docs: add W014 to CHANGELOG and README, bump key numbers to 41/26

Author: Pawansingh3889

CHANGELOG.md

@@ -12,6 +12,13 @@ a deprecation window (see `GOVERNANCE.md` § Scope discipline).
 
 ### Added
 
+- **W014 `case-without-else`** - warns when a `CASE ... END` block has
+  no `ELSE` branch, so unmatched rows return `NULL`. Walks the
+  statement token-by-token tracking nesting, so an outer `CASE` with no
+  `ELSE` still fires even when an inner `CASE` does have one. Fires per
+  unmatched block. Suggests adding `ELSE NULL` for explicitness.
+  Contributed by [@hellozzm](https://github.com/hellozzm)
+  ([#32](https://github.com/Pawansingh3889/sql-guard/pull/32)).
 - **W015 `join-function-on-column`** - warns when a function wraps a
   column inside a `JOIN ... ON` predicate, the JOIN-side companion to W003.
   `JOIN customers c ON UPPER(o.email) = UPPER(c.email)` defeats every

README.md

@@ -24,7 +24,7 @@ One bad SQL query can delete production data, expose customer records, or bring
 
 | | |
 |---|---|
-| Rules | 41 (10 errors, 26 warnings, 5 Python-source) |
+| Rules | 42 (10 errors, 27 warnings, 5 Python-source) |
 | Tests | 152 |
 | Coverage | 86% |
 | Scan speed | 0.08s across 200 files |
@@ -43,7 +43,7 @@ print(result.summary()) # "1 error, 0 warnings in 1 statement"
 
 ---
 
-Fast, rule-based SQL linter. 41 rules (36 SQL + 5 Python), including SQL Server-focused rules for T-SQL shops. Inline disable, project config, git-changed-only mode, and SARIF output for GitHub Code Scanning. 500+ monthly downloads on PyPI.
+Fast, rule-based SQL linter. 42 rules (37 SQL + 5 Python), including SQL Server-focused rules for T-SQL shops. Inline disable, project config, git-changed-only mode, and SARIF output for GitHub Code Scanning. 500+ monthly downloads on PyPI.
 
 Catches dangerous SQL before it reaches production -- DELETE without WHERE, UPDATE without WHERE, SQL injection patterns, SELECT *, and 20 more. Runs as a **CLI tool**, **pre-commit hook**, and **GitHub Action**.
 
@@ -227,6 +227,7 @@ sql-sop list-rules                       # show every registered rule
 | W009 | `missing-semicolon` | Statement not terminated with `;` |
 | W010 | `commented-out-code` | `-- SELECT * FROM old_table` -- use version control |
 | W013 | `window-missing-partition` | `OVER ()` -- unpredictable results and unclear intent |
+| W014 | `case-without-else` | `CASE WHEN ... THEN ... END` -- unmatched rows return NULL |
 | W015 | `join-function-on-column` | `JOIN customers c ON UPPER(o.email) = UPPER(c.email)` -- kills index seek |
 | W016 | `not-in-with-subquery` | `WHERE id NOT IN (SELECT ...)` -- silently returns 0 rows on NULL 
 | W017 | `leading-wildcard-like` | `WHERE name LIKE '%smith'` -- non-SARGable, full scan |

sql_guard/rules/warnings.py

@@ -491,6 +491,13 @@ class CaseWithoutElse(Rule):
     ``NULL`` for any row that doesn't match a ``WHEN`` condition.
     Often the author assumes the conditions are exhaustive when they
     aren't, or downstream code can't handle NULLs.
+
+    Walks ``CASE`` / ``ELSE`` / ``END`` tokens with a depth-aware stack
+    so a nested-but-complete ``CASE`` doesn't mask an outer one that
+    lacks ``ELSE``. Each ``CASE`` block is judged on its own ``ELSE``
+    count. Standalone ``END`` tokens (for example ``BEGIN ... END``
+    blocks in T-SQL) are ignored when no matching ``CASE`` is on the
+    stack.
     """
 
     id = "W014"
@@ -499,20 +506,36 @@ class CaseWithoutElse(Rule):
     description = "CASE without ELSE returns NULL for unmatched rows"
     multiline = True
 
-    _case = Rule._compile(r"\bCASE\b")
-    _end = Rule._compile(r"\bEND\b")
-    _else = Rule._compile(r"\bELSE\b")
+    _case_keyword = Rule._compile(r"\b(CASE|END|ELSE)\b")
 
     def check_statement(self, statement: str, start_line: int, file: str) -> Finding | None:
-        if self._case.search(statement) and self._end.search(statement) and not self._else.search(statement):
-            return Finding(
-                rule_id=self.id,
-                severity=self.severity,
-                file=file,
-                line=start_line,
-                message="CASE without ELSE -- unmatched rows return NULL",
-                suggestion="Add an explicit ELSE clause, even if it's ELSE NULL for clarity",
-            )
+        # Walk CASE/ELSE/END tokens with a depth-aware stack. Each CASE
+        # pushes an entry; ELSE marks the current entry; END pops and
+        # decides. Nested CASEs are judged independently, so an outer
+        # CASE with no ELSE still fires even if an inner one has ELSE.
+        stack: list[bool] = []  # one entry per open CASE; True if ELSE seen
+        for match in self._case_keyword.finditer(statement):
+            word = match.group(1).upper()
+            if word == "CASE":
+                stack.append(False)
+            elif word == "ELSE":
+                if stack:
+                    stack[-1] = True
+            elif word == "END":
+                if not stack:
+                    # END with no matching CASE -- e.g. a T-SQL BEGIN/END
+                    # block. Skip rather than false-fire.
+                    continue
+                had_else = stack.pop()
+                if not had_else:
+                    return Finding(
+                        rule_id=self.id,
+                        severity=self.severity,
+                        file=file,
+                        line=start_line,
+                        message="CASE without ELSE -- unmatched rows return NULL",
+                        suggestion="Add an explicit ELSE clause, even if it's ELSE NULL for clarity",
+                    )
         return None
 
 

tests/test_rules.py

@@ -213,6 +213,33 @@ def test_w014_case_with_else_ok(self, tmp_path) -> None:
         w014 = [f for f in result.findings if f.rule_id == "W014"]
         assert not w014
 
+    def test_w014_outer_case_without_else_fires_when_inner_has_else(
+        self, tmp_path
+    ) -> None:
+        # Issue #4 specifically called out the nested case: an outer
+        # CASE with no ELSE must still fire even when an inner CASE
+        # does have one.
+        from sql_guard.rules.warnings import CaseWithoutElse
+
+        rule = CaseWithoutElse()
+        nested = (
+            "SELECT CASE\n"
+            "  WHEN x THEN CASE WHEN y THEN 1 ELSE 2 END\n"
+            "  WHEN z THEN 3\n"
+            "END FROM t;"
+        )
+        finding = rule.check_statement(nested, 1, "test.sql")
+        assert finding is not None
+        assert finding.rule_id == "W014"
+
+    def test_w014_does_not_fire_on_begin_end_block(self) -> None:
+        # T-SQL BEGIN/END blocks should not trip the rule on their own.
+        from sql_guard.rules.warnings import CaseWithoutElse
+
+        rule = CaseWithoutElse()
+        proc = "BEGIN\n  SELECT 1;\nEND;"
+        assert rule.check_statement(proc, 1, "test.sql") is None
+
 
 # ---------------------------------------------------------------------------
 # Clean file