security: use parameterized queries for ClickHouse model usage stats

[ink-the-squid]

Summary

Fix SQL injection vulnerabilities in ModelUsageStatsManager.ts by replacing string interpolation with ClickHouse parameterized queries ({val_N:String} placeholders).

This is the same class of vulnerability that was fixed in PR #5563 for ModelComparisonManager.ts.

Vulnerable Locations Fixed

1. getModelUsage() — model names from a prior query result were string-interpolated into IN clauses via `'${r.model}'` template literals
2. getProviderUsage() — provider names from a prior query result were string-interpolated into IN clauses via `'${r.provider}'` template literals
3. getProviderStats() — both the provider path parameter (using manual replace(/'/g, "''") escaping) and model names from prior results were interpolated into queries
4. getModelStats() — the model path parameter used manual replace(/'/g, "''") escaping instead of parameterized queries

Changes

• Added buildInClauseParams() helper method (mirrors buildModelNameParams from ModelComparisonManager) that generates parameterized placeholders and params arrays
• All 4 methods now pass user-controlled values through the dbQuery parameter array instead of string interpolation
• No functional changes — query logic and results are identical

Testing

• TypeScript compiles cleanly (npx tsc --noEmit)

[vercel]

@ink-the-squid is attempting to deploy a commit to the Helicone Team on Vercel.

A member of the Team first needs to authorize it.

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.