Handle permissions for follower correctly

[yaananth]

Why

We noticed failure at https://github.com/github/warehouse-config/actions/runs/19678778678/job/56367139412

   Failed to write to read-only follower database 'DDoSNeuralAnalysis' as it is write-protected. Please refer to the documentation for operations supported on a follower.) (Execution failed for command 
      .set database DDoSNeuralAnalysis viewers ("aadgroup=cf90f4b8-2651-48be-b6d9-3c076849debc;398a6654-997b-47e9-b12b-9515b896b4de","aadapp=21ac0ed3-1d1e-4aa6-b055-d375182a8f3d;398a6654-997b-47e9-b12b-9515b896b4de","aadgroup=e7dba5a3-a6cd-4452-8a0a-855a1b9f4c65;398a6654-997b-47e9-b12b-9515b896b4de","aadgroup=bb571a7a-0243-491a-afa7-49129ff09c76;72f988bf-86f1-41af-91ab-2d7cd011db47","aadgroup=257c7994-3f26-40fe-8ca8-e589d5d9ebf2;398a6654-997b-47e9-b12b-9515b896b4de","aadgroup=be518605-37ba-4597-a631-22e3c0d910ce;398a6654-997b-47e9-b12b-9515b896b4de","aadgroup=891cc616-f881-4bb0-93ee-7d7e42d913a7;398a6654-997b-47e9-b12b-9515b896b4de","aadapp=e749b031-de9c-465d-ac12-760b31f8e228;33e01921-4d64-4f8c-a055-5bdaffd5e33d","aadapp=909e8a8e-4e29-46bd-ac69-68eea7148fb0;72f988bf-86f1-41af-91ab-2d7cd011db47","aadapp=aa19cb66-76b4-4fcf-b3ce-1355ff107e41;398a6654-997b-47e9-b12b-9515b896b4de","aadgroup=f2c127f3-0a6a-4d8d-b623-8f74f452d2df;398a6654-997b-47e9-b12b-9515b896b4de","aadapp=5ec11934-789e-460d-86b5-d87bd72ce514;398a6654-997b-47e9-b12b-9515b896b4de","aadapp=64decea3-723a-4fbf-b2ec-9faaf852cfdc;398a6654-997b-47e9-b12b-9515b896b4de") 
       with reason
      Failed to write to read-only follower database 'DDoSNeuralAnalysis' as it is write-protected. Please refer to the documentation for operations supported on a follower.)
       ---> System.Exception: Execution failed for command 
      .set database DDoSNeuralAnalysis admins ("aadapp=4ea9d490-addd-48cd-baa2-a28a1079b71f;398a6654-997b-47e9-b12b-9515b896b4de","aadapp=e1a137a4-ea8c-4dd4-8928-e3344549ffa3;398a6654-997b-47e9-b12b-9515b896b4de") 
       with reason
      Failed to write to read-only follower database 'DDoSNeuralAnalysis' as it is write-protected. Please refer to the documentation for operations supported on a follower.

Summary

• Fix follower rollouts that failed with “write-protected follower database” by using documented follower commands.
• Quote database names in follower metadata queries so names with spaces/dots/hyphens work.
• Emit follower permission changes with follower-safe add/drop commands; apply principals-modification-kind first.
• Preserve leader metadata when diffing so repeated deployments stay idempotent.

Before

• Metadata: .show follower database My-DB (unquoted) — fails on special names.
• Permissions: .set database <db> admins/viewers (…) — rejected on followers; clearing roles emitted (none).

After

• Metadata: .show follower database ['My-DB'].
• Permissions: .alter follower database <db> principals-modification-kind = <kind> then:
  • removals: .drop follower database <db> admins|viewers ("…")
  • additions: .add follower database <db> admins|viewers ("…") ['leader']
    Works on read-only followers and correctly clears or sets principals.