fix(data-store): validate sorted queries in data store

[mirceanis]

What is being changed

This improves the safety of data store queries by additionally validating column names used for sorting at runtime

Quality

Check all that apply:

• I want these changes to be integrated
• I successfully ran pnpm i, pnpm build, pnpm test, pnpm test:browser locally.
• I allow my PR to be updated by the reviewers (to speed up the review process).
• I added unit tests.
• I added integration tests.
• I did not add automated tests because _________, and I am aware that a PR without tests will likely get rejected.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.79%. Comparing base (4c189c2) to head (ab1f867).
⚠️ Report is 1 commits behind head on next.

Additional details and impacted files

@@            Coverage Diff             @@
##             next    #1482      +/-   ##
==========================================
+ Coverage   89.77%   89.79%   +0.02%     
==========================================
  Files         177      177              
  Lines       26949    26964      +15     
  Branches     2234     2245      +11     
==========================================
+ Hits        24194    24213      +19     
+ Misses       2755     2751       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR enhances security by adding runtime validation of column names used in sorting operations within the data store, protecting against SQL injection attacks through malicious column names in ORDER BY clauses.

Changes:

• Introduced ALLOWED_COLUMNS constant defining valid column names for each table type
• Refactored type definitions to derive from ALLOWED_COLUMNS to maintain consistency
• Added runtime validation in both data-store-orm.ts and data-store-json.ts to reject invalid column names

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
packages/core-types/src/types/IDataStoreORM.ts	Added ALLOWED_COLUMNS constant and refactored type definitions to derive from it
packages/data-store/src/data-store-orm.ts	Added validation logic to reject invalid column names in ORDER BY clauses
packages/data-store-json/src/data-store-json.ts	Added validation logic for JSON-based data store queries
tests/shared/saveClaims.ts	Added integration test to verify SQL injection attempts are blocked

Comments suppressed due to low confidence (1)

packages/data-store/src/data-store-orm.ts:97

• The table name passed to decorateQB is 'message' but should be 'identifier' to match the actual query being built for identifiers. This causes the validation to check against the wrong allowed columns list.

    qb = decorateQB(qb, 'message', args)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.