        "interpreted_string_literal" => {
+            let inner = inner_text(node, code, '"', '"')?;
+            decode_go_escapes(inner)
+        }
+        "raw_string_literal" => inner_text(node, code, '`', '`')?.to_string(),
+        _ => return None,
+    };
+
+    // Preserve `%%` as a sentinel so the verb pass doesn't see a stray `%`.
+    const ESC_PCT: char = '\u{0001}';
+    let escaped = decoded.replace("%%", &ESC_PCT.to_string());
+    let substituted = FORMAT_VERB_RE.replace_all(&escaped, "1");
+    Some(substituted.replace(ESC_PCT, "%"))
+}
+
+fn inner_text<'a>(
+    node: &tree_sitter::Node,
+    code: &'a [u8],
+    open: char,
+    close: char,
+) -> Option<&'a str> {
+    let raw = &code[node.start_byte()..node.end_byte()];
+    let text = std::str::from_utf8(raw).ok()?;
+    let first = text.find(open)?;
+    let last = text.rfind(close)?;
+    if first >= last {
+        return None;
+    }
+    Some(&text[first + 1..last])
+}
+
+fn decode_go_escapes(s: &str) -> String {
+    let mut out = String::with_capacity(s.len());
+    let mut chars = s.chars();
+    while let Some(c) = chars.next() {
+        if c != '\\' {
+            out.push(c);
+            continue;
+        }
+        match chars.next() {
+            Some('"') => out.push('"'),
+            Some('\\') => out.push('\\'),
+            Some('\'') => out.push('\''),
+            Some('n') => out.push('\n'),
+            Some('t') => out.push('\t'),
+            Some('r') => out.push('\r'),
+            Some('a') | Some('b') | Some('f') | Some('v') | Some('0') => {
+                // Drop these control escapes; keeping a literal byte is
+                // pointless for SQL, and they never carry semantic meaning
+                // inside a query string.
+            }
+            // `\xNN`, `\uNNNN`, `\UNNNNNNNN`, octal — keep the literal
+            // text. Half-decoding adds risk without value for linting.
+            Some(other) => {
+                out.push('\\');
+                out.push(other);
+            }
+            None => out.push('\\'),
+        }
+    }
+    out
+}

sqlshield/src/finder/go.rs

@@ -0,0 +1,122 @@
+//! Extract SQL string literals from JavaScript and TypeScript source.
+//!
+//! Both grammars expose the same string-literal shapes:
+//!
+//! * `string` — single- or double-quoted, with backslash escapes.
+//! * `template_string` — backtick-quoted; may contain `${...}`
+//!   `template_substitution` children.
+//!
+//! For template strings we follow the Python finder's pattern: each
+//! `template_substitution` becomes a literal `1`, which keeps the SQL
+//! parsable when substitutions stand in for static values.
+
+pub fn extract_query_string_from_node(node: &tree_sitter::Node, code: &[u8]) -> Option<String> {
+    match node.kind() {
+        // string_inner_text already decodes any escape_sequence children;
+        // its output is the final SQL text.
+        "string" => string_inner_text(node, code),
+        "template_string" => Some(extract_template(node, code)),
+        _ => None,
+    }
+}
+
+/// Get the text between the quotes of a `string` node. Tree-sitter's JS
+/// grammar emits `string_fragment` children for the raw content, so prefer
+/// concatenating those when present; fall back to slicing between the outer
+/// quote characters otherwise.
+fn string_inner_text(node: &tree_sitter::Node, code: &[u8]) -> Option<String> {
+    let mut cursor = node.walk();
+    let mut content = String::new();
+    let mut found_fragment = false;
+    for child in node.children(&mut cursor) {
+        match child.kind() {
+            "string_fragment" => {
+                found_fragment = true;
+                content.push_str(&String::from_utf8_lossy(
+                    &code[child.start_byte()..child.end_byte()],
+                ));
+            }
+            "escape_sequence" => {
+                found_fragment = true;
+                let raw = &code[child.start_byte()..child.end_byte()];
+                let text = std::str::from_utf8(raw).ok()?;
+                // Decode the single escape inline so the caller's pass is a
+                // no-op for whatever we produce here.
+                content.push_str(&decode_js_escapes(text));
+            }
+            _ => {}
+        }
+    }
+    if found_fragment {
+        return Some(content);
+    }
+    // Empty string or older grammar shape: slice between the outer quotes.
+    let raw = &code[node.start_byte()..node.end_byte()];
+    let text = std::str::from_utf8(raw).ok()?;
+    let bytes = text.as_bytes();
+    let quote = bytes.first().copied()?;
+    if quote != b'"' && quote != b'\'' {
+        return None;
+    }
+    let first = text.find(quote as char)?;
+    let last = text.rfind(quote as char)?;
+    if first >= last {
+        return None;
+    }
+    Some(text[first + 1..last].to_string())
+}
+
+fn extract_template(node: &tree_sitter::Node, code: &[u8]) -> String {
+    let mut cursor = node.walk();
+    let mut out = String::new();
+    for child in node.children(&mut cursor) {
+        match child.kind() {
+            "string_fragment" => {
+                out.push_str(&String::from_utf8_lossy(
+                    &code[child.start_byte()..child.end_byte()],
+                ));
+            }
+            "escape_sequence" => {
+                let raw = &code[child.start_byte()..child.end_byte()];
+                if let Ok(text) = std::str::from_utf8(raw) {
+                    out.push_str(&decode_js_escapes(text));
+                }
+            }
+            "template_substitution" => {
+                // Replace ${...} with `1` — same trick as the Python finder.
+                out.push('1');
+            }
+            _ => {}
+        }
+    }
+    out
+}
+
+fn decode_js_escapes(s: &str) -> String {
+    let mut out = String::with_capacity(s.len());
+    let mut chars = s.chars();
+    while let Some(c) = chars.next() {
+        if c != '\\' {
+            out.push(c);
+            continue;
+        }
+        match chars.next() {
+            Some('"') => out.push('"'),
+            Some('\'') => out.push('\''),
+            Some('`') => out.push('`'),
+            Some('\\') => out.push('\\'),
+            Some('n') => out.push('\n'),
+            Some('t') => out.push('\t'),
+            Some('r') => out.push('\r'),
+            Some('0') => out.push('\0'),
+            // `\b`, `\f`, `\v`, `\xNN`, `\uNNNN`, `\u{...}`, octal: keep
+            // literal text. Half-decoding adds risk without payoff.
+            Some(other) => {
+                out.push('\\');
+                out.push(other);
+            }
+            None => out.push('\\'),
+        }
+    }
+    out
+}

sqlshield/src/finder/javascript.rs

@@ -1,5 +1,7 @@
 //! Locates SQL strings inside source files by walking a tree-sitter AST.
 
+mod go;
+mod javascript;
 mod python;
 mod rust;
 
@@ -13,7 +15,7 @@ pub struct QueryInCode {
     pub statements: Vec<sqlparser::ast::Statement>,
 }
 
-pub const SUPPORTED_CODE_FILE_EXTENSIONS: [&str; 2] = ["py", "rs"];
+pub const SUPPORTED_CODE_FILE_EXTENSIONS: [&str; 6] = ["py", "rs", "go", "ts", "tsx", "js"];
 
 pub fn find_queries_in_file(file_path: &Path) -> Result<Vec<QueryInCode>> {
     let dialect = sqlparser::dialect::GenericDialect {};
@@ -59,6 +61,25 @@ pub fn find_queries_in_code_with_dialect(
                 tree_sitter_rust::language(),
                 rust::extract_query_string_from_node,
             ),
+            "go" => (
+                tree_sitter_go::language(),
+                go::extract_query_string_from_node,
+            ),
+            "js" => (
+                tree_sitter_javascript::language(),
+                javascript::extract_query_string_from_node,
+            ),
+            // TypeScript and TSX share node kinds with JavaScript for the
+            // string-literal shapes we care about, so the extractor is the
+            // same; only the grammar changes.
+            "ts" => (
+                tree_sitter_typescript::language_typescript(),
+                javascript::extract_query_string_from_node,
+            ),
+            "tsx" => (
+                tree_sitter_typescript::language_tsx(),
+                javascript::extract_query_string_from_node,
+            ),
             other => return Err(SqlShieldError::UnsupportedFileExtension(other.to_string())),
         };