
feat(validate): add --queries flag for fleet-wide CQL parsing (closes #11) #13

Merged
willwebster5 merged 16 commits into master from feature/validate-cql-parity on Apr 22, 2026

Conversation

@willwebster5
Owner

Summary

Closes #11. Closes the gap between talonctl validate (schema-only) and talonctl validate-query (one template at a time) by adding a CI-friendly fleet-wide CQL parser, and cleans up misleading "Unknown error" messaging in NGSIEMClient.

  • New talonctl validate --queries / -Q flag: after schema validation passes, parses every CQL query across detections, saved searches, and dashboards against NGSIEM in parallel. Requires credentials; hard-fails with a friendly message if missing.
  • New talonctl.core.query_collection module (QueryRef dataclass + collect_queries_from_templates dispatcher) that centralises per-resource-type query-field knowledge.
  • New DeploymentOrchestrator.validate_queries() reuses the existing ThreadPoolExecutor pattern.
  • QueryValidationResult grew an optional location field so output anchors at the exact widget / filter path (e.g. at: widgets.top_ips.queryString).
  • NGSIEMClient.test_query_syntax and execute_query no longer emit "Unknown error" fallbacks. Errors now read LogScale rejected query (status=<N>, no detail returned by API) when the upstream API returns nothing structured, or pass payload through verbatim when present.
  • Drive-by fixes surfaced during review: detection field precedence (filter > query) aligned across plan path, validate-query, and the new collector; formatter wording neutralised away from FQL/deployment framing; dead "Unknown error" fallback removed from validate-query.

Plan/apply-path detection query validation (_validate_detection_queries) is intentionally unchanged — broadening it to saved searches and dashboards is a tracked follow-up.

Test plan

Offline (run in CI):

  • pytest tests/ -q → 636 passed
  • ruff check src/ tests/ → clean
  • New unit tests cover: query collector per-resource-type extraction + snippet truncation; NGSIEMClient error-message honesty (list/string/empty payloads); validate_queries() all-valid / one-invalid / per-query-exception / empty-fleet / filter-propagation; CLI --queries short-circuit on schema errors, credentials-missing path via real load_credentials stub, -Q short flag, location rendering in output.

Live API (to run on a work machine before merging — see local docs/superpowers/plans/2026-04-21-validate-cql-parity-live-tests.md):

  • talonctl validate --queries on a clean fleet → exit 0
  • Known-broken detection (!test(field, /x/i)) → exit 1 with at: search.filter
  • Broken dashboard widget → at: widgets.<id>.queryString
  • Broken saved search → at: queryString
  • Missing credentials → documented message and exit 1
  • -Q short flag parity
  • Confirm body.errors payload shape (record a sample if the API ever does return detail)
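The per-resource-type collector and the location paths described above, as an added Python example that is not talonctl's own code: it walks detection, saved-search and dashboard templates and emits one QueryRef per CQL string, applying the filter > query precedence and the at: paths named in the test plan. The template key names, the search.query fallback path and the snippet width are assumptions.

```python
# Added illustration, not talonctl's own code: one QueryRef per CQL string found
# in detection / saved-search / dashboard templates (template shapes are assumed).
from dataclasses import dataclass

SNIPPET_LEN = 40  # assumed truncation width for error output


@dataclass(frozen=True)
class QueryRef:
    resource_type: str  # "detection" | "saved_search" | "dashboard"
    name: str           # template name, assumed under the "name" key
    location: str       # dotted path reported as "at: ...", e.g. widgets.top_ips.queryString
    query: str

    @property
    def snippet(self) -> str:
        q = " ".join(self.query.split())  # keep error output on one line, then truncate
        return q if len(q) <= SNIPPET_LEN else q[: SNIPPET_LEN - 3] + "..."


def _detection(t):
    search = t.get("search", {})
    if search.get("filter"):          # precedence is filter > query, never both
        yield "search.filter", search["filter"]
    elif search.get("query"):
        yield "search.query", search["query"]  # fallback path is assumed


def _saved_search(t):
    if t.get("queryString"):
        yield "queryString", t["queryString"]


def _dashboard(t):
    for wid, widget in t.get("widgets", {}).items():
        if widget.get("queryString"):  # widgets without a query are skipped
            yield f"widgets.{wid}.queryString", widget["queryString"]


_EXTRACTORS = {"detection": _detection, "saved_search": _saved_search, "dashboard": _dashboard}


def collect_queries_from_templates(templates):
    # templates: iterable of (resource_type, template_dict) pairs; order is preserved
    return [QueryRef(rt, t.get("name", "<unnamed>"), loc, q)
            for rt, t in templates for loc, q in _EXTRACTORS[rt](t)]


# Constructed sample fleet: a detection carrying both fields, a saved search, a dashboard.
SAMPLE_TEMPLATES = [
    ("detection", {"name": "regex-misuse", "search": {"filter": "!test(field, /x/i)", "query": "ignored"}}),
    ("saved_search", {"name": "by-src", "queryString": "src_ip=10.0.0.1 | count()"}),
    ("dashboard", {"name": "overview", "widgets": {"top_ips": {"queryString": "groupBy(src_ip)"}, "note": {"text": "hi"}}}),
]

if __name__ == "__main__":
    for ref in collect_queries_from_templates(SAMPLE_TEMPLATES):
        print(f"{ref.resource_type} {ref.name} at: {ref.location}  {ref.snippet}")
```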

willwebster5 and others added 16 commits April 21, 2026 21:17
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…yntax

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove the stale local copy of QueryValidationResult from plan_formatter.py
(which lacked the new `location` field) and replace it with an import of
the canonical dataclass from deployment_orchestrator.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds --queries / -Q to talonctl validate. Schema validation runs offline
as before; when the flag is set, credentials are required and every
extracted query is CQL-parsed via the NGSIEM API. Schema errors short-circuit
before any API calls are made. Credential errors surface a clear
message pointing to talonctl auth setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…estrator

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…idate-query

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@willwebster5 willwebster5 merged commit e42aa2f into master Apr 22, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

talonctl: validate vs validate-query disparity