refactor: ship SQL pre-validation in shadow mode, defer other fixes

Reduces PR scope to telemetry-only based on deep analysis: the broader
fixes (prompt rules, warehouse_test guidance, apply_patch retry, read
file-not-found cache, altimate_core_validate auto-pull) were speculative
against an 8-machine / 1-day telemetry sample.

This PR now ships only what's needed to measure whether pre-execution
SQL validation is worth it:

- Keep: sql_pre_validation telemetry event + preValidateSql function
- Change: pre-validation runs fire-and-forget (shadow mode) — emits
  telemetry with outcome=skipped|passed|blocked|error but never blocks
  sql_execute. Zero user-facing latency impact.
- Revert: read.ts, apply_patch.ts, warehouse-test.ts, altimate-core-validate.ts,
  anthropic.txt system prompt changes — to be re-evaluated as separate
  PRs once real telemetry data validates need.

After 2 weeks of shadow telemetry, we can decide whether the blocking
behavior is worth the latency and false-positive risk.

Author: anandgupta42

packages/opencode/src/altimate/tools/altimate-core-validate.ts

@@ -2,9 +2,6 @@ import z from "zod"
 import { Tool } from "../../tool/tool"
 import { Dispatcher } from "../native"
 import type { Telemetry } from "../telemetry"
-// altimate_change start — auto-pull schema from cache when not provided
-import { getCache } from "../native/schema/cache"
-// altimate_change end
 
 export const AltimateCoreValidateTool = Tool.define("altimate_core_validate", {
   description:
@@ -15,20 +12,11 @@ export const AltimateCoreValidateTool = Tool.define("altimate_core_validate", {
     schema_context: z.record(z.string(), z.any()).optional().describe("Inline schema definition"),
   }),
   async execute(args, ctx) {
-    let hasSchema = !!(args.schema_path || (args.schema_context && Object.keys(args.schema_context).length > 0))
-    // altimate_change start — auto-pull schema from cache when not provided
-    if (!hasSchema) {
-      const cachedSchema = await tryGetSchemaFromCache()
-      if (cachedSchema) {
-        args = { ...args, schema_context: cachedSchema }
-        hasSchema = true
-      }
-    }
-    // altimate_change end
+    const hasSchema = !!(args.schema_path || (args.schema_context && Object.keys(args.schema_context).length > 0))
     const noSchema = !hasSchema
     if (noSchema) {
       const error =
-        "No schema provided. Provide schema_context or schema_path so table/column references can be resolved. Tip: run schema_index first to cache your warehouse schema."
+        "No schema provided. Provide schema_context or schema_path so table/column references can be resolved."
       return {
         title: "Validate: NO SCHEMA",
         metadata: { success: false, valid: false, has_schema: false, error },
@@ -89,41 +77,6 @@ function classifyValidationError(message: string): string {
   return "validation_error"
 }
 
-// altimate_change start — auto-pull schema from cache when not provided
-const CACHE_TTL_MS = 24 * 60 * 60 * 1000
-
-async function tryGetSchemaFromCache(): Promise<Record<string, any> | null> {
-  try {
-    const cache = await getCache()
-    const status = cache.cacheStatus()
-    const warehouse = status.warehouses[0]
-    if (!warehouse?.last_indexed) return null
-
-    const cacheAge = Date.now() - new Date(warehouse.last_indexed).getTime()
-    if (cacheAge > CACHE_TTL_MS) return null
-
-    const columns = cache.listColumns(warehouse.name, 10_000)
-    if (columns.length === 0) return null
-
-    const schemaContext: Record<string, any> = {}
-    for (const col of columns) {
-      const tableName = col.schema_name ? `${col.schema_name}.${col.table}` : col.table
-      if (!schemaContext[tableName]) {
-        schemaContext[tableName] = []
-      }
-      schemaContext[tableName].push({
-        name: col.name,
-        type: col.data_type || "VARCHAR",
-        nullable: col.nullable,
-      })
-    }
-    return schemaContext
-  } catch {
-    return null
-  }
-}
-// altimate_change end
-
 function formatValidate(data: Record<string, any>): string {
   if (data.error) return `Error: ${data.error}`
   if (data.valid) return "SQL is valid."

packages/opencode/src/altimate/tools/sql-execute.ts

@@ -37,15 +37,12 @@ export const SqlExecuteTool = Tool.define("sql_execute", {
     }
     // altimate_change end
 
-    // altimate_change start — pre-execution SQL validation via cached schema
-    const preValidation = await preValidateSql(args.query, args.warehouse)
-    if (preValidation.blocked) {
-      return {
-        title: "SQL: VALIDATION ERROR",
-        metadata: { rowCount: 0, truncated: false, error: preValidation.error },
-        output: preValidation.error!,
-      }
-    }
+    // altimate_change start — shadow-mode pre-execution SQL validation
+    // Runs validation against cached schema and emits sql_pre_validation telemetry,
+    // but does NOT block execution. Used to measure catch rate before deciding
+    // whether to enable blocking in a future release. Fire-and-forget so it
+    // doesn't add latency to the sql_execute hot path.
+    preValidateSql(args.query, args.warehouse).catch(() => {})
     // altimate_change end
 
     try {

packages/opencode/src/altimate/tools/warehouse-test.ts

@@ -20,14 +20,10 @@ export const WarehouseTestTool = Tool.define("warehouse_test", {
         }
       }
 
-      // altimate_change start — actionable error guidance for common auth failures
-      const errorDetail = result.error ?? "Unknown error"
-      const guidance = getConnectionGuidance(errorDetail)
-      // altimate_change end
       return {
         title: `Connection '${args.name}': FAILED`,
         metadata: { connected: false },
-        output: `Failed to connect to warehouse '${args.name}'.\nError: ${errorDetail}${guidance}`,
+        output: `Failed to connect to warehouse '${args.name}'.\nError: ${result.error ?? "Unknown error"}`,
       }
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e)
@@ -39,36 +35,3 @@ export const WarehouseTestTool = Tool.define("warehouse_test", {
     }
   },
 })
-
-// altimate_change start — actionable error guidance for common auth failures
-function getConnectionGuidance(error: string): string {
-  const lower = error.toLowerCase()
-
-  if (lower.includes("password") && (lower.includes("incorrect") || lower.includes("authentication failed"))) {
-    return "\n\nHow to fix: Check the password in your connection config. Verify the username has access from your current IP address. Use `warehouse_remove` then `warehouse_add` to re-enter credentials."
-  }
-  if (lower.includes("password must be a string") || lower.includes("scram")) {
-    return "\n\nHow to fix: The password field is missing or not a string. Check your connection config — the password may be empty or set to a non-string value. Use `warehouse_remove` then `warehouse_add` to re-configure."
-  }
-  if (lower.includes("private key") || lower.includes("decrypt")) {
-    return "\n\nHow to fix: Key pair authentication failed. Verify: (1) the key file is PEM/PKCS#8 format, (2) the passphrase is correct, (3) the key has not expired, (4) the public key is registered in your warehouse."
-  }
-  if (lower.includes("missing") && lower.includes("password")) {
-    return "\n\nHow to fix: No password was provided. Use `warehouse_remove` then `warehouse_add` to configure credentials. For Snowflake, you can also use key pair or SSO authentication."
-  }
-  if (lower.includes("browser") && lower.includes("timed out")) {
-    return "\n\nHow to fix: SSO browser authentication timed out. Ensure your default browser opened the auth page. If running in a headless environment, switch to password or key pair authentication instead."
-  }
-  if (lower.includes("not installed") || lower.includes("cannot find module")) {
-    return "\n\nHow to fix: The database driver is not installed. Run `npm install` with the appropriate driver package for your database type."
-  }
-  if (lower.includes("econnrefused") || lower.includes("enotfound")) {
-    return "\n\nHow to fix: Cannot reach the database server. Check: (1) the hostname and port are correct, (2) the server is running, (3) any firewalls or VPNs are configured to allow the connection."
-  }
-  if (lower.includes("schema") && (lower.includes("does not exist") || lower.includes("not authorized"))) {
-    return "\n\nHow to fix: The specified schema does not exist or your user lacks access. Check: (1) the schema name is spelled correctly, (2) your user/role has USAGE privilege on the schema."
-  }
-
-  return ""
-}
-// altimate_change end

packages/opencode/src/session/prompt/anthropic.txt

@@ -69,27 +69,9 @@ I've found some existing telemetry code. Let me mark the first todo as in_progre
 
 # Doing tasks
 The user will primarily request you perform software engineering tasks. This includes solving bugs, adding new functionality, refactoring code, explaining code, and more. For these tasks the following steps are recommended:
--
+- 
 - Use the TodoWrite tool to plan the task if required
 
-<!-- altimate_change start — bias toward action, reduce over-questioning, enforce read-before-edit -->
-# Agent behavior rules
-
-## Act first, ask later
-- Start working immediately. Do NOT ask clarifying questions unless the request is genuinely ambiguous with multiple incompatible interpretations.
-- If you can make a reasonable assumption, make it and state what you assumed. The user can correct you.
-- Prefer taking a small action (scan the project, read a file, check the schema) over asking the user what to do.
-
-## Always read before editing
-- NEVER call edit, write, or apply_patch on a file you have not read in the current session.
-- If apply_patch fails with "Failed to find expected lines", re-read the file immediately and generate a new patch from the fresh content. Do NOT retry the same patch.
-- After a file_not_found error on a specific path, do NOT attempt to read that same path again. Move on or ask the user.
-
-## Limit retries
-- If a tool call fails twice on the same input, do NOT retry a third time. Instead, explain what went wrong and try an alternative approach.
-- If apply_patch or edit fails on the same file twice, re-read the file, then try once more with fresh content. If that also fails, stop and report the issue.
-<!-- altimate_change end -->
-
 - Tool results and user messages may include <system-reminder> tags. <system-reminder> tags contain useful information and reminders. They are automatically added by the system, and bear no direct relation to the specific tool results or user messages in which they appear.
 
 

packages/opencode/src/tool/apply_patch.ts

@@ -100,30 +100,13 @@ export const ApplyPatchTool = Tool.define("apply_patch", {
           const oldContent = await fs.readFile(filePath, "utf-8")
           let newContent = oldContent
 
-          // altimate_change start — retry patch application with re-read on mismatch
           // Apply the update chunks to get new content
           try {
             const fileUpdate = Patch.deriveNewContentsFromChunks(filePath, hunk.chunks)
             newContent = fileUpdate.content
           } catch (error) {
-            // Re-read the file and retry once — the file may have changed since the LLM last saw it
-            const freshContent = await fs.readFile(filePath, "utf-8")
-            if (freshContent !== oldContent) {
-              try {
-                const retryUpdate = Patch.deriveNewContentsFromChunks(filePath, hunk.chunks)
-                newContent = retryUpdate.content
-              } catch (retryError) {
-                throw new Error(
-                  `apply_patch verification failed: ${retryError}\n\nThe file has been modified since you last read it. Please re-read the file and generate a new patch.`,
-                )
-              }
-            } else {
-              throw new Error(
-                `apply_patch verification failed: ${error}\n\nThe expected lines were not found in the file. Please re-read the file and generate a new patch based on its current contents.`,
-              )
-            }
+            throw new Error(`apply_patch verification failed: ${error}`)
           }
-          // altimate_change end
 
           const diff = trimDiff(createTwoFilesPatch(filePath, filePath, oldContent, newContent))
 

packages/opencode/src/tool/read.ts

@@ -12,11 +12,6 @@ import { assertExternalDirectory } from "./external-directory"
 import { InstructionPrompt } from "../session/instruction"
 import { Filesystem } from "../util/filesystem"
 
-// altimate_change start — cache file-not-found paths to prevent retry loops
-const _notFoundCache = new Set<string>()
-const NOT_FOUND_CACHE_MAX = 500
-// altimate_change end
-
 const DEFAULT_READ_LIMIT = 2000
 const MAX_LINE_LENGTH = 2000
 const MAX_LINE_SUFFIX = `... (line truncated to ${MAX_LINE_LENGTH} chars)`
@@ -55,17 +50,6 @@ export const ReadTool = Tool.define("read", {
     })
 
     if (!stat) {
-      // altimate_change start — cache file-not-found to prevent retry loops
-      if (_notFoundCache.has(filepath)) {
-        throw new Error(
-          `File not found: ${filepath}\n\nThis path was already checked and does not exist. Do NOT retry. Use a different path or ask the user for the correct location.`,
-        )
-      }
-      if (_notFoundCache.size < NOT_FOUND_CACHE_MAX) {
-        _notFoundCache.add(filepath)
-      }
-      // altimate_change end
-
       const dir = path.dirname(filepath)
       const base = path.basename(filepath)