- Add allowedTestTables map containing all known database tables
- Add validateTableName() function that panics if table name is not
in the whitelist
- Call validateTableName() before all fmt.Sprintf("DELETE FROM %s")
and fmt.Sprintf("TRUNCATE TABLE %s CASCADE") statements
- Prevents potential SQL injection via table name interpolation,
even though the risk is low (test-only code, table names come from
hardcoded lists or DB introspection)
Addresses audit finding: A03 (Injection) — minor risk in test utilities.
Co-authored-by: Cursor <cursoragent@cursor.com>
