feat(admin-ui): surface anchor-coverage warnings and unify schema labels

Hoist the anchor-coverage query to PolicyEditPage so the side-nav and panel
share one cache; add a red count pill on the `Anchor coverage` section, a
top-of-page banner on other sections, and redesign the panel into per-table
cards. Introduce `effectiveSchemaName` as the single schema-label rule across
RelationshipsPanel, PolicyAnchorCoveragePanel, and the `?focus=` deep-link
matcher, rendering the upstream name in muted parens where helpful. Smooth
the anchor creation flow from the warning deep-link with auto-selected
viable relationships and inline empty-state guidance (switch to alias mode
or add a relationship without leaving the form). Extend the proxy's
AnchorCoverageTableEntry with `schema_upstream` to support alias-aware
labels.

Author: jumpbetweenrows

CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- **[Admin UI] Anchor-coverage warning is harder to miss and easier to act on** — `PolicyEditPage` now hoists the `useQuery(['policy-anchor-coverage'])` to the page level so the side-nav and the panel share one cache entry. The `Anchor coverage` section in the secondary nav now carries a red count pill (`SectionDef.indicator`) when the policy will silently deny on any table; a top-of-page red banner ("This row filter will silently deny on N tables") with a `Review` button appears on every section except the coverage section itself, and inherits the active section's max-width so it lines up with the form/content below. The coverage panel itself was redesigned: each broken table is its own card with bold header (data source + `schema.table`), per-column rows with a clearer reason line, and a tertiary `Add anchor →` button instead of a plain underline. The outer wrapper switched from red wash to a neutral white card so the per-table red still reads as the alarm without desensitizing.
+- **[Admin UI] Consistent schema-alias labeling across relationship/anchor surfaces** — new `effectiveSchemaName(schema_name, schema_alias)` helper in `src/utils/schemaLabel.ts` is now the single rule used by `RelationshipsPanel`, `PolicyAnchorCoveragePanel`, and the `?focus=` deep-link matcher: display the alias if set, raw upstream name otherwise. Dropdowns and selection contexts also render the upstream name in muted parens (`pg.orders  (postgres.orders)`) so admins can verify the mapping without bouncing to the discovery wizard. The anchor table's relationship cell now shows the full `child_schema.child_table.child_col → parent_schema.parent_table.parent_col` join path (the child side was previously missing), and the column header was renamed from `Via relationship` to `Resolves via` to honestly cover both the FK-walk and same-table-alias modes.
+- **[Admin UI] Anchor creation flow on deep-link from the policy warning** — when arriving via the `Add anchor →` link, the form now auto-selects the relationship if exactly one candidate's parent table contains the resolved column. Multiple viable candidates are sorted first in the dropdown and prefixed with `✓`. When the prefilled child table has zero relationships, the form replaces the previous one-line amber sentence with an empty-state guidance block: a "Switch to Same-table alias" button + an inline `FkSuggestionsList` filtered to the child table + a compact `InlineManualRelationshipForm` (parent table + columns) that auto-injects the new relationship into the anchor on success. The user no longer has to leave the anchor flow to fix the missing prerequisite.
+
+### Added
+
+- **[Proxy] `schema_upstream` field on the anchor-coverage response** — `AnchorCoverageTableEntry` now carries both `schema` (effective name, alias if set) and `schema_upstream` (raw upstream name). The admin UI uses this to render `pg.payments  (postgres.payments)` in the warning panel when an alias is in play, while continuing to deep-link by the effective name (which is what the proxy keys columns by at query time).
+- **[Admin UI] `SectionDef.indicator` slot on `SecondaryNav`** — sections can now carry an optional `{ tone: 'red' | 'yellow'; label: string; ariaLabel?: string }` indicator that renders as a small count pill on the right of the nav button. Currently consumed by `PolicyEditPage` for anchor coverage; the slot is generic so future sections can adopt it without further changes to the component.
+
 ## [0.17.0] - 2026-04-23
 
 ### Added

admin-ui/CLAUDE.md

@@ -17,8 +17,9 @@ Before building a new page or extending an existing one, read `admin-ui/DESIGN.m
 - `src/components/RoleMemberPanel.tsx` — Effective member list (direct + inherited with source badges), add/remove for direct members
 - `src/components/RoleInheritancePanel.tsx` — Parent/child role management with cycle detection feedback
 - `src/components/RoleAccessPanel.tsx` — Checkbox-based role access panel for datasource edit page
-- `src/components/PolicyAnchorCoveragePanel.tsx` — Edit-time silent-deny warning on `PolicyEditPage` for `row_filter` policies. Calls `GET /policies/{id}/anchor-coverage` (keyed on `(policyId, version)` so saves auto-refetch via the existing `['policy', policyId]` invalidation); hidden for non-row-filter types. Renders a green banner when every (assigned table × referenced column) resolves cleanly, or a red panel listing each broken `(table, column)` pair with a link to the datasource page where the missing anchor can be added. Rendered inside the `Anchor coverage` section of the policy edit page's T1 sidebar (omitted from the nav for non-row-filter policies).
-- `src/components/RelationshipsPanel.tsx` — Datasource edit page panel for admin-curated `table_relationship` + `column_anchor` CRUD. Surfaces live FK candidates from `GET /datasources/{id}/fk-suggestions` (already-added tuples greyed out) and the resolved-column → anchor designations that drive transitive row-filter resolution. The anchor form's "Resolve via" radio picks between **Relationship (FK walk)** — rendered via a dropdown of relationships scoped to the selected child table — and **Same-table alias** — rendered as a text input with a `<datalist>` populated from the child table's discovered columns. Long child→parent labels stack on two lines so Delete buttons stay reachable inside the narrow `max-w-2xl` page container. See `docs/security-vectors.md` vector 73 for the trust model.
+- `src/components/PolicyAnchorCoveragePanel.tsx` — Pure display component for the edit-time silent-deny warning on `PolicyEditPage`. Receives `data: PolicyAnchorCoverageResponse | undefined` as a prop (the query is hoisted to `PolicyEditPage` so the side-nav indicator and the panel share one cache entry). Renders a green banner when every (assigned table × referenced column) resolves cleanly, or a red panel listing each broken `(table, column)` pair grouped by `(data_source_name, schema.table)` as a card row with an `Add anchor →` button link to the datasource page. When the schema has an alias, shows the upstream raw name in muted parens next to the table label. Rendered inside the `Anchor coverage` section of the policy edit page's T1 sidebar (omitted from the nav for non-row-filter policies).
+- `src/components/RelationshipsPanel.tsx` — Datasource edit page panel for admin-curated `table_relationship` + `column_anchor` CRUD. Surfaces live FK candidates from `GET /datasources/{id}/fk-suggestions` (already-added tuples greyed out) and the resolved-column → anchor designations that drive transitive row-filter resolution. The anchor table's `Resolves via` column shows the full `child_schema.child_table.child_col → parent_schema.parent_table.parent_col` join path for relationship-mode anchors and the `alias → .col` shape for same-table-alias mode. The anchor form's "Resolve via" radio picks between **Relationship (FK walk)** — rendered via a dropdown of relationships scoped to the selected child table, with viable candidates (parent table contains the resolved column) sorted first and prefixed `✓`; auto-selected when there is exactly one viable candidate — and **Same-table alias** — rendered as a text input with a `<datalist>` populated from the child table's discovered columns. When the prefilled child table has zero relationships, the form shows an empty-state guidance block with two CTAs (Switch to Same-table alias / Add a relationship ↓); the latter expands an inline `FkSuggestionsList` filtered to the child table plus an `InlineManualRelationshipForm` mini-form, both of which auto-populate the anchor's `relationshipId` on success. Long child→parent labels stack on two lines so Delete buttons stay reachable inside the narrow `max-w-2xl` page container. See `docs/security-vectors.md` vector 73 for the trust model.
+- `src/utils/schemaLabel.ts` — `effectiveSchemaName(schema_name, schema_alias)` helper. **Convention: every admin-ui surface that displays a schema name uses the effective name (alias if set, else raw upstream).** This matches what policies and queries operate on (the proxy keys columns by the effective/df name in `resolution/graph.rs`) and what the policy target dropdowns already do via `useCatalogHints`. When a place needs to surface the raw upstream alongside (selection contexts like dropdowns, the anchor coverage warning), render `(schema_upstream.table)` muted next to the effective label. Used by `RelationshipsPanel.tsx`, `PolicyAnchorCoveragePanel.tsx`, and the `?focus=` deep-link matcher in `ColumnAnchorsSection`.
 - `src/api/catalog.ts` — API client for discovery catalog + `table_relationship` / `column_anchor` / FK suggestions (`listRelationships`, `createRelationship`, `deleteRelationship`, `listFkSuggestions`, `listColumnAnchors`, `createColumnAnchor`, `deleteColumnAnchor`)
 - `src/types/catalog.ts` — TypeScript interfaces for catalog + relationships (`TableRelationship`, `CreateTableRelationshipRequest`, `ColumnAnchor`, `CreateColumnAnchorRequest`, `FkSuggestion`)
 - `src/components/AuditTimeline.tsx` — Reusable admin audit timeline (used on role/user/policy/datasource detail pages)
@@ -47,7 +48,7 @@ Before building a new page or extending an existing one, read `admin-ui/DESIGN.m
 - `src/components/Layout.tsx` — App shell layout with sidebar navigation
 - `src/pages/PoliciesListPage.tsx` — Paginated policy list
 - `src/pages/PolicyCreatePage.tsx` — Policy creation page
-- `src/pages/PolicyEditPage.tsx` — T1 sidebar edit page. Sections: Details, Assignments, Anchor coverage (row_filter only), View as code, Activity. Danger zone offers typed-name delete with a "Disable instead" escape via `is_enabled`. Save keeps the user on the page (toast-only); 409 conflicts show an inline banner.
+- `src/pages/PolicyEditPage.tsx` — T1 sidebar edit page. Sections: Details, Assignments, Anchor coverage (row_filter only), View as code, Activity. Owns the `useQuery(['policy-anchor-coverage', policyId, version])` and passes the result down to `PolicyAnchorCoveragePanel`; `sectionsFor()` reads the broken-entry count and stamps a red count pill on the `Anchor coverage` nav item via `SectionDef.indicator`. Danger zone offers typed-name delete with a "Disable instead" escape via `is_enabled`. Save keeps the user on the page (toast-only); 409 conflicts show an inline banner.
 - `src/pages/QueryAuditPage.tsx` — Query audit log viewer
 - `src/test/test-utils.tsx` — `renderWithProviders` (QueryClient + AuthProvider + MemoryRouter)
 - `src/test/factories.ts` — `makeUser`, `makeDataSource`, `makeDataSourceType`, `makeDiscoveredSchema/Table/Column`, `makeDecisionFunction`, `makePolicy`, `makePolicyAssignment`

admin-ui/src/components/PolicyAnchorCoveragePanel.test.tsx

@@ -1,46 +1,43 @@
-import { describe, it, expect, vi, afterEach } from 'vitest'
-import { screen, waitFor } from '@testing-library/react'
+import { describe, it, expect } from 'vitest'
+import { screen } from '@testing-library/react'
 import { PolicyAnchorCoveragePanel } from './PolicyAnchorCoveragePanel'
 import { renderWithProviders } from '../test/test-utils'
-import * as policiesApi from '../api/policies'
 import type { PolicyAnchorCoverageResponse } from '../types/policy'
 
-afterEach(() => {
-  vi.restoreAllMocks()
-})
-
-function mockCoverage(coverage: PolicyAnchorCoverageResponse) {
-  vi.spyOn(policiesApi, 'getPolicyAnchorCoverage').mockResolvedValue(coverage)
-}
-
 describe('PolicyAnchorCoveragePanel', () => {
-  it('renders nothing for non-row-filter policies', () => {
-    const { container } = renderWithProviders(
-      <PolicyAnchorCoveragePanel
-        policyId="p-1"
-        policyType="column_mask"
-        version={1}
-      />,
-    )
+  it('shows a loading shim when data is undefined', () => {
+    renderWithProviders(<PolicyAnchorCoveragePanel data={undefined} />)
+    expect(document.body.textContent).toMatch(/checking anchor coverage/i)
+  })
+
+  it('renders nothing when there are zero assigned tables', () => {
+    const data: PolicyAnchorCoverageResponse = {
+      policy_id: 'p-1',
+      policy_type: 'row_filter',
+      coverage: [],
+    }
+    const { container } = renderWithProviders(<PolicyAnchorCoveragePanel data={data} />)
     expect(container.firstChild).toBeNull()
   })
 
-  it('shows green banner when all verdicts pass', async () => {
-    mockCoverage({
+  it('shows green banner when all verdicts pass', () => {
+    const data: PolicyAnchorCoverageResponse = {
       policy_id: 'p-1',
       policy_type: 'row_filter',
       coverage: [
         {
           data_source_id: 'ds-1',
           data_source_name: 'prod',
           schema: 'public',
+          schema_upstream: 'public',
           table: 'orders',
           verdicts: [{ kind: 'on_table', column: 'tenant' }],
         },
         {
           data_source_id: 'ds-1',
           data_source_name: 'prod',
           schema: 'public',
+          schema_upstream: 'public',
           table: 'payments',
           verdicts: [
             {
@@ -55,48 +52,43 @@ describe('PolicyAnchorCoveragePanel', () => {
           ],
         },
       ],
-    })
+    }
 
-    renderWithProviders(
-      <PolicyAnchorCoveragePanel policyId="p-1" policyType="row_filter" version={1} />,
-    )
+    renderWithProviders(<PolicyAnchorCoveragePanel data={data} />)
 
-    await waitFor(() =>
-      expect(screen.getByTestId('anchor-coverage-clean')).toBeInTheDocument(),
-    )
+    expect(screen.getByTestId('anchor-coverage-clean')).toBeInTheDocument()
     expect(document.body.textContent).toMatch(/2 tables resolve cleanly/i)
   })
 
-  it('shows red panel listing broken pairs with datasource link', async () => {
-    mockCoverage({
+  it('shows red panel listing broken pairs with datasource link', () => {
+    const data: PolicyAnchorCoverageResponse = {
       policy_id: 'p-1',
       policy_type: 'row_filter',
       coverage: [
         {
           data_source_id: 'ds-42',
           data_source_name: 'prod',
           schema: 'public',
+          schema_upstream: 'public',
           table: 'invoices',
           verdicts: [{ kind: 'missing_anchor', column: 'tenant' }],
         },
         {
           data_source_id: 'ds-42',
           data_source_name: 'prod',
           schema: 'public',
+          schema_upstream: 'public',
           table: 'orders',
           verdicts: [{ kind: 'on_table', column: 'tenant' }],
         },
       ],
-    })
+    }
 
-    renderWithProviders(
-      <PolicyAnchorCoveragePanel policyId="p-1" policyType="row_filter" version={3} />,
-    )
+    renderWithProviders(<PolicyAnchorCoveragePanel data={data} />)
 
-    await waitFor(() =>
-      expect(screen.getByTestId('anchor-coverage-broken')).toBeInTheDocument(),
-    )
-    expect(document.body.textContent).toMatch(/silently deny on 1 of 2 tables/i)
+    expect(screen.getByTestId('anchor-coverage-broken')).toBeInTheDocument()
+    expect(document.body.textContent).toMatch(/silently deny on 1 table/i)
+    expect(document.body.textContent).not.toMatch(/of 2/)
     expect(document.body.textContent).toMatch(/invoices/)
     expect(document.body.textContent).toMatch(/no anchor configured/i)
 
@@ -106,4 +98,58 @@ describe('PolicyAnchorCoveragePanel', () => {
       `/datasources/ds-42/edit?section=anchors&focus=${encodeURIComponent('public.invoices.tenant')}`,
     )
   })
+
+  it('shows the upstream schema in muted parens when an alias is set', () => {
+    const data: PolicyAnchorCoverageResponse = {
+      policy_id: 'p-1',
+      policy_type: 'row_filter',
+      coverage: [
+        {
+          data_source_id: 'ds-99',
+          data_source_name: 'staging',
+          schema: 'pg',
+          schema_upstream: 'postgres',
+          table: 'payments',
+          verdicts: [{ kind: 'missing_anchor', column: 'tenant_id' }],
+        },
+      ],
+    }
+
+    renderWithProviders(<PolicyAnchorCoveragePanel data={data} />)
+
+    expect(document.body.textContent).toMatch(/pg\.payments/)
+    expect(document.body.textContent).toMatch(/\(postgres\.payments\)/)
+
+    const link = screen.getByRole('link', { name: /add anchor/i })
+    expect(link).toHaveAttribute(
+      'href',
+      `/datasources/ds-99/edit?section=anchors&focus=${encodeURIComponent('pg.payments.tenant_id')}`,
+    )
+  })
+
+  it('reports alias-target verdicts as their dedicated message', () => {
+    const data: PolicyAnchorCoverageResponse = {
+      policy_id: 'p-1',
+      policy_type: 'row_filter',
+      coverage: [
+        {
+          data_source_id: 'ds-1',
+          data_source_name: 'prod',
+          schema: 'public',
+          schema_upstream: 'public',
+          table: 'orders',
+          verdicts: [
+            {
+              kind: 'missing_column_on_alias_target',
+              column: 'tenant_id',
+              actual_column_name: 'org_id',
+            },
+          ],
+        },
+      ],
+    }
+    renderWithProviders(<PolicyAnchorCoveragePanel data={data} />)
+    expect(document.body.textContent).toMatch(/alias points at missing column/i)
+    expect(document.body.textContent).toMatch(/org_id/)
+  })
 })