fix: harden SQL identifier handling across adapters

[raphael-intugle]

Description

Harden SQL identifier handling across the affected adapters and DataProduct metadata assembly to prevent identifier-based SQL injection and stop dropping PII flags during field detail generation.

Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📝 Documentation update
• 🎨 Code style update (formatting, renaming)
• ♻️ Refactoring (no functional changes)
• ⚡ Performance improvement
• ✅ Test update
• 🔧 Configuration change
• 🏗️ Infrastructure/build change

Related Issue(s)

Fixes #216

Changes Made

• added shared SQL safety helpers for identifier-path quoting, literal escaping, and PII tag detection
• hardened identifier interpolation in the BigQuery, Databricks, Postgres, SQL Server, Oracle, and Snowflake adapters
• updated DataProduct field-detail generation to quote sql_code safely and derive is_pii from manifest tags instead of hardcoding False
• added focused regression tests for malicious identifier inputs and updated the Databricks FQN expectation to assert safe quoting

Testing

Test Configuration

• Python Version: 3.12.3
• OS: Linux
• LLM Provider (if applicable): N/A

Test Cases

• Unit tests pass locally
• Manual testing completed
• Tested with sample datasets

Test Commands

PYTHONPATH=src .venv/bin/pytest tests/adapters/test_bigquery_adapter.py tests/adapters/test_databricks_adapter.py tests/adapters/test_snowflake_adapter.py tests/adapters/test_sql_identifier_safety.py
.venv/bin/ruff check src/intugle/adapters/utils.py src/intugle/data_product.py src/intugle/adapters/types/bigquery/bigquery.py src/intugle/adapters/types/databricks/databricks.py src/intugle/adapters/types/oracle/oracle.py src/intugle/adapters/types/postgres/postgres.py src/intugle/adapters/types/snowflake/snowflake.py src/intugle/adapters/types/sqlserver/sqlserver.py tests/adapters/test_databricks_adapter.py tests/adapters/test_sql_identifier_safety.py

Screenshots/Examples

# Example: malicious identifiers are now safely quoted instead of interpolated raw
adapter._get_fqn('users"; DROP TABLE accounts; --')

Checklist

• My code follows the code style of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings or linter errors
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published
• I have updated the relevant notebooks (if applicable)
• I have checked my code and corrected any misspellings

Documentation Updates

• README.md updated
• Docstrings added/updated
• Documentation site updated (if needed)
• Notebook examples updated (if applicable)
• CHANGELOG updated (if applicable)

Breaking Changes

• This PR introduces breaking changes
• Migration guide provided (if applicable)

Performance Impact

• Performance benchmarks run
• No significant performance impact
• Performance improvement:
• Performance regression:

Additional Context

This PR intentionally excludes unrelated local workspace changes such as .gitignore and .codex/.

Deployment Notes

No special deployment steps required.