Unauthorized database query while using unstable_cache()
Unanswered
Dwarf Crocodile posted this in #help-forum
Dwarf CrocodileOP
I want to make sure I'm doing this safely and that my SQL query isn't editable by the client.
This is my /app/page.tsx landing page where I want to fetch a list of tools and then map over them in the JSX to display them. Anyone who visits the site, signed in or not, needs to be able to see these tools, which is why I'm not protecting it behind auth.
Considering the tool list won't change often, is this generally how I should go about this? I'm using a sqlite/turso db connection exported from /lib/db.ts and validating the data with zod.
I don't have a complete understanding of this, and based on the Next docs it seems like this query is done at build and on each request, where it's executed on the server and hydrated before getting sent to the client? Can someone please help me and let me know if I'm doing this safely/correctly based on what I'm trying to achieve? Thanks
```tsx
import { unstable_cache } from "next/cache";
import { z } from "zod";
import { turso } from "@/lib/db"; // the sqlite/turso client exported from /lib/db.ts
// toolSchema is the zod schema for one row of the tools table (defined elsewhere, not shown in the post)

// Runs on the server only; the SQL string is a fixed literal, so nothing from the client reaches it.
const getTools: () => Promise<z.infer<typeof toolSchema>[]> = unstable_cache(
  async () => {
    try {
      const response = await turso.execute("SELECT * FROM tools");
      // validate every row against the schema before it is rendered
      const validatedTools = response.rows.map((row) => toolSchema.parse(row));
      return validatedTools;
    } catch (error) {
      // any query or validation failure is swallowed and an empty list is rendered
      return [];
    }
  },
  ["tools"],
  { revalidate: 3600, tags: ["tools"] },
);

export default async function Home() {
  const tools = await getTools();
  return (
    <main className="flex w-full flex-col items-center gap-24 px-4 pb-24 pt-24 md:px-[10vw]">
      ...
```
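The following is an added, self-contained model of the pattern in the question (not code from the post, Next.js, zod or the libsql client). It stands in `unstable_cache` with a synchronous key-plus-revalidate memoizer, the zod schema with a hand-written per-row validator, and `SELECT * FROM tools` with constructed sample rows, so it runs offline. It shows two things the snippet above does not make visible: the cached function body (and therefore the fixed SQL literal) runs only when the key has no fresh entry, and validating rows one at a time lets a single malformed row be counted and skipped instead of turning the whole list into `[]`. The names `makeCache`, `parseTools` and `makeGetTools` are assumptions of this example.

```typescript
// Added example (not from the original post): a dependency-free model of
// unstable_cache + per-row validation. All names and sample data are constructed.

type Row = Record<string, unknown>;

export interface Tool { id: number; name: string; url: string }

// Stand-in for the zod schema: returns a Tool or null when the row is malformed.
export function parseTool(row: Row): Tool | null {
  const { id, name, url } = row;
  if (typeof id !== "number" || !Number.isInteger(id)) return null;
  if (typeof name !== "string" || name.length === 0) return null;
  if (typeof url !== "string" || !/^https?:\/\//.test(url)) return null;
  return { id, name, url };
}

// Validate per row so one bad row is skipped and counted rather than emptying the list.
export function parseTools(rows: Row[]): { tools: Tool[]; rejected: number } {
  const tools: Tool[] = [];
  let rejected = 0;
  for (const row of rows) {
    const tool = parseTool(row);
    if (tool) tools.push(tool);
    else rejected++;
  }
  return { tools, rejected };
}

// Stand-in for unstable_cache: memoize by key parts, refetch after `revalidate` seconds.
// The clock is injected so the revalidate window can be exercised deterministically.
export function makeCache(now: () => number) {
  const store = new Map<string, { value: unknown; expiresAt: number }>();
  return function cached<T>(
    fn: () => T,
    keyParts: string[],
    opts: { revalidate: number },
  ): () => T {
    const key = JSON.stringify(keyParts);
    return () => {
      const hit = store.get(key);
      if (hit && hit.expiresAt > now()) return hit.value as T;
      const value = fn();
      store.set(key, { value, expiresAt: now() + opts.revalidate * 1000 });
      return value;
    };
  };
}

// Constructed rows standing in for the result of `SELECT * FROM tools`; the third is malformed.
export const sampleRows: Row[] = [
  { id: 1, name: "Formatter", url: "https://example.invalid/fmt" },
  { id: 2, name: "Linter", url: "https://example.invalid/lint" },
  { id: "3", name: "", url: "not a url" },
];

// Mirrors the post's getTools: fixed query, validated rows, cached under ["tools"] for an hour.
export function makeGetTools(clock: () => number, rows: Row[] = sampleRows) {
  let queries = 0;
  const cached = makeCache(clock);
  const getTools = cached(
    () => {
      queries++; // counts how often the "query" actually runs
      return parseTools(rows).tools;
    },
    ["tools"],
    { revalidate: 3600 },
  );
  return { getTools, queryCount: () => queries };
}
```

The real `unstable_cache` also folds the wrapped function's arguments into the cache key and is asynchronous; the model keeps only the key-plus-time part to make the behaviour visible. The per-row validator is the part worth carrying back into the real code: a `toolSchema.safeParse(row)` per row with a log line for rejects avoids the silent `return []`.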