fix(snowflake): unblock multi-schema ingest and relationship discovery (#204)

* feat(setup): drop redundant Snowflake schema prompt; fall back to free-text on listSchemas failure

Snowflake setup previously asked for a single schema as free text, then
ran a multiselect against the discovered schemas — two schema questions
back-to-back, with the first being only a session bootstrap. The SDK's
`schema` is optional, so the bootstrap step is unnecessary.

- Remove the free-text Snowflake schema prompt; only pass `schema` to
  snowflake-sdk when one is configured.
- When `listSchemas()` fails (e.g. role lacks SHOW SCHEMAS), prompt the
  user for a comma-separated list, persist it as `schema_names`, and use
  it as both the table-list filter and the multiselect default. Applies
  to every driver with a scope-discovery spec, not just Snowflake.
- Update docs to lead with `schema_names`; keep `schema_name` as a
  documented single-schema shorthand.

* fix(snowflake): keep introspecting when primary-key discovery is denied

The PK query joins INFORMATION_SCHEMA.TABLE_CONSTRAINTS and
INFORMATION_SCHEMA.KEY_COLUMN_USAGE, which require grants the
connection role may not have. Previously a 'SQL compilation error:
Object ANALYTICS.INFORMATION_SCHEMA.KEY_COLUMN_USAGE does not exist
or not authorized' aborted the entire introspect — schemas, columns,
and row counts were all discarded over a missing nice-to-have.

Wrap the constraint query in try/catch, log a one-line warning per
schema, and return an empty PK map. Columns end up with
primaryKey=false; relationship inference still has FK and profiling
to fall back on.

* fix(scan): unblock relationship discovery on Snowflake

Two adjacent bugs prevented the scan's relationship pipeline from producing
any joins on a Snowflake warehouse:

- relationship-profiling.ts fell through to a default `GROUP_CONCAT` branch
  for unknown drivers. Snowflake has no GROUP_CONCAT, so every per-table
  profile query failed with "Unknown function GROUP_CONCAT". Add an explicit
  Snowflake branch that uses LISTAGG with a literal '\x1f' delimiter
  (Snowflake requires the delimiter to be a constant, so CHR(31) is rejected).
- description-generation.ts destructured `connector.sampleTable` and
  `connector.sampleColumn` into bare locals, losing the `this` binding when
  the class-method connectors (Snowflake, Postgres, MySQL) were invoked.
  Every sample call threw "Cannot read properties of undefined (reading
  'assertConnection')" and degraded LLM descriptions to metadata-only
  prompts. Call the methods through the connector instead.

Without these, even after the primary-key probe is allowed to fail softly,
the scan ends up with 0 validated relationships and an empty `joins:` block
in every shard YAML.

* test(scan): cover table-ref helpers

* feat(scan): plumb tableScope through live-database introspection port

* feat(scan): apply tableScope during metadata fetch

* feat(scan): enforce table scope at fetch boundary

* feat(scan): pool Snowflake sessions and batch enrichment for faster ingest (#206)

* feat(cli): add RSA key-pair auth option to Snowflake setup wizard

Extends the interactive Snowflake setup flow with an authentication-method
prompt (password vs RSA/JWT key-pair). The RSA branch collects a private-key
path (env/file/absolute) and an optional passphrase; the resulting connection
config records `authMethod: 'rsa'` with `privateKey` and `passphrase` instead
of `password`.

* feat(scan): pool Snowflake sessions

* fix(scan): reuse structural snapshots and cleanup connectors

* feat(scan): parallelize relationship profiling

* feat(scan): batch table description generation

* docs: document Snowflake ingest concurrency knobs

* fix(scan): close Snowflake ingest perf verification gaps

* fix(scan): keep batched description failure bounded

* feat(scan): dispatch query-history probes by connection driver

Extract historic-sql dialect resolution into a shared helper so the
status-project readiness check and the local ingest factory agree on
which connections enable query history and which probe to run. The
status command now picks the postgres/snowflake/bigquery probe based on
the connection's driver instead of always reporting against postgres,
which previously caused snowflake connections with queryHistory.enabled
to surface a misleading "driver is snowflake" failure.

Also drops a noisy console.warn from Snowflake primary-key discovery —
INFORMATION_SCHEMA.KEY_COLUMN_USAGE is commonly ungranted for read-only
roles and the FK + profiling paths handle the empty PK map already.

* fix(llm): allow StructuredOutput tool and raise maxTurns for generateObject

The Claude Code agent SDK announces an internal pseudo-tool named
StructuredOutput in the system/init message whenever outputFormat is set
to { type: 'json_schema' }. The runtime's isolation check built its
allowedToolIds set only from MCP tool ids and treated StructuredOutput
as an unexpected host-injected tool, so every generateObject call threw
"Claude Code runtime isolation failed: tools=StructuredOutput ..." and
the table-descriptions and relationship-LLM-proposal enrichment stages
recorded null output across the board.

Whitelist StructuredOutput specifically in generateObject's
allowedToolIds — the check also enforces missing_tools symmetry, so
generateText and runAgentLoop, which do not see StructuredOutput, must
not require it.

generateObject also ran with maxTurns: 1, which the model intermittently
breached when it emitted thinking text before the structured response.
Raised to 5 to give the schema-bound call enough headroom without
allowing unbounded loops. The existing tests now exercise the path with
an init message that announces StructuredOutput so the regression cannot
slip back in.

* chore(scripts): add ktx-reset.sh project-cleanup helper

Convenience script for repeatable ingest testing: takes a project
directory and prunes everything except ktx.yaml and .ktx/secrets/, so
the next ktx setup or ktx ingest run starts from a known-clean state.

packages/cli/src/status-project.test.ts

@@ -148,6 +148,161 @@ function withPostgresQueryHistory(config: KtxProjectConfig): KtxProjectConfig {
   };
 }
 
+function withSnowflakeQueryHistory(config: KtxProjectConfig): KtxProjectConfig {
+  return {
+    ...config,
+    connections: {
+      ...config.connections,
+      warehouse: {
+        driver: 'snowflake',
+        account: 'EMOVRJS-CZ07756',
+        warehouse: 'COMPUTE_WH',
+        database: 'ANALYTICS',
+        username: 'svc_ktx',
+        password: 'env:SNOWFLAKE_PASSWORD', // pragma: allowlist secret
+        context: { queryHistory: { enabled: true } },
+      } as KtxProjectConfig['connections'][string],
+    },
+  };
+}
+
+function withBigQueryQueryHistory(config: KtxProjectConfig): KtxProjectConfig {
+  return {
+    ...config,
+    connections: {
+      ...config.connections,
+      bq: {
+        driver: 'bigquery',
+        credentials_json: 'env:BQ_CREDENTIALS_JSON',
+        context: { queryHistory: { enabled: true } },
+      } as KtxProjectConfig['connections'][string],
+    },
+  };
+}
+
+function withMysqlQueryHistory(config: KtxProjectConfig): KtxProjectConfig {
+  return {
+    ...config,
+    connections: {
+      ...config.connections,
+      legacy: {
+        driver: 'mysql',
+        host: 'db.example.com',
+        database: 'analytics',
+        username: 'svc',
+        password: 'env:MYSQL_PASSWORD', // pragma: allowlist secret
+        context: { queryHistory: { enabled: true } },
+      } as KtxProjectConfig['connections'][string],
+    },
+  };
+}
+
+describe('buildProjectStatus query history dispatch', () => {
+  it('runs the snowflake probe for snowflake connections, not the postgres one', async () => {
+    let postgresCalls = 0;
+    let snowflakeCalls = 0;
+    const project = projectWithConfig(withSnowflakeQueryHistory(baseProjectConfig()));
+
+    const status = await buildProjectStatus(project, {
+      claudeCodeAuthProbe: stubClaudeCodeAuthProbe,
+      postgresQueryHistoryProbe: async () => {
+        postgresCalls += 1;
+        throw new Error('postgres probe should not run for snowflake');
+      },
+      snowflakeQueryHistoryProbe: async () => {
+        snowflakeCalls += 1;
+        return { warnings: [], info: [] };
+      },
+    });
+
+    expect(postgresCalls).toBe(0);
+    expect(snowflakeCalls).toBe(1);
+    expect(status.queryHistory).toHaveLength(1);
+    expect(status.queryHistory[0]).toMatchObject({
+      connection: 'warehouse',
+      driver: 'snowflake',
+      dialect: 'snowflake',
+      status: 'ok',
+    });
+    expect(status.queryHistory[0].detail).toMatch(/SNOWFLAKE\.ACCOUNT_USAGE\.QUERY_HISTORY/);
+    expect(status.queryHistory[0].fix).toBeUndefined();
+    expect(status.verdict).not.toBe('blocked');
+  });
+
+  it('reports snowflake probe failures with the reader-provided remediation', async () => {
+    const project = projectWithConfig(withSnowflakeQueryHistory(baseProjectConfig()));
+    const { HistoricSqlGrantsMissingError } = await import(
+      './context/ingest/adapters/historic-sql/errors.js'
+    );
+
+    const status = await buildProjectStatus(project, {
+      claudeCodeAuthProbe: stubClaudeCodeAuthProbe,
+      snowflakeQueryHistoryProbe: async () => {
+        throw new HistoricSqlGrantsMissingError({
+          dialect: 'snowflake',
+          message: 'role cannot read SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY',
+          remediation: 'GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE ktx;',
+        });
+      },
+    });
+
+    expect(status.queryHistory[0]).toMatchObject({
+      connection: 'warehouse',
+      driver: 'snowflake',
+      dialect: 'snowflake',
+      status: 'fail',
+      fix: 'GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE ktx;',
+    });
+    expect(status.queryHistory[0].detail).not.toMatch(/Set connections.*driver to postgres/);
+  });
+
+  it('runs the bigquery probe for bigquery connections', async () => {
+    let bigqueryCalls = 0;
+    const project = projectWithConfig(withBigQueryQueryHistory(baseProjectConfig()));
+
+    const status = await buildProjectStatus(project, {
+      claudeCodeAuthProbe: stubClaudeCodeAuthProbe,
+      bigqueryQueryHistoryProbe: async () => {
+        bigqueryCalls += 1;
+        return { warnings: [], info: [] };
+      },
+    });
+
+    expect(bigqueryCalls).toBe(1);
+    expect(status.queryHistory[0]).toMatchObject({
+      connection: 'bq',
+      driver: 'bigquery',
+      dialect: 'bigquery',
+      status: 'ok',
+    });
+    expect(status.queryHistory[0].detail).toMatch(/INFORMATION_SCHEMA\.JOBS_BY_PROJECT/);
+  });
+
+  it('fails with an accurate message for drivers without a query history reader', async () => {
+    const project = projectWithConfig(withMysqlQueryHistory(baseProjectConfig()));
+
+    const status = await buildProjectStatus(project, {
+      claudeCodeAuthProbe: stubClaudeCodeAuthProbe,
+      postgresQueryHistoryProbe: async () => {
+        throw new Error('postgres probe must not run for mysql');
+      },
+    });
+
+    expect(status.queryHistory).toHaveLength(1);
+    expect(status.queryHistory[0]).toMatchObject({
+      connection: 'legacy',
+      driver: 'mysql',
+      dialect: 'mysql',
+      status: 'fail',
+      detail: 'query history is not supported for driver "mysql"',
+    });
+    expect(status.queryHistory[0].fix).toMatch(
+      /Disable connections\.legacy\.context\.queryHistory/,
+    );
+    expect(status.queryHistory[0].fix).not.toMatch(/driver to postgres/);
+  });
+});
+
 describe('buildProjectStatus --fast', () => {
   it('skips claude-code probe and Postgres query-history probe', async () => {
     let claudeProbeCalls = 0;