Rewrite coverage map as source-centric view

Previously showed field-level coverage (rule fields vs parser fields).
Now shows per-dataSource.name coverage: is a parser loaded for each
active ingest source?

- New ActiveSource DB model stores live sources from SDL
- New POST /api/coverage/sync-sources endpoint runs PowerQuery to fetch
  current dataSource.names and their event counts, stores in DB
- GET /api/coverage/map now returns per-source status:
    covered       = a loaded parser matches this source name
    parser_needed = source is ingesting but no parser is loaded
- Parser matching uses fuzzy substring (handles "palo"→"Palo Alto Networks Firewall")
- Coverage table shows: source name, 7d event count, status, matched parser + field count, STAR rules
- Frontend: new "Sync Live Sources" button, updated stats cards, updated filter tabs
- Removed field-level view (was confusing — parser_needed on a field ≠ missing parser for a source)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/db.py

@@ -30,6 +30,14 @@ class ParserField(Base):
     field_type = Column(String)
 
 
+class ActiveSource(Base):
+    __tablename__ = "active_sources"
+    id = Column(Integer, primary_key=True)
+    source_name = Column(String, unique=True, index=True)
+    event_count = Column(Integer, default=0)
+    synced_at = Column(DateTime, default=datetime.utcnow)
+
+
 class IngestSnapshot(Base):
     __tablename__ = "ingest_snapshots"
     id = Column(Integer, primary_key=True)