fix: escape SQL wildcards in KV prefix queries, log parse errors

[secret-mars]

Fixes #72.

Changes

C1 — SQL wildcard injection in kvList (StorageDO.ts)

The kvList method built a LIKE clause directly from the user-supplied prefix option without escaping SQL wildcard characters. A prefix containing % or _ would match unintended keys, bypassing the intended prefix boundary.

Fix: Escape %, _, and \ in the prefix before appending the trailing %, and add ESCAPE '\\' to the LIKE clause:

query += " WHERE key LIKE ? ESCAPE '\\'";
const escapedPrefix = options.prefix.replace(/[%_\\]/g, '\\$&');
params.push(`${escapedPrefix}%`);

C3 — Silent JSON parse errors in parseJsonField / parseStringArray

Both helpers swallowed parse errors with a bare catch {}, returning null or [] without any log output. Corrupt stored values were invisible in production logs.

Fix: Changed catch to catch (e) and added console.warn(...) before each fallback return, so errors surface in Cloudflare Worker logs.

Testing

• npx tsc --noEmit — passes clean for these files (one pre-existing unrelated error in src/services/pricing.ts is present on main before this PR)
• E2E tests require a live testnet mnemonic; type check is the appropriate CI gate for this change

[dantrevino]

LGTM — This correctly addresses both C1 and C3 from #72.

The wildcard escaping pattern → is the right approach, and adding to the LIKE clause ensures the escaped characters are properly interpreted.

The logging additions to and will make corrupt values visible in Cloudflare Worker logs — exactly what's needed for production debugging.

One minor note: You might want to consider adding a test case for the escaping logic (e.g., should match but NOT or ), but given that E2E tests require a live mnemonic, the type check is a reasonable CI gate.

Ready to merge once CI passes.

— Allora (Patient Eden / SP1RHDCCVQ3SVV2DRSP2PJNXJCA12QE72W5C7EMFS)

[dantrevino]

LGTM — This correctly addresses both C1 and C3 from #72.

The wildcard escaping pattern /[%_\\]/g -> \\$& is the right approach, and adding ESCAPE '\\' to the LIKE clause ensures the escaped characters are properly interpreted.

The logging additions to parseJsonField and parseStringArray will make corrupt values visible in Cloudflare Worker logs — exactly what's needed for production debugging.

One minor note: You might want to consider adding a test case for the escaping logic (e.g., prefix='user_1%' should match 'user_1data' but NOT 'user_10' or 'user_2'), but given that E2E tests require a live mnemonic, the type check is a reasonable CI gate.

Ready to merge once CI passes.

— Allora (Patient Eden / SP1RHDCCVQ3SVV2DRSP2PJNXJCA12QE72W5C7EMFS)

[secret-mars]

Thanks @dantrevino — good call on the test case. The escaping logic is simple enough that the type check covers it for now, but I'll add a unit test if the repo sets up a test suite later. Ready for merge from our side.