fix: read semantic sources safely (#284)

* fix: read semantic sources safely * test: retarget reindex per-scope error case to a broken manifest Reading a broken standalone source was made non-fatal in de1f1a8d (it is surfaced for repair instead of throwing), so the reindex per-scope error test no longer captured an error. Point it at a corrupt manifest shard, which is the remaining fatal read failure the per-scope catch must isolate, and assert the captured error names the offending file. * fix(sl): decouple semantic-layer file names from warehouse naming rules The in-file `name:` field is now the sole source identity; the filename is a derived label that never participates in identity. This removes the "Unsafe semantic-layer source name" failure class entirely: any warehouse identifier (Snowflake's uppercase SIGNED_UP, EVENT$LOG, dotted names) can be read, overlaid, edited, and deleted. - New `source-files.ts`: one total filename derivation (safe lowercase names verbatim; otherwise slug + sha256-hash suffix, immune to case-insensitive-filesystem collisions) and one by-name file resolver. - Reads resolve by name everywhere; the path-from-name fast path and `assertSafeSourceName` are gone. - Writes resolve-then-write: rewrites land on the file that declares the name (human renames survive); new sources get a derived filename; a derived path occupied by a different source fails instead of clobbering. - `readSourceFile` returns null for missing files instead of forcing every caller to launder IO errors; `deleteSource` distinguishes manifest-backed sources from not-found instead of silently succeeding. - `sl_write_source` accepts verbatim warehouse identifiers (snake_case is now a recommendation for new sources) and rejects sourceName/source.name mismatches; `sl_edit_source` rejects name-changing edits. - Ingest projection commits, gate-repair allowlists, and touched-source derivation use resolved paths / in-file names instead of interpolating `<connId>/<name>.yaml`. - Collapsed the five parallel path derivations and duplicated path-token helpers onto the shared module; dropped dead service methods. * fix(sl): resolve sources by declared name end-to-end and gate warehouse SQL with the parser-backed validator - Key broken/renamed semantic-layer files by their recoverable in-file name (slSourceNameForFile) so mid-edit sources stay reachable under their real identity in reads, listings, and search - Derive finalization touched sources from composed-source diffs and recover deleted files' declared names from the pre-change commit instead of parsing hash-derived filenames - Resolve revert/rollback paths against history (listFilesAtCommit) so human-renamed files are restored where they lived at preHead - Validate ingest sql_execution through the daemon's sqlglot validateReadOnly in the connection's dialect, sharing one driver-to-dialect map (sql-analysis/dialect.ts) across MCP and ingest - Harden the local read-only SQL backstop: accept leading comments, reject smuggled second statements, and strip trailing semicolons/comments before row-limit wrapping
2026-06-22 08:38:08 +02:00 · 2026-06-10 14:06:13 +02:00 · 2026-06-10 14:06:13 +02:00 · f3f893bf01
commit f3f893bf01
parent 853f39a7c3
51 changed files with 1797 additions and 476 deletions
--- a/packages/cli/src/context/sl/tools/sl-write-source.tool.ts
+++ b/packages/cli/src/context/sl/tools/sl-write-source.tool.ts
@ -22,8 +22,12 @@ const slWriteSourceInputSchema = z.object({
  connectionId: slToolConnectionIdSchema.describe('Data source connection ID'),
  sourceName: z
    .string()
-    .regex(/^[a-z0-9][a-z0-9_]*$/, 'Source name must be snake_case (lowercase alphanumeric and underscores)')
-    .describe('Name of the source to create, edit, or delete'),
+    .min(1)
+    .describe(
+      "Name of the source to create, edit, or delete. Must equal the source's `name:`. Use the verbatim " +
+        'warehouse identifier when overlaying a manifest source (e.g. SIGNED_UP); snake_case is recommended ' +
+        'for new standalone sources.',
+    ),
  source: sourceInputSchema
    .optional()
    .describe(
@ -152,6 +156,17 @@ Do NOT join back to a table that the SQL already aggregates from if the grain co
      );
    }

+    // The in-file `name:` is the source's identity; the file is written under
+    // source.name while the orphan/shadow checks key on sourceName — a mismatch
+    // would validate one source and save another.
+    if (input.source.name !== sourceName) {
+      return this.buildOutput(
+        false,
+        [`source.name "${input.source.name}" does not match sourceName "${sourceName}" — they must be identical.`],
+        sourceName,
+      );
+    }
+
    return this.writeFullSource(
      connectionId,
      input.source,
@ -253,12 +268,8 @@ Do NOT join back to a table that the SQL already aggregates from if the grain co
    connectionId: string,
    sourceName: string,
  ): Promise<string | null> {
-    try {
-      const { content } = await service.readSourceFile(connectionId, sourceName);
-      return content;
-    } catch {
-      return null;
-    }
+    const file = await service.readSourceFile(connectionId, sourceName);
+    return file?.content ?? null;
  }

  private async rejectOrphanOverlay(