added db guard changes to prevent deletion

scripts/validate-test-db-target.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ -z "${TEST_DATABASE_URL:-}" ]]; then
+  echo "TEST_DATABASE_URL is required."
+  exit 1
+fi
+
+EXPECTED_PROD_DB_NAME="${EXPECTED_PROD_DB_NAME:-skymoney}"
+PROTECTED_DB_NAMES="${PROTECTED_DB_NAMES:-$EXPECTED_PROD_DB_NAME,postgres,template0,template1}"
+REQUIRE_TEST_DB_NAME="${REQUIRE_TEST_DB_NAME:-1}"
+
+extract_db() {
+  local url="$1"
+  sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]+/([^?]+).*$#\1#' <<< "$url"
+}
+
+TEST_DB_NAME="$(extract_db "$TEST_DATABASE_URL")"
+if [[ "$TEST_DB_NAME" == "$TEST_DATABASE_URL" || -z "$TEST_DB_NAME" ]]; then
+  echo "Unable to parse TEST_DATABASE_URL database name."
+  exit 1
+fi
+
+if [[ -n "${DATABASE_URL:-}" && "$TEST_DATABASE_URL" == "$DATABASE_URL" ]]; then
+  echo "TEST_DATABASE_URL must not equal DATABASE_URL."
+  exit 1
+fi
+
+IFS=',' read -r -a protected <<< "$PROTECTED_DB_NAMES"
+for name in "${protected[@]}"; do
+  trimmed="$(echo "$name" | xargs)"
+  if [[ -n "$trimmed" && "$TEST_DB_NAME" == "$trimmed" ]]; then
+    echo "Refusing to run DB security tests against protected database '$TEST_DB_NAME'."
+    echo "Set TEST_DATABASE_URL to a dedicated test database (for example: skymoney_test)."
+    exit 1
+  fi
+done
+
+if [[ "$REQUIRE_TEST_DB_NAME" == "1" ]]; then
+  if ! [[ "$TEST_DB_NAME" =~ (test|ci|sandbox|staging|shadow|tmp) ]]; then
+    echo "Refusing TEST_DATABASE_URL db '$TEST_DB_NAME': name must include test/ci/sandbox/staging/shadow/tmp."
+    echo "If intentional, set REQUIRE_TEST_DB_NAME=0 for this run."
+    exit 1
+  fi
+fi
+
+echo "TEST_DATABASE_URL target check passed (db=$TEST_DB_NAME)."