ajitpratap0
diff --git a/‎CHANGELOG.md‎
Lines changed: 10 additions & 144 deletions b/‎CHANGELOG.md‎
Lines changed: 10 additions & 144 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 59 additions & 2 deletions b/‎CLAUDE.md‎
Lines changed: 59 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 104 additions & 1 deletion b/‎README.md‎
Lines changed: 104 additions & 1 deletion
diff --git a/‎SECURITY.md‎
Lines changed: 2 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 2 additions & 0 deletions
@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- **GROUPING SETS, ROLLUP, CUBE** (SQL-99 T431): Complete grouping operations support for advanced aggregations
+- **MERGE Statements** (SQL:2003 F312): Full MERGE support with WHEN MATCHED/NOT MATCHED clauses
+- **Materialized Views**: CREATE, DROP, REFRESH MATERIALIZED VIEW support
+- **Table Partitioning**: PARTITION BY RANGE, LIST, HASH support
+- **SQL Injection Detection**: Built-in security scanner (`pkg/sql/security`) for pattern detection
+- **Expression Operators**: BETWEEN, IN, LIKE, IS NULL with full expression support
+- **Subquery Support**: Scalar, table, correlated, EXISTS subqueries
+- **NULLS FIRST/LAST**: ORDER BY null ordering (SQL-99 F851)
+
 ## [1.5.1] - 2025-11-15 - Phases 2-3 Test Coverage Completion
 
 ### 🎯 Phase 3 Complete: Token and Tokenizer Coverage Enhancement
@@ -452,120 +462,6 @@ This substantial test coverage increase provides strong confidence in the AST pa
 - ✅ Comprehensive test coverage for all new features
 - ✅ Zero performance regression while adding major features
 
-## [1.2.0] - 2025-09-04 - Phase 2: Advanced SQL Features
-
-### ✅ Major Features Implemented
-- **Complete Common Table Expression (CTE) support**: Simple and recursive CTEs with full SQL-92 compliance
-- **Set operations**: UNION, UNION ALL, EXCEPT, INTERSECT with proper left-associative parsing
-- **Multiple CTE definitions**: Comma-separated CTEs in single query with column specifications
-- **CTE Integration**: Full compatibility with all statement types (SELECT, INSERT, UPDATE, DELETE)
-- **Enhanced parser architecture**: New parsing functions for WITH statements and set operations
-
-### 🚀 Performance & Quality
-- **946K+ sustained operations/second** (30s load testing) - production grade performance
-- **1.25M+ operations/second** peak throughput with concurrent processing
-- **<1μs latency** for complex queries with CTEs and set operations
-- **Zero performance regression** from Phase 1 - all existing functionality maintained
-- **Race-free implementation** - comprehensive concurrent testing validates thread safety
-- **Memory efficient** - object pooling preserved with 60-80% memory reduction
-
-### 🎯 SQL Standards Compliance
-- **~70% SQL-92 compliance** achieved (up from ~40% in Phase 1)
-- **Advanced SQL features**: WITH clause, RECURSIVE support, set operations
-- **Complex query compositions**: CTEs combined with set operations in single queries
-- **Proper operator precedence**: Left-associative parsing for chained set operations
-
-### 🔧 Technical Implementation
-- **parseWithStatement()** - Complete WITH clause parsing with recursive support
-- **parseSelectWithSetOperations()** - Set operations parsing with proper precedence  
-- **parseCommonTableExpr()** - Individual CTE parsing with column specifications
-- **parseMainStatementAfterWith()** - Post-CTE statement routing with full integration
-- **Enhanced AST structures** - Complete integration with existing AST framework
-
-### 📊 Comprehensive Testing
-- **24+ test functions** total (9 new Phase 2 tests added)
-- **4 comprehensive CTE tests**: Simple CTE, Recursive CTE, Multiple CTEs, Column specs
-- **5 comprehensive set operation tests**: All operations, chaining, CTE combinations
-- **100% test pass rate** with race detection enabled
-- **Extensive error case coverage** with contextual error messages
-
-### 📚 Documentation Updates
-- **Enhanced Go package documentation** with Phase 2 examples and API references
-- **Comprehensive README updates** with CTE and set operations examples
-- **Updated performance benchmarks** reflecting Phase 2 capabilities
-- **Complete API documentation** for all new parsing functions
-
-### 🔄 Backward Compatibility
-- **100% backward compatible** - all existing functionality preserved
-- **API stability** - no breaking changes to public interfaces
-- **Legacy test compatibility** - all Phase 1 and prior tests continue passing
-- **Performance maintained** - no degradation in existing query parsing performance
-
-### Goals Achieved
-- ✅ ~70% SQL-92 compliance milestone reached
-- ✅ Production-grade CTE implementation with recursive support
-- ✅ Complete set operations support with proper precedence
-- ✅ Enhanced error handling with contextual messages
-- ✅ Comprehensive test coverage for all new features
-- ✅ Zero performance regression while adding major features
-
-## [1.2.0] - 2025-09-04 - Phase 2: Advanced SQL Features
-
-### ✅ Major Features Implemented
-- **Complete Common Table Expression (CTE) support**: Simple and recursive CTEs with full SQL-92 compliance
-- **Set operations**: UNION, UNION ALL, EXCEPT, INTERSECT with proper left-associative parsing
-- **Multiple CTE definitions**: Comma-separated CTEs in single query with column specifications
-- **CTE Integration**: Full compatibility with all statement types (SELECT, INSERT, UPDATE, DELETE)
-- **Enhanced parser architecture**: New parsing functions for WITH statements and set operations
-
-### 🚀 Performance & Quality
-- **946K+ sustained operations/second** (30s load testing) - production grade performance
-- **1.25M+ operations/second** peak throughput with concurrent processing
-- **<1μs latency** for complex queries with CTEs and set operations
-- **Zero performance regression** from Phase 1 - all existing functionality maintained
-- **Race-free implementation** - comprehensive concurrent testing validates thread safety
-- **Memory efficient** - object pooling preserved with 60-80% memory reduction
-
-### 🎯 SQL Standards Compliance
-- **~70% SQL-92 compliance** achieved (up from ~40% in Phase 1)
-- **Advanced SQL features**: WITH clause, RECURSIVE support, set operations
-- **Complex query compositions**: CTEs combined with set operations in single queries
-- **Proper operator precedence**: Left-associative parsing for chained set operations
-
-### 🔧 Technical Implementation
-- **parseWithStatement()** - Complete WITH clause parsing with recursive support
-- **parseSelectWithSetOperations()** - Set operations parsing with proper precedence  
-- **parseCommonTableExpr()** - Individual CTE parsing with column specifications
-- **parseMainStatementAfterWith()** - Post-CTE statement routing with full integration
-- **Enhanced AST structures** - Complete integration with existing AST framework
-
-### 📊 Comprehensive Testing
-- **24+ test functions** total (9 new Phase 2 tests added)
-- **4 comprehensive CTE tests**: Simple CTE, Recursive CTE, Multiple CTEs, Column specs
-- **5 comprehensive set operation tests**: All operations, chaining, CTE combinations
-- **100% test pass rate** with race detection enabled
-- **Extensive error case coverage** with contextual error messages
-
-### 📚 Documentation Updates
-- **Enhanced Go package documentation** with Phase 2 examples and API references
-- **Comprehensive README updates** with CTE and set operations examples
-- **Updated performance benchmarks** reflecting Phase 2 capabilities
-- **Complete API documentation** for all new parsing functions
-
-### 🔄 Backward Compatibility
-- **100% backward compatible** - all existing functionality preserved
-- **API stability** - no breaking changes to public interfaces
-- **Legacy test compatibility** - all Phase 1 and prior tests continue passing
-- **Performance maintained** - no degradation in existing query parsing performance
-
-### Goals Achieved
-- ✅ ~70% SQL-92 compliance milestone reached
-- ✅ Production-grade CTE implementation with recursive support
-- ✅ Complete set operations support with proper precedence
-- ✅ Enhanced error handling with contextual messages
-- ✅ Comprehensive test coverage for all new features
-- ✅ Zero performance regression while adding major features
-
 ## [1.1.0] - 2025-01-03 - Phase 1: Core SQL Enhancements
 
 ### ✅ Implemented Features  
@@ -586,36 +482,6 @@ This substantial test coverage increase provides strong confidence in the AST pa
 - Unified AST structure
 - Consistent error system with context and hints
 
-## [1.2.0] - (Planned Q4 2024) - Phase 2: Advanced Features
-
-### Planned Features
-- Window functions (OVER, PARTITION BY, RANK, LAG/LEAD)
-- Transaction control statements (BEGIN/COMMIT/ROLLBACK)
-- Views and materialized views support
-- Stored procedure parsing (basic)
-- Streaming parser API for large files
-- AST transformation framework
-
-### Goals
-- Achieve 85% SQL-99 compliance
-- Streaming support for queries >10MB
-- Query transformation and optimization capabilities
-
-## [2.0.0] - (Planned Q1 2025) - Phase 3: Dialect Specialization
-
-### Planned Features
-- PostgreSQL-specific features (arrays, JSONB, custom types)
-- MySQL-specific syntax and functions
-- SQL Server T-SQL extensions
-- Oracle PL/SQL basics
-- SQLite pragmas and special syntax
-- Dialect auto-detection
-
-### Goals
-- Multi-dialect parser with configuration
-- 95% dialect-specific compliance
-- Auto-detection with 99% accuracy
-
 ## [1.0.2] - 2025-08-23
 
 ### Added
 
@@ -6,7 +6,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 GoSQLX is a **production-ready**, **race-free**, high-performance SQL parsing SDK for Go that provides lexing, parsing, and AST generation with zero-copy optimizations. The library is designed for enterprise use with comprehensive object pooling for memory efficiency.
 
-### **Production Status**: ✅ **VALIDATED FOR PRODUCTION DEPLOYMENT** (v1.4.0)
+### **Production Status**: ✅ **VALIDATED FOR PRODUCTION DEPLOYMENT** (v1.5.1+)
 - **Thread Safety**: Confirmed race-free through comprehensive concurrent testing
 - **Performance**: 1.38M+ operations/second sustained, up to 1.5M peak with memory-efficient object pooling
 - **International**: Full Unicode support for global SQL processing
@@ -26,6 +26,7 @@ GoSQLX is a **production-ready**, **race-free**, high-performance SQL parsing SD
 - **Models** (`pkg/models/`): Core data structures (tokens, spans, locations, errors) - 100% test coverage
 - **Errors** (`pkg/errors/`): Structured error handling system with error codes and position tracking
 - **Metrics** (`pkg/metrics/`): Production performance monitoring and observability
+- **Security** (`pkg/sql/security/`): SQL injection detection with pattern scanning and severity classification
 - **CLI** (`cmd/gosqlx/`): Production-ready command-line tool for SQL validation, formatting, and analysis
 
 ### Object Pooling Architecture
@@ -435,7 +436,63 @@ These mistakes have been made before - avoid them:
 - ✅ Allows for comprehensive testing and validation before tagging
 - ✅ Enables rollback if critical issues are found before release
 
-## Current SQL Feature Support (v1.4.0)
+## Current SQL Feature Support (v1.5.1+)
+
+### GROUPING SETS, ROLLUP, CUBE (SQL-99 T431) - Complete ✅
+```sql
+-- GROUPING SETS - explicit grouping combinations
+SELECT region, product, SUM(sales)
+FROM orders
+GROUP BY GROUPING SETS ((region), (product), (region, product), ());
+
+-- ROLLUP - hierarchical subtotals
+SELECT year, quarter, month, SUM(revenue)
+FROM sales
+GROUP BY ROLLUP (year, quarter, month);
+
+-- CUBE - all possible combinations
+SELECT region, product, SUM(amount)
+FROM sales
+GROUP BY CUBE (region, product);
+```
+
+### MERGE Statements (SQL:2003 F312) - Complete ✅
+```sql
+MERGE INTO target_table t
+USING source_table s ON t.id = s.id
+WHEN MATCHED THEN
+    UPDATE SET t.name = s.name, t.value = s.value
+WHEN NOT MATCHED THEN
+    INSERT (id, name, value) VALUES (s.id, s.name, s.value);
+```
+
+### Materialized Views - Complete ✅
+```sql
+CREATE MATERIALIZED VIEW sales_summary AS
+SELECT region, SUM(amount) as total FROM sales GROUP BY region;
+
+REFRESH MATERIALIZED VIEW CONCURRENTLY sales_summary;
+
+DROP MATERIALIZED VIEW IF EXISTS sales_summary;
+```
+
+### Expression Operators (BETWEEN, IN, LIKE, IS NULL) - Complete ✅
+```sql
+-- BETWEEN with expressions
+SELECT * FROM orders WHERE amount BETWEEN 100 AND 500;
+
+-- IN with subquery
+SELECT * FROM users WHERE id IN (SELECT user_id FROM admins);
+
+-- LIKE with pattern matching
+SELECT * FROM products WHERE name LIKE '%widget%';
+
+-- IS NULL / IS NOT NULL
+SELECT * FROM users WHERE deleted_at IS NULL;
+
+-- NULLS FIRST/LAST ordering (SQL-99 F851)
+SELECT * FROM users ORDER BY last_login DESC NULLS LAST;
+```
 
 ### Window Functions (Phase 2.5) - Complete ✅
 ```sql
 
@@ -49,6 +49,11 @@ GoSQLX is a high-performance SQL parsing library designed for production use. It
 - **🔗 Complete JOIN Support**: All JOIN types (INNER/LEFT/RIGHT/FULL OUTER/CROSS/NATURAL) with proper tree logic
 - **🔄 Advanced SQL Features**: CTEs with RECURSIVE support, Set Operations (UNION/EXCEPT/INTERSECT)
 - **🪟 Window Functions**: Complete SQL-99 window function support with OVER clause, PARTITION BY, ORDER BY, frame specifications
+- **🔄 MERGE Statements**: Full SQL:2003 MERGE support with WHEN MATCHED/NOT MATCHED clauses
+- **📊 Grouping Operations**: GROUPING SETS, ROLLUP, CUBE (SQL-99 T431)
+- **🗃️ Materialized Views**: CREATE, DROP, REFRESH MATERIALIZED VIEW support
+- **📋 Table Partitioning**: PARTITION BY RANGE, LIST, HASH support
+- **🔐 SQL Injection Detection**: Built-in security scanner (`pkg/sql/security`) for injection pattern detection
 - **🌍 Unicode Support**: Complete UTF-8 support for international SQL
 - **🔧 Multi-Dialect**: PostgreSQL, MySQL, SQL Server, Oracle, SQLite
 - **📊 Zero-Copy**: Direct byte slice operations, **<1μs latency**
@@ -391,14 +396,112 @@ if selectStmt, ok := ast.Statements[0].(*ast.SelectStatement); ok {
 ```
 
 **Supported JOIN Types:**
+
 - ✅ `INNER JOIN` - Standard inner joins
-- ✅ `LEFT JOIN` / `LEFT OUTER JOIN` - Left outer joins  
+- ✅ `LEFT JOIN` / `LEFT OUTER JOIN` - Left outer joins
 - ✅ `RIGHT JOIN` / `RIGHT OUTER JOIN` - Right outer joins
 - ✅ `FULL JOIN` / `FULL OUTER JOIN` - Full outer joins
 - ✅ `CROSS JOIN` - Cartesian product joins
 - ✅ `NATURAL JOIN` - Natural joins (implicit ON clause)
 - ✅ `USING (column)` - Single-column using clause
 
+### 🆕 Advanced SQL Features (v1.4+)
+
+#### MERGE Statements (SQL:2003 F312)
+
+```go
+sql := `
+    MERGE INTO target_table t
+    USING source_table s ON t.id = s.id
+    WHEN MATCHED THEN
+        UPDATE SET t.name = s.name, t.value = s.value
+    WHEN NOT MATCHED THEN
+        INSERT (id, name, value) VALUES (s.id, s.name, s.value)
+`
+ast, err := gosqlx.Parse(sql)
+```
+
+#### GROUPING SETS, ROLLUP, CUBE (SQL-99 T431)
+
+```go
+// GROUPING SETS - explicit grouping combinations
+sql := `SELECT region, product, SUM(sales)
+        FROM orders
+        GROUP BY GROUPING SETS ((region), (product), (region, product), ())`
+
+// ROLLUP - hierarchical subtotals
+sql := `SELECT year, quarter, month, SUM(revenue)
+        FROM sales
+        GROUP BY ROLLUP (year, quarter, month)`
+
+// CUBE - all possible combinations
+sql := `SELECT region, product, SUM(amount)
+        FROM sales
+        GROUP BY CUBE (region, product)`
+```
+
+#### Materialized Views
+
+```go
+// Create materialized view
+sql := `CREATE MATERIALIZED VIEW sales_summary AS
+        SELECT region, SUM(amount) as total
+        FROM sales GROUP BY region`
+
+// Refresh materialized view
+sql := `REFRESH MATERIALIZED VIEW CONCURRENTLY sales_summary`
+
+// Drop materialized view
+sql := `DROP MATERIALIZED VIEW IF EXISTS sales_summary`
+```
+
+#### SQL Injection Detection
+
+```go
+import "github.com/ajitpratap0/GoSQLX/pkg/sql/security"
+
+// Create scanner
+scanner := security.NewScanner()
+
+// Scan for injection patterns
+result := scanner.Scan(ast)
+
+if result.HasCritical() {
+    fmt.Printf("Found %d critical issues!\n", result.CriticalCount)
+    for _, finding := range result.Findings {
+        fmt.Printf("  [%s] %s: %s\n",
+            finding.Severity, finding.Pattern, finding.Description)
+    }
+}
+
+// Detected patterns include:
+// - Tautology (1=1, 'a'='a')
+// - UNION-based injection
+// - Time-based blind (SLEEP, WAITFOR DELAY)
+// - Comment bypass (--, /**/)
+// - Stacked queries
+// - Dangerous functions (xp_cmdshell, LOAD_FILE)
+```
+
+#### Expression Operators (BETWEEN, IN, LIKE, IS NULL)
+
+```go
+// BETWEEN with expressions
+sql := `SELECT * FROM orders WHERE amount BETWEEN 100 AND 500`
+
+// IN with subquery
+sql := `SELECT * FROM users WHERE id IN (SELECT user_id FROM admins)`
+
+// LIKE with pattern matching
+sql := `SELECT * FROM products WHERE name LIKE '%widget%'`
+
+// IS NULL / IS NOT NULL
+sql := `SELECT * FROM users WHERE deleted_at IS NULL`
+
+// NULLS FIRST/LAST ordering (SQL-99 F851)
+sql := `SELECT * FROM users ORDER BY last_login DESC NULLS LAST`
+```
+
 ## 💻 Examples
 
 ### Multi-Dialect Support
 
@@ -1,5 +1,7 @@
 # Security Policy
 
+> **Note**: This file covers security policies and vulnerability reporting. For comprehensive security analysis, threat modeling, and the SQL injection detection API, see [docs/SECURITY.md](docs/SECURITY.md).
+
 ## Supported Versions
 
 We release patches for security vulnerabilities. Currently supported versions: