v0.42.31.0 feat(links): open link_source provenance + link-add/link-rm/link-sources (#1941)

[garrytan]

What & why

Closes the two ergonomics gaps from #1941 that forced a typed-citation-graph edge-writer to live downstream of gbrain instead of as a gbrain command. Filed by a downstream agent building a citation-graph ingester.

Gap 1 — provenance + CLI. engine.addLink/removeLink already accepted linkType/linkSource, but the ops didn't expose them, and there was no link-add/link-rm command. Now gbrain link/unlink take --link-source/--link-type, with link-add/link-rm aliases, plus a new gbrain link-sources to discover provenances.

Gap 2 — closed allowlist. link_source was a closed IN(...) CHECK; a new provenance like citation-graph was rejected, so derivers stamped manual and lost the distinction from hand-entered edges. Now it's an open kebab-case format gate (^[a-z][a-z0-9]*(-[a-z0-9]+)*$, ≤64 chars) — no migration per deriver.

Changes

• Migration v114 relaxes the link_source CHECK (3 inline schemas + migration). Postgres uses NOT VALID + VALIDATE (transaction:false); PGLite plain DROP+ADD. Existing built-ins all satisfy the regex, so the constraint swap never fails on existing data.
• add_link/remove_link expose --link-source/--link-type. Op-layer guard rejects the reconciliation-managed built-ins (markdown/frontmatter/mentions/wikilink-resolved) and defaults omitted provenance to manual (was the misleading engine default markdown).
• cliHints.aliases mechanism (collision-guarded at startup; alias-aware --help) registers link-add/link-rm; fixes a pre-existing --type→--link-type help typo.
• list_link_sources read op + listLinkSources({sourceId?,sourceIds?}) on both engines (deterministic order, federated-scope aware), added to the minion read allowlist.

Test plan

• New test/link-source-namespaced-regex.test.ts: regex/length boundaries, upgrade-path constraint swap on existing data, op guard + manual default, remove_link filters, list_link_sources scalar+federated scoping, alias resolution/collision/help.
• Updated parity, brain-allowlist, and the mentions-migration test (fixed the now-valid inferred assertion).
• Local: typecheck clean; affected + merge-adjacent suites green (391 tests across the link/migration/op/cli/engine files); end-to-end CLI smoke (link-add → link-sources → guarded rejects → provenance-filtered link-rm). Full parallel suite runs in CI.

Reviews

• /plan-eng-review (clean) + codex outside-voice on the plan: 13 findings, all absorbed (strict-kebab regex, 64-cap, managed-built-in guard, lock-friendly migration, federated scoping, deterministic order, doc/help fixes).
• Adversarial pass on the implementation diff: Claude subagent + codex both clear — no correctness bugs in this change.

Also fixed: supervisor queue-singleton (follow-up to #1849)

The adversarial pass flagged two correctness bugs in the v0.42.29.0 supervisor-singleton work (src/core/minions/supervisor.ts). Fixed in this PR:

• supervisorLockId keyed on a config-derived DB identity (:305), but the lock row already lives inside the target database. Two supervisors on the same physical DB via different-but-equivalent URLs (pooler vs direct port, host alias, trailing params) computed different ids and both acquired the "singleton" lock. Now keyed on the queue alone; the database half of the mutex is physical. Removed the now-dead currentDbIdentity().
• Stranded pidfile (:501): the process.on('exit') cleanup listener was installed after the DB-lock acquire, so the LOCK_HELD early-exit left this process's pidfile behind to block the next start. The listener is now installed first.

Regression test pins the listener-before-lock ordering and the queue-only lock-id invariant; KEY_FILES.md and the v0.42.31.0 CHANGELOG updated.