fix: read semantic sources safely (#284)

* fix: read semantic sources safely

* test: retarget reindex per-scope error case to a broken manifest

Reading a broken standalone source was made non-fatal in de1f1a8d (it is
surfaced for repair instead of throwing), so the reindex per-scope error
test no longer captured an error. Point it at a corrupt manifest shard,
which is the remaining fatal read failure the per-scope catch must
isolate, and assert the captured error names the offending file.

* fix(sl): decouple semantic-layer file names from warehouse naming rules

The in-file `name:` field is now the sole source identity; the filename is
a derived label that never participates in identity. This removes the
"Unsafe semantic-layer source name" failure class entirely: any warehouse
identifier (Snowflake's uppercase SIGNED_UP, EVENT$LOG, dotted names) can
be read, overlaid, edited, and deleted.

- New `source-files.ts`: one total filename derivation (safe lowercase
  names verbatim; otherwise slug + sha256-hash suffix, immune to
  case-insensitive-filesystem collisions) and one by-name file resolver.
- Reads resolve by name everywhere; the path-from-name fast path and
  `assertSafeSourceName` are gone.
- Writes resolve-then-write: rewrites land on the file that declares the
  name (human renames survive); new sources get a derived filename; a
  derived path occupied by a different source fails instead of clobbering.
- `readSourceFile` returns null for missing files instead of forcing every
  caller to launder IO errors; `deleteSource` distinguishes manifest-backed
  sources from not-found instead of silently succeeding.
- `sl_write_source` accepts verbatim warehouse identifiers (snake_case is
  now a recommendation for new sources) and rejects sourceName/source.name
  mismatches; `sl_edit_source` rejects name-changing edits.
- Ingest projection commits, gate-repair allowlists, and touched-source
  derivation use resolved paths / in-file names instead of interpolating
  `<connId>/<name>.yaml`.
- Collapsed the five parallel path derivations and duplicated path-token
  helpers onto the shared module; dropped dead service methods.

* fix(sl): resolve sources by declared name end-to-end and gate warehouse SQL with the parser-backed validator

- Key broken/renamed semantic-layer files by their recoverable in-file
  name (slSourceNameForFile) so mid-edit sources stay reachable under
  their real identity in reads, listings, and search
- Derive finalization touched sources from composed-source diffs and
  recover deleted files' declared names from the pre-change commit
  instead of parsing hash-derived filenames
- Resolve revert/rollback paths against history (listFilesAtCommit) so
  human-renamed files are restored where they lived at preHead
- Validate ingest sql_execution through the daemon's sqlglot
  validateReadOnly in the connection's dialect, sharing one
  driver-to-dialect map (sql-analysis/dialect.ts) across MCP and ingest
- Harden the local read-only SQL backstop: accept leading comments,
  reject smuggled second statements, and strip trailing
  semicolons/comments before row-limit wrapping

packages/cli/test/context/sl/tools/sl-write-source.tool.test.ts

@@ -13,7 +13,7 @@ function makeTool(overrides: Partial<Record<string, any>> = {}) {
     validateWithProposedSource: vi.fn().mockResolvedValue({ errors: [], warnings: [] }),
     writeSource: vi.fn().mockResolvedValue({ commitHash: 'c1' }),
     deleteSource: vi.fn().mockResolvedValue(undefined),
-    readSourceFile: vi.fn().mockRejectedValue(new Error('not found')),
+    readSourceFile: vi.fn().mockResolvedValue(null),
     ...overrides.semanticLayerService,
   };
   const slSearchService = {
@@ -66,7 +66,7 @@ describe('SlWriteSourceTool — session gating', () => {
         deleteSource: vi.fn().mockResolvedValue(undefined),
         listManifestSourceNames: vi.fn().mockResolvedValue([]),
         isManifestBacked: vi.fn().mockResolvedValue(false),
-        readSourceFile: vi.fn().mockRejectedValue(new Error('not found')),
+        readSourceFile: vi.fn().mockResolvedValue(null),
         findManifestEntryByTableRef: vi.fn().mockResolvedValue(null),
       } as any,
       wikiService: {} as any,
@@ -248,7 +248,7 @@ describe('SlWriteSourceTool — session gating', () => {
         deleteSource: vi.fn().mockResolvedValue(undefined),
         listManifestSourceNames: vi.fn().mockResolvedValue(['mart_account_segments']),
         isManifestBacked: vi.fn().mockResolvedValue(false),
-        readSourceFile: vi.fn().mockRejectedValue(new Error('not found')),
+        readSourceFile: vi.fn().mockResolvedValue(null),
         findManifestEntryByTableRef: vi.fn().mockResolvedValue(null),
       } as any,
     });
@@ -377,3 +377,36 @@ describe('SlWriteSourceTool — standalone shadow guard', () => {
     expect(result.markdown).toMatch(/shadows an existing manifest entry|already exists/i);
   });
 });
+
+describe('SlWriteSourceTool — source name identity', () => {
+  it('accepts verbatim warehouse identifiers as sourceName', () => {
+    const { tool } = makeTool();
+    const base = { connectionId: '11111111-1111-1111-1111-111111111111' };
+    expect(tool.inputSchema.safeParse({ ...base, sourceName: 'SIGNED_UP' }).success).toBe(true);
+    expect(tool.inputSchema.safeParse({ ...base, sourceName: 'EVENT$LOG' }).success).toBe(true);
+    expect(tool.inputSchema.safeParse({ ...base, sourceName: 'orders' }).success).toBe(true);
+    expect(tool.inputSchema.safeParse({ ...base, sourceName: '' }).success).toBe(false);
+  });
+
+  it('rejects a source whose name does not match sourceName', async () => {
+    const { tool, semanticLayerService } = makeTool();
+    const result = await tool.call(
+      {
+        connectionId: '11111111-1111-1111-1111-111111111111',
+        sourceName: 'orders',
+        source: {
+          name: 'other_orders',
+          sql: 'select 1 as id',
+          grain: ['id'],
+          columns: [{ name: 'id', type: 'string' }],
+          measures: [],
+          joins: [],
+        } as any,
+      } as any,
+      baseContext,
+    );
+    expect(result.structured.success).toBe(false);
+    expect(result.markdown).toMatch(/does not match sourceName/);
+    expect(semanticLayerService.writeSource).not.toHaveBeenCalled();
+  });
+});