refactor: harden D1 database operations and optimize memory management (#263) #265

Open
ojaswa072 wants to merge 2 commits into OWASP-BLT:main from ojaswa072:fix/database-hardening-mem-safety

@ojaswa072
Contributor

Summary

Resolves #263. This PR implements a comprehensive hardening of the database layer. While the initial audit was focused on SQL injection, the refactor addresses deeper architectural risks related to the Pyodide/D1 bridge and Worker environment stability.

Key Changes

  • Standardized JsProxy lifecycle: All D1 results (.first(), .all(), and .run()) now consistently call .to_py() followed by .destroy(). This ensures that JavaScript proxy objects are explicitly garbage-collected, preventing memory bloat in the Worker isolate.
  • Unified Chaining Pattern: Refactored functions to use the .prepare().bind().run() inline chaining pattern. This ensures the statement context is preserved across the bridge boundary and improves code readability.
  • Execution Reliability: upsert_pr and other write operations now capture and handle the .run() result, ensuring that silent D1 failures (like constraint violations) can be properly tracked.
  • Security Hardening: Removed the dir(env) debug log from get_db. This prevents the potential exposure of sensitive binding names and secret keys in production logs.

Verification Results

  • Verified local D1 operations with wrangler dev
  • Confirmed JsProxy destruction logic via memory usage monitoring
  • Validated that all queries still use parameter binding (?) exclusively
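
The last verification item, that every query uses `?` parameter binding exclusively, can be checked mechanically. The following is an added example, not part of this PR or the project's code: a static audit that flags `.prepare()` calls whose SQL is not a plain string literal or whose `?` count does not match the chained `.bind()`. The sample source, its table and its function names are constructed.

```python
import ast

# Constructed sample modelled on the .prepare().bind().run() pattern the PR
# describes; the table, column and function names are made up.
SAMPLE = '''
async def upsert_pr(db, repo, number, title):
    return await db.prepare(
        "INSERT INTO prs (repo, number, title) VALUES (?, ?, ?)"
    ).bind(repo, number, title).run()

async def find_by_repo(db, repo):
    return await db.prepare(f"SELECT * FROM prs WHERE repo = '{repo}'").all()

async def count_open(db, repo, state):
    return await db.prepare(
        "SELECT COUNT(*) FROM prs WHERE repo = ? AND state = ?"
    ).bind(repo).first()
'''

def _is_method_call(node, name):
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == name)

def audit_prepare_calls(source):
    """Return (line, message) findings for every .prepare() call in source."""
    tree = ast.parse(source)
    # Map each prepare() call to the argument count of the .bind() chained on it.
    bound = {}
    for node in ast.walk(tree):
        if _is_method_call(node, "bind") and _is_method_call(node.func.value, "prepare"):
            bound[id(node.func.value)] = len(node.args)
    findings = []
    for node in ast.walk(tree):
        if not _is_method_call(node, "prepare") or not node.args:
            continue
        sql = node.args[0]
        if not (isinstance(sql, ast.Constant) and isinstance(sql.value, str)):
            findings.append((node.lineno, "SQL text is built dynamically, not a literal"))
            continue
        # Naive count: a '?' inside a quoted SQL string literal would be miscounted.
        expected, got = sql.value.count("?"), bound.get(id(node), 0)
        if expected != got:
            findings.append((node.lineno, f"{expected} placeholders but {got} bound values"))
    return sorted(findings)

if __name__ == "__main__":
    for line, message in audit_prepare_calls(SAMPLE):
        print(f"line {line}: {message}")
```

A `.bind(*params)` call counts as one argument here, so star-unpacked binds need manual review.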

@github-actions github-actions bot added the files-changed: 4 PR changes 4 files label Feb 28, 2026
@github-actions

🍃 PR Readiness Check

Check the readiness of this PR on Leaf:
👉 Open on Leaf

Leaf reviews pull requests for operational readiness, security risks, and production-impacting changes before they ship.

@ojaswa072 ojaswa072 force-pushed the fix/database-hardening-mem-safety branch from 4b808c4 to c332edc Compare February 28, 2026 13:42
@github-actions github-actions bot added files-changed: 1 PR changes 1 file and removed files-changed: 4 PR changes 4 files labels Feb 28, 2026

Labels

files-changed: 1 PR changes 1 file

Development

Successfully merging this pull request may close these issues.

Security: SQL Injection Risk in src/database.py via String Interpolation

1 participant