fix(sync): load source once in sync_apply, pass to sync_check to close TOCTOU window

[Tet-9]

Fixes #217

What

sync_apply called _load_source(source_path) directly and then passed
source_path into sync_check, which called _load_source a second time
internally. This meant the validation and write phases operated on two
separate _SyncSource instances.

For bundle sources this opened a TOCTOU window: a bundle replaced on disk
between the two _load_source calls would pass sync_check (validating
the first snapshot) but write from the second, unvalidated load. It also
caused redundant I/O: directory sources were walked twice and bundle
tarballs were opened three times per sync_apply call.

Fix

• sync_check now accepts an optional _src: _SyncSource | None = None
  parameter. When supplied, it skips _load_source and uses the
  pre-loaded instance directly.
• sync_apply loads the source once and passes it into sync_check via
  _src=src, so both the check and write phases share the same validated
  snapshot.

Tests added

• test_sync_apply_loads_source_exactly_once_for_kb — asserts
  _load_source is called exactly once during sync_apply for a KB
  directory source.
• test_sync_apply_loads_bundle_source_exactly_once — same assertion for
  a bundle source.
• test_sync_check_accepts_preloaded_src — asserts sync_check uses a
  pre-loaded _SyncSource when supplied via _src.

Checklist

• make check passes (ruff + mypy + pytest, 554 passed)
• CHANGELOG.md updated under [Unreleased]
• No new dependencies
• Targets test branch

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b481cc63-dc33-4bf2-9f3f-009f02a4eeba

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Tet-9]

@plind-junior , review this when you are chanced

[plind-junior]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Can't wait for the next one!

Reviewed commit: dffebd563b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Tet-9]

@plind-junior , you may review this now as well