🛡️ Sentinel: [CRITICAL] Fix SQL injection in database kwargs unpacking #58

Draft
davidjuarezdev wants to merge 1 commit into main from sentinel-sql-injection-fix-18369353087076288712

Conversation

@davidjuarezdev
Owner

🚨 Severity: CRITICAL
💡 Vulnerability: The `contains` and `remove` methods in `streamrip/db.py` used `**items` (kwargs) and directly used those dictionary keys in dynamic SQL condition string formatting. The `contains` method attempted validation but relied on `assert`, which is bypassed entirely when Python runs with optimization (`-O`). The `remove` method lacked validation completely. This opened the door for SQL injection where an attacker could pass arbitrary conditions via arbitrary keys in the unpacked kwargs.
🎯 Impact: If these methods were called with externally controlled or unsanitized keys passed as `**kwargs`, it would result in arbitrary SQL execution, leading to data deletion or extraction.
🔧 Fix: Removed the `assert` statement in `contains` and added explicit validation logic using `if not ...: raise ValueError(...)`. Additionally, added this same rigorous validation to the `remove` method to prevent SQL injection when interpolating the dictionary keys into the `DELETE` command string.
Verification: Run `PYTHONPATH=. poetry run pytest tests` and ensure the database queries properly enforce the structure keys.


PR created automatically by Jules for task 18369353087076288712 started by @davidjuarezdev
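The injection path the PR description refers to (caller-controlled dictionary keys unpacked as `**kwargs` and interpolated into a `WHERE` clause) and the shape of the fix it describes (reject keys outside the known table structure with an explicit `raise`, not an `assert`) are shown side by side below as an added example. This is illustrative code written for this page, not streamrip's `db.py` or the PR's diff: the `TrackDatabase` class, its `downloads` table, its two `structure` columns and the in-memory SQLite connection are all assumptions standing in for the project's own schema and file-backed database.

```python
import sqlite3


class TrackDatabase:
    """Hypothetical minimal wrapper (an assumption for this example, not streamrip's db.py)."""

    table = "downloads"                           # assumed table name
    structure = {"id": "TEXT", "source": "TEXT"}  # assumed set of allowed column names

    def __init__(self):
        # In-memory SQLite stands in for the project's file-backed database.
        self.conn = sqlite3.connect(":memory:")
        cols = ", ".join(f"{k} {v}" for k, v in self.structure.items())
        self.conn.execute(f"CREATE TABLE {self.table} ({cols})")

    def _check_keys(self, items):
        # Plain `if`/`raise`: an `assert` here would be stripped under `python -O`.
        if not items:
            raise ValueError("at least one column must be given")
        unknown = set(items) - set(self.structure)
        if unknown:
            raise ValueError(
                f"unknown column(s) {sorted(unknown)}; allowed: {sorted(self.structure)}"
            )

    def add(self, **items):
        self._check_keys(items)
        cols = ", ".join(items)
        marks = ", ".join("?" for _ in items)
        self.conn.execute(
            f"INSERT INTO {self.table} ({cols}) VALUES ({marks})", tuple(items.values())
        )
        self.conn.commit()

    def contains(self, **items):
        # Keys are allow-listed identifiers; values are bound through placeholders.
        self._check_keys(items)
        cond = " AND ".join(f"{k} = ?" for k in items)
        cur = self.conn.execute(
            f"SELECT 1 FROM {self.table} WHERE {cond} LIMIT 1", tuple(items.values())
        )
        return cur.fetchone() is not None

    def remove(self, **items):
        """Hardened form: validates keys, binds values, returns the number of rows deleted."""
        self._check_keys(items)
        cond = " AND ".join(f"{k} = ?" for k in items)
        cur = self.conn.execute(
            f"DELETE FROM {self.table} WHERE {cond}", tuple(items.values())
        )
        self.conn.commit()
        return cur.rowcount


class UnsafeTrackDatabase(TrackDatabase):
    """Same API, but remove() interpolates caller-supplied keys with no validation,
    which is the pre-fix pattern the PR describes."""

    def remove(self, **items):
        cond = " AND ".join(f"{k} = '{v}'" for k, v in items.items())
        cur = self.conn.execute(f"DELETE FROM {self.table} WHERE {cond}")
        self.conn.commit()
        return cur.rowcount


def demo():
    # Constructed input: the "column name" is itself a SQL fragment. Python accepts
    # arbitrary string keys when a dict is unpacked into a **kwargs parameter.
    malicious = {"id = '' OR 1=1 OR id": "nothing"}

    unsafe = UnsafeTrackDatabase()
    unsafe.add(id="t1", source="src_a")
    unsafe.add(id="t2", source="src_b")
    # Executes: DELETE FROM downloads WHERE id = '' OR 1=1 OR id = 'nothing'
    wiped = unsafe.remove(**malicious)

    safe = TrackDatabase()
    safe.add(id="t1", source="src_a")
    safe.add(id="t2", source="src_b")
    try:
        safe.remove(**malicious)
        rejected = False
    except ValueError:
        rejected = True
    legit = safe.remove(id="t1")
    return wiped, rejected, legit, safe.contains(id="t2"), safe.contains(id="t1")


if __name__ == "__main__":
    print(demo())
```

Column names cannot be bound as query parameters, so an allow-list against the known `structure` is the only control for the key; the values are still passed through `?` placeholders rather than formatted into the string. The `sqlite3` module refuses stacked statements in `execute()`, which is why the constructed key uses a tautology rather than a `; DROP TABLE` suffix, and why the unvalidated `remove` still empties the whole table.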
