fix: prevent SurrealDB injection via order_by and unparameterized queries

- Add allowlist validation for order_by param in notebooks endpoint
- Parameterize session_id query in source_chat router
- Add regex validation in base.py get_all() order_by parameter
- Convert async_migrate bump/lower_version to parameterized queries

open_notebook/database/async_migrate.py

@@ -223,7 +223,8 @@ async def bump_version() -> None:
     new_version = current_version + 1
 
     await repo_query(
-        f"CREATE _sbl_migrations:{new_version} SET version = {new_version}, applied_at = time::now();",
+        "CREATE type::thing('_sbl_migrations', $version) SET version = $version, applied_at = time::now();",
+        {"version": new_version},
     )
 
 
@@ -231,4 +232,7 @@ async def lower_version() -> None:
     """Lower the version by removing the latest entry from migrations table."""
     current_version = await get_latest_version()
     if current_version > 0:
-        await repo_query(f"DELETE _sbl_migrations:{current_version};")
+        await repo_query(
+            "DELETE type::thing('_sbl_migrations', $version);",
+            {"version": current_version},
+        )