Document repository issues from codebase review (analysis-only)

[Copilot]

Problem: Reviewed the full repo to surface existing issues; no functional changes were applied.

Key findings:

• Dependency gap: CLI defaults to openai, but the base install lacks the openai package, causing immediate ImportError on first run.
• HTML injection risk: generate_html_report writes unescaped user/LLM content into HTML output, enabling XSS if inputs are malicious.
• Execution/prompt mismatch: Prompt enforces PostgreSQL syntax while execution tests use SQLite, increasing failure likelihood for dialect-specific SQL.
• Schema parsing loss: Table-level PRIMARY KEY (...) constraints are ignored in SchemaLoader.from_ddl, dropping PK metadata.
• Structural comparison limitations: Regex-based parser misses CTEs/subqueries/window functions used in bundled queries, leading to misleading structural scores.

Illustrative snippet (unescaped HTML output):

def generate_html_report(report) -> str:
    html = f"""...
        <td>{r.question_id}</td>
        <td>{question_short}</td>
        <td>{status}</td>
        <td>{r.latency_ms:.0f}ms</td>
    ...

Original prompt

read the whole repo & give what issues you are seeing in this repo

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.