February 26, 2026 · 0.1.5 · Jugg.ai

v0.1.5 — fix(security): replace sql.raw() with parameterized sql.join() in getLastAutomationRuns

Release v0.1.5: Security Patch — Parameterized SQL in getLastAutomationRuns

What changed

  • Replaced sql.raw() with sql.join() in the getLastAutomationRuns query to eliminate manual SQL string escaping
  • Each source value is now emitted as its own bound parameter instead of being interpolated into the query string

Why it matters

Manual SQL escaping is fragile and sets a dangerous precedent. The current code path carries no injection risk, because the sources are hardcoded, but the pattern is unsafe by construction: the moment a caller passes user-controlled input, safety depends on the escaping being correct for every quoting rule and encoding the database accepts. Parameterized queries are the only reliable SQL injection defense: values travel to the database separately from the statement text, so no value can change the structure of the query, and string interpolation attacks are ruled out entirely.

Technical notes

  • No schema changes or functional impact
  • Generated SQL changes from unparameterized ARRAY['val1','val2'] to parameterized ARRAY[$2,$3]; the placeholders start at $2 because the statement already binds one parameter ahead of the array
  • Consistent with secure patterns already used in bulk-order-sql.ts and notification.ts
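As an added illustration (not code from the Jugg.ai repository, and not Drizzle's implementation), the following stand-alone TypeScript models a tagged-template SQL builder with the two helpers the patch is about, sql.raw() and sql.join(), and builds a hypothetical getLastAutomationRuns-style query both ways. The table and column names, the tenant_id parameter that precedes the array, and the sample source values are assumptions. The point it shows is the one in the notes above: with raw(), the values are part of the statement text; with join(), the statement text is a constant and the values travel as $2, $3, ... parameters.

```typescript
// Stand-alone model of a tagged-template SQL builder, written for this example.
// It is NOT Drizzle's implementation, and Jugg.ai's real getLastAutomationRuns
// query is not on the page. It reproduces the two output shapes the release
// notes describe: text spliced in via raw() versus $n placeholders via join().

type Fragment = { text: string; params: unknown[] };

function isFragment(v: unknown): v is Fragment {
  return typeof v === "object" && v !== null && "text" in v && "params" in v;
}

// Shift the $n placeholders in `text` by `offset` so a nested fragment's
// numbering continues from the parameters already collected.
function renumber(text: string, offset: number): string {
  return text.replace(/\$(\d+)/g, (_m: string, n: string) => `$${Number(n) + offset}`);
}

function append(target: Fragment, piece: Fragment): void {
  target.text += renumber(piece.text, target.params.length);
  target.params.push(...piece.params);
}

// sql`...`: every ${value} becomes a bound parameter; nested fragments are spliced.
function sqlTemplate(strings: TemplateStringsArray, ...values: unknown[]): Fragment {
  const out: Fragment = { text: "", params: [] };
  strings.forEach((s, i) => {
    out.text += s;
    if (i >= values.length) return;
    const v = values[i];
    if (isFragment(v)) {
      append(out, v);
    } else {
      out.params.push(v);
      out.text += `$${out.params.length}`;
    }
  });
  return out;
}

// raw(): the string goes into the statement verbatim, with no parameter.
function sqlRaw(text: string): Fragment {
  return { text, params: [] };
}

// join(): concatenates fragments with a separator, keeping each one's parameters.
function sqlJoin(parts: Fragment[], separator: Fragment): Fragment {
  const out: Fragment = { text: "", params: [] };
  parts.forEach((p, i) => {
    if (i > 0) append(out, separator);
    append(out, p);
  });
  return out;
}

const sql = Object.assign(sqlTemplate, { raw: sqlRaw, join: sqlJoin });

// Hypothetical table, columns and tenant filter. tenant_id is assumed to be an
// earlier bound parameter, which is why the source placeholders start at $2.
const TENANT_ID = 42;

// Before (the pattern the patch removed): quote by hand, then raw() splices the
// list into the statement text. The escaping happens to hold for these inputs,
// but the values are part of the SQL, not separate data.
function buildBefore(sources: string[]): Fragment {
  const list = sources.map((s) => `'${s.replace(/'/g, "''")}'`).join(",");
  return sql`SELECT id, source FROM automation_runs WHERE tenant_id = ${TENANT_ID} AND source = ANY(ARRAY[${sql.raw(list)}])`;
}

// After: each source is its own placeholder; no quoting in application code.
function buildAfter(sources: string[]): Fragment {
  const list = sql.join(sources.map((s) => sql`${s}`), sql`,`);
  return sql`SELECT id, source FROM automation_runs WHERE tenant_id = ${TENANT_ID} AND source = ANY(ARRAY[${list}])`;
}

// The check a reviewer wants: for the same number of sources, the parameterized
// statement text is identical whatever the values are, so no value can alter
// the query's structure.
function statementTextIsValueIndependent(a: string[], b: string[]): boolean {
  return buildAfter(a).text === buildAfter(b).text;
}

// Constructed sample inputs, including one hostile-looking value.
const hostile = ["cron", "x') OR 1=1 --"];
console.log(buildBefore(["cron", "webhook"]).text);
console.log(buildAfter(["cron", "webhook"]));
console.log(buildBefore(hostile).text); // the hostile value is inside the statement text
console.log(buildAfter(hostile));       // here it is only params[2]
```

Running the block prints the two shapes side by side; the "after" text ends in ANY(ARRAY[$2,$3]) with params [42, "cron", "webhook"], matching the numbering quoted in the technical notes.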

Release Notes

PR #411 was merged successfully (squash merge, SHA 199c3901182d24984264187ca13eac7e0405ef50), but the GitHub release could not be created because tag v0.1.5 already exists in the repository.

What happened

  • ✅ PR #411 (fix(security): replace sql.raw() with parameterized sql.join() in getLastAutomationRuns) — squash-merged into main.
  • ❌ Release v0.1.5 — creation failed with GitHub error: tag_name already_exists.

What to do next

A release (or at least a tag) named v0.1.5 already exists. You have a few options:

  1. Use the next patch version — if this is truly a new release, create it as v0.1.6 (or whatever the correct next version is).
  2. Edit the existing release — if v0.1.5 was a draft or partial release, update it manually via the GitHub Releases UI to include these notes.
  3. Delete the existing tag — if v0.1.5 was mistakenly created, delete it and re-run this release workflow.

Please confirm which version tag to use and I can retry the release creation.