A configured warehouse was always a scan/ingest target. The only way to use a
connection purely for SQL execution (ktx sql / sql_execution) was the leaky
workaround of an empty setup.database_connection_ids — which actually re-includes
every warehouse via the 'fall back to all' branch — so e.g. a BigQuery connection
meant only for read-only queries triggered a full-billing-project scan.
- Add a per-connection scan_enabled flag (default true) to warehouse connections.
scan_enabled: false registers the connection for execution only and never as a
scan target.
- Route every scan-target selection path through one predicate
(isScanTargetWarehouse): both ingest (primaryWarehouseConnectionIds, including
the all-warehouses fallback) and setup (configuredPrimaryConnectionIds) now
exclude execute-only connections. Setup validates the credential but skips
scope discovery and scan for them. Execution paths are untouched — the warehouse
descriptor still resolves, so ktx sql / sql_execution keep working.
- Scripted setup with no --database-schema no longer silently scopes the scan to
every discovered schema/dataset: it warns with the count and names how to narrow
(--database-schema) or opt out (scan_enabled: false).
