workload-replay: harden and AST-anonymize captured workloads

[jasonhernandez]

Squash of the workload-anonymize-* stack (#36745, #36746, #36749, #36797, #36799, #36801) into one reviewable change against main. Those drafts are superseded by this PR.

bin/mz-workload-anonymize scrubs identifiers and literals from captured workloads so they can be shared. It relied on text-regex substitution, which both leaked sensitive data and corrupted SQL. This reworks the SQL rewriting onto Materialize's own parsed AST and hardens the surrounding tool.

New crate src/sql-anonymize (mz-sql-anonymize)

Reads {mapping, rename_identifiers, redact_literals, statements} and rewrites each statement on the AST via VisitMut:

• Renames identifiers as whole tokens, reaching object/cluster/type references — the Raw AstInfo associated types, whose generic visitors are no-ops — by overriding visit_item_name_mut & friends. No substring corruption, no in-string rewrites, no word-boundary/case guesswork (Mz identifiers are case-sensitive, so exact match is correct).
• Redacts query literals (strings, numbers, hex, intervals) → '<REDACTED>'.
• Preserves config literals (CREATE CLUSTER/CLUSTER REPLICA/ALTER CLUSTER, SET/RESET/SET TRANSACTION/ALTER SYSTEM) — sizes, timeouts — that replay needs and aren't sensitive.

Anonymizer (Python)

Sends all cluster/DDL/query SQL through the helper, and:

• still scrubs DDL create_sql literals with a blanket regex, because option strings (broker addresses, hosts) are typed AST fields neither the visitor nor the engine's redacted Display treats as literals;
• applies the structural identifier mapping (column types, child schema/db, query routing) directly — not SQL;
• rebuilds source-child dict keys from mapped database/schema names (these previously leaked the originals);
• requires the parser by default (--require-parser); falls back to regex, with a warning, only when the binary is unavailable or a statement doesn't parse.

Safety net

A verify pass re-scans output for surviving original identifiers (in any string, including structural keys) and non-placeholder literals — exempting reserved format keys and preserved config statements — and refuses to write if anything leaks. Output now requires an explicit -o/--in-place instead of silently overwriting the input.

Validation (production capture)

Metric	regex prototype	this PR (AST)
Anonymized queries that fail to re-parse	65 / 565 (12%)	0 / 623
Identifier leaks	—	0 (only the transaction_id format key)
Query numeric literals remaining	leaked	0
Cluster SIZE / SET timeout	—	preserved

Tests

8 Rust unit tests (token-level rename, qualified refs, no substring/in-string corruption, query-literal redaction incl. numbers, cluster/SET preservation, parse-failure → null) + 22 Python tests (end-to-end anonymization, leak regressions, subsource-key fix, verify guards, require-parser gate, regex fallback). The DDL-option-string limitation (broker addresses handled by the regex, not the AST) is documented in the README and code.

🤖 Generated with Claude Code