Semantic view tools bypass permission middleware; if/elif logic error in validators

[calmcivica]

Semantic view tools bypass permission middleware; if/elif logic error in validators

Three related bugs in the SQL permission validation system:

1. validate_semantic_view_tool exists in semantic_manager/tools.py but is never imported or called from CheckQueryType middleware in server_utils.py. All semantic tools (list_semantic_views, query_semantic_view, etc.) bypass configured sql_statement_permissions entirely.

2. Both validate_semantic_view_tool and validate_object_tool use if where elif is needed, breaking the intended guard when both allow/disallow lists are empty. Compare with validate_sql_type in query_manager/tools.py which uses the correct elif chain.

3. write_semantic_view_query f-string interpolates where_clause and order_by directly into SQL without validation, unlike identifiers which use bind variables.

Steps to Reproduce

1. Configure sql_statement_permissions with empty allow/disallow lists (should block everything)
2. Call list_semantic_views -- succeeds when it should be blocked
3. Call create_object -- correctly blocked by middleware

Relevant Code

server_utils.py -- no semantic handler:

if tool_name.lower() == "run_snowflake_query" ...:
    statement_type, valid = validate_sql_type(...)
elif tool_name.lower().startswith("create") or tool_name.lower().startswith("drop"):
    statement_type, valid = validate_object_tool(...)
# semantic tools fall through here
else:
    valid = True

semantic_manager/tools.py and object_manager/tools.py -- if should be elif:

if len(sql_allow_list) == 0 and len(sql_disallow_list) == 0:
    valid = False
if func_type in sql_allow_list:    # should be elif
    valid = True

semantic_manager/tools.py -- unvalidated interpolation:

if where_clause:
    statement += f" WHERE {where_clause}"