Source Data API improvements

[srenatus]

PUT /v1/sources/{name}/data/{path} could use some guard rails

It's relatively simple to PUT data bits that lead to configurations that OCP can't build a bundle from anymore because of data merge conflicts. The PUT requests themselves will succeed, but subsequent builds fail:

% curl -H "Authorization: bearer sesame" "http://127.0.0.1:8282/v1/sources/git-policies/data/foo/bar" -XPUT -d '{"a": "A"}'
{}
% curl -H "Authorization: bearer sesame" "http://127.0.0.1:8282/v1/sources/git-policies/data/foo/bar/a" -XPUT -d '"b"'
{}

⏬ Logs:

{
  "time": "2025-10-16T08:11:26.005218+02:00",
  "level": "WARN",
  "msg": "failed to build a bundle \"hello-world\": build: load error: 1 error occurred during loading: git-policies/foo/bar/data.json: merge error"
}

It would seem nicer if the second PUT request was denied. ⚡

GET /v1/sources/{name}/data/{path} is unexpected for OPA users

Also, after you've pushed to /v1/sources/source-a/data/foo/bar, a typical OPA user would expect GET /v1/sources/source-a/data/foo to return something like {"bar": ...}, not {}.

Discoverability

Related to the previous point about GET, it's difficult to query the current state of the source data when you don't already know where it got written to. There's no way to list the data paths that have been provided, for example.