fix(#211): whitelist allowed columns in updateTrack — prevent SQL injection via column names

[Radexito]

Summary

• Adds ALLOWED_TRACK_COLUMNS whitelist (35 columns) to trackRepository.js
• updateTrack() now filters Object.keys(data) through the whitelist before interpolating into the SQL SET clause — unknown keys are logged and dropped
• Prevents a potential SQL-injection-via-column-name attack through the update-track IPC channel (e.g. from a compromised renderer context)

Root cause

updateTrack() built dynamic SQL using Object.keys(data) directly: ```js
const set = fields.map(f => ${f} = @${f}).join(', ')

If an attacker could call `window.api.updateTrack()` with arbitrary keys, they could inject SQL via identifier names.

All other query paths already use parameterized values (`?` / `@name`) — only column names were vulnerable. The search bar is entirely client-side (no SQL).

## Test plan

- [ ] Run `npm test` — all existing tests pass
- [ ] Manually update a track field (BPM, title, rating) — still works
- [ ] Verify that an unknown key in `updateTrack` produces a console warning and is ignored (no crash)

Closes #211

🤖 Generated with [Claude Code](https://claude.com/claude-code)