Improve SQL Prompt Robustness and Query Safety Guardrails

[Zay-M3]

This PR improves the SQL generation and execution flow by tightening instructions given to the LLM and reinforcing runtime query validation. The goal is to reduce unsafe outputs, make SQL generation more deterministic, and ensure only read-only queries are executed.

What Changed

Prompt hardening in prompt.py
Clarified that schema context is the single source of truth. Enforced stricter output format: SQL only, no markdown, no comments, no extra text. Strengthened constraints to allow only SELECT queries and explicitly block DML/DDL operations. Added conservative behavior guidance for ambiguous questions. Execution guardrails in sqlquerys.py
Kept SQL sanitization and validation as a second protection layer after prompt generation. Enforced non-empty query validation.
Prevented multi-statement execution.
Required SELECT-first queries.
Blocked forbidden keywords like INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, CREATE, and REPLACE.

Summary by CodeRabbit

• Bug Fixes

  • Enhanced query validation to catch empty queries, multiple statements, and forbidden SQL operations.
  • Improved SQL parsing with better comment and whitespace handling.

• New Features

  • Added database type support for more tailored SQL generation.
  • Expanded query generation instructions for improved reliability and consistency.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Two modules were enhanced: SQL query validation now includes stricter syntax checks, comment removal, and whitespace normalization while modifying transaction behavior, and prompt generation was expanded to accept a database type parameter with restructured instructions.

Changes

Cohort / File(s)	Summary
SQL Query Validation naturalsql/sql/sqlquerys.py	Enhanced clean_sql to remove single-line and multi-line comments, collapse whitespace, and improved execute_query validation with stricter empty/semicolon/keyword checks. Removed automatic commit for non-result queries.
Prompt Generation naturalsql/utils/prompt.py	Added db_type parameter to build_prompt function and reformulated prompt with structured "MANDATORY INSTRUCTIONS" section specifying SQL generation requirements and constraints.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through SQL springs,
Cleaning comments, whitespace things,
With database types now in hand,
Prompts are structured, carefully planned!
✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective: improving SQL prompt robustness and adding query safety guardrails, which directly matches the changes made to prompt.py and sqlquerys.py.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch update

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}