Complete PromQL escaping across all 150+ interpolation sites, add statement_timeout

Continuation of the quality framework application:

Reporter (postgres_reports.py):
- Apply _escape_promql_label() to ALL 150+ PromQL label interpolation
  sites across 20+ functions (A003, A004, A007, H001, H002, H004, D004,
  F001, F004, F005, G001, K-series, M-series, N001)
- Add _esc alias at function scope for every method that builds PromQL
- Make _escape_promql_label defensive with str() coercion for edge cases

Flask backend (app.py):
- Apply escape_promql_label() to remaining 2 filter-building sites
  (table metrics and table size detail endpoints)

CLI (init.ts):
- Add connectionTimeoutMillis: 10_000 to connectWithSslFallback()
  (central connection function used by checkup, prepare-db, etc.)
- Add SET statement_timeout = '30s' after connection to prevent
  runaway queries across all CLI database operations

All 429 reporter tests pass with no regressions.

https://claude.ai/code/session_01TKKnEc2Yn2zM64bwCJ2UaX

Author: claude

cli/lib/init.ts

@@ -127,8 +127,10 @@ export async function connectWithSslFallback(
   verbose?: boolean
 ): Promise<{ client: PgClient; usedSsl: boolean }> {
   const tryConnect = async (config: PgClientConfig): Promise<PgClient> => {
-    const client = new ClientClass(config);
+    const client = new ClientClass({ ...config, connectionTimeoutMillis: 10_000 } as any);
     await client.connect();
+    // Set a default statement timeout to prevent runaway queries
+    await client.query("SET statement_timeout = '30s'");
     return client;
   };
 

monitoring_flask_backend/app.py

@@ -703,20 +703,21 @@ def get_btree_bloat_csv():
         tblname = request.args.get('tblname')
         idxname = request.args.get('idxname')
 
-        # Build label filters
+        # Build label filters (escape values to prevent PromQL injection)
+        _esc = escape_promql_label
         filters = []
         if cluster_name:
-            filters.append(f'cluster="{cluster_name}"')
+            filters.append(f'cluster="{_esc(cluster_name)}"')
         if node_name:
-            filters.append(f'node_name="{node_name}"')
+            filters.append(f'node_name="{_esc(node_name)}"')
         if schemaname:
-            filters.append(f'schemaname="{schemaname}"')
+            filters.append(f'schemaname="{_esc(schemaname)}"')
         if tblname:
-            filters.append(f'tblname="{tblname}"')
+            filters.append(f'tblname="{_esc(tblname)}"')
         if idxname:
-            filters.append(f'idxname="{idxname}"')
+            filters.append(f'idxname="{_esc(idxname)}"')
         if db_name:
-            filters.append(f'datname="{db_name}"')
+            filters.append(f'datname="{_esc(db_name)}"')
 
         filter_str = '{' + ','.join(filters) + '}' if filters else ''
 
@@ -841,19 +842,20 @@ def get_table_info_csv():
             except ValueError:
                 end_dt = datetime.fromisoformat(time_end.replace('Z', '+00:00'))
 
-        # Build label filters
+        # Build label filters (escape values to prevent PromQL injection)
+        _esc = escape_promql_label
         filters = []
         if cluster_name:
-            filters.append(f'cluster="{cluster_name}"')
+            filters.append(f'cluster="{_esc(cluster_name)}"')
         if node_name:
-            filters.append(f'node_name="{node_name}"')
+            filters.append(f'node_name="{_esc(node_name)}"')
         if schemaname:
             # Support regex pattern matching with =~
-            filters.append(f'schemaname=~"{schemaname}"')
+            filters.append(f'schemaname=~"{_esc(schemaname)}"')
         if tblname:
-            filters.append(f'tblname="{tblname}"')
+            filters.append(f'tblname="{_esc(tblname)}"')
         if db_name:
-            filters.append(f'datname="{db_name}"')
+            filters.append(f'datname="{_esc(db_name)}"')
 
         filter_str = '{' + ','.join(filters) + '}' if filters else ''