feat(connections): add execute-only warehouses; stop silent full-project scans

A configured warehouse was always a scan/ingest target. The only way to use a
connection purely for SQL execution (ktx sql / sql_execution) was the leaky
workaround of an empty setup.database_connection_ids — which actually re-includes
every warehouse via the 'fall back to all' branch — so e.g. a BigQuery connection
meant only for read-only queries triggered a full-billing-project scan.

- Add a per-connection scan_enabled flag (default true) to warehouse connections.
  scan_enabled: false registers the connection for execution only and never as a
  scan target.
- Route every scan-target selection path through one predicate
  (isScanTargetWarehouse): both ingest (primaryWarehouseConnectionIds, including
  the all-warehouses fallback) and setup (configuredPrimaryConnectionIds) now
  exclude execute-only connections. Setup validates the credential but skips
  scope discovery and scan for them. Execution paths are untouched — the warehouse
  descriptor still resolves, so ktx sql / sql_execution keep working.
- Scripted setup with no --database-schema no longer silently scopes the scan to
  every discovered schema/dataset: it warns with the count and names how to narrow
  (--database-schema) or opt out (scan_enabled: false).

docs-site/content/docs/cli-reference/ktx-sql.mdx

@@ -15,6 +15,10 @@ Use `ktx sql` with a required connection id and positional SQL text.
 ktx sql --connection <id> [options] <sql...>
 ```
 
+`ktx sql` runs against any configured connection, whether or not it is a scan or
+ingest target. Connections marked `scan_enabled: false` (execute-only) work here
+too — see [execute-only connections](/docs/configuration/ktx-yaml#execute-only-connections).
+
 ## Options
 
 Use output flags to choose between terminal display, TSV rows, and structured