fix: address bot review feedback for psql

- Fix prototype pollution in parser: use Object.create(null) for variables
- Fix -f flag: update getSqlToExecute to handle file input correctly
- Add 25 unit tests covering all functionality

Author: gitstart

src/commands/psql/connection.ts

@@ -28,12 +28,20 @@ export function buildConnectionOptions(
 
 /**
  * Get SQL to execute from options
+ * Returns empty string only if no SQL source is available (no -c, no -f, no stdin)
  */
 export function getSqlToExecute(options: PsqlOptions, stdin: string): string {
+  // -c takes precedence
   if (options.command) {
     return options.command;
   }
 
+  // -f will be read later, return placeholder
+  if (options.file) {
+    return "FILE"; // Non-empty placeholder to pass validation
+  }
+
+  // Check stdin
   if (stdin.trim()) {
     return stdin.trim();
   }

src/commands/psql/parser.ts

@@ -29,7 +29,7 @@ export function parseArgs(args: string[]): PsqlOptions | ExecResult {
     tuplesOnly: false,
     quiet: false,
     singleTransaction: false,
-    variables: {},
+    variables: Object.create(null) as Record<string, string>,
   };
 
   let i = 0;