chore(workspace): gate dead-code with knip production mode (#196)

* refactor(workspace): relocate @ktx/llm source into packages/cli/src/llm

* refactor(workspace): rewrite @ktx/llm imports to relative paths

* refactor(workspace): fold internal packages into cli

* chore(workspace): gate dead-code with knip production mode

Turn on production-mode knip plus an autofix run in pre-commit and the
`pnpm dead-code` script, document the `/** @internal */` convention for
test-only exports in AGENTS.md, annotate test-only exports across the
CLI with that JSDoc, and drop dead exports/wrappers the new gate
surfaced (e.g. `cli-project.ts`, `lookerRuntimeSourceToFileAdapterSource`,
`createLocalScanEnrichmentProvidersFromConfig`,
`PGLITE_OWNER_PROCESS_BACKEND_CAPABILITIES`, stale type re-exports).
Replace the loose `ignoreIssues` allowlist in `knip.json` with explicit
production entries so cross-package barrel leaks are caught.

* refactor(cli): delete internal barrel index.ts files

The 34 `index.ts` re-export barrels inside `packages/cli/src/` were
holdovers from the pre-fold multi-workspace structure. Post-fold-in they
served no production purpose: external consumers go through the single
package main entry, and in-repo callers mostly imported through them
only because the path was short. Internally, knip flagged most barrel
re-exports as production-dead (only reached via tests).

This change:
- Deletes every internal barrel except `packages/cli/src/index.ts`
  (the published package entry).
- Rewrites ~270 source/test files to import each name directly from
  the file that defines it.
- Moves `tools/warehouse-verification/index.ts` to
  `create-warehouse-verification-tools.ts` (the function it defined
  locally) and updates its single consumer.
- Renames `search/backend-conformance.ts` → `.test-utils.ts` to match
  the existing test-helper file convention.
- Deletes 13 dead test-only chains (dbt-descriptions/*,
  live-database/extracted-schema, live-database/structural-sync,
  relationship-* feedback/review chain) plus their tests and a
  cascading orphan integration test.
- Updates test mocks that pointed at deleted barrel paths
  (notion-client, connector barrels in scan/local-scan-connectors
  tests) to mock the source files instead.
- Points the maintainer benchmark script
  (`scripts/relationship-benchmark-report.mjs`) at source files
  instead of `dist/context/scan/index.js`.
- Drops the barrel `!` entries from `knip.json`; adds explicit
  production entries only for the benchmark code reached via dist by
  the maintainer script.

Net: 413 files changed, ~1.2k insertions, ~9.4k deletions.

`pnpm run dead-code` (Biome + knip default + knip production) and
`pnpm run type-check` are clean; 2277 tests pass.

* refactor(workspace): rename @ktx/cli to @kaelio/ktx and pack it directly

Promote the CLI workspace package to the public name `@kaelio/ktx` and
drop the separate `scripts/build-public-npm-package.mjs` wrapper. The
CLI package is now publishable in place (`publishConfig.access: public`,
`provenance: true`), so artifact packing uses `pnpm pack` against
`packages/cli/` instead of assembling a parallel package tree.

Updates all workspace filter invocations, docs, tests, and release
readiness checks to reference the new package name, and folds the
tarball-name helper into `scripts/public-npm-release-metadata.mjs`.

* docs: align "agent clients" and "data agents" terminology

Replace "client agents" with "agent clients" and "database agents" with
"data agents" across AGENTS.md, README.md, the docs-site copy, and the
matching setup-agents test description, matching the canonical
vocabulary in docs/terminology.md.

Also moves packages/cli/tsconfig.json's tsBuildInfoFile from
node_modules/.cache/ to dist/.tsbuildinfo so incremental builds survive
node_modules reinstalls.

* refactor(release): single source of truth for package version

Make packages/cli/package.json the single source of truth for the
@kaelio/ktx version. publicNpmPackageVersion() now reads it directly,
so artifact filenames, release-readiness checks, and the Python wheel
version all derive from one field. The duplicate
release-policy.json.publicNpmPackageVersion is removed.

Previously the two fields could drift: tarballs were named
kaelio-ktx-0.4.1.tgz while internally containing
@kaelio/ktx@0.0.0-private.

- update-public-release-version.mjs rewrites both Python pyproject.toml
  files (ktx-daemon, ktx-sl) alongside the npm package.jsons,
  normalizing the version for PEP 440 (e.g. 0.1.0-rc.2 -> 0.1.0rc2).
- semantic-release-config.cjs adds the two pyproject.toml files to
  @semantic-release/git assets so the release commit back to main
  carries every version source in lockstep.
- The six "?? '0.0.0-private'" fallback literals across the CLI are
  replaced with "?? getKtxCliPackageInfo().version", and
  createDefaultKtxMcpServer makes its version arg required.
- docs/release.md describes the actual commit-back model: the dev tree
  always reflects the most recent release; no sentinel pin to
  maintain.

Verified: pnpm run artifacts:build now produces
kaelio-ktx-0.4.1.tgz and kaelio_ktx-0.4.1-py3-none-any.whl with
@kaelio/ktx@0.4.1 inside. Full type-check, dead-code, and
2287 vitests + 173 script tests pass.

* refactor(cli): inject embedding provider resolution and detect sentence-transformers runtime

Make resolveProjectEmbeddingProvider and runtimeIo injectable in ingest and
scan command entrypoints so tests can stub them, and teach
resolvePublicIngestRuntimeRequirements to flag the local-embeddings runtime
feature when ktx.yaml selects sentence-transformers.

* chore(cli): mark buildLocalStatsStatus and LocalStatsStatus as @internal

Both symbols are consumed only by status-project.test.ts. Annotating with
/** @internal */ keeps knip's production-mode check clean without changing
runtime behavior.

* fix(cli): use real package metadata in print-command-tree

The stubbed package name embedded a forbidden product identifier that
tripped the boundary check in CI. Read the metadata from package.json
instead — keeps the rendered tree unchanged and removes a duplicate
source of truth.

* feat(cli): show embedding coverage in `ktx status`, drop duplicate disk counts

Inline `(N embedded)` next to the Wiki scope counts and Semantic-layer
source counts, computed with `SUM(embedding_json IS NOT NULL)` over
`knowledge_pages` and `local_sl_sources`. Rename the "Knowledge" label to
"Wiki" (canonical per `docs/terminology.md`) and rename the matching
`localStats.knowledgePages` field to `localStats.wikiPages`.

Drop `wiki=N md` and `semantic-layer=N yaml` from the Disk row — those
duplicated the per-surface rows above. Disk now reports only actual byte
usage (db, cache, raw-sources). The unused `wikiGlobalMarkdownCount` /
`semanticLayerYamlCount` fields, the `isMarkdownEntry` / `isYamlEntry`
helpers, and the `filter` arg on `summarizeDir` are removed.

packages/cli/src/context/memory/memory-runtime-assets.test.ts

@@ -0,0 +1,198 @@
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { describe, expect, it } from 'vitest';
+import { PromptService } from '../../context/prompts/prompt.service.js';
+import { SkillsRegistryService } from '../../context/skills/skills-registry.service.js';
+import { DEFAULT_SKILL_NAMES, promptNameFor } from '../../context/memory/capture-signals.js';
+import type { MemoryAgentSourceType } from '../../context/memory/types.js';
+
+const promptsDir = fileURLToPath(new URL('../../prompts', import.meta.url));
+const skillsDir = fileURLToPath(new URL('../../skills', import.meta.url));
+const memorySourceTypes: MemoryAgentSourceType[] = ['research', 'external_ingest', 'backfill'];
+const expectedSkillHeadings: Record<string, string> = {
+  wiki_capture: '# Wiki Capture',
+  sl: '# Semantic Layer',
+  sl_capture: '# Semantic Layer',
+};
+const expectedAdapterSkillHeadings: Record<string, string> = {
+  historic_sql_patterns: '# Historic SQL Patterns',
+  historic_sql_table_digest: '# Historic SQL Table Digest',
+  live_database_ingest: '# Live Database Ingest',
+  looker_ingest: '# Looker Runtime Ingest',
+  lookml_ingest: '# LookML to KTX Semantic Layer',
+  metabase_ingest: '# Metabase to KTX Semantic Layer',
+  metricflow_ingest: '# MetricFlow to KTX Semantic Layer',
+};
+const verificationWriterSkills = [
+  'notion_synthesize',
+  'dbt_ingest',
+  'lookml_ingest',
+  'looker_ingest',
+  'metabase_ingest',
+  'metricflow_ingest',
+  'live_database_ingest',
+  'historic_sql_table_digest',
+  'historic_sql_patterns',
+  'wiki_capture',
+  'sl_capture',
+] as const;
+
+function forbiddenProductPattern() {
+  return new RegExp([['Kae', 'lio'].join(''), ['kae', 'lio'].join(''), ['KAE', 'LIO_'].join('')].join('|'));
+}
+
+function sqlExecutionCallBlocks(body: string): string[] {
+  const blocks: string[] = [];
+  const marker = 'sql_execution({';
+  let offset = 0;
+
+  while (offset < body.length) {
+    const start = body.indexOf(marker, offset);
+    if (start === -1) {
+      break;
+    }
+    const end = body.indexOf('})', start + marker.length);
+    blocks.push(body.slice(start, end === -1 ? start + marker.length : end + 2));
+    offset = start + marker.length;
+  }
+
+  return blocks;
+}
+
+describe('memory runtime assets', () => {
+  it('packages every memory-agent base prompt referenced by promptNameFor()', async () => {
+    const prompts = new PromptService({ promptsDir, partials: [] });
+
+    for (const sourceType of memorySourceTypes) {
+      const promptName = promptNameFor(sourceType);
+      const prompt = await prompts.loadPrompt(promptName);
+
+      expect(prompt).toContain('<role>');
+      expect(prompt).toContain('<workflow>');
+      expect(prompt).not.toMatch(forbiddenProductPattern());
+    }
+  });
+
+  it('packages the default memory capture skills referenced by DEFAULT_SKILL_NAMES', async () => {
+    const registry = new SkillsRegistryService({ skillsDir });
+    const skills = await registry.listSkills([...DEFAULT_SKILL_NAMES], 'memory_agent');
+
+    expect(skills.map((skill) => skill.name).sort()).toEqual(['sl', 'sl_capture', 'wiki_capture']);
+
+    for (const skill of skills) {
+      const body = await readFile(join(skill.path, 'SKILL.md'), 'utf-8');
+      const expectedHeading = expectedSkillHeadings[skill.name];
+      expect(expectedHeading).toBeDefined();
+      expect(body).toContain(expectedHeading);
+      expect(body).not.toMatch(forbiddenProductPattern());
+    }
+  });
+
+  it('keeps memory-only capture skills hidden from research callers', async () => {
+    const registry = new SkillsRegistryService({ skillsDir });
+    const skills = await registry.listSkills([...DEFAULT_SKILL_NAMES], 'research');
+
+    expect(skills.map((skill) => skill.name)).toEqual(['sl']);
+  });
+
+  it('packages ingest adapter skills referenced by bundled adapters', async () => {
+    const registry = new SkillsRegistryService({ skillsDir });
+    const skillNames = Object.keys(expectedAdapterSkillHeadings);
+    const skills = await registry.listSkills(skillNames, 'memory_agent');
+
+    expect(skills.map((skill) => skill.name).sort()).toEqual([...skillNames].sort());
+
+    for (const skill of skills) {
+      const body = await readFile(join(skill.path, 'SKILL.md'), 'utf-8');
+      expect(body).toContain(expectedAdapterSkillHeadings[skill.name]);
+      expect(body).not.toMatch(forbiddenProductPattern());
+    }
+  });
+
+  it('ships Looker runtime ingest guidance for warehouse target SL writes', async () => {
+    const body = await readFile(join(skillsDir, 'looker_ingest', 'SKILL.md'), 'utf-8');
+
+    expect(body).toContain('targetWarehouseConnectionId');
+    expect(body).toContain('targetTable.ok === true');
+    expect(body).toContain('targetTable.canonicalTable');
+    expect(body).toContain('source_tables preflight');
+    expect(body).toContain('emit_unmapped_fallback');
+    expect(body).toContain('no_connection_mapping');
+    expect(body).not.toContain('a standalone SL source only when raw evidence contains enough table or SQL structure');
+  });
+
+  it('ships Metabase guidance that avoids invalid joins for SQL-only card outputs', async () => {
+    const body = await readFile(join(skillsDir, 'metabase_ingest', 'SKILL.md'), 'utf-8');
+
+    expect(body).toContain('Do not declare a KTX join just because the card SQL joins that table internally');
+    expect(body).toContain('only when the card output exposes a local key that matches the target source grain');
+    expect(body).toContain('If `sl_discover` resolves the table, it is not outside the manifest');
+    expect(body).toContain('reason: "parse_error"');
+    expect(body).not.toContain('Tables outside the manifest');
+    expect(body).not.toContain('reason: "metabase_sql_untranslated"');
+  });
+
+  it('ships Notion guidance for physical-table fallbacks and duplicate wiki reconciliation', async () => {
+    const body = await readFile(join(skillsDir, 'notion_synthesize', 'SKILL.md'), 'utf-8');
+
+    expect(body).toContain('Notion `dataSourceCount` counts Notion databases/data sources only');
+    expect(body).toContain('Search existing wiki pages for the same `tables:` or `sl_refs:` frontmatter');
+    expect(body).toContain('no_physical_table');
+  });
+
+  it('packages LookML connection-mismatch SL gate guidance', async () => {
+    const body = await readFile(join(skillsDir, 'lookml_ingest', 'SKILL.md'), 'utf-8');
+
+    expect(body).toContain('[LOOKML SL WRITES DISALLOWED]');
+    expect(body).toContain('lookml_connection_mismatch');
+    expect(body).toContain('Do not call `sl_write_source` or `sl_edit_source`');
+    expect(body).toContain('LookML writes target the run connection directly');
+  });
+
+  it('ships identifier verification protocol in every synthesis writer skill', async () => {
+    for (const skillName of verificationWriterSkills) {
+      const body = await readFile(join(skillsDir, skillName, 'SKILL.md'), 'utf-8');
+      expect(body).toContain('## Identifier Verification Protocol');
+      expect(body).toMatch(/discover_data|entity_details/);
+    }
+  });
+
+  it('does not ship stale warehouse verification tool names or fictional identifiers', async () => {
+    for (const skillName of verificationWriterSkills) {
+      const body = await readFile(join(skillsDir, skillName, 'SKILL.md'), 'utf-8');
+      expect(body).not.toContain('orbit_analytics.customer');
+      expect(body).not.toContain('wiki_sl_search');
+      expect(body).not.toContain('sl_describe_table');
+    }
+  });
+
+  it('ships only the KTX connectionId sql_execution call shape in writer guidance', async () => {
+    const shared = await readFile(join(skillsDir, '_shared', 'identifier-verification.md'), 'utf-8');
+    const bodies = [{ name: '_shared/identifier-verification.md', body: shared }];
+
+    expect(shared).toContain('sql_execution({connectionId, sql: "SELECT DISTINCT');
+    expect(shared).toContain('sql_execution({connectionId, sql: "SELECT 1 FROM');
+
+    for (const skillName of verificationWriterSkills) {
+      const body = await readFile(join(skillsDir, skillName, 'SKILL.md'), 'utf-8');
+      bodies.push({ name: `${skillName}/SKILL.md`, body });
+      expect(body).toContain('sql_execution({connectionId');
+      expect(body).not.toContain('sql_execution({ sql');
+      expect(body).not.toContain('session shape');
+      expect(body).not.toContain('connection is already pinned by the ingest session');
+    }
+
+    for (const { name, body } of bodies) {
+      const calls = sqlExecutionCallBlocks(body);
+      expect(calls.length, `${name} should contain sql_execution guidance`).toBeGreaterThan(0);
+      expect(
+        calls.filter((call) => !call.includes('connectionId')),
+        `${name} has sql_execution calls without connectionId`,
+      ).toEqual([]);
+      expect(body, `${name} has a connectionless multiline sql_execution call`).not.toMatch(
+        /sql_execution\(\{\s*sql\s*:/,
+      );
+    }
+  });
+});