fix: handle .format() {{ }} escapes in Python string extractor

The lazy `\{.*?\}` substitution greedily-from-left ate `{{key}` from
`{{key}}`, leaving a stray `}` and breaking the SQL parse. Any query
that referenced JSON-like literals (`'{{tag}}'`) or simply documented
braces in a comment would be silently dropped.

Pre-escape `{{`/`}}` with sentinel bytes (`\u{0001}` / `\u{0002}`)
before the regex, then restore them as literal `{`/`}`. Single
placeholders `{x}` continue to substitute as `1`.

3 tests cover single placeholder (no regression), the bare
double-brace literal, and a mix of escapes adjacent to a real
placeholder.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: davidsmfreire

sqlshield/src/finder/python.rs

@@ -26,11 +26,18 @@ pub fn extract_query_string_from_node(node: &tree_sitter::Node, code: &[u8]) ->
         }
     }
 
-    // If it isn't an fstring, but has interpolations to be formatted with .format later
-    // tree_sitter will not store the interpolation node and the code above won't clean it
-    content_as_string = INTERPOLATION_RE
-        .replace_all(&content_as_string, "1")
-        .to_string();
+    // For `.format()`-style strings tree-sitter doesn't yield interpolation
+    // nodes, so we sweep `{...}` placeholders here. `.format()` uses `{{`
+    // and `}}` as literal braces — pre-escape them with sentinel bytes so
+    // the lazy regex doesn't eat the doubled-up form (which would leave a
+    // stray `}` and break the SQL parse), then restore single braces after.
+    const ESC_OPEN: char = '\u{0001}';
+    const ESC_CLOSE: char = '\u{0002}';
+    let escaped = content_as_string
+        .replace("{{", &ESC_OPEN.to_string())
+        .replace("}}", &ESC_CLOSE.to_string());
+    let substituted = INTERPOLATION_RE.replace_all(&escaped, "1");
+    let restored = substituted.replace(ESC_OPEN, "{").replace(ESC_CLOSE, "}");
 
-    Some(content_as_string)
+    Some(restored)
 }

sqlshield/tests/python_interpolation.rs

@@ -0,0 +1,51 @@
+//! Python string-template extraction edge cases — escaped braces in
+//! `.format()` and f-strings.
+
+use sqlshield::finder::find_queries_in_code;
+
+fn extract(source: &str) -> Vec<Vec<sqlparser::ast::Statement>> {
+    find_queries_in_code(source.as_bytes(), "py")
+        .unwrap()
+        .into_iter()
+        .map(|q| q.statements)
+        .collect()
+}
+
+#[test]
+fn single_placeholder_is_replaced_with_literal_one() {
+    // Existing behavior: `{x}` substitutes for a value-position placeholder.
+    let source = r#"q = "SELECT name FROM users WHERE id = {x}".format(x=1)"#;
+    let queries = extract(source);
+    assert_eq!(queries.len(), 1);
+    // The query should parse and contain the substituted `1`.
+    let rendered = queries[0][0].to_string();
+    assert!(
+        rendered.contains("id = 1"),
+        "expected substitution; got: {rendered}"
+    );
+}
+
+#[test]
+fn double_brace_is_preserved_as_literal_brace() {
+    // `.format()` uses `{{` for a literal `{`. Without escape handling, the
+    // greedy regex eats `{{key}` and leaves a stray `}`, breaking the parse.
+    let source = r#"q = "SELECT * FROM users WHERE config = '{{key}}'".format()"#;
+    let queries = extract(source);
+    assert_eq!(queries.len(), 1, "query should parse cleanly");
+    let rendered = queries[0][0].to_string();
+    assert!(
+        rendered.contains("'{key}'"),
+        "double-brace should round-trip to single brace; got: {rendered}"
+    );
+}
+
+#[test]
+fn mixed_escapes_and_placeholders() {
+    // `{{literal}}` next to `{real}`: literal preserved, real substituted.
+    let source = r#"q = "SELECT * FROM users WHERE meta = '{{tag}}' AND id = {x}".format(x=1)"#;
+    let queries = extract(source);
+    assert_eq!(queries.len(), 1);
+    let rendered = queries[0][0].to_string();
+    assert!(rendered.contains("'{tag}'"));
+    assert!(rendered.contains("id = 1"));
+}