
[opencode] VULN-117372 Fix SQL injection vulnerability in durable-chat-template#958

Merged
deloreyj merged 1 commit into cloudflare:main from kale-stew:kylie/address-do-template-vuln
Mar 9, 2026

Conversation

@kale-stew (Contributor)

Description

Fixes #VULN-117372

Have tested changes with a deployed version of the DO template: https://durable-chat-template.kylieski.workers.dev

Description from OpenCode:

This change fixes a SQL injection vulnerability in the durable-chat-template. The saveMessage method was building SQL queries using string interpolation, which is dangerous because user-provided values (like message.user or message.content) were being inserted directly into the query string.

Before:

this.ctx.storage.sql.exec(
  `INSERT INTO messages (id, user, role, content) VALUES ('${message.id}', '${message.user}', ...)`
);

After:

this.ctx.storage.sql.exec(
  `INSERT INTO messages (id, user, role, content) VALUES (?, ?, ?, ?) ...`,
  message.id,
  message.user,
  message.role,
  message.content,
);

Using parameterized queries (? placeholders) ensures user input is properly escaped and can never be interpreted as SQL commands.
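As an added example that is not part of this PR or the template, the block below models both versions of saveMessage against a stand-in for ctx.storage.sql (the stub assumes the Durable Object convention of exec(query, ...bindings)); it shows that the interpolated form carries user-supplied text into the SQL statement itself while the parameterized form keeps the statement constant, and the stub enforces that the number of ? placeholders matches the bindings supplied, a cheap check worth keeping in unit tests:

```javascript
// Stand-in for ctx.storage.sql: records what would be handed to SQLite
// instead of executing it (test double, not the Workers runtime).
class FakeSqlStorage {
  constructor() { this.calls = []; }
  exec(query, ...bindings) {
    // SQLite binds positionally: every '?' needs exactly one value.
    const placeholders = (query.match(/\?/g) || []).length;
    if (placeholders !== bindings.length) {
      throw new Error(`expected ${placeholders} bindings, got ${bindings.length}`);
    }
    this.calls.push({ query, bindings });
    return { rowsWritten: 1 };
  }
}

// "Before": user-controlled fields become part of the SQL text.
function saveMessageInterpolated(sql, message) {
  sql.exec(
    `INSERT INTO messages (id, user, role, content) VALUES ('${message.id}', '${message.user}', '${message.role}', '${message.content}')`
  );
}

// "After": the SQL text is constant; values travel separately as bindings.
function saveMessageParameterized(sql, message) {
  sql.exec(
    `INSERT INTO messages (id, user, role, content) VALUES (?, ?, ?, ?)`,
    message.id, message.user, message.role, message.content,
  );
}

// Check: did any user-supplied value end up inside the statement text?
function queryLeaksUserData(query, message) {
  return [message.user, message.content].some((v) => query.includes(v));
}

function demo() {
  // Constructed sample: an ordinary apostrophe is enough to alter the SQL.
  const message = { id: 'm1', user: "o'connor", role: 'user', content: "it's fine" };
  const vuln = new FakeSqlStorage();
  saveMessageInterpolated(vuln, message);
  const safe = new FakeSqlStorage();
  saveMessageParameterized(safe, message);
  return {
    interpolatedLeaks: queryLeaksUserData(vuln.calls[0].query, message), // true
    parameterizedLeaks: queryLeaksUserData(safe.calls[0].query, message), // false
    parameterizedBindings: safe.calls[0].bindings,
  };
}
```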

@github-actions (Contributor)

github-actions bot commented Mar 9, 2026

Preview link not generated: you must be on a branch, not on a fork.
Collaborators may enable previews for this pull request by attaching the allow preview label.
If you are already a collaborator, please create a branch rather than forking.

@deloreyj deloreyj merged commit 04a288c into cloudflare:main Mar 9, 2026
3 checks passed

2 participants