chore(workspace): gate dead-code with knip production mode (#196)

* refactor(workspace): relocate @ktx/llm source into packages/cli/src/llm

* refactor(workspace): rewrite @ktx/llm imports to relative paths

* refactor(workspace): fold internal packages into cli

* chore(workspace): gate dead-code with knip production mode

Turn on production-mode knip plus an autofix run in pre-commit and the
`pnpm dead-code` script, document the `/** @internal */` convention for
test-only exports in AGENTS.md, annotate test-only exports across the
CLI with that JSDoc, and drop dead exports/wrappers the new gate
surfaced (e.g. `cli-project.ts`, `lookerRuntimeSourceToFileAdapterSource`,
`createLocalScanEnrichmentProvidersFromConfig`,
`PGLITE_OWNER_PROCESS_BACKEND_CAPABILITIES`, stale type re-exports).
Replace the loose `ignoreIssues` allowlist in `knip.json` with explicit
production entries so cross-package barrel leaks are caught.

* refactor(cli): delete internal barrel index.ts files

The 34 `index.ts` re-export barrels inside `packages/cli/src/` were
holdovers from the pre-fold multi-workspace structure. Post-fold-in they
served no production purpose: external consumers go through the single
package main entry, and in-repo callers mostly imported through them
only because the path was short. Internally, knip flagged most barrel
re-exports as production-dead (only reached via tests).

This change:
- Deletes every internal barrel except `packages/cli/src/index.ts`
  (the published package entry).
- Rewrites ~270 source/test files to import each name directly from
  the file that defines it.
- Moves `tools/warehouse-verification/index.ts` to
  `create-warehouse-verification-tools.ts` (the function it defined
  locally) and updates its single consumer.
- Renames `search/backend-conformance.ts` → `.test-utils.ts` to match
  the existing test-helper file convention.
- Deletes 13 dead test-only chains (dbt-descriptions/*,
  live-database/extracted-schema, live-database/structural-sync,
  relationship-* feedback/review chain) plus their tests and a
  cascading orphan integration test.
- Updates test mocks that pointed at deleted barrel paths
  (notion-client, connector barrels in scan/local-scan-connectors
  tests) to mock the source files instead.
- Points the maintainer benchmark script
  (`scripts/relationship-benchmark-report.mjs`) at source files
  instead of `dist/context/scan/index.js`.
- Drops the barrel `!` entries from `knip.json`; adds explicit
  production entries only for the benchmark code reached via dist by
  the maintainer script.

Net: 413 files changed, ~1.2k insertions, ~9.4k deletions.

`pnpm run dead-code` (Biome + knip default + knip production) and
`pnpm run type-check` are clean; 2277 tests pass.

* refactor(workspace): rename @ktx/cli to @kaelio/ktx and pack it directly

Promote the CLI workspace package to the public name `@kaelio/ktx` and
drop the separate `scripts/build-public-npm-package.mjs` wrapper. The
CLI package is now publishable in place (`publishConfig.access: public`,
`provenance: true`), so artifact packing uses `pnpm pack` against
`packages/cli/` instead of assembling a parallel package tree.

Updates all workspace filter invocations, docs, tests, and release
readiness checks to reference the new package name, and folds the
tarball-name helper into `scripts/public-npm-release-metadata.mjs`.

* docs: align "agent clients" and "data agents" terminology

Replace "client agents" with "agent clients" and "database agents" with
"data agents" across AGENTS.md, README.md, the docs-site copy, and the
matching setup-agents test description, matching the canonical
vocabulary in docs/terminology.md.

Also moves packages/cli/tsconfig.json's tsBuildInfoFile from
node_modules/.cache/ to dist/.tsbuildinfo so incremental builds survive
node_modules reinstalls.

* refactor(release): single source of truth for package version

Make packages/cli/package.json the single source of truth for the
@kaelio/ktx version. publicNpmPackageVersion() now reads it directly,
so artifact filenames, release-readiness checks, and the Python wheel
version all derive from one field. The duplicate
release-policy.json.publicNpmPackageVersion is removed.

Previously the two fields could drift: tarballs were named
kaelio-ktx-0.4.1.tgz while internally containing
@kaelio/ktx@0.0.0-private.

- update-public-release-version.mjs rewrites both Python pyproject.toml
  files (ktx-daemon, ktx-sl) alongside the npm package.jsons,
  normalizing the version for PEP 440 (e.g. 0.1.0-rc.2 -> 0.1.0rc2).
- semantic-release-config.cjs adds the two pyproject.toml files to
  @semantic-release/git assets so the release commit back to main
  carries every version source in lockstep.
- The six "?? '0.0.0-private'" fallback literals across the CLI are
  replaced with "?? getKtxCliPackageInfo().version", and
  createDefaultKtxMcpServer makes its version arg required.
- docs/release.md describes the actual commit-back model: the dev tree
  always reflects the most recent release; no sentinel pin to
  maintain.

Verified: pnpm run artifacts:build now produces
kaelio-ktx-0.4.1.tgz and kaelio_ktx-0.4.1-py3-none-any.whl with
@kaelio/ktx@0.4.1 inside. Full type-check, dead-code, and
2287 vitests + 173 script tests pass.

* refactor(cli): inject embedding provider resolution and detect sentence-transformers runtime

Make resolveProjectEmbeddingProvider and runtimeIo injectable in ingest and
scan command entrypoints so tests can stub them, and teach
resolvePublicIngestRuntimeRequirements to flag the local-embeddings runtime
feature when ktx.yaml selects sentence-transformers.

* chore(cli): mark buildLocalStatsStatus and LocalStatsStatus as @internal

Both symbols are consumed only by status-project.test.ts. Annotating with
/** @internal */ keeps knip's production-mode check clean without changing
runtime behavior.

* fix(cli): use real package metadata in print-command-tree

The stubbed package name embedded a forbidden product identifier that
tripped the boundary check in CI. Read the metadata from package.json
instead — keeps the rendered tree unchanged and removes a duplicate
source of truth.

* feat(cli): show embedding coverage in `ktx status`, drop duplicate disk counts

Inline `(N embedded)` next to the Wiki scope counts and Semantic-layer
source counts, computed with `SUM(embedding_json IS NOT NULL)` over
`knowledge_pages` and `local_sl_sources`. Rename the "Knowledge" label to
"Wiki" (canonical per `docs/terminology.md`) and rename the matching
`localStats.knowledgePages` field to `localStats.wikiPages`.

Drop `wiki=N md` and `semantic-layer=N yaml` from the Disk row — those
duplicated the per-surface rows above. Disk now reports only actual byte
usage (db, cache, raw-sources). The unused `wikiGlobalMarkdownCount` /
`semanticLayerYamlCount` fields, the `isMarkdownEntry` / `isYamlEntry`
helpers, and the `filter` arg on `summarizeDir` are removed.

packages/cli/src/context/sql-analysis/http-sql-analysis-port.test.ts

@@ -0,0 +1,178 @@
+import { describe, expect, it, vi } from 'vitest';
+import { createHttpSqlAnalysisPort } from './http-sql-analysis-port.js';
+
+describe('createHttpSqlAnalysisPort', () => {
+  it('calls the SQL-analysis fingerprint endpoint and maps snake_case response fields', async () => {
+    const requestJson = vi.fn(async () => ({
+      fingerprint: 'fingerprint-template',
+      normalized_sql: 'SELECT * FROM analytics.orders WHERE status = ?',
+      tables_touched: ['analytics.orders'],
+      literal_slots: [{ position: 1, type: 'string', example_value: 'paid' }],
+    }));
+    const port = createHttpSqlAnalysisPort({ baseUrl: 'http://python.test', requestJson });
+
+    await expect(
+      port.analyzeForFingerprint("SELECT * FROM analytics.orders WHERE status = 'paid'", 'postgres'),
+    ).resolves.toEqual({
+      fingerprint: 'fingerprint-template',
+      normalizedSql: 'SELECT * FROM analytics.orders WHERE status = ?',
+      tablesTouched: ['analytics.orders'],
+      literalSlots: [{ position: 1, type: 'string', exampleValue: 'paid' }],
+    });
+
+    expect(requestJson).toHaveBeenCalledWith('/api/sql/analyze-for-fingerprint', {
+      sql: "SELECT * FROM analytics.orders WHERE status = 'paid'",
+      dialect: 'postgres',
+    });
+  });
+
+  it('preserves SQL-analysis parse errors in the mapped result', async () => {
+    const requestJson = vi.fn(async () => ({
+      fingerprint: '',
+      normalized_sql: '',
+      tables_touched: [],
+      literal_slots: [],
+      error: 'Invalid expression / Unexpected token',
+    }));
+    const port = createHttpSqlAnalysisPort({ baseUrl: 'http://python.test', requestJson });
+
+    await expect(port.analyzeForFingerprint('SELECT * FROM WHERE', 'postgres')).resolves.toEqual({
+      fingerprint: '',
+      normalizedSql: '',
+      tablesTouched: [],
+      literalSlots: [],
+      error: 'Invalid expression / Unexpected token',
+    });
+  });
+
+  it('calls the SQL batch endpoint and maps snake_case response fields into a Map', async () => {
+    const requestJson = vi.fn(async () => ({
+      results: {
+        orders: {
+          tables_touched: ['public.orders', 'public.customers'],
+          columns_by_clause: {
+            select: ['status'],
+            where: ['created_at'],
+            join: ['customer_id', 'id'],
+          },
+          error: null,
+        },
+        broken: {
+          tables_touched: [],
+          columns_by_clause: {},
+          error: 'Invalid expression / Unexpected token',
+        },
+      },
+    }));
+    const port = createHttpSqlAnalysisPort({ baseUrl: 'http://python.test', requestJson });
+
+    await expect(
+      port.analyzeBatch(
+        [
+          { id: 'orders', sql: 'select status from public.orders' },
+          { id: 'broken', sql: 'select * from where' },
+        ],
+        'postgres',
+      ),
+    ).resolves.toEqual(
+      new Map([
+        [
+          'orders',
+          {
+            tablesTouched: ['public.orders', 'public.customers'],
+            columnsByClause: {
+              select: ['status'],
+              where: ['created_at'],
+              join: ['customer_id', 'id'],
+            },
+            error: null,
+          },
+        ],
+        [
+          'broken',
+          {
+            tablesTouched: [],
+            columnsByClause: {},
+            error: 'Invalid expression / Unexpected token',
+          },
+        ],
+      ]),
+    );
+
+    expect(requestJson).toHaveBeenCalledWith('/sql/analyze-batch', {
+      dialect: 'postgres',
+      items: [
+        { id: 'orders', sql: 'select status from public.orders' },
+        { id: 'broken', sql: 'select * from where' },
+      ],
+    });
+  });
+
+  it('maps read-only SQL validation responses', async () => {
+    const requests: Array<{ path: string; payload: Record<string, unknown> }> = [];
+    const port = createHttpSqlAnalysisPort({
+      baseUrl: 'http://127.0.0.1:8765',
+      requestJson: async (path, payload) => {
+        requests.push({ path, payload });
+        return { ok: false, error: 'SQL contains read/write operation: Insert' };
+      },
+    });
+
+    await expect(
+      port.validateReadOnly('with x as (insert into t values (1)) select * from x', 'postgres'),
+    ).resolves.toEqual({
+      ok: false,
+      error: 'SQL contains read/write operation: Insert',
+    });
+    expect(requests).toEqual([
+      {
+        path: '/sql/validate-read-only',
+        payload: {
+          dialect: 'postgres',
+          sql: 'with x as (insert into t values (1)) select * from x',
+        },
+      },
+    ]);
+  });
+
+  it('rejects malformed read-only validation responses', async () => {
+    const port = createHttpSqlAnalysisPort({
+      baseUrl: 'http://127.0.0.1:8765',
+      requestJson: async () => ({ ok: 'yes' }),
+    });
+
+    await expect(port.validateReadOnly('select 1', 'postgres')).rejects.toThrow(
+      'sql analysis response is missing boolean field ok',
+    );
+  });
+
+  it('rejects malformed SQL batch responses instead of inventing defaults', async () => {
+    const requestJson = vi.fn(async () => ({
+      results: {
+        orders: {
+          tables_touched: ['public.orders'],
+          columns_by_clause: { select: ['status'], where: [42] },
+          error: null,
+        },
+      },
+    }));
+    const port = createHttpSqlAnalysisPort({ baseUrl: 'http://python.test', requestJson });
+
+    await expect(port.analyzeBatch([{ id: 'orders', sql: 'select status from public.orders' }], 'postgres')).rejects
+      .toThrow('sql analysis response is missing string[] field columns_by_clause.where');
+  });
+
+  it('rejects malformed daemon responses instead of inventing defaults', async () => {
+    const requestJson = vi.fn(async () => ({
+      fingerprint: 'abc',
+      normalized_sql: 'SELECT ?',
+      tables_touched: 'orders',
+      literal_slots: [],
+    }));
+    const port = createHttpSqlAnalysisPort({ baseUrl: 'http://python.test', requestJson });
+
+    await expect(port.analyzeForFingerprint('SELECT 1', 'postgres')).rejects.toThrow(
+      'sql analysis response is missing string[] field tables_touched',
+    );
+  });
+});

packages/cli/src/context/sql-analysis/http-sql-analysis-port.ts

@@ -0,0 +1,233 @@
+import { request as httpRequest } from 'node:http';
+import { request as httpsRequest } from 'node:https';
+import { URL } from 'node:url';
+import type {
+  SqlAnalysisBatchItem,
+  SqlAnalysisBatchResult,
+  SqlAnalysisDialect,
+  SqlAnalysisFingerprintResult,
+  SqlAnalysisLiteralSlot,
+  SqlAnalysisLiteralSlotType,
+  SqlAnalysisPort,
+  SqlReadOnlyValidationResult,
+} from './ports.js';
+
+export type KtxSqlAnalysisHttpJsonRunner = (
+  path: string,
+  payload: Record<string, unknown>,
+) => Promise<Record<string, unknown>>;
+
+export interface HttpSqlAnalysisPortOptions {
+  baseUrl: string;
+  requestJson?: KtxSqlAnalysisHttpJsonRunner;
+}
+
+function normalizedBaseUrl(baseUrl: string): string {
+  return baseUrl.endsWith('/') ? baseUrl : `${baseUrl}/`;
+}
+
+function parseJsonObject(raw: string, path: string): Record<string, unknown> {
+  const parsed = JSON.parse(raw) as unknown;
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error(`sql analysis HTTP ${path} returned non-object JSON`);
+  }
+  return parsed as Record<string, unknown>;
+}
+
+function postJson(baseUrl: string): KtxSqlAnalysisHttpJsonRunner {
+  return async (path, payload) =>
+    new Promise((resolve, reject) => {
+      const target = new URL(path.replace(/^\//, ''), normalizedBaseUrl(baseUrl));
+      const body = JSON.stringify(payload);
+      const client = target.protocol === 'https:' ? httpsRequest : httpRequest;
+      const request = client(
+        target,
+        {
+          method: 'POST',
+          headers: {
+            accept: 'application/json',
+            'content-type': 'application/json',
+            'content-length': Buffer.byteLength(body),
+          },
+        },
+        (response) => {
+          const chunks: Buffer[] = [];
+          response.on('data', (chunk: Buffer) => chunks.push(chunk));
+          response.on('end', () => {
+            const text = Buffer.concat(chunks).toString('utf8');
+            const statusCode = response.statusCode ?? 0;
+            if (statusCode < 200 || statusCode >= 300) {
+              reject(new Error(`sql analysis HTTP ${path} failed with ${statusCode}: ${text}`));
+              return;
+            }
+            try {
+              resolve(parseJsonObject(text, path));
+            } catch (error) {
+              reject(error);
+            }
+          });
+        },
+      );
+      request.on('error', reject);
+      request.end(body);
+    });
+}
+
+function requiredString(raw: Record<string, unknown>, field: string): string {
+  const value = raw[field];
+  if (typeof value !== 'string') {
+    throw new Error(`sql analysis response is missing string field ${field}`);
+  }
+  return value;
+}
+
+function optionalString(raw: Record<string, unknown>, field: string): string | null | undefined {
+  const value = raw[field];
+  if (value === null || value === undefined || typeof value === 'string') {
+    return value;
+  }
+  throw new Error(`sql analysis response has invalid optional string field ${field}`);
+}
+
+function requiredStringArray(raw: Record<string, unknown>, field: string): string[] {
+  const value = raw[field];
+  if (!Array.isArray(value) || value.some((item) => typeof item !== 'string')) {
+    throw new Error(`sql analysis response is missing string[] field ${field}`);
+  }
+  return value;
+}
+
+function requiredBoolean(raw: Record<string, unknown>, field: string): boolean {
+  const value = raw[field];
+  if (typeof value !== 'boolean') {
+    throw new Error(`sql analysis response is missing boolean field ${field}`);
+  }
+  return value;
+}
+
+function requiredObject(raw: Record<string, unknown>, field: string): Record<string, unknown> {
+  const value = raw[field];
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    throw new Error(`sql analysis response is missing object field ${field}`);
+  }
+  return value as Record<string, unknown>;
+}
+
+function isLiteralSlotType(value: unknown): value is SqlAnalysisLiteralSlotType {
+  return (
+    value === 'string' ||
+    value === 'number' ||
+    value === 'timestamp' ||
+    value === 'date' ||
+    value === 'boolean' ||
+    value === 'null' ||
+    value === 'unknown'
+  );
+}
+
+function literalSlots(raw: Record<string, unknown>): SqlAnalysisLiteralSlot[] {
+  const value = raw.literal_slots;
+  if (!Array.isArray(value)) {
+    throw new Error('sql analysis response is missing literal_slots array');
+  }
+  return value.map((item) => {
+    if (!item || typeof item !== 'object' || Array.isArray(item)) {
+      throw new Error('sql analysis response contains invalid literal slot');
+    }
+    const slot = item as Record<string, unknown>;
+    if (typeof slot.position !== 'number') {
+      throw new Error('sql analysis response literal slot is missing numeric position');
+    }
+    if (!isLiteralSlotType(slot.type)) {
+      throw new Error('sql analysis response literal slot is missing valid type');
+    }
+    if (typeof slot.example_value !== 'string') {
+      throw new Error('sql analysis response literal slot is missing example_value');
+    }
+    return {
+      position: slot.position,
+      type: slot.type,
+      exampleValue: slot.example_value,
+    };
+  });
+}
+
+function mapResult(raw: Record<string, unknown>): SqlAnalysisFingerprintResult {
+  const error = optionalString(raw, 'error');
+  return {
+    fingerprint: requiredString(raw, 'fingerprint'),
+    normalizedSql: requiredString(raw, 'normalized_sql'),
+    tablesTouched: requiredStringArray(raw, 'tables_touched'),
+    literalSlots: literalSlots(raw),
+    ...(error !== undefined ? { error } : {}),
+  };
+}
+
+function mapColumnsByClause(raw: Record<string, unknown>): SqlAnalysisBatchResult['columnsByClause'] {
+  const value = requiredObject(raw, 'columns_by_clause');
+  const result: SqlAnalysisBatchResult['columnsByClause'] = {};
+  for (const [clause, columns] of Object.entries(value)) {
+    if (!Array.isArray(columns) || columns.some((item) => typeof item !== 'string')) {
+      throw new Error(`sql analysis response is missing string[] field columns_by_clause.${clause}`);
+    }
+    result[clause] = columns;
+  }
+  return result;
+}
+
+function mapBatchResult(raw: Record<string, unknown>): SqlAnalysisBatchResult {
+  const error = optionalString(raw, 'error');
+  return {
+    tablesTouched: requiredStringArray(raw, 'tables_touched'),
+    columnsByClause: mapColumnsByClause(raw),
+    ...(error !== undefined ? { error } : {}),
+  };
+}
+
+function mapBatchResponse(raw: Record<string, unknown>): Map<string, SqlAnalysisBatchResult> {
+  const results = requiredObject(raw, 'results');
+  return new Map(
+    Object.entries(results).map(([id, value]) => {
+      if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw new Error(`sql analysis response contains invalid batch result ${id}`);
+      }
+      return [id, mapBatchResult(value as Record<string, unknown>)];
+    }),
+  );
+}
+
+function mapReadOnlyValidation(raw: Record<string, unknown>): SqlReadOnlyValidationResult {
+  const error = optionalString(raw, 'error');
+  return {
+    ok: requiredBoolean(raw, 'ok'),
+    ...(error !== undefined ? { error } : {}),
+  };
+}
+
+export function createHttpSqlAnalysisPort(options: HttpSqlAnalysisPortOptions): SqlAnalysisPort {
+  const requestJson = options.requestJson ?? postJson(options.baseUrl);
+
+  return {
+    async analyzeForFingerprint(sql: string, dialect: SqlAnalysisDialect) {
+      const raw = await requestJson('/api/sql/analyze-for-fingerprint', {
+        sql,
+        dialect,
+      });
+      return mapResult(raw);
+    },
+    async analyzeBatch(items: SqlAnalysisBatchItem[], dialect: SqlAnalysisDialect) {
+      const raw = await requestJson('/sql/analyze-batch', {
+        dialect,
+        items,
+      });
+      return mapBatchResponse(raw);
+    },
+    async validateReadOnly(sql: string, dialect: SqlAnalysisDialect) {
+      const raw = await requestJson('/sql/validate-read-only', {
+        dialect,
+        sql,
+      });
+      return mapReadOnlyValidation(raw);
+    },
+  };
+}

packages/cli/src/context/sql-analysis/ports.ts

@@ -0,0 +1,53 @@
+export type SqlAnalysisDialect =
+  | 'bigquery'
+  | 'snowflake'
+  | 'postgres'
+  | 'redshift'
+  | 'mysql'
+  | 'sqlite'
+  | 'tsql'
+  | 'clickhouse'
+  | (string & {});
+
+export type SqlAnalysisLiteralSlotType = 'string' | 'number' | 'timestamp' | 'date' | 'boolean' | 'null' | 'unknown';
+
+export interface SqlAnalysisLiteralSlot {
+  position: number;
+  type: SqlAnalysisLiteralSlotType;
+  exampleValue: string;
+}
+
+export interface SqlAnalysisFingerprintResult {
+  fingerprint: string;
+  normalizedSql: string;
+  tablesTouched: string[];
+  literalSlots: SqlAnalysisLiteralSlot[];
+  error?: string | null;
+}
+
+type SqlAnalysisClause = 'select' | 'where' | 'join' | 'groupBy' | 'having' | 'orderBy' | (string & {});
+
+export interface SqlAnalysisBatchItem {
+  id: string;
+  sql: string;
+}
+
+export interface SqlAnalysisBatchResult {
+  tablesTouched: string[];
+  columnsByClause: Partial<Record<SqlAnalysisClause, string[]>>;
+  error?: string | null;
+}
+
+export interface SqlReadOnlyValidationResult {
+  ok: boolean;
+  error?: string | null;
+}
+
+export interface SqlAnalysisPort {
+  analyzeForFingerprint(sql: string, dialect: SqlAnalysisDialect): Promise<SqlAnalysisFingerprintResult>;
+  analyzeBatch(
+    items: SqlAnalysisBatchItem[],
+    dialect: SqlAnalysisDialect,
+  ): Promise<Map<string, SqlAnalysisBatchResult>>;
+  validateReadOnly(sql: string, dialect: SqlAnalysisDialect): Promise<SqlReadOnlyValidationResult>;
+}