fix: pre-release review — 7 surgical fixes

[jamestexas]

Summary

Pre-release audit found 7 issues (3 blockers, 4 should-fix). All resolved in this PR:

1. SQL injection in daemon query path (P0) — symbol parameter sanitized before interpolation into SQL sent over UDS
2. VFS handler hides graph nodes named "context"/"location" (P0) — Resolver now falls through when Match succeeds but Stat returns nil
3. release.yml repository_dispatch never creates a release (P0) — Condition now checks client_payload.tag
4. WritableGraph.ListChildren selects name instead of id (P1) — Fixed to match SQLiteGraph
5. lazyGraph.cleanup never called (P1) — Added graphRegistry.Close(), deferred in runServe
6. Managed leyline daemon orphaned on exit (P1) — Signal handler for SIGTERM/SIGINT
7. Unbounded batch read_file (P1) — Capped at 100 paths

Beads: mache-5c416f, mache-5c4c3b, mache-5c5366, mache-5c5a44, mache-5c6836, mache-5c6f1b, mache-5c76b3

Changes since v0.5.6 (24 commits)

• feat: Elixir tree-sitter support (feat: add Elixir tree-sitter support #99)
• feat: BDR hierarchy + beads schemas (feat: BDR beads schema + generic markdown schema #97, feat: BDR hierarchy schema for decade/thread/bead projection #98)
• feat(ci): release workflow with ley-line fat binary (feat(ci): release builds fat binary from ley-line artifacts #96)
• feat: overnight agent fixes — engine, lattice, writeback, vfs (feat: overnight agent fixes — 27 commits across engine, lattice, writeback, vfs #95)
• docs: README rewrite (docs: rewrite README for humans #93, docs(readme): ACI framing — topology is the point #94)
• fix: correctness debt — 4 surgical bug fixes (fix: correctness debt — 4 surgical bug fixes #92)
• feat: UDS LSP query + auto-enrichment (feat(serve): UDS socket client + auto-enrichment for LSP tools #88, fix(serve): query LSP data from daemon via UDS #91)
• perf: Louvain community detection pre-computed degrees (perf(graph): pre-compute degrees in Louvain community detection #89)
• feat: location virtual file (feat: expose location virtual file for source-origin orientation #87)
• fix: lazy ListRoots (fix(serve): lazy ListRoots with timeout #86)
• feat: --path flag, MCP sidecar lifecycle (feat(serve): --path flag, MCP sidecar lifecycle, loopback validation #85)
• feat: Streamable HTTP default transport (feat: default MCP transport to Streamable HTTP #84)
• refactor: VHandler chain + Streamable HTTP (refactor: VHandler chain + Streamable HTTP transport #83)
• feat: LSP defs/refs all schemas + Rust/Terraform presets (feat: add lsp_defs/refs to all schemas + Rust/Terraform presets #82)
• feat: schema-driven LSP materialization (feat: schema-driven LSP materialization with file_sets and include #81)
• feat: consume leyline LSP tables (feat: consume leyline LSP tables for hover, diagnostics, and MCP tools #80)
• feat: GraphCache write-through (feat: add GraphCache — write-through MemoryStore with SQLite persistence #79)
• feat: MCP project config, multi-editor install (feat: MCP project config, multi-editor install, cache scaling #78)
• feat: agent field report fixes + live graph (feat: agent field report fixes + live graph (#72) #73)
• feat: public tree-sitter validation API (feat: expose tree-sitter validation as public API #71)
• build(deps): golang.org/x/sys 0.41→0.42 (build(deps): bump golang.org/x/sys from 0.41.0 to 0.42.0 #90)

Test plan

• task build — compiles clean
• task test — all tests pass
• CI passes
• Verify VFS fallthrough with a Go project containing a context package

🤖 Generated with Claude Code