Fix pkg/eos_postgres FuzzEnvironmentDSN false-positive so the unit lane can go green #97

@CodeMonkeyCybersecurity

Description

Summary

The unit lane currently fails in pkg/eos_postgres on FuzzEnvironmentDSN/seed#6, which treats an invalid control-character URL parse error as a possible command-injection failure.

Evidence

  • npm run ci:unit --silent fails in pkg/eos_postgres.
  • The failing seed reports: Possible command injection in DSN handling: cannot parse ... invalid control character in URL.
  • The observed behavior is a parser rejection, not command execution.

Why this matters

  • It is an unrelated blocker for the #291-#294 patch set.
  • It weakens trust in the fuzz suite by producing false positives instead of actionable security findings.

Proposed work

  1. Revisit the fuzz oracle in postgres_fuzz_test.go and distinguish parser rejection from actual execution or interpolation.
  2. Add regression tests for newline/control-character DSNs and shell-metacharacter DSNs.
  3. Ensure the failure condition is tied to observable dangerous behavior, not just the presence of suspicious input.
  4. Keep the seed corpus so future regressions remain reproducible.
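One shape the oracle in step 1 and step 3 could take, written here as an added example and not taken from the eos_postgres code base: `url.Parse` failures are classified as expected rejection, and only a control character or shell metacharacter that survives, unquoted, into the rendered connection parameters counts as a regression. `renderKV` is a hypothetical stand-in for the code under test; its `quote` switch lets the same oracle be exercised against a hardened and a leaky rendering.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
	"unicode"
)

// Outcome is what the oracle concludes about one fuzzed DSN.
type Outcome int

const (
	Rejected   Outcome = iota // url.Parse refused it: expected rejection, not a finding
	Accepted                  // parsed; any suspicious byte stayed inside a quoted literal
	Regression                // parsed; a raw suspicious byte reached the output unquoted
)

// quotedLit matches a complete single-quoted libpq literal, backslash escapes included.
var quotedLit = regexp.MustCompile(`(?s)'(?:\\.|[^'\\])*'`)
// suspiciousRune matches control characters and common shell metacharacters.
func suspiciousRune(r rune) bool { return unicode.IsControl(r) || strings.ContainsRune("`$;|&<>", r) }

// renderKV is a hypothetical stand-in for the code under test (libpq key=value form); quote=false leaks raw values.
func renderKV(u *url.URL, quote bool) string {
	lit := func(v string) string {
		if quote {
			return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
		}
		return v
	}
	pw, _ := u.User.Password()
	return "host=" + lit(u.Hostname()) + " dbname=" + lit(strings.TrimPrefix(u.Path, "/")) + " password=" + lit(pw)
}

// unquotedSuspicious drops quoted literals (inert data) and checks what an interpreter would actually act on.
func unquotedSuspicious(rendered string) bool {
	return strings.IndexFunc(quotedLit.ReplaceAllLiteralString(rendered, ""), suspiciousRune) >= 0
}

// Oracle is the fuzz check: only Regression should fail the test; the issue's raw-newline seed lands in Rejected.
func Oracle(dsn string, quote bool) (Outcome, string) {
	u, err := url.Parse(dsn)
	if err != nil {
		return Rejected, err.Error()
	}
	if rendered := renderKV(u, quote); unquotedSuspicious(rendered) {
		return Regression, rendered
	}
	return Accepted, ""
}
```

A percent-encoded newline (`%0A`) in the password is the case worth keeping in the corpus: it passes the URL parser, so the oracle's verdict depends entirely on whether the rendering step quotes it.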

Acceptance criteria

  • go test ./pkg/eos_postgres passes.
  • npm run ci:unit --silent no longer fails on this seed.
  • The fuzz oracle documents what counts as a real security regression versus expected input rejection.
