MR-793 phases 1-6: TableStorage trait + staged-write surface for engine writers

Hoists Lance's stage+commit two-phase write pattern from "discipline at
each writer" to a sealed trait surface (`TableStorage`). New engine code
that needs to advance Lance HEAD MUST go through `stage_*` + `commit_staged`;
the trait's opaque `SnapshotHandle` / `StagedHandle` types keep
`lance::Dataset` and `lance::Transaction` out of trait signatures.

Phases landed (see .context/mr-793-design.md for the full plan):
* 1a: `crates/omnigraph/src/storage_layer.rs` — `TableStorage` trait,
  sealed (only in-tree types can impl), single impl on `TableStore`
  delegating to existing inherent methods; `Omnigraph::storage()`
  accessor returns `&dyn TableStorage`.
* 2: three new staged primitives — `stage_overwrite`,
  `stage_create_btree_index`, `stage_create_inverted_index` —
  implementing the simple branch of Lance's `CreateIndexBuilder::execute`
  (scalar indices only; vector indices stay inline because
  `build_index_metadata_from_segments` is `pub(crate)` in lance-4.0.0).
  Six new tests in `tests/staged_writes.rs` pin both the new primitives
  and the inline residuals (`delete_where`, `create_vector_index`).
* 3: `tests/forbidden_apis.rs` — defense-in-depth integration test
  walks engine source, fails on direct lance::* inline-commit API use
  outside `table_store.rs` / `db/manifest/`. Skips comment lines and
  honors `// forbidden-api-allow:` sentinels.
* 4: `ensure_indices` migration — scalar index builds now route through
  `stage_create_*_index` + `commit_staged` instead of
  `create_*_index(&mut Dataset)`. Vector indices stay inline (residual,
  named honestly at the call site).
* 5: `branch_merge::publish_rewritten_merge_table` migration — the
  merge_insert phase now uses `stage_merge_insert` + `commit_staged`;
  delete phase stays inline (Lance #6658 residual, named honestly).
* 6: `schema_apply` rewritten_tables migration — non-empty rewrites
  use `stage_overwrite` + `commit_staged`; empty-batch rewrites stay
  inline because `InsertBuilder::execute_uncommitted` rejects empty
  data. The narrow inline window is bounded by `__schema_apply_lock__`.

Verified-green test surface:
* `cargo test -p omnigraph-engine` — 68 lib + ~120 integration tests
  (incl. 6 new staged_writes tests + the new forbidden_apis test).
* `cargo test -p omnigraph-engine --features failpoints --test failpoints`
  — 5 tests, all green.
* `cargo test --workspace` — green.

Deferred to follow-up sessions (see design doc §17 split):
* Phase 1b — convert remaining engine call sites to `&dyn TableStorage`
  (mostly READS that don't touch the staged-write invariant).
* Phase 7 — recovery-on-open reconciler (closes Phase B → Phase C
  residual across process restarts; new subsystem).
* Phase 8 — index-coverage reconciler (full §VII.35 compliance —
  removes synchronous index work from the publish path).
* Phase 9 — demote unused `TableStore` inherent methods to `pub(crate)`
  (depends on Phase 1b).

Lance upstream blockers documented:
* lance-format/lance#6658 — two-phase delete API (open, no PRs).
* Companion: `build_index_metadata_from_segments` should be `pub` so
  vector-index builds can be staged outside the lance crate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/runs.md

@@ -63,6 +63,44 @@ edges break referential integrity). Until Lance exposes a two-phase
 delete API, the parse-time rejection keeps both paths atomic and
 correct. Tracked: MR-793, plus a Lance-upstream ticket.
 
+### MR-793 status (storage trait two-phase invariant) — partial
+
+MR-793 hoists the staged-write pattern into a `TableStorage` trait
+surface with sealed-trait enforcement and opaque `SnapshotHandle` /
+`StagedHandle` types — see `crates/omnigraph/src/storage_layer.rs`.
+The trait is the canonical surface for new engine code; existing call
+sites still use the inherent `TableStore` methods (mechanical migration
+deferred to a follow-up cycle — tracked).
+
+Three writers have been migrated onto staged primitives:
+
+* **`ensure_indices`** (`db/omnigraph/table_ops.rs::build_indices_on_dataset_for_catalog`)
+  — scalar indices (BTree, Inverted) now use `stage_create_*_index` +
+  `commit_staged`. Vector indices stay inline (residual — Lance
+  `build_index_metadata_from_segments` is `pub(crate)` in 4.0.0;
+  companion ticket to lance-format/lance#6658 needed).
+* **`branch_merge::publish_rewritten_merge_table`**
+  (`exec/merge.rs`) — merge_insert now uses `stage_merge_insert` +
+  `commit_staged`. Deletes stay inline (Lance #6658 residual).
+* **`schema_apply` rewritten_tables** (`db/omnigraph/schema_apply.rs`)
+  — non-empty rewrites use `stage_overwrite` + `commit_staged`.
+  Empty-batch rewrites stay inline (Lance `InsertBuilder::execute_uncommitted`
+  rejects empty data; the empty case is rare and bounded by the
+  schema-apply lock branch).
+
+A defense-in-depth integration test (`tests/forbidden_apis.rs`) walks
+engine source and fails if non-allow-listed code calls Lance's
+inline-commit APIs directly. The trait surface itself is the primary
+enforcement (sealed + only-callable-via-trait once call sites land);
+the grep test catches type-system bypass attempts.
+
+The "finalize → publisher residual" described below applies equally to
+the migrated writers — Lance has no multi-dataset atomic commit
+primitive, so the per-table commit_staged → manifest publish gap is
+the same drift class. Closing it requires either upstream Lance
+multi-dataset commit OR the omnigraph-side recovery-on-open reconciler
+described in `.context/mr-793-design.md` §15 (deferred to MR-795).
+
 ### `LoadMode::Overwrite` residual
 
 The bulk loader's Append and Merge modes use the staged-write path